Solved: Two iexplore.exe *32 after removing Trojan

doubleTrouble

I am having issues with two iexplore.exe *32 processes running even when I am not running IE.
I have Windows 7, and due to work policy had to move down to IE8.

I have also noticed that even if I kill the IE8 processes, when I open an in-house tool, it starts IE8 again and slows the tool down. I checked, and it does not open IE8 or run slowly for other people.

The following programs found trojans, but the problem is still happening.
Kaspersky
Spybot
Malwarebytes
 
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.25.07
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
maaldridge :: ALDRIDGE-M-W7 [administrator]
Protection: Enabled
7/25/2012 10:37:26 AM
mbam-log-2012-07-25 (10-37-26).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 256811
Time elapsed: 1 minute(s), 51 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\maaldridge\AppData\Local\Temp\1jfuweif.exe (Trojan.Happili) -> Quarantined and deleted successfully.
(end)
 
After removing the trojan and restarting:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.25.07
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
maaldridge :: ALDRIDGE-M-W7 [administrator]
Protection: Enabled
7/25/2012 10:44:46 AM
mbam-log-2012-07-25 (10-44-46).txt
Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 559450
Time elapsed: 30 minute(s), 23 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
 
2012/07/25 10:35:45 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Starting protection
2012/07/25 10:35:45 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Executing scheduled update: Daily
2012/07/25 10:35:48 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Protection started successfully
2012/07/25 10:35:51 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Scheduled update executed successfully: database updated from version v2012.07.03.05 to version v2012.07.25.07
2012/07/25 10:35:51 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Starting IP protection
2012/07/25 10:35:53 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE IP Protection started successfully
2012/07/25 10:35:53 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Starting database refresh
2012/07/25 10:35:53 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Stopping IP protection
2012/07/25 10:37:40 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE IP Protection stopped
2012/07/25 10:37:42 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Database refreshed successfully
2012/07/25 10:37:42 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Starting IP protection
2012/07/25 10:37:44 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE IP Protection started successfully
2012/07/25 10:41:26 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Starting protection
2012/07/25 10:41:30 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Protection started successfully
2012/07/25 10:41:33 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Starting IP protection
2012/07/25 10:41:36 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE IP Protection started successfully
2012/07/25 10:46:51 -0700 ALDRIDGE-M-W7 maaldridge IP-BLOCK 91.205.96.44 (Type: outgoing, Port: 64991, Process: avp.exe)
2012/07/25 10:51:49 -0700 ALDRIDGE-M-W7 maaldridge IP-BLOCK 91.205.96.44 (Type: outgoing, Port: 12047, Process: avp.exe)
2012/07/25 11:13:20 -0700 ALDRIDGE-M-W7 maaldridge IP-BLOCK 91.205.96.44 (Type: outgoing, Port: 49487, Process: avp.exe)
2012/07/25 11:18:48 -0700 ALDRIDGE-M-W7 maaldridge IP-BLOCK 91.205.96.44 (Type: outgoing, Port: 49588, Process: avp.exe)
2012/07/25 11:23:53 -0700 ALDRIDGE-M-W7 maaldridge IP-BLOCK 91.205.96.44 (Type: outgoing, Port: 49650, Process: avp.exe)
2012/07/25 11:30:12 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Stopping IP protection
2012/07/25 11:31:34 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE IP Protection stopped
2012/07/25 12:09:49 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Starting protection
2012/07/25 12:09:51 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Protection started successfully
2012/07/25 12:09:54 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE Starting IP protection
2012/07/25 12:09:55 -0700 ALDRIDGE-M-W7 maaldridge MESSAGE IP Protection started successfully
2012/07/25 12:12:26 -0700 ALDRIDGE-M-W7 maaldridge IP-BLOCK 91.205.96.44 (Type: outgoing, Port: 52281, Process: avp.exe)
2012/07/25 12:17:30 -0700 ALDRIDGE-M-W7 maaldridge IP-BLOCK 91.205.96.44 (Type: outgoing, Port: 53004, Process: avp.exe)
2012/07/25 12:31:38 -0700 ALDRIDGE-M-W7 maaldridge IP-BLOCK 91.205.96.44 (Type: outgoing, Port: 40297, Process: avp.exe)
 
Step 3: GMER

I do not have the password to disable the antivirus software, so I ran it in Safe Mode.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-25 12:05:51
Windows 6.1.7601 Service Pack 1
Running: t6de78yz.exe

---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c659daeb835
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90004eee1eb9
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c659daeb835 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90004eee1eb9 (not active ControlSet)
---- EOF - GMER 1.0.15 ----
 
Step 4: DDS
DDS log

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by maaldridge at 13:02:21 on 2012-07-25
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3977.813 [GMT -7:00]
.
AV: Kaspersky Anti-Virus *Enabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Kaspersky Anti-Virus *Enabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
FW: Kaspersky Anti-Virus *Enabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\SPBA\upeksvr.exe
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files (x86)\Kaspersky Lab\NetworkAgent 8\klnagent.exe
C:\Windows\system32\mqsvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\SysWOW64\CCM\CcmExec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Kaspersky Lab\NetworkAgent 8\klnagent.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\MozyEnterprise\mozyentstat.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files (x86)\WinZip\WZQKPICK.EXE
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files (x86)\Microsoft Lync\communicator.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\conhost.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Program Files (x86)\Microsoft Lync\UcMapi.exe
C:\Program Files (x86)\Allscripts Sunrise\Helios\3.0\Gateway\Eclipsys.Infrastructure.WindowsServices.exe
C:\Program Files (x86)\Allscripts Sunrise\Helios\6.0\Gateway\Eclipsys.Infrastructure.WindowsServices.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\MozyEnterprise\mozyentbackup.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files\MozyEnterprise\mozyentbackup.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Microsoft Team Foundation Server 2010 Power Tools\TfsComProviderSvr.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uStart Page = https://inside.allscripts.com
uDefault_Page_URL = https://inside.allscripts.com
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Lync Browser Helper: {31d09ba0-12f5-4cce-be8a-2923e76605da} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
TB: WebEx Productivity Tools: {90e2ba2e-dd1b-4cde-9134-7a8b86d33ca7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
EB: Web Test Recorder 10.0: {5802d092-1784-4908-8cdb-99b6842d353d} - mscoree.dll
uRun: [Google Update] "C:\Users\maaldridge\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [VS Revo Group] Rundll32.exe "C:\Users\maaldridge\AppData\Local\VS Revo Group\yzxxvcqk.dll",DllGetClassObject
uRun: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\Users\MAALDR~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MAGICD~1.LNK - C:\Program Files (x86)\MagicDisc\MagicDisc.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DIGITA~1.LNK - C:\Program Files (x86)\Digital Line Detect\DLG.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MOZYEN~1.LNK - C:\Program Files (x86)\MozyEnterprise\mozyentstat.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WDDMST~1.LNK - C:\Program Files (x86)\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WDSMAR~1.LNK - C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WINZIP~1.LNK - C:\Program Files (x86)\WinZip\WZQKPICK.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\ie_banner_deny.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\scieplgn.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
Trusted Zone: a4healthsystems.com
Trusted Zone: adp.com
Trusted Zone: allscripts.com
Trusted Zone: allscripts.com\clarity.corp
Trusted Zone: allscripts.com\servicedesk.corp
Trusted Zone: books24x7.com
Trusted Zone: brainshark.com
Trusted Zone: clarity
Trusted Zone: codecorrect.com
Trusted Zone: delvenetworks.com\assets
Trusted Zone: diagnostix.com
Trusted Zone: eternal
Trusted Zone: force.com
Trusted Zone: force.com\*.na0.visual
Trusted Zone: fpx.com\od1
Trusted Zone: global.ad\servicedesk.misys
Trusted Zone: gotrain.net
Trusted Zone: intersourcing.com\www
Trusted Zone: intra
Trusted Zone: llnwd.net\*.fcod
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: misys.com\clarity
Trusted Zone: misys.com\servicedesk
Trusted Zone: misysgold
Trusted Zone: misyshealthcare.com
Trusted Zone: misyshealthcare.com\kb
Trusted Zone: misysimentor.com
Trusted Zone: mlv-ris-app-e
Trusted Zone: mlv-ris-app-f
Trusted Zone: mlv-ris-app-o
Trusted Zone: on24.com
Trusted Zone: onemisys.com\clarity
Trusted Zone: onemisys.com\eternal
Trusted Zone: onemisys.com\intra
Trusted Zone: onemisys.com\misysgold
Trusted Zone: payerpath.com
Trusted Zone: salesforce.com
Trusted Zone: servicedesk
Trusted Zone: skilldialogue.com
Trusted Zone: skillport.com
Trusted Zone: skillport.com\library
Trusted Zone: skillsoft.com
Trusted Zone: skillsoftcompliance.com
Trusted Zone: skillwsa.com
Trusted Zone: symantecliveupdate.com
Trusted Zone: velaro.com
Trusted Zone: windowsupdate.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://ssl3.eclipsnet.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 10.141.1.33 10.141.1.34 10.131.1.77 10.101.224.100
TCP: Interfaces\{06C4AC5A-53E8-43CC-9777-16FF9D813CAA} : DhcpNameServer = 10.131.1.15 10.131.1.59 10.101.224.52 10.101.224.181
TCP: Interfaces\{06C4AC5A-53E8-43CC-9777-16FF9D813CAA}\2303035364 : DhcpNameServer = 192.168.1.254 75.153.176.9
TCP: Interfaces\{06C4AC5A-53E8-43CC-9777-16FF9D813CAA}\23030353C4 : DhcpNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{06C4AC5A-53E8-43CC-9777-16FF9D813CAA}\5436C69607429542 : DhcpNameServer = 10.131.1.15 10.131.1.59 10.101.224.52 10.101.224.181
TCP: Interfaces\{06C4AC5A-53E8-43CC-9777-16FF9D813CAA}\F4E402E4F47502245616E6 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{829CCC39-CBEB-4C8C-97CA-011ADB61935A} : DhcpNameServer = 10.141.1.33 10.141.1.34 10.131.1.77 10.101.224.100
TCP: Interfaces\{9D82732A-BEEA-4171-A7E8-6EB94ACFFE15} : DhcpNameServer = 10.141.1.33 10.141.1.34 10.131.1.77 10.101.224.100
TCP: Interfaces\{EFB12861-64CB-4296-9F76-0B8D6D8B641C} : DhcpNameServer = 10.141.1.33 10.141.1.34 10.131.1.77 10.101.224.100
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Notify: SDWinLogon - SDWinLogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
LSA: Authentication Packages = msv1_0 wvauth
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Lync\OCHelper.dll
BHO-X64: Lync add-on BHO - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: WebEx Productivity Tools: {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Microsoft Web Test Recorder 10.0 Helper: {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
TB-X64: WebEx Productivity Tools: {90E2BA2E-DD1B-4cde-9134-7A8B86D33CA7} - C:\Program Files (x86)\WebEx\Productivity Tools\ptonecli.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
EB-X64: {5802D092-1784-4908-8CDB-99B6842D353D} - No File
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 nvpciflt;nvpciflt;C:\Windows\system32\DRIVERS\nvpciflt.sys --> C:\Windows\system32\DRIVERS\nvpciflt.sys [?]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\Windows\system32\DRIVERS\stdcfltn.sys --> C:\Windows\system32\DRIVERS\stdcfltn.sys [?]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys --> C:\Windows\system32\DRIVERS\klim6.sys [?]
R1 mozyentFilter;mozyentFilter;C:\Windows\system32\DRIVERS\mozyent.sys --> C:\Windows\system32\DRIVERS\mozyent.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2011-9-19 89600]
R2 AVP;Kaspersky Anti-Virus 6.0;C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe [2010-3-12 311680]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2011-5-13 1043872]
R2 Credential Vault Host Storage;Credential Vault Host Storage;C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2011-5-13 36768]
R2 GatewayAgent30;Allscripts Gateway Agent - 3.0;C:\Program Files (x86)\Allscripts Sunrise\Helios\3.0\Gateway\Eclipsys.Infrastructure.WindowsServices.exe [2011-3-22 32768]
R2 GatewayAgent60;Allscripts Gateway Agent - 6.0;C:\Program Files (x86)\Allscripts Sunrise\Helios\6.0\Gateway\Eclipsys.Infrastructure.WindowsServices.exe [2012-7-12 40960]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-9-19 13336]
R2 klnagent;Kaspersky Lab Network Agent;C:\Program Files (x86)\Kaspersky Lab\NetworkAgent 8\klnagent.exe [2010-10-20 141688]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-25 655944]
R2 mozyentbackup;MozyEnterprise Backup Service;C:\Program Files\MozyEnterprise\mozyentbackup.exe [2010-11-8 51536]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-9-19 2009704]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-7-24 1188896]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-7-24 1395736]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-2-2 378472]
R2 Wave Authentication Manager Service;Wave Authentication Manager Service;C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [2011-7-1 1600000]
R2 WDDMService;WD SmartWare Drive Manager Service;C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-13 129536]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 Acceler;Accelerometer Service;C:\Windows\system32\DRIVERS\Accelern.sys --> C:\Windows\system32\DRIVERS\Accelern.sys [?]
R3 cvusbdrv;Dell ControlVault;C:\Windows\system32\Drivers\cvusbdrv.sys --> C:\Windows\system32\Drivers\cvusbdrv.sys [?]
R3 dcdbas;System Management Driver;C:\Windows\system32\DRIVERS\dcdbas64.sys --> C:\Windows\system32\DRIVERS\dcdbas64.sys [?]
R3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;C:\Windows\system32\DRIVERS\e1c62x64.sys --> C:\Windows\system32\DRIVERS\e1c62x64.sys [?]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\Windows\system32\DRIVERS\klfltdev.sys --> C:\Windows\system32\DRIVERS\klfltdev.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 GatewayAgent31;Allscripts Gateway Agent - 3.1;"C:\Program Files (x86)\Allscripts Sunrise\Helios\3.1\Gateway\Eclipsys.Infrastructure.WindowsServices.exe" --> C:\Program Files (x86)\Allscripts Sunrise\Helios\3.1\Gateway\Eclipsys.Infrastructure.WindowsServices.exe [?]
S2 risdpcie;risdpcie;C:\Windows\system32\DRIVERS\risdpe64.sys --> C:\Windows\system32\DRIVERS\risdpe64.sys [?]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-7-24 166528]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-4-1 183560]
S3 btusbflt;Bluetooth USB Filter;C:\Windows\system32\drivers\btusbflt.sys --> C:\Windows\system32\drivers\btusbflt.sys [?]
S3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]
S3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 VSPerfDrv100;Performance Tools Driver 10.0;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-1-18 68440]
S3 VSPerfDrv90;Performance Tools Driver 9.0;C:\Program Files (x86)\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\x64\VSPerfDrv90.sys [2007-9-4 71024]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x64\msvsmon.exe [2005-9-23 4476096]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-07-25 17:35:41 -------- d-----w- C:\Users\maaldridge\AppData\Roaming\Malwarebytes
2012-07-25 17:35:36 -------- d-----w- C:\ProgramData\Malwarebytes
2012-07-25 17:35:35 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-07-25 17:35:35 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-25 14:22:42 479744 ----a-w- C:\Windows\SysWow64\RTFConv.dll
2012-07-25 05:05:51 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-07-25 05:05:23 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
2012-07-25 05:05:21 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2012-07-24 21:32:32 -------- d-----w- C:\Users\maaldridge\AppData\Local\visi_coupon
2012-07-24 21:30:28 -------- d-----w- C:\Program Files (x86)\Yahoo!
2012-07-24 20:54:06 -------- d-----w- C:\Users\maaldridge\AppData\Local\Microsoft_Corporation
2012-07-22 22:41:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-07-22 22:41:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-07-22 22:41:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-07-22 22:41:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-07-22 22:41:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-07-22 22:41:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-07-22 22:41:36 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-07-22 22:40:38 -------- d-----w- C:\Users\maaldridge\AppData\Local\Apple
2012-07-20 18:34:07 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-20 18:30:27 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-07-20 18:30:27 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
2012-07-20 18:30:27 212992 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll
2012-07-20 18:30:27 1499136 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2012-07-20 18:30:27 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-07-20 18:30:27 1019904 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2012-07-20 18:30:26 61440 ----a-w- C:\Program Files\Common Files\System\ado\msador15.dll
2012-07-20 18:30:26 57344 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msador15.dll
2012-07-20 18:30:26 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
2012-07-20 18:30:26 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
2012-07-20 18:30:26 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll
2012-07-20 18:30:26 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
2012-07-20 18:30:26 143360 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msjro.dll
2012-07-13 04:33:52 114176 ----a-w- C:\Windows\SysWow64\Eclipsys.Platform.LdapReader.dll
2012-07-12 22:16:32 -------- d--h--w- C:\Windows\AxInstSV
2012-07-03 16:27:51 209920 ----a-w- C:\Windows\System32\profsvc.dll
2012-07-03 16:27:48 3216384 ----a-w- C:\Windows\System32\msi.dll
2012-07-03 16:27:48 2342400 ----a-w- C:\Windows\SysWow64\msi.dll
2012-07-03 16:27:32 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-07-03 16:27:32 1462272 ----a-w- C:\Windows\System32\crypt32.dll
2012-07-03 16:27:32 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-07-03 16:27:32 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-07-03 16:27:32 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-07-03 16:27:32 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
.
==================== Find3M ====================
.
2012-07-23 16:55:30 328704 ----a-w- C:\Windows\System32\services.exe
2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-05-31 19:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-05-15 04:01:31 1188864 ----a-w- C:\Windows\System32\wininet.dll
2012-05-15 03:03:54 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-05-05 19:51:04 8769696 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-04-28 05:32:05 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll
2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
.
============= FINISH: 13:02:49.30 ===============
 
attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume2
Install Date: 4/11/2011 11:30:29 AM
System Uptime: 7/25/2012 12:07:08 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 032T9K
Processor: Intel(R) Core(TM) i5-2540M CPU @ 2.60GHz | CPU 1 | 2601/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 119 GiB total, 19.276 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Mass Storage Controller
Device ID: PCI\VEN_1217&DEV_8231&SUBSYS_04931028&REV_03\4&26B31A7F&0&01E5
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_1217&DEV_8231&SUBSYS_04931028&REV_03\4&26B31A7F&0&01E5
Service:
.
==== System Restore Points ===================
.
RP131: 7/24/2012 9:23:58 PM - Removed Sunrise Clinical Manager 6.0 Client (3521.0).
RP132: 7/24/2012 9:24:46 PM - Removed Sunrise Clinical Manager 6.0 Client (3522.0).
RP133: 7/24/2012 9:50:25 PM - Removed Sunrise Clinical Manager 6.0 Client (3530.0).
RP134: 7/24/2012 9:59:03 PM - Removed Sunrise Clinical Manager 6.0 Client (3531.0).
RP135: 7/25/2012 9:49:16 AM - Installed Sunrise Clinical Manager 6.0 Client (3533.0).
RP136: 7/25/2012 12:28:50 PM - Removed Adobe Reader 9.4.6.
.
==== Installed Programs ======================
.
.
AccelerometerP11
Allscripts Gateway 3.0 (777.0)
Allscripts Gateway 6.0
Allscripts TFS DatabaseStandards Policy
Bing Bar
BrettspielWelt
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Cisco WebEx Meeting Center for Internet Explorer
Cisco WebEx Meetings
Configuration Manager Client
Crystal Reports Basic for Visual Studio 2008
Crystal Reports for Visual Studio
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Client Configuration Toolkit
Dell Data Protection | Access
Dell Data Protection | Access | Drivers
Dell Data Protection | Access | Middleware
Dell Mobile Broadband Manager
Dell Security Device Driver Pack
Digital Line Detect
Dotfuscator Software Services - Community Edition
Eclipsys TFS ChangeSet Comments Policy
Eclipsys TFS DatabaseStandards Policy
Google Chrome
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
Hotfix for Microsoft Visual Studio Team System 2008 Development Edition - ENU (KB2465361)
Hotfix for Microsoft Visual Studio Team System 2008 Development Edition - ENU (KB2538241)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2280741)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2284668)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2295689)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2420513)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2452649)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2455033)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2485545)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982517)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982721)
Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB983233)
IDT Audio
Infragistics NetAdvantage 2006 Vol. 2 CLR 2.0 HotFix - Build.1079
Infragistics NetAdvantage for .NET 2006 Vol. 2 CLR 2.0
Infragistics NetAdvantage jQuery 2011.2
Infragistics NetAdvantage jQuery 2011.2 Samples
Infragistics NetAdvantage Reporting 2011.2
Infragistics NetAdvantage Reporting 2011.2 Samples
Infragistics NetAdvantage Silverlight 2011.2
Infragistics NetAdvantage Version Utility 2011.2
Infragistics NetAdvantage Windows Forms 2009.2
Infragistics NetAdvantage Windows Forms 2010.3
Infragistics NetAdvantage Windows Forms 2011.2
Infragistics NetAdvantage WPF 2009.2
Infragistics NetAdvantage WPF 2010.3
Infragistics NetAdvantage WPF 2011.2
Infragistics NetAdvantage WPF 2011.2 Samples
InstallVC90Support
Intel(R) Processor Graphics
Intel(R) Rapid Storage Technology
Intel(R) Turbo Boost Technology Driver
Java Auto Updater
Java(TM) 6 Update 29
join.me
Juniper Networks Network Connect 6.2.0
Juniper Networks Setup Client
Junk Mail filter update
Kaspersky Anti-Virus 6.0 for Windows Workstations
Kaspersky Lab Network Agent
MagicDisc 2.7.106
Malwarebytes Anti-Malware version 1.62.0.1300
Mesh Runtime
Messenger Companion
Microsoft .NET Compact Framework 1.0 SP3 Developer
Microsoft .NET Compact Framework 2.0 SP2
Microsoft .NET Compact Framework 3.5
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 2
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
Microsoft Conferencing Add-in for Microsoft Office Outlook
Microsoft Document Explorer 2005
Microsoft Document Explorer 2008
Microsoft Office 2003 Web Components
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2010 Language Pack Service Pack 1 (SP1)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Project MUI (English) 2010
Microsoft Office Project Professional 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
Microsoft Office Visio 2010
Microsoft Office Visio MUI (English) 2010
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (English) 2007
Microsoft Office Word MUI (English) 2010
Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit
Microsoft Project 2010 Service Pack 1 (SP1)
Microsoft Project Professional 2010
Microsoft Report Viewer Redistributable 2008 (KB971119)
Microsoft Report Viewer Redistributable 2008 SP1
Microsoft ReportViewer 2010 SP1 Redistributable
Microsoft Silverlight
Microsoft Silverlight 3 SDK
Microsoft Silverlight 4 SDK
Microsoft SQL Server 2005 Books Online (English)
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2008 R2 Data-Tier Application Framework
Microsoft SQL Server 2008 R2 Data-Tier Application Project
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 R2 Policies
Microsoft SQL Server 2008 R2 Transact-SQL Language Service
Microsoft SQL Server Compact 3.5 for Devices ENU
Microsoft SQL Server Compact 3.5 SP1 Design Tools English
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server Compact 3.5 SP2 Query Tools ENU
Microsoft SQL Server Database Publishing Wizard 1.3
Microsoft SQL Server Database Publishing Wizard 1.4
Microsoft SQL Server System CLR Types
Microsoft Sync Framework SDK v1.0 SP1
Microsoft Team Foundation Server 2010 Power Tools
Microsoft Visio 2010 Service Pack 1 (SP1)
Microsoft Visio Premium 2010
Microsoft Visual C++ Compilers 2010 Standard - enu - x86
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Runtime - 10.0.40219
Microsoft Visual F# 2.0 Runtime
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual SourceSafe 2005 - ENU
Microsoft Visual Studio 2005 Premier Partner Edition - ENU
Microsoft Visual Studio 2005 Premier Partner Edition - ENU Service Pack 1 (KB926601)
Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU
Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU Service Pack 1 (KB926601)
Microsoft Visual Studio 2005 Team Explorer - ENU
Microsoft Visual Studio 2005 Team Explorer - ENU Service Pack 1 (KB926601)
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2008 Remote Debugger - ENU Service Pack 1 (KB945140)
Microsoft Visual Studio 2008 Shell (integrated mode) - ENU
Microsoft Visual Studio 2008 Team Explorer - ENU
Microsoft Visual Studio 2008 Team Explorer - ENU Service Pack 1 (KB945140)
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Visual Studio 2010 Service Pack 1
Microsoft Visual Studio 2010 SharePoint Developer Tools
Microsoft Visual Studio 2010 Ultimate - ENU
Microsoft Visual Studio Macro Tools
Microsoft Visual Studio Team System 2008 Development Edition - ENU
Microsoft Visual Studio Team System 2008 Development Edition - ENU Service Pack 1 (KB945140)
Microsoft Visual Studio Test Professional 2010 - ENU
Microsoft Visual Studio Tools for Applications 2.0 - ENU
Microsoft Visual Studio Web Authoring Component
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Netwaiting
NVIDIA Stereoscopic 3D Driver
RICOH Media Driver ver.2.11.01.02
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2553322) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2553431) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Visio 2010 (KB2553374) 32-Bit Edition
Security Update for Microsoft Visio Viewer 2010 (KB2597981) 32-Bit Edition
Security Update for Microsoft Visual Studio 2005 Premier Partner Edition - ENU (KB2251481)
Security Update for Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU (KB2251481)
Security Update for Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU (KB2538218)
Security Update for Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU (KB2548826)
Security Update for Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU (KB937061)
Security Update for Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU (KB971023)
Security Update for Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU (KB973673)
Security Update for Microsoft Visual Studio Team System 2008 Development Edition - ENU (KB2251487)
Security Update for Microsoft Visual Studio Team System 2008 Development Edition - ENU (KB972222)
Security Update for Microsoft Visual Studio Team System 2008 Development Edition - ENU (KB973675)
SpecFlow 1.8.1
Spybot - Search & Destroy
Sunrise Clinical Manager 6.0 Client (3525.0)
Sunrise Clinical Manager 6.0 Client (3532.0)
Sunrise Clinical Manager 6.0 Client (3533.0)
Sunrise Clinical Manager 6.0 Services
Sunrise Prescription Writer 6.0 Client (3410)
Sunrise Prescription Writer 6.0 Client (3417)
Sunrise Prescription Writer 6.0 Client (3420)
Sunrise Prescription Writer 6.0 Client (3436)
Sunrise Prescription Writer 6.0 Client (3438)
Sunrise Prescription Writer 6.0 Client (3444)
Sunrise Prescription Writer 6.0 Client (3445)
Sunrise Prescription Writer 6.0 Client (3452)
Sunrise Prescription Writer 6.0 Client (3453)
Sunrise Prescription Writer 6.0 Client (3454)
Sunrise Prescription Writer 6.0 Client (3456)
Sunrise Prescription Writer 6.0 Client (3525)
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft Visual SourceSafe 2005 - ENU (KB943847)
Update for Microsoft Visual Studio 2005 Premier Partner Edition - ENU (KB932232)
Update for Microsoft Visual Studio 2005 Team Edition for Software Developers - ENU (KB932232)
Update for Microsoft Visual Studio 2005 Team Explorer - ENU (KB932232)
Update for Microsoft Visual Studio 2008 Team Explorer - ENU (KB974558)
Update for Microsoft Visual Studio Team System 2008 Development Edition - ENU (KB974558)
Update for Microsoft Visual Studio Web Authoring Component (KB945140)
VC Runtimes MSI
Visual C++ 2008 IA64 Runtime - (v9.0.30729)
Visual C++ 2008 IA64 Runtime - v9.0.30729.01
Visual C++ 2008 x64 Runtime - (v9.0.30729)
Visual C++ 2008 x64 Runtime - v9.0.30729.01
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - (v9.0.30729.4148)
Visual C++ 2008 x86 Runtime - (v9.0.30729.6161)
Visual C++ 2008 x86 Runtime - KB2465361 - (v9.0.30729.5570)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual C++ 2008 x86 Runtime - v9.0.30729.4148
Visual C++ 2008 x86 Runtime - v9.0.30729.5570
Visual C++ 2008 x86 Runtime - v9.0.30729.6161
Visual Studio 2005 Tools for Office Second Edition Runtime
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
Visual Studio Tools for the Office system 3.0 Runtime
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258)
WCF RIA Services V1.0 SP1
WebEx Productivity Tools
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Mobile 5.0 SDK R2 for Pocket PC
Windows Mobile 5.0 SDK R2 for Smartphone
WinMerge 2.12.4
WinZip 11.1
.
==== Event Viewer Messages From Past Week ========
.
7/25/2012 8:59:39 AM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 15:59:42.0000 7/25/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/25/2012 8:59:17 AM, Error: Service Control Manager [7031] - The Kaspersky Lab Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
7/25/2012 6:56:22 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
7/25/2012 12:39:09 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 19:39:11.0000 7/25/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/25/2012 12:09:56 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
7/25/2012 12:09:32 PM, Error: Service Control Manager [7000] - The Allscripts Gateway Agent - 3.1 service failed to start due to the following error: The system cannot find the file specified.
7/25/2012 12:08:21 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} and APPID {B292921D-AF50-400C-9B75-0C57A7F29BA1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
7/25/2012 12:07:24 PM, Error: Service Control Manager [7003] - The Spybot-S&D 2 Security Center Service service depends the following service: wscsvc. This service might not be installed.
7/25/2012 12:07:23 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
7/25/2012 12:07:23 PM, Error: Service Control Manager [7001] - The NTRU TSS v1.2.1.36 TCS service depends on the TPM Base Services service which failed to start because of the following error: The operation completed successfully.
7/25/2012 12:07:23 PM, Error: Service Control Manager [7000] - The risdpcie service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/25/2012 11:50:36 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
7/25/2012 11:50:35 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/25/2012 11:50:35 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/25/2012 11:50:34 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\bcmihvsrv64.dll Error Code: 21
7/25/2012 11:50:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TdmService with arguments "" in order to run the server: {2F723A84-FD6F-4C32-9477-391FA6EA0BB6}
7/25/2012 11:50:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
7/25/2012 11:50:16 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
7/25/2012 11:50:14 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache kl1 KLIF mozyentFilter spldr Wanarpv6
7/25/2012 11:50:14 AM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain CORPORATE due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
7/25/2012 11:50:14 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
7/25/2012 11:48:19 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
7/25/2012 11:47:12 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
7/25/2012 11:47:12 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
7/25/2012 11:46:58 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache kl1 KLIF KLIM6 mozyentFilter NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
7/25/2012 11:46:58 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/25/2012 11:46:58 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/25/2012 11:46:58 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
7/25/2012 11:46:58 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/25/2012 11:46:58 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/25/2012 11:46:58 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
7/25/2012 11:46:58 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/25/2012 11:46:58 AM, Error: Service Control Manager [7001] - The Netlogon service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
7/25/2012 11:46:58 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/25/2012 11:46:58 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/25/2012 10:42:46 AM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 17:42:54.0000 7/25/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/25/2012 10:41:18 AM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
7/25/2012 10:34:33 AM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 17:34:39.0000 7/25/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/24/2012 9:47:41 AM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 16:47:42.0000 7/24/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/24/2012 3:39:20 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 22:39:22.0000 7/24/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/24/2012 3:30:07 PM, Error: Service Control Manager [7023] - The WMI Performance Adapter service terminated with the following error: %%-2147467259
7/24/2012 3:27:59 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
7/24/2012 3:05:28 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 22:5:29.0000 7/24/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/24/2012 2:58:36 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 21:58:37.0000 7/24/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/24/2012 2:45:16 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {1CCB96F4-B8AD-4B43-9688-B273F58E0910} and APPID {AD65A69D-3831-40D7-9629-9B0B50A93843} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
7/24/2012 2:31:15 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} and APPID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user CORPORATE\maaldridge SID (S-1-5-21-73361282-1014109674-949316387-64872) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
7/24/2012 2:10:25 PM, Error: Service Control Manager [7023] - The Windows Time service terminated with the following error: A system shutdown is in progress.
7/24/2012 2:10:25 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: A system shutdown is in progress.
7/24/2012 2:10:25 PM, Error: Microsoft-Windows-Time-Service [46] - The time service encountered an error and was forced to shut down. The error was: 0x800706D3: The authentication service is unknown.
7/24/2012 2:10:25 PM, Error: Microsoft-Windows-Time-Service [4] - The time provider 'NtpClient' failed to start due to the following error: A system shutdown is in progress. (0x8007045B)
7/24/2012 2:10:25 PM, Error: BROWSER [8017] - The browser has failed to start because the dependent service LanmanWorkstation had invalid service status 4294967295. Status Meaning 1 Service Stopped 2 Start Pending 3 Stop Pending 4 Running 5 Continue Pending 6 Pause Pending 7 Paused
7/24/2012 2:10:24 PM, Error: Microsoft-Windows-Directory-Services-SAM [12291] - SAM failed to start the TCP/IP or SPX/IPX listening thread
7/24/2012 12:50:49 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 19:50:49.0000 7/24/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/24/2012 11:49:46 AM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 18:49:46.0000 7/24/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/24/2012 11:01:14 PM, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067] - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. .
7/24/2012 10:48:44 AM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 17:48:44.0000 7/24/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/24/2012 1:51:56 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 20:52:51.0000 7/24/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/23/2012 9:59:36 AM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 16:59:40.0000 7/23/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/23/2012 9:56:48 AM, Error: Service Control Manager [7023] - The UPnP Device Host service terminated with the following error: Access is denied.
7/23/2012 9:55:15 AM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Type with the following error: Access is denied.
7/23/2012 9:55:15 AM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.
7/23/2012 9:50:44 AM, Error: Schannel [36888] - The following fatal alert was generated: 48. The internal error state is 552.
7/23/2012 9:50:44 AM, Error: Schannel [36882] - The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.
7/23/2012 4:08:38 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 23:8:38.0000 7/23/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/23/2012 3:07:36 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 22:7:36.0000 7/23/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/23/2012 2:06:34 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 21:6:34.0000 7/23/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/23/2012 12:04:31 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 19:4:31.0000 7/23/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/23/2012 11:04:29 AM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 18:4:29.0000 7/23/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/23/2012 10:38:45 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 5:38:46.0000 7/24/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/23/2012 1:05:32 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 20:5:32.0000 7/23/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/22/2012 4:19:33 PM, Error: Schannel [36888] - The following fatal alert was generated: 43. The internal error state is 552.
7/22/2012 4:19:33 PM, Error: Schannel [36884] - The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is sipinternal.allscripts.com. The SSL connection request has failed. The attached data contains the server certificate.
7/20/2012 9:40:11 AM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 16:40:11.0000 7/20/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/20/2012 9:34:25 AM, Error: Microsoft-Windows-GroupPolicy [1110] - The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.
7/20/2012 4:19:43 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 23:19:59.0000 7/20/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/20/2012 3:40:01 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 22:40:17.0000 7/20/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/20/2012 2:38:15 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 21:38:15.0000 7/20/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/20/2012 11:42:41 AM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 18:43:7.0000 7/20/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/20/2012 11:09:39 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer CARAUSU-A-W7 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{06C4AC5A-53E8-43CC-9777-16FF9D813CAA}. The master browser is stopping or an election is being forced.
7/20/2012 10:41:42 AM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 17:41:41.0000 7/20/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/20/2012 1:50:53 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 20:50:53.0000 7/20/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/18/2012 9:44:19 AM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 16:44:18.0000 7/18/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/18/2012 9:44:10 AM, Error: Microsoft-Windows-GroupPolicy [1030] - The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
7/18/2012 4:09:52 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 23:9:50.0000 7/18/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/18/2012 3:08:31 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 22:8:26.0000 7/18/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/18/2012 12:46:22 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 19:46:23.0000 7/18/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/18/2012 12:35:31 AM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 7:35:31.0000 7/18/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/18/2012 11:45:19 AM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 18:46:1.0000 7/18/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/18/2012 10:45:02 AM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 17:45:3.0000 7/18/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
7/18/2012 1:47:04 PM, Error: Microsoft-Windows-Security-Kerberos [3] - A Kerberos Error Message was received: on logon session Client Time: Server Time: 20:47:13.0000 7/18/2012 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0) Client Realm: Client Name: Server Realm: CORP.ALLSCRIPTS.COM Server Name: HTTP/mail.allscripts.com Target Name: HTTP/mail.allscripts.com@CORP.ALLSCRIPTS.COM Error Text: File: 9 Line: f09 Error Data is in record data.
.
==== End Of File ===========================
 
Welcome aboard


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=====================================

  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

====================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
If the tools find a problem, do I let the tool delete it? Or just save and post the log? I did the latter (save and post the log) for now.

OK, I think the tools found the problem. It found the same strange dll in VS Revo group that shows up on VSTS debugger in an infinite loop when my in-house tool misbehaves. =)

RogueKiller

RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: maaldridge [Admin rights]
Mode: Scan -- Date: 07/25/2012 14:16:12
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 6 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : VS Revo Group (Rundll32.exe "C:\Users\maaldridge\AppData\Local\VS Revo Group\yzxxvcqk.dll",DllGetClassObject) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-73361282-1014109674-949316387-64872[...]\Run : VS Revo Group (Rundll32.exe "C:\Users\maaldridge\AppData\Local\VS Revo Group\yzxxvcqk.dll",DllGetClassObject) -> FOUND
[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\maaldridge\AppData\Local\{3135917d-3e18-e023-cb24-6460c7602ab6}\n.) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : c:\windows\installer\{3135917d-3e18-e023-cb24-6460c7602ab6}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{3135917d-3e18-e023-cb24-6460c7602ab6}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{3135917d-3e18-e023-cb24-6460c7602ab6}\L --> FOUND
[ZeroAccess][FILE] @ : c:\users\maaldridge\appdata\local\{3135917d-3e18-e023-cb24-6460c7602ab6}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\users\maaldridge\appdata\local\{3135917d-3e18-e023-cb24-6460c7602ab6}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\users\maaldridge\appdata\local\{3135917d-3e18-e023-cb24-6460c7602ab6}\L --> FOUND
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: SAMSUNG SSD PM810 2.5" 7 +++++
--- User ---
[MBR] 2caf7bcaae2b4b9a3f5fa1755922b811
[BSP] 4fdbde7ae31e3d616b3d07f30ae6a9c6 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 121793 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 249434112 | Size: 300 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
RKreport[1].txt

=======================
aswMBR

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-25 14:19:01
-----------------------------
14:19:01.707 OS Version: Windows x64 6.1.7601 Service Pack 1
14:19:01.707 Number of processors: 4 586 0x2A07
14:19:01.707 ComputerName: ALDRIDGE-M-W7 UserName: maaldridge
14:19:02.051 Initialize success
14:19:56.839 AVAST engine defs: 12072501
14:21:03.708 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
14:21:03.708 Disk 0 Vendor: SAMSUNG_ AXM0 Size: 122104MB BusType: 8
14:21:03.708 Disk 0 MBR read successfully
14:21:03.723 Disk 0 MBR scan
14:21:03.739 Disk 0 Windows 7 default MBR code
14:21:03.739 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 121793 MB offset 2048
14:21:03.770 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 300 MB offset 249434112
14:21:03.786 Disk 0 scanning C:\Windows\system32\drivers
14:21:09.263 Service scanning
14:21:23.229 Modules scanning
14:21:23.229 Disk 0 trace - called modules:
14:21:23.229 ntoskrnl.exe CLASSPNP.SYS disk.sys stdcfltn.sys iaStor.sys hal.dll
14:21:23.229 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005d99060]
14:21:23.229 3 CLASSPNP.SYS[fffff88001a6c43f] -> nt!IofCallDriver -> [0xfffffa8005c9b9a0]
14:21:23.244 5 stdcfltn.sys[fffff88001da4c52] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004bac050]
14:21:23.635 AVAST engine scan C:\Windows
14:21:24.462 AVAST engine scan C:\Windows\system32
14:24:48.496 AVAST engine scan C:\Windows\system32\drivers
14:24:56.079 AVAST engine scan C:\Users\maaldridge
14:25:33.507 File: C:\Users\maaldridge\AppData\Local\VS Revo Group\yzxxvcqk.dll **INFECTED** Win32:Downloader-PQL [Trj]
14:25:47.174 File: C:\Users\maaldridge\Desktop\RK_Quarantine\yzxxvcqk.dll.vir **INFECTED** Win32:Downloader-PQL [Trj]
14:26:03.789 AVAST engine scan C:\ProgramData
14:27:24.699 Scan finished successfully
14:29:30.573 Disk 0 MBR has been saved successfully to "C:\Users\maaldridge\Desktop\MBR.dat"
14:29:30.573 The log file has been saved successfully to "C:\Users\maaldridge\Desktop\aswMBR.txt"
 
OK, I haven't "fixed" or "deleted" anything, but I see a change in behaviour.
Certain websites are crashing in IE, and it closes the tab.

I get the following error message
-----------------------------------------------
Internet Explorer has stopped working.

A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.
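The RogueKiller report above is a compact picture of how this infection persists, and it is worth being explicit about why each flagged entry matters: a Run value that calls rundll32 on a DLL sitting in AppData\Local (the "VS Revo Group" entry), a COM InprocServer32 registration redirected into a {GUID} folder in the profile (so any process that instantiates that CLSID loads the malware, which is consistent with the in-house tool spawning IE), and the "@" file plus "U" and "L" folders mirrored under C:\Windows\Installer and %LOCALAPPDATA%. The following Python script is an added example for this thread, not RogueKiller's code and not something the posters ran: it parses report lines in the format shown above and applies those three checks. SAMPLE_REPORT is constructed from the lines posted above; the regexes, the list of user-writable locations and the Finding names are this example's own assumptions.

```python
"""Triage RogueKiller-style report lines for ZeroAccess persistence indicators.

Added example for this thread; not RogueKiller's code. SAMPLE_REPORT is built
from the registry and file lines in the RKreport posted above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# {8-4-4-4-12} hex GUID, matched case-insensitively and normalised to lower case.
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# Locations a standard user can write to (assumed list). A Run value or COM
# server loaded from here is suspicious: installed software lives under Program Files.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\programdata\\")

# "[TAG][SUB] key : value -> FOUND"; the report writes "->" for registry hits
# and "-->" for file hits, so one or more dashes are accepted.
LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\](?:\[(?P<sub>[^\]]+)\])?\s*(?P<key>.*?)\s*:\s*(?P<rest>.*?)\s*-+>\s*FOUND\s*$"
)
VALUE_RE = re.compile(r"^(?P<name>.*?)\s*\((?P<data>.*)\)$")  # 'Name (data)'
QUOTED_PATH_RE = re.compile(r'"([^"]+)"')


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    guid: Optional[str] = None


def _guid_in(path: str) -> Optional[str]:
    m = GUID_RE.search(path)
    return m.group(0).lower() if m else None


def _user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def _check_registry(key: str, rest: str) -> Optional[Finding]:
    m = VALUE_RE.match(rest)
    if not m:
        return None
    data, low_key = m.group("data"), key.lower()
    # Check 1: a Run value that launches rundll32 on a DLL in the user profile.
    if low_key.endswith("\\run") and "rundll32" in data.lower():
        quoted = QUOTED_PATH_RE.search(data)
        dll = quoted.group(1) if quoted else data.split(",", 1)[0].split(" ", 1)[-1]
        if _user_writable(dll):
            return Finding("Run value loads DLL through rundll32 from user-writable path", dll, _guid_in(dll))
    # Check 2: a COM InprocServer32 entry redirected into a {GUID} folder in the profile.
    if low_key.endswith("inprocserver32") and _user_writable(data) and _guid_in(data):
        return Finding("COM InprocServer32 hijack into profile {GUID} folder", data, _guid_in(data))
    return None


def _check_file(path: str) -> Optional[Finding]:
    # Check 3: the '@' file and the 'U' / 'L' folders under a {GUID} directory.
    guid = _guid_in(path)
    leaf = path.rstrip("\\").rsplit("\\", 1)[-1]
    if guid and leaf in ("@", "U", "L"):
        return Finding("ZeroAccess-style {GUID}\\@ U L store", path, guid)
    return None


def triage(report: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sub, key, rest = m.group("sub"), m.group("key"), m.group("rest")
        hit = _check_file(rest) if sub in ("FILE", "FOLDER") else _check_registry(key, rest)
        if hit:
            findings.append(hit)
    return findings


def zeroaccess_guids(findings: List[Finding]) -> Set[str]:
    """Distinct {GUID} folders tying the COM hijack and the file store together."""
    return {f.guid for f in findings if f.guid}


# Constructed from the report lines in the thread (one unrelated [HJ] line kept
# to show that ordinary hijack entries are not flagged by these three checks).
SAMPLE_REPORT = r"""
[SUSP PATH] HKCU\[...]\Run : VS Revo Group (Rundll32.exe "C:\Users\maaldridge\AppData\Local\VS Revo Group\yzxxvcqk.dll",DllGetClassObject) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-73361282-1014109674-949316387-64872[...]\Run : VS Revo Group (Rundll32.exe "C:\Users\maaldridge\AppData\Local\VS Revo Group\yzxxvcqk.dll",DllGetClassObject) -> FOUND
[ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\maaldridge\AppData\Local\{3135917d-3e18-e023-cb24-6460c7602ab6}\n.) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[ZeroAccess][FILE] @ : c:\windows\installer\{3135917d-3e18-e023-cb24-6460c7602ab6}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{3135917d-3e18-e023-cb24-6460c7602ab6}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{3135917d-3e18-e023-cb24-6460c7602ab6}\L --> FOUND
[ZeroAccess][FILE] @ : c:\users\maaldridge\appdata\local\{3135917d-3e18-e023-cb24-6460c7602ab6}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\users\maaldridge\appdata\local\{3135917d-3e18-e023-cb24-6460c7602ab6}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\users\maaldridge\appdata\local\{3135917d-3e18-e023-cb24-6460c7602ab6}\L --> FOUND
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_REPORT)
    for h in hits:
        print(f"{h.kind}: {h.path}")
    print("GUID folders:", ", ".join(sorted(zeroaccess_guids(hits))))
```

The point of grouping by GUID is that the COM hijack and the two file stores share one folder name; seeing the same {GUID} in both the registry and the file-system hits is what lets a report like this be called one infection rather than three unrelated findings. Note that the "n." trailing-dot filename in the InprocServer32 entry is left exactly as the report prints it; a name ending in a dot is hard to open or delete with normal Win32 tools, which is part of why the helper moves the cleanup to the offline recovery environment.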
 
If the tools find a problem, do I let the tool delete it? Or just save and post the log? I did the latter (save and post the log) for now.
Never go beyond my instructions.
You did just fine.

We have ZeroAccess rootkit infection there.

For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Next...

Re-run FRST again.
Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes to your reply.

I'll expect two logs:
- FRST.txt
- Search.txt
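The reason for the separate "Search: services.exe" step is not spelled out above: the ZeroAccess variant circulating at the time patched the live C:\Windows\System32\services.exe on x64 Windows 7, and the search lists every copy of that file on the disk so the live one can be compared with the untouched servicing copies under WinSxS. The script below is an added example for this thread, not part of FRST and not something the posters ran; it does that comparison from file hashes, taking the most common hash as the baseline and reporting copies that differ. SAMPLE_COPIES, its paths and its byte contents are constructed stand-ins, and the WinSxS folder names are placeholders, not real component names. One caveat a practitioner should keep in mind: a services.exe updated by a hotfix will also differ from older WinSxS copies, so an outlier is a lead to confirm against the file version and Authenticode signature, not proof of tampering on its own.

```python
"""Hash every copy of one system binary and flag the copy that differs.

Added example for this thread, not part of FRST. SAMPLE_COPIES stands in for
the on-disk copies; its paths and contents are constructed.
"""
import hashlib
from collections import Counter
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Chunked SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def collect_copies(root: Path, name: str) -> Dict[str, str]:
    """On-disk equivalent of the Search step: hash every file called `name` below `root`."""
    return {str(p): sha256_file(p) for p in root.rglob(name) if p.is_file()}


def outlier_copies(copy_hashes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Take the most common hash as the baseline; return (baseline, paths that differ).

    Majority vote only works with at least two pristine copies, which is the
    normal case on a serviced Windows 7 install (WinSxS keeps each version).
    """
    if not copy_hashes:
        return "", []
    baseline = Counter(copy_hashes.values()).most_common(1)[0][0]
    return baseline, sorted(p for p, h in copy_hashes.items() if h != baseline)


def live_copy_is_outlier(copy_hashes: Dict[str, str],
                         live_dir: str = "c:\\windows\\system32\\") -> bool:
    """True when the copy in the live system directory is among the outliers."""
    _, outliers = outlier_copies(copy_hashes)
    return any(p.lower().startswith(live_dir.lower()) for p in outliers)


# Constructed stand-ins for file contents: the two servicing copies match, the
# live System32 copy has a modified region, as a patched services.exe would.
CLEAN_IMAGE = b"MZ\x90\x00" + b"services.exe 6.1.7601.17514 clean image " * 16
PATCHED_IMAGE = CLEAN_IMAGE[:64] + b"<patched entry stub>" + CLEAN_IMAGE[84:]

SAMPLE_COPIES = {  # placeholder paths, not real WinSxS component names
    r"C:\Windows\System32\services.exe": PATCHED_IMAGE,
    r"C:\Windows\winsxs\amd64_servicecontroller_6.1.7601.17514_a\services.exe": CLEAN_IMAGE,
    r"C:\Windows\winsxs\amd64_servicecontroller_6.1.7601.17514_b\services.exe": CLEAN_IMAGE,
}
SAMPLE_HASHES = {path: sha256_bytes(data) for path, data in SAMPLE_COPIES.items()}


if __name__ == "__main__":
    baseline, odd = outlier_copies(SAMPLE_HASHES)
    print("baseline sha256:", baseline)
    for path in odd:
        print("differs from baseline:", path)
    print("live copy suspect:", live_copy_is_outlier(SAMPLE_HASHES))
```

On a real machine, `collect_copies(Path("C:/Windows"), "services.exe")` from the recovery environment (where the live file is not in use and a user-mode rootkit cannot filter the directory listing) gives the same dictionary that SAMPLE_HASHES stands in for here.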
 
Do I do both the following? Or just one?
1. To enter System Recovery Options from the Advanced Boot Options:
2. To enter System Recovery Options by using Windows installation disc:
 
OK, so I cannot run System Recovery tool until tomorrow when the IT guy comes back with the administrator password. The help desk won't give it to me over the phone.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • My machine prompted me for an administrator password to use the command prompt => So I am stuck until tomorrow morning. :'(
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next
I did some reading on the ZeroAccess toolkit. Seems like the Farbar approach is method 3 below. Do you recommend any of method 2? I suppose method 1 didn't work for me.
Does it matter that I downloaded the tool from my infected computer onto the USB stick?
Is the tool on the USB stick bad? :eek:
http://www.2-viruses.com/remove-zeroaccess-rootkit
 
frst.txt

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 26-07-2012 10:10:38
Running from F:\
Windows 7 Enterprise (X64) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [611192 2011-07-20] (Alps Electric Co., Ltd.)
HKLM\...\Run: [FreeFallProtection] C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2010-12-15] ()
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2010-12-07] (IDT, Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167960 2011-01-14] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [391704 2011-01-14] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [418328 2011-01-14] (Intel Corporation)
HKLM\...\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start [312936 2011-02-02] (NVIDIA Corporation)
HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet [1875048 2010-12-30] ()
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [6492672 2011-01-18] (Dell Inc.)
HKLM\...\Run: [TdmNotify] C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe [257392 2011-05-27] (Wave Systems Corp.)
HKLM\...\Run: [MsmqIntCert] regsvr32 /s mqrt.dll [x]
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe" [311680 2010-03-12] (Kaspersky Lab)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Communicator] "C:\Program Files (x86)\Microsoft Lync\communicator.exe" /fromrunkey [11937552 2010-10-22] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
HKLM-x32\...\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [3921432 2012-07-04] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKU\Administrator\...\Run: [WirelessManager] "C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe" [20480 2011-02-11] (Ericsson AB)
HKU\maaldridge\...\Run: [Google Update] "C:\Users\maaldridge\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-12-12] (Google Inc.)
HKU\maaldridge\...\Run: [VS Revo Group] Rundll32.exe "C:\Users\maaldridge\AppData\Local\VS Revo Group\yzxxvcqk.dll",DllGetClassObject [1054720 2012-02-05] (VSoft Technologies Pty Ltd)
HKU\maaldridge\...\Run: [Spybot-S&D Cleaning] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean [3527176 2012-07-04] (Safer-Networking Ltd.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.141.1.33 10.141.1.34 10.131.1.77 10.101.224.100
Lsa: [Authentication Packages] msv1_0
wvauth
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files (x86)\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\Users\All Users\Start Menu\Programs\Startup\MozyEnterprise Status.lnk
ShortcutTarget: MozyEnterprise Status.lnk -> C:\Program Files\MozyEnterprise\mozyentstat.exe (EMC Corporation)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\WDDMStatus.lnk
ShortcutTarget: WDDMStatus.lnk -> C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (WDC)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\WDSmartWare.lnk
ShortcutTarget: WDSmartWare.lnk -> C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe (Western Digital)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
ShortcutTarget: WinZip Quick Pick.lnk -> C:\Program Files (x86)\WinZip\WZQKPICK.EXE (WinZip Computing, S.L.)
Startup: C:\Users\maaldridge\Start Menu\Programs\Startup\MagicDisc.lnk
ShortcutTarget: MagicDisc.lnk -> C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
==================== Services (Whitelisted) ======
2 AVP; "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe" -r [311680 2010-03-12] (Kaspersky Lab)
2 GatewayAgent30; "C:\Program Files (x86)\Allscripts Sunrise\Helios\3.0\Gateway\Eclipsys.Infrastructure.WindowsServices.exe" [32768 2011-03-22] (Allscripts Healthcare Solutions, Inc.)
2 GatewayAgent60; "C:\Program Files (x86)\Allscripts Sunrise\Helios\6.0\Gateway\Eclipsys.Infrastructure.WindowsServices.exe" [40960 2012-07-12] (Allscripts Healthcare Solutions, Inc.)
2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
2 klnagent; "C:\Program Files (x86)\Kaspersky Lab\NetworkAgent 8\klnagent.exe" [141688 2010-10-20] (Kaspersky Lab ZAO)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 mozyentbackup; "C:\Program Files\MozyEnterprise\mozyentbackup.exe" [51536 2010-11-08] (EMC Corporation)
2 MSMQ; C:\Windows\System32\mqsvc.exe [9216 2009-07-13] (Microsoft Corporation)
4 msvsmon90; "C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe" /service msvsmon90 [4737024 2008-07-29] (Microsoft Corporation)
2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1188896 2012-07-04] (Safer-Networking Ltd.)
2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1395736 2012-07-04] (Safer-Networking Ltd.)
2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [166528 2012-03-22] (Safer-Networking Ltd.)
2 tcsd_win32.exe; "C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe" [1633280 2011-02-17] ()
2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [397824 2010-11-20] (Microsoft Corporation)
2 Wave Authentication Manager Service; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [1600000 2011-07-01] (Wave Systems Corp.)
2 GatewayAgent31; "C:\Program Files (x86)\Allscripts Sunrise\Helios\3.1\Gateway\Eclipsys.Infrastructure.WindowsServices.exe" [x]
========================== Drivers (Whitelisted) =============
3 dcdbas; C:\Windows\System32\DRIVERS\dcdbas64.sys [38472 2010-11-25] (Dell Inc.)
3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdX64.sys [29184 2008-06-05] (Juniper Networks)
3 e1kexpress; C:\Windows\System32\DRIVERS\e1k62x64.sys [293552 2009-11-06] (Intel Corporation)
1 kl1; C:\Windows\System32\Drivers\kl1.sys [157712 2009-11-11] (Kaspersky Lab)
3 KLFLTDEV; C:\Windows\System32\Drivers\KLFLTDEV.sys [30736 2009-09-03] (Kaspersky Lab)
1 KLIF; C:\Windows\System32\Drivers\KLIF.sys [268376 2011-04-11] (Kaspersky Lab)
1 KLIM6; C:\Windows\System32\Drivers\KLIM6.sys [27736 2011-04-11] (Kaspersky Lab ZAO)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
1 mozyentFilter; C:\Windows\System32\DRIVERS\mozyent.sys [66552 2011-08-16] (Mozy, Inc.)
3 MQAC; C:\Windows\System32\Drivers\MQAC.sys [189440 2009-07-13] (Microsoft Corporation)
3 prepdrvr; \??\C:\Windows\SysWOW64\CCM\prepdrv.sys [26992 2009-09-18] (Microsoft Corporation)
3 VSPerfDrv90; \??\C:\Program Files (x86)\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\x64\VSPerfDrv90.sys [71024 2007-09-04] (Microsoft Corporation)
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-07-26 10:07 - 2012-07-26 10:07 - 00000000 ____D C:\FRST
2012-07-25 13:29 - 2012-07-25 13:29 - 00002189 ____A C:\Users\maaldridge\Desktop\aswMBR.txt
2012-07-25 13:29 - 2012-07-25 13:29 - 00000512 ____A C:\Users\maaldridge\Desktop\MBR.dat
2012-07-25 13:18 - 2012-07-25 13:18 - 04731392 ____A (AVAST Software) C:\Users\maaldridge\Desktop\aswMBR.exe
2012-07-25 13:16 - 2012-07-25 13:16 - 00002377 ____A C:\Users\maaldridge\Desktop\RKreport[1].txt
2012-07-25 13:15 - 2012-07-25 13:16 - 00000000 ____D C:\Users\maaldridge\Desktop\RK_Quarantine
2012-07-25 13:15 - 2012-07-25 13:15 - 01552384 ____A C:\Users\maaldridge\Desktop\RogueKiller.exe
2012-07-25 11:09 - 2012-07-25 11:09 - 00607260 ____R (Swearware) C:\Users\maaldridge\Desktop\dds.scr
2012-07-25 11:06 - 2012-07-25 11:06 - 00000000 ____A C:\Users\maaldridge\Desktop\t6de78yz.reg
2012-07-25 11:06 - 2012-07-25 11:06 - 00000000 ____A C:\Users\maaldridge\Desktop\t6de78yz.bat
2012-07-25 10:48 - 2012-07-25 11:05 - 00000619 ____A C:\Users\maaldridge\Desktop\gmer.log
2012-07-25 10:27 - 2012-07-25 10:27 - 00302592 ____A C:\Users\maaldridge\Desktop\t6de78yz.exe
2012-07-25 09:35 - 2012-07-25 09:35 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\maaldridge\Desktop\mbam-setup-1.62.0.1300.exe
2012-07-25 09:35 - 2012-07-25 09:35 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-25 09:35 - 2012-07-25 09:35 - 00000000 ____D C:\Users\maaldridge\AppData\Roaming\Malwarebytes
2012-07-25 09:35 - 2012-07-25 09:35 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-07-25 09:35 - 2012-07-25 09:35 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-25 09:35 - 2012-07-03 12:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-25 09:19 - 2012-07-25 09:19 - 00007597 ____A C:\Users\maaldridge\AppData\Local\Resmon.ResmonCfg
2012-07-25 08:56 - 2012-07-26 08:45 - 00001164 ____A C:\Windows\setupact.log
2012-07-25 06:22 - 2012-07-25 06:22 - 00479744 ____A (Allscripts Healthcare Solutions, Inc.) C:\Windows\SysWOW64\RTFConv.dll
2012-07-24 22:20 - 2012-07-24 22:20 - 00000000 ____D C:\Users\maaldridge\Documents\ProcAlyzer Dumps
2012-07-24 21:25 - 2012-07-24 21:25 - 00000121 ____A C:\Windows\wininit.ini
2012-07-24 21:05 - 2012-07-24 22:34 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2012-07-24 21:05 - 2012-07-24 22:25 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
2012-07-24 21:05 - 2012-07-24 21:05 - 00002179 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2012-07-24 21:05 - 2009-01-25 12:14 - 00017272 ____A (Safer Networking Limited) C:\Windows\System32\sdnclean64.exe
2012-07-24 19:34 - 2012-07-24 19:36 - 40095152 ___AH C:\Users\maaldridge\Documents\sdo_gb.pdf.2d92.part
2012-07-24 13:32 - 2012-07-24 13:32 - 00000000 ____D C:\Users\maaldridge\AppData\Local\visi_coupon
2012-07-24 13:30 - 2012-07-24 13:34 - 00000000 ____D C:\Users\All Users\Yahoo!
2012-07-24 13:30 - 2012-07-24 13:34 - 00000000 ____D C:\Program Files (x86)\Yahoo!
2012-07-24 12:54 - 2012-07-24 12:54 - 00000000 ____D C:\Users\maaldridge\AppData\Local\Microsoft_Corporation
2012-07-23 08:59 - 2012-07-23 08:59 - 00000000 ____D C:\Users\maaldridge\AppData\Roaming\Apple Computer
2012-07-22 14:41 - 2012-07-24 13:35 - 00000000 ____D C:\Program Files (x86)\QuickTime
2012-07-22 14:40 - 2012-07-22 14:40 - 00000000 ____D C:\Users\maaldridge\AppData\Local\Apple
2012-07-22 14:40 - 2012-07-22 14:40 - 00000000 ____D C:\Users\All Users\Apple
2012-07-20 10:34 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-20 10:33 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-20 10:33 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-20 10:33 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-20 10:33 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-20 10:33 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-20 10:33 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-20 10:33 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-20 10:33 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-20 10:33 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-20 10:33 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-20 10:33 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-20 10:33 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-20 10:33 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-20 10:33 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-07-20 10:33 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-07-20 10:33 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-20 10:33 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2012-07-20 10:30 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-20 10:30 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-07-12 20:33 - 2012-07-12 20:33 - 00114176 ____A (Allscripts Healthcare Solutions, Inc.) C:\Windows\SysWOW64\Eclipsys.Platform.LdapReader.dll
2012-07-12 14:16 - 2012-07-12 14:18 - 00000000 ___HD C:\Windows\AxInstSV
2012-07-11 10:53 - 2012-07-11 10:53 - 00000000 ____A C:\Windows\BulkUnld.INI
2012-07-03 08:27 - 2012-04-30 21:40 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-07-03 08:27 - 2012-04-23 21:37 - 01462272 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-07-03 08:27 - 2012-04-23 21:37 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-07-03 08:27 - 2012-04-23 21:37 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-07-03 08:27 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-07-03 08:27 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-07-03 08:27 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-07-03 08:27 - 2012-04-16 21:31 - 00918016 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-03 08:27 - 2012-04-16 20:34 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-07-03 08:27 - 2012-04-07 04:31 - 03216384 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
2012-07-03 08:27 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2012-06-28 12:26 - 2012-06-28 12:26 - 03065187 ____A C:\Users\maaldridge\Documents\TheStepsOfAgile.AgileBill.1103a.pptx
============ 3 Months Modified Files ========================
2012-07-26 09:04 - 2011-04-11 10:29 - 01060961 ____A C:\Windows\WindowsUpdate.log
2012-07-26 08:54 - 2009-07-13 21:13 - 00871340 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-26 08:52 - 2009-07-13 20:45 - 00012608 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-26 08:52 - 2009-07-13 20:45 - 00012608 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-26 08:46 - 2011-04-12 08:17 - 00000462 ____A C:\Windows\SMSCFG.ini
2012-07-26 08:45 - 2012-07-25 08:56 - 00001164 ____A C:\Windows\setupact.log
2012-07-26 08:45 - 2011-10-18 13:10 - 00001960 ____A C:\Windows\System32\config\netlogon.ftl
2012-07-26 08:45 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-25 14:43 - 2011-12-12 10:08 - 00000928 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73361282-1014109674-949316387-64872UA.job
2012-07-25 13:29 - 2012-07-25 13:29 - 00002189 ____A C:\Users\maaldridge\Desktop\aswMBR.txt
2012-07-25 13:29 - 2012-07-25 13:29 - 00000512 ____A C:\Users\maaldridge\Desktop\MBR.dat
2012-07-25 13:18 - 2012-07-25 13:18 - 04731392 ____A (AVAST Software) C:\Users\maaldridge\Desktop\aswMBR.exe
2012-07-25 13:16 - 2012-07-25 13:16 - 00002377 ____A C:\Users\maaldridge\Desktop\RKreport[1].txt
2012-07-25 13:15 - 2012-07-25 13:15 - 01552384 ____A C:\Users\maaldridge\Desktop\RogueKiller.exe
2012-07-25 12:22 - 2010-11-20 14:04 - 00165874 ____A C:\Windows\PFRO.log
2012-07-25 11:09 - 2012-07-25 11:09 - 00607260 ____R (Swearware) C:\Users\maaldridge\Desktop\dds.scr
2012-07-25 11:06 - 2012-07-25 11:06 - 00000000 ____A C:\Users\maaldridge\Desktop\t6de78yz.reg
2012-07-25 11:06 - 2012-07-25 11:06 - 00000000 ____A C:\Users\maaldridge\Desktop\t6de78yz.bat
2012-07-25 11:05 - 2012-07-25 10:48 - 00000619 ____A C:\Users\maaldridge\Desktop\gmer.log
2012-07-25 10:27 - 2012-07-25 10:27 - 00302592 ____A C:\Users\maaldridge\Desktop\t6de78yz.exe
2012-07-25 09:35 - 2012-07-25 09:35 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\maaldridge\Desktop\mbam-setup-1.62.0.1300.exe
2012-07-25 09:35 - 2012-07-25 09:35 - 00001115 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-25 09:19 - 2012-07-25 09:19 - 00007597 ____A C:\Users\maaldridge\AppData\Local\Resmon.ResmonCfg
2012-07-25 08:43 - 2011-12-12 10:08 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73361282-1014109674-949316387-64872Core.job
2012-07-25 06:22 - 2012-07-25 06:22 - 00479744 ____A (Allscripts Healthcare Solutions, Inc.) C:\Windows\SysWOW64\RTFConv.dll
2012-07-24 21:25 - 2012-07-24 21:25 - 00000121 ____A C:\Windows\wininit.ini
2012-07-24 21:05 - 2012-07-24 21:05 - 00002179 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2012-07-24 19:36 - 2012-07-24 19:34 - 40095152 ___AH C:\Users\maaldridge\Documents\sdo_gb.pdf.2d92.part
2012-07-24 13:35 - 2011-10-18 13:16 - 00040165 _RASH C:\Users\All Users\ntuser.pol
2012-07-24 09:53 - 2010-11-08 12:18 - 00004142 ____A C:\Windows\mozyent.blk
2012-07-24 09:53 - 2010-11-08 12:18 - 00003748 ____A C:\Windows\mozyent.flt
2012-07-23 08:55 - 2009-07-13 15:19 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-23 08:50 - 2011-04-11 10:34 - 00153053 ____A C:\Windows\System32\Drivers\klin.dat
2012-07-23 08:50 - 2011-04-11 10:34 - 00107384 ____A C:\Windows\System32\Drivers\klick.dat
2012-07-20 13:37 - 2011-10-19 08:32 - 00011278 _RASH C:\Users\maaldridge\ntuser.pol
2012-07-20 13:36 - 2009-07-13 20:45 - 00423888 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-20 10:31 - 2010-11-20 13:53 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-13 15:25 - 2011-10-25 09:21 - 00002006 ___AH C:\Users\maaldridge\Documents\Default.rdp
2012-07-13 14:13 - 2011-12-12 10:09 - 00002390 ____A C:\Users\maaldridge\Desktop\Google Chrome.lnk
2012-07-12 20:33 - 2012-07-12 20:33 - 00114176 ____A (Allscripts Healthcare Solutions, Inc.) C:\Windows\SysWOW64\Eclipsys.Platform.LdapReader.dll
2012-07-11 10:53 - 2012-07-11 10:53 - 00000000 ____A C:\Windows\BulkUnld.INI
2012-07-03 12:46 - 2012-07-25 09:35 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-03 08:27 - 2011-04-12 08:17 - 00865556 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-28 12:26 - 2012-06-28 12:26 - 03065187 ____A C:\Users\maaldridge\Documents\TheStepsOfAgile.AgileBill.1103a.pptx
2012-06-20 11:41 - 2012-06-20 11:41 - 00000937 ____A C:\Users\maaldridge\Desktop\join.me.lnk
2012-06-18 11:17 - 2012-06-18 11:17 - 648568960 ____A C:\Windows\MEMORY.DMP
2012-06-18 11:17 - 2012-06-18 11:17 - 00270416 ____A C:\Windows\Minidump\061812-13540-01.dmp
2012-06-11 19:08 - 2012-07-20 10:34 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-11 14:03 - 2011-04-14 07:16 - 00000411 ____A C:\Windows\ODBC.INI
2012-06-08 21:43 - 2012-07-20 10:33 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-20 10:33 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-20 10:33 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-20 10:33 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-20 10:30 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-20 10:33 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-20 10:33 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-20 10:30 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-12 08:26 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-12 08:26 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-12 08:26 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-12 08:25 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-12 08:25 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:19 - 2012-06-12 08:25 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-12 08:26 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-12 08:25 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:15 - 2012-06-12 08:25 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 21:50 - 2012-07-20 10:33 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-20 10:33 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-20 10:33 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-20 10:33 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-20 10:33 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-20 10:33 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-20 10:33 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-20 10:33 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-20 10:33 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-31 11:25 - 2010-11-20 13:17 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-05-14 20:01 - 2012-06-21 08:51 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-14 19:59 - 2012-06-21 08:51 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-14 19:03 - 2012-06-21 08:51 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-14 19:00 - 2012-06-21 08:51 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-14 11:09 - 2012-05-10 14:45 - 00000123 ____A C:\Users\maaldridge\Desktop\Microsoft Fix it.url
2012-05-05 11:51 - 2012-04-13 12:25 - 08769696 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-05-04 03:06 - 2012-06-13 21:01 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 02:03 - 2012-06-13 21:01 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:03 - 2012-06-13 21:01 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-04-30 21:40 - 2012-07-03 08:27 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-30 20:35 - 2012-04-30 20:35 - 00001002 ____A C:\Users\maaldridge\Desktop\BrettspielWelt.lnk
2012-04-30 10:19 - 2011-04-12 08:15 - 00111728 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT

ZeroAccess:
C:\Windows\Installer\{3135917d-3e18-e023-cb24-6460c7602ab6}
C:\Windows\Installer\{3135917d-3e18-e023-cb24-6460c7602ab6}\@
C:\Windows\Installer\{3135917d-3e18-e023-cb24-6460c7602ab6}\L
C:\Windows\Installer\{3135917d-3e18-e023-cb24-6460c7602ab6}\U
C:\Windows\Installer\{3135917d-3e18-e023-cb24-6460c7602ab6}\U\00000004.@
ZeroAccess:
C:\Users\maaldridge\AppData\Local\{3135917d-3e18-e023-cb24-6460c7602ab6}
C:\Users\maaldridge\AppData\Local\{3135917d-3e18-e023-cb24-6460c7602ab6}\@
C:\Users\maaldridge\AppData\Local\{3135917d-3e18-e023-cb24-6460c7602ab6}\L
C:\Users\maaldridge\AppData\Local\{3135917d-3e18-e023-cb24-6460c7602ab6}\U
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe FCB084FA3DCB7449F3BAA13312A215B4 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 18%
Total physical RAM: 3976.9 MB
Available physical RAM: 3246.09 MB
Total Pagefile: 3975.05 MB
Available Pagefile: 3245.42 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
======================= Partitions =========================
1 Drive c: (OSDisk) (Fixed) (Total:118.94 GB) (Free:18.35 GB) NTFS
3 Drive f: () (Removable) (Total:0.99 GB) (Free:0.89 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (BDEDrive) (Fixed) (Total:0.29 GB) (Free:0.24 GB) NTFS ==>[System with boot components (obtained from reading drive)]
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online         119 GB   9 MB
  Disk 1    Online         1010 MB  0 B

Partitions of Disk 0:
===============
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           118 GB   1024 KB
  Partition 2    Primary           300 MB   118 GB
==================================================================================
Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: No
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1    C    OSDisk       NTFS   Partition   118 GB   Healthy
==================================================================================
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2    Y    BDEDrive     NTFS   Partition   300 MB   Healthy
==================================================================================
Partitions of Disk 1:
===============
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1010 MB  16 KB
==================================================================================
Disk: 1
Partition 1
Type  : 06
Hidden: No
Active: Yes
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3    F                 FAT    Removable   1010 MB  Healthy
==================================================================================
==========================================================
Last Boot: 2012-07-21 05:22
======================= End Of Log ==========================

Search.txt

Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-26 10:11:20
Running from F:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2012-07-23 08:55] - 0328704 ____A (Microsoft Corporation) FCB084FA3DCB7449F3BAA13312A215B4
====== End Of Search ======
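The two logs above carry the whole diagnosis in a handful of lines: the Bamital check flags C:\Windows\System32\services.exe, and Search.txt shows why, the System32 copy has the same size and creation time as the WinSxS component-store copy but a different MD5 and a modification time of 2012-07-23, while the FRST listing shows the {GUID}\@, \L and \U folders ZeroAccess plants under Windows\Installer and the user's AppData\Local. The script below is an added example, not part of this thread and not FRST's own code: it parses Search.txt-style output, treats the WinSxS copy of each binary as the reference hash (the servicing stack installs System32 binaries from the component store, so any legitimate System32 copy should match one of the WinSxS versions), and flags GUID-named folders that contain at least two of the @ / L / U members. The sample input is constructed from the log text posted above; the hashes are the ones the log shows.

```python
import re

# Constructed sample input: the services.exe search result and the ZeroAccess
# folder listing copied from the FRST logs posted above (hashes as in the log).
SEARCH_TXT = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2012-07-23 08:55] - 0328704 ____A (Microsoft Corporation) FCB084FA3DCB7449F3BAA13312A215B4
====== End Of Search ======
"""

FRST_SNIPPET = r"""
ZeroAccess:
C:\Windows\Installer\{3135917d-3e18-e023-cb24-6460c7602ab6}
C:\Windows\Installer\{3135917d-3e18-e023-cb24-6460c7602ab6}\@
C:\Windows\Installer\{3135917d-3e18-e023-cb24-6460c7602ab6}\L
C:\Windows\Installer\{3135917d-3e18-e023-cb24-6460c7602ab6}\U
C:\Windows\Installer\{3135917d-3e18-e023-cb24-6460c7602ab6}\U\00000004.@
ZeroAccess:
C:\Users\maaldridge\AppData\Local\{3135917d-3e18-e023-cb24-6460c7602ab6}
C:\Users\maaldridge\AppData\Local\{3135917d-3e18-e023-cb24-6460c7602ab6}\@
C:\Users\maaldridge\AppData\Local\{3135917d-3e18-e023-cb24-6460c7602ab6}\L
C:\Users\maaldridge\AppData\Local\{3135917d-3e18-e023-cb24-6460c7602ab6}\U
"""

# FRST Search.txt detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

# A {GUID} folder followed by one of the three members ZeroAccess creates.
GUID_DIR_RE = re.compile(
    r"^(?P<root>.*\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})"
    r"\\(?P<member>@|L|U)(?:\\|$)",
    re.IGNORECASE,
)


def parse_search(text):
    """Pair each path line in Search.txt with the detail line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for i, line in enumerate(lines[:-1]):
        m = DETAIL_RE.match(lines[i + 1])
        if m and not DETAIL_RE.match(line) and not line.startswith("="):
            entries.append({"path": line, **m.groupdict()})
    return entries


def find_tampered(entries):
    """Flag copies of a binary whose MD5 matches none of its WinSxS copies.

    WinSxS may hold several versions (RTM, service pack, hotfix); a System32
    copy is only suspicious when it matches none of them, as services.exe
    above does despite identical size and creation time.
    """
    by_name = {}
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        by_name.setdefault(name, []).append(e)
    tampered = []
    for copies in by_name.values():
        refs = {c["md5"].upper() for c in copies if "\\winsxs\\" in c["path"].lower()}
        if not refs:
            continue  # no component-store copy found; nothing to compare against
        for c in copies:
            if "\\winsxs\\" in c["path"].lower():
                continue
            if c["md5"].upper() not in refs:
                tampered.append({
                    "path": c["path"],
                    "md5": c["md5"],
                    "reference_md5": sorted(refs),
                    "modified": c["modified"],
                })
    return tampered


def find_zeroaccess_dirs(text):
    """Return GUID folders holding at least two of the @ / L / U members.

    The 'ZeroAccess:' heading is not relied on; the folder shape alone decides.
    """
    seen = {}
    for line in text.splitlines():
        m = GUID_DIR_RE.match(line.strip())
        if m:
            seen.setdefault(m.group("root"), set()).add(m.group("member").upper())
    return sorted(root for root, members in seen.items() if len(members) >= 2)


if __name__ == "__main__":
    for hit in find_tampered(parse_search(SEARCH_TXT)):
        print(f"TAMPERED {hit['path']} md5={hit['md5']} modified={hit['modified']} "
              f"winsxs={','.join(hit['reference_md5'])}")
    for root in find_zeroaccess_dirs(FRST_SNIPPET):
        print(f"ZEROACCESS-DIR {root}")
```

Run it against a saved Search.txt and FRST.txt to get the same two findings the helper acted on. The creation-time match is the tell: a patched services.exe would normally carry a new file version and a new creation time, whereas ZeroAccess overwrites the file in place and leaves only the modification time (2012-07-23 08:55 here) as evidence.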
 
First of all be patient and do NOT bump!
We're just volunteers providing free help.
We do work, we do sleep and we have our private lives.
We do NOT provide 911 services.

Now...hold on until I compose a fix for you.
 
Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next...

Restart normally.

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  • NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run, then download and try to run another one.
Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 

Attachments

  • fixlist.txt
    378 bytes
Hi,

Sorry about trying to bump/being impatient.

I can't disable my anti-virus (Kaspersky). My machine is on a network server, and they will not allow me to disable it.
(Even running the Farbar tool was hard as they first refused to give me access. They finally conceded and gave me temporary admin access).

Can I run the Combofix in the safemode without network?
Or, is there any way around it?

Thanks in advance.
 
I can't figure out how to disable spybot. I had a look at the instructions, but the newer spybot does not have those options. Spybot 2.0.9.0.
 

Attachments

  • spybot.jpg
    165.5 KB
Here is the fixlog.
I couldn't run the Combofix yet, as I cannot figure out how to turn off the Spybot. :( In safe mode without network, it hasn't complained about Kaspersky yet. I don't have permission to disable Kaspersky either.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-26 13:59:40 Run:1
Running from F:\
==============================================
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.
C:\Windows\Installer\{3135917d-3e18-e023-cb24-6460c7602ab6} moved successfully.
C:\Users\maaldridge\AppData\Local\{3135917d-3e18-e023-cb24-6460c7602ab6} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====
 
According to the Spybot forum, the only way to do it is to disable it through Windows services.
Personally, I consider Spybot a tool of the past.
 
Here is the combofix log.

ComboFix 12-07-27.02 - maaldridge 07/26/2012 15:41:56.1.4 - x64 MINIMAL
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3977.3298 [GMT -7:00]
Running from: c:\users\maaldridge\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
FW: Kaspersky Anti-Virus *Disabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}
SP: Kaspersky Anti-Virus *Disabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
SP: Spybot - Search and Destroy *Disabled/Updated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Administrator\AppData\Local\assembly\tmp
c:\users\maaldridge\AppData\Local\assembly\tmp
c:\users\maaldridge\AppData\Local\VS Revo Group\yzxxvcqk.dll
c:\windows\SysWow64\html
c:\windows\SysWow64\html\calendar.html
c:\windows\SysWow64\html\calendarbottom.html
c:\windows\SysWow64\html\calendartop.html
c:\windows\SysWow64\html\crystalexportdialog.htm
c:\windows\SysWow64\html\crystalprinthost.html
c:\windows\SysWow64\images
c:\windows\SysWow64\images\toolbar\calendar.gif
c:\windows\SysWow64\images\toolbar\crlogo.gif
c:\windows\SysWow64\images\toolbar\export.gif
c:\windows\SysWow64\images\toolbar\export_over.gif
c:\windows\SysWow64\images\toolbar\exportd.gif
c:\windows\SysWow64\images\toolbar\First.gif
c:\windows\SysWow64\images\toolbar\first_over.gif
c:\windows\SysWow64\images\toolbar\Firstd.gif
c:\windows\SysWow64\images\toolbar\gotopage.gif
c:\windows\SysWow64\images\toolbar\gotopage_over.gif
c:\windows\SysWow64\images\toolbar\gotopaged.gif
c:\windows\SysWow64\images\toolbar\grouptree.gif
c:\windows\SysWow64\images\toolbar\grouptree_over.gif
c:\windows\SysWow64\images\toolbar\grouptreed.gif
c:\windows\SysWow64\images\toolbar\grouptreepressed.gif
c:\windows\SysWow64\images\toolbar\Last.gif
c:\windows\SysWow64\images\toolbar\last_over.gif
c:\windows\SysWow64\images\toolbar\Lastd.gif
c:\windows\SysWow64\images\toolbar\Next.gif
c:\windows\SysWow64\images\toolbar\next_over.gif
c:\windows\SysWow64\images\toolbar\Nextd.gif
c:\windows\SysWow64\images\toolbar\Prev.gif
c:\windows\SysWow64\images\toolbar\prev_over.gif
c:\windows\SysWow64\images\toolbar\Prevd.gif
c:\windows\SysWow64\images\toolbar\print.gif
c:\windows\SysWow64\images\toolbar\print_over.gif
c:\windows\SysWow64\images\toolbar\printd.gif
c:\windows\SysWow64\images\toolbar\Refresh.gif
c:\windows\SysWow64\images\toolbar\refresh_over.gif
c:\windows\SysWow64\images\toolbar\refreshd.gif
c:\windows\SysWow64\images\toolbar\Search.gif
c:\windows\SysWow64\images\toolbar\search_over.gif
c:\windows\SysWow64\images\toolbar\searchd.gif
c:\windows\SysWow64\images\toolbar\up.gif
c:\windows\SysWow64\images\toolbar\up_over.gif
c:\windows\SysWow64\images\toolbar\upd.gif
c:\windows\SysWow64\images\tree\begindots.gif
c:\windows\SysWow64\images\tree\beginminus.gif
c:\windows\SysWow64\images\tree\beginplus.gif
c:\windows\SysWow64\images\tree\blank.gif
c:\windows\SysWow64\images\tree\blankdots.gif
c:\windows\SysWow64\images\tree\dots.gif
c:\windows\SysWow64\images\tree\lastdots.gif
c:\windows\SysWow64\images\tree\lastminus.gif
c:\windows\SysWow64\images\tree\lastplus.gif
c:\windows\SysWow64\images\tree\Magnify.gif
c:\windows\SysWow64\images\tree\minus.gif
c:\windows\SysWow64\images\tree\minusbox.gif
c:\windows\SysWow64\images\tree\plus.gif
c:\windows\SysWow64\images\tree\plusbox.gif
c:\windows\SysWow64\images\tree\singleminus.gif
c:\windows\SysWow64\images\tree\singleplus.gif
.
.
((((((((((((((((((((((((( Files Created from 2012-06-26 to 2012-07-26 )))))))))))))))))))))))))))))))
.
.
2012-07-26 22:45 . 2012-07-26 22:45 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-07-26 22:45 . 2012-07-26 22:45 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2012-07-26 18:07 . 2012-07-26 18:07 -------- d-----w- C:\FRST
2012-07-25 17:35 . 2012-07-25 17:35 -------- d-----w- c:\users\maaldridge\AppData\Roaming\Malwarebytes
2012-07-25 17:35 . 2012-07-25 17:35 -------- d-----w- c:\programdata\Malwarebytes
2012-07-25 17:35 . 2012-07-25 17:35 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-25 17:35 . 2012-07-03 20:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-25 14:22 . 2012-07-25 14:22 479744 ----a-w- c:\windows\SysWow64\RTFConv.dll
2012-07-25 05:05 . 2012-07-25 06:25 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-07-25 05:05 . 2009-01-25 20:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2012-07-25 05:05 . 2012-07-25 06:34 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2012-07-24 21:32 . 2012-07-24 21:32 -------- d-----w- c:\users\maaldridge\AppData\Local\visi_coupon
2012-07-24 21:30 . 2012-07-24 21:34 -------- d-----w- c:\programdata\Yahoo!
2012-07-24 21:30 . 2012-07-24 21:34 -------- d-----w- c:\program files (x86)\Yahoo!
2012-07-24 20:54 . 2012-07-24 20:54 -------- d-----w- c:\users\maaldridge\AppData\Local\Microsoft_Corporation
2012-07-23 16:59 . 2012-07-23 16:59 -------- d-----w- c:\users\maaldridge\AppData\Roaming\Apple Computer
2012-07-22 22:41 . 2012-07-22 22:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-07-22 22:41 . 2012-07-22 22:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-07-22 22:41 . 2012-07-22 22:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-07-22 22:41 . 2012-07-22 22:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-07-22 22:41 . 2012-07-22 22:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-07-22 22:41 . 2012-07-22 22:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-07-22 22:41 . 2012-07-22 22:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-07-22 22:41 . 2012-07-24 21:35 -------- d-----w- c:\program files (x86)\QuickTime
2012-07-22 22:40 . 2012-07-22 22:40 -------- d-----w- c:\users\maaldridge\AppData\Local\Apple
2012-07-22 22:40 . 2012-07-22 22:40 -------- d-----w- c:\programdata\Apple
2012-07-20 18:34 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-20 18:30 . 2012-06-06 06:05 1499136 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-20 18:30 . 2012-06-06 06:05 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2012-07-20 18:30 . 2012-06-06 06:02 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-07-20 18:30 . 2012-06-06 05:05 212992 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll
2012-07-20 18:30 . 2012-06-06 05:05 1019904 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
2012-07-20 18:30 . 2012-06-06 05:03 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-07-20 18:30 . 2012-06-06 06:05 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2012-07-20 18:30 . 2012-06-06 06:05 61440 ----a-w- c:\program files\Common Files\System\ado\msador15.dll
2012-07-20 18:30 . 2012-06-06 06:05 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2012-07-20 18:30 . 2012-06-06 05:05 143360 ----a-w- c:\program files (x86)\Common Files\System\ado\msjro.dll
2012-07-20 18:30 . 2012-06-06 05:05 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll
2012-07-20 18:30 . 2012-06-06 05:05 57344 ----a-w- c:\program files (x86)\Common Files\System\ado\msador15.dll
2012-07-20 18:30 . 2012-06-06 05:05 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
2012-07-13 04:33 . 2012-07-13 04:33 114176 ----a-w- c:\windows\SysWow64\Eclipsys.Platform.LdapReader.dll
2012-07-12 22:16 . 2012-07-12 22:18 -------- d--h--w- c:\windows\AxInstSV
2012-07-03 16:27 . 2012-04-17 05:31 918016 ----a-w- c:\windows\system32\jscript.dll
2012-07-03 16:27 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-07-03 16:27 . 2012-04-07 12:31 3216384 ----a-w- c:\windows\system32\msi.dll
2012-07-03 16:27 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\SysWow64\msi.dll
2012-07-03 16:27 . 2012-04-24 05:37 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2012-07-03 16:27 . 2012-04-24 05:37 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-07-03 16:27 . 2012-04-24 05:37 1462272 ----a-w- c:\windows\system32\crypt32.dll
2012-07-03 16:27 . 2012-04-24 04:36 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-07-03 16:27 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-07-03 16:27 . 2012-04-24 04:36 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-26 22:46 . 2011-10-25 17:10 4194304 ----a-w- c:\windows\ServiceProfiles\NetworkService\msmqlog.bin
2012-07-20 18:31 . 2010-11-20 21:53 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-02 22:19 . 2012-06-12 16:25 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-12 16:26 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-12 16:26 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-12 16:26 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-12 16:25 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-12 16:25 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-12 16:26 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-12 16:25 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:15 . 2012-06-12 16:25 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-05-31 19:25 . 2010-11-20 21:17 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-05-18 21:31 . 2011-04-14 20:49 2480768 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2012-05-15 04:01 . 2012-06-21 16:51 1188864 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 03:59 . 2012-06-21 16:51 64512 ----a-w- c:\windows\system32\jsproxy.dll
2012-05-15 03:03 . 2012-06-21 16:51 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2012-05-05 19:51 . 2012-04-13 20:25 8769696 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-05-04 11:06 . 2012-06-14 05:01 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-14 05:01 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-14 05:01 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-04-28 05:32 . 2012-06-14 05:01 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2012-04-28 03:55 . 2012-06-14 05:01 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spybot-S&D Cleaning"="c:\program files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" [2012-07-04 3527176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Communicator"="c:\program files (x86)\Microsoft Lync\communicator.exe" [2010-10-22 11937552]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2012-07-04 3921432]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"AVP"="c:\program files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe" [2010-03-12 311680]
.
c:\users\maaldridge\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2011-11-8 576000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files (x86)\Digital Line Detect\DLG.exe [2011-9-19 50688]
MozyEnterprise Status.lnk - c:\program files\MozyEnterprise\mozyentstat.exe [2012-6-4 6270088]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2119488]
WDSmartWare.lnk - c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-11-13 9117504]
WinZip Quick Pick.lnk - c:\program files (x86)\WinZip\WZQKPICK.EXE [2007-5-15 394856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 GatewayAgent30;Allscripts Gateway Agent - 3.0;c:\program files (x86)\Allscripts Sunrise\Helios\3.0\Gateway\Eclipsys.Infrastructure.WindowsServices.exe [2011-03-22 32768]
R2 GatewayAgent31;Allscripts Gateway Agent - 3.1;c:\program files (x86)\Allscripts Sunrise\Helios\3.1\Gateway\Eclipsys.Infrastructure.WindowsServices.exe [x]
R2 GatewayAgent60;Allscripts Gateway Agent - 6.0;c:\program files (x86)\Allscripts Sunrise\Helios\6.0\Gateway\Eclipsys.Infrastructure.WindowsServices.exe [2012-07-13 40960]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-06 13336]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
R2 mozyentbackup;MozyEnterprise Backup Service;c:\program files\MozyEnterprise\mozyentbackup.exe [2010-11-08 51536]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-02-07 2009704]
R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [2010-03-19 81920]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-04-01 183560]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2009-11-06 293552]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-27 151936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2011-02-07 173160]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-01-19 68440]
R3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files (x86)\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\x64\VSPerfDrv90.sys [2007-09-04 71024]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-20 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x64\msvsmon.exe [2005-09-23 4476096]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [2011-02-04 25960]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2010-08-20 21616]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2011-04-11 27736]
S1 mozyentFilter;mozyentFilter;c:\windows\system32\DRIVERS\mozyent.sys [2011-08-16 66552]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2009-03-03 89600]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2011-05-13 1043872]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2011-05-13 36768]
S2 klnagent;Kaspersky Lab Network Agent;c:\program files (x86)\Kaspersky Lab\NetworkAgent 8\klnagent.exe [2010-10-20 141688]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-02-03 378472]
S2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [2011-07-01 1600000]
S2 WDDMService;WD SmartWare Drive Manager Service;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-13 129536]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-12-13 27760]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2011-05-10 38504]
S3 dcdbas;System Management Driver;c:\windows\system32\DRIVERS\dcdbas64.sys [2010-11-25 38472]
S3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [2010-10-28 315568]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2009-09-03 30736]
S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73361282-1014109674-949316387-64872Core.job
- c:\users\maaldridge\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-12 18:08]
.
2012-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73361282-1014109674-949316387-64872UA.job
- c:\users\maaldridge\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-12 18:08]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2011-05-28 00:46 139128 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozyent]
@="{567f4262-b8b0-578b-e7bc-b384643f0d85}"
[HKEY_CLASSES_ROOT\CLSID\{567f4262-b8b0-578b-e7bc-b384643f0d85}]
2012-06-04 22:34 6299784 ----a-w- c:\program files\MozyEnterprise\mozyentshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozyent2]
@="{5efb374b-ea9d-fd9e-528a-5f53484cb3dc}"
[HKEY_CLASSES_ROOT\CLSID\{5efb374b-ea9d-fd9e-528a-5f53484cb3dc}]
2012-06-04 22:34 6299784 ----a-w- c:\program files\MozyEnterprise\mozyentshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozyent3]
@="{1b4d21fd-1325-b7e3-a45e-07804bf4fc8c}"
[HKEY_CLASSES_ROOT\CLSID\{1b4d21fd-1325-b7e3-a45e-07804bf4fc8c}]
2012-06-04 22:34 6299784 ----a-w- c:\program files\MozyEnterprise\mozyentshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TfsOverlayAdd]
@="{D4DD7FC6-066F-442a-A200-DD21649CF378}"
[HKEY_CLASSES_ROOT\CLSID\{D4DD7FC6-066F-442a-A200-DD21649CF378}]
2011-12-07 03:42 292168 ----a-w- c:\program files (x86)\Microsoft Team Foundation Server 2010 Power Tools\TfsShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TfsOverlayControlled]
@="{EFF5DF4C-7662-4ed7-B533-837D3319D311}"
[HKEY_CLASSES_ROOT\CLSID\{EFF5DF4C-7662-4ed7-B533-837D3319D311}]
2011-12-07 03:42 292168 ----a-w- c:\program files (x86)\Microsoft Team Foundation Server 2010 Power Tools\TfsShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TfsOverlayEdit]
@="{FF529703-3398-4c98-B88D-13F784CB10A2}"
[HKEY_CLASSES_ROOT\CLSID\{FF529703-3398-4c98-B88D-13F784CB10A2}]
2011-12-07 03:42 292168 ----a-w- c:\program files (x86)\Microsoft Team Foundation Server 2010 Power Tools\TfsShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TfsOverlayLock]
@="{EAB6FC01-3462-4dc9-8C94-75582E3DC3CA}"
[HKEY_CLASSES_ROOT\CLSID\{EAB6FC01-3462-4dc9-8C94-75582E3DC3CA}]
2011-12-07 03:42 292168 ----a-w- c:\program files (x86)\Microsoft Team Foundation Server 2010 Power Tools\TfsShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TfsOverlayRename]
@="{F15E94B9-9522-42bd-8A73-569BCBE5A5EA}"
[HKEY_CLASSES_ROOT\CLSID\{F15E94B9-9522-42bd-8A73-569BCBE5A5EA}]
2011-12-07 03:42 292168 ----a-w- c:\program files (x86)\Microsoft Team Foundation Server 2010 Power Tools\TfsShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2011-05-28 00:46 139128 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-07-20 611192]
"FreeFallProtection"="c:\program files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe" [2010-12-15 686704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-12-08 525312]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-15 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-15 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-15 418328]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-02-03 312936]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-12-30 1875048]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2011-01-18 6492672]
"TdmNotify"="c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe" [2011-05-28 257392]
"MsmqIntCert"="mqrt.dll" [2010-11-20 247808]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"combofix"="c:\combofix\CF8037.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://inside.allscripts.com
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: a4healthsystems.com
Trusted Zone: adp.com
Trusted Zone: allscripts.com
Trusted Zone: allscripts.com\clarity.corp
Trusted Zone: allscripts.com\servicedesk.corp
Trusted Zone: books24x7.com
Trusted Zone: brainshark.com
Trusted Zone: clarity
Trusted Zone: codecorrect.com
Trusted Zone: delvenetworks.com\assets
Trusted Zone: diagnostix.com
Trusted Zone: eternal
Trusted Zone: force.com
Trusted Zone: force.com\*.na0.visual
Trusted Zone: fpx.com\od1
Trusted Zone: global.ad\servicedesk.misys
Trusted Zone: gotrain.net
Trusted Zone: intersourcing.com\www
Trusted Zone: intra
Trusted Zone: llnwd.net\*.fcod
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: misys.com\clarity
Trusted Zone: misys.com\servicedesk
Trusted Zone: misysgold
Trusted Zone: misyshealthcare.com
Trusted Zone: misyshealthcare.com\kb
Trusted Zone: misysimentor.com
Trusted Zone: mlv-ris-app-e
Trusted Zone: mlv-ris-app-f
Trusted Zone: mlv-ris-app-o
Trusted Zone: on24.com
Trusted Zone: onemisys.com\clarity
Trusted Zone: onemisys.com\eternal
Trusted Zone: onemisys.com\intra
Trusted Zone: onemisys.com\misysgold
Trusted Zone: payerpath.com
Trusted Zone: salesforce.com
Trusted Zone: servicedesk
Trusted Zone: skilldialogue.com
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com
Trusted Zone: skillsoftcompliance.com
Trusted Zone: skillwsa.com
Trusted Zone: symantecliveupdate.com
Trusted Zone: velaro.com
Trusted Zone: windowsupdate.com
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-VS Revo Group - c:\users\maaldridge\AppData\Local\VS Revo Group\yzxxvcqk.dll
Notify-SDWinLogon - SDWinLogon.dll
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-898976328-1975694646-3752162016-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,99,2d,f0,b2,41,18,4b,8d,46,c7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,99,2d,f0,b2,41,18,4b,8d,46,c7,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Juniper Networks\Common Files\dsNcService.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
c:\windows\SysWOW64\CCM\CcmExec.exe
.
**************************************************************************
.
Completion time: 2012-07-26 15:48:26 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-26 22:48
.
Pre-Run: 20,409,544,704 bytes free
Post-Run: 22,841,856,000 bytes free
.
- - End Of File - - D7C148B28739A84495AF7DE37925FA5F
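As an added example (my own script, not part of the original post and not ComboFix's code), here is a Python triage pass over the two parts of a log like the one above that usually repay a second look: the Trusted Zone list and the removed orphans. It converts ComboFix's `domain\subkey` notation back into host patterns (the subkey is the leftmost label, so `microsoft.com\*.windowsupdate` is `*.windowsupdate.microsoft.com`, and a bare domain entry in the ZoneMap covers every subdomain), flags single-label and wildcard zone entries, and flags orphaned auto-start entries that point into a user-writable profile directory with a random-looking file name, as the `yzxxvcqk.dll` Run entry above does. The embedded log excerpt is a constructed subset of the log above, and the thresholds in `looks_random` are my own heuristic, not a published rule.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt of the ComboFix log above, in ComboFix's own notation,
# embedded so the script runs offline. Not the complete log.
SAMPLE_LOG = r"""
Trusted Zone: allscripts.com\clarity.corp
Trusted Zone: clarity
Trusted Zone: force.com
Trusted Zone: force.com\*.na0.visual
Trusted Zone: microsoft.com\*.windowsupdate
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
Wow6432Node-HKCU-Run-VS Revo Group - c:\users\maaldridge\AppData\Local\VS Revo Group\yzxxvcqk.dll
Notify-SDWinLogon - SDWinLogon.dll
"""

VOWELS = set("aeiou")
ORPHAN_RE = re.compile(r"^(?P<key>\S.*?) - (?P<target>.+)$")


@dataclass
class Finding:
    section: str
    item: str
    reasons: list[str] = field(default_factory=list)


def zone_entry_to_pattern(entry: str) -> str:
    r"""ComboFix prints ZoneMap\Domains\<domain>\<subkey> as 'domain\subkey'.
    The subkey is the leftmost label(s): 'microsoft.com\*.windowsupdate'
    means *.windowsupdate.microsoft.com. A bare domain covers all subdomains."""
    domain, sep, sub = entry.partition("\\")
    return f"{sub}.{domain}" if sep else domain


def review_zone_entry(entry: str) -> list[str]:
    """Reasons a Trusted Zone entry deserves review (empty list = nothing notable)."""
    pattern = zone_entry_to_pattern(entry)
    if "." not in pattern:
        return ["single-label name: resolved via DNS suffix search, LLMNR or NetBIOS, "
                "so any host on the local network can claim it"]
    if "*" in pattern:
        return ["wildcard: every host under the subtree gets Trusted-zone rights"]
    if "\\" not in entry:
        return ["bare domain: the ZoneMap entry applies to every subdomain"]
    return []


def looks_random(stem: str) -> bool:
    """Heuristic (own threshold): long consonant runs or almost no vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.15 or longest >= 5


def review_orphan(key: str, target: str) -> list[str]:
    """Reasons an 'ORPHANS REMOVED' line deserves review."""
    low = target.lower()
    if low == "(no file)":
        return ["dangling reference: the registered file was already gone"]
    reasons = []
    stem = re.sub(r"\.[^.]*$", "", low.rsplit("\\", 1)[-1])
    if "-run-" in key.lower():
        reasons.append("auto-start (Run key) entry")
    if "\\appdata\\" in low:
        reasons.append("lives under a user-writable profile directory")
    if looks_random(stem):
        reasons.append(f"random-looking file name '{stem}'")
    return reasons


def analyse(log_text: str) -> list[Finding]:
    """Walk a ComboFix log and collect findings from the two sections we care about."""
    findings: list[Finding] = []
    in_orphans = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("- - - - ORPHANS REMOVED"):
            in_orphans = True
            continue
        if line.startswith("- - - -") or line.startswith("----"):
            in_orphans = False  # any other section header ends the orphan list
            continue
        if line.startswith("Trusted Zone: "):
            entry = line[len("Trusted Zone: "):]
            reasons = review_zone_entry(entry)
            if reasons:
                findings.append(Finding("Trusted Zone", zone_entry_to_pattern(entry), reasons))
        elif in_orphans:
            m = ORPHAN_RE.match(line)
            if m and (reasons := review_orphan(m["key"], m["target"])):
                findings.append(Finding("Orphan", m["key"], reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.section}] {f.item}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it against the full log (replace `SAMPLE_LOG` with the file contents) and the `VS Revo Group` Run entry comes out with all three orphan reasons, while `Notify-SDWinLogon` (Spybot's winlogon notification DLL, by its name) and the `allscripts.com\clarity.corp` host entry produce nothing. The zone-entry reasons are prompts for review, not verdicts: a bare corporate domain may be exactly what the workplace intends, but it is worth knowing that it trusts every subdomain.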
 
