Getting the tidswerv 2 pop-up periodically. Have read and followed the 8-step instructions.
Thanks in advance for your help.
Logs Below:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4155
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
5/29/2010 10:27:40 PM
mbam-log-2010-05-29 (22-27-40).txt
Scan type: Quick scan
Objects scanned: 159443
Time elapsed: 7 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\Software\Zugo (Adware.Zugo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d425283-d487-4337-bab6-ab8354a81457} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9d425283-d487-4337-bab6-ab8354a81457} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\hclaxton.NTECH\AppData\Local\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Search Toolbar\SearchToolbar.dll (Trojan.BHO) -> Delete on reboot.
GMER
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-29 22:39:36
Windows 6.0.6002 Service Pack 2
Running: 1n5dvb7r.exe; Driver: C:\Users\HCLAXT~1.NTE\AppData\Local\Temp\kfgoifow.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Tcp wpsdrvnt.sys
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp wpsdrvnt.sys
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
Device -> \Driver\iaStor \Device\Harddisk0\DR0 861D2D01
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\iaStor.sys suspicious modification
---- EOF - GMER 1.0.15 ----
DDS
DDS (Ver_10-03-17.01) - NTFSx86
Run by hclaxton at 22:52:26.43 on Sat 05/29/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3062.1652 [GMT -4:00]
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec Endpoint Protection *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe
C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Citrix\GoToMeeting\366\g2mcomm.exe
C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
C:\Program Files\Citrix\GoToMeeting\366\g2mlauncher.exe
C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k swprv
\\server1\RedirFolders\hclaxton\Desktop\Malware Tech Files\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyServer = 192.168.201.3:8080
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [GoToMeeting] c:\program files\citrix\gotomeeting\366\g2mstart.exe "/Trigger RunAtLogon"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\users\hclaxt~1.nte\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 9\SnagIt32.exe
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-system: SetVisualStyle =
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
============= SERVICES / DRIVERS ===============
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-29 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-29 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-29 60936]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 msftesql$PROPHETSQL;SQL Server FullText Search (PROPHETSQL);c:\program files\microsoft sql server\mssql.1\mssql\binn\msftesql.exe [2007-6-22 95592]
R2 MSSQL$PROPHETSQL;SQL Server (PROPHETSQL);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-2-14 2440120]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-11-16 187904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-11-16 48472]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-2-14 23888]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
=============== Created Last 30 ================
2010-05-30 02:18:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-30 02:18:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-30 02:06:49 336979633 ----a-w- c:\windows\MEMORY.DMP
2010-05-29 19:18:40 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-29 19:03:45 0 d-----w- c:\program files\Windows Portable Devices
2010-05-29 19:03:03 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-05-29 18:53:45 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-05-29 18:53:44 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-05-29 18:53:44 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-05-29 18:50:58 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-05-29 18:50:57 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-05-29 18:50:57 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-05-29 18:38:27 0 d-----w- c:\windows\SQL9_KB970892_ENU
2010-05-29 18:35:36 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-29 18:35:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-29 18:35:33 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-05-29 18:29:45 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-29 18:29:05 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-05-29 18:27:59 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-05-29 18:27:59 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-05-29 18:27:59 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-05-29 18:27:55 355328 ----a-w- c:\windows\system32\WSDApi.dll
2010-05-29 18:27:51 243712 ----a-w- c:\windows\system32\rastls.dll
2010-05-29 18:27:47 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-05-29 18:27:46 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-05-29 18:27:46 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-05-29 18:26:50 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-05-29 18:26:48 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-05-29 18:25:59 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-05-29 18:25:59 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-05-29 18:25:55 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-05-29 18:25:54 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-05-29 18:25:51 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-29 18:23:22 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-05-29 17:55:06 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-29 17:55:05 0 d-----w- c:\programdata\Avira
2010-05-29 17:55:05 0 d-----w- c:\program files\Avira
2010-05-27 02:41:42 65536 --sha-w- c:\users\hclaxton.ntech\ntuser.dat{16b78664-6937-11df-a95a-001e68291fcc}.TM.blf
2010-05-27 02:41:42 524288 --sha-w- c:\users\hclaxton.ntech\ntuser.dat{16b78664-6937-11df-a95a-001e68291fcc}.TMContainer00000000000000000002.regtrans-ms
2010-05-27 02:41:42 524288 --sha-w- c:\users\hclaxton.ntech\ntuser.dat{16b78664-6937-11df-a95a-001e68291fcc}.TMContainer00000000000000000001.regtrans-ms
2010-05-25 21:27:20 0 d-----w- c:\users\hclaxt~1.nte\appdata\roaming\Malwarebytes
2010-05-25 21:27:09 0 d-----w- c:\programdata\Malwarebytes
2010-05-25 21:27:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 02:14:43 0 d-----w- c:\program files\Search Toolbar
2010-05-17 02:14:22 0 d-----w- c:\program files\File Extension Finder
2010-05-12 13:25:22 1542605 ----a-w- c:\users\hclaxton.ntech\Hotel_Equities_Brochure.pdf
2010-05-10 21:22:56 73577 ----a-w- c:\users\hclaxton.ntech\PublicAgenda-1021[1].pdf
2010-05-10 21:22:24 73552 ----a-w- c:\users\hclaxton.ntech\PublicAgenda-1020[1].pdf
2010-05-10 21:20:16 77543 ----a-w- c:\users\hclaxton.ntech\PublicAgenda-1022[1].pdf
2010-05-10 19:35:25 35328 ----a-w- c:\users\hclaxton.ntech\7_ways_to_increase_profits[1].doc
2010-05-10 02:52:25 0 ----a-w- C:\t1h8.2
2010-05-05 18:10:23 37767 ----a-w- c:\users\hclaxton.ntech\ppl grp app.pdf
==================== Find3M ====================
2010-05-29 19:03:17 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-29 19:03:17 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-29 19:03:17 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-29 19:03:17 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-09 16:25:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42:17 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-04 17:33:45 430080 ----a-w- c:\windows\system32\vbscript.dll
2008-01-21 02:41:56 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-12-31 00:12:10 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2009-11-26 20:06:53 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009112620091127\index.dat
2009-12-31 00:12:10 131072 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009123020091231\index.dat
2008-07-18 06:46:01 14 --sha-r- c:\windows\system32\drivers\fbd.sys
2008-07-18 06:45:59 5 --sha-r- c:\windows\system32\drivers\taishop.sys
============= FINISH: 22:52:53.34 ===============
2010-05-29 18:25:59 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-05-29 18:25:59 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-05-29 18:25:55 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-05-29 18:25:54 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-05-29 18:25:51 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-29 18:23:22 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-05-29 17:55:06 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-29 17:55:05 0 d-----w- c:\programdata\Avira
2010-05-29 17:55:05 0 d-----w- c:\program files\Avira
2010-05-27 02:41:42 65536 --sha-w- c:\users\hclaxton.ntech\ntuser.dat{16b78664-6937-11df-a95a-001e68291fcc}.TM.blf
2010-05-27 02:41:42 524288 --sha-w- c:\users\hclaxton.ntech\ntuser.dat{16b78664-6937-11df-a95a-001e68291fcc}.TMContainer00000000000000000002.regtrans-ms
2010-05-27 02:41:42 524288 --sha-w- c:\users\hclaxton.ntech\ntuser.dat{16b78664-6937-11df-a95a-001e68291fcc}.TMContainer00000000000000000001.regtrans-ms
2010-05-25 21:27:20 0 d-----w- c:\users\hclaxt~1.nte\appdata\roaming\Malwarebytes
2010-05-25 21:27:09 0 d-----w- c:\programdata\Malwarebytes
2010-05-25 21:27:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 02:14:43 0 d-----w- c:\program files\Search Toolbar
2010-05-17 02:14:22 0 d-----w- c:\program files\File Extension Finder
2010-05-12 13:25:22 1542605 ----a-w- c:\users\hclaxton.ntech\Hotel_Equities_Brochure.pdf
2010-05-10 21:22:56 73577 ----a-w- c:\users\hclaxton.ntech\PublicAgenda-1021[1].pdf
2010-05-10 21:22:24 73552 ----a-w- c:\users\hclaxton.ntech\PublicAgenda-1020[1].pdf
2010-05-10 21:20:16 77543 ----a-w- c:\users\hclaxton.ntech\PublicAgenda-1022[1].pdf
2010-05-10 19:35:25 35328 ----a-w- c:\users\hclaxton.ntech\7_ways_to_increase_profits[1].doc
2010-05-10 02:52:25 0 ----a-w- C:\t1h8.2
2010-05-05 18:10:23 37767 ----a-w- c:\users\hclaxton.ntech\ppl grp app.pdf
==================== Find3M ====================
2010-05-29 19:03:17 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-29 19:03:17 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-29 19:03:17 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-29 19:03:17 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-09 16:25:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42:17 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-04 17:33:45 430080 ----a-w- c:\windows\system32\vbscript.dll
2008-01-21 02:41:56 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-12-31 00:12:10 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2009-11-26 20:06:53 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009112620091127\index.dat
2009-12-31 00:12:10 131072 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009123020091231\index.dat
2008-07-18 06:46:01 14 --sha-r- c:\windows\system32\drivers\fbd.sys
2008-07-18 06:45:59 5 --sha-r- c:\windows\system32\drivers\taishop.sys
============= FINISH: 22:52:53.34 ===============