Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
This topic is locked
It seems that I have been infected by a malicious ad displayed by a third-party on a site I trust. A rogue antivirus just popped up and, as usual, I located the process in Process Explorer, killed it, deleted the file, and looked for any suspicious processes, services, browser plugins, etc.
Once I was done with that, some symptoms remained:
- I would still occasionally get redirected to malicious or phishing sites when clicking on a result in Google searches.
- Advertisements would randomly open in my browser, every two hours or so.
- At one point, Firefox showed the following message: "Something is trying to trick Firefox into accepting an insecure update. Please contract your network provider and seek help."
- HTTPS traffic would be slow or unreliable, as if it was going through a poorly implemented proxy or MitM trick. Some requests to facebook and other sites would sometimes abort before a response was received (connection reset).
- Google Chrome prevented me from logging into my Google account because the SSL cert for accounts.google.com looked fishy to it. The message (translated from French) was something similar to "The security certificate of this site was signed with a weak signature algorithm."; in short, something that Google is known not to use.
I have stopped any online banking or logging into well-known sites until I get that fixed, since there definitely seems to be something listening on the line.
A freshly updated MBAM found and deleted C:\Windows\system32\findup16.dll . A similar file (findup1664.dll) reappeared the next day.
Flash Player would crash frequently, and disabling the plugin in Firefox seemed to stop the advertisements from appearing spontaneously, which leads me to suspect that it has been patched with malicious code.
DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Carl Tessier at 1:43:05 on 2012-06-27
Microsoft Windows 7 Édition Intégrale 6.1.7600.0.1252.2.1033.18.4091.1169 [GMT -4:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\psxss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SUA\usr\sbin\init
C:\Windows\SUA\usr\sbin\syslogd
C:\Windows\SUA\usr\sbin\inetd
C:\Windows\SUA\usr\local\sbin\sshd
C:\Windows\System32\spoolsv.exe
C:\Windows\SUA\usr\sbin\cron
C:\Windows\SUA\usr\sbin\updater
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\ASNA\ASNA Services\AsnaSvcHost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\ASNA\DataGate Server\8.1\dgServer.exe
C:\Program Files (x86)\IBM\SQLLIB\BIN\db2mgmtsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files (x86)\Borland\InterBase\bin\ibguard.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files (x86)\Yuna Software\Messenger Plus! for Skype\MsgPlusForSkypeService.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQL2008\MSSQL\Binn\sqlservr.exe
c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\Program Files (x86)\Microsoft SQL Server\MSSQL.5\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSRS10.SQL2008\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\ShadowExplorer\sesvc.exe
C:\Windows\System32\tcpsvcs.exe
c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files (x86)\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files (x86)\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
C:\Windows\SysWOW64\vmnat.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
C:\Windows\SysWOW64\vmnetdhcp.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQL2008\MSSQL\Binn\fdlauncher.exe
C:\Program Files (x86)\Borland\InterBase\bin\ibserver.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQL2008\MSSQL\Binn\fdhost.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Google\Update\1.3.21.111\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.21.111\GoogleCrashHandler64.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\AIM\aim.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files (x86)\palmOne\Hotsync.exe
C:\Program Files (x86)\Google\Google Talk\googletalk.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\Zend\ZendServer\bin\zendcontroller.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\Yuna Software\Messenger Plus! for Skype\Messenger Plus! for Skype.exe
C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files (x86)\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Windows\SysWOW64\inetsrv\w3wp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\mIRC\mirc.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\SoftwareDistribution\Download\Install\NDP40-KB2686827-x64.exe
h:\dc493bc6c505dcfbf707bc4230\Setup.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns
C:\Windows\system32\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe
C:\Program Files (x86)\Notepad++\notepad++.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\system32\conhost.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = local;*.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DebugBar BHO: {69fc0024-10eb-480a-bbf2-3bf4e78e17b1} - C:\Program Files (x86)\Core Services\DebugBar\DebugInfoBar.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
BHO: Programme d'aide de l'Assistant de connexion Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - C:\Program Files (x86)\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
BHO: HttpWatch Basic: {f1f69322-008f-4895-b2bf-ad194219825a} - C:\Program Files (x86)\HttpWatch\httpwatchsc.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
TB: DebugBar: {3e1201f4-1707-409f-bb45-a5f192381da0} - C:\Program Files (x86)\Core Services\DebugBar\DebugToolBar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Yahoo! Barre d'outils: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn1\yt.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: Web Test Recorder 10.0: {5802d092-1784-4908-8cdb-99b6842d353d} - mscoree.dll
EB: HttpWatch Basic: {2b4c4770-27fd-4a09-b17d-33ca580965fb} - C:\Program Files (x86)\HttpWatch\httpwatch.dll
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
uRun: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [AdobeBridge]
uRun: [FeedDemon] "C:\Program Files (x86)\FeedDemon\FeedDemon.exe" /startminimized
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [Facebook Update] "C:\Users\Carl Tessier\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
mRun: [googletalk] "C:\Program Files (x86)\Google\Google Talk\googletalk.exe" /autostart
mRun: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
mRun: [Client Access Service] C:\Program Files (x86)\IBM\Client Access\cwbsvstr.exe
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [PlusService] C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe
mRun: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [LogitechCommunicationsManager] "C:\Program Files (x86)\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "C:\Program Files (x86)\Labtec\WebCam10\WebCam10.exe" /hide
mRun: [MessengerPlusForSkypeService] "C:\Program Files (x86)\Yuna Software\Messenger Plus! for Skype\MsgPlusForSkypeService.exe"
StartupFolder: C:\Users\CARLTE~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Carl Tessier\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\CARLTE~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\FACEBO~1.LNK - C:\Users\Carl Tessier\AppData\Local\Facebook\Messenger\2.1.4554.0\FacebookMessenger.exe
StartupFolder: C:\Users\CARLTE~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HOTSYN~1.LNK - C:\Program Files (x86)\palmOne\Hotsync.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ZENDCO~1.LNK - C:\Program Files (x86)\Zend\ZendServer\bin\zendcontroller.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Ajouter la cible du lien à un fichier PDF existant - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Ajouter à un fichier PDF existant - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir au format Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir la cible du lien au format Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: S'abonner avec RSS Bandit - C:\Users\Carl Tessier\AppData\Roaming\RssBandit\iecontext_subscribebandit.htm
IE: Se&nd to OneNote - C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105
IE: Sothink SWF Catcher - C:\Program Files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files (x86)\Fiddler2\Fiddler.exe"
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - C:\Program Files (x86)\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MIF5BA~1\Office12\REFIEBAR.DLL
IE: {D103E85B-5D67-42c1-8C83-F01079DBAB26} - {2B4C4770-27FD-4A09-B17D-33CA580965FB} - C:\Program Files (x86)\HttpWatch\httpwatch.dll
LSP: mswsock.dll
LSP: %SystemRoot%\system32\vsocklib.dll
Trusted Zone: cascades.com\norampac.trackit
Trusted Zone: gouv.qc.ca\www.mtqsignalisation.mtq
DPF: {576756A1-D97C-45D0-A945-0324019A131E} - hxxp://ti9-testsvr.norampac.com/tiweb70/downloads/BOSIActiveXGrid.cab
DPF: {6AF2E1A7-A16E-4503-A440-07CA49122CCE} - hxxp://ti9-testsvr.norampac.com/tiweb70/downloads/BOSIActiveXMemoControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{47738D2D-5792-416D-84E8-D96A2C801C31} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{47738D2D-5792-416D-84E8-D96A2C801C31} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{47738D2D-5792-416D-84E8-D96A2C801C31}\14D6472716B634F6E6E6563647 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{47738D2D-5792-416D-84E8-D96A2C801C31}\14D6472716B634F6E6E6563647 : DhcpNameServer = 10.71.40.1
TCP: Interfaces\{47738D2D-5792-416D-84E8-D96A2C801C31}\6574E4564777F627B6 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{47738D2D-5792-416D-84E8-D96A2C801C31}\6574E4564777F627B6 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{47738D2D-5792-416D-84E8-D96A2C801C31}\86F6D6561313 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{47738D2D-5792-416D-84E8-D96A2C801C31}\86F6D6561313 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{47738D2D-5792-416D-84E8-D96A2C801C31}\E4544574541425 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{47738D2D-5792-416D-84E8-D96A2C801C31}\E4544574541425 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DA340416-B7C1-4C26-BDFA-F5564298D5A0} : DhcpNameServer = 64.71.255.198 64.71.255.253
TCP: Interfaces\{EAF6822E-4E80-4F7D-9C8E-7AF3C867C069} : DhcpNameServer = 64.71.255.198 64.71.255.253
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
{02478D38-C3F9-4efb-9B51-7695ECA05670}
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
{69FC0024-10EB-480A-BBF2-3BF4E78E17B1}
{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{9FDDE16B-836F-4806-AB1F-1455CBEFF289}
{AE7CD045-E861-484f-8273-0445EE161910}
{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
{B4F3A835-0E21-4959-BA22-42B3008E02FF}
{d2ce3e00-f94a-4740-988e-03dc2f38c34f}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{DDA57003-0068-4ed2-9D32-4D1EC707D94D}
{E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53}
{F1F69322-008F-4895-B2BF-AD194219825A}
{F4971EE7-DAA0-4053-9964-665D8EE6A077}
{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
{3E1201F4-1707-409F-BB45-A5F192381DA0}
{47833539-D0C5-4125-9FA8-0819E2EAAC93}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{8dcb7100-df86-4384-8842-8fa844297b3f}
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB-X64: {5802D092-1784-4908-8CDB-99B6842D353D} - No File
EB-X64: {2B4C4770-27FD-4A09-B17D-33CA580965FB} - No File
mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
mRun-x64: [googletalk] "C:\Program Files (x86)\Google\Google Talk\googletalk.exe" /autostart
mRun-x64: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
mRun-x64: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [(par défaut)]
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
mRun-x64: [Client Access Service] C:\Program Files (x86)\IBM\Client Access\cwbsvstr.exe
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [PlusService] C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe
mRun-x64: [vmware-tray] "C:\Program Files (x86)\VMware\VMware Workstation\vmware-tray.exe"
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [LogitechCommunicationsManager] "C:\Program Files (x86)\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
mRun-x64: [LogitechQuickCamRibbon] "C:\Program Files (x86)\Labtec\WebCam10\WebCam10.exe" /hide
mRun-x64: [MessengerPlusForSkypeService] "C:\Program Files (x86)\Yuna Software\Messenger Plus! for Skype\MsgPlusForSkypeService.exe"
IE-X64: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files (x86)\Fiddler2\Fiddler.exe"
IE-X64: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
SEH-X64: {B5A7F190-DDA6-4420-B3BA-52453494E6CD}: Groove GFS Stub Execution Hook
Hosts: 67.43.56.28 cpalead.com cpalock.com www.cpalead.com www.cpalock.com adscendmedia.com www.adscendmedia.com
Hosts: 192.168.0.101 drfrankenstein.homedns.org
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Carl Tessier\AppData\Roaming\Mozilla\Firefox\Profiles\h8fonhha.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: network.proxy.socks - 66.167.100.59
FF - prefs.js: network.proxy.socks_port - 6649
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Program Files (x86)\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: C:\Users\Carl Tessier\AppData\Roaming\Mozilla\Firefox\Profiles\h8fonhha.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - component: C:\Users\Carl Tessier\AppData\Roaming\Mozilla\Firefox\Profiles\h8fonhha.default\extensions\twitternotifier@naan.net\platform\WINNT\components\nsTwitterFoxSign.dll
FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: C:\Program Files (x86)\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: C:\Users\Carl Tessier\AppData\Local\Facebook\Messenger\2.1.4554.0\npFbDesktopPlugin.dll
FF - plugin: C:\Users\Carl Tessier\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_257.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
FF - user.js: zend.ZDE_Path - C:\Program Files (x86)\Zend\Zend Studio - 7.0.2\ZendStudio.exe
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\system32\DRIVERS\ctxusbm.sys --> C:\Windows\system32\DRIVERS\ctxusbm.sys [?]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe [2010-7-5 89600]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AsnaAssist;ASNA Assist;C:\Program Files (x86)\ASNA\ASNA Services\AsnaSvcHost.exe [2008-12-10 114688]
R2 AsnaRegistrar;ASNA Registrar;C:\Program Files (x86)\ASNA\ASNA Services\AsnaSvcHost.exe [2008-12-10 114688]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 DataGate Server;DataGate Server;C:\Program Files (x86)\ASNA\DataGate Server\8.1\dgServer.exe [2008-12-4 2080768]
R2 DB2MGMTSVC_DB2COPY1;DB2 Management Service (DB2COPY1);C:\Program Files (x86)\IBM\SQLLIB\BIN\db2mgmtsvc.exe [2009-4-4 38688]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 LVUSBS64;Logitech USB Monitor Filter;C:\Windows\system32\DRIVERS\LVUSBS64.sys --> C:\Windows\system32\DRIVERS\LVUSBS64.sys [?]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;C:\Windows\system32\DRIVERS\OA008Ufd.sys --> C:\Windows\system32\DRIVERS\OA008Ufd.sys [?]
R3 OA008Vid;Creative Camera OA008 Function Driver;C:\Windows\system32\DRIVERS\OA008Vid.sys --> C:\Windows\system32\DRIVERS\OA008Vid.sys [?]
R3 PsxDrv;PsxDrv;C:\Windows\system32\drivers\psxdrv.sys --> C:\Windows\system32\drivers\psxdrv.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 LVcKap64;Logitech AEC Driver;C:\Windows\system32\DRIVERS\LVcKap64.sys --> C:\Windows\system32\DRIVERS\LVcKap64.sys [?]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\system32\DRIVERS\netaapl64.sys --> C:\Windows\system32\DRIVERS\netaapl64.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 VBoxUSB;VirtualBox USB;C:\Windows\system32\Drivers\VBoxUSB.sys --> C:\Windows\system32\Drivers\VBoxUSB.sys [?]
S3 VSPerfDrv100;Performance Tools Driver 10.0;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-1-18 68440]
S4 RsFx0105;RsFx0105 Driver;C:\Windows\system32\DRIVERS\RsFx0105.sys --> C:\Windows\system32\DRIVERS\RsFx0105.sys [?]
.
=============== File Associations ===============
.
VBSFile=%WINDIR%\System32\CScript.exe //nologo "%1" %*
.txt=txt_auto_file
.
=============== Created Last 30 ================
.
2012-06-27 05:17:04 77312 ----a-w- C:\Windows\System32\packager.dll
2012-06-27 05:17:04 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-06-27 04:51:37 -------- d-----w- C:\lalaFix
2012-06-27 04:44:04 -------- d-----w- C:\ComboFix
2012-06-27 01:33:08 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{929841BC-E1FA-4407-8275-3ED3039B6CB4}
2012-06-26 13:32:29 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{A1D08140-60D4-44EE-819A-BC0D9A4A37D3}
2012-06-26 13:32:06 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{3AC4B15A-55CA-4FC5-B699-EF16E4FCAEFD}
2012-06-25 19:05:26 -------- d-----w- C:\Users\Carl Tessier\AppData\Roaming\Malwarebytes
2012-06-25 19:05:05 -------- d-----w- C:\ProgramData\Malwarebytes
2012-06-25 19:05:04 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-06-25 19:05:04 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-25 18:06:35 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{917DD91A-D8BD-4260-BFA6-B0CDAB4F0B49}
2012-06-24 12:09:35 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{DFC2A60E-B6B6-4545-9FF4-E3284E8839FB}
2012-06-23 20:49:56 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{6CF26B69-B0F6-4F45-A225-A7C916CFDE0C}
2012-06-23 20:49:40 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{3B6A86B5-DFC7-4FD0-BF2C-621BA578C493}
2012-06-23 02:56:56 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-06-23 02:45:28 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{350ABF67-88BE-4A5C-A264-E90CF01E3FA5}
2012-06-23 02:43:33 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{9294C58D-79C8-4DA8-BA1F-3561304CF32D}
2012-06-21 15:45:54 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{D91DD74B-DD1E-4E28-B627-8E1C1BBA1CF9}
2012-06-21 15:45:43 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{B758BF1F-5399-4C95-8945-3A4FC7C82FE0}
2012-06-21 03:45:12 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{2B19A32D-E8B3-4F8D-811A-7C67FAC035A4}
2012-06-20 15:44:14 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{4C55E333-BF38-4108-8477-8507714B2FC9}
2012-06-20 15:43:58 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{74DD165A-3BDC-4C61-9981-53A97C722B8D}
2012-06-18 22:41:27 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-18 22:40:38 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-18 22:39:59 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-18 22:39:59 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-18 02:11:19 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{72A7C6CA-04E6-4AAA-B497-AFA543072F8F}
2012-06-16 16:36:09 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{35BBE299-E847-47B0-86A4-4262E30E6FEA}
2012-06-15 22:45:25 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\Macromedia
2012-06-15 22:40:52 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{857C3BFF-EF30-4446-B8CC-E3733F4C515B}
2012-06-14 23:33:34 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{897BFA0C-1D60-49EB-AB44-1A35D1B7DE50}
2012-06-14 23:33:12 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{F0FC1167-D8DE-4877-8BFA-4DA81D26215F}
2012-06-13 22:37:54 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{3BA4AD1A-C7F1-4E5F-8734-04BC0BF90B78}
2012-06-13 22:37:35 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{13E745A5-1079-4C20-BEEC-3FF071E627FB}
2012-06-12 22:33:51 -------- d-----w- C:\Program Files (x86)\Common Files\Software Update Utility
2012-06-12 22:33:18 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{375F18E2-7960-4C74-B4B5-50FC39375572}
2012-06-12 22:33:00 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{042958F3-2260-4CDF-AF98-48DF09564A05}
2012-06-12 01:04:33 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{DCCD9711-9DBE-424E-A0A5-1262C6473A19}
2012-06-12 01:04:05 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{1187F8ED-8331-4FF5-9037-31FE851E22BE}
2012-06-10 16:33:18 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{1541BCFE-ECAA-4121-BF3E-B4E806654A2C}
2012-06-10 16:33:02 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{7AC41222-4776-4091-840E-3F385244BFB9}
2012-06-10 04:32:49 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{4FA6D7BD-1DBC-4B7C-8B26-8299F11397C5}
2012-06-09 16:31:58 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{EB9B6B80-8402-4DFA-8934-59D3593C9EF8}
2012-06-09 16:31:35 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{61103219-96F7-4BF6-B394-E9185CCD5B4C}
2012-06-08 23:18:35 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{889051FF-DEEE-4FD5-BF6B-CC1E5DEE7B72}
2012-06-08 23:18:14 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{A70220C4-AD51-4C9A-8556-23461C2558EB}
2012-06-07 23:16:33 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{C80423E0-ED7E-4115-8CE1-A0B56E6697C2}
2012-06-07 23:16:18 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{71FE7A76-70AB-4B96-9128-51DE1C6802EE}
2012-06-07 01:00:17 -------- d-----w- C:\Users\Carl Tessier\AppData\Roaming\GitHub
2012-06-07 01:00:13 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\GitHub
2012-06-07 00:33:04 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{A0D271DC-CB11-4217-A2A8-A0D9E0EDC871}
2012-06-07 00:32:45 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{0D5BB6CE-6AD7-4B3B-AEA7-D0AC1EC1B34C}
2012-06-05 23:03:47 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{D2FA1145-AEDE-4C88-B7C7-E9D6F477861D}
2012-06-05 23:03:29 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{DEDF4CA7-F7FC-4C01-8872-A59D43FA045A}
2012-06-05 00:01:19 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{624E74DD-0A13-4391-986E-E771E7DF2758}
2012-06-05 00:01:01 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{84CA4136-3D2C-4377-A52E-7D6E9227324A}
2012-06-04 02:57:57 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{AE406AFB-28C1-40EF-B22C-B3767B8E0A91}
2012-06-04 02:57:41 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{225D6C55-482D-424F-BB64-794959B0ED2B}
2012-06-02 15:23:50 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{16212FB0-F262-454D-8512-BE0F6F2DF411}
2012-06-02 15:23:34 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{DC49F02A-AA11-4526-8382-46790EACC93E}
2012-06-02 01:23:32 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{7C1FB752-4DA8-40E3-82FF-C1431EAEED9E}
2012-06-02 01:23:15 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{BA125CF0-B24B-4E4F-8139-DD9D15D42846}
2012-06-01 00:12:12 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{D8E02C5F-9A97-42CD-A187-1B8257E9F160}
2012-06-01 00:11:52 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{3AB03A63-4EE0-491C-852E-E3E18AACC0B8}
2012-05-30 23:06:43 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{E64471B1-766F-4E59-8BC2-0B716E9A156A}
2012-05-30 23:06:23 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{30B3AD52-6F93-4B86-B661-AEDE4083B04E}
2012-05-30 01:29:19 -------- d-----w- C:\Windows\System32\carl-deleted
2012-05-30 01:18:45 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{5B847339-A9F5-11E1-8270-B8AC6F996F26}
2012-05-30 01:18:17 62464 ---ha-w- C:\Windows\System32\findup1664.dll
2012-05-29 23:23:48 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{F4B44C35-7BBE-420B-9598-ECAC3B48FB94}
2012-05-29 23:23:33 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{D90D7A92-7D06-439B-BC3B-989737B138C5}
2012-05-28 23:12:56 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{BBB4AC32-6482-4455-ACC9-84CA8240F793}
2012-05-28 23:12:35 -------- d-----w- C:\Users\Carl Tessier\AppData\Local\{31181E3C-F258-4D43-84AF-430B7F0320A1}
.
==================== Find3M ====================
.
2012-06-23 02:47:56 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-23 02:47:56 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-05-06 05:32:17 4474880 ----a-w- C:\Windows\SysWow64\QtCored4.dll
2012-05-06 05:32:17 2562560 ----a-w- C:\Windows\SysWow64\QtCore4.dll
.
============= FINISH: 1:49:05,43 ===============
In GMER, the "System", "Sections", "IAT/EAT", "Devices", "Modules", "Processes", "Threads" and "Libraries" checkboxes were greyed out and unchecked, even when run as an administrator.
Here is the log.
GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-06-27 14:11:31 Windows 6.1.7600 Running: 3ulmpvfr.exe ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE0 0x16 0xC3 0x79 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE0 0x16 0xC3 0x79 ... Reg HKCU\Software\Microsoft\Windows Live\Companion\doktorfrankenstein@gmail.com@262dac7e5060bf1d9250a96becebc324\r\n 0x0F 0x48 0xD6 0xF9 ... ---- Files - GMER 1.0.15 ---- File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\click[1].htm 0 bytes File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\0MFWH8MJ.txt 1394 bytes File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\OIM6ACM4.txt 212 bytes File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\6EM4361K.txt 4977 bytes File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\4LGAZ0JC.txt 436 bytes File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\P99C964I.txt 3790 bytes ---- EOF - GMER 1.0.15 ----
Sysinternals' RootkitRevealer crashes while scanning.
aswMBR crashes before finishing, after finding two files infected with Sirefef-PL [Rtk] in .NET's GAC.
TDSSkiller yields a clean report.
Something's telling me that the rootkit is attempting to protect itself.
What would be the next steps for eradicating this?
Regards,
Carl.
Back to top
