

Trojan.Ezula


19 replies to this topic

#1 Crystalis

Crystalis

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:15 PM

Posted 13 August 2009 - 09:46 PM

Please help

A scan with Security 360 found "Trojan.Ezula". The Trojan is now quarantined. However, I am left with an uneasy feeling there may be more. Could you please take a look at my logs to see if there are any other problems.

In regards to symptoms, the computer at first started slowing down about a week ago, and the longer it was on the slower it would get. I did several scans with several different spyware programs but they did not find anything. I also cleaned with Advanced SystemCare and Comodo System Cleaner and then defragged. This did help at first, but then it would gradually slow down again. Two days ago my taskbar icons doubled, then tripled, and then the PC immediately crashed. I booted up again and downloaded IObit Security 360, which found the Ezula trojan.

Thank you in advance for your help.

Here are my logs.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Charlie at 20:45:11.87 on Thu 08/13/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3316.1805 [GMT -5:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
SP: COMODO Defense+ *enabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
F:\Spyware Doctor\pctsAuxs.exe
F:\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
F:\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
F:\ThreatFire\TFTray.exe
C:\Program Files\COMODO\CBOClean\BOC427.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
F:\Spyware Doctor\pctsTray.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Charlie\Desktop\adds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\PDFXCviewIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
mRun: [ThreatFire] f:\threatfire\TFTray.exe
mRun: [BOC-427] c:\progra~1\comodo\cboclean\BOC427.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [IObit Security 360] c:\program files\iobit\iobit security 360\IS360tray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISTray] "f:\spyware doctor\pctsTray.exe"
uPolicies-explorer: Start_NotifyNewApps = 1 (0x1)
uPolicies-explorer: NoUserFolderInStartMenu = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249416514360
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246985117006
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\users\charlie\appdata\roaming\mozilla\firefox\profiles\ezw8rad2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\npPDFXCviewNPPlugin.dll
FF - plugin: f:\firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: f:\firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: f:\pdf xchange viewer\pdf-xchange viewer\pdf-viewer\npPDFXCviewNPPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - f:\firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
f:\firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
f:\firefox\greprefs\all.js - pref("media.cache_size", 51200);
f:\firefox\greprefs\all.js - pref("media.ogg.enabled", true);
f:\firefox\greprefs\all.js - pref("media.wave.enabled", true);
f:\firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
f:\firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
f:\firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
f:\firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
f:\firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
f:\firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
f:\firefox\greprefs\all.js - pref("layout.css.dpi", -1);
f:\firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
f:\firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
f:\firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
f:\firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
f:\firefox\greprefs\all.js - pref("geo.enabled", true);
f:\firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
f:\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
f:\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
f:\firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
f:\firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
f:\firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
f:\firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
f:\firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
f:\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
f:\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
f:\firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-23 130936]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-5 128888]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-5 29520]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-6 108289]
R2 BOCore;BOCore;c:\program files\comodo\cboclean\BOCore.exe [2009-2-7 73464]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-8-12 307472]
R2 sdAuxService;PC Tools Auxiliary Service;f:\spyware doctor\pctsAuxs.exe [2008-12-3 348752]
R2 ThreatFire;ThreatFire;f:\threatfire\tfservice.exe service --> f:\threatfire\TFService.exe service [?]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
R4 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-08-12 16:23 <DIR> --d----- c:\users\charlie\.housecall6.6
2009-08-12 00:43 <DIR> --d----- c:\programdata\IObit
2009-08-12 00:43 <DIR> --d----- c:\progra~2\IObit
2009-08-11 19:50 <DIR> --d----- c:\programdata\SecTaskMan
2009-08-11 19:50 <DIR> --d----- c:\progra~2\SecTaskMan
2009-08-11 19:50 <DIR> --d----- c:\program files\Security Task Manager
2009-08-11 18:29 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-11 18:29 218,624 a------- c:\windows\system32\msv1_0.dll
2009-08-11 18:29 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-11 18:29 270,848 a------- c:\windows\system32\schannel.dll
2009-08-11 18:29 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-08-11 18:29 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-11 18:29 72,704 a------- c:\windows\system32\secur32.dll
2009-08-11 18:29 9,728 a------- c:\windows\system32\lsass.exe
2009-08-11 18:07 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-11 18:07 71,680 a------- c:\windows\system32\atl.dll
2009-08-11 18:07 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-11 18:07 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-11 18:07 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-11 18:06 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-11 18:06 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-11 18:06 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-11 18:06 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-11 18:06 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-11 18:06 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-04 23:34 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-04 23:34 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-04 23:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 18:46 <DIR> --d----- c:\programdata\NOS
2009-07-28 10:47 <DIR> --d----- c:\program files\Tracker Software

==================== Find3M ====================

2009-08-12 11:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-11 18:43 86,016 a------- c:\windows\inf\infstor.dat
2009-08-11 18:43 51,200 a------- c:\windows\inf\infpub.dat
2009-08-11 18:43 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-06 19:23 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-21 16:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 16:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 16:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 15:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-11 09:16 179,792 a------- c:\windows\system32\guard32.dll
2009-07-11 09:16 128,888 a------- c:\windows\system32\drivers\cmdguard.sys
2009-07-06 02:35 29,520 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-07-05 23:23 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-30 11:28 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-06-24 18:14 272 a------- c:\windows\system32\drivers\sfi.dat
2009-06-17 07:20 12,648 a------- c:\windows\system32\drivers\psi_mf.sys
2009-06-15 09:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 09:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 09:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 09:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 07:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-14 13:47 174 a--sh--- c:\program files\desktop.ini
2009-06-14 12:38 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-06-14 12:37 82,432 a------- c:\windows\system32\axaltocm.dll
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-12-02 19:04 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-12-02 19:04 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-12-02 19:04 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-02-21 14:50 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 20:48:42.55 ===============

After posting I did an online scan with Kaspersky = 0 infections and scanned with Malwarebytes = 0 infections.


Edited by Crystalis, 14 August 2009 - 12:16 PM.

"When the power of love overcomes the love of power the world will finally know peace"
Jimi Hendrix
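As an added example that is not part of this thread (and not DDS's own code), here is a small Python triage script for a DDS log like the one above: it splits the log on its ===== section headers, pulls every binary path out of the Running Processes, Pseudo HJT Report and SERVICES / DRIVERS sections, flags anything running or autostarting from a user-writable location, and lists the AppInit_DLLs entries. The trusted and suspect directory lists are assumptions, and the sample log is an excerpt constructed from lines in the post above.

```python
"""Triage helper for a DDS log (added example, not DDS or BleepingComputer code).

Directory lists below are assumptions; SAMPLE_LOG is constructed from the post."""
import re

# Locations where installed software is expected to live (assumption). The drive
# letter is dropped before comparing, so an F:\ program dir is treated like C:\.
TRUSTED_PREFIXES = ("\\windows\\", "\\program files", "\\progra~1\\", "\\progra~2\\")
# User-writable locations: unusual for a service or autostart, so worth a second look.
SUSPECT_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\")

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# A drive-letter path ending in an executable extension, optionally quoted,
# followed by end of line, whitespace, a quote, a comma or ']'.
PATH_RE = re.compile(
    r'"?([a-z]:\\[^"\r\n]*?\.(?:exe|scr|dll|sys|ocx|com|bat))"?(?=$|[\s",\]])',
    re.IGNORECASE,
)

SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
F:\ThreatFire\TFService.exe
C:\Users\Charlie\Desktop\adds.scr

============== Pseudo HJT Report ===============

uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
mRun: [ThreatFire] f:\threatfire\TFTray.exe
AppInit_DLLs: c:\windows\system32\guard32.dll,avgrsstx.dll

============= SERVICES / DRIVERS ===============

R2 ThreatFire;ThreatFire;f:\threatfire\tfservice.exe service --> f:\threatfire\TFService.exe service [?]
"""


def parse_dds(text):
    """Split a DDS log into {section name: [non-blank lines]} using its ===== headers."""
    sections, current = {}, None
    for line in text.splitlines():
        header = SECTION_RE.match(line.strip())
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def extract_paths(line):
    """Return every binary path mentioned on one DDS line (quotes stripped)."""
    return PATH_RE.findall(line)


def classify(path):
    """'suspect' for user-writable dirs, 'ok' for system/program dirs, else 'review'."""
    rest = path[2:].lower()  # strip the drive letter
    if rest.startswith("\\users\\") or any(m in rest for m in SUSPECT_MARKERS):
        return "suspect"
    if rest.startswith(TRUSTED_PREFIXES):
        return "ok"
    return "review"


def triage(text):
    """Return (path, section, verdict) for every binary that is not clearly 'ok'."""
    sections = parse_dds(text)
    findings = []
    for name in ("Running Processes", "Pseudo HJT Report", "SERVICES / DRIVERS"):
        for line in sections.get(name, []):
            for path in extract_paths(line):
                verdict = classify(path)
                if verdict != "ok":
                    findings.append((path, name, verdict))
    return findings


def appinit_dlls(text):
    """List the DLLs on the AppInit_DLLs line. Each one is loaded into every process
    that links user32.dll, so every entry must be accounted for; a bare name such as
    avgrsstx.dll is resolved from system32."""
    for line in parse_dds(text).get("Pseudo HJT Report", []):
        if line.lower().startswith("appinit_dlls:"):
            return [d.strip() for d in line.split(":", 1)[1].split(",") if d.strip()]
    return []


if __name__ == "__main__":
    for path, section, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:8} {section:20} {path}")
    print("AppInit_DLLs:", appinit_dlls(SAMPLE_LOG))
```

A flag is a prompt to check the entry by hand, not a verdict: DDS itself runs from wherever it was saved, so it shows up in its own log.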



#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:15 PM

Posted 24 August 2009 - 11:20 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 Crystalis

Crystalis
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:15 PM

Posted 25 August 2009 - 08:01 PM

Thank you for responding to my call for help. I will not be able to access my computer until tomorrow. I will follow your directions and upload the results then.



#4 Crystalis

Crystalis
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:15 PM

Posted 27 August 2009 - 12:55 PM

Since my original post, I downloaded and am using the trial version of AVG Internet Security. Thus, I am using two firewalls at the moment. This has stopped the multitude of active port connections that were being established before, when running Comodo Internet Security alone. Monitoring the ports, I would see anywhere from a couple to over 400 connections at any one time. It was not uncommon to see 50+ svchost.exe ports established. I do not know if this means anything, but I thought I would include this information for your review.

I disabled all of my anti-virus/anti-malware programs and ran the DDS program.

During the scan, Comodo Internet Security Defense+ popped up with a warning. WREGS.exe is trying to execute WREGS.exe. What would you like to do? I allowed the request.

Here is my DDS.txt Log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Charlie at 11:23:14.10 on Thu 08/27/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3316.2194 [GMT -5:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
SP: COMODO Defense+ *enabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
F:\ThreatFire\TFTray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSUI.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Windows\system32\AERTSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
F:\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
F:\FireFox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\Downloads\DDS.SCR\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\PDFXCviewIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
mRun: [ThreatFire] f:\threatfire\TFTray.exe
mRun: [BOC-427] c:\progra~1\comodo\cboclean\BOC427.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [IObit Security 360] c:\program files\iobit\iobit security 360\IS360tray.exe
uPolicies-explorer: Start_NotifyNewApps = 1 (0x1)
uPolicies-explorer: NoUserFolderInStartMenu = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249416514360
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246985117006
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll,avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\users\charlie\appdata\roaming\mozilla\firefox\profiles\ezw8rad2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\npPDFXCviewNPPlugin.dll
FF - plugin: f:\firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: f:\firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: f:\pdf xchange viewer\pdf-xchange viewer\pdf-viewer\npPDFXCviewNPPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - f:\firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
f:\firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
f:\firefox\greprefs\all.js - pref("media.cache_size", 51200);
f:\firefox\greprefs\all.js - pref("media.ogg.enabled", true);
f:\firefox\greprefs\all.js - pref("media.wave.enabled", true);
f:\firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
f:\firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
f:\firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
f:\firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
f:\firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
f:\firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
f:\firefox\greprefs\all.js - pref("layout.css.dpi", -1);
f:\firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
f:\firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
f:\firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
f:\firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
f:\firefox\greprefs\all.js - pref("geo.enabled", true);
f:\firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
f:\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
f:\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
f:\firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
f:\firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
f:\firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
f:\firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
f:\firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
f:\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
f:\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
f:\firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-15 12552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-23 130936]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-14 114768]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2009-8-15 23832]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-15 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-15 108552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-5 128888]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-5 29520]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-6 108289]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-14 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-8-14 53328]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-15 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-15 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-8-15 1370488]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-2-26 563720]
R2 BOCore;BOCore;c:\program files\comodo\cboclean\BOCore.exe [2009-2-7 73464]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-8-22 305936]
R2 ThreatFire;ThreatFire;f:\threatfire\tfservice.exe service --> f:\threatfire\TFService.exe service [?]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_vista\AVGIDSDriver.sys [2009-2-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_vista\AVGIDSFilter.sys [2009-2-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_vista\AVGIDSShim.sys [2009-2-26 29136]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936]
S3 sdAuxService;PC Tools Auxiliary Service;f:\spyware doctor\pctsAuxs.exe [2008-12-3 348752]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-08-25 22:48 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-25 22:48 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-15 02:50 <DIR> --d----- c:\programdata\AVG Security Toolbar
2009-08-15 02:50 <DIR> --d----- c:\progra~2\AVG Security Toolbar
2009-08-15 02:15 <DIR> --d----- c:\programdata\Downloaded Installations
2009-08-15 02:15 <DIR> --d----- c:\progra~2\Downloaded Installations
2009-08-15 02:15 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-15 02:15 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-08-15 02:15 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-15 02:15 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-15 02:15 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-15 02:14 23,832 a------- c:\windows\system32\drivers\avgfwd6x.sys
2009-08-15 02:14 <DIR> --d----- c:\programdata\avg8
2009-08-15 02:14 <DIR> --d----- c:\program files\AVG
2009-08-15 02:14 <DIR> --d----- c:\progra~2\avg8
2009-08-14 22:29 53,328 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-08-14 17:02 <DIR> --d----- c:\program files\a-squared Free
2009-08-12 16:23 <DIR> --d----- c:\users\charlie\.housecall6.6
2009-08-12 00:43 <DIR> --d----- c:\programdata\IObit
2009-08-12 00:43 <DIR> --d----- c:\progra~2\IObit
2009-08-11 19:50 <DIR> --d----- c:\programdata\SecTaskMan
2009-08-11 19:50 <DIR> --d----- c:\progra~2\SecTaskMan
2009-08-11 19:50 <DIR> --d----- c:\program files\Security Task Manager
2009-08-11 18:29 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-11 18:29 218,624 a------- c:\windows\system32\msv1_0.dll
2009-08-11 18:29 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-11 18:29 270,848 a------- c:\windows\system32\schannel.dll
2009-08-11 18:29 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-08-11 18:29 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-11 18:29 72,704 a------- c:\windows\system32\secur32.dll
2009-08-11 18:29 9,728 a------- c:\windows\system32\lsass.exe
2009-08-11 18:07 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-11 18:07 71,680 a------- c:\windows\system32\atl.dll
2009-08-11 18:07 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-11 18:07 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-11 18:07 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-11 18:06 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-11 18:06 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-11 18:06 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-11 18:06 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-11 18:06 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-11 18:06 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-04 23:34 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-04 23:34 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-04 23:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 18:46 <DIR> --d----- c:\programdata\NOS

==================== Find3M ====================

2009-08-15 02:14 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-15 02:14 51,200 a------- c:\windows\inf\infpub.dat
2009-08-15 02:14 86,016 a------- c:\windows\inf\infstor.dat
2009-08-12 11:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-06 19:23 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-21 16:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 16:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 16:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 15:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-11 09:16 179,792 a------- c:\windows\system32\guard32.dll
2009-07-11 09:16 128,888 a------- c:\windows\system32\drivers\cmdguard.sys
2009-07-06 02:35 29,520 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-07-05 23:23 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-30 11:28 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-06-15 09:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 09:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 09:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 09:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 07:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-14 13:47 174 a--sh--- c:\program files\desktop.ini
2009-06-14 12:38 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-06-14 12:37 82,432 a------- c:\windows\system32\axaltocm.dll
2009-06-05 06:56 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-06-05 06:56 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-06-05 06:56 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-06-05 06:56 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-12-02 19:04 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-12-02 19:04 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-12-02 19:04 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-02-21 14:50 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 11:38:44.27 ===============

Here is my Attach.txt log:

Attached Files



#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:15 PM

Posted 31 August 2009 - 06:02 PM

Hello again.

I apologize for the delay. Let's continue with two more scans please.

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.
  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
  • Close/Disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Posted Image tab at the bottom.
  • Now press the Posted Image button.
  • A box will pop up, check the boxes beside All Seven options/scan area
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, e.g. C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button. Posted Image
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.
Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms to update for me.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 Crystalis

Crystalis
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:05:15 PM

Posted 01 September 2009 - 04:20 PM

Thanks for responding, :thumbup2:

I ran RootRepeal as you instructed.

Note: during the scan RootRepeal issued 2 popup messages.

The first message: "RootRepeal Error: Could not initialize driver! Please contact the author."
The second message: "Root Repeal Error: Could not scan drive D (error 0x0000001)". Drive D:\ is the Dell preinstalled backup partition.

RootRepeal Log:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/01 15:27
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xAFDC4000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\System Volume Information\{2b05f9c3-9278-11de-90db-001aa08acc23}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{45c128f7-971a-11de-b834-001aa08acc23}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{45c12900-971a-11de-b834-001aa08acc23}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{45c12904-971a-11de-b834-001aa08acc23}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{55115bba-9318-11de-96d8-001aa08acc23}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{55115c72-9318-11de-96d8-001aa08acc23}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{7dc35c53-949e-11de-8bf8-001aa08acc23}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{7dc35dee-949e-11de-8bf8-001aa08acc23}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{e191ad88-93f0-11de-b0ef-001aa08acc23}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{e8c2a7a4-936b-11de-a970-001aa08acc23}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine
Status: Locked to the Windows API!

Path: C:\Windows\inf\.NET Data Provider for Oracle\_DATAO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\System32\drivers\sfi.dat
Status: Locked to the Windows API!

Path: C:\Windows\System32\XPSViewer\XPSVIE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f21d3d46d84.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f59bf601aa775.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0ebd6590e0b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_7ab8cc63a6e4c2a3.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_cs-cz_d9f4bc64420b8d63\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_da-dk_772e9c8b38518962\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_de-de_745a31c73a27ddfc\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_el-gr_1cf05f5a293d468a\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_en-us_1d4b07c02905e9c1\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_es-es_1d1664a4292cdb66\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_fr-fr_bfcddaa31bfef1c8\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_hu-hu_073e5aeb005ec0e4\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_it-it_a9f5d0e9f330d746\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_ja-jp_4c1b4ff6e64be921\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_ko-kr_ef852cabd8bcb037\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_nb-no_d817ade0b0e1dbf3\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_nl-nl_d656f91eb20de5c8\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_pt-br_1ee73e4495b9e760\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_pt-pt_1fc90db09529573c\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_ru-ru_666c1f747a0ae568\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_sv-se_026709e97133efc3\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_tr-tr_ab7454305feff1b4\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_zh-cn_7cd1722e1027c3d3\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_zh-hk_7b7c6abc11033663\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_da-dk_10c2bcd25a6f45eb\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_de-de_0dee520e5c459a85\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_el-gr_b6847fa14b5b0313\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_en-us_b6df28074b23a64a\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_es-es_b6aa84eb4b4a97ef\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_fi-fi_55c5899840648a19\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_fr-fr_5961faea3e1cae51\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_fi-fi_bc3169511e46cd90\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_pl-pl_1c9353a09730537c\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_zh-tw_80cdaf840d98a043\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_it-it_4389f131154e93cf\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_ja-jp_e5af703e0869a5aa\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_ko-kr_89194cf2fada6cc0\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_nb-no_71abce27d2ff987c\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_nl-nl_6feb1965d42ba251\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_pl-pl_b62773e7b94e1005\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_pt-br_b87b5e8bb7d7a3e9\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_ru-ru_00003fbb9c28a1f1\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_sv-se_9bfb2a309351ac4c\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_tr-tr_45087477820dae3d\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_zh-cn_166592753245805c\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_zh-hk_15108b033320f2ec\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_zh-tw_1a61cfcb2fb65ccc\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_el-gr_9c85d8321884ca1a\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_ko-kr_6f1aa583c80433c7\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_en-us_9ce08098184d6d51\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_es-es_9cabdd7c18745ef6\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_fi-fi_3bc6e2290d8e5120\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_fr-fr_3f63537b0b467558\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_hu-hu_86d3d3c2efa64474\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_it-it_298b49c1e2785ad6\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_ja-jp_cbb0c8ced5936cb1\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_nb-no_57ad26b8a0295f83\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_nl-nl_55ec71f6a1556958\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_pl-pl_9c28cc788677d70c\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_pt-br_9e7cb71c85016af0\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_pt-pt_9f5e86888470dacc\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_ru-ru_e601984c695268f8\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_sv-se_81fc82c1607b7353\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_zh-cn_fc66eb05ff6f4763\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_zh-hk_fb11e394004ab9f3\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_zh-tw_0063285bfce023d3\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..pwindowmanager-core_31bf3856ad364e35_6.0.6002.18005_none_8f8f0d20ba53c683\MICROS~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_tr-tr_2b09cd084f377544\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_pt-pt_b95d2df7b74713c5\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16866_none_3fdf3668c441aa88\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.21062_none_4064aa2ddd631838\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18000_none_42004f0ec13d017b\WGXINS~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6002.18005_en-us_a2b5d6f9369b0105\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6002.18005_en-us_a2b5d6f9369b0105\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6000.16708_en-us_9eec237d3c4b6ca7\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6000.16708_en-us_9eec237d3c4b6ca7\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6000.20864_en-us_9f30df98559d4ebb\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6000.20864_en-us_9f30df98559d4ebb\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6001.18000_en-us_a0ca5ded397935b9\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6001.18000_en-us_a0ca5ded397935b9\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6001.18096_en-us_a06f105d39bcc93c\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6001.18096_en-us_a06f105d39bcc93c\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6001.22208_en-us_a15bfeee528f9d62\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.0.6001.22208_en-us_a15bfeee528f9d62\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6000.16720_none_85fe1e046d872951\_DATAO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6000.16720_none_85fe1e046d872951\_DATAO~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6000.20883_none_6f3634a887296e44\_DATAO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6000.20883_none_6f3634a887296e44\_DATAO~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6001.18000_none_85d8195c6dda02a9\_DATAO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6001.18000_none_85d8195c6dda02a9\_DATAO~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6001.18111_none_85d902ba6dd935f2\_DATAO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6001.18111_none_85d902ba6dd935f2\_DATAO~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6001.22230_none_6f0d7356877eaf05\_DATAO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6001.22230_none_6f0d7356877eaf05\_DATAO~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6002.18005_none_85b39e986e2b96bd\_DATAO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.0.6002.18005_none_85b39e986e2b96bd\_DATAO~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_h_31bf3856ad364e35_6.0.6000.16708_none_f87832f6f02b1a0c\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_h_31bf3856ad364e35_6.0.6000.20864_none_f8bcef12097cfc20\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_h_31bf3856ad364e35_6.0.6001.18096_none_f9fb1fd6ed9c76a1\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_h_31bf3856ad364e35_6.0.6001.22208_none_fae80e68066f4ac7\_SERVI~1.H
Status: Locked to the Windows API!

Path: c:\windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_ini_31bf3856ad364e35_6.0.6000.16708_none_c1843fad322b4004\_servicemodeloperationperfcounters_d.ini
Status: Allocation size mismatch (API: 245760, Raw: 56)

Path: c:\windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_ini_31bf3856ad364e35_6.0.6000.20864_none_c1c8fbc84b7d2218\_servicemodeloperationperfcounters_d.ini
Status: Allocation size mismatch (API: 245760, Raw: 56)

Path: c:\windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_ini_31bf3856ad364e35_6.0.6001.18000_none_c3627a1d2f590916\_servicemodeloperationperfcounters_d.ini
Status: Allocation size mismatch (API: 245760, Raw: 56)

Path: c:\windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_ini_31bf3856ad364e35_6.0.6001.18096_none_c3072c8d2f9c9c99\_servicemodeloperationperfcounters_d.ini
Status: Allocation size mismatch (API: 245760, Raw: 56)

Path: c:\windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_ini_31bf3856ad364e35_6.0.6001.22208_none_c3f41b1e486f70bf\_servicemodeloperationperfcounters_d.ini
Status: Allocation size mismatch (API: 245760, Raw: 56)

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_ini_31bf3856ad364e35_6.0.6002.18005_none_c54df3292c7ad462\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_h_31bf3856ad364e35_6.0.6000.16708_none_b25b01638e2dbfa3\_TRANS~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_h_31bf3856ad364e35_6.0.6000.20864_none_b29fbd7ea77fa1b7\_TRANS~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_h_31bf3856ad364e35_6.0.6001.18096_none_b3ddee438b9f1c38\_TRANS~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_h_31bf3856ad364e35_6.0.6001.22208_none_b4cadcd4a471f05e\_TRANS~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6000.16720_none_7b4eba45cecd6936\IEEXEC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6000.20883_none_6486d0e9e86fae29\IEEXEC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6001.18111_none_7b299efbcf1f75d7\IEEXEC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6001.22230_none_645e0f97e8c4eeea\IEEXEC~1.CON
Status: Locked to the Windows API!

Path: c:\windows\winsxs\x86_wcf-m_svc_mod_svc_perf_ini_31bf3856ad364e35_6.0.6000.16708_none_78c5c5708f85fc49\_servicemodelserviceperfcounters_d.ini
Status: Allocation size mismatch (API: 561152, Raw: 56)

Path: c:\windows\winsxs\x86_wcf-m_svc_mod_svc_perf_ini_31bf3856ad364e35_6.0.6000.20864_none_790a818ba8d7de5d\_servicemodelserviceperfcounters_d.ini
Status: Allocation size mismatch (API: 561152, Raw: 56)

Path: c:\windows\winsxs\x86_wcf-m_svc_mod_svc_perf_ini_31bf3856ad364e35_6.0.6001.18000_none_7aa3ffe08cb3c55b\_servicemodelserviceperfcounters_d.ini
Status: Allocation size mismatch (API: 561152, Raw: 56)

Path: c:\windows\winsxs\x86_wcf-m_svc_mod_svc_perf_ini_31bf3856ad364e35_6.0.6001.18096_none_7a48b2508cf758de\_servicemodelserviceperfcounters_d.ini
Status: Allocation size mismatch (API: 561152, Raw: 56)

Path: c:\windows\winsxs\x86_wcf-m_svc_mod_svc_perf_ini_31bf3856ad364e35_6.0.6001.22208_none_7b35a0e1a5ca2d04\_servicemodelserviceperfcounters_d.ini
Status: Allocation size mismatch (API: 561152, Raw: 56)

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_vrg_31bf3856ad364e35_6.0.6000.16708_none_7aa059d88e5323b0\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_vrg_31bf3856ad364e35_6.0.6000.20864_none_7ae515f3a7a505c4\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_vrg_31bf3856ad364e35_6.0.6001.18096_none_7c2346b88bc48045\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_vrg_31bf3856ad364e35_6.0.6001.22208_none_7d103549a497546b\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-xpsviewermanifestxml_31bf3856ad364e35_6.0.6000.16708_none_ddb4cf58a13aa0ca\XPSVIE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-xpsviewermanifestxml_31bf3856ad364e35_6.0.6000.20864_none_ddf98b73ba8c82de\XPSVIE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_vrg_31bf3856ad364e35_6.0.6000.16708_none_807ba2c12fe38edc\_TRANS~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_vrg_31bf3856ad364e35_6.0.6000.20864_none_80c05edc493570f0\_TRANS~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_vrg_31bf3856ad364e35_6.0.6001.18096_none_81fe8fa12d54eb71\_TRANS~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_vrg_31bf3856ad364e35_6.0.6001.22208_none_82eb7e324627bf97\_TRANS~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globaluserinterfacecf_31bf3856ad364e35_6.0.6000.16708_none_ac1fffb2b6ba9be9\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globaluserinterfacecf_31bf3856ad364e35_6.0.6000.20864_none_ac64bbcdd00c7dfd\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globaluserinterfacecf_31bf3856ad364e35_6.0.6001.18096_none_ada2ec92b42bf87e\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-globaluserinterfacecf_31bf3856ad364e35_6.0.6001.22208_none_ae8fdb23ccfecca4\GLOBAL~1.COM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_vrg_31bf3856ad364e35_6.0.6000.16708_none_c71adcbf2e98b7f5\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_vrg_31bf3856ad364e35_6.0.6000.20864_none_c75f98da47ea9a09\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_vrg_31bf3856ad364e35_6.0.6001.18096_none_c89dc99f2c0a148a\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_vrg_31bf3856ad364e35_6.0.6001.22208_none_c98ab83044dce8b0\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_h_31bf3856ad364e35_6.0.6000.16708_none_9958372092944487\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Wi

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1820 Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x9116611c

#: 021 Function Name: NtAlpcConnectPort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x911670ea

#: 022 Function Name: NtAlpcCreatePort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91166302

#: 054 Function Name: NtConnectPort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x9116547c

#: 060 Function Name: NtCreateFile
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91165cc0

#: 071 Function Name: NtCreatePort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x9116515a

#: 072 Function Name: NtCreateProcess
Status: Hooked by "C:\Windows\system32\drivers\PCTCore.sys" at address 0x805cd282

#: 073 Function Name: NtCreateProcessEx
Status: Hooked by "C:\Windows\system32\drivers\PCTCore.sys" at address 0x805cd474

#: 075 Function Name: NtCreateSection
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91165b16

#: 077 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91166da4

#: 078 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xa9d3c6ac

#: 129 Function Name: NtDuplicateObject
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91164a82

#: 165 Function Name: NtLoadDriver
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91166a26

#: 174 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91165700

#: 186 Function Name: NtOpenFile
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91165f04

#: 194 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xa9d3c698

#: 197 Function Name: NtOpenSection
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91165990

#: 201 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xa9d3c69d

#: 276 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91165278

#: 286 Function Name: NtSecureConnectPort
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x911667c2

#: 317 Function Name: NtSetSystemInformation
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91166bd4

#: 326 Function Name: NtShutdownSystem
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x9116569a

#: 332 Function Name: NtSystemDebugControl
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91165884

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xa9d3c6a7

#: 335 Function Name: NtTerminateThread
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91164ef2

#: 382 Function Name: NtCreateThreadEx
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x9116640e

#: 383 Function Name: NtCreateUserProcess
Status: Hooked by "C:\Windows\system32\drivers\PCTCore.sys" at address 0x805cd67c

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91168fea

#: 124 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91169714

#: 235 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x9116911e

#: 241 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x911695ce

#: 245 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x9116925e

#: 301 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91169392

#: 320 Function Name: NtUserBlockInput
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91168e6a

#: 329 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x911680bc

#: 397 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91168b3a

#: 403 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x911694cc

#: 428 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x911688a8

#: 430 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x911689ea

#: 479 Function Name: NtUserMessageCall
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x9116858c

#: 484 Function Name: NtUserMoveWindow
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91167df4

#: 497 Function Name: NtUserPostMessage
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x9116823e

#: 498 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x911683ea

#: 513 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91168c8a

#: 525 Function Name: NtUserSendInput
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x9116874e

#: 532 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91168d80

#: 550 Function Name: NtUserSetParent
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x91167f64

#: 573 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x9116977a

#: 576 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\Windows\System32\DRIVERS\cmdguard.sys" at address 0x911699ae

==EOF==

I will complete the second part of your instructions with the Malwarebytes Anti-Malware now and post the log as soon as it is finished.

#7 Crystalis


Posted 01 September 2009 - 04:55 PM

Here is the Malwarebytes Log:

Malwarebytes' Anti-Malware 1.40
Database version: 2727
Windows 6.0.6002 Service Pack 2

9/1/2009 4:52:29 PM
mbam-log-2009-09-01 (16-52-29).txt

Scan type: Quick Scan
Objects scanned: 78341
Time elapsed: 7 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Crystalis


Posted 01 September 2009 - 06:06 PM

Woops,

Here is my new DDS log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Charlie at 17:36:03.11 on Tue 09/01/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3316.2148 [GMT -5:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
SP: COMODO Defense+ *enabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
F:\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
F:\ThreatFire\TFTray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSUI.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
F:\FireFox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Charlie\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\PDFXCviewIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
mRun: [ThreatFire] f:\threatfire\TFTray.exe
mRun: [BOC-427] c:\progra~1\comodo\cboclean\BOC427.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [IObit Security 360] c:\program files\iobit\iobit security 360\IS360tray.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
uPolicies-explorer: Start_NotifyNewApps = 1 (0x1)
uPolicies-explorer: NoUserFolderInStartMenu = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249416514360
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246985117006
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: ,avgrsstx.dll c:\windows\system32\guard32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\users\charlie\appdata\roaming\mozilla\firefox\profiles\ezw8rad2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\npPDFXCviewNPPlugin.dll
FF - plugin: f:\firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: f:\firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: f:\pdf xchange viewer\pdf-xchange viewer\pdf-viewer\npPDFXCviewNPPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - f:\firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
f:\firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
f:\firefox\greprefs\all.js - pref("media.cache_size", 51200);
f:\firefox\greprefs\all.js - pref("media.ogg.enabled", true);
f:\firefox\greprefs\all.js - pref("media.wave.enabled", true);
f:\firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
f:\firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
f:\firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
f:\firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
f:\firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
f:\firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
f:\firefox\greprefs\all.js - pref("layout.css.dpi", -1);
f:\firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
f:\firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
f:\firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
f:\firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
f:\firefox\greprefs\all.js - pref("geo.enabled", true);
f:\firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
f:\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
f:\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
f:\firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
f:\firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
f:\firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
f:\firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
f:\firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
f:\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
f:\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
f:\firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-15 12552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-23 130936]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-14 114768]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2009-8-15 23832]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-15 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-15 108552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-5 128888]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-5 29520]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-6 108289]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-8-14 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-8-14 53328]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-15 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-15 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-8-15 1370488]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-2-26 563720]
R2 BOCore;BOCore;c:\program files\comodo\cboclean\BOCore.exe [2009-2-7 73464]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-8-22 305936]
R2 ThreatFire;ThreatFire;f:\threatfire\tfservice.exe service --> f:\threatfire\TFService.exe service [?]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_vista\AVGIDSDriver.sys [2009-2-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_vista\AVGIDSFilter.sys [2009-2-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_vista\AVGIDSShim.sys [2009-2-26 29136]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936]
S3 sdAuxService;PC Tools Auxiliary Service;f:\spyware doctor\pctsAuxs.exe [2008-12-3 348752]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-09-01 16:34 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 16:34 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-01 16:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-25 22:48 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-25 22:48 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-15 02:50 <DIR> --d----- c:\programdata\AVG Security Toolbar
2009-08-15 02:50 <DIR> --d----- c:\progra~2\AVG Security Toolbar
2009-08-15 02:15 <DIR> --d----- c:\programdata\Downloaded Installations
2009-08-15 02:15 <DIR> --d----- c:\progra~2\Downloaded Installations
2009-08-15 02:15 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-15 02:15 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-08-15 02:15 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-15 02:15 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-15 02:15 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-15 02:14 23,832 a------- c:\windows\system32\drivers\avgfwd6x.sys
2009-08-15 02:14 <DIR> --d----- c:\programdata\avg8
2009-08-15 02:14 <DIR> --d----- c:\program files\AVG
2009-08-15 02:14 <DIR> --d----- c:\progra~2\avg8
2009-08-14 22:29 53,328 a------- c:\windows\system32\drivers\aswMonFlt.sys
2009-08-14 17:02 <DIR> --d----- c:\program files\a-squared Free
2009-08-12 16:23 <DIR> --d----- c:\users\charlie\.housecall6.6
2009-08-12 00:43 <DIR> --d----- c:\programdata\IObit
2009-08-12 00:43 <DIR> --d----- c:\progra~2\IObit
2009-08-11 19:50 <DIR> --d----- c:\programdata\SecTaskMan
2009-08-11 19:50 <DIR> --d----- c:\progra~2\SecTaskMan
2009-08-11 19:50 <DIR> --d----- c:\program files\Security Task Manager
2009-08-11 18:29 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-11 18:29 218,624 a------- c:\windows\system32\msv1_0.dll
2009-08-11 18:29 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-11 18:29 270,848 a------- c:\windows\system32\schannel.dll
2009-08-11 18:29 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-08-11 18:29 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-11 18:29 72,704 a------- c:\windows\system32\secur32.dll
2009-08-11 18:29 9,728 a------- c:\windows\system32\lsass.exe
2009-08-11 18:07 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-11 18:07 71,680 a------- c:\windows\system32\atl.dll
2009-08-11 18:07 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-11 18:07 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-11 18:07 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-11 18:06 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-11 18:06 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-11 18:06 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-11 18:06 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-11 18:06 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-11 18:06 18,432 a------- c:\windows\system32\amcompat.tlb

==================== Find3M ====================

2009-08-30 23:24 179,792 a------- c:\windows\system32\guard32.dll
2009-08-30 23:24 128,888 a------- c:\windows\system32\drivers\cmdguard.sys
2009-08-30 23:24 29,520 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-08-15 02:14 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-15 02:14 51,200 a------- c:\windows\inf\infpub.dat
2009-08-15 02:14 86,016 a------- c:\windows\inf\infstor.dat
2009-08-12 11:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-06 19:23 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-21 16:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 16:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 16:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 15:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-05 23:23 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-15 09:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 09:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 09:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 09:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 07:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-14 13:47 174 a--sh--- c:\program files\desktop.ini
2009-06-14 12:38 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-06-14 12:37 82,432 a------- c:\windows\system32\axaltocm.dll
2009-06-05 06:56 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-06-05 06:56 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-06-05 06:56 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-06-05 06:56 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-12-02 19:04 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-12-02 19:04 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-12-02 19:04 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-02-21 14:50 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 17:36:42.71 ===============

"When the power of love overcomes the love of power the world will finally know peace"
Jimi Hendrix


#9 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 02 September 2009 - 11:42 AM

Hello.

You have way too many security programs installed and running simultaneously.

I see the following security programs installed. There are more but we'll focus on these ones:

IObit Security 360 RC
a-squared Free 4.5
avast! Antivirus
AVG 8.5
Avira AntiVir Personal - Free Antivirus
COMODO Internet Security
Spyware Doctor 6.0


You can uninstall Spyware Doctor 6.0 unless you are going to purchase it, as if you don't, it doesn't help you remove anything. It is not necessary to have installed on your machine.

You have more than ONE anti-virus software installed on your system.

Why shouldn't I have more than one anti-virus/firewall software installed on my system?

2 Anti-virus/Firewall Programs Running Simultaneously Warning

I do not recommend that you have more than one anti virus or firewall product installed and running on your computer at a time. In addition to wasting resources, if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to Programs and features and uninstall any 5 of the security programs below until you only have ONE left.

IObit Security 360 RC
a-squared Free 4.5
avast! Antivirus
AVG 8.5
Avira AntiVir Personal - Free Antivirus
COMODO Internet Security


Please uninstall them until you are only running one antivirus using Add/Remove Programs if you are using XP or remove it via Programs and Features if you are using Vista.

Then re-run DDS and post back with the new set of logs.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
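The check extremeboy is doing by eye above (which security vendors still have live components in the SERVICES / DRIVERS section) can be automated. The script below is an added example, not part of this thread or any BleepingComputer tool: it parses DDS service/driver lines in the format posted above and reports every recognised security vendor with entries in the R state. The vendor fingerprint table is my own assumption built from the product names in this thread, the R/S letters are read as DDS's running/stopped flags, and the sample lines are copied from the two logs posted here.

```python
import re

# Vendor fingerprints (my own assumption, built from the product names in the
# DDS logs of this thread): regex tried against the lowercased display name
# plus image path of each entry. Extend the table for other products.
VENDOR_PATTERNS = {
    "Avira AntiVir": r"avira|\bantivir\b",
    "AVG":           r"avg8|avgids|avgrkx|avgldx|avgtdix|avgfw|\bavg\b",
    "avast!":        r"avast|\basw[a-z]",
    "COMODO":        r"comodo|cmdguard|cmdhlp|cboclean",
    "PC Tools":      r"pctools|pctcore|spyware doctor|pctsaux",
    "ThreatFire":    r"threatfire",
    "IObit":         r"iobit|is360",
}

# A DDS SERVICES / DRIVERS line, e.g.
#   R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-15 297752]
# state letter (R = running, S = stopped, as DDS reports them), start-type
# digit, service name ; display name ; image path, optional "[date size]".
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)(?:\s+\[[^\]]*\])?\s*$"
)


def identify_vendor(text):
    """Return the first vendor whose fingerprint matches, or None."""
    text = text.lower()
    for vendor, pattern in VENDOR_PATTERNS.items():
        if re.search(pattern, text):
            return vendor
    return None


def parse_services(dds_text):
    """Return one dict per SERVICES / DRIVERS entry in a DDS log excerpt."""
    entries = []
    for line in dds_text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue  # headers, blank lines and other sections are skipped
        entries.append({
            "name": m["name"],
            "display": m["display"],
            "image": m["image"],
            "running": m["state"] == "R",
            "vendor": identify_vendor(m["display"] + " " + m["image"]),
        })
    return entries


def running_vendors(entries):
    """Map each recognised security vendor to its components in the R state."""
    active = {}
    for e in entries:
        if e["vendor"] and e["running"]:
            active.setdefault(e["vendor"], []).append(e["name"])
    return active


def assess(dds_text):
    """Which security vendors still have running components, and is it >1?"""
    active = running_vendors(parse_services(dds_text))
    # More than one vendor with live components is what the reply above warns
    # about; choosing which product to keep stays a human decision.
    return {"vendors": sorted(active), "components": active,
            "conflict": len(active) > 1}


# Sample input: lines copied from the two DDS logs posted in this thread
# (before and after the uninstalls), trimmed to the entries relevant here.
BEFORE_UNINSTALL = r"""
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-23 130936]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-8-14 114768]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-5 128888]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-6 108289]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-15 297752]
R2 BOCore;BOCore;c:\program files\comodo\cboclean\BOCore.exe [2009-2-7 73464]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-8-22 305936]
R2 ThreatFire;ThreatFire;f:\threatfire\tfservice.exe service --> f:\threatfire\TFService.exe service [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]
S3 sdAuxService;PC Tools Auxiliary Service;f:\spyware doctor\pctsAuxs.exe [2008-12-3 348752]
"""

AFTER_UNINSTALL = r"""
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-23 130936]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-5 128888]
R2 BOCore;BOCore;c:\program files\comodo\cboclean\BOCore.exe [2009-2-7 73464]
R2 ThreatFire;ThreatFire;f:\threatfire\tfservice.exe service --> f:\threatfire\TFService.exe service [?]
S3 sdAuxService;PC Tools Auxiliary Service;f:\spyware doctor\pctsAuxs.exe [2008-12-3 348752]
"""

if __name__ == "__main__":
    for label, log in (("before", BEFORE_UNINSTALL), ("after", AFTER_UNINSTALL)):
        report = assess(log)
        print(f"{label}: {len(report['vendors'])} vendor(s) with running components")
        for vendor, names in report["components"].items():
            print(f"  {vendor}: {', '.join(names)}")
```

Stopped (S) entries are parsed but not counted, so a product that was disabled rather than uninstalled still shows up in `parse_services` output for review.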

#10 Crystalis
  • Topic Starter
  • Members
  • 11 posts

Posted 03 September 2009 - 03:20 PM

Hello back,

I do have the paid version of Spyware Doctor. However, I previously had it disabled and only turned it on to run scans. So I did not delete it, but I have disabled it. Avast and a-squared were also previously disabled and I just used them to run periodic scans too. But I have uninstalled them along with Avira and IObit. I still have BOClean and ThreatFire running as you did not include them in the list. I have now rebooted and will now run DDS and post as soon as it is complete.

Thank you for your ongoing help!

#11 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 03 September 2009 - 03:35 PM

Okay. Post the logs once they are complete.

~Extremeboy

#12 Crystalis
  • Topic Starter
  • Members
  • 11 posts

Posted 03 September 2009 - 03:38 PM

Here are my DDS logs:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Charlie at 15:22:43.75 on Thu 09/03/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3316.2374 [GMT -5:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
SP: COMODO Defense+ *enabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
F:\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
F:\ThreatFire\TFTray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Charlie\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\PDFXCviewIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
mRun: [ThreatFire] f:\threatfire\TFTray.exe
mRun: [BOC-427] c:\progra~1\comodo\cboclean\BOC427.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
uPolicies-explorer: Start_NotifyNewApps = 1 (0x1)
uPolicies-explorer: NoUserFolderInStartMenu = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249416514360
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246985117006
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\users\charlie\appdata\roaming\mozilla\firefox\profiles\ezw8rad2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\npPDFXCviewNPPlugin.dll
FF - plugin: f:\firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: f:\firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: f:\pdf xchange viewer\pdf-xchange viewer\pdf-viewer\npPDFXCviewNPPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - f:\firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
f:\firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
f:\firefox\greprefs\all.js - pref("media.cache_size", 51200);
f:\firefox\greprefs\all.js - pref("media.ogg.enabled", true);
f:\firefox\greprefs\all.js - pref("media.wave.enabled", true);
f:\firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
f:\firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
f:\firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
f:\firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
f:\firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
f:\firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
f:\firefox\greprefs\all.js - pref("layout.css.dpi", -1);
f:\firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
f:\firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
f:\firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
f:\firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
f:\firefox\greprefs\all.js - pref("geo.enabled", true);
f:\firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
f:\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
f:\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
f:\firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
f:\firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
f:\firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
f:\firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
f:\firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
f:\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
f:\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
f:\firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-23 130936]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-5 128888]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-5 29520]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 BOCore;BOCore;c:\program files\comodo\cboclean\BOCore.exe [2009-2-7 73464]
R2 ThreatFire;ThreatFire;f:\threatfire\tfservice.exe service --> f:\threatfire\TFService.exe service [?]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936]
S3 sdAuxService;PC Tools Auxiliary Service;f:\spyware doctor\pctsAuxs.exe [2008-12-3 348752]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-09-03 13:04 2,048 a------- c:\windows\system32\tzres.dll
2009-09-02 23:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-09-02 23:44 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-01 16:34 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 16:34 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-01 16:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-15 02:15 <DIR> --d----- c:\programdata\Downloaded Installations
2009-08-15 02:15 <DIR> --d----- c:\progra~2\Downloaded Installations
2009-08-15 02:14 <DIR> --d----- c:\program files\AVG
2009-08-12 16:23 <DIR> --d----- c:\users\charlie\.housecall6.6
2009-08-12 00:43 <DIR> --d----- c:\programdata\IObit
2009-08-12 00:43 <DIR> --d----- c:\progra~2\IObit
2009-08-11 19:50 <DIR> --d----- c:\programdata\SecTaskMan
2009-08-11 19:50 <DIR> --d----- c:\progra~2\SecTaskMan
2009-08-11 19:50 <DIR> --d----- c:\program files\Security Task Manager
2009-08-11 18:29 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-11 18:29 218,624 a------- c:\windows\system32\msv1_0.dll
2009-08-11 18:29 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-11 18:29 270,848 a------- c:\windows\system32\schannel.dll
2009-08-11 18:29 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-08-11 18:29 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-11 18:29 72,704 a------- c:\windows\system32\secur32.dll
2009-08-11 18:29 9,728 a------- c:\windows\system32\lsass.exe
2009-08-11 18:07 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-11 18:07 71,680 a------- c:\windows\system32\atl.dll
2009-08-11 18:07 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-11 18:07 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-11 18:07 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-11 18:06 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-11 18:06 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-11 18:06 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-11 18:06 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-11 18:06 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-11 18:06 18,432 a------- c:\windows\system32\amcompat.tlb

==================== Find3M ====================

2009-09-03 14:25 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-03 14:25 86,016 a------- c:\windows\inf\infstor.dat
2009-09-03 14:25 51,200 a------- c:\windows\inf\infpub.dat
2009-08-30 23:24 179,792 a------- c:\windows\system32\guard32.dll
2009-08-30 23:24 128,888 a------- c:\windows\system32\drivers\cmdguard.sys
2009-08-30 23:24 29,520 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-08-28 21:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 21:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 21:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 21:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-12 11:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-06 19:23 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-21 16:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 16:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 16:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 15:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-05 23:23 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-15 09:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 09:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 09:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 09:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 07:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-14 13:47 174 a--sh--- c:\program files\desktop.ini
2009-06-14 12:38 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-06-14 12:37 82,432 a------- c:\windows\system32\axaltocm.dll
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-12-02 19:04 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-12-02 19:04 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-12-02 19:04 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-02-21 14:50 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:23:24.70 ===============


#13 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:06:15 PM

Posted 03 September 2009 - 03:48 PM

Hello.

I personally don't like ThreatFire. From logs I have seen ThreatFire hooks on to several files and causes performance issues. You can keep it if you wish however.

--

Let's run an online scan.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now, under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#14 Crystalis

  • Topic Starter
  • Members
  • 11 posts
  • Local time:05:15 PM

Posted 04 September 2009 - 01:34 AM

Extremeboy,

Thanks for the insight on ThreatFire. I considered your advice and went ahead and uninstalled it.

Also, thank you for the help so far. I really appreciate your patience and effort.

I ran Kaspersky Online Scanner twice. There were 0 infections in each category. No report to save.


Here are my new DDS logs:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Charlie at 20:51:50.00 on Thu 09/03/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3316.2399 [GMT -5:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
SP: COMODO Defense+ *enabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Charlie\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: PDF-XChange Viewer IE-Plugin: {c5d07eb6-bbce-4dae-acbb-d13a8d28cb1f} - c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\PDFXCviewIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
mRun: [BOC-427] c:\progra~1\comodo\cboclean\BOC427.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
uPolicies-explorer: Start_NotifyNewApps = 1 (0x1)
uPolicies-explorer: NoUserFolderInStartMenu = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249416514360
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246985117006
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\users\charlie\appdata\roaming\mozilla\firefox\profiles\ezw8rad2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\tracker software\pdf-xchange viewer\pdf-viewer\npPDFXCviewNPPlugin.dll
FF - plugin: f:\firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: f:\firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: f:\pdf xchange viewer\pdf-xchange viewer\pdf-viewer\npPDFXCviewNPPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - f:\firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
f:\firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
f:\firefox\greprefs\all.js - pref("media.cache_size", 51200);
f:\firefox\greprefs\all.js - pref("media.ogg.enabled", true);
f:\firefox\greprefs\all.js - pref("media.wave.enabled", true);
f:\firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
f:\firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
f:\firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
f:\firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
f:\firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
f:\firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
f:\firefox\greprefs\all.js - pref("layout.css.dpi", -1);
f:\firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
f:\firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
f:\firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
f:\firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
f:\firefox\greprefs\all.js - pref("geo.enabled", true);
f:\firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
f:\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
f:\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
f:\firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
f:\firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
f:\firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
f:\firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
f:\firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
f:\firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
f:\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
f:\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
f:\firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-23 130936]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-3-5 128888]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-3-5 29520]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
S2 BOCore;BOCore;c:\program files\comodo\cboclean\BOCore.exe [2009-2-7 73464]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-1-5 103936]
S3 sdAuxService;PC Tools Auxiliary Service;f:\spyware doctor\pctsAuxs.exe [2008-12-3 348752]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-09-03 13:04 2,048 a------- c:\windows\system32\tzres.dll
2009-09-02 23:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-09-02 23:44 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-01 16:34 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 16:34 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-01 16:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-15 02:15 <DIR> --d----- c:\programdata\Downloaded Installations
2009-08-15 02:15 <DIR> --d----- c:\progra~2\Downloaded Installations
2009-08-15 02:14 <DIR> --d----- c:\program files\AVG
2009-08-12 16:23 <DIR> --d----- c:\users\charlie\.housecall6.6
2009-08-12 00:43 <DIR> --d----- c:\programdata\IObit
2009-08-12 00:43 <DIR> --d----- c:\progra~2\IObit
2009-08-11 19:50 <DIR> --d----- c:\programdata\SecTaskMan
2009-08-11 19:50 <DIR> --d----- c:\progra~2\SecTaskMan
2009-08-11 19:50 <DIR> --d----- c:\program files\Security Task Manager
2009-08-11 18:29 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-11 18:29 218,624 a------- c:\windows\system32\msv1_0.dll
2009-08-11 18:29 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-11 18:29 270,848 a------- c:\windows\system32\schannel.dll
2009-08-11 18:29 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-08-11 18:29 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-11 18:29 72,704 a------- c:\windows\system32\secur32.dll
2009-08-11 18:29 9,728 a------- c:\windows\system32\lsass.exe
2009-08-11 18:07 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-11 18:07 71,680 a------- c:\windows\system32\atl.dll
2009-08-11 18:07 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-11 18:07 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-11 18:07 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-11 18:06 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-11 18:06 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-11 18:06 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-11 18:06 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-11 18:06 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-11 18:06 18,432 a------- c:\windows\system32\amcompat.tlb

==================== Find3M ====================

2009-09-03 14:25 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-03 14:25 86,016 a------- c:\windows\inf\infstor.dat
2009-09-03 14:25 51,200 a------- c:\windows\inf\infpub.dat
2009-08-30 23:24 179,792 a------- c:\windows\system32\guard32.dll
2009-08-30 23:24 128,888 a------- c:\windows\system32\drivers\cmdguard.sys
2009-08-30 23:24 29,520 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-08-28 21:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 21:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 21:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 21:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-12 11:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-06 19:23 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-21 16:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 16:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 16:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 15:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-05 23:23 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-15 09:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 09:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 09:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 09:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 07:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-14 13:47 174 a--sh--- c:\program files\desktop.ini
2009-06-14 12:38 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-06-14 12:37 82,432 a------- c:\windows\system32\axaltocm.dll
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-12-02 19:04 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-12-02 19:04 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-12-02 19:04 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-02-21 14:50 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 20:52:22.72 ===============

Attached File: Attach3.zip (2.43KB, 9 downloads)

#15 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:06:15 PM

Posted 04 September 2009 - 11:00 AM

Hello.

Log looks good. How's your computer running? Any more symptoms or problems left?

If not, we can cleanup next post.

With Regards,
Extremeboy
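The verdict "Log looks good" above comes from reading the Pseudo HJT Report section of the DDS log: the Run keys, BHOs, toolbars, URL search hooks, Winlogon Notify entries, AppInit_DLLs, the shell-execute hook and the LSA authentication packages, which are the places a persistent infection registers itself. As an added example, not code from this thread or from the DDS tool, the following Python script parses those lines and flags the ones a malware-removal helper looks at first: orphaned "No File" registrations, loaders that enter every process or lsass.exe whose DLL is not on a known-good list, and images living under a user-writable path. The sample lines are copied in form from the log posted above, plus one constructed entry (`example_hook.dll` under a temp path) so that a hit is visible; the known-good list is an assumption made for this example, not a vetted reference.

```python
"""Triage of the persistence entries in a DDS "Pseudo HJT Report".

Added example, not code from this thread or from the DDS tool. It parses the
autostart / hook lines DDS prints (Run keys, BHOs, toolbars, URL search hooks,
Winlogon Notify, AppInit_DLLs, shell-execute hooks, LSA packages) and flags:

  * registrations whose image is "No File" (orphans: harmless, but cleaned up)
  * loaders that enter every process or lsass.exe (AppInit_DLLs, Notify, SEH,
    LSA Authentication Packages) whose DLL is not on a known-good list
  * images that live under a user-writable location

The known-good list and the last sample line are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied in form from the log posted in the thread,
# plus one made-up entry (example_hook.dll) so that a hit is visible.
SAMPLE_LOG = r"""
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: H - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap
Notify: example_hook - c:\users\charlie\appdata\local\temp\example_hook.dll
"""

# Kinds that load a DLL into many processes or into the security subsystem.
SENSITIVE_KINDS = {"AppInit_DLLs", "Notify", "SEH"}

# Assumed known-good list for this example (lowercase base names / package
# names), built from what the posted log shows. Not a vetted reference.
KNOWN_GOOD = {
    "msv1_0", "relog_ap",          # LSA authentication packages on this Vista box
    "igfxdev.dll",                 # Intel graphics Winlogon Notify DLL
    "guard32.dll",                 # COMODO Defense+ via AppInit_DLLs
    "saswinlo.dll", "sasseh.dll",  # SUPERAntiSpyware Notify / shell hook
}

# Path fragments that a normal user account can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\documents and settings\\")


@dataclass
class Entry:
    kind: str    # DDS prefix before the first ": " (uRun, BHO, Notify, ...)
    name: str    # registration name / CLSID as DDS printed it
    image: str   # path, bare DLL name, package list, or "No File"


def parse_line(line: str):
    """Split one DDS line into (kind, name, image); None for lines without a kind."""
    line = line.strip()
    kind, _, rest = line.partition(": ")
    if not rest:
        return None
    rest = rest.strip()
    if kind in ("uRun", "mRun"):
        # uRun: [Name] "c:\path\prog.exe" args   or   mRun: [Name] prog.exe
        m = re.match(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)", rest)
        if not m:
            return None
        cmd = m.group("cmd")
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            image = cmd[1:end] if end > 0 else cmd[1:]
        else:
            image = cmd.split()[0] if cmd else ""
        return Entry(kind, m.group("name"), image)
    if kind == "AppInit_DLLs":
        return Entry(kind, "", rest)
    if kind == "LSA":
        name, _, value = rest.partition(" = ")
        return Entry(kind, name, value)
    # BHO / TB / Notify / SEH / URLSearchHooks / DPF: "<name> - <image>".
    # rpartition keeps a " - " inside the name intact; one inside the path would not be.
    name, sep, image = rest.rpartition(" - ")
    return Entry(kind, name, image) if sep else Entry(kind, "", rest)


def triage(entry: Entry) -> list:
    """Reasons this entry deserves a look before the log is called clean."""
    reasons = []
    image = entry.image.lower()
    if image == "no file":
        return ["orphaned registration (No File): harmless, but worth cleaning up"]
    if entry.kind == "LSA":
        # Every package listed here is loaded into lsass.exe at boot.
        return [f"unknown LSA package {pkg!r} loads inside lsass.exe"
                for pkg in image.split() if pkg not in KNOWN_GOOD]
    if entry.kind in SENSITIVE_KINDS:
        base = image.rsplit("\\", 1)[-1]
        if base not in KNOWN_GOOD:
            reasons.append(f"{entry.kind} loader {base!r} is not on the known-good list")
    if any(tok in image for tok in USER_WRITABLE):
        reasons.append("image lives under a user-writable path")
    return reasons


def triage_log(text: str) -> list:
    """Return [(original line, [reasons])] for every entry that needs attention."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run against the constructed sample it reports the two "No File" orphans from the posted log and the made-up Notify DLL under a temp path, and stays silent on the COMODO, SUPERAntiSpyware and Intel entries. The known-good set is deliberately small and keyed on base names only; a real triage would compare full paths and file hashes, since a malicious DLL can reuse a legitimate name from a different directory.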
