Possible false positive - avast


This topic is locked
20 replies to this topic

#1 cal123

  • Members
  • 10 posts

Posted 02 March 2011 - 02:41 PM

Hello. My antivirus software (latest Avast! Antivirus) gave me a pop-up as I was working on a 2D game in C++ with DirectX last night. When it happened I was copying source code from the main game file into a new source file in a clean version of the folder containing the game files. The program I am working with is called DDEX4 and it is from Microsoft. As I was copying the code over, Avast popped up with a message I did not have enough time to read. It said that a file being accessed from my game (an unknown DLL) was infected with the Spyeyes trojan, I think it was. I thought this was suspicious, because previously I have run full scans with Avast! Antivirus (up to date) and they always came up clean. I decided to do a full scan with Malwarebytes in safe mode and nothing was detected. The next day I scanned with a fully updated Malwarebytes and it came up with a very strange result. It claims LinuxLive USB Creator is infected with Trojan.Clicker; as far as I am aware LinuxLive USB Creator is a safe program as I have used it to put Ubuntu on a flash drive. This has never happened with Avast or Windows Defender.

I have posted the contents of the second Malwarebytes scan log (which was done in normal mode) when it decided to flag Linuxlive USB creator. I am not sure about whether to post a HijackThis log for the first pop up.

My system is fully updated Windows 7 RTM, now with SP1 installed and all the latest security updates.

Here is the Malwarebytes log complaining about Linuxlive:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5935

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

02/03/2011 18:57:39
mbam-log-2011-03-02 (18-57-22).txt

Scan type: Full scan (C:\|)
Objects scanned: 294701
Time elapsed: 28 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files (x86)\linuxlive usb creator\lili usb creator.exe (Trojan.Clicker) -> No action taken.
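The log above is easy to read by eye for a single hit, but the field that matters is the action at the end of the line: "No action taken" means the flagged file is still on disk. As an added example (not from the poster, from Malwarebytes or from this site), the Python below parses a Malwarebytes 1.50-style log into its detail sections and pulls out the detections that were reported but not quarantined, so they can be hashed and compared against the vendor's signed release before anyone decides whether this is a false positive. The sample log is a constructed excerpt modelled on the one in the post; the second detection line is made up to show what a quarantined entry looks like.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the Malwarebytes 1.50 log layout shown in the post.
# The second "Files Infected" line is invented to exercise the action field.
SAMPLE_MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5935

Scan type: Full scan (C:\\|)
Objects scanned: 294701

Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\\program files (x86)\\linuxlive usb creator\\lili usb creator.exe (Trojan.Clicker) -> No action taken.
c:\\users\\admin\\downloads\\setup.exe (PUP.Example) -> Quarantined and deleted successfully.
"""

# A detail-section header is "<Words> Infected:" with nothing after the colon;
# the summary counts ("Files Infected: 1") deliberately do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Z][A-Za-z ]+ Infected):$")
# A detection line is "<path or key> (<detection name>) -> <action>."
# The lazy path group lets "(x86)" inside the path pass through.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {section: [(path_or_key, detection_name, action), ...]}.

    Sections that only contain "(No malicious items detected)" map to [].
    """
    sections: Dict[str, List[Tuple[str, str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("section")
            sections.setdefault(current, [])
            continue
        if current is None or not line or line.startswith("(No malicious"):
            continue
        hit = DETECTION_RE.match(line)
        if hit:
            sections[current].append((hit.group("path"), hit.group("name"), hit.group("action")))
    return sections


def unresolved_detections(text: str) -> List[Tuple[str, str, str]]:
    """Detections the scanner reported but left in place.

    "No action taken" means the file is still there: hash it, check its
    digital signature and compare with the original download before
    treating it as either malware or a false positive.
    """
    pending = []
    for items in parse_mbam_log(text).values():
        for item in items:
            if item[2].lower().startswith("no action taken"):
                pending.append(item)
    return pending
```

A detection under Program Files with "No action taken" is exactly the case to verify rather than delete: compare the file's hash with the installer you originally downloaded, check whether it carries the publisher's signature, and if both check out submit the hash to the scanner vendor as a suspected false positive.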



#2 oneof4

  • Malware Response Team
  • 3,779 posts

Posted 10 March 2011 - 04:57 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System including the Version, Edition and whether it is a 32-bit or a 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Thanks and again sorry for the delay.

Best Regards,
oneof4.


#3 cal123

  • Topic Starter
  • Members
  • 10 posts

Posted 14 March 2011 - 06:11 PM

Hello and thanks for your reply.

My situation has now changed so I thought I should let you know.
Malware causes me great paranoia and anxiety, and every time I see something strange on my computers it sets me off worrying about malicious code.
Since my first post I have fully formatted all partitions and installed Windows 7 64-bit RTM from my original installation DVD.
I now have a new, updated installation with Avast 6.0 and Comodo firewall, updated to SP1 with all current Windows updates installed.
In my Comodo firewall connections log, when I boot Windows up in a normal state, shortly after logging on, my firewall shows connections being made from svchost.exe (outbound UDP) to 192.168.1.255 (I cannot fully remember the address) using port 137/138.
Sometimes I will also see connections from another instance of svchost.exe to 244.0.0.22.
I know these are not internet network addresses; they do not appear to be private IP addresses either. I read somewhere they are to do with host discovery and UPnP. I have used programs from grc.com Shields Up to disable UPnP, DCOM etc. because of their security risks to my computers.
What are these IP addresses, and is there something strange acting without my knowledge, or is it just Microsoft again?
Google did not reveal any information relating to whether these are intentional attacks or Microsoft programs running in the background.

Should I run a scan from DDS and post a log? Or a different program?
I do not like this behaviour.

Many thanks for your response.
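The addresses listed in the post are the kind of thing a host firewall log fills up with right after logon, and the first triage step is to sort destinations by what they can actually reach. As an added example, not part of the thread, the Python below classifies each destination in a firewall log line by address class (the local subnet's directed broadcast, multicast, reserved, private, public) and annotates the well-known Windows discovery ports. The log lines are constructed in a simplified "proto image src -> dst:port" shape, because the Comodo log format itself is not shown in the thread, and the local subnet 192.168.1.0/24 is an assumption. The line with 244.0.0.22 uses the address exactly as the post types it; the classifier reports anything in 240.0.0.0/4 as reserved rather than multicast, which is the cue to re-read the log entry before chasing it.

```python
import ipaddress
import re
from typing import Dict, List

# UDP ports that Windows discovery services send to, keyed to the service.
# Constructed lookup table; extend as your environment needs.
PORT_HINTS = {
    137: "NetBIOS name service (NBNS): host name registration and lookup",
    138: "NetBIOS datagram service: browser/announcement traffic",
    1900: "SSDP: UPnP device discovery",
    5355: "LLMNR: link-local name resolution",
}

# Constructed log lines; the last two are made up to show a reserved-range
# destination (as typed in the post) and one that really leaves the LAN.
SAMPLE_FW_LOG = """\
UDP svchost.exe 192.168.1.10:137 -> 192.168.1.255:137
UDP svchost.exe 192.168.1.10:138 -> 192.168.1.255:138
UDP svchost.exe 192.168.1.10:1900 -> 239.255.255.250:1900
UDP svchost.exe 192.168.1.10:5355 -> 224.0.0.252:5355
UDP svchost.exe 192.168.1.10:53124 -> 244.0.0.22:5355
UDP svchost.exe 192.168.1.10:53125 -> 8.8.8.8:53
"""

LOG_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<image>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_destination(dst: str, dport: int, local_net: ipaddress.IPv4Network) -> str:
    """Describe where a destination can reach. Order matters: the stdlib
    counts 240.0.0.0/4 as both reserved and private, and the subnet
    broadcast address is also a private address, so the more specific
    checks come first."""
    ip = ipaddress.IPv4Address(dst)
    if ip == local_net.broadcast_address:
        kind = f"directed broadcast for {local_net}"
    elif ip == LIMITED_BROADCAST:
        kind = "limited broadcast (255.255.255.255)"
    elif ip.is_multicast:
        kind = "multicast (224.0.0.0/4)"
    elif ip.is_reserved:
        kind = "reserved range (240.0.0.0/4): not routable, check the address for a typo"
    elif ip.is_private:
        kind = "private (RFC 1918) unicast"
    elif ip.is_global:
        kind = "public unicast: this one actually leaves the LAN"
    else:
        kind = "other special-purpose address"
    hint = PORT_HINTS.get(dport)
    return f"{kind}; {hint}" if hint else kind


def triage(log_text: str, local_net: str = "192.168.1.0/24") -> List[Dict[str, str]]:
    """Parse the constructed log shape and attach a verdict to each row."""
    net = ipaddress.ip_network(local_net)
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unknown line shape: leave it for manual review
        verdict = classify_destination(m["dst"], int(m["dport"]), net)
        rows.append({"image": m["image"], "dst": m["dst"], "dport": m["dport"], "verdict": verdict})
    return rows


def leaves_lan(log_text: str, local_net: str = "192.168.1.0/24") -> List[str]:
    """Only destinations that are routable off the LAN are candidates for
    beaconing; broadcast and multicast rows never reach the internet."""
    return [r["dst"] for r in triage(log_text, local_net) if r["verdict"].startswith("public unicast")]
```

192.168.1.255 on UDP 137/138 is the directed broadcast address of a 192.168.1.0/24 subnet, which is where NetBIOS name registration and browser announcements go, and svchost.exe is the expected sender because those services are hosted in it. The rows worth pulling on for command-and-control are the ones that leave the LAN, which is what leaves_lan() isolates; for each of those you would then ask which service inside that svchost.exe instance opened the socket.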

#4 oneof4

  • Malware Response Team
  • 3,779 posts

Posted 14 March 2011 - 09:21 PM

Yes, run DDS per my previous post, and we'll get you into the fast queue.

Best Regards,
oneof4.


#5 cal123

  • Topic Starter
  • Members
  • 10 posts

Posted 15 March 2011 - 10:53 AM

Hello.
Thanks again for your time.

OK I ran DDS and have posted the contents of the log below.
Here it is:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 03/03/2011 20:26:36
System Uptime: 15/03/2011 15:25:15 (0 hours ago)
.
Motherboard: Acer | | JV71TR
Processor: AMD Athlon™ II Dual-Core M300 | Socket S1G3 | 2000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 153 GiB total, 117.223 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP16: 04/03/2011 14:24:28 - Windows 7 Service Pack 1
RP17: 04/03/2011 15:12:24 - Installation
RP18: 04/03/2011 22:51:54 - Installed Star Wars Battlefront II
RP19: 08/03/2011 14:36:07 - Windows Update
RP20: 09/03/2011 07:54:25 - Windows Update
RP21: 15/03/2011 15:29:08 - Windows Update
.
==== Installed Programs ======================
.
Adobe Flash Player 10 Plugin
avast! Free Antivirus
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help English
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB948127)
Hotfix for Microsoft Visual Studio 2008 Remote Debugger Light (x64) - ENU (KB944899)
Java Auto Updater
Java™ 6 Update 24
Microsoft SQL Server 2008 Management Objects
Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual Studio 2008 Remote Debugger Light (x64) - ENU Service Pack 1 (KB945140)
Mozilla Firefox (3.6.15)
OpenOffice.org 3.3
Project64 1.6
SQL Server System CLR Types
Star Wars Battlefront II
.
==== Event Viewer Messages From Past Week ========
.
15/03/2011 15:38:42, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80070422'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
11/03/2011 10:10:52, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147014847
.
==== End Of File ===========================

#6 cal123

  • Topic Starter
  • Members
  • 10 posts

Posted 15 March 2011 - 10:55 AM

Sorry! I made a bad mistake - accidentally pasted the wrong log text!

Here is the text from the log I should have posted first:

.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by Admin at 15:43:59.77 on 15/03/2011
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_24
Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.2814.1866 [GMT 0:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: COMODO Firewall *Enabled* {5F676F4C-DD6D-A47C-12D6-C449366C71EE}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Admin\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
BHO-X64: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
TB-X64: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
mRun-x64: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
AppInit_DLLs-X64: C:\Windows\system32\guard64.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ei9ri0ac.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: CookieSafe: {9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD} - %profile%\extensions\{9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-3-3 505176]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2011-3-3 280408]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\System32\drivers\cmdGuard.sys [2011-1-6 250008]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\System32\drivers\cmdhlp.sys [2011-1-6 39888]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-14 59904]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-1-26 203776]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-1-26 354304]
R2 AMD Reservation Manager;AMD Reservation Manager;C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-6-17 194496]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2011-3-3 22360]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2011-3-3 64344]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-3-3 42184]
R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2011-3-3 46136]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2011-1-26 9085952]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2011-1-26 299520]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2009-6-10 270848]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-3-4 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-3-4 1255736]
.
=============== Created Last 30 ================
.
2011-03-15 15:29:53 7947600 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{0E34B32F-F163-48D2-A087-5833B2F7EC70}\mpengine.dll
2011-03-09 07:54:21 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2011-03-09 07:54:21 723968 ----a-w- C:\Windows\System32\EncDec.dll
2011-03-09 07:54:21 642048 ----a-w- C:\Windows\SysWow64\CPFilters.dll
2011-03-09 07:54:21 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-03-09 07:54:20 850944 ----a-w- C:\Windows\SysWow64\sbe.dll
2011-03-09 07:54:20 259072 ----a-w- C:\Windows\System32\mpg2splt.ax
2011-03-09 07:54:20 199680 ----a-w- C:\Windows\SysWow64\mpg2splt.ax
2011-03-09 07:54:20 1118720 ----a-w- C:\Windows\System32\sbe.dll
2011-03-04 22:51:46 -------- d-----w- C:\Program Files (x86)\LucasArts
2011-03-04 22:47:04 753664 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2011-03-04 22:47:04 69714 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2011-03-04 22:47:04 63488 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ISBEW64.exe
2011-03-04 22:47:04 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2011-03-04 22:47:04 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2011-03-04 22:47:04 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2011-03-04 22:47:04 184320 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2011-03-04 22:46:58 200836 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2011-03-04 22:46:56 331908 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2011-03-04 14:24:41 -------- d-----w- C:\Windows\System32\SPReview
2011-03-04 14:23:42 -------- d-----w- C:\Windows\System32\EventProviders
2011-03-04 14:19:59 3860992 ----a-w- C:\Windows\System32\UIRibbon.dll
2011-03-04 14:18:59 406016 ----a-w- C:\Windows\System32\scesrv.dll
2011-03-04 14:17:59 899584 ----a-w- C:\Windows\System32\Bubbles.scr
2011-03-04 14:16:57 323072 ----a-w- C:\Windows\SysWow64\drvstore.dll
2011-03-04 14:16:57 257024 ----a-w- C:\Windows\SysWow64\dpx.dll
2011-03-04 14:16:53 606208 ----a-w- C:\Windows\SysWow64\wbem\fastprox.dll
2011-03-04 14:16:53 363008 ----a-w- C:\Windows\SysWow64\wbemcomn.dll
2011-03-04 14:15:27 529408 ----a-w- C:\Windows\System32\wbemcomn.dll
2011-03-04 14:15:27 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2011-03-04 14:15:27 1225216 ----a-w- C:\Windows\System32\wbem\wbemcore.dll
2011-03-04 14:15:21 933376 ----a-w- C:\Windows\System32\SmiEngine.dll
2011-03-04 14:15:17 199168 ----a-w- C:\Windows\System32\PkgMgr.exe
2011-03-04 14:15:02 422912 ----a-w- C:\Windows\System32\drvstore.dll
2011-03-04 14:15:02 399872 ----a-w- C:\Windows\System32\dpx.dll
2011-03-04 09:09:54 -------- d--h--w- C:\Windows\msdownld.tmp
2011-03-04 09:09:26 -------- d-----w- C:\Windows\SysWow64\directx
2011-03-04 09:06:51 7947600 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-03-04 04:16:58 -------- d-----w- C:\Windows\Panther
2011-03-04 01:00:49 -------- d-----w- C:\Windows\SysWow64\Wat
2011-03-04 01:00:49 -------- d-----w- C:\Windows\System32\Wat
2011-03-04 00:37:48 294912 ----a-w- C:\Windows\System32\browserchoice.exe
2011-03-04 00:29:35 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-03-04 00:29:35 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-03-04 00:24:32 612864 ----a-w- C:\Windows\System32\vbscript.dll
2011-03-04 00:24:31 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll
2011-03-04 00:24:09 715776 ----a-w- C:\Windows\System32\kerberos.dll
2011-03-04 00:24:09 542208 ----a-w- C:\Windows\SysWow64\kerberos.dll
2011-03-04 00:23:58 321024 ----a-w- C:\Windows\System32\d3d10_1core.dll
2011-03-04 00:23:58 219136 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2011-03-04 00:23:58 197120 ----a-w- C:\Windows\System32\d3d10_1.dll
2011-03-04 00:23:58 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2011-03-04 00:23:18 870912 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-03-04 00:23:18 1465344 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-03-04 00:23:17 475648 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-03-04 00:23:17 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2011-03-04 00:22:49 214016 ----a-w- C:\Windows\System32\winsrv.dll
2011-03-04 00:22:33 3129344 ----a-w- C:\Windows\System32\win32k.sys
2011-03-04 00:18:27 366592 ----a-w- C:\Windows\System32\atmfd.dll
2011-03-04 00:18:26 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
2011-03-04 00:18:26 46080 ----a-w- C:\Windows\System32\atmlib.dll
2011-03-04 00:18:26 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2011-03-04 00:18:26 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2011-03-04 00:18:26 100864 ----a-w- C:\Windows\System32\fontsub.dll
2011-03-03 23:58:42 -------- d-----w- C:\Files restored from backup
2011-03-03 23:42:28 40960 ----a-r- C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2011-03-03 23:42:28 40960 ----a-r- C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2011-03-03 23:42:26 -------- d-----w- C:\Program Files (x86)\Project64 1.6
2011-03-03 23:33:11 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server
2011-03-03 23:32:01 -------- d-----w- C:\Users\Admin\AppData\Local\Microsoft Help
2011-03-03 23:30:11 -------- d-----w- C:\Program Files (x86)\Common Files\Merge Modules
2011-03-03 23:09:41 -------- d-----w- C:\C++
2011-03-03 22:54:09 -------- d-----w- C:\fd83c352153dcb401ead72760852
2011-03-03 22:44:44 -------- d-----w- C:\Windows\System32\appmgmt
2011-03-03 22:30:21 -------- d-----w- C:\Program Files (x86)\OpenOffice.org 3
2011-03-03 22:29:46 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-03-03 21:47:07 -------- d-----w- C:\Users\Admin\AppData\Local\Mozilla
2011-03-03 21:38:41 505176 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2011-03-03 21:38:38 64344 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2011-03-03 21:37:51 40648 ----a-w- C:\Windows\avastSS.scr
2011-03-03 21:37:48 -------- d-----w- C:\Program Files\AVAST Software
2011-03-03 21:37:48 -------- d-----w- C:\PROGRA~3\AVAST Software
2011-03-03 21:03:29 -------- d-----w- C:\Program Files\COMODO
2011-03-03 21:02:47 -------- d-----w- C:\PROGRA~3\Comodo
2011-03-03 20:54:43 -------- d-----w- C:\Users\Admin\AppData\Local\AMD
2011-03-03 20:54:30 -------- d-----w- C:\Users\Admin\AppData\Local\ATI
2011-03-03 20:53:06 0 ----a-w- C:\Windows\ativpsrm.bin
2011-03-03 20:49:38 -------- d-----w- C:\Program Files\Common Files\ATI Technologies
2011-03-03 20:49:38 -------- d-----w- C:\Program Files (x86)\Common Files\ATI Technologies
2011-03-03 20:49:34 -------- d-----w- C:\Program Files (x86)\ATI Stream
2011-03-03 20:49:20 -------- d-----w- C:\PROGRA~3\AMD
2011-03-03 20:49:16 46136 ----a-w- C:\Windows\System32\drivers\amdiox64.sys
2011-03-03 20:48:53 -------- d-----w- C:\Program Files (x86)\ATI Technologies
2011-03-03 20:48:49 -------- d-sh--w- C:\Windows\Installer
2011-03-03 20:48:41 -------- d-----w- C:\Program Files\ATI Technologies
2011-03-03 20:48:37 -------- d-----w- C:\Program Files\ATI
2011-03-03 20:47:40 -------- d-----w- C:\ATI
2011-03-03 20:43:06 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-03-03 20:34:30 -------- d-----w- C:\AMD
.
==================== Find3M ====================
.
2011-03-04 14:32:32 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-03-04 14:32:32 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-01-26 23:37:20 9085952 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-01-26 23:22:18 22295040 ----a-w- C:\Windows\System32\atio6axx.dll
2011-01-26 23:00:44 143360 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-01-26 23:00:30 596480 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-01-26 22:59:46 17204736 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-01-26 22:59:10 708608 ----a-w- C:\Windows\System32\aticfx64.dll
2011-01-26 22:56:30 462848 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-01-26 22:56:14 479232 ----a-w- C:\Windows\System32\atieclxx.exe
2011-01-26 22:55:36 203776 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-01-26 22:54:20 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-01-26 22:54:00 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-01-26 22:53:54 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-01-26 22:53:42 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-01-26 22:53:36 16384 ----a-w- C:\Windows\System32\atimuixx.dll
2011-01-26 22:53:32 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-01-26 22:53:26 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-01-26 22:49:44 4105728 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-01-26 22:40:02 4847616 ----a-w- C:\Windows\System32\atidxx64.dll
2011-01-26 22:32:46 1208320 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-01-26 22:32:12 1912832 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-01-26 22:32:00 3222016 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-01-26 22:28:52 4170752 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-01-26 22:27:52 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-01-26 22:27:50 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-01-26 22:27:42 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-01-26 22:27:40 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-01-26 22:27:30 6982144 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-01-26 22:25:50 5580800 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-01-26 22:24:18 3463680 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-01-26 22:21:58 5316096 ----a-w- C:\Windows\System32\atiumd64.dll
2011-01-26 22:20:46 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-01-26 22:14:14 354304 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-01-26 22:14:08 249856 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-01-26 22:13:56 14848 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-01-26 22:13:52 12800 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-01-26 22:13:52 12800 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-01-26 22:13:50 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-01-26 22:13:42 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-01-26 22:13:32 299520 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-01-26 22:12:46 39936 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-01-26 22:12:40 30720 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-01-26 22:12:32 38400 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-01-26 22:12:24 28672 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-01-26 22:11:46 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-01-26 22:08:46 53760 ----a-w- C:\Windows\System32\atimpc64.dll
2011-01-26 22:08:46 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-01-26 22:08:40 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-01-26 22:08:40 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-01-06 17:37:00 39888 ----a-w- C:\Windows\System32\drivers\cmdhlp.sys
2011-01-06 17:36:58 250008 ----a-w- C:\Windows\System32\drivers\cmdGuard.sys
2011-01-06 17:36:58 14184 ----a-w- C:\Windows\System32\drivers\cmderd.sys
2010-12-29 01:42:04 285480 ----a-w- C:\Windows\SysWow64\guard32.dll
2010-12-29 01:42:02 362784 ----a-w- C:\Windows\System32\guard64.dll
.
============= FINISH: 15:44:34.95 ===============
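The part of the DDS output that carries the most weight in triage is the Pseudo HJT Report: every line there is a load point (browser helper objects, Run keys, AppInit_DLLs, Winlogon), and the question for each one is whether the image path belongs to a product that was knowingly installed. As an added example (not from the poster, from DDS or from this site), the Python below parses that section, pulls the image path out of each entry and buckets entries by whether the path sits under Windows or Program Files. AppInit_DLLs entries are always listed separately, because such a DLL is loaded into every process that loads user32.dll; on this machine guard32.dll and guard64.dll are the installed COMODO firewall's, which is what the check should make you confirm rather than assume. The sample is a constructed excerpt of the log above plus one made-up mRun entry under a user profile, added only to show what an unexpected load point looks like; the trusted-root list is an assumption to adjust per machine.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt in the DDS "Pseudo HJT Report" layout. All lines but the
# "[Updater]" one are taken from the log above; that one is invented.
SAMPLE_HJT = r"""
mWinlogon: Userinit=userinit.exe
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mRun: [Updater] "C:\Users\Admin\AppData\Roaming\updater\svchost.exe" -s
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
AppInit_DLLs-X64: C:\Windows\system32\guard64.dll
"""

# "<kind>[-x64]: <rest>"; the kind prefix tells us how to find the image.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z_]+(?:-[A-Za-z0-9]+)?): (?P<rest>.+)$")
# Run entries: [Name] "quoted path" args   or   [Name] bare\path args
RUN_IMAGE_RE = re.compile(r'^\[[^\]]*\] (?:"(?P<q>[^"]+)"|(?P<b>\S+))')

# Assumed trusted install roots; anything else (AppData, ProgramData, Temp,
# the drive root) is user-writable and deserves a closer look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def extract_image(kind: str, rest: str) -> Optional[str]:
    """Pull the on-disk image path out of one DDS entry, per entry type."""
    base = kind.split("-")[0].lower()  # strips the -x64 / -system suffix
    if base in ("mrun", "urun", "mrunonce", "urunonce"):
        m = RUN_IMAGE_RE.match(rest)
        return (m.group("q") or m.group("b")) if m else None
    if base in ("bho", "tb", "ssodl", "shellexecutehooks"):
        # "<name>: {CLSID} - <path>": the path follows the last " - "
        return rest.rsplit(" - ", 1)[1] if " - " in rest else None
    if base == "appinit_dlls":
        return rest
    return None  # policies, Winlogon values etc. are reviewed separately


def parse_hjt(text: str) -> List[Dict[str, Optional[str]]]:
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m["kind"], m["rest"]
        entries.append({"kind": kind, "raw": rest, "image": extract_image(kind, rest)})
    return entries


def is_trusted_path(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def review_load_points(text: str) -> Dict[str, List[str]]:
    """Bucket load points for manual review.

    untrusted_path: image outside Windows/Program Files (look at these first)
    appinit:        AppInit_DLLs entries, always listed, tie each to a product
    ok:             image under a trusted root (still confirm it is signed)
    """
    report: Dict[str, List[str]] = {"untrusted_path": [], "appinit": [], "ok": []}
    for e in parse_hjt(text):
        img = e["image"]
        if img is None:
            continue
        if e["kind"].lower().startswith("appinit_dlls"):
            report["appinit"].append(img)
        elif not is_trusted_path(img):
            report["untrusted_path"].append(f'{e["kind"]}: {img}')
        else:
            report["ok"].append(img)
    return report
```

The bucket names are the triage order: untrusted_path first (a binary named like a system executable living under AppData is the classic autostart pattern), appinit second, and ok only after confirming those paths exist and carry the expected publisher signature. The mPolicies line is left for a separate check; ConsentPromptBehaviorAdmin = 5 is the Windows 7 default of prompting only for non-Windows binaries.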

#7 gringo_pr

  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts

Posted 16 March 2011 - 11:22 AM

Hello

My name is gringo and I will be helping you from this point forward.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes unless I tell you to.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

If you have not done so, please click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Here is the first thing I would like you to do.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", please restart the computer.

Information and logs

In your next post I need the following:

  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.

My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate of Malware Removal University
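
The ComboFix log requested above dumps the registry autostart locations under a "Reg Loading Points" heading (Run keys, the AppInit_DLLs value, the UAC ConsentPromptBehavior policy values) just before the service list. The Python below is an added example for this thread; it is not ComboFix code and not anything the poster or the helper supplied. It parses that section and flags the entries an analyst checks first. The sample log is constructed to mimic the format: the "updater" entry is invented to exercise the suspicious-path rule, and the heuristics (user-writable directories, imitated system process names, a UAC admin prompt level of 0) are assumptions about what deserves a look, not a verdict on any machine.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's REGEDIT4-style format. The "updater" entry
# is invented so that the suspicious-path rule has something to flag.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-26 336384]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
"updater"="c:\users\Admin\AppData\Local\Temp\svchost.exe" [2011-03-10 51200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
R2 MMCSS;Multimedia Class Scheduler;c:\windows\system32\svchost.exe [2009-07-14 27136]
"""

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
# "name"=value or @=value; ComboFix's trailing " [date size]" is dropped
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|@)\s*=\s*(?P<value>.*?)(?:\s+\[[^\]]*\])?\s*$')
SERVICE_LINE_RE = re.compile(r"^[RS][0-4] \S+;")  # the service list ends the registry dump

# Assumed heuristics: directories an autostart binary should not normally live in,
# and system process names commonly imitated outside the Windows system directories.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\", "\\programdata\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
WIN7_UAC_ADMIN_DEFAULT = 5  # prompt for consent for non-Windows binaries


@dataclass
class Finding:
    level: str   # "suspicious" or "review"
    key: str
    name: str
    value: str
    reason: str


def parse_loading_points(log_text):
    """Return {registry key: {value name: raw value}} for the Reg Loading Points section."""
    entries, key, in_section = {}, None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if SERVICE_LINE_RE.match(line):
            break
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            entries.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries[key][m.group("name") or "@"] = m.group("value").strip()
    return entries


def _int_value(value):
    m = re.match(r"^(\d+)", value)   # ComboFix prints DWORDs as "5 (0x5)"
    return int(m.group(1)) if m else None


def triage(entries):
    """Apply the heuristics above; findings come back in log order."""
    findings = []
    for key, values in entries.items():
        lkey = key.lower()
        for name, value in values.items():
            path = value.strip('"').lower()
            if lkey.endswith(("\\run", "\\runonce")):
                exe = path.rsplit("\\", 1)[-1]
                if any(d in path for d in USER_WRITABLE):
                    findings.append(Finding("suspicious", key, name, value,
                                            "autostart from a user-writable directory"))
                elif exe in SYSTEM_NAMES and "\\system32\\" not in path and "\\syswow64\\" not in path:
                    findings.append(Finding("suspicious", key, name, value,
                                            "system process name outside the system directories"))
                else:
                    findings.append(Finding("review", key, name, value,
                                            "autostart entry; confirm the file's publisher and signature"))
            elif name.lower() == "appinit_dlls" and path:
                findings.append(Finding("review", key, name, value,
                                        "AppInit_DLLs is loaded into every process that loads user32.dll; "
                                        "confirm the DLL belongs to installed software"))
            elif name == "ConsentPromptBehaviorAdmin" and _int_value(value) == 0:
                findings.append(Finding("suspicious", key, name, value,
                                        "UAC elevates without prompting (Windows 7 default is %d)"
                                        % WIN7_UAC_ADMIN_DEFAULT))
    return findings


if __name__ == "__main__":
    for f in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{f.level:10} {f.name:22} {f.value}\n           {f.reason}")
```

On the sample, the two vendor Run entries and the AppInit_DLLs value come back as "review" and only the invented Temp-directory entry as "suspicious". In the log posted later in this thread the AppInit_DLLs value is guard32.dll, created alongside the COMODO drivers and consistent with the COMODO firewall ComboFix reports as installed; the check still fires on purpose, because any DLL in that value is injected into every GUI process and confirming that it belongs to installed software is the analyst's call, not the parser's.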

#8 cal123

  • Topic Starter
  • Members
  • 10 posts

Posted 16 March 2011 - 02:13 PM

Hello.

I ran ComboFix. And I have a log.

However, I proceeded to disable my antivirus protection and run the ComboFix file, and it came up with a message saying "incompatible OS - Win32 only".
But when I agreed to the ComboFix disclaimer it continued to run and the scan went fine.
My operating system is Windows 7 Professional x64 edition. I am guessing ComboFix ran in Windows 64-bit's 32-bit emulated environment, as it still continued to run. But I have the log and the scan was OK even if my machine is 64-bit.

Here is the ComboFix log you requested:

ComboFix 11-03-16.01 - Admin 16/03/2011 18:57:03.1.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.2814.1899 [GMT 0:00]
Running from: c:\users\Admin\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: COMODO Firewall *Enabled* {5F676F4C-DD6D-A47C-12D6-C449366C71EE}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Calum\PlatinumArtsSandbox2.6.1Windows.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-16 to 2011-03-16 )))))))))))))))))))))))))))))))
.
.
2011-03-16 19:01 . 2011-03-16 19:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-15 15:29 . 2011-02-23 09:34 7947600 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0E34B32F-F163-48D2-A087-5833B2F7EC70}\mpengine.dll
2011-03-09 07:54 . 2010-12-23 10:42 961024 ----a-w- c:\windows\system32\CPFilters.dll
2011-03-09 07:54 . 2010-12-23 10:42 723968 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 07:54 . 2010-12-23 05:54 642048 ----a-w- c:\windows\SysWow64\CPFilters.dll
2011-03-09 07:54 . 2010-12-23 05:54 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-03-09 07:54 . 2010-12-23 10:42 1118720 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 07:54 . 2010-12-23 10:36 259072 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 07:54 . 2010-12-23 05:54 850944 ----a-w- c:\windows\SysWow64\sbe.dll
2011-03-09 07:54 . 2010-12-23 05:50 199680 ----a-w- c:\windows\SysWow64\mpg2splt.ax
2011-03-04 22:52 . 2011-03-04 22:52 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
2011-03-04 22:51 . 2011-03-04 22:51 -------- d-----w- c:\program files (x86)\LucasArts
2011-03-04 22:46 . 2011-03-04 22:46 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
2011-03-04 14:24 . 2011-03-04 14:24 -------- d-----w- c:\windows\system32\SPReview
2011-03-04 14:23 . 2011-03-04 14:23 -------- d-----w- c:\windows\system32\EventProviders
2011-03-04 14:19 . 2010-11-20 13:33 299392 ----a-w- c:\windows\system32\mcupdate_GenuineIntel.dll
2011-03-04 14:18 . 2010-11-20 13:27 243200 ----a-w- c:\windows\system32\wow64.dll
2011-03-04 14:17 . 2010-11-20 13:27 182784 ----a-w- c:\windows\system32\WUDFPlatform.dll
2011-03-04 14:16 . 2010-11-20 12:18 323072 ----a-w- c:\windows\SysWow64\drvstore.dll
2011-03-04 14:16 . 2010-11-20 12:18 257024 ----a-w- c:\windows\SysWow64\dpx.dll
2011-03-04 14:16 . 2010-11-20 12:21 363008 ----a-w- c:\windows\SysWow64\wbemcomn.dll
2011-03-04 14:16 . 2010-11-20 12:19 606208 ----a-w- c:\windows\SysWow64\wbem\fastprox.dll
2011-03-04 14:15 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-03-04 14:15 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
2011-03-04 14:15 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2011-03-04 14:15 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll
2011-03-04 14:15 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe
2011-03-04 14:15 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll
2011-03-04 14:15 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
2011-03-04 09:09 . 2011-03-04 09:18 -------- d--h--w- c:\windows\msdownld.tmp
2011-03-04 04:16 . 2011-03-03 20:26 -------- d-----w- c:\windows\Panther
2011-03-04 01:00 . 2011-03-04 01:00 -------- d-----w- c:\windows\SysWow64\Wat
2011-03-04 01:00 . 2011-03-04 01:00 -------- d-----w- c:\windows\system32\Wat
2011-03-04 00:37 . 2010-02-23 08:16 294912 ----a-w- c:\windows\system32\browserchoice.exe
2011-03-04 00:29 . 2011-01-07 09:51 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-03-04 00:29 . 2011-01-07 06:01 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-03-04 00:24 . 2011-01-05 10:34 612864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-04 00:24 . 2011-01-05 05:55 428032 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-03-04 00:24 . 2010-12-17 11:40 715776 ----a-w- c:\windows\system32\kerberos.dll
2011-03-04 00:24 . 2010-12-17 07:07 542208 ----a-w- c:\windows\SysWow64\kerberos.dll
2011-03-04 00:23 . 2011-01-17 11:09 197120 ----a-w- c:\windows\system32\d3d10_1.dll
2011-03-04 00:23 . 2011-01-17 05:47 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2011-03-04 00:23 . 2010-11-20 13:26 321024 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-03-04 00:23 . 2010-11-20 12:18 219136 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2011-03-03 23:42 . 2011-03-03 23:42 -------- d-----w- c:\program files (x86)\Project64 1.6
2011-03-03 23:38 . 2011-03-03 23:38 -------- d-----w- c:\windows\SysWow64\Macromed
2011-03-03 23:33 . 2011-03-03 23:33 -------- d-----w- c:\program files (x86)\Microsoft SQL Server
2011-03-03 23:30 . 2011-03-03 23:30 -------- d-----w- c:\program files (x86)\Microsoft.NET
2011-03-03 23:30 . 2011-03-03 23:32 -------- d-----w- c:\programdata\Microsoft Help
2011-03-03 23:30 . 2011-03-03 23:31 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 9.0
2011-03-03 23:30 . 2011-03-03 23:30 -------- d-----w- c:\program files (x86)\Common Files\Merge Modules
2011-03-03 23:29 . 2011-03-03 23:29 -------- d-----w- c:\program files\Microsoft SDKs
2011-03-03 23:29 . 2011-03-03 23:29 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2011-03-03 23:09 . 2011-03-13 17:59 -------- d-----w- C:\C++
2011-03-03 22:54 . 2011-03-03 22:54 -------- d-----w- C:\fd83c352153dcb401ead72760852
2011-03-03 22:48 . 2011-03-03 22:48 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-03-03 22:47 . 2011-03-03 22:47 -------- d-----w- c:\program files (x86)\Java
2011-03-03 22:47 . 2011-03-03 22:47 -------- d-----w- c:\programdata\McAfee
2011-03-03 22:44 . 2011-03-03 22:44 -------- d-----w- c:\windows\system32\appmgmt
2011-03-03 22:36 . 2011-03-16 19:01 -------- d-----w- c:\users\Calum
2011-03-03 22:30 . 2011-03-03 22:30 -------- d-----w- c:\program files (x86)\OpenOffice.org 3
2011-03-03 22:29 . 2011-03-03 22:47 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-03-03 21:38 . 2011-02-23 14:57 280408 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-03-03 21:38 . 2011-02-23 14:54 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-03-03 21:38 . 2011-02-23 14:55 53592 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-03-03 21:38 . 2011-02-23 14:55 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-03-03 21:38 . 2011-02-23 14:57 505176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-03 21:38 . 2011-02-23 15:04 238968 ----a-w- c:\windows\system32\aswBoot.exe
2011-03-03 21:38 . 2011-02-23 14:55 64344 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-03-03 21:37 . 2011-02-23 15:04 40648 ----a-w- c:\windows\avastSS.scr
2011-03-03 21:37 . 2011-02-23 15:04 190016 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-03-03 21:37 . 2011-03-03 21:37 -------- d-----w- c:\programdata\AVAST Software
2011-03-03 21:37 . 2011-03-03 21:37 -------- d-----w- c:\program files\AVAST Software
2011-03-03 21:03 . 2011-03-03 21:03 -------- d-----w- c:\program files\COMODO
2011-03-03 21:02 . 2011-03-03 21:09 -------- d-----w- c:\programdata\Comodo
2011-03-03 20:54 . 2011-03-03 20:54 -------- d-----w- c:\programdata\ATI
2011-03-03 20:53 . 2011-03-03 20:53 0 ----a-w- c:\windows\ativpsrm.bin
2011-03-03 20:49 . 2011-03-03 20:49 -------- d-----w- c:\program files\Common Files\ATI Technologies
2011-03-03 20:49 . 2011-03-03 20:49 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies
2011-03-03 20:49 . 2011-03-03 20:49 -------- d-----w- c:\program files (x86)\ATI Stream
2011-03-03 20:49 . 2011-03-03 20:49 -------- d-----w- c:\programdata\AMD
2011-03-03 20:49 . 2010-02-18 09:18 46136 ----a-w- c:\windows\system32\drivers\amdiox64.sys
2011-03-03 20:48 . 2011-03-03 20:48 -------- d-----w- c:\program files (x86)\ATI Technologies
2011-03-03 20:48 . 2011-03-03 23:42 -------- d-sh--w- c:\windows\Installer
2011-03-03 20:48 . 2011-03-03 20:49 -------- d-----w- c:\program files\ATI Technologies
2011-03-03 20:48 . 2011-03-03 20:48 -------- d-----w- c:\program files\ATI
2011-03-03 20:47 . 2011-03-03 20:47 -------- d-----w- C:\ATI
2011-03-03 20:43 . 2011-02-02 17:11 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-03-03 20:34 . 2011-03-03 20:34 -------- d-----w- C:\AMD
2011-03-03 20:26 . 2011-03-04 13:49 -------- d-----w- c:\users\Admin
2011-03-03 20:26 . 2011-03-03 20:26 -------- d-----w- C:\Recovery
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-04 14:32 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-03-04 14:32 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-01-26 23:37 . 2011-01-26 23:37 9085952 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-01-26 23:22 . 2011-01-26 23:22 22295040 ----a-w- c:\windows\system32\atio6axx.dll
2011-01-26 23:00 . 2011-01-26 23:00 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2011-01-26 23:00 . 2011-01-26 23:00 596480 ----a-w- c:\windows\SysWow64\aticfx32.dll
2011-01-26 22:59 . 2011-01-26 22:59 17204736 ----a-w- c:\windows\SysWow64\atioglxx.dll
2011-01-26 22:59 . 2011-01-26 22:59 708608 ----a-w- c:\windows\system32\aticfx64.dll
2011-01-26 22:56 . 2011-01-26 22:56 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-01-26 22:56 . 2011-01-26 22:56 479232 ----a-w- c:\windows\system32\atieclxx.exe
2011-01-26 22:55 . 2011-01-26 22:55 203776 ----a-w- c:\windows\system32\atiesrxx.exe
2011-01-26 22:54 . 2011-01-26 22:54 120320 ----a-w- c:\windows\system32\atitmm64.dll
2011-01-26 22:54 . 2011-01-26 22:54 423424 ----a-w- c:\windows\system32\atipdl64.dll
2011-01-26 22:53 . 2011-01-26 22:53 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2011-01-26 22:53 . 2011-01-26 22:53 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2011-01-26 22:53 . 2011-01-26 22:53 16384 ----a-w- c:\windows\system32\atimuixx.dll
2011-01-26 22:53 . 2011-01-26 22:53 59392 ----a-w- c:\windows\system32\atiedu64.dll
2011-01-26 22:53 . 2011-01-26 22:53 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2011-01-26 22:49 . 2011-01-26 22:49 4105728 ----a-w- c:\windows\SysWow64\atidxx32.dll
2011-01-26 22:40 . 2011-01-26 22:40 4847616 ----a-w- c:\windows\system32\atidxx64.dll
2011-01-26 22:32 . 2011-01-26 22:32 1208320 ----a-w- c:\windows\system32\atiumd6v.dll
2011-01-26 22:32 . 2011-01-26 22:32 1912832 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2011-01-26 22:32 . 2011-01-26 22:32 3222016 ----a-w- c:\windows\system32\atiumd6a.dll
2011-01-26 22:28 . 2011-01-26 22:28 4170752 ----a-w- c:\windows\SysWow64\atiumdag.dll
2011-01-26 22:27 . 2011-01-26 22:27 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2011-01-26 22:27 . 2011-01-26 22:27 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2011-01-26 22:27 . 2011-01-26 22:27 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2011-01-26 22:27 . 2011-01-26 22:27 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2011-01-26 22:27 . 2011-01-26 22:27 6982144 ----a-w- c:\windows\system32\aticaldd64.dll
2011-01-26 22:25 . 2011-01-26 22:25 5580800 ----a-w- c:\windows\SysWow64\aticaldd.dll
2011-01-26 22:24 . 2011-01-26 22:24 3463680 ----a-w- c:\windows\SysWow64\atiumdva.dll
2011-01-26 22:21 . 2011-01-26 22:21 5316096 ----a-w- c:\windows\system32\atiumd64.dll
2011-01-26 22:20 . 2011-01-26 22:20 58880 ----a-w- c:\windows\system32\coinst.dll
2011-01-26 22:14 . 2011-01-26 22:14 354304 ----a-w- c:\windows\system32\atiadlxx.dll
2011-01-26 22:14 . 2011-01-26 22:14 249856 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2011-01-26 22:13 . 2011-01-26 22:13 14848 ----a-w- c:\windows\system32\atig6pxx.dll
2011-01-26 22:13 . 2011-01-26 22:13 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2011-01-26 22:13 . 2011-01-26 22:13 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2011-01-26 22:13 . 2011-01-26 22:13 39936 ----a-w- c:\windows\system32\atig6txx.dll
2011-01-26 22:13 . 2011-01-26 22:13 32768 ----a-w- c:\windows\SysWow64\atigktxx.dll
2011-01-26 22:13 . 2011-01-26 22:13 299520 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-01-26 22:12 . 2011-01-26 22:12 39936 ----a-w- c:\windows\system32\atiuxp64.dll
2011-01-26 22:12 . 2011-01-26 22:12 30720 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2011-01-26 22:12 . 2011-01-26 22:12 38400 ----a-w- c:\windows\system32\atiu9p64.dll
2011-01-26 22:12 . 2011-01-26 22:12 28672 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2011-01-26 22:11 . 2011-01-26 22:11 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-01-26 22:08 . 2011-01-26 22:08 53760 ----a-w- c:\windows\system32\atimpc64.dll
2011-01-26 22:08 . 2011-01-26 22:08 53760 ----a-w- c:\windows\system32\amdpcom64.dll
2011-01-26 22:08 . 2011-01-26 22:08 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
2011-01-26 22:08 . 2011-01-26 22:08 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2011-01-06 17:37 . 2011-01-06 17:37 89840 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-01-06 17:37 . 2011-01-06 17:37 39888 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-01-06 17:36 . 2011-01-06 17:36 250008 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-01-06 17:36 . 2011-01-06 17:36 14184 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-12-29 01:42 . 2010-12-29 01:42 285480 ----a-w- c:\windows\SysWow64\guard32.dll
2010-12-29 01:42 . 2010-12-29 01:42 362784 ----a-w- c:\windows\system32\guard64.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SharingPrivate]
@="{08244EE6-92F0-47f2-9FC9-929BAA2E7235}"
[HKEY_CLASSES_ROOT\CLSID\{08244EE6-92F0-47f2-9FC9-929BAA2E7235}]
2010-11-20 12:20 442880 ----a-w- c:\windows\System32\ntshrui.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-26 336384]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EFS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Power]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcEptMapper]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
.
R2 MMCSS;Multimedia Class Scheduler;c:\windows\system32\svchost.exe [2009-07-14 27136]
R2 sppsvc;Software Protection;c:\windows\system32\sppsvc.exe [x]
R3 1394ohci;1394 OHCI Compliant Host Controller;c:\windows\system32\drivers\1394ohci.sys [x]
R3 AcpiPmi;ACPI Power Meter Driver;c:\windows\system32\drivers\acpipmi.sys [x]
R3 adp94xx;adp94xx;c:\windows\system32\DRIVERS\adp94xx.sys [x]
R3 adpahci;adpahci;c:\windows\system32\DRIVERS\adpahci.sys [x]
R3 amdsata;amdsata;c:\windows\system32\drivers\amdsata.sys [x]
R3 amdsbs;amdsbs;c:\windows\system32\DRIVERS\amdsbs.sys [x]
R3 AppID;AppID Driver;c:\windows\system32\drivers\appid.sys [x]
R3 AppIDSvc;Application Identity;c:\windows\system32\svchost.exe [2009-07-14 27136]
R3 arcsas;arcsas;c:\windows\system32\DRIVERS\arcsas.sys [x]
R3 b06bdrv;Broadcom NetXtreme II VBD;c:\windows\system32\DRIVERS\bxvbda.sys [x]
R3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60a.sys [x]
R3 BDESVC;BitLocker Drive Encryption Service;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;c:\windows\system32\DRIVERS\BrFiltLo.sys [x]
R3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;c:\windows\system32\DRIVERS\BrFiltUp.sys [x]
R3 Brserid;Brother MFC Serial Port Interface Driver (WDM);c:\windows\System32\Drivers\Brserid.sys [x]
R3 BrSerWdm;Brother WDM Serial driver;c:\windows\System32\Drivers\BrSerWdm.sys [x]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\System32\Drivers\BrUsbMdm.sys [x]
R3 CertPropSvc;Certificate Propagation;c:\windows\system32\svchost.exe [2009-07-14 27136]
R3 circlass;Consumer IR Devices;c:\windows\system32\DRIVERS\circlass.sys [x]
R3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-06-10 89920]
R3 defragsvc;Disk Defragmenter;c:\windows\system32\svchost.exe [2009-07-14 27136]
R3 ebdrv;Broadcom NetXtreme II 10 GigE VBD;c:\windows\system32\DRIVERS\evbda.sys [x]
R3 elxstor;elxstor;c:\windows\system32\DRIVERS\elxstor.sys [x]
R3 Filetrace;Filetrace;c:\windows\system32\drivers\filetrace.sys [x]
R3 FsDepends;File System Dependency Minifilter;c:\windows\system32\drivers\FsDepends.sys [x]
R3 hcw85cir;Hauppauge Consumer Infrared Receiver;c:\windows\system32\drivers\hcw85cir.sys [x]
R3 HpSAMD;HpSAMD;c:\windows\system32\drivers\HpSAMD.sys [x]
R3 iaStorV;Intel RAID Controller Windows 7;c:\windows\system32\drivers\iaStorV.sys [x]
R3 IPBusEnum;PnP-X IP Bus Enumerator;c:\windows\system32\svchost.exe [2009-07-14 27136]
R3 IPMIDRV;IPMIDRV;c:\windows\system32\drivers\IPMIDrv.sys [x]
R3 iScsiPrt;iScsiPort Driver;c:\windows\system32\drivers\msiscsi.sys [x]
R3 KtmRm;KtmRm for Distributed Transaction Coordinator;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 lltdsvc;Link-Layer Topology Discovery Mapper;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 LSI_FC;LSI_FC;c:\windows\system32\DRIVERS\lsi_fc.sys [x]
R3 LSI_SAS;LSI_SAS;c:\windows\system32\DRIVERS\lsi_sas.sys [x]
R3 LSI_SAS2;LSI_SAS2;c:\windows\system32\DRIVERS\lsi_sas2.sys [x]
R3 LSI_SCSI;LSI_SCSI;c:\windows\system32\DRIVERS\lsi_scsi.sys [x]
R3 megasas;megasas;c:\windows\system32\DRIVERS\megasas.sys [x]
R3 mpio;Microsoft Multi-Path Bus Driver;c:\windows\system32\drivers\mpio.sys [x]
R3 msdsm;Microsoft Multi-Path Device Specific Module;c:\windows\system32\drivers\msdsm.sys [x]
R3 mshidkmdf;Pass-through HID to KMDF Filter Driver;c:\windows\System32\drivers\mshidkmdf.sys [x]
R3 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\svchost.exe [2009-07-14 27136]
R3 MsRPC;MsRPC; [x]
R3 MTConfig;Microsoft Input Configuration Driver;c:\windows\system32\DRIVERS\MTConfig.sys [x]
R3 NdisCap;NDIS Capture LightWeight Filter;c:\windows\system32\DRIVERS\ndiscap.sys [x]
R3 nfrd960;nfrd960;c:\windows\system32\DRIVERS\nfrd960.sys [x]
R3 nvstor;nvstor;c:\windows\system32\drivers\nvstor.sys [x]
R3 PeerDistSvc;BranchCache;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 PerfHost;Performance Counter DLL Host;c:\windows\SysWow64\perfhost.exe [2009-07-14 20992]
R3 pla;Performance Logs & Alerts;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 PNRPAutoReg;PNRP Machine Name Publication Service;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 ql2300;ql2300;c:\windows\system32\DRIVERS\ql2300.sys [x]
R3 ql40xx;ql40xx;c:\windows\system32\DRIVERS\ql40xx.sys [x]
R3 s3cap;s3cap;c:\windows\system32\drivers\vms3cap.sys [x]
R3 scfilter;Smart card PnP Class Filter Driver;c:\windows\system32\DRIVERS\scfilter.sys [x]
R3 SCPolicySvc;Smart Card Removal Policy;c:\windows\system32\svchost.exe [2009-07-14 27136]
R3 SDRSVC;Windows Backup;c:\windows\system32\svchost.exe [2009-07-14 27136]
R3 SensrSvc;Adaptive Brightness;c:\windows\system32\svchost.exe [2009-07-14 27136]
R3 SessionEnv;Remote Desktop Configuration;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 sffp_mmc;SFF Storage Protocol Driver for MMC;c:\windows\system32\drivers\sffp_mmc.sys [x]
R3 SiSRaid4;SiSRaid4;c:\windows\system32\DRIVERS\sisraid4.sys [x]
R3 Smb;Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session);c:\windows\system32\DRIVERS\smb.sys [x]
R3 sppuinotify;SPP Notification Service;c:\windows\system32\svchost.exe [2009-07-14 27136]
R3 stexstor;stexstor;c:\windows\system32\DRIVERS\stexstor.sys [x]
R3 StorSvc;Storage Service;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 storvsc;storvsc;c:\windows\system32\drivers\storvsc.sys [x]
R3 TabletInputService;Tablet PC Input Service;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 TBS;TPM Base Services;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 THREADORDER;Thread Ordering Server;c:\windows\system32\svchost.exe [2009-07-14 27136]
R3 TrustedInstaller;Windows Modules Installer;c:\windows\servicing\TrustedInstaller.exe [2010-11-20 194048]
R3 tssecsrv;Remote Desktop Services Security Filter Driver;c:\windows\system32\DRIVERS\tssecsrv.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 UI0Detect;Interactive Services Detection;c:\windows\system32\UI0Detect.exe [x]
R3 uliagpkx;Uli AGP Bus Filter;c:\windows\system32\drivers\uliagpkx.sys [x]
R3 UmRdpService;Remote Desktop Services UserMode Port Redirector;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 usbcir;eHome Infrared Receiver (USBCIR);c:\windows\system32\drivers\usbcir.sys [x]
R3 VaultSvc;Credential Manager;c:\windows\system32\lsass.exe [x]
R3 vhdmp;vhdmp;c:\windows\system32\drivers\vhdmp.sys [x]
R3 VMBusHID;VMBusHID;c:\windows\system32\drivers\VMBusHID.sys [x]
R3 vsmraid;vsmraid;c:\windows\system32\DRIVERS\vsmraid.sys [x]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\DRIVERS\wacompen.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 wbengine;Block Level Backup Engine Service;c:\windows\system32\wbengine.exe [x]
R3 WbioSrvc;Windows Biometric Service;c:\windows\system32\svchost.exe [2009-07-14 27136]
R3 wcncsvc;Windows Connect Now - Config Registrar;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 WcsPlugInService;Windows Color System;c:\windows\system32\svchost.exe [2009-07-14 27136]
R3 Wd;Wd;c:\windows\system32\DRIVERS\wd.sys [x]
R3 Wecsvc;Windows Event Collector;c:\windows\system32\svchost.exe [2009-07-14 27136]
R3 wercplsupport;Problem Reports and Solutions Control Panel Support;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 WerSvc;Windows Error Reporting Service;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 WIMMount;WIMMount;c:\windows\system32\drivers\wimmount.sys [2009-07-14 22096]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 WPCSvc;Parental Controls;c:\windows\system32\svchost.exe [2009-07-14 27136]
R3 WPDBusEnum;Portable Device Enumerator Service;c:\windows\system32\svchost.exe [2009-07-14 27136]
R3 WwanSvc;WWAN AutoConfig;c:\windows\system32\svchost.exe [2009-07-14 27136]
R4 Mcx2Svc;Media Center Extender Service;c:\windows\system32\svchost.exe [2009-07-14 27136]
S0 amdxata;amdxata;c:\windows\system32\drivers\amdxata.sys [x]
S0 CLFS;Common Log (CLFS);c:\windows\System32\CLFS.sys [x]
S0 CNG;CNG;c:\windows\System32\Drivers\cng.sys [x]
S0 FileInfo;File Information FS MiniFilter;c:\windows\system32\drivers\fileinfo.sys [x]
S0 fvevol;Bitlocker Drive Encryption Filter Driver;c:\windows\System32\DRIVERS\fvevol.sys [x]
S0 hwpolicy;Hardware Policy Driver;c:\windows\System32\drivers\hwpolicy.sys [x]
S0 KSecPkg;KSecPkg;c:\windows\System32\Drivers\ksecpkg.sys [x]
S0 msahci;msahci;c:\windows\system32\drivers\msahci.sys [x]
S0 msisadrv;msisadrv;c:\windows\system32\drivers\msisadrv.sys [x]
S0 pcw;Performance Counters for Windows Driver;c:\windows\System32\drivers\pcw.sys [x]
S0 rdyboost;ReadyBoost;c:\windows\System32\drivers\rdyboost.sys [x]
S0 spldr;Security Processor Loader Driver; [x]
S0 storflt;Disk Virtual Machine Bus Acceleration Filter Driver;c:\windows\system32\drivers\vmstorfl.sys [x]
S0 vdrvroot;Microsoft Virtual Drive Enumerator Driver;c:\windows\system32\drivers\vdrvroot.sys [x]
S0 vmbus;Virtual Machine Bus;c:\windows\system32\drivers\vmbus.sys [x]
S0 volmgr;Volume Manager Driver;c:\windows\system32\drivers\volmgr.sys [x]
S0 volmgrx;Dynamic Volume Manager;c:\windows\System32\drivers\volmgrx.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 blbdrive;blbdrive;c:\windows\system32\DRIVERS\blbdrive.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
S1 CSC;Offline Files Driver;c:\windows\system32\drivers\csc.sys [x]
S1 DfsC;DFS Namespace Client Driver;c:\windows\system32\Drivers\dfsc.sys [x]
S1 discache;System Attribute Cache;c:\windows\system32\drivers\discache.sys [x]
S1 nsiproxy;NSI proxy service driver.;c:\windows\system32\drivers\nsiproxy.sys [x]
S1 RDPENCDD;RDP Encoder Mirror Driver;c:\windows\system32\drivers\rdpencdd.sys [x]
S1 RDPREFMP;Reflector Display Driver used to gain access to graphics data;c:\windows\system32\drivers\rdprefmp.sys [x]
S1 tdx;NetIO Legacy TDI Support Driver;c:\windows\system32\DRIVERS\tdx.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S1 Wanarpv6;Remote Access IPv6 ARP Driver;c:\windows\system32\DRIVERS\wanarp.sys [x]
S1 WfpLwf;WFP Lightweight Filter;c:\windows\system32\DRIVERS\wfplwf.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-01-26 354304]
S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 AudioEndpointBuilder;Windows Audio Endpoint Builder;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 BFE;Base Filtering Engine;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 CscService;Offline Files;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 DPS;Diagnostic Policy Service;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 FDResPub;Function Discovery Resource Publication;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 gpsvc;Group Policy Client;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 IKEEXT;IKE and AuthIP IPsec Keying Modules;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 iphlpsvc;IP Helper;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 lltdio;Link-Layer Topology Discovery Mapper I/O Driver;c:\windows\system32\DRIVERS\lltdio.sys [x]
S2 luafv;UAC File Virtualization;c:\windows\system32\drivers\luafv.sys [x]
S2 MpsSvc;Windows Firewall;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 NlaSvc;Network Location Awareness;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 nsi;Network Store Interface Service;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 PcaSvc;Program Compatibility Assistant Service;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 PEAUTH;PEAUTH;c:\windows\system32\drivers\peauth.sys [x]
S2 Power;Power;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 ProfSvc;User Profile Service;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 RpcEptMapper;RPC Endpoint Mapper;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 SysMain;Superfetch;c:\windows\system32\svchost.exe [2009-07-14 27136]
S2 tcpipreg;TCP/IP Registry Compatibility;c:\windows\system32\drivers\tcpipreg.sys [x]
S2 UxSms;Desktop Window Manager Session Manager;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 WinDefend;Windows Defender;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 Wlansvc;WLAN AutoConfig;c:\windows\system32\svchost.exe [2009-07-14 27136]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 Appinfo;Application Information;c:\windows\system32\svchost.exe [2009-07-14 27136]
S3 bowser;Browser Support Driver;c:\windows\system32\DRIVERS\bowser.sys [x]
S3 CompositeBus;Composite Bus Enumerator Driver;c:\windows\system32\drivers\CompositeBus.sys [x]
S3 DXGKrnl;LDDM Graphics Subsystem;c:\windows\System32\drivers\dxgkrnl.sys [x]
S3 fdPHost;Function Discovery Provider Host;c:\windows\system32\svchost.exe [2009-07-14 27136]
S3 HomeGroupListener;HomeGroup Listener;c:\windows\System32\svchost.exe [2009-07-14 27136]
S3 HomeGroupProvider;HomeGroup Provider;c:\windows\System32\svchost.exe [2009-07-14 27136]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
S3 KeyIso;CNG Key Isolation;c:\windows\system32\lsass.exe [x]
S3 monitor;Microsoft Monitor Class Function Driver Service;c:\windows\system32\DRIVERS\monitor.sys [x]
S3 mpsdrv;Windows Firewall Authorization Driver;c:\windows\system32\drivers\mpsdrv.sys [x]
S3 mrxsmb10;SMB 1.x MiniRedirector;c:\windows\system32\DRIVERS\mrxsmb10.sys [x]
S3 mrxsmb20;SMB 2.0 MiniRedirector;c:\windows\system32\DRIVERS\mrxsmb20.sys [x]
S3 NativeWifiP;NativeWiFi Filter;c:\windows\system32\DRIVERS\nwifi.sys [x]
S3 netprofm;Network List Service;c:\windows\System32\svchost.exe [2009-07-14 27136]
S3 RasAgileVpn;WAN Miniport (IKEv2);c:\windows\system32\DRIVERS\AgileVpn.sys [x]
S3 rdpbus;Remote Desktop Device Redirector Bus Driver;c:\windows\system32\DRIVERS\rdpbus.sys [x]
S3 srv2;Server SMB 2.xxx Driver;c:\windows\system32\DRIVERS\srv2.sys [x]
S3 srvnet;srvnet;c:\windows\system32\DRIVERS\srvnet.sys [x]
S3 tunnel;Microsoft Tunnel Miniport Adapter Driver;c:\windows\system32\DRIVERS\tunnel.sys [x]
S3 umbus;UMBus Enumerator Driver;c:\windows\system32\drivers\umbus.sys [x]
S3 vwifibus;Virtual WiFi Bus Driver;c:\windows\system32\DRIVERS\vwifibus.sys [x]
S3 WdiServiceHost;Diagnostic Service Host;c:\windows\System32\svchost.exe [2009-07-14 27136]
S3 WdiSystemHost;Diagnostic System Host;c:\windows\System32\svchost.exe [2009-07-14 27136]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS QWAVE wcncsvc
DcomLaunch REG_MULTI_SZ Power PlugPlay DcomLaunch
wcssvc REG_MULTI_SZ WcsPlugInService
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
AudioSrv
FastUserSwitchingCompatibility
Nla
NWCWorkstation
SRService
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
msiscsi
schedule
SessionEnv
winmgmt
AppMgmt
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
sppuinotify
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceNetworkRestricted
BthHFSrv
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SharingPrivate]
@="{08244EE6-92F0-47f2-9FC9-929BAA2E7235}"
[HKEY_CLASSES_ROOT\CLSID\{08244EE6-92F0-47f2-9FC9-929BAA2E7235}]
2010-11-20 13:27 509952 ----a-w- c:\windows\System32\ntshrui.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-01-17 8866120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Nla
NWCWorkstation
SRService
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
winmgmt
SessionEnv
browser
EapHost
schedule
hkmsvc
wercplsupport
ProfSvc
Themes
BDESVC
AppMgmt
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalSystemNetworkRestricted
homegrouplistener
StorSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
WdiServiceHost
sppuinotify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetworkService
lanmanworkstation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceNetworkRestricted
BthHFSrv
homegroupprovider
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ei9ri0ac.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: CookieSafe: {9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD} - %profile%\extensions\{9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
SafeBoot-sacsvr
SafeBoot-vmms
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-03-16 19:03:50
ComboFix-quarantined-files.txt 2011-03-16 19:03
.
Pre-Run: 125,247,352,832 bytes free
Post-Run: 124,993,126,400 bytes free
.
- - End Of File - - AC9A23ACAD1BD929887FD79E8D2392DD

#9 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 16 March 2011 - 09:04 PM

Hello

I would like to see a report that ComboFix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 cal123 (Topic Starter, Members)

Posted 16 March 2011 - 09:27 PM

Hello, thanks very much for your quick responses.

My system appears to be behaving very normally but I still get the firewall connections. I guess they are Microsoft executables.

Here is the second combofix report as requested.

Adobe Flash Player 10 Plugin
avast! Free Antivirus
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help English
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB948127)
Hotfix for Microsoft Visual Studio 2008 Remote Debugger Light (x64) - ENU (KB944899)
Java Auto Updater
Java™ 6 Update 24
Microsoft SQL Server 2008 Management Objects
Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual Studio 2008 Remote Debugger Light (x64) - ENU Service Pack 1 (KB945140)
Mozilla Firefox (3.6.15)
OpenOffice.org 3.3
Project64 1.6
SQL Server System CLR Types
Star Wars Battlefront II

#11 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 16 March 2011 - 10:55 PM

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC (Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#12 cal123 (Topic Starter, Members)

Posted 17 March 2011 - 09:23 AM

Hello again.

OK, I have cleared my Java cache,
used TFC to delete temp files,
done a quick scan with MBAM
and got a HijackThis log.

My only problem was:

When running the HijackThis application from the desktop, it said:

"for some reason your system denied access to the hosts file. You will need to edit it manually and remove any bad entries etc"
so to get HijackThis working, I ran the executable from C:\Program Files (x86)\Trend Micro\HijackThis.exe as an administrator.
It solved the problem with the hosts file and I got a log.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6086

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

17/03/2011 13:51:34
mbam-log-2011-03-17 (13-51-34).txt

Scan type: Quick scan
Objects scanned: 171653
Time elapsed: 2 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:11:06, on 17/03/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
O23 - Service: AMD Reservation Manager - Advanced Micro Devices - C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 5402 bytes
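HijackThis reported that it was denied access to the hosts file and that any bad entries would have to be removed by hand. The following is an added example, not code from the thread or from HijackThis, showing what "bad entries" means in practice: it parses hosts-file text and flags the two patterns malware leaves there, security-vendor domains sunk to loopback/0.0.0.0 (blocks updates and scanners) and public hostnames redirected to an unrelated public address (pharming). The vendor suffix list, the sample file and the placeholder address 203.0.113.7 are constructed assumptions; the Windows path is real, and it is the write access to that file, not reading it, that needs an elevated process.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Where Windows keeps the file. Reading it needs no special rights; writing
# it needs an elevated (administrator) process.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Domains that malware commonly sinks to 127.0.0.1 / 0.0.0.0 to block
# updates and scanners. Illustrative assumption, not an authoritative list.
SECURITY_VENDOR_SUFFIXES = (
    "avast.com", "malwarebytes.org", "microsoft.com", "windowsupdate.com", "eset.com",
)

# RFC 1918 and link-local, spelled out explicitly: ipaddress.is_private also
# matches documentation ranges such as 203.0.113.0/24, which we want to
# treat as "public" so a redirect there is still surfaced.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
             "fc00::/7", "fe80::/10")]


@dataclass
class HostsEntry:
    lineno: int
    address: str
    hostname: str
    verdict: str   # ok | blocked-security-site | redirect


def _is_sink(addr) -> bool:
    # 127.x.x.x, ::1 and 0.0.0.0 all mean "resolves to nowhere useful"
    return addr.is_loopback or addr.is_unspecified


def _is_lan(addr) -> bool:
    # 'in' is False across IPv4/IPv6 versions, so mixing the nets is safe
    return any(addr in n for n in LAN_NETS)


def _is_vendor(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in SECURITY_VENDOR_SUFFIXES)


def classify_hosts(text: str) -> list[HostsEntry]:
    """Parse hosts-file text and give every (address, hostname) pair a verdict."""
    entries: list[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s+", line)
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                  # Windows ignores malformed lines too
        for hostname in parts[1:]:                    # one address may carry several names
            host = hostname.lower()
            if _is_sink(addr):
                if _is_vendor(host):
                    verdict = "blocked-security-site"
                else:
                    verdict = "ok"    # localhost lines and ad-block style lists look like this
            elif _is_lan(addr):
                verdict = "ok"        # LAN name resolution, e.g. a NAS or printer
            else:
                verdict = "redirect"  # public name sent to an arbitrary public IP
            entries.append(HostsEntry(lineno, str(addr), host, verdict))
    return entries


def suspicious(entries: list[HostsEntry]) -> list[HostsEntry]:
    return [e for e in entries if e.verdict != "ok"]


# Constructed sample hosts file (not taken from the poster's machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
192.168.1.50    nas.home               # LAN device, fine
0.0.0.0         ads.example.net        # ad-block style entry, fine
127.0.0.1       www.malwarebytes.org   # sinks a security vendor: suspicious
203.0.113.7     www.avast.com          # redirects a vendor to a public IP: suspicious
"""

if __name__ == "__main__":
    for e in suspicious(classify_hosts(SAMPLE_HOSTS)):
        print(f"line {e.lineno}: {e.hostname} -> {e.address} [{e.verdict}]")
```

To run it against a real machine, read `WINDOWS_HOSTS_PATH` and pass the text to `classify_hosts`; an "ok" verdict on an ad-block style entry is deliberate, since such lists are common and only the vendor-domain and redirect patterns are worth a second look.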

#13 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 17 March 2011 - 12:22 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; you can start any of them from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select Run as administrator.



  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
      O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
      O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines here and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space, e.g.
    O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - on Vista and Windows 7, right-click the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo

#14 cal123 (Topic Starter, Members)

Posted 17 March 2011 - 05:19 PM

I have the log from the ESET scanner.

Thank you very much for your time and help.

I have some questions though:

Firstly:
Was my laptop infected with any kind of malware? Did the logs show anything that shouldn't be there? (My most important question).
Is it infected now?

Secondly:
Why did ComboFix delete C:\Users\Calum\PlatinumArtsSandbox2.6.1? I know that is a safe executable.

Finally:
Those firewall connections (IP addresses 192.168.1.255, 244.0.0.2 (or similar) and 239.255.255.250) are not a result of a malware attack, are they? (Microsoft?) They all appear to be from
legitimate svchost.exe processes which don't turn up as infected. That Avast pop-up I mentioned in the first post was a false positive from my game I was making?

Here is the ESET scan log as requested:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-17 09:59:05
# local_time=2011-03-17 09:59:05 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 29714 29714 0 0
# compatibility_mode=3073 16777213 80 75 1210581 6813509 0 0
# compatibility_mode=5893 16776573 100 94 197424 52861867 0 0
# compatibility_mode=8192 67108863 100 0 489 489 0 0
# scanned=95780
# found=0
# cleaned=0
# scan_time=2329

#15 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 18 March 2011 - 03:02 AM

Firstly:
not that I had seen

Is it infected now?
No it is not

Secondly:
I don't know why - but I can fix it

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\ComboFix-quarantined-files.txt

  • click ok

copy and paste the report into this topic for me to review

Finally:
those IPs are fine

Gringo
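The question in #14 and the answer in #15 ("those IPs are fine") are worth making mechanical. 239.255.255.250 is the SSDP/UPnP discovery multicast group, 224.0.0.2 is the all-routers multicast group, and 192.168.1.255 is the subnet broadcast address of a 192.168.1.0/24 network; Windows services hosted in svchost.exe (the ComboFix output above lists SSDPSRV and upnphost in one such service group) send to these as normal LAN background traffic. The following is an added example, not code from the thread or from any firewall product: it triages firewall alert lines by destination, separating local discovery traffic from unicast to the LAN and from unicast to an external address, which is the only class that deserves a closer look. The alert line format, the sample lines, the 192.168.1.0/24 assumption and the placeholder public address 203.0.113.45 are all constructed; the poster wrote "244.0.0.2 (or similar)", and 224.0.0.2 is assumed to be what was seen.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Multicast groups and broadcast ports that Windows services hosted in
# svchost.exe talk to routinely (SSDP/UPnP discovery, LLMNR, mDNS, NetBIOS,
# DHCP). Seeing these in a firewall prompt is ordinary LAN background noise.
WELL_KNOWN_MULTICAST = {
    "224.0.0.1": "all-hosts group",
    "224.0.0.2": "all-routers group (IGMP)",
    "224.0.0.251": "mDNS",
    "224.0.0.252": "LLMNR",
    "239.255.255.250": "SSDP / UPnP discovery",
}
BROADCAST_PORTS = {
    67: "DHCP (server)",
    68: "DHCP (client)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    1900: "SSDP",
}

# RFC 1918 plus link-local, spelled out explicitly: ipaddress.is_private also
# matches documentation ranges such as 203.0.113.0/24, which would hide the
# "unicast to a public address" case we want to surface.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Assumed alert line layout: "<process> <protocol> <dst-ip>[:<dst-port>]".
LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<proto>[A-Za-z]+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?\s*$"
)


@dataclass
class Verdict:
    process: str
    protocol: str
    ip: str
    port: int | None
    verdict: str   # local-discovery | lan-unicast | external-unicast
    detail: str


def triage(line: str, local_net: str = "192.168.1.0/24") -> Verdict | None:
    """Classify one alert line by destination. Returns None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip = ipaddress.ip_address(m["ip"])
    port = int(m["port"]) if m["port"] else None
    net = ipaddress.ip_network(local_net)
    base = (m["proc"], m["proto"].upper(), str(ip), port)

    if ip.is_multicast:                                   # 224.0.0.0/4
        return Verdict(*base, "local-discovery",
                       WELL_KNOWN_MULTICAST.get(str(ip), "other multicast group"))
    if ip == net.broadcast_address or str(ip) == "255.255.255.255":
        return Verdict(*base, "local-discovery",
                       BROADCAST_PORTS.get(port, "subnet/limited broadcast"))
    if any(ip in n for n in LAN_NETS):
        return Verdict(*base, "lan-unicast", "another host on the local network")
    return Verdict(*base, "external-unicast",
                   "check which service owns this process, the port, and the destination")


def triage_alerts(text: str, local_net: str = "192.168.1.0/24") -> list[Verdict]:
    results = []
    for line in text.splitlines():
        v = triage(line, local_net)
        if v is not None:
            results.append(v)
    return results


# Constructed sample alerts. The three LAN destinations come from the thread
# (224.0.0.2 assumed for "244.0.0.2 (or similar)"); 203.0.113.45 is a
# documentation-range placeholder standing in for an arbitrary public address.
SAMPLE_ALERTS = """\
svchost.exe UDP 239.255.255.250:1900
svchost.exe UDP 192.168.1.255:138
svchost.exe IGMP 224.0.0.2
svchost.exe UDP 224.0.0.252:5355
svchost.exe TCP 203.0.113.45:8080
"""

if __name__ == "__main__":
    for v in triage_alerts(SAMPLE_ALERTS):
        print(f"{v.process:12} {v.protocol:4} {v.ip}:{v.port}  {v.verdict:17} {v.detail}")
```

The design point is that destination class, not process name, decides the first cut: svchost.exe hosts dozens of services, so "svchost.exe connected somewhere" says nothing on its own, while multicast and subnet broadcast never leave the local network and so cannot be command-and-control traffic. Only the external-unicast line survives triage, and for that one the next steps are to identify the owning service (tasklist /svc) and to look at the port and destination.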