Infected with Windows Vista Recovery Virus


This topic is locked
27 replies to this topic

#1 ZachD

  • Members
  • 21 posts
  • Gender:Male

Posted 22 May 2011 - 02:34 PM

When I was first infected with this virus, I put my computer in safe mode and then followed the instructions in the removal guide on this site. When I ran MBAM, it found 30 infections, mostly comprised of TDSS. I was able to successfully remove all detected infections, and then used the Unhide program, which successfully unhid all of my hidden files. However, after about 15 minutes, the desktop background went black again, and the majority of my icons and files were hidden again. When I left safe mode, upon starting up the computer, the WV Recovery window appeared again. There are also WV Recovery and Windows Security Alert icons in the taskbar. Running RKill gets rid of the window and icons, but the virus is obviously still on my computer. Neither MBAM nor TDSSKiller is able to find any infections anymore. Below I have attached the DDS scan results. I tried multiple times to run a GMER scan, but while it is in progress my computer blue-screens, crashes and reboots.

DDS Log:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_23
Run by Zach at 16:34:34 on 2011-05-21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.739 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\vsserv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Alienware\Command Center\PowerManagementService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\ifxspmgt.exe
C:\Windows\system32\ifxtcs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\IfxPsdSv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\StkCSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Alienware\Command Center\DimApp.exe
C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\system32\ifxuagui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\bdagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Infineon\Security Platform Software\PSDrt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Infineon\Security Platform Software\SpTna.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\PCSecurityShield\BitDefender 2009\seccenter.exe
C:\Windows\system32\attrib.exe
C:\Windows\system32\attrib.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Users\Zach\Desktop\dds.scr
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: The Shield Deluxe 2009 Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\pcsecurityshield\bitdefender 2009\IEToolbar.dll
TB: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Aim6]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\Vid.exe" -bootmode
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MarbleStation]
uRun: [oVlLshwOTG] c:\programdata\oVlLshwOTG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [Alienware DIM Controller] "c:\program files\alienware\command center\DimApp.exe"
mRun: [AlienFX Controller] "c:\program files\alienware\command center\AlienwareAlienFXController.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [hpqSRMon]
mRun: [BDAgent] "c:\program files\pcsecurityshield\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\pcsecurityshield\bitdefender 2009\IEShow.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\zach\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\logitech webcam software\eReg.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: webassign.net\www
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\zach\appdata\roaming\mozilla\firefox\profiles\rjvxxox4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\zach\appdata\roaming\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\users\zach\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\zach\appdata\roaming\mozilla\firefox\profiles\rjvxxox4.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
============= SERVICES / DRIVERS ===============
.
R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2007-10-12 209408]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R3 AVerHybrid;AVerMedia Hybrid Tuner (NTSC/PAL/SECAM/ATSC/FM);c:\windows\system32\drivers\averhbtv.sys [2007-10-26 304640]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2007-10-26 47616]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
.
=============== Created Last 30 ================
.
2011-05-21 23:20:48 344576 ----a-w- c:\programdata\30465784.exe
2011-05-21 19:34:19 424448 ----a-w- c:\programdata\oVlLshwOTG.exe
2011-05-21 02:27:49 -------- d--h--w- c:\users\zach\appdata\local\{3029916A-EEC7-4AE9-A934-BB816D426879}
2011-05-20 17:43:46 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ee4d4416-31df-4537-9f49-31278e3aed45}\mpengine.dll
2011-05-20 06:10:44 -------- d--h--w- c:\users\zach\appdata\local\{E6430087-CDED-461B-B151-34CAAB865B73}
2011-05-20 04:50:07 -------- d-----w- C:\Download
2011-05-20 04:49:10 -------- d-----w- C:\NetmarbleGlobal
2011-05-19 18:04:36 -------- d--h--w- c:\users\zach\appdata\local\{CF42E06D-E4F5-41A7-8C17-7B9B12EE5E32}
2011-05-19 03:25:24 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-05-18 20:11:28 -------- d--h--w- c:\users\zach\appdata\local\{50801AE0-1272-4DD9-B861-F87C161F5163}
2011-05-17 03:30:55 -------- d--h--w- c:\users\zach\appdata\local\{B2DAF84A-D111-46E6-AA0A-1B4D9AF4956A}
2011-05-16 01:40:35 -------- d--h--w- c:\users\zach\appdata\local\{B781D261-589D-4BCD-9B98-92F7E6C3B40B}
2011-05-15 00:28:41 -------- d-----w- c:\programdata\Skype Extras
2011-05-15 00:22:26 -------- d--h--w- c:\users\zach\appdata\local\{4749F169-0996-4A0A-A18A-486751740237}
2011-05-14 00:51:58 -------- d--h--w- c:\users\zach\appdata\roaming\wargaming.net
2011-05-14 00:28:28 3912008 ----a-w- c:\windows\system32\GameMon.des
2011-05-14 00:27:51 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2011-05-14 00:27:51 4682 ----a-w- c:\windows\system32\npptNT2.sys
2011-05-14 00:27:42 -------- d-----w- c:\program files\common files\INCA Shared
2011-05-13 18:32:14 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-13 18:32:13 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-13 18:32:12 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-13 18:32:12 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-13 18:32:12 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-13 18:32:10 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-13 18:32:09 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-13 18:32:07 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-13 18:31:42 -------- d-----w- C:\Games
2011-05-12 00:30:36 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-12 00:21:50 -------- d--h--w- c:\users\zach\appdata\local\{CF20089C-D1BB-44AD-8487-B3E9F562C483}
2011-05-10 20:39:24 -------- d--h--w- c:\users\zach\appdata\local\{2189D9D8-37B6-4F55-92AA-478CE6CF5FF0}
2011-05-09 20:11:29 -------- d--h--w- c:\users\zach\appdata\local\{9C4F64AF-D8E9-49E5-A052-0EED50BD7FBF}
2011-05-08 20:42:23 -------- d--h--w- c:\users\zach\appdata\local\{EE415AB5-B226-486B-B333-344033799882}
2011-05-08 05:25:46 -------- d--h--w- c:\users\zach\appdata\local\{533B0D81-5E8B-4782-8C7A-CD8FFC434409}
2011-05-07 04:40:53 -------- d--h--w- c:\users\zach\appdata\local\{DD4D6B05-D94F-4418-B452-9358684F1A26}
2011-05-06 04:16:43 -------- d--h--w- c:\users\zach\appdata\local\{4A4B5FCB-C231-43E2-874F-1B0EB9ED96BE}
2011-05-05 02:00:02 -------- d--h--w- c:\users\zach\appdata\local\{26CDEF76-E254-4E81-A932-5A36814DBD92}
2011-05-04 02:30:20 -------- d--h--w- c:\users\zach\appdata\local\{DA9E2A7B-2D6E-462D-8FDE-3E81778338B8}
2011-05-03 01:11:43 -------- d--h--w- c:\users\zach\appdata\local\{D7C40E28-5B2B-48B4-8DAC-02EA2AA31AFF}
2011-05-02 03:49:09 -------- d--h--w- c:\users\zach\appdata\local\{079C95CC-DEEB-4535-87AF-340B336832C6}
2011-05-01 01:59:16 -------- d--h--w- c:\users\zach\appdata\local\{B8CD0054-453A-4120-8AAC-F8FC3F079137}
2011-04-29 17:47:27 -------- d--h--w- c:\users\zach\appdata\local\{D10A6B9A-22B2-4F08-BD2A-2106978DF9D2}
2011-04-29 00:36:57 -------- d--h--w- c:\users\zach\appdata\local\{7EE0A71C-2EEE-42FD-B251-0BCA0F6B2D9F}
2011-04-27 23:33:35 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 23:33:34 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 23:33:32 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-27 19:04:05 -------- d--h--w- c:\users\zach\appdata\local\{5E6897EB-D089-44BE-8422-F9DE4FA08EEA}
2011-04-26 23:37:17 -------- d--h--w- c:\users\zach\appdata\local\{80B442DD-1D3A-4969-BD11-089735B53EF9}
2011-04-25 21:47:15 -------- d--h--w- c:\users\zach\appdata\local\{7AEF6C53-564F-4CBE-A6F2-CA39C2F00E88}
2011-04-25 01:26:04 -------- d--h--w- c:\users\zach\appdata\local\{A388C5EF-BA03-4C0A-9C40-BFDBF81047F1}
2011-04-24 06:49:48 -------- d--h--w- c:\users\zach\appdata\local\{6B91AD68-849F-4110-8E7C-DEDD677AFB61}
2011-04-23 18:48:43 -------- d--h--w- c:\users\zach\appdata\local\{31B4F591-965C-4A04-B25E-1C7F7E2D7FAF}
2011-04-22 01:53:07 -------- d--h--w- c:\users\zach\appdata\local\{8E9A72FE-5FC8-4214-82AB-046AC856FEB5}
.
==================== Find3M ====================
.
2011-05-21 19:36:51 81984 ----a-w- c:\windows\system32\bdod.bin
2011-04-08 05:43:36 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-04-08 05:43:34 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-04-08 05:43:34 612456 ----a-w- c:\windows\system32\nvvsvc.exe
2011-04-08 05:43:34 2582120 ----a-w- c:\windows\system32\nvsvcr.dll
2011-04-08 05:43:34 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-04-08 05:43:20 3701352 ----a-w- c:\windows\system32\nvcpl.dll
2011-04-08 05:43:04 2565224 ----a-w- c:\windows\system32\nvsvc.dll
2011-04-08 00:44:40 189480 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-04-08 00:39:25 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-04-08 00:39:03 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-04-02 23:17:21 138056 ---ha-w- c:\users\zach\appdata\roaming\PnkBstrK.sys
2011-04-02 23:17:02 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-04-02 04:37:53 3360624 ----a-w- c:\windows\system32\pbsvc.exe
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40:07 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13:01 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33:09 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-22 13:24:10 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24:02 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23:59 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23:55 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iastor.sys spdi.sys >>UNKNOWN [0x879DE938]<<
c:\windows\system32\drivers\iastor.sys Intel Corporation Intel Matrix Storage Manager driver
System32\Drivers\spdi.sys
_asm { PUSH EBP; MOV EBP, ESP; JMP 0xfffffffffd07810f; }
1 ntkrnlpa!IofCallDriver[0x84A88912] -> \Device\Harddisk0\DR0[0x89CD0780]
3 CLASSPNP[0x8B3A38B3] -> ntkrnlpa!IofCallDriver[0x84A88912] -> [0x87B1B6B8]
5 acpi[0x8A9C06BC] -> ntkrnlpa!IofCallDriver[0x84A88912] -> \Device\Ide\IAAStorageDevice-0[0x88011030]
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV DS, BX; MOV ES, BX; MOV SI, 0x200; MOV CX, SI; CLD ; REP MOVSB ; JMP FAR 0x7a0:0xa3; }
detected disk devices:
detected hooks:
\Driver\atapi -> 0x87a281f8
user != kernel MBR !!!
Warning: possible MBR rootkit infection !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 16:41:28.50 ===============



Thank you in advance,
Zach

**UPDATE**
I was hoping to edit my original post, but I could not find where to do that, so this additional info will probably result in my post being bumped back to the beginning.

Yesterday I updated MBAM, and ran a full scan again. This time, three infections were found (MBAM called them Rogue.RecoveryConsole), which were deleted and quarantined. I then used Unhide, and my files are now all visible again. This morning when I turned on my computer, the Windows Vista Recovery window that kept popping up did not come up. I am hoping this means I am free and clear, but just to be sure, I am going to provide a DDS log from a scan I ran today, and I am hoping you could look over it and see if anything is still sticking out as abnormal.
Thank you for any help/information you can provide.

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_23
Run by Zach at 11:38:55 on 2011-05-25
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.959 [GMT -7:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\vsserv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Alienware\Command Center\PowerManagementService.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\ifxspmgt.exe
C:\Windows\system32\ifxtcs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\IfxPsdSv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\StkCSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Alienware\Command Center\DimApp.exe
C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\system32\ifxuagui.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\bdagent.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Infineon\Security Platform Software\PSDrt.exe
C:\Program Files\Infineon\Security Platform Software\SpTna.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\seccenter.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\WerCon.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Zach\Desktop\Computer\dds.scr
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: The Shield Deluxe 2009 Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\pcsecurityshield\bitdefender 2009\IEToolbar.dll
TB: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Aim6]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\Vid.exe" -bootmode
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MarbleStation]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [Alienware DIM Controller] "c:\program files\alienware\command center\DimApp.exe"
mRun: [AlienFX Controller] "c:\program files\alienware\command center\AlienwareAlienFXController.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [hpqSRMon]
mRun: [BDAgent] "c:\program files\pcsecurityshield\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\pcsecurityshield\bitdefender 2009\IEShow.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\zach\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\logitech webcam software\eReg.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: webassign.net\www
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\zach\appdata\roaming\mozilla\firefox\profiles\rjvxxox4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\zach\appdata\roaming\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\users\zach\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\zach\appdata\roaming\mozilla\firefox\profiles\rjvxxox4.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
============= SERVICES / DRIVERS ===============
.
R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2007-10-12 209408]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-1-23 39080]
R2 AlienFusionService;Alienware Fusion Service;c:\program files\alienware\command center\PowerManagementService.exe [2007-11-30 20480]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-7-27 21504]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\system32\StkCSrv.exe [2007-10-13 24576]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-29 24652]
R3 AVerHybrid;AVerMedia Hybrid Tuner (NTSC/PAL/SECAM/ATSC/FM);c:\windows\system32\drivers\averhbtv.sys [2007-10-26 304640]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2007-10-26 47616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-23 133104]
S3 Arrakis3;The Shield Deluxe 2009 Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2009-1-20 172032]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2010-1-3 25832]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-23 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 StkCMini;Syntek AVStream USB2.0 2M WebCam;c:\windows\system32\drivers\StkCMini.sys [2007-10-13 1355520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-25 01:22:45 -------- d-----w- c:\users\zach\appdata\local\{BB2A544B-810A-404D-A315-31EE6484F4F6}
2011-05-25 00:12:14 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2c81e717-e138-4110-aa5c-6e24925c17b4}\mpengine.dll
2011-05-23 18:51:09 -------- d-----w- c:\users\zach\appdata\local\{C6D47AF6-B23A-4414-B3EF-475C12681282}
2011-05-23 03:06:39 -------- d-----w- c:\users\zach\appdata\local\{CA2D01A3-33EB-4BC4-9C05-232C7D3157AA}
2011-05-21 02:27:49 -------- d-----w- c:\users\zach\appdata\local\{3029916A-EEC7-4AE9-A934-BB816D426879}
2011-05-20 06:10:44 -------- d-----w- c:\users\zach\appdata\local\{E6430087-CDED-461B-B151-34CAAB865B73}
2011-05-20 04:50:07 -------- d-----w- C:\Download
2011-05-20 04:49:10 -------- d-----w- C:\NetmarbleGlobal
2011-05-19 18:04:36 -------- d-----w- c:\users\zach\appdata\local\{CF42E06D-E4F5-41A7-8C17-7B9B12EE5E32}
2011-05-19 03:25:24 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-05-18 20:11:28 -------- d-----w- c:\users\zach\appdata\local\{50801AE0-1272-4DD9-B861-F87C161F5163}
2011-05-17 03:30:55 -------- d-----w- c:\users\zach\appdata\local\{B2DAF84A-D111-46E6-AA0A-1B4D9AF4956A}
2011-05-16 01:40:35 -------- d-----w- c:\users\zach\appdata\local\{B781D261-589D-4BCD-9B98-92F7E6C3B40B}
2011-05-15 00:28:41 -------- d-----w- c:\programdata\Skype Extras
2011-05-15 00:22:26 -------- d-----w- c:\users\zach\appdata\local\{4749F169-0996-4A0A-A18A-486751740237}
2011-05-14 00:51:58 -------- d-----w- c:\users\zach\appdata\roaming\wargaming.net
2011-05-14 00:28:28 3912008 ----a-w- c:\windows\system32\GameMon.des
2011-05-14 00:27:51 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2011-05-14 00:27:51 4682 ----a-w- c:\windows\system32\npptNT2.sys
2011-05-14 00:27:42 -------- d-----w- c:\program files\common files\INCA Shared
2011-05-13 18:32:14 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-13 18:32:13 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-13 18:32:12 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-13 18:32:12 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-13 18:32:12 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-13 18:32:10 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-13 18:32:09 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-13 18:32:07 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-13 18:31:42 -------- d-----w- C:\Games
2011-05-12 00:30:36 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-12 00:21:50 -------- d-----w- c:\users\zach\appdata\local\{CF20089C-D1BB-44AD-8487-B3E9F562C483}
2011-05-10 20:39:24 -------- d-----w- c:\users\zach\appdata\local\{2189D9D8-37B6-4F55-92AA-478CE6CF5FF0}
2011-05-09 20:11:29 -------- d-----w- c:\users\zach\appdata\local\{9C4F64AF-D8E9-49E5-A052-0EED50BD7FBF}
2011-05-08 20:42:23 -------- d-----w- c:\users\zach\appdata\local\{EE415AB5-B226-486B-B333-344033799882}
2011-05-08 05:25:46 -------- d-----w- c:\users\zach\appdata\local\{533B0D81-5E8B-4782-8C7A-CD8FFC434409}
2011-05-07 04:40:53 -------- d-----w- c:\users\zach\appdata\local\{DD4D6B05-D94F-4418-B452-9358684F1A26}
2011-05-06 04:16:43 -------- d-----w- c:\users\zach\appdata\local\{4A4B5FCB-C231-43E2-874F-1B0EB9ED96BE}
2011-05-05 02:00:02 -------- d-----w- c:\users\zach\appdata\local\{26CDEF76-E254-4E81-A932-5A36814DBD92}
2011-05-04 02:30:20 -------- d-----w- c:\users\zach\appdata\local\{DA9E2A7B-2D6E-462D-8FDE-3E81778338B8}
2011-05-03 01:11:43 -------- d-----w- c:\users\zach\appdata\local\{D7C40E28-5B2B-48B4-8DAC-02EA2AA31AFF}
2011-05-02 03:49:09 -------- d-----w- c:\users\zach\appdata\local\{079C95CC-DEEB-4535-87AF-340B336832C6}
2011-05-01 01:59:16 -------- d-----w- c:\users\zach\appdata\local\{B8CD0054-453A-4120-8AAC-F8FC3F079137}
2011-04-29 17:47:27 -------- d-----w- c:\users\zach\appdata\local\{D10A6B9A-22B2-4F08-BD2A-2106978DF9D2}
2011-04-29 00:36:57 -------- d-----w- c:\users\zach\appdata\local\{7EE0A71C-2EEE-42FD-B251-0BCA0F6B2D9F}
2011-04-27 23:33:35 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 23:33:34 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 23:33:32 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-27 19:04:05 -------- d-----w- c:\users\zach\appdata\local\{5E6897EB-D089-44BE-8422-F9DE4FA08EEA}
2011-04-26 23:37:17 -------- d-----w- c:\users\zach\appdata\local\{80B442DD-1D3A-4969-BD11-089735B53EF9}
2011-04-25 21:47:15 -------- d-----w- c:\users\zach\appdata\local\{7AEF6C53-564F-4CBE-A6F2-CA39C2F00E88}
.
==================== Find3M ====================
.
2011-05-24 22:43:10 81984 ----a-w- c:\windows\system32\bdod.bin
2011-04-08 05:43:36 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-04-08 05:43:34 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-04-08 05:43:34 612456 ----a-w- c:\windows\system32\nvvsvc.exe
2011-04-08 05:43:34 2582120 ----a-w- c:\windows\system32\nvsvcr.dll
2011-04-08 05:43:34 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-04-08 05:43:20 3701352 ----a-w- c:\windows\system32\nvcpl.dll
2011-04-08 05:43:04 2565224 ----a-w- c:\windows\system32\nvsvc.dll
2011-04-08 00:44:40 189480 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-04-08 00:39:25 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-04-08 00:39:03 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-04-02 23:17:21 138056 ----a-w- c:\users\zach\appdata\roaming\PnkBstrK.sys
2011-04-02 23:17:02 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-04-02 04:37:53 3360624 ----a-w- c:\windows\system32\pbsvc.exe
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40:07 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
.
============= FINISH: 11:40:25.72 ===============

EDIT: Posts merged ~Budapest

Edited by Budapest, 25 May 2011 - 07:17 PM.



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:14 AM

Posted 30 May 2011 - 06:26 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 ZachD

ZachD
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Local time:08:14 PM

Posted 31 May 2011 - 03:27 PM

Yes, I am here, and still have this topic set to watch.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:14 AM

Posted 31 May 2011 - 06:25 PM

You have suspicious files on the machine and the Gmer scan which did run shows an infection existed at the time.

Please rerun DDS first so we can see what still remains.
m0le is a proud member of UNITE

#5 ZachD

ZachD
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Local time:08:14 PM

Posted 01 June 2011 - 03:40 PM

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_23
Run by Zach at 13:33:22 on 2011-06-01
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.886 [GMT -7:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\vsserv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Alienware\Command Center\PowerManagementService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\ifxspmgt.exe
C:\Windows\system32\ifxtcs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\IfxPsdSv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\StkCSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Alienware\Command Center\DimApp.exe
C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Windows\system32\ifxuagui.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\bdagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Infineon\Security Platform Software\PSDrt.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Infineon\Security Platform Software\SpTna.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\seccenter.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Zach\Desktop\Computer\dds.scr
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: The Shield Deluxe 2009 Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\pcsecurityshield\bitdefender 2009\IEToolbar.dll
TB: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Aim6]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\Vid.exe" -bootmode
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MarbleStation]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [Alienware DIM Controller] "c:\program files\alienware\command center\DimApp.exe"
mRun: [AlienFX Controller] "c:\program files\alienware\command center\AlienwareAlienFXController.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdc.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [hpqSRMon]
mRun: [BDAgent] "c:\program files\pcsecurityshield\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\pcsecurityshield\bitdefender 2009\IEShow.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\zach\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\logitech webcam software\eReg.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: webassign.net\www
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\zach\appdata\roaming\mozilla\firefox\profiles\rjvxxox4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\zach\appdata\roaming\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\users\zach\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\zach\appdata\roaming\mozilla\firefox\profiles\rjvxxox4.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
============= SERVICES / DRIVERS ===============
.
R0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\drivers\iaNvStor.sys [2007-10-12 209408]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-1-23 39080]
R2 AlienFusionService;Alienware Fusion Service;c:\program files\alienware\command center\PowerManagementService.exe [2007-11-30 20480]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-7-27 21504]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\system32\StkCSrv.exe [2007-10-13 24576]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-3-3 428640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-29 24652]
R3 AVerHybrid;AVerMedia Hybrid Tuner (NTSC/PAL/SECAM/ATSC/FM);c:\windows\system32\drivers\averhbtv.sys [2011-5-25 304128]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2007-10-26 47616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-23 133104]
S3 Arrakis3;The Shield Deluxe 2009 Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2009-1-20 172032]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2010-1-3 25832]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-23 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 StkCMini;Syntek AVStream USB2.0 2M WebCam;c:\windows\system32\drivers\StkCMini.sys [2007-10-13 1355520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-31 20:18:49 -------- d-----w- c:\users\zach\appdata\local\{FCCB372B-CAA9-4D9C-9A3A-D5855932C43A}
2011-05-31 06:37:39 -------- d-----w- c:\users\zach\appdata\local\{5CF3F845-9F09-4348-9011-EDC313436A22}
2011-05-30 18:36:23 -------- d-----w- c:\users\zach\appdata\local\{A23C166C-F4FE-4BB0-AD75-B85200BF716E}
2011-05-29 18:50:06 -------- d-----w- c:\users\zach\appdata\local\{9782BDAC-82D5-488F-B6D7-25A9D4BB4F2F}
2011-05-29 04:45:11 -------- d-----w- c:\users\zach\appdata\local\{D662BC56-DA0B-47EE-AA53-4A6CABE49359}
2011-05-27 19:09:35 -------- d-----w- c:\users\zach\appdata\local\{C85555F5-357E-43C8-9A61-43D72F7836EB}
2011-05-27 02:09:47 -------- d-----w- c:\users\zach\appdata\local\{76CA133B-29E2-4739-A1F1-8A117E68AAB6}
2011-05-26 04:31:51 -------- d-----w- c:\users\zach\{dff3c457-4cdf-4ba7-a8a8-abfbf58be12b}
2011-05-26 04:30:04 304128 ----a-w- c:\windows\system32\drivers\averhbtv.sys
2011-05-26 04:30:04 -------- d-----w- c:\windows\Driver Cache
2011-05-26 04:29:52 -------- d-----w- C:\Drivers
2011-05-25 21:50:05 -------- d-----w- c:\users\zach\appdata\local\{807F31F5-304A-4BBE-95AC-F66EDEAD1C0E}
2011-05-25 01:22:45 -------- d-----w- c:\users\zach\appdata\local\{BB2A544B-810A-404D-A315-31EE6484F4F6}
2011-05-25 00:12:14 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{2c81e717-e138-4110-aa5c-6e24925c17b4}\mpengine.dll
2011-05-23 18:51:09 -------- d-----w- c:\users\zach\appdata\local\{C6D47AF6-B23A-4414-B3EF-475C12681282}
2011-05-23 03:06:39 -------- d-----w- c:\users\zach\appdata\local\{CA2D01A3-33EB-4BC4-9C05-232C7D3157AA}
2011-05-21 02:27:49 -------- d-----w- c:\users\zach\appdata\local\{3029916A-EEC7-4AE9-A934-BB816D426879}
2011-05-20 06:10:44 -------- d-----w- c:\users\zach\appdata\local\{E6430087-CDED-461B-B151-34CAAB865B73}
2011-05-20 04:50:07 -------- d-----w- C:\Download
2011-05-20 04:49:10 -------- d-----w- C:\NetmarbleGlobal
2011-05-19 18:04:36 -------- d-----w- c:\users\zach\appdata\local\{CF42E06D-E4F5-41A7-8C17-7B9B12EE5E32}
2011-05-19 03:25:24 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-05-18 20:11:28 -------- d-----w- c:\users\zach\appdata\local\{50801AE0-1272-4DD9-B861-F87C161F5163}
2011-05-17 03:30:55 -------- d-----w- c:\users\zach\appdata\local\{B2DAF84A-D111-46E6-AA0A-1B4D9AF4956A}
2011-05-16 01:40:35 -------- d-----w- c:\users\zach\appdata\local\{B781D261-589D-4BCD-9B98-92F7E6C3B40B}
2011-05-15 00:28:41 -------- d-----w- c:\programdata\Skype Extras
2011-05-15 00:22:26 -------- d-----w- c:\users\zach\appdata\local\{4749F169-0996-4A0A-A18A-486751740237}
2011-05-14 00:51:58 -------- d-----w- c:\users\zach\appdata\roaming\wargaming.net
2011-05-14 00:28:28 3912008 ----a-w- c:\windows\system32\GameMon.des
2011-05-14 00:27:51 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2011-05-14 00:27:51 4682 ----a-w- c:\windows\system32\npptNT2.sys
2011-05-14 00:27:42 -------- d-----w- c:\program files\common files\INCA Shared
2011-05-13 18:32:14 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-13 18:32:13 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-13 18:32:12 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-13 18:32:12 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-13 18:32:12 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-13 18:32:10 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-13 18:32:09 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-13 18:32:07 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-13 18:31:42 -------- d-----w- C:\Games
2011-05-12 00:30:36 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-12 00:21:50 -------- d-----w- c:\users\zach\appdata\local\{CF20089C-D1BB-44AD-8487-B3E9F562C483}
2011-05-10 20:39:24 -------- d-----w- c:\users\zach\appdata\local\{2189D9D8-37B6-4F55-92AA-478CE6CF5FF0}
2011-05-09 20:11:29 -------- d-----w- c:\users\zach\appdata\local\{9C4F64AF-D8E9-49E5-A052-0EED50BD7FBF}
2011-05-08 20:42:23 -------- d-----w- c:\users\zach\appdata\local\{EE415AB5-B226-486B-B333-344033799882}
2011-05-08 05:25:46 -------- d-----w- c:\users\zach\appdata\local\{533B0D81-5E8B-4782-8C7A-CD8FFC434409}
2011-05-07 04:40:53 -------- d-----w- c:\users\zach\appdata\local\{DD4D6B05-D94F-4418-B452-9358684F1A26}
2011-05-06 04:16:43 -------- d-----w- c:\users\zach\appdata\local\{4A4B5FCB-C231-43E2-874F-1B0EB9ED96BE}
2011-05-05 02:00:02 -------- d-----w- c:\users\zach\appdata\local\{26CDEF76-E254-4E81-A932-5A36814DBD92}
2011-05-04 02:30:20 -------- d-----w- c:\users\zach\appdata\local\{DA9E2A7B-2D6E-462D-8FDE-3E81778338B8}
2011-05-03 01:11:43 -------- d-----w- c:\users\zach\appdata\local\{D7C40E28-5B2B-48B4-8DAC-02EA2AA31AFF}
.
==================== Find3M ====================
.
2011-05-31 07:03:29 81984 ----a-w- c:\windows\system32\bdod.bin
2011-04-08 05:43:36 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-04-08 05:43:34 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-04-08 05:43:34 612456 ----a-w- c:\windows\system32\nvvsvc.exe
2011-04-08 05:43:34 2582120 ----a-w- c:\windows\system32\nvsvcr.dll
2011-04-08 05:43:34 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-04-08 05:43:20 3701352 ----a-w- c:\windows\system32\nvcpl.dll
2011-04-08 05:43:04 2565224 ----a-w- c:\windows\system32\nvsvc.dll
2011-04-08 00:44:40 189480 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-04-08 00:39:25 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-04-08 00:39:03 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-04-02 23:17:21 138056 ----a-w- c:\users\zach\appdata\roaming\PnkBstrK.sys
2011-04-02 23:17:02 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-04-02 04:37:53 3360624 ----a-w- c:\windows\system32\pbsvc.exe
2011-03-12 21:55:52 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-04 01:30:26 4333024 ----a-w- c:\windows\system32\drivers\lvuvc.sys
2011-03-04 01:30:04 539232 ----a-w- c:\windows\system32\LVUI2RC.dll
2011-03-04 01:29:44 543328 ----a-w- c:\windows\system32\LVUI2.dll
2011-03-04 01:29:00 291424 ----a-w- c:\windows\system32\drivers\lvrs.sys
2011-03-04 01:28:18 195168 ----a-w- c:\windows\system32\lvci13201174.dll
2011-03-04 01:27:56 301664 ----a-w- c:\windows\system32\lvcodec2.dll
2011-03-04 01:26:22 10877272 ----a-w- c:\windows\system32\LogiDPP.dll
2011-03-04 01:26:22 102744 ----a-w- c:\windows\system32\LogiDPPApp.exe
2011-03-04 01:26:16 331608 ----a-w- c:\windows\system32\DevManagerCore.dll
2011-03-04 01:15:12 39318 ----a-w- c:\windows\system32\Repository.reg
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iastor.sys iaNvStor.sys
c:\windows\system32\drivers\iastor.sys Intel Corporation Intel Matrix Storage Manager driver
c:\windows\system32\drivers\iaNvStor.sys Intel Corporation Intel® Turbo Memory Driver
1 ntkrnlpa!IofCallDriver[0x84A4B912] -> \Device\Harddisk0\DR0[0x897E0780]
3 CLASSPNP[0x8B1A28B3] -> ntkrnlpa!IofCallDriver[0x84A4B912] -> [0x87A487F0]
5 acpi[0x8A89B6BC] -> ntkrnlpa!IofCallDriver[0x84A4B912] -> \Device\Ide\IAAStorageDevice-0[0x87A4E030]
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV DS, BX; MOV ES, BX; MOV SI, 0x200; MOV CX, SI; CLD ; REP MOVSB ; JMP FAR 0x7a0:0xa3; }
user != kernel MBR !!!
.
============= FINISH: 13:35:45.83 ===============


#6 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 June 2011 - 07:21 PM

The MBR couldn't be checked on the DDS run, so please try this program.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#7 ZachD
  • Topic Starter
  • Members
  • 21 posts
  • Gender:Male

Posted 02 June 2011 - 01:47 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: ASUSTeK Computer Inc.
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Alienware
System Product Name: m17x - R1 Series
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 176):
0x84A07000 \SystemRoot\system32\ntkrnlpa.exe
0x84DC1000 \SystemRoot\system32\hal.dll
0x8040F000 \SystemRoot\system32\kdcom.dll
0x80416000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x80486000 \SystemRoot\system32\PSHED.dll
0x80497000 \SystemRoot\system32\BOOTVID.dll
0x8049F000 \SystemRoot\system32\CLFS.SYS
0x804E0000 \SystemRoot\system32\CI.dll
0x8060C000 \SystemRoot\system32\drivers\Wdf01000.sys
0x80688000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80695000 \SystemRoot\system32\drivers\acpi.sys
0x806DB000 \SystemRoot\system32\drivers\WMILIB.SYS
0x806E4000 \SystemRoot\system32\drivers\msisadrv.sys
0x806EC000 \SystemRoot\system32\drivers\pci.sys
0x80713000 \SystemRoot\System32\drivers\partmgr.sys
0x80722000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80725000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8072F000 \SystemRoot\system32\drivers\volmgr.sys
0x8073E000 \SystemRoot\System32\drivers\volmgrx.sys
0x80788000 \SystemRoot\system32\DRIVERS\intelide.sys
0x8078F000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x8079D000 \SystemRoot\System32\drivers\mountmgr.sys
0x85405000 \SystemRoot\system32\drivers\iastor.sys
0x854C3000 \SystemRoot\system32\drivers\iastorv.sys
0x85563000 \SystemRoot\system32\DRIVERS\iaNvStor.sys
0x8559F000 \SystemRoot\system32\drivers\atapi.sys
0x855A7000 \SystemRoot\system32\drivers\ataport.SYS
0x855C5000 \SystemRoot\system32\drivers\jraid.sys
0x855D1000 \SystemRoot\system32\drivers\SCSIPORT.SYS
0x807AD000 \SystemRoot\system32\drivers\fltmgr.sys
0x807DF000 \SystemRoot\system32\drivers\fileinfo.sys
0x855F7000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x85605000 \SystemRoot\System32\Drivers\ksecdd.sys
0x85676000 \SystemRoot\system32\drivers\ndis.sys
0x85781000 \SystemRoot\system32\drivers\msrpc.sys
0x857AC000 \SystemRoot\system32\drivers\NETIO.SYS
0x8A80F000 \SystemRoot\System32\drivers\tcpip.sys
0x8A8F9000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8AA03000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8AB13000 \SystemRoot\system32\drivers\volsnap.sys
0x8AB4C000 \SystemRoot\System32\Drivers\spldr.sys
0x8AB54000 \SystemRoot\System32\Drivers\mup.sys
0x8AB63000 \SystemRoot\system32\drivers\jgogo.sys
0x8AB65000 \SystemRoot\System32\drivers\ecache.sys
0x8AB8C000 \SystemRoot\system32\drivers\disk.sys
0x8AB9D000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x8ABBE000 \SystemRoot\system32\drivers\crcdisk.sys
0x8ABD4000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8ABDF000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8ABE8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8FA00000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x90431000 \SystemRoot\System32\Drivers\nvBridge.kmd
0x90433000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x904D3000 \SystemRoot\System32\drivers\watchdog.sys
0x904DF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x904EA000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x90528000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x90537000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x905C4000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
0x90601000 \SystemRoot\system32\DRIVERS\NETw4v32.sys
0x90828000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x90840000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0x90846000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x90856000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x90864000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x9087E000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0x9088D000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0x908A1000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0x908F2000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x90905000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x90910000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x9093D000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x9093F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x9094A000 \SystemRoot\system32\DRIVERS\itecir.sys
0x909A1000 \SystemRoot\system32\drivers\tpm.sys
0x909AF000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x909B3000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x909BC000 \SystemRoot\system32\DRIVERS\ATKACPI.sys
0x909C4000 \SystemRoot\System32\Drivers\tosrfcom.sys
0x805C0000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x90C0A000 \SystemRoot\system32\DRIVERS\storport.sys
0x90C4B000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x90C56000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x90C6D000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x90C78000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x90C9B000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x90CAA000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x90CBE000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x90CD3000 \SystemRoot\system32\DRIVERS\termdd.sys
0x90CE3000 \SystemRoot\system32\DRIVERS\swenum.sys
0x90CE5000 \SystemRoot\system32\DRIVERS\ks.sys
0x90D0F000 \SystemRoot\system32\DRIVERS\circlass.sys
0x90D1D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x90D27000 \SystemRoot\system32\DRIVERS\AmdLLD.sys
0x90D36000 \SystemRoot\system32\DRIVERS\umbus.sys
0x90D43000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x90D78000 \SystemRoot\system32\DRIVERS\tosporte.sys
0x90D83000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x9400D000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x9421D000 \SystemRoot\system32\drivers\portcls.sys
0x9424A000 \SystemRoot\system32\drivers\drmk.sys
0x9426F000 \SystemRoot\system32\DRIVERS\hidir.sys
0x9427A000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x9428A000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x94291000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x9429A000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x942A2000 \SystemRoot\System32\drivers\psd.sys
0x942AA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x942B3000 \SystemRoot\System32\Drivers\Null.SYS
0x942BA000 \SystemRoot\System32\Drivers\Beep.SYS
0x942C1000 \SystemRoot\System32\drivers\vga.sys
0x942CD000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x942EE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x942F6000 \SystemRoot\system32\drivers\rdpencdd.sys
0x942FE000 \SystemRoot\System32\Drivers\Msfs.SYS
0x94309000 \SystemRoot\System32\Drivers\Npfs.SYS
0x94317000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x94320000 \SystemRoot\system32\DRIVERS\tdx.sys
0x94336000 \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys
0x94356000 \SystemRoot\system32\DRIVERS\smb.sys
0x9436A000 \SystemRoot\system32\drivers\afd.sys
0x943B2000 \SystemRoot\System32\DRIVERS\netbt.sys
0x943E4000 \SystemRoot\system32\DRIVERS\pacer.sys
0x90D94000 \SystemRoot\system32\DRIVERS\netbios.sys
0x90DA2000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x90DB5000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x94000000 \SystemRoot\system32\drivers\nsiproxy.sys
0x909D4000 \SystemRoot\System32\Drivers\dfsc.sys
0x909EB000 \SystemRoot\system32\DRIVERS\ctxusbm.sys
0x90DF1000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8A914000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x90C00000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x9F801000 \SystemRoot\system32\drivers\averhbtv.sys
0x9F84C000 \SystemRoot\system32\drivers\BdaSup.SYS
0xA0450000 \SystemRoot\System32\win32k.sys
0x9F84F000 \SystemRoot\System32\drivers\Dxapi.sys
0x9F859000 \SystemRoot\system32\DRIVERS\tosrfusb.sys
0x9F864000 \SystemRoot\system32\DRIVERS\tosrfbd.sys
0x9F880000 \SystemRoot\system32\DRIVERS\Tosrfhid.sys
0x9F892000 \SystemRoot\System32\Drivers\tosrfbnp.sys
0x9F89B000 \SystemRoot\system32\DRIVERS\tosrfnds.sys
0x9F8A0000 \SystemRoot\system32\DRIVERS\monitor.sys
0x9F8AF000 \SystemRoot\system32\drivers\Toshidpt.sys
0xA0670000 \SystemRoot\System32\TSDDD.dll
0xA0690000 \SystemRoot\System32\cdd.dll
0x9F8B0000 \SystemRoot\system32\drivers\luafv.sys
0x9F8D3000 \SystemRoot\system32\drivers\spsys.sys
0x9F983000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x9F993000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x9F9BD000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9F9C7000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x83409000 \SystemRoot\system32\drivers\HTTP.sys
0x83476000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x83493000 \SystemRoot\system32\DRIVERS\bowser.sys
0x834AC000 \SystemRoot\System32\drivers\mpsdrv.sys
0x834C1000 \SystemRoot\system32\drivers\mrxdav.sys
0x834E2000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x83501000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x8353A000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x83552000 \SystemRoot\System32\DRIVERS\srv2.sys
0x8357A000 \SystemRoot\System32\DRIVERS\srv.sys
0xA7C04000 \SystemRoot\system32\drivers\peauth.sys
0xA7CE2000 \SystemRoot\System32\Drivers\secdrv.SYS
0xA7CEC000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA7CF8000 \??\C:\Program Files\CyberLink\PowerDVD\000.fcl
0xA7CFA000 \SystemRoot\system32\DRIVERS\bdfsfltr.sys
0xA7D34000 \SystemRoot\system32\DRIVERS\LVPr2Mon.sys
0xA7D39000 \SystemRoot\system32\DRIVERS\cdfs.sys
0xA7D4F000 \??\C:\Program Files\PCSecurityShield\BitDefender 2009\bdselfpr.sys
0xA7D52000 \SystemRoot\system32\drivers\bdfm.sys
0xA7D6C000 \SystemRoot\system32\drivers\MSPQM.sys
0xA7D6E000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xBD000000 \SystemRoot\system32\DRIVERS\lvuvc.sys
0xBD421000 \SystemRoot\system32\drivers\usbaudio.sys
0xBD433000 \SystemRoot\system32\DRIVERS\lvrs.sys
0x77590000 \Windows\System32\ntdll.dll

Processes (total 107):
0 System Idle Process
4 System
580 C:\Windows\System32\smss.exe
656 csrss.exe
844 C:\Windows\System32\wininit.exe
856 csrss.exe
888 C:\Windows\System32\services.exe
900 C:\Windows\System32\lsass.exe
908 C:\Windows\System32\lsm.exe
1060 C:\Windows\System32\svchost.exe
1108 C:\Windows\System32\nvvsvc.exe
1140 C:\Windows\System32\svchost.exe
1180 C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
1212 C:\Program Files\PCSecurityShield\BitDefender 2009\vsserv.exe
1284 C:\Windows\System32\svchost.exe
1316 C:\Windows\System32\svchost.exe
1328 C:\Windows\System32\svchost.exe
1400 C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe
1468 C:\Windows\System32\audiodg.exe
1492 C:\Windows\System32\winlogon.exe
1540 C:\Windows\System32\svchost.exe
1556 C:\Windows\System32\SLsvc.exe
1592 C:\Windows\System32\svchost.exe
1728 C:\Windows\System32\svchost.exe
1856 C:\Program Files\ATK Hotkey\AsLdrSrv.exe
1964 C:\Windows\System32\spoolsv.exe
1988 C:\Windows\System32\svchost.exe
628 C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
644 C:\Program Files\Alienware\Command Center\PowerManagementService.exe
1124 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1628 C:\Program Files\Bonjour\mDNSResponder.exe
1700 C:\Windows\System32\svchost.exe
1996 C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
2152 C:\Windows\System32\svchost.exe
2192 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
2244 C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
2260 C:\Windows\System32\nvvsvc.exe
2380 C:\Windows\System32\IFXSPMGT.exe
2424 C:\Windows\System32\IFXTCS.exe
2504 C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
2604 C:\Windows\System32\svchost.exe
2668 C:\Windows\System32\IfxPsdSv.exe
2696 C:\Windows\System32\svchost.exe
2724 C:\Windows\System32\PnkBstrA.exe
2772 C:\Windows\System32\PnkBstrB.exe
2804 C:\Windows\System32\svchost.exe
2824 C:\Windows\System32\svchost.exe
2840 C:\Windows\System32\StkCSrv.exe
2916 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
2988 C:\Program Files\Viewpoint\Common\ViewpointService.exe
3008 C:\Windows\System32\svchost.exe
3036 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
3076 C:\Windows\System32\SearchIndexer.exe
3104 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
3124 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
3620 C:\Windows\System32\dwm.exe
3684 C:\Windows\explorer.exe
3728 C:\Windows\System32\taskeng.exe
3920 C:\Program Files\ATK Hotkey\HControl.exe
3940 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
3956 C:\Program Files\Synaptics\SynTP\SynTPStart.exe
3980 C:\Program Files\Alienware\Command Center\DimApp.exe
3992 C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe
4016 C:\Program Files\ATK Hotkey\ATKOSD.exe
4056 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
4084 C:\Windows\WindowsMobile\wmdc.exe
2408 C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
2652 C:\Windows\RtHDVCpl.exe
2888 C:\Program Files\ATK Hotkey\WDC.exe
1832 C:\Program Files\PCSecurityShield\BitDefender 2009\bdagent.exe
3812 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3736 C:\Program Files\Citrix\ICA Client\concentr.exe
1068 C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
2524 C:\Program Files\iTunes\iTunesHelper.exe
368 C:\Windows\ehome\ehtray.exe
2064 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
612 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
3876 C:\Windows\ehome\ehmsas.exe
1296 C:\Program Files\Citrix\ICA Client\wfcrun32.exe
4272 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
4288 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
4296 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
4348 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
4396 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
4764 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
5128 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
5172 C:\Program Files\PCSecurityShield\BitDefender 2009\seccenter.exe
5376 C:\Windows\System32\svchost.exe
5540 C:\Program Files\iPod\bin\iPodService.exe
5616 C:\Windows\System32\IfxUAGUI.exe
5756 C:\Program Files\Infineon\Security Platform Software\PSDrt.exe
5800 C:\Program Files\Infineon\Security Platform Software\SpTNA.exe
5848 WmiPrvSE.exe
4104 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
4268 C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
4444 C:\Windows\System32\svchost.exe
4720 C:\Windows\System32\mobsync.exe
5624 C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
3616 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
3756 C:\Program Files\Windows Media Player\wmpnetwk.exe
4188 C:\Windows\System32\taskeng.exe
1808 WmiPrvSE.exe
4804 C:\Windows\servicing\TrustedInstaller.exe
6844 taskeng.exe
7384 C:\Windows\System32\SearchProtocolHost.exe
7436 C:\Windows\System32\SearchFilterHost.exe
6492 C:\Users\Zach\Desktop\Computer\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST9160823AS, Rev: 3.ADC

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 64D56F431117112951BA9F35884628D0327ABAA5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#8 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 June 2011 - 06:21 PM

Please do the following:

Run MBRCheck again

When prompted, Enter 'Y' and hit ENTER for more options
When you see: "Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit):"

Enter 0 to dump the MBR to the physical disk.

Name the dumped file as dump0.dat

Enter -1 to exit.

Please then locate the files and visit this site and follow the instructions for uploading the file.
m0le is a proud member of UNITE
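
An editor's added illustration of what the two MBR checks in this thread are looking at, for readers following along: it is not MBRCheck's or GMER's code and not part of the original posts. It constructs a sample 512-byte MBR with one bootable NTFS partition at LBA 63 (so the partition begins at byte offset 0x7e00, the same offset MBRCheck reported for \\.\C: in post #7), verifies the 0x55AA boot signature, decodes the partition table, hashes the boot code with SHA1 and classifies it against an allowlist, reporting "Unknown MBR code" when nothing matches, as MBRCheck did above. The allowlist is a constructed placeholder, and hashing only the first 440 bytes is this example's choice rather than something the thread states about MBRCheck. The `compare_mbr_views` function is the idea behind GMER's "user != kernel MBR" line: two reads of the same sector, one from user mode and one from the kernel, compared byte by byte; it refuses an incomplete read, because in the DDS run above the user-mode read itself failed ("The process cannot access the file..."), which is why m0le moved to MBRCheck rather than reading anything into that line.

```python
"""Illustrative MBR triage for a dumped boot sector (e.g. the dump0.dat named above).
Added example for this thread; it is not MBRCheck's or GMER's code."""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"      # boot signature at bytes 510..511
BOOT_CODE_LEN = 440         # bytes 0..439 hold the loader code; then disk signature,
                            # two reserved bytes, and the 4 x 16-byte partition table

# Hypothetical allowlist of SHA1 digests of known-good boot code. A real tool ships a
# vetted list (stock Windows MBRs, OEM loaders, ...); this placeholder is constructed
# so the example runs offline and classifies the sample as "Unknown MBR code".
KNOWN_GOOD_SHA1 = {
    "0000000000000000000000000000000000000000": "placeholder entry (constructed)",
}

PARTITION_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x27: "Hidden NTFS (recovery)",
}


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR: stub boot code, one bootable NTFS partition at LBA 63."""
    boot_code = b"\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 4)  # xor ax,ax / mov ss,ax / nops
    disk_signature = struct.pack("<I", 0x12345678)                 # constructed value
    reserved = b"\x00\x00"
    # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
    first = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 312576642)
    empty = b"\x00" * 16
    return boot_code + disk_signature + reserved + first + empty * 3 + BOOT_SIG


def parse_mbr(mbr: bytes) -> dict:
    """Decode one MBR sector and classify its boot code the way MBRCheck's report reads."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least 512 bytes, got %d" % len(mbr))
    mbr = mbr[:SECTOR]
    signature_ok = mbr[510:512] == BOOT_SIG
    # Hashing only the boot-code region is this example's choice: the partition table
    # and disk signature legitimately differ per machine, the loader code should not.
    digest = hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()

    partitions = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0x00:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR,  # what MBRCheck prints as "at offset 0x..."
        })

    if not signature_ok:
        classification = "Invalid MBR (missing 0x55AA boot signature)"
    elif digest in KNOWN_GOOD_SHA1:
        classification = "Known-good MBR code: " + KNOWN_GOOD_SHA1[digest]
    else:
        classification = "Unknown MBR code"

    return {"sha1": digest, "boot_signature_ok": signature_ok,
            "partitions": partitions, "classification": classification}


def compare_mbr_views(user_view: bytes, kernel_view: bytes) -> list:
    """Byte offsets where two reads of the same sector disagree. A non-empty result is
    the condition behind GMER's 'user != kernel MBR' line. An incomplete read (the
    user-mode read failed in the DDS run above) is rejected rather than compared."""
    if len(user_view) < SECTOR or len(kernel_view) < SECTOR:
        raise ValueError("incomplete read: a failed read is not evidence either way")
    return [i for i, (a, b) in enumerate(zip(user_view[:SECTOR], kernel_view[:SECTOR])) if a != b]


def read_mbr_file(path: str) -> bytes:
    """Read the first sector of a dump file such as dump0.dat."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


if __name__ == "__main__":
    sample = build_sample_mbr()
    report = parse_mbr(sample)
    print("SHA1: %s -> %s" % (report["sha1"], report["classification"]))
    for p in report["partitions"]:
        print("  partition %d: %s, bootable=%s, starts at offset 0x%08x"
              % (p["index"], p["type_name"], p["bootable"], p["byte_offset"]))
    tampered = bytearray(sample)
    tampered[0x10] ^= 0xFF  # one patched byte in the loader changes the hash
    print("differing offsets vs tampered copy:", compare_mbr_views(sample, bytes(tampered)))
```

To use it on a real dump, call `parse_mbr(read_mbr_file("dump0.dat"))`. The allowlist has to be populated with vetted digests before a "Known-good" verdict means anything, and an "Unknown MBR code" result, as in ZachD's output above, is a prompt for analysis rather than a verdict on its own; in this thread it was submitting the dump for review that settled the question.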

#9 ZachD
  • Topic Starter
  • Members
  • 21 posts
  • Gender:Male

Posted 03 June 2011 - 05:23 PM

I submitted the file.

#10 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 June 2011 - 06:53 PM

The MBR is fine, so we can now run Combofix without the chance of it failing.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe.
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#11 ZachD
  • Topic Starter
  • Members
  • 21 posts
  • Gender:Male

Posted 06 June 2011 - 12:27 AM

I apologize for taking a couple of days to respond; I've been pretty busy lately.

ComboFix 11-06-05.06 - Zach 06/05/2011 20:04:50.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1078 [GMT -7:00]
Running from: c:\users\Zach\Desktop\Computer\comfix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-06 to 2011-06-06 )))))))))))))))))))))))))))))))
.
.
2011-06-06 03:17 . 2011-06-06 03:17 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-06-06 03:17 . 2011-06-06 03:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-06 02:28 . 2011-06-06 03:17 -------- d-----w- c:\users\Zach\AppData\Local\temp
2011-06-06 02:02 . 2011-06-06 02:02 -------- d-----w- C:\comfix
2011-06-04 22:42 . 2011-06-04 22:43 -------- d-----w- c:\users\Zach\AppData\Local\{9062ACB3-7A76-4414-83EC-0CD0009FABE9}
2011-06-02 20:54 . 2011-06-02 20:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 18:38 . 2011-06-02 18:38 -------- d-----w- c:\users\Zach\AppData\Local\{6250DD7C-8D73-44B7-8D36-6F05E458564B}
2011-06-01 20:37 . 2011-06-01 20:37 -------- d-----w- c:\users\Zach\AppData\Local\{CD5A3F23-8D8D-4327-8A7C-FDB614C7001E}
2011-05-31 20:18 . 2011-05-31 20:19 -------- d-----w- c:\users\Zach\AppData\Local\{FCCB372B-CAA9-4D9C-9A3A-D5855932C43A}
2011-05-31 06:37 . 2011-05-31 06:38 -------- d-----w- c:\users\Zach\AppData\Local\{5CF3F845-9F09-4348-9011-EDC313436A22}
2011-05-30 18:36 . 2011-05-30 18:36 -------- d-----w- c:\users\Zach\AppData\Local\{A23C166C-F4FE-4BB0-AD75-B85200BF716E}
2011-05-29 18:50 . 2011-05-29 18:50 -------- d-----w- c:\users\Zach\AppData\Local\{9782BDAC-82D5-488F-B6D7-25A9D4BB4F2F}
2011-05-29 04:45 . 2011-05-29 04:45 -------- d-----w- c:\users\Zach\AppData\Local\{D662BC56-DA0B-47EE-AA53-4A6CABE49359}
2011-05-27 19:09 . 2011-05-27 19:10 -------- d-----w- c:\users\Zach\AppData\Local\{C85555F5-357E-43C8-9A61-43D72F7836EB}
2011-05-27 02:09 . 2011-05-27 02:10 -------- d-----w- c:\users\Zach\AppData\Local\{76CA133B-29E2-4739-A1F1-8A117E68AAB6}
2011-05-26 04:31 . 2011-05-26 04:31 -------- d-----w- c:\users\Zach\{dff3c457-4cdf-4ba7-a8a8-abfbf58be12b}
2011-05-26 04:30 . 2011-05-26 04:30 -------- d-----w- c:\windows\Driver Cache
2011-05-26 04:30 . 2007-08-10 02:23 304128 ----a-w- c:\windows\system32\drivers\averhbtv.sys
2011-05-26 04:29 . 2011-05-26 04:29 -------- d-----w- C:\Drivers
2011-05-25 21:50 . 2011-05-25 21:50 -------- d-----w- c:\users\Zach\AppData\Local\{807F31F5-304A-4BBE-95AC-F66EDEAD1C0E}
2011-05-25 01:22 . 2011-05-25 01:23 -------- d-----w- c:\users\Zach\AppData\Local\{BB2A544B-810A-404D-A315-31EE6484F4F6}
2011-05-25 00:12 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2C81E717-E138-4110-AA5C-6E24925C17B4}\mpengine.dll
2011-05-23 18:51 . 2011-05-23 18:51 -------- d-----w- c:\users\Zach\AppData\Local\{C6D47AF6-B23A-4414-B3EF-475C12681282}
2011-05-23 03:06 . 2011-05-23 03:07 -------- d-----w- c:\users\Zach\AppData\Local\{CA2D01A3-33EB-4BC4-9C05-232C7D3157AA}
2011-05-21 02:27 . 2011-05-21 02:28 -------- d-----w- c:\users\Zach\AppData\Local\{3029916A-EEC7-4AE9-A934-BB816D426879}
2011-05-20 06:10 . 2011-05-20 06:11 -------- d-----w- c:\users\Zach\AppData\Local\{E6430087-CDED-461B-B151-34CAAB865B73}
2011-05-20 04:50 . 2011-05-20 04:50 -------- d-----w- C:\Download
2011-05-20 04:49 . 2011-05-21 18:40 -------- d-----w- C:\NetmarbleGlobal
2011-05-20 04:49 . 2011-05-21 18:40 -------- d-----w- c:\users\Zach\AppData\Roaming\InstallShield Installation Information
2011-05-19 18:04 . 2011-05-19 18:05 -------- d-----w- c:\users\Zach\AppData\Local\{CF42E06D-E4F5-41A7-8C17-7B9B12EE5E32}
2011-05-19 03:25 . 2011-05-19 03:25 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-05-18 20:11 . 2011-05-18 20:11 -------- d-----w- c:\users\Zach\AppData\Local\{50801AE0-1272-4DD9-B861-F87C161F5163}
2011-05-17 03:30 . 2011-05-17 03:31 -------- d-----w- c:\users\Zach\AppData\Local\{B2DAF84A-D111-46E6-AA0A-1B4D9AF4956A}
2011-05-16 01:40 . 2011-05-16 01:41 -------- d-----w- c:\users\Zach\AppData\Local\{B781D261-589D-4BCD-9B98-92F7E6C3B40B}
2011-05-15 00:28 . 2011-05-23 04:24 -------- d-----w- c:\programdata\Skype Extras
2011-05-15 00:22 . 2011-05-15 00:22 -------- d-----w- c:\users\Zach\AppData\Local\{4749F169-0996-4A0A-A18A-486751740237}
2011-05-14 00:51 . 2011-05-14 00:53 -------- d-----w- c:\users\Zach\AppData\Roaming\wargaming.net
2011-05-14 00:28 . 2011-03-01 19:29 3912008 ----a-w- c:\windows\system32\GameMon.des
2011-05-14 00:27 . 2005-01-02 12:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2011-05-14 00:27 . 2003-07-18 21:17 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2011-05-14 00:27 . 2011-05-14 00:27 -------- d-----w- c:\program files\Common Files\INCA Shared
2011-05-13 18:32 . 2011-05-13 18:32 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-13 18:32 . 2011-05-13 18:32 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-13 18:32 . 2011-05-13 18:32 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-13 18:32 . 2011-05-13 18:32 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-13 18:32 . 2011-05-13 18:32 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-13 18:32 . 2011-05-13 18:32 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-13 18:32 . 2011-05-13 18:32 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-13 18:32 . 2011-05-13 18:32 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-13 18:31 . 2011-05-13 18:31 -------- d-----w- C:\Games
2011-05-12 00:30 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-12 00:21 . 2011-05-12 00:22 -------- d-----w- c:\users\Zach\AppData\Local\{CF20089C-D1BB-44AD-8487-B3E9F562C483}
2011-05-10 20:39 . 2011-05-10 20:39 -------- d-----w- c:\users\Zach\AppData\Local\{2189D9D8-37B6-4F55-92AA-478CE6CF5FF0}
2011-05-09 20:11 . 2011-05-09 20:12 -------- d-----w- c:\users\Zach\AppData\Local\{9C4F64AF-D8E9-49E5-A052-0EED50BD7FBF}
2011-05-08 20:42 . 2011-05-08 20:42 -------- d-----w- c:\users\Zach\AppData\Local\{EE415AB5-B226-486B-B333-344033799882}
2011-05-08 05:25 . 2011-05-08 05:26 -------- d-----w- c:\users\Zach\AppData\Local\{533B0D81-5E8B-4782-8C7A-CD8FFC434409}
2011-05-07 04:40 . 2011-05-07 04:41 -------- d-----w- c:\users\Zach\AppData\Local\{DD4D6B05-D94F-4418-B452-9358684F1A26}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-01 17:03 . 2011-05-01 17:03 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-05-01 17:03 . 2011-05-01 17:03 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-05-01 17:03 . 2011-05-01 17:03 161792 ----a-w- c:\windows\system32\msls31.dll
2011-05-01 17:03 . 2011-05-01 17:03 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-05-01 17:03 . 2011-05-01 17:03 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-01 17:03 . 2011-05-01 17:03 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-05-01 17:03 . 2011-05-01 17:03 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-05-01 17:03 . 2011-05-01 17:03 367104 ----a-w- c:\windows\system32\html.iec
2011-05-01 17:03 . 2011-05-01 17:03 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-05-01 17:03 . 2011-05-01 17:03 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-01 17:03 . 2011-05-01 17:03 152064 ----a-w- c:\windows\system32\wextract.exe
2011-05-01 17:03 . 2011-05-01 17:03 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-05-01 17:03 . 2011-05-01 17:03 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-01 17:03 . 2011-05-01 17:03 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-05-01 17:03 . 2011-05-01 17:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-01 17:03 . 2011-05-01 17:03 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-01 17:03 . 2011-05-01 17:03 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-05-01 17:03 . 2011-05-01 17:03 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-05-01 17:03 . 2011-05-01 17:03 11776 ----a-w- c:\windows\system32\mshta.exe
2011-05-01 17:03 . 2011-05-01 17:03 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-05-01 17:03 . 2011-05-01 17:03 101888 ----a-w- c:\windows\system32\admparse.dll
2011-04-14 12:07 . 2010-08-30 16:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-08 05:43 . 2011-04-08 05:43 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-04-08 05:43 . 2011-04-08 05:43 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-04-08 05:43 . 2011-04-08 05:43 612456 ----a-w- c:\windows\system32\nvvsvc.exe
2011-04-08 05:43 . 2011-04-08 05:43 2582120 ----a-w- c:\windows\system32\nvsvcr.dll
2011-04-08 05:43 . 2011-04-08 05:43 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-04-08 05:43 . 2011-04-08 05:43 3701352 ----a-w- c:\windows\system32\nvcpl.dll
2011-04-08 05:43 . 2011-04-08 05:43 2565224 ----a-w- c:\windows\system32\nvsvc.dll
2011-04-08 05:14 . 2011-05-19 00:06 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2011-04-08 05:14 . 2007-10-17 13:37 2034280 ----a-w- c:\windows\system32\nvapi.dll
2011-04-08 00:44 . 2011-04-02 23:21 189480 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-04-08 00:39 . 2008-07-31 04:20 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-04-08 00:39 . 2008-07-31 04:19 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-04-02 23:17 . 2008-07-31 04:20 138056 ----a-w- c:\users\Zach\AppData\Roaming\PnkBstrK.sys
2011-04-02 23:17 . 2008-07-31 04:19 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-04-02 04:37 . 2008-11-15 18:22 3360624 ----a-w- c:\windows\system32\pbsvc.exe
2011-03-15 17:19 . 2010-06-24 19:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-12 21:55 . 2011-04-27 23:33 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-10 17:03 . 2011-04-15 14:24 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-15 14:24 1136640 ----a-w- c:\windows\system32\mfc42.dll
2009-09-13 07:05 . 2009-09-13 07:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-09-13 07:06 . 2009-09-13 07:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-09-13 07:06 . 2009-09-13 07:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-09-13 07:06 . 2009-09-13 07:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-09-13 07:06 . 2009-09-13 07:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-09-13 07:07 . 2009-09-13 07:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-09-13 07:06 . 2009-09-13 07:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-09-13 07:06 . 2009-09-13 07:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-08-14 21:33 . 2009-08-14 21:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-09-13 07:06 . 2009-09-13 07:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-05-13 18:32 . 2011-05-13 18:32 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2009-03-06 01:08 . 2009-08-07 17:50 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\Vid.exe" [2010-02-13 5933912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-24 174616]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-07-24 33304]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-17 102400]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-26 677408]
"Alienware DIM Controller"="c:\program files\Alienware\Command Center\DimApp.exe" [2007-11-30 24576]
"AlienFX Controller"="c:\program files\Alienware\Command Center\AlienwareAlienFXController.exe" [2007-11-30 94208]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdc.exe" [2007-01-24 563080]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-07 6265376]
"Skytel"="Skytel.exe" [2008-08-07 1833504]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\users\Zach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\Logitech WebCam Software\eReg.exe [2009-10-14 517384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-8-2 2760704]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 133104]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
R3 dump_wmimmc;dump_wmimmc;c:\netmarbleglobal\GV Online Eg\GameGuard\dump_wmimmc.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 133104]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2011-03-01 3912008]
R3 StkCMini;Syntek AVStream USB2.0 2M WebCam;c:\windows\system32\Drivers\StkCMini.sys [2007-09-26 1355520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-08-14 717296]
S0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\DRIVERS\iaNvStor.sys [2007-07-09 209408]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-09 65584]
S1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\System32\drivers\psd.sys [2007-01-24 39080]
S2 AlienFusionService;Alienware Fusion Service;c:\program files\Alienware\Command Center\PowerManagementService.exe [2007-11-30 20480]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-26 189736]
S2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\System32\StkCSrv.exe [2007-09-17 24576]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-03-04 428640]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 AVerHybrid;AVerMedia Hybrid Tuner (NTSC/PAL/SECAM/ATSC/FM);c:\windows\system32\drivers\averhbtv.sys [2007-08-10 304128]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2007-04-20 47616]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-11 21:55]
.
2011-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 18:38]
.
2011-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 18:38]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: webassign.net\www
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
FF - ProfilePath - c:\users\Zach\AppData\Roaming\Mozilla\Firefox\Profiles\rjvxxox4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-05 20:17
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-79873633-1873531018-2987022950-1000\Software\SecuROM\License information*]
"datasecu"=hex:1a,d5,b8,a1,25,55,bd,2e,b1,95,28,ce,87,02,7a,f1,90,b4,39,0e,db,
79,4c,b6,e8,98,96,6b,ba,28,83,83,f0,2e,73,98,e8,9a,95,36,36,9d,b7,81,23,17,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
Completion time: 2011-06-05 20:21:05
ComboFix-quarantined-files.txt 2011-06-06 03:21
ComboFix2.txt 2011-06-06 01:37
.
Pre-Run: 14,365,036,544 bytes free
Post-Run: 16,139,763,712 bytes free
.
- - End Of File - - 1A66402C45AD7055B21FD5326F1378C5

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:14 AM

Posted 06 June 2011 - 02:48 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\users\Zach\AppData\Local\{9062ACB3-7A76-4414-83EC-0CD0009FABE9}
c:\users\Zach\AppData\Local\{6250DD7C-8D73-44B7-8D36-6F05E458564B}
c:\users\Zach\AppData\Local\{CD5A3F23-8D8D-4327-8A7C-FDB614C7001E}
c:\users\Zach\AppData\Local\{FCCB372B-CAA9-4D9C-9A3A-D5855932C43A}
c:\users\Zach\AppData\Local\{5CF3F845-9F09-4348-9011-EDC313436A22}
c:\users\Zach\AppData\Local\{A23C166C-F4FE-4BB0-AD75-B85200BF716E}
c:\users\Zach\AppData\Local\{9782BDAC-82D5-488F-B6D7-25A9D4BB4F2F}
c:\users\Zach\AppData\Local\{D662BC56-DA0B-47EE-AA53-4A6CABE49359}
c:\users\Zach\AppData\Local\{C85555F5-357E-43C8-9A61-43D72F7836EB}
c:\users\Zach\AppData\Local\{76CA133B-29E2-4739-A1F1-8A117E68AAB6}
c:\users\Zach\{dff3c457-4cdf-4ba7-a8a8-abfbf58be12b}
c:\users\Zach\AppData\Local\{807F31F5-304A-4BBE-95AC-F66EDEAD1C0E}
c:\users\Zach\AppData\Local\{BB2A544B-810A-404D-A315-31EE6484F4F6}
c:\users\Zach\AppData\Local\{C6D47AF6-B23A-4414-B3EF-475C12681282}
c:\users\Zach\AppData\Local\{CA2D01A3-33EB-4BC4-9C05-232C7D3157AA}
c:\users\Zach\AppData\Local\{3029916A-EEC7-4AE9-A934-BB816D426879}
c:\users\Zach\AppData\Local\{E6430087-CDED-461B-B151-34CAAB865B73}
c:\users\Zach\AppData\Local\{CF42E06D-E4F5-41A7-8C17-7B9B12EE5E32}
c:\users\Zach\AppData\Local\{50801AE0-1272-4DD9-B861-F87C161F5163}
c:\users\Zach\AppData\Local\{B2DAF84A-D111-46E6-AA0A-1B4D9AF4956A}
c:\users\Zach\AppData\Local\{B781D261-589D-4BCD-9B98-92F7E6C3B40B}
c:\users\Zach\AppData\Local\{4749F169-0996-4A0A-A18A-486751740237}
c:\users\Zach\AppData\Local\{CF20089C-D1BB-44AD-8487-B3E9F562C483}
c:\users\Zach\AppData\Local\{2189D9D8-37B6-4F55-92AA-478CE6CF5FF0}
c:\users\Zach\AppData\Local\{9C4F64AF-D8E9-49E5-A052-0EED50BD7FBF}
c:\users\Zach\AppData\Local\{EE415AB5-B226-486B-B333-344033799882}
c:\users\Zach\AppData\Local\{533B0D81-5E8B-4782-8C7A-CD8FFC434409}
c:\users\Zach\AppData\Local\{DD4D6B05-D94F-4418-B452-9358684F1A26}


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
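As an added example (not code from this thread or from ComboFix itself), the Python script below parses the "Files Created" rows of a ComboFix log like the one posted above and flags the pattern the CFScript in this reply targets: directories named with a bare GUID sitting directly under the user profile or under AppData\Local, which it then renders as a File:: block. The sample rows are constructed from the posted log, and the File:: layout is taken from the reply above; the row format and the "suspicious parent" rule are assumptions drawn from this thread, not ComboFix documentation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One row of ComboFix's "Files Created from ... to ..." section, e.g.
#   2011-06-04 22:42 . 2011-06-04 22:43 -------- d-----w- c:\users\Zach\AppData\Local\{GUID}
# Fields: created, modified, size (or 8 dashes for a directory), 8-char attribute flags, path.
FILES_CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) "
    r"(?P<attrs>\S{8}) "
    r"(?P<path>\S.*)$"
)

# A bare {GUID} as the final path component.
GUID_NAME_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$",
    re.IGNORECASE,
)

# Parents under which a GUID-named directory is suspicious in this thread's logs:
# the user profile root and its AppData\Local folder (assumption for this example).
# Installers legitimately use GUID folders elsewhere, e.g. Windows Defender
# definition updates under programdata, so those are deliberately not matched.
SUSPECT_PARENT_RE = re.compile(r"^c:\\users\\[^\\]+(\\AppData\\Local)?$", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str
    is_dir: bool
    path: str


def parse_files_created_line(line: str) -> Optional[Entry]:
    """Return an Entry for a 'Files Created' row, or None for any other log line."""
    m = FILES_CREATED_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        created=m["created"],
        modified=m["modified"],
        is_dir=m["attrs"].startswith("d"),  # 'd-----w-' marks a directory
        path=m["path"].rstrip(),
    )


def is_guid_dir_in_profile(entry: Entry) -> bool:
    """True for a directory whose name is a bare GUID directly under the
    user profile or under AppData\\Local; files and other parents are ignored."""
    if not entry.is_dir:
        return False
    parent, _, name = entry.path.rpartition("\\")
    return bool(GUID_NAME_RE.match(name)) and bool(SUSPECT_PARENT_RE.match(parent))


def find_guid_dirs(log_text: str) -> List[Entry]:
    """Scan a whole ComboFix log and return the flagged entries in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_files_created_line(line)
        if entry and is_guid_dir_in_profile(entry):
            hits.append(entry)
    return hits


def build_cfscript(entries: List[Entry]) -> str:
    """Render the flagged paths as the File:: block used in the reply above."""
    return "File::\n" + "\n".join(e.path for e in entries) + "\n"


# Constructed sample: a handful of rows copied from the log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-05-06 to 2011-06-06 )))))))))))))))))))))))))))))))
.
2011-06-06 02:28 . 2011-06-06 03:17 -------- d-----w- c:\users\Zach\AppData\Local\temp
2011-06-04 22:42 . 2011-06-04 22:43 -------- d-----w- c:\users\Zach\AppData\Local\{9062ACB3-7A76-4414-83EC-0CD0009FABE9}
2011-06-02 20:54 . 2011-06-02 20:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-26 04:31 . 2011-05-26 04:31 -------- d-----w- c:\users\Zach\{dff3c457-4cdf-4ba7-a8a8-abfbf58be12b}
2011-05-25 00:12 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2C81E717-E138-4110-AA5C-6E24925C17B4}\mpengine.dll
2011-05-23 18:51 . 2011-05-23 18:51 -------- d-----w- c:\users\Zach\AppData\Local\{C6D47AF6-B23A-4414-B3EF-475C12681282}
"""

if __name__ == "__main__":
    # Prints a File:: block listing the three GUID-named directories in the sample.
    print(build_cfscript(find_guid_dirs(SAMPLE_LOG)))
```

The temp folder, the Flash control panel file and the Defender mpengine.dll row are all passed over, so the output reflects only the daily-created GUID folders that the reply singled out.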

#13 ZachD

ZachD
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:14 PM

Posted 06 June 2011 - 07:03 PM

ComboFix 11-06-06.02 - Zach 06/06/2011 16:18:56.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.966 [GMT -7:00]
Running from: c:\users\Zach\Desktop\Computer\comfix.exe
Command switches used :: c:\users\Zach\Desktop\Computer\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Zach\{dff3c457-4cdf-4ba7-a8a8-abfbf58be12b}"
"c:\users\Zach\AppData\Local\{2189D9D8-37B6-4F55-92AA-478CE6CF5FF0}"
"c:\users\Zach\AppData\Local\{3029916A-EEC7-4AE9-A934-BB816D426879}"
"c:\users\Zach\AppData\Local\{4749F169-0996-4A0A-A18A-486751740237}"
"c:\users\Zach\AppData\Local\{50801AE0-1272-4DD9-B861-F87C161F5163}"
"c:\users\Zach\AppData\Local\{533B0D81-5E8B-4782-8C7A-CD8FFC434409}"
"c:\users\Zach\AppData\Local\{5CF3F845-9F09-4348-9011-EDC313436A22}"
"c:\users\Zach\AppData\Local\{6250DD7C-8D73-44B7-8D36-6F05E458564B}"
"c:\users\Zach\AppData\Local\{76CA133B-29E2-4739-A1F1-8A117E68AAB6}"
"c:\users\Zach\AppData\Local\{807F31F5-304A-4BBE-95AC-F66EDEAD1C0E}"
"c:\users\Zach\AppData\Local\{9062ACB3-7A76-4414-83EC-0CD0009FABE9}"
"c:\users\Zach\AppData\Local\{9782BDAC-82D5-488F-B6D7-25A9D4BB4F2F}"
"c:\users\Zach\AppData\Local\{9C4F64AF-D8E9-49E5-A052-0EED50BD7FBF}"
"c:\users\Zach\AppData\Local\{A23C166C-F4FE-4BB0-AD75-B85200BF716E}"
"c:\users\Zach\AppData\Local\{B2DAF84A-D111-46E6-AA0A-1B4D9AF4956A}"
"c:\users\Zach\AppData\Local\{B781D261-589D-4BCD-9B98-92F7E6C3B40B}"
"c:\users\Zach\AppData\Local\{BB2A544B-810A-404D-A315-31EE6484F4F6}"
"c:\users\Zach\AppData\Local\{C6D47AF6-B23A-4414-B3EF-475C12681282}"
"c:\users\Zach\AppData\Local\{C85555F5-357E-43C8-9A61-43D72F7836EB}"
"c:\users\Zach\AppData\Local\{CA2D01A3-33EB-4BC4-9C05-232C7D3157AA}"
"c:\users\Zach\AppData\Local\{CD5A3F23-8D8D-4327-8A7C-FDB614C7001E}"
"c:\users\Zach\AppData\Local\{CF20089C-D1BB-44AD-8487-B3E9F562C483}"
"c:\users\Zach\AppData\Local\{CF42E06D-E4F5-41A7-8C17-7B9B12EE5E32}"
"c:\users\Zach\AppData\Local\{D662BC56-DA0B-47EE-AA53-4A6CABE49359}"
"c:\users\Zach\AppData\Local\{DD4D6B05-D94F-4418-B452-9358684F1A26}"
"c:\users\Zach\AppData\Local\{E6430087-CDED-461B-B151-34CAAB865B73}"
"c:\users\Zach\AppData\Local\{EE415AB5-B226-486B-B333-344033799882}"
"c:\users\Zach\AppData\Local\{FCCB372B-CAA9-4D9C-9A3A-D5855932C43A}"
.
.
((((((((((((((((((((((((( Files Created from 2011-05-06 to 2011-06-06 )))))))))))))))))))))))))))))))
.
.
2011-06-06 23:28 . 2011-06-06 23:39 -------- d-----w- c:\users\Zach\AppData\Local\temp
2011-06-06 23:28 . 2011-06-06 23:28 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-06-06 23:28 . 2011-06-06 23:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-06 02:02 . 2011-06-06 02:02 -------- d-----w- C:\comfix
2011-06-04 22:42 . 2011-06-04 22:43 -------- d-----w- c:\users\Zach\AppData\Local\{9062ACB3-7A76-4414-83EC-0CD0009FABE9}
2011-06-02 20:54 . 2011-06-02 20:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 18:38 . 2011-06-02 18:38 -------- d-----w- c:\users\Zach\AppData\Local\{6250DD7C-8D73-44B7-8D36-6F05E458564B}
2011-06-01 20:37 . 2011-06-01 20:37 -------- d-----w- c:\users\Zach\AppData\Local\{CD5A3F23-8D8D-4327-8A7C-FDB614C7001E}
2011-05-31 20:18 . 2011-05-31 20:19 -------- d-----w- c:\users\Zach\AppData\Local\{FCCB372B-CAA9-4D9C-9A3A-D5855932C43A}
2011-05-31 06:37 . 2011-05-31 06:38 -------- d-----w- c:\users\Zach\AppData\Local\{5CF3F845-9F09-4348-9011-EDC313436A22}
2011-05-30 18:36 . 2011-05-30 18:36 -------- d-----w- c:\users\Zach\AppData\Local\{A23C166C-F4FE-4BB0-AD75-B85200BF716E}
2011-05-29 18:50 . 2011-05-29 18:50 -------- d-----w- c:\users\Zach\AppData\Local\{9782BDAC-82D5-488F-B6D7-25A9D4BB4F2F}
2011-05-29 04:45 . 2011-05-29 04:45 -------- d-----w- c:\users\Zach\AppData\Local\{D662BC56-DA0B-47EE-AA53-4A6CABE49359}
2011-05-27 19:09 . 2011-05-27 19:10 -------- d-----w- c:\users\Zach\AppData\Local\{C85555F5-357E-43C8-9A61-43D72F7836EB}
2011-05-27 02:09 . 2011-05-27 02:10 -------- d-----w- c:\users\Zach\AppData\Local\{76CA133B-29E2-4739-A1F1-8A117E68AAB6}
2011-05-26 04:31 . 2011-05-26 04:31 -------- d-----w- c:\users\Zach\{dff3c457-4cdf-4ba7-a8a8-abfbf58be12b}
2011-05-26 04:30 . 2011-05-26 04:30 -------- d-----w- c:\windows\Driver Cache
2011-05-26 04:30 . 2007-08-10 02:23 304128 ----a-w- c:\windows\system32\drivers\averhbtv.sys
2011-05-26 04:29 . 2011-05-26 04:29 -------- d-----w- C:\Drivers
2011-05-25 21:50 . 2011-05-25 21:50 -------- d-----w- c:\users\Zach\AppData\Local\{807F31F5-304A-4BBE-95AC-F66EDEAD1C0E}
2011-05-25 01:22 . 2011-05-25 01:23 -------- d-----w- c:\users\Zach\AppData\Local\{BB2A544B-810A-404D-A315-31EE6484F4F6}
2011-05-25 00:12 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2C81E717-E138-4110-AA5C-6E24925C17B4}\mpengine.dll
2011-05-23 18:51 . 2011-05-23 18:51 -------- d-----w- c:\users\Zach\AppData\Local\{C6D47AF6-B23A-4414-B3EF-475C12681282}
2011-05-23 03:06 . 2011-05-23 03:07 -------- d-----w- c:\users\Zach\AppData\Local\{CA2D01A3-33EB-4BC4-9C05-232C7D3157AA}
2011-05-21 02:27 . 2011-05-21 02:28 -------- d-----w- c:\users\Zach\AppData\Local\{3029916A-EEC7-4AE9-A934-BB816D426879}
2011-05-20 06:10 . 2011-05-20 06:11 -------- d-----w- c:\users\Zach\AppData\Local\{E6430087-CDED-461B-B151-34CAAB865B73}
2011-05-20 04:50 . 2011-05-20 04:50 -------- d-----w- C:\Download
2011-05-20 04:49 . 2011-05-21 18:40 -------- d-----w- C:\NetmarbleGlobal
2011-05-20 04:49 . 2011-05-21 18:40 -------- d-----w- c:\users\Zach\AppData\Roaming\InstallShield Installation Information
2011-05-19 18:04 . 2011-05-19 18:05 -------- d-----w- c:\users\Zach\AppData\Local\{CF42E06D-E4F5-41A7-8C17-7B9B12EE5E32}
2011-05-19 03:25 . 2011-05-19 03:25 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-05-18 20:11 . 2011-05-18 20:11 -------- d-----w- c:\users\Zach\AppData\Local\{50801AE0-1272-4DD9-B861-F87C161F5163}
2011-05-17 03:30 . 2011-05-17 03:31 -------- d-----w- c:\users\Zach\AppData\Local\{B2DAF84A-D111-46E6-AA0A-1B4D9AF4956A}
2011-05-16 01:40 . 2011-05-16 01:41 -------- d-----w- c:\users\Zach\AppData\Local\{B781D261-589D-4BCD-9B98-92F7E6C3B40B}
2011-05-15 00:28 . 2011-05-23 04:24 -------- d-----w- c:\programdata\Skype Extras
2011-05-15 00:22 . 2011-05-15 00:22 -------- d-----w- c:\users\Zach\AppData\Local\{4749F169-0996-4A0A-A18A-486751740237}
2011-05-14 00:51 . 2011-05-14 00:53 -------- d-----w- c:\users\Zach\AppData\Roaming\wargaming.net
2011-05-14 00:28 . 2011-03-01 19:29 3912008 ----a-w- c:\windows\system32\GameMon.des
2011-05-14 00:27 . 2005-01-02 12:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2011-05-14 00:27 . 2003-07-18 21:17 5174 ----a-w- c:\windows\system32\nppt9x.vxd
2011-05-14 00:27 . 2011-05-14 00:27 -------- d-----w- c:\program files\Common Files\INCA Shared
2011-05-13 18:32 . 2011-05-13 18:32 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-13 18:32 . 2011-05-13 18:32 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-13 18:32 . 2011-05-13 18:32 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-13 18:32 . 2011-05-13 18:32 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-13 18:32 . 2011-05-13 18:32 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-13 18:32 . 2011-05-13 18:32 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-13 18:32 . 2011-05-13 18:32 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-13 18:32 . 2011-05-13 18:32 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-13 18:31 . 2011-05-13 18:31 -------- d-----w- C:\Games
2011-05-12 00:30 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-12 00:21 . 2011-05-12 00:22 -------- d-----w- c:\users\Zach\AppData\Local\{CF20089C-D1BB-44AD-8487-B3E9F562C483}
2011-05-10 20:39 . 2011-05-10 20:39 -------- d-----w- c:\users\Zach\AppData\Local\{2189D9D8-37B6-4F55-92AA-478CE6CF5FF0}
2011-05-09 20:11 . 2011-05-09 20:12 -------- d-----w- c:\users\Zach\AppData\Local\{9C4F64AF-D8E9-49E5-A052-0EED50BD7FBF}
2011-05-08 20:42 . 2011-05-08 20:42 -------- d-----w- c:\users\Zach\AppData\Local\{EE415AB5-B226-486B-B333-344033799882}
2011-05-08 05:25 . 2011-05-08 05:26 -------- d-----w- c:\users\Zach\AppData\Local\{533B0D81-5E8B-4782-8C7A-CD8FFC434409}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-01 17:03 . 2011-05-01 17:03 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-05-01 17:03 . 2011-05-01 17:03 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-05-01 17:03 . 2011-05-01 17:03 161792 ----a-w- c:\windows\system32\msls31.dll
2011-05-01 17:03 . 2011-05-01 17:03 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-05-01 17:03 . 2011-05-01 17:03 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-01 17:03 . 2011-05-01 17:03 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-05-01 17:03 . 2011-05-01 17:03 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-05-01 17:03 . 2011-05-01 17:03 367104 ----a-w- c:\windows\system32\html.iec
2011-05-01 17:03 . 2011-05-01 17:03 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-05-01 17:03 . 2011-05-01 17:03 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-01 17:03 . 2011-05-01 17:03 152064 ----a-w- c:\windows\system32\wextract.exe
2011-05-01 17:03 . 2011-05-01 17:03 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-05-01 17:03 . 2011-05-01 17:03 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-01 17:03 . 2011-05-01 17:03 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-05-01 17:03 . 2011-05-01 17:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-01 17:03 . 2011-05-01 17:03 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-01 17:03 . 2011-05-01 17:03 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-05-01 17:03 . 2011-05-01 17:03 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-05-01 17:03 . 2011-05-01 17:03 11776 ----a-w- c:\windows\system32\mshta.exe
2011-05-01 17:03 . 2011-05-01 17:03 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-05-01 17:03 . 2011-05-01 17:03 101888 ----a-w- c:\windows\system32\admparse.dll
2011-04-14 12:07 . 2010-08-30 16:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-08 05:43 . 2011-04-08 05:43 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-04-08 05:43 . 2011-04-08 05:43 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-04-08 05:43 . 2011-04-08 05:43 612456 ----a-w- c:\windows\system32\nvvsvc.exe
2011-04-08 05:43 . 2011-04-08 05:43 2582120 ----a-w- c:\windows\system32\nvsvcr.dll
2011-04-08 05:43 . 2011-04-08 05:43 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-04-08 05:43 . 2011-04-08 05:43 3701352 ----a-w- c:\windows\system32\nvcpl.dll
2011-04-08 05:43 . 2011-04-08 05:43 2565224 ----a-w- c:\windows\system32\nvsvc.dll
2011-04-08 05:14 . 2011-05-19 00:06 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2011-04-08 05:14 . 2007-10-17 13:37 2034280 ----a-w- c:\windows\system32\nvapi.dll
2011-04-08 00:44 . 2011-04-02 23:21 189480 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-04-08 00:39 . 2008-07-31 04:20 137544 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-04-08 00:39 . 2008-07-31 04:19 189480 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-04-02 23:17 . 2008-07-31 04:20 138056 ----a-w- c:\users\Zach\AppData\Roaming\PnkBstrK.sys
2011-04-02 23:17 . 2008-07-31 04:19 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-04-02 04:37 . 2008-11-15 18:22 3360624 ----a-w- c:\windows\system32\pbsvc.exe
2011-03-15 17:19 . 2010-06-24 19:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-12 21:55 . 2011-04-27 23:33 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-10 17:03 . 2011-04-15 14:24 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-15 14:24 1136640 ----a-w- c:\windows\system32\mfc42.dll
2009-09-13 07:05 . 2009-09-13 07:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-09-13 07:06 . 2009-09-13 07:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-09-13 07:06 . 2009-09-13 07:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-09-13 07:06 . 2009-09-13 07:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-09-13 07:06 . 2009-09-13 07:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-09-13 07:07 . 2009-09-13 07:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-09-13 07:06 . 2009-09-13 07:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-09-13 07:06 . 2009-09-13 07:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-08-14 21:33 . 2009-08-14 21:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-09-13 07:06 . 2009-09-13 07:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-05-13 18:32 . 2011-05-13 18:32 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2009-03-06 01:08 . 2009-08-07 17:50 49664 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 16:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\Vid.exe" [2010-02-13 5933912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-24 174616]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-07-24 33304]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-17 102400]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-02-26 677408]
"Alienware DIM Controller"="c:\program files\Alienware\Command Center\DimApp.exe" [2007-11-30 24576]
"AlienFX Controller"="c:\program files\Alienware\Command Center\AlienwareAlienFXController.exe" [2007-11-30 94208]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdc.exe" [2007-01-24 563080]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-07 6265376]
"Skytel"="Skytel.exe" [2008-08-07 1833504]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\users\Zach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Logitech\Logitech WebCam Software\eReg.exe [2009-10-14 517384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-8-2 2760704]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 133104]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
R3 dump_wmimmc;dump_wmimmc;c:\netmarbleglobal\GV Online Eg\GameGuard\dump_wmimmc.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 133104]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2011-03-01 3912008]
R3 StkCMini;Syntek AVStream USB2.0 2M WebCam;c:\windows\system32\Drivers\StkCMini.sys [2007-09-26 1355520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-08-14 717296]
S0 iaNvStor;Intel® Turbo Memory Controller;c:\windows\system32\DRIVERS\iaNvStor.sys [2007-07-09 209408]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-09 65584]
S1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\System32\drivers\psd.sys [2007-01-24 39080]
S2 AlienFusionService;Alienware Fusion Service;c:\program files\Alienware\Command Center\PowerManagementService.exe [2007-11-30 20480]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-26 189736]
S2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\System32\StkCSrv.exe [2007-09-17 24576]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-03-04 428640]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 AVerHybrid;AVerMedia Hybrid Tuner (NTSC/PAL/SECAM/ATSC/FM);c:\windows\system32\drivers\averhbtv.sys [2007-08-10 304128]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2007-04-20 47616]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-11 21:55]
.
2011-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 18:38]
.
2011-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 18:38]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: webassign.net\www
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
FF - ProfilePath - c:\users\Zach\AppData\Roaming\Mozilla\Firefox\Profiles\rjvxxox4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-06 16:39
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-79873633-1873531018-2987022950-1000\Software\SecuROM\License information*]
"datasecu"=hex:1a,d5,b8,a1,25,55,bd,2e,b1,95,28,ce,87,02,7a,f1,90,b4,39,0e,db,
79,4c,b6,e8,98,96,6b,ba,28,83,83,f0,2e,73,98,e8,9a,95,36,36,9d,b7,81,23,17,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
Completion time: 2011-06-06 16:41:49
ComboFix-quarantined-files.txt 2011-06-06 23:41
ComboFix2.txt 2011-06-06 03:21
ComboFix3.txt 2011-06-06 01:37
.
Pre-Run: 14,864,306,176 bytes free
Post-Run: 14,713,511,936 bytes free
.
- - End Of File - - 580A75AAC1900E0C91D37807C89C8881
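The ComboFix log above lists autorun entries and services in a fixed line format, and a helper reading it usually checks three things by eye: services whose image file is gone (shown as [x]), Run entries that are a bare filename rather than a full path, and binaries living outside the usual system locations. What follows is an added example for this thread, not ComboFix or Malwarebytes code, that parses those two line formats and flags such entries. The R/S-plus-digit decoding and the flagging rules are this example's own assumptions about the log convention; the sample lines are copied from the log above.

```python
"""Triage helper for ComboFix-style 'Reg Loading Points' lines.

Added example for this thread, not ComboFix's or Malwarebytes' own code.
It parses the two entry formats visible in the log:

    "Name"="c:\\path\\file.exe" [YYYY-MM-DD SIZE]             autorun (Run key) entry
    R3 svc;Description;c:\\path\\file.sys [YYYY-MM-DD SIZE]   service/driver entry
    R3 svc;Description;c:\\path\\file.sys [x]                 service whose image is missing

The R/S + digit decoding (running/stopped, start type) and the flagging rules
are this example's assumptions, not ComboFix documentation.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "Name"="path" [YYYY-MM-DD size]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$')
# R3 name;description;path [YYYY-MM-DD size]   or   ... [x]
SVC_RE = re.compile(
    r'^(?P<code>[RS][0-4])\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]+)\]\s*$')

# Assumed decoding of the start-type digit (standard Windows service start values).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}


@dataclass
class Entry:
    kind: str                     # "autorun" or "service"
    name: str
    path: str
    date: Optional[str] = None
    size: Optional[int] = None
    state: Optional[str] = None   # "running" / "stopped" (services only)
    start: Optional[str] = None   # boot/system/auto/demand/disabled (services only)
    flags: List[str] = field(default_factory=list)


def _location_flags(path: str) -> List[str]:
    """Heuristic location checks (this example's assumptions, not ComboFix rules)."""
    p = path.lower()
    if p.startswith("\\??\\"):            # NT path prefix seen in ImagePath values
        p = p[4:]
    flags = []
    if "\\" not in p:
        flags.append("bare filename, resolved through the PATH search order")
    elif p.startswith("c:\\users\\") or "\\appdata\\" in p:
        flags.append("runs from a user profile directory")
    elif not (p.startswith("c:\\windows\\") or p.startswith("c:\\program files")
              or p.startswith("c:\\progra~")):
        flags.append("outside c:\\windows and c:\\program files")
    return flags


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an autorun or service line, or None for anything else."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        e = Entry("autorun", m["name"], m["path"], m["date"], int(m["size"]))
        e.flags.extend(_location_flags(e.path))
        return e
    m = SVC_RE.match(line)
    if m:
        e = Entry("service", m["name"], m["path"])
        e.state = "running" if m["code"][0] == "R" else "stopped"
        e.start = START_TYPES[m["code"][1]]
        meta = m["meta"].split()
        if meta == ["x"]:
            e.flags.append("image file not found ([x])")
        elif len(meta) == 2 and meta[1].isdigit():
            e.date, e.size = meta[0], int(meta[1])
        e.flags.extend(_location_flags(e.path))
        return e
    return None


def parse_log(text: str) -> List[Entry]:
    """Parse every recognised line; unrelated lines (keys, .lnk entries) are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def findings(text: str) -> List[Entry]:
    """Entries carrying at least one flag: leads for a closer look, not verdicts."""
    return [e for e in parse_log(text) if e.flags]


# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE = r'''
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\Vid.exe" [2010-02-13 5933912]
"RtHDVCpl"="RtHDVCpl.exe" [2008-08-07 6265376]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [x]
R3 dump_wmimmc;dump_wmimmc;c:\netmarbleglobal\GV Online Eg\GameGuard\dump_wmimmc.sys [x]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-26 189736]
Logitech . Product Registration.lnk - c:\program files\Logitech\Logitech WebCam Software\eReg.exe [2009-10-14 517384]
'''

if __name__ == "__main__":
    for e in findings(SAMPLE):
        print(f"{e.kind:8} {e.name:<28} {e.path}")
        for f in e.flags:
            print(f"         - {f}")
```

Running the script prints only the flagged entries: the RtHDVCpl autorun (bare filename), ManyCam (image missing) and dump_wmimmc (image missing and outside the system directories). A missing image for a game anti-cheat or webcam driver is normally leftover from an uninstall, so the output is a list of things to confirm, which is exactly how a helper reads these logs by hand.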

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:14 AM

Posted 07 June 2011 - 08:37 PM

Please run MBAM next

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update, download and update MBAM on a clean computer, then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware'. Then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
m0le is a proud member of UNITE

#15 ZachD

ZachD
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male
  • Local time:08:14 PM

Posted 10 June 2011 - 12:05 AM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6822

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

6/9/2011 8:52:46 PM
mbam-log-2011-06-09 (20-52-46).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 446746
Time elapsed: 1 hour(s), 36 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



