Computer bogged down


This topic is locked
23 replies to this topic

#1 Skizzle (Members, 28 posts)

Posted 20 August 2011 - 09:57 PM

Recently, my computer has been bogged down. Programs lock up, IE crashes/takes forever to open, and games are laggy. My computer has been running great, but over the past month I have run it, it's gotten worse. I have pretty good computer knowledge and tried everything before I decided to come here. Unfortunately a few days ago I ran ComboFix just in case, not aware you request it not be run yet. (Sorry)

I have run malware and virus scanners, 3 different scanners: AVG, Comodo, and Bitdefender online.
The computer was opened and cleaned using compressed air. I have 5 case fans on it; the room's around 67 degrees.

I am running Windows 7 on:
ASUSTeK M4A78-E
AMD Phenom II X4 955 Black Edition @ 3.2 GHz (not OC)
4 GB RAM
GeForce 8800 GT OC edition (not user OC)
600 watt P/S

I looked at my logs but nothing sticks out:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:54:13 PM, on 8/20/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\DAODx.exe
D:\Advanced SystemCare 4\PMonitor.exe
D:\Advanced SystemCare 4\ASCTray.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
D:\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files (x86)\Hijack\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\AMD\OverDrive\AMD OverDrive.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: TVersitybar Toolbar - {66bd2442-241b-44cd-8c7a-b51037053cdb} - C:\Program Files (x86)\TVersitybar\tbTVer.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: TVersitybar Toolbar - {66bd2442-241b-44cd-8c7a-b51037053cdb} - C:\Program Files (x86)\TVersitybar\tbTVer.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: TVersitybar Toolbar - {66bd2442-241b-44cd-8c7a-b51037053cdb} - C:\Program Files (x86)\TVersitybar\tbTVer.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKLM\..\Run: [TkBellExe] "D:\RealPlayer\update\realsched.exe" -osboot
O4 - HKCU\..\Run: [Advanced SystemCare 4] D:\Advanced SystemCare 4\ASCTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Desura] D:\Games\Desura\desura.exe -autostart
O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O16 - DPF: {00130000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (13.0)) - http://napaaccount.com/rfmweb/LTOCX13N.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/select/asusTek_sys_ctrl3.cab
O16 - DPF: {23A2712A-7A4F-4D0C-822C-D7BA9974447B} (SettingsHelper Class) - https://registration.rr.com/RegHelper.cab
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - https://picasaweb.google.com/s/v/77.22/uploader2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://napaaccount.com/rfmweb/comdlg32.cab
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: Advanced SystemCare Service (AdvancedSystemCareService) - IObit - D:\Advanced SystemCare 4\ASCService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - D:\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Desura Install Service - Desura Pty Ltd - C:\Program Files (x86)\Common Files\Desura\desura_service.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FordEcatAppServer - Unknown owner - D:\Ecat\runtimes\applicationserver\lib\appservService.exe (file missing)
O23 - Service: FordEcatUpdateTaskScheduler - Unknown owner - D:\Ecat\applications\updatescheduler\bin\JavaService.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MotoHelper Service (MotoHelper) - Unknown owner - C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: TVersity Media Server (TVersityMediaServer) - Unknown owner - C:\ProgramData\TVersity\Media Server\MediaServer.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9313 bytes






.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 2/18/2011 2:55:20 PM
System Uptime: 8/20/2011 5:13:28 PM (5 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | M4A78-E
Processor: AMD Phenom™ II X4 955 Processor | AM2 | 3210/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 99.084 GiB free.
D: is FIXED (NTFS) - 466 GiB total, 283.911 GiB free.
E: is CDROM ()
F: is CDROM (CDFS)
G: is Removable
H: is Removable
I: is Removable
J: is Removable
L: is FIXED (NTFS) - 1397 GiB total, 1132.708 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:
.
Class GUID: {6bdd1fc1-810f-11d0-bec7-08002be2092f}
Description: VIA 1394 OHCI Compliant Host Controller
Device ID: PCI\VEN_1106&DEV_3403&SUBSYS_83841043&REV_00\4&32CBD392&0&0038
Manufacturer: VIA
Name: VIA 1394 OHCI Compliant Host Controller
PNP Device ID: PCI\VEN_1106&DEV_3403&SUBSYS_83841043&REV_00\4&32CBD392&0&0038
Service: 1394ohci
.
==== System Restore Points ===================
.
RP45: 7/14/2011 1:29:45 AM - Scheduled Checkpoint
RP46: 7/22/2011 2:12:08 AM - Scheduled Checkpoint
RP47: 7/28/2011 6:00:20 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP48: 8/5/2011 12:11:25 AM - Scheduled Checkpoint
RP49: 8/13/2011 3:25:58 AM - Scheduled Checkpoint
RP50: 8/14/2011 2:52:44 PM - Installed UE3Redist
RP51: 8/14/2011 2:53:46 PM - Installed DirectX
RP52: 8/20/2011 4:41:36 PM - Installed HiJackThis
.
==== Installed Programs ======================
.
Ad-Aware
Adobe AIR
Adobe Community Help
Adobe Flash Player 10 ActiveX
Adobe Media Player
Adobe Reader X (10.0.1)
Advanced SystemCare 4
AIM 7
AIO_Scan
Akamai NetSession Interface
AMD OverDrive
Amnesia - The Dark Descent
AnswerWorks 5.0 English Runtime
AV VoizGame 6.0
BufferChm
Call of Duty: Black Ops - Multiplayer
Cheat Engine 6.1
Combined Community Codec Pack 2010-10-10
COMODO GeekBuddy
Copy
Counter-Strike: Condition Zero
Counter-Strike: Source
CrimeCraft
Destinations
Desura
DeviceDiscovery
DJ_AIO_ProductContext
DJ_AIO_Software
DJ_AIO_Software_min
DocLock
Download Updater (AOL LLC)
F4100
F4100_Help
Fallout New Vegas
Fantastic Flame Screensaver
ffdshow v1.1.3760 [2011-02-18]
foobar2000 v1.1.6
FrostWire 4.21.3
Game Booster
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService2
HiJackThis
HP Update
HPPhotoGadget
HPPhotoSmartDiscLabelContent1
HPPhotosmartEssential
HPProductAssistant
HPSSupply
HxD Hex Editor version 1.7.7.0
Inpaint 3.0
Java Auto Updater
Java™ 6 Update 24
JDownloader
Killing Floor
League of Legends
MagicDisc 2.7.106
MarketResearch
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (FORDECATDB)
Microsoft SQL Server Setup Support Files (English)
Microsoft VC90 CRT + OMP
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
MicroVolts
MotoHelper MergeModules
Mozilla Firefox 4.0.1 (x86 en-US)
Mozilla Thunderbird (6.0)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA PhysX
Office Password Recovery PRO v1.0 (remove only)
Pando Media Booster
Platform
Quicken 2011
RapidShare Manager
Realm Of The Titans
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Scan
SmartWebPrinting
SolutionCenter
Status
Steam
Tixati
Toolbox
TrayApp
TVersity Codec Pack 1.4
TVersity Media Server 1.9.3
TVersitybar Toolbar
UE3Redist
UnloadSupport
VIA Platform Device Manager
VLC media player 1.1.9
WebReg
Windows 7 Codec Pack 3.0.0
Wondershare Photo Recovery (build 3.0.1)
Xfire (remove only)
Zuma's Revenge!
.
==== Event Viewer Messages From Past Week ========
.
8/20/2011 5:14:39 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the TVersity Media Server service to connect.
8/20/2011 5:13:57 PM, Error: Service Control Manager [7000] - The MotoHelper Service service failed to start due to the following error: The system cannot find the file specified.
8/20/2011 5:13:57 PM, Error: Service Control Manager [7000] - The FordEcatUpdateTaskScheduler service failed to start due to the following error: The system cannot find the file specified.
8/20/2011 5:13:57 PM, Error: Service Control Manager [7000] - The FordEcatAppServer service failed to start due to the following error: The system cannot find the file specified.
8/20/2011 5:12:04 PM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
8/20/2011 5:07:24 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
8/20/2011 4:53:34 PM, Error: Service Control Manager [7034] - The hpqcxs08 service terminated unexpectedly. It has done this 3 time(s).
8/20/2011 4:53:34 PM, Error: Service Control Manager [7031] - The Akamai NetSession Interface service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
8/20/2011 4:53:27 PM, Error: Service Control Manager [7034] - The hpqcxs08 service terminated unexpectedly. It has done this 2 time(s).
8/20/2011 4:53:27 PM, Error: Service Control Manager [7031] - The Akamai NetSession Interface service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
8/20/2011 4:52:57 PM, Error: Service Control Manager [7034] - The hpqcxs08 service terminated unexpectedly. It has done this 1 time(s).
8/20/2011 4:52:57 PM, Error: Service Control Manager [7034] - The HP CUE DeviceDiscovery Service service terminated unexpectedly. It has done this 1 time(s).
8/20/2011 4:52:57 PM, Error: Service Control Manager [7031] - The Akamai NetSession Interface service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
8/20/2011 4:47:25 PM, Error: Service Control Manager [7034] - The TVersity Media Server service terminated unexpectedly. It has done this 1 time(s).
8/20/2011 10:01:17 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk6\DR6.
8/16/2011 11:03:46 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.
8/14/2011 4:22:26 PM, Error: Microsoft-Windows-WHEA-Logger [20] - A fatal hardware error has occurred. Component: AMD Northbridge Error Source: Machine Check Exception Error Type: HyperTransport Watchdog Timeout Error Processor ID: 0 The details view of this entry contains further information.
8/14/2011 4:22:06 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the SQL Server (FORDECATDB) service to connect.
8/14/2011 4:22:06 PM, Error: Service Control Manager [7000] - The SQL Server (FORDECATDB) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/14/2011 4:21:25 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000124 (0x0000000000000000, 0xfffffa80049aa8f8, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\Minidump\081411-20592-01.dmp. Report Id: 081411-20592-01.
.
==== End Of File ===========================

Edited by Skizzle, 20 August 2011 - 10:00 PM.



#2 HelpBot (Bleepin' Binary Bot, Bots, 12,600 posts)

Posted 25 August 2011 - 10:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/415380 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Skizzle (Topic Starter, Members, 28 posts)

Posted 26 August 2011 - 07:29 PM

Computer running slow and laggy, games lag, and I get an error randomly in IE after the page loads that says it can't load the page and then goes to a blank page. See attached.

[attached screenshot]


.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Skizzle at 20:08:12 on 2011-08-26
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4095.2600 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: COMODO Antivirus *Enabled/Updated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
FW: COMODO Firewall *Disabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
D:\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
D:\Advanced SystemCare 4\ASCService.exe
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
D:\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\ProgramData\TVersity\Media Server\MediaServer.exe
C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
D:\Game Booster\gbtray.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\system32\AUDIODG.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Skizzle\Desktop\gmer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uURLSearchHooks: TVersitybar Toolbar: {66bd2442-241b-44cd-8c7a-b51037053cdb} - C:\Program Files (x86)\TVersitybar\tbTVer.dll
mURLSearchHooks: TVersitybar Toolbar: {66bd2442-241b-44cd-8c7a-b51037053cdb} - C:\Program Files (x86)\TVersitybar\tbTVer.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: TVersitybar Toolbar: {66bd2442-241b-44cd-8c7a-b51037053cdb} - C:\Program Files (x86)\TVersitybar\tbTVer.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: TVersitybar Toolbar: {66bd2442-241b-44cd-8c7a-b51037053cdb} - C:\Program Files (x86)\TVersitybar\tbTVer.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Advanced SystemCare 4] D:\Advanced SystemCare 4\ASCTray.exe
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Desura] D:\Games\Desura\desura.exe -autostart
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
mRun: [TkBellExe] "D:\RealPlayer\update\realsched.exe" -osboot
StartupFolder: C:\Users\Skizzle\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MAGICD~1.LNK - C:\Program Files (x86)\MagicDisc\MagicDisc.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {00130000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://napaaccount.com/rfmweb/LTOCX13N.cab
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab
DPF: {23A2712A-7A4F-4D0C-822C-D7BA9974447B} - hxxps://registration.rr.com/RegHelper.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxps://picasaweb.google.com/s/v/77.22/uploader2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} - hxxp://napaaccount.com/rfmweb/comdlg32.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{85B48ED3-1BE8-4626-A1BF-FEB430BC02D2} : DhcpNameServer = 192.168.0.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\PKMCDO.DLL
AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: TVersitybar Toolbar: {66bd2442-241b-44cd-8c7a-b51037053cdb} - C:\Program Files (x86)\TVersitybar\tbTVer.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: TVersitybar Toolbar: {66bd2442-241b-44cd-8c7a-b51037053cdb} - C:\Program Files (x86)\TVersitybar\tbTVer.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun-x64: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
mRun-x64: [TkBellExe] "D:\RealPlayer\update\realsched.exe" -osboot
AppInit_DLLs-X64: C:\Windows\SysWOW64\guard32.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Skizzle\AppData\Roaming\Mozilla\Firefox\Profiles\kumon8qn.default\
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: D:\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: D:\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: D:\RealPlayer\Netscape6\nprpjplug.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
R1 cmderd;COMODO Internet Security Eradication Driver;C:\Windows\system32\DRIVERS\cmderd.sys --> C:\Windows\system32\DRIVERS\cmderd.sys [?]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\system32\DRIVERS\cmdguard.sys --> C:\Windows\system32\DRIVERS\cmdguard.sys [?]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\system32\DRIVERS\cmdhlp.sys --> C:\Windows\system32\DRIVERS\cmdhlp.sys [?]
R1 GizmoDrv;Gizmo Device Driver;C:\Windows\system32\drivers\GizmoDrv.sys --> C:\Windows\system32\drivers\GizmoDrv.sys [?]
R2 AdvancedSystemCareService;Advanced SystemCare Service;D:\Advanced SystemCare 4\ASCService.exe [2011-5-26 353168]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
R2 CLPSLS;COMODO livePCsupport Service;C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-2-7 158112]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-4-29 2151640]
R2 MSSQL$FORDECATDB;SQL Server (FORDECATDB);C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2011-1-11 29178224]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2011-5-8 17152]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);C:\Windows\system32\DRIVERS\vcsvad.sys --> C:\Windows\system32\DRIVERS\vcsvad.sys [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
S2 FordEcatAppServer;FordEcatAppServer;D:\Ecat\runtimes\applicationserver\lib\appservService.exe "\"D:\Ecat\runtimes\applicationserver\bin\asadmin.bat\" start-domain --user admin --passwordfile \"D:\Ecat\runtimes\applicationserver\password.txt\" domain1" "\"D:\Ecat\runtimes\applicationserver\bin\asadmin.bat\" stop-domain domain1\" --> D:\Ecat\runtimes\applicationserver\lib\appservService.exe \D:\Ecat\runtimes\applicationserver\bin\asadmin.bat\ [?]
S2 FordEcatUpdateTaskScheduler;FordEcatUpdateTaskScheduler;D:\Ecat\applications\updatescheduler\bin\JavaService.exe --> D:\Ecat\applications\updatescheduler\bin\JavaService.exe [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-18 136176]
S2 MotoHelper;MotoHelper Service;C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe --> C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [?]
S3 Desura Install Service;Desura Install Service;C:\Program Files (x86)\Common Files\Desura\desura_service.exe [2011-8-20 131912]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-18 136176]
S4 AODService;AODService;C:\Program Files (x86)\AMD\OverDrive\AODAssist.exe [2009-4-22 124256]
.
=============== Created Last 30 ================
.
2011-08-21 22:14:22 -------- d-----w- C:\Program Files (x86)\ESET
2011-08-21 07:33:58 -------- d-sh--w- C:\$RECYCLE.BIN
2011-08-20 21:31:35 -------- d-----w- C:\Program Files (x86)\Common Files\Desura
2011-08-20 21:29:15 -------- d-----w- C:\ProgramData\Desura
2011-08-20 20:54:40 98816 ----a-w- C:\Windows\sed.exe
2011-08-20 20:54:40 518144 ----a-w- C:\Windows\SWREG.exe
2011-08-20 20:54:40 256000 ----a-w- C:\Windows\PEV.exe
2011-08-20 20:54:40 208896 ----a-w- C:\Windows\MBR.exe
2011-08-20 20:41:59 388096 ----a-r- C:\Users\Skizzle\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-20 20:41:59 -------- d-----w- C:\Program Files (x86)\Hijack
2011-08-20 20:30:45 -------- d-----w- C:\Users\Skizzle\AppData\Local\Thunderbird
2011-08-20 20:15:12 -------- d-----w- C:\Users\Skizzle\AppData\Roaming\fltk.org
2011-08-20 20:15:12 -------- d-----w- C:\ProgramData\fltk.org
2011-08-20 19:27:47 -------- d-----w- C:\Users\Skizzle\AppData\Roaming\tixati
2011-08-19 01:58:38 -------- d-----w- C:\Program Files (x86)\Cheat Engine 6.1
2011-08-14 18:53:14 -------- d-----w- C:\Windows\45235788142C44BE8A4DDDE9A84492E5.TMP
2011-07-28 22:13:00 -------- d-----w- C:\Users\Skizzle\AppData\Roaming\SGTY
2011-07-28 22:12:01 -------- d-----w- C:\Users\Skizzle\AppData\Roaming\Realm of the Titans
2011-07-28 21:44:55 -------- d-----w- C:\Program Files (x86)\Common Files\Akamai
.
==================== Find3M ====================
.
2011-07-05 03:38:37 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-06-15 16:34:39 84992 ----a-w- C:\Windows\System32\asycfilt.dll
2011-06-15 16:34:39 67584 ----a-w- C:\Windows\SysWow64\asycfilt.dll
2011-06-15 16:34:25 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-06-15 16:34:25 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-06-15 16:32:52 85504 ----a-w- C:\Windows\SysWow64\secproc_ssp_isv.dll
2011-06-15 16:31:44 46592 ----a-w- C:\Windows\System32\msasn1.dll
2011-06-15 16:31:44 34816 ----a-w- C:\Windows\SysWow64\msasn1.dll
2011-06-15 16:31:37 311808 ----a-w- C:\Windows\System32\msv1_0.dll
2011-06-15 16:31:37 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2011-06-15 16:31:23 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
2011-06-15 16:31:23 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2011-06-15 16:31:22 982600 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2011-06-15 16:31:22 366080 ----a-w- C:\Windows\System32\atmfd.dll
2011-06-15 16:31:22 293888 ----a-w- C:\Windows\SysWow64\atmfd.dll
2011-06-15 16:31:22 1975296 ----a-w- C:\Windows\System32\CertEnroll.dll
2011-06-15 16:31:22 1320960 ----a-w- C:\Windows\SysWow64\CertEnroll.dll
.
============= FINISH: 20:10:48.71 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-26 20:21:55
Windows 6.1.7600
Running: gmer.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792

---- EOF - GMER 1.0.15 ----

(WILL ONLY LET ME SELECT SERVICES, REGISTRY, AND FILES) *Running Windows 7 64. Shoulda skipped.*

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:23:21 PM, on 8/26/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
D:\Game Booster\gbtray.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Hijack\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\SysWOW64\notepad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: TVersitybar Toolbar - {66bd2442-241b-44cd-8c7a-b51037053cdb} - C:\Program Files (x86)\TVersitybar\tbTVer.dll
O1 - Hosts file is located at: C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: TVersitybar Toolbar - {66bd2442-241b-44cd-8c7a-b51037053cdb} - C:\Program Files (x86)\TVersitybar\tbTVer.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: TVersitybar Toolbar - {66bd2442-241b-44cd-8c7a-b51037053cdb} - C:\Program Files (x86)\TVersitybar\tbTVer.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKLM\..\Run: [TkBellExe] "D:\RealPlayer\update\realsched.exe" -osboot
O4 - HKCU\..\Run: [Advanced SystemCare 4] D:\Advanced SystemCare 4\ASCTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Desura] D:\Games\Desura\desura.exe -autostart
O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O16 - DPF: {00130000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (13.0)) - http://napaaccount.com/rfmweb/LTOCX13N.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/select/asusTek_sys_ctrl3.cab
O16 - DPF: {23A2712A-7A4F-4D0C-822C-D7BA9974447B} (SettingsHelper Class) - https://registration.rr.com/RegHelper.cab
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - https://picasaweb.google.com/s/v/77.22/uploader2.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://napaaccount.com/rfmweb/comdlg32.cab
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: Advanced SystemCare Service (AdvancedSystemCareService) - IObit - D:\Advanced SystemCare 4\ASCService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - D:\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Desura Install Service - Desura Pty Ltd - C:\Program Files (x86)\Common Files\Desura\desura_service.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FordEcatAppServer - Unknown owner - D:\Ecat\runtimes\applicationserver\lib\appservService.exe (file missing)
O23 - Service: FordEcatUpdateTaskScheduler - Unknown owner - D:\Ecat\applications\updatescheduler\bin\JavaService.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MotoHelper Service (MotoHelper) - Unknown owner - C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: TVersity Media Server (TVersityMediaServer) - Unknown owner - C:\ProgramData\TVersity\Media Server\MediaServer.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9278 bytes


StartupList report, 8/26/2011, 8:22:56 PM
StartupList version: 1.52.2
Started from : C:\Program Files (x86)\Hijack\Trend Micro\HiJackThis\HiJackThis.EXE
Detected: Windows 7 (WinNT 6.00.3504)
Detected: Internet Explorer v8.00 (8.00.7600.16385)
* Using default options
==================================================

Running processes:

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
D:\Game Booster\gbtray.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Hijack\Trend Micro\HiJackThis\HiJackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Users\Skizzle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup]
MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe

Shell folders Common Startup:
[C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup]
HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\Windows\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpqSRMon = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
HDAudDeck = C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
TkBellExe = "D:\RealPlayer\update\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Advanced SystemCare 4 = D:\Advanced SystemCare 4\ASCTray.exe
swg = "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
Desura = D:\Games\Desura\desura.exe -autostart

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\Windows\SysWOW64\mshta.exe "%1" %*

--------------------------------------------------

Load/Run keys from C:\Windows\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\Windows\SysWOW64\guard32.dll

--------------------------------------------------

Shell & screensaver key from C:\Windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {02478D38-C3F9-4efb-9B51-7695ECA05670}
HP Print Enhancer - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll - {0347C33E-8762-4905-BF09-768834316C61}
AcroIEHelperStub - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
(no name) - C:\Program Files (x86)\TVersitybar\tbTVer.dll - {66bd2442-241b-44cd-8c7a-b51037053cdb}
(no name) - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
(no name) - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}
HP Smart BHO Class - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}

--------------------------------------------------

Enumerating Task Scheduler jobs:

GoogleUpdateTaskMachineCore.job
GoogleUpdateTaskMachineUA.job

--------------------------------------------------

Enumerating Download Program Files:

[LEAD Main Control (13.0)]
InProcServer32 = C:\Windows\DOWNLO~1\ltocx13n.ocx
CODEBASE = http://napaaccount.com/rfmweb/LTOCX13N.cab

[asusTek_sysctrl Class]
InProcServer32 = C:\Windows\Downloaded Program Files\asusTek_sys_ctrl.dll
CODEBASE = http://support.asus.com/select/asusTek_sys_ctrl3.cab

[SettingsHelper Class]
InProcServer32 = C:\Windows\Downloaded Program Files\TWCRegistrationHelper.dll
CODEBASE = https://registration.rr.com/RegHelper.cab

[UploadListView Class]
InProcServer32 = C:\Windows\Downloaded Program Files\UploaderX.dll
CODEBASE = https://picasaweb.google.com/s/v/77.22/uploader2.cab

[OnlineScanner Control]
InProcServer32 = C:\PROGRA~2\ESET\ESETON~1\ONLINE~1.OCX
CODEBASE = http://download.eset.com/special/eos/OnlineScanner.cab

[{E2883E8F-472F-4FB0-9522-AC9BF37916A7}]
CODEBASE = http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

[Microsoft Common Dialog Control, version 6.0]
InProcServer32 = C:\Windows\SysWOW64\comdlg32.ocx
CODEBASE = http://napaaccount.com/rfmweb/comdlg32.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\Windows\system32\NLAapi.dll
NameSpace #4: C:\Windows\system32\napinsp.dll
NameSpace #5: C:\Windows\system32\pnrpnsp.dll
NameSpace #6: C:\Windows\system32\pnrpnsp.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\Windows\SysWow64\webcheck.dll

--------------------------------------------------
End of report, 8,064 bytes
Report generated in 0.016 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Edited by Skizzle, 26 August 2011 - 07:40 PM.


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania

Posted 30 August 2011 - 06:59 AM

Hello, my name is Elise and I'll be assisting you with this issue.

TWO ANTIVIRUS PROGRAMS
---------------------------------------
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Comodo or Lavasoft Adaware.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
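The log Elise asks for is the plain-text TDSSKiller log, which lists every loaded driver as one line (timestamp, thread id, service name, MD5 in parentheses, image path) and adds verdict lines for anything the scanner could not read or did not like. The helper below is an added example for reading such a log the way a malware-removal helper does, and is not code from this thread, from BleepingComputer or from Kaspersky: it parses the inventory, attaches any verdict to the matching driver, and returns the entries worth a second look (drivers whose image lives outside the Windows directory, and drivers the scanner marked as detected or locked). The verdict-line shape `name - detected Verdict (n)` is assumed from TDSSKiller logs of that era, and the sample log is constructed except for the two inventory lines copied from the log posted later in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Inventory line: "<yyyy/mm/dd hh:mm:ss.ffff> <tid> <name> (<md5>) <path>"
DRIVER_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<tid>\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)
# Verdict line, e.g. "sptd - detected LockedFile.Multi.Generic (1)"
# (assumed format, modelled on TDSSKiller 2.5.x logs; not taken from the thread)
VERDICT_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<tid>\d+)\s+(?P<name>\S+)\s+-\s+detected\s+(?P<verdict>.+?)\s*$"
)
# SystemInfo header line that tells us where the OS lives on this machine
WINDIR_RE = re.compile(r"Windows directory:\s+(?P<dir>\S+)")


@dataclass
class DriverEntry:
    name: str
    md5: str            # empty when the scanner could not hash the file
    path: str           # empty when only a verdict line was seen
    verdict: Optional[str] = None


def parse_tdsskiller_log(text: str) -> Tuple[str, List[DriverEntry]]:
    """Return (windows_dir, entries) in the order the scanner listed them."""
    windir = "C:\\Windows"            # default if the header is missing
    entries: Dict[str, DriverEntry] = {}
    for line in text.splitlines():
        m = WINDIR_RE.search(line)
        if m:
            windir = m["dir"]
            continue
        m = DRIVER_RE.match(line)
        if m:
            entries[m["name"]] = DriverEntry(m["name"], m["md5"].lower(), m["path"])
            continue
        m = VERDICT_RE.match(line)
        if m:
            # A locked driver often has no inventory line, so create one on demand
            entry = entries.setdefault(m["name"], DriverEntry(m["name"], "", ""))
            entry.verdict = m["verdict"]
    return windir, list(entries.values())


def in_windows_dir(entry: DriverEntry, windir: str) -> bool:
    """True when the driver image is under the OS directory (case-insensitive)."""
    prefix = windir.rstrip("\\").lower() + "\\"
    return entry.path.lower().startswith(prefix)


def triage(text: str) -> List[DriverEntry]:
    """Entries a helper looks at first: flagged by the scanner, or loaded from
    outside the Windows directory (third-party kernel code, like virtual-drive
    or game-tool drivers). Everything else is left for hash comparison later."""
    windir, entries = parse_tdsskiller_log(text)
    return [e for e in entries if e.verdict or not in_windows_dir(e, windir)]


# Constructed sample: the two 1394ohci/ACPI lines are copied from the log in this
# thread; the rest (cmdGuard hash, examplehelper.sys, the sptd verdict) are made up.
SAMPLE_LOG = r"""
2011/08/30 09:51:07.0219 5952 Windows directory: C:\Windows
2011/08/30 09:51:19.0106 6012 Scan started
2011/08/30 09:51:19.0106 6012 Mode: Manual;
2011/08/30 09:51:21.0337 6012 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
2011/08/30 09:51:21.0368 6012 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
2011/08/30 09:51:30.0100 6012 cmdGuard (00000000000000000000000000000001) C:\Windows\system32\DRIVERS\cmdguard.sys
2011/08/30 09:51:40.0200 6012 examplehelper (0123456789abcdef0123456789abcdef) D:\Example Tool\drivers\examplehelper.sys
2011/08/30 09:51:50.0300 6012 sptd - detected LockedFile.Multi.Generic (1)
2011/08/30 09:52:00.0400 6012 \Device\Harddisk0\DR0 - ok
2011/08/30 09:52:01.0000 6012 Scan finished
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.name:15} {e.path or '(no path)':45} {e.verdict or ''}")
```

A locked file by itself is not a detection: TDSSKiller reports `LockedFile` when a driver such as a virtual-drive filter refuses to let the file be read, which is exactly why helpers ask for such software to be disabled before a scan. The point of the triage list is to shorten what a human reads, not to decide anything on its own.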


#5 Skizzle

Skizzle
  • Topic Starter

  • Members
  • 28 posts

Posted 30 August 2011 - 09:00 AM

Hello Elise, thank you for helping me with this.

Ad-Aware was removed from system, only running Comodo now.

Scan ran and completed fine but it did show files that were locked.

I believe the locked file is part of my virtual drive software; I'm sorry, I forgot to disable it. I have to use it for work, so it was re-enabled. Would you like me to disable it and re-scan?

2011/08/30 09:50:51.0713 1456 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/08/30 09:50:51.0993 1456 ================================================================================
2011/08/30 09:50:51.0993 1456 SystemInfo:
2011/08/30 09:50:51.0993 1456
2011/08/30 09:50:51.0993 1456 OS Version: 6.1.7600 ServicePack: 0.0
2011/08/30 09:50:51.0993 1456 Product type: Workstation
2011/08/30 09:50:51.0993 1456 ComputerName: SKIZZLE-PC
2011/08/30 09:50:51.0993 1456 UserName: Skizzle
2011/08/30 09:50:51.0993 1456 Windows directory: C:\Windows
2011/08/30 09:50:51.0993 1456 System windows directory: C:\Windows
2011/08/30 09:50:51.0993 1456 Running under WOW64
2011/08/30 09:50:51.0993 1456 Processor architecture: Intel x64
2011/08/30 09:50:51.0993 1456 Number of processors: 4
2011/08/30 09:50:51.0993 1456 Page size: 0x1000
2011/08/30 09:50:51.0993 1456 Boot type: Normal boot
2011/08/30 09:50:51.0993 1456 ================================================================================
2011/08/30 09:50:53.0397 1456 Initialize success
2011/08/30 09:51:05.0222 4216 Deinitialize success


2011/08/30 09:51:06.0954 5952 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/08/30 09:51:07.0219 5952 ================================================================================
2011/08/30 09:51:07.0219 5952 SystemInfo:
2011/08/30 09:51:07.0219 5952
2011/08/30 09:51:07.0219 5952 OS Version: 6.1.7600 ServicePack: 0.0
2011/08/30 09:51:07.0219 5952 Product type: Workstation
2011/08/30 09:51:07.0219 5952 ComputerName: SKIZZLE-PC
2011/08/30 09:51:07.0219 5952 UserName: Skizzle
2011/08/30 09:51:07.0219 5952 Windows directory: C:\Windows
2011/08/30 09:51:07.0219 5952 System windows directory: C:\Windows
2011/08/30 09:51:07.0219 5952 Running under WOW64
2011/08/30 09:51:07.0219 5952 Processor architecture: Intel x64
2011/08/30 09:51:07.0219 5952 Number of processors: 4
2011/08/30 09:51:07.0219 5952 Page size: 0x1000
2011/08/30 09:51:07.0219 5952 Boot type: Normal boot
2011/08/30 09:51:07.0219 5952 ================================================================================
2011/08/30 09:51:07.0656 5952 Initialize success
2011/08/30 09:51:19.0106 6012 ================================================================================
2011/08/30 09:51:19.0106 6012 Scan started
2011/08/30 09:51:19.0106 6012 Mode: Manual;
2011/08/30 09:51:19.0106 6012 ================================================================================
2011/08/30 09:51:21.0337 6012 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
2011/08/30 09:51:21.0368 6012 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
2011/08/30 09:51:21.0415 6012 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
2011/08/30 09:51:21.0446 6012 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
2011/08/30 09:51:21.0509 6012 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
2011/08/30 09:51:21.0524 6012 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
2011/08/30 09:51:21.0618 6012 AFD (b9384e03479d2506bc924c16a3db87bc) C:\Windows\system32\drivers\afd.sys
2011/08/30 09:51:21.0665 6012 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
2011/08/30 09:51:21.0680 6012 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys
2011/08/30 09:51:21.0696 6012 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys
2011/08/30 09:51:21.0758 6012 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
2011/08/30 09:51:21.0805 6012 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
2011/08/30 09:51:21.0852 6012 amdsata (7a4b413614c055935567cf88a9734d38) C:\Windows\system32\DRIVERS\amdsata.sys
2011/08/30 09:51:21.0867 6012 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
2011/08/30 09:51:21.0914 6012 amdxata (b4ad0cacbab298671dd6f6ef7e20679d) C:\Windows\system32\DRIVERS\amdxata.sys
2011/08/30 09:51:21.0992 6012 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys
2011/08/30 09:51:22.0055 6012 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
2011/08/30 09:51:22.0086 6012 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
2011/08/30 09:51:22.0117 6012 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/08/30 09:51:22.0148 6012 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys
2011/08/30 09:51:22.0226 6012 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
2011/08/30 09:51:22.0304 6012 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
2011/08/30 09:51:22.0335 6012 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
2011/08/30 09:51:22.0382 6012 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
2011/08/30 09:51:22.0398 6012 bowser (91ce0d3dc57dd377e690a2d324022b08) C:\Windows\system32\DRIVERS\bowser.sys
2011/08/30 09:51:22.0429 6012 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2011/08/30 09:51:22.0460 6012 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2011/08/30 09:51:22.0476 6012 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
2011/08/30 09:51:22.0491 6012 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
2011/08/30 09:51:22.0507 6012 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
2011/08/30 09:51:22.0523 6012 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
2011/08/30 09:51:22.0601 6012 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
2011/08/30 09:51:22.0647 6012 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/08/30 09:51:22.0679 6012 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys
2011/08/30 09:51:22.0757 6012 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
2011/08/30 09:51:22.0850 6012 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
2011/08/30 09:51:22.0944 6012 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/08/30 09:51:22.0975 6012 cmderd (79e33c4c8719965a650955c139970841) C:\Windows\system32\DRIVERS\cmderd.sys
2011/08/30 09:51:23.0022 6012 cmdGuard (6ad70719603268981e37961aebbe0098) C:\Windows\system32\DRIVERS\cmdguard.sys
2011/08/30 09:51:23.0069 6012 cmdHlp (c11a9b345fb92c99463b1b5a4624a131) C:\Windows\system32\DRIVERS\cmdhlp.sys
2011/08/30 09:51:23.0100 6012 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys
2011/08/30 09:51:23.0131 6012 CNG (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\Windows\system32\Drivers\cng.sys
2011/08/30 09:51:23.0147 6012 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
2011/08/30 09:51:23.0178 6012 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys
2011/08/30 09:51:23.0209 6012 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
2011/08/30 09:51:23.0256 6012 CSC (4a6173c2279b498cd8f57cae504564cb) C:\Windows\system32\drivers\csc.sys
2011/08/30 09:51:23.0381 6012 DfsC (3f1dc527070acb87e40afe46ef6da749) C:\Windows\system32\Drivers\dfsc.sys
2011/08/30 09:51:23.0412 6012 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
2011/08/30 09:51:23.0443 6012 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
2011/08/30 09:51:23.0521 6012 Dot4 (b42ed0320c6e41102fde0005154849bb) C:\Windows\system32\DRIVERS\Dot4.sys
2011/08/30 09:51:23.0568 6012 Dot4Print (85135ad27e79b689335c08167d917cde) C:\Windows\system32\DRIVERS\Dot4Prt.sys
2011/08/30 09:51:23.0583 6012 dot4usb (fd05a02b0370bc3000f402e543ca5814) C:\Windows\system32\DRIVERS\dot4usb.sys
2011/08/30 09:51:23.0661 6012 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
2011/08/30 09:51:23.0739 6012 DXGKrnl (ebce0b0924835f635f620d19f0529dce) C:\Windows\System32\drivers\dxgkrnl.sys
2011/08/30 09:51:24.0161 6012 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
2011/08/30 09:51:24.0332 6012 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
2011/08/30 09:51:24.0363 6012 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys
2011/08/30 09:51:24.0410 6012 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
2011/08/30 09:51:24.0426 6012 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
2011/08/30 09:51:24.0457 6012 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
2011/08/30 09:51:24.0488 6012 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
2011/08/30 09:51:24.0504 6012 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
2011/08/30 09:51:24.0535 6012 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/08/30 09:51:24.0566 6012 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys
2011/08/30 09:51:24.0629 6012 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
2011/08/30 09:51:24.0660 6012 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
2011/08/30 09:51:24.0707 6012 fvevol (ae87ba80d0ec3b57126ed2cdc15b24ed) C:\Windows\system32\DRIVERS\fvevol.sys
2011/08/30 09:51:24.0769 6012 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
2011/08/30 09:51:24.0831 6012 GizmoDrv (ee8829b623542d8adc4dba65a1133741) C:\Windows\system32\drivers\GizmoDrv.sys
2011/08/30 09:51:24.0909 6012 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
2011/08/30 09:51:24.0972 6012 HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\Windows\system32\drivers\HdAudio.sys
2011/08/30 09:51:25.0019 6012 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/08/30 09:51:25.0034 6012 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
2011/08/30 09:51:25.0065 6012 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
2011/08/30 09:51:25.0081 6012 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
2011/08/30 09:51:25.0143 6012 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\Windows\system32\DRIVERS\hidusb.sys
2011/08/30 09:51:25.0268 6012 HpSAMD (0886d440058f203eba0e1825e4355914) C:\Windows\system32\DRIVERS\HpSAMD.sys
2011/08/30 09:51:25.0315 6012 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\Windows\system32\drivers\HTTP.sys
2011/08/30 09:51:25.0346 6012 hwpolicy (f17766a19145f111856378df337a5d79) C:\Windows\system32\drivers\hwpolicy.sys
2011/08/30 09:51:25.0393 6012 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/08/30 09:51:25.0424 6012 iaStorV (d83efb6fd45df9d55e9a1afc63640d50) C:\Windows\system32\DRIVERS\iaStorV.sys
2011/08/30 09:51:25.0455 6012 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
2011/08/30 09:51:25.0487 6012 inspect (df84ed3292a87521621b9fee4c0e07bb) C:\Windows\system32\DRIVERS\inspect.sys
2011/08/30 09:51:25.0502 6012 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\DRIVERS\intelide.sys
2011/08/30 09:51:25.0549 6012 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
2011/08/30 09:51:25.0596 6012 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/08/30 09:51:25.0643 6012 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\Windows\system32\DRIVERS\IPMIDrv.sys
2011/08/30 09:51:25.0674 6012 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
2011/08/30 09:51:25.0721 6012 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
2011/08/30 09:51:25.0736 6012 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\DRIVERS\isapnp.sys
2011/08/30 09:51:25.0767 6012 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/08/30 09:51:25.0814 6012 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/08/30 09:51:25.0861 6012 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/08/30 09:51:25.0908 6012 KSecDD (e8b6fcc9c83535c67f835d407620bd27) C:\Windows\system32\Drivers\ksecdd.sys
2011/08/30 09:51:25.0955 6012 KSecPkg (a8c63880ef6f4d3fec7b616b9c060215) C:\Windows\system32\Drivers\ksecpkg.sys
2011/08/30 09:51:26.0001 6012 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
2011/08/30 09:51:26.0048 6012 L1E (2ac603c3188c704cfce353659aa7ad71) C:\Windows\system32\DRIVERS\L1E62x64.sys
2011/08/30 09:51:26.0095 6012 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
2011/08/30 09:51:26.0142 6012 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
2011/08/30 09:51:26.0157 6012 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
2011/08/30 09:51:26.0173 6012 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2011/08/30 09:51:26.0189 6012 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2011/08/30 09:51:26.0251 6012 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
2011/08/30 09:51:26.0313 6012 mcdbus (79d51e7f5926e8ce1b3ebecebae28cff) C:\Windows\system32\DRIVERS\mcdbus.sys
2011/08/30 09:51:26.0345 6012 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
2011/08/30 09:51:26.0376 6012 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
2011/08/30 09:51:26.0407 6012 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
2011/08/30 09:51:26.0438 6012 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
2011/08/30 09:51:26.0703 6012 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
2011/08/30 09:51:26.0781 6012 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
2011/08/30 09:51:26.0797 6012 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys
2011/08/30 09:51:26.0813 6012 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys
2011/08/30 09:51:26.0844 6012 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
2011/08/30 09:51:26.0906 6012 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys
2011/08/30 09:51:26.0953 6012 mrxsmb (cfdcd8ca87c2a657debc150ac35b5e08) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/08/30 09:51:26.0984 6012 mrxsmb10 (1bee517b220b7f024f411aec1571dd5a) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/08/30 09:51:27.0015 6012 mrxsmb20 (6b2d5fef385828b6e485c1c90afb8195) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/08/30 09:51:27.0031 6012 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys
2011/08/30 09:51:27.0062 6012 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys
2011/08/30 09:51:27.0093 6012 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
2011/08/30 09:51:27.0125 6012 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
2011/08/30 09:51:27.0156 6012 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys
2011/08/30 09:51:27.0187 6012 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
2011/08/30 09:51:27.0218 6012 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/08/30 09:51:27.0249 6012 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
2011/08/30 09:51:27.0296 6012 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys
2011/08/30 09:51:27.0327 6012 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/08/30 09:51:27.0374 6012 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
2011/08/30 09:51:27.0405 6012 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
2011/08/30 09:51:27.0468 6012 MTsensor (03b7145c889603537e9ffeabb1ad1089) C:\Windows\system32\DRIVERS\ASACPI.sys
2011/08/30 09:51:27.0499 6012 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
2011/08/30 09:51:27.0577 6012 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
2011/08/30 09:51:27.0671 6012 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
2011/08/30 09:51:27.0733 6012 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
2011/08/30 09:51:27.0764 6012 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/08/30 09:51:27.0795 6012 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/08/30 09:51:27.0811 6012 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/08/30 09:51:27.0889 6012 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys
2011/08/30 09:51:27.0936 6012 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
2011/08/30 09:51:27.0951 6012 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys
2011/08/30 09:51:28.0029 6012 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
2011/08/30 09:51:28.0076 6012 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
2011/08/30 09:51:28.0107 6012 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
2011/08/30 09:51:28.0388 6012 Ntfs (356698a13c4630d5b31c37378d469196) C:\Windows\system32\drivers\Ntfs.sys
2011/08/30 09:51:28.0529 6012 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
2011/08/30 09:51:29.0527 6012 nvlddmkm (f12c5f17d48d9f5c70e4408b3ccb5443) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2011/08/30 09:51:29.0683 6012 nvraid (3e38712941e9bb4ddbee00affe3fed3d) C:\Windows\system32\DRIVERS\nvraid.sys
2011/08/30 09:51:29.0714 6012 nvstor (477dc4d6deb99be37084c9ac6d013da1) C:\Windows\system32\DRIVERS\nvstor.sys
2011/08/30 09:51:29.0745 6012 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys
2011/08/30 09:51:29.0777 6012 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/08/30 09:51:29.0792 6012 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
2011/08/30 09:51:29.0808 6012 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\Windows\system32\drivers\partmgr.sys
2011/08/30 09:51:29.0839 6012 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys
2011/08/30 09:51:29.0855 6012 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys
2011/08/30 09:51:29.0886 6012 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/08/30 09:51:29.0917 6012 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
2011/08/30 09:51:29.0948 6012 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
2011/08/30 09:51:30.0104 6012 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys
2011/08/30 09:51:30.0167 6012 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
2011/08/30 09:51:30.0229 6012 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys
2011/08/30 09:51:30.0307 6012 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
2011/08/30 09:51:30.0369 6012 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
2011/08/30 09:51:30.0401 6012 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
2011/08/30 09:51:30.0401 6012 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
2011/08/30 09:51:30.0479 6012 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
2011/08/30 09:51:30.0510 6012 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/08/30 09:51:30.0541 6012 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/08/30 09:51:30.0557 6012 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
2011/08/30 09:51:30.0603 6012 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys
2011/08/30 09:51:30.0681 6012 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
2011/08/30 09:51:30.0713 6012 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/08/30 09:51:30.0744 6012 RDPDR (9706b84dbabfc4b4ca46c5a82b14dfa3) C:\Windows\system32\drivers\rdpdr.sys
2011/08/30 09:51:30.0791 6012 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
2011/08/30 09:51:30.0806 6012 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
2011/08/30 09:51:30.0837 6012 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\Windows\system32\drivers\RDPWD.sys
2011/08/30 09:51:30.0884 6012 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys
2011/08/30 09:51:30.0962 6012 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
2011/08/30 09:51:30.0993 6012 s3cap (88af6e02ab19df7fd07ecdf9c91e9af6) C:\Windows\system32\DRIVERS\vms3cap.sys
2011/08/30 09:51:31.0025 6012 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys
2011/08/30 09:51:31.0087 6012 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys
2011/08/30 09:51:31.0134 6012 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
2011/08/30 09:51:31.0181 6012 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
2011/08/30 09:51:31.0196 6012 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
2011/08/30 09:51:31.0227 6012 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
2011/08/30 09:51:31.0290 6012 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\DRIVERS\sffdisk.sys
2011/08/30 09:51:31.0321 6012 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\DRIVERS\sffp_mmc.sys
2011/08/30 09:51:31.0321 6012 sffp_sd (178298f767fe638c9fedcbdef58bb5e4) C:\Windows\system32\DRIVERS\sffp_sd.sys
2011/08/30 09:51:31.0352 6012 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
2011/08/30 09:51:31.0446 6012 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2011/08/30 09:51:31.0477 6012 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
2011/08/30 09:51:31.0539 6012 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
2011/08/30 09:51:31.0586 6012 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
2011/08/30 09:51:31.0727 6012 sptd (34f974f8b3c86de03a30dcbe79091c97) C:\Windows\system32\Drivers\sptd.sys
2011/08/30 09:51:31.0727 6012 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: 34f974f8b3c86de03a30dcbe79091c97
2011/08/30 09:51:31.0727 6012 sptd - detected LockedFile.Multi.Generic (1)
2011/08/30 09:51:31.0773 6012 srv (ec8f67289105bf270498095f14963464) C:\Windows\system32\DRIVERS\srv.sys
2011/08/30 09:51:31.0836 6012 srv2 (f773d2ed090b7baa1c1a034f3ca476c8) C:\Windows\system32\DRIVERS\srv2.sys
2011/08/30 09:51:31.0867 6012 srvnet (26e84d3649019c3244622e654dfcd75b) C:\Windows\system32\DRIVERS\srvnet.sys
2011/08/30 09:51:31.0914 6012 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
2011/08/30 09:51:31.0961 6012 storflt (ffd7a6f15b14234b5b0e5d49e7961895) C:\Windows\system32\DRIVERS\vmstorfl.sys
2011/08/30 09:51:31.0992 6012 storvsc (8fccbefc5c440b3c23454656e551b09a) C:\Windows\system32\DRIVERS\storvsc.sys
2011/08/30 09:51:32.0007 6012 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
2011/08/30 09:51:32.0132 6012 Tcpip (912107716bab424c7870e8e6af5e07e1) C:\Windows\system32\drivers\tcpip.sys
2011/08/30 09:51:32.0241 6012 TCPIP6 (912107716bab424c7870e8e6af5e07e1) C:\Windows\system32\DRIVERS\tcpip.sys
2011/08/30 09:51:32.0273 6012 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys
2011/08/30 09:51:32.0304 6012 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
2011/08/30 09:51:32.0319 6012 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
2011/08/30 09:51:32.0351 6012 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\Windows\system32\DRIVERS\tdx.sys
2011/08/30 09:51:32.0382 6012 TermDD (c448651339196c0e869a355171875522) C:\Windows\system32\DRIVERS\termdd.sys
2011/08/30 09:51:32.0444 6012 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/08/30 09:51:32.0475 6012 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\Windows\system32\DRIVERS\tunnel.sys
2011/08/30 09:51:32.0522 6012 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
2011/08/30 09:51:32.0553 6012 udfs (d47baead86c65d4f4069d7ce0a4edceb) C:\Windows\system32\DRIVERS\udfs.sys
2011/08/30 09:51:32.0600 6012 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\DRIVERS\uliagpkx.sys
2011/08/30 09:51:32.0631 6012 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\Windows\system32\DRIVERS\umbus.sys
2011/08/30 09:51:32.0663 6012 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
2011/08/30 09:51:32.0709 6012 usbaudio (77b01bc848298223a95d4ec23e1785a1) C:\Windows\system32\drivers\usbaudio.sys
2011/08/30 09:51:32.0756 6012 usbccgp (b26afb54a534d634523c4fb66765b026) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/08/30 09:51:32.0787 6012 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\DRIVERS\usbcir.sys
2011/08/30 09:51:32.0850 6012 usbehci (2ea4aff7be7eb4632e3aa8595b0803b5) C:\Windows\system32\DRIVERS\usbehci.sys
2011/08/30 09:51:32.0897 6012 usbhub (4c9042b8df86c1e8e6240c218b99b39b) C:\Windows\system32\DRIVERS\usbhub.sys
2011/08/30 09:51:32.0912 6012 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\Windows\system32\DRIVERS\usbohci.sys
2011/08/30 09:51:32.0959 6012 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
2011/08/30 09:51:32.0990 6012 usbscan (aaa2513c8aed8b54b189fd0c6b1634c0) C:\Windows\system32\DRIVERS\usbscan.sys
2011/08/30 09:51:33.0006 6012 USBSTOR (080d3820da6c046be82fc8b45a893e83) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/08/30 09:51:33.0037 6012 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/08/30 09:51:33.0099 6012 VCSVADHWSer (3a4b01c2bdb07dfef29b0b369487503a) C:\Windows\system32\DRIVERS\vcsvad.sys
2011/08/30 09:51:33.0146 6012 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\DRIVERS\vdrvroot.sys
2011/08/30 09:51:33.0177 6012 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/08/30 09:51:33.0209 6012 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
2011/08/30 09:51:33.0224 6012 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\Windows\system32\DRIVERS\vhdmp.sys
2011/08/30 09:51:33.0474 6012 VIAHdAudAddService (28bcdfe57119b97eef05361906ce74be) C:\Windows\system32\drivers\viahduaa.sys
2011/08/30 09:51:33.0552 6012 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\DRIVERS\viaide.sys
2011/08/30 09:51:33.0599 6012 vmbus (1501699d7eda984abc4155a7da5738d1) C:\Windows\system32\DRIVERS\vmbus.sys
2011/08/30 09:51:33.0770 6012 VMBusHID (ae10c35761889e65a6f7176937c5592c) C:\Windows\system32\DRIVERS\VMBusHID.sys
2011/08/30 09:51:33.0817 6012 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\Windows\system32\DRIVERS\volmgr.sys
2011/08/30 09:51:33.0848 6012 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\Windows\system32\drivers\volmgrx.sys
2011/08/30 09:51:33.0911 6012 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\Windows\system32\DRIVERS\volsnap.sys
2011/08/30 09:51:33.0957 6012 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
2011/08/30 09:51:33.0973 6012 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\System32\drivers\vwifibus.sys
2011/08/30 09:51:34.0004 6012 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
2011/08/30 09:51:34.0035 6012 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/30 09:51:34.0051 6012 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/30 09:51:34.0082 6012 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
2011/08/30 09:51:34.0113 6012 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
2011/08/30 09:51:34.0176 6012 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
2011/08/30 09:51:34.0191 6012 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
2011/08/30 09:51:34.0254 6012 WinUsb (817eaff5d38674edd7713b9dfb8e9791) C:\Windows\system32\DRIVERS\WinUsb.sys
2011/08/30 09:51:34.0269 6012 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/08/30 09:51:34.0332 6012 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
2011/08/30 09:51:34.0379 6012 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys
2011/08/30 09:51:34.0425 6012 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/08/30 09:51:34.0566 6012 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
2011/08/30 09:51:34.0581 6012 MBR (0x1B8) (f8f1af810e3b835b1210bc9940e7be1f) \Device\Harddisk1\DR1
2011/08/30 09:51:34.0581 6012 \Device\Harddisk1\DR1 - detected Trojan-Clicker.Win32.Wistler.a (0)
2011/08/30 09:51:34.0597 6012 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk6\DR6
2011/08/30 09:51:34.0613 6012 Boot (0x1200) (d6d34e15642836380c80250429e2f622) \Device\Harddisk0\DR0\Partition0
2011/08/30 09:51:34.0613 6012 Boot (0x1200) (75077259c2afbe750e10ee341ba18314) \Device\Harddisk1\DR1\Partition0
2011/08/30 09:51:34.0628 6012 Boot (0x1200) (aca322e2fa5461b902793be4bc018140) \Device\Harddisk6\DR6\Partition0
2011/08/30 09:51:34.0628 6012 ================================================================================
2011/08/30 09:51:34.0628 6012 Scan finished
2011/08/30 09:51:34.0628 6012 ================================================================================
2011/08/30 09:51:34.0644 6004 Detected object count: 2
2011/08/30 09:51:34.0644 6004 Actual detected object count: 2
2011/08/30 09:52:11.0990 6004 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/08/30 09:52:12.0037 6004 \Device\Harddisk1\DR1 (Trojan-Clicker.Win32.Wistler.a) - will be cured after reboot
2011/08/30 09:52:12.0037 6004 \Device\Harddisk1\DR1 - ok
2011/08/30 09:52:12.0037 6004 Trojan-Clicker.Win32.Wistler.a(\Device\Harddisk1\DR1) - User select action: Cure
2011/08/30 09:52:20.0726 2956 Deinitialize success
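
As an added example for readers following the log above (this is not code from the thread, from BleepingComputer, or from Kaspersky's TDSSKiller), a small Python parser for lines in the layout TDSSKiller printed: it joins each "detected" verdict line to the inventory line that carries the hash and path, and to the "User select action" line that records what was chosen afterwards, so a helper reviewing a pasted log can see which detections were cured and which were skipped without reading several hundred driver lines. The sample lines and their 32-digit hashes are constructed placeholders, not the values from this scan; the two verdict names are the ones that appear in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout TDSSKiller 2.5.x uses above
# (timestamp, thread id, message). The 32-hex-digit hashes are placeholders,
# not real file hashes; the two verdict names are the ones seen in this thread.
SAMPLE_LOG = r"""
2011/08/30 09:51:19.0106 6012 Scan started
2011/08/30 09:51:21.0337 6012 1394ohci (00000000000000000000000000000001) C:\Windows\system32\DRIVERS\1394ohci.sys
2011/08/30 09:51:31.0727 6012 sptd (00000000000000000000000000000002) C:\Windows\system32\Drivers\sptd.sys
2011/08/30 09:51:31.0727 6012 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: 00000000000000000000000000000002
2011/08/30 09:51:31.0727 6012 sptd - detected LockedFile.Multi.Generic (1)
2011/08/30 09:51:34.0566 6012 MBR (0x1B8) (00000000000000000000000000000003) \Device\Harddisk0\DR0
2011/08/30 09:51:34.0581 6012 MBR (0x1B8) (00000000000000000000000000000004) \Device\Harddisk1\DR1
2011/08/30 09:51:34.0581 6012 \Device\Harddisk1\DR1 - detected Trojan-Clicker.Win32.Wistler.a (0)
2011/08/30 09:51:34.0628 6012 Scan finished
2011/08/30 09:51:34.0644 6004 Detected object count: 2
2011/08/30 09:52:11.0990 6004 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/08/30 09:52:12.0037 6004 Trojan-Clicker.Win32.Wistler.a(\Device\Harddisk1\DR1) - User select action: Cure
"""

# Every line is "<date> <time> <thread id> <message>"; only the message varies.
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} (\d+) (.*)$")
# Inventory line for a driver, MBR or boot sector: name [(size)] (md5) path
OBJECT_RE = re.compile(r"^(\S+)(?: \((0x[0-9A-Fa-f]+)\))? \(([0-9a-f]{32})\) (.+)$")
# Verdict line: "<object> - detected <verdict> (<n>)"
DETECT_RE = re.compile(r"^(.+?) - detected (\S+) \(\d+\)$")
# Post-scan choice: "<verdict>(<object>) - User select action: <action>"
ACTION_RE = re.compile(r"^(\S+?)\((.+)\) - User select action: (\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")


@dataclass
class Detection:
    obj: str                 # driver name or device exactly as TDSSKiller named it
    verdict: str             # e.g. Trojan-Clicker.Win32.Wistler.a
    md5: Optional[str]       # hash from the inventory line, when one was logged
    path: Optional[str]      # file path or \Device\... object behind the verdict
    action: Optional[str]    # what the user chose afterwards: Skip, Cure, Delete, ...


def parse_tdss_log(text: str) -> dict:
    """Join verdict lines to their inventory and action lines."""
    inventory: Dict[str, Tuple[str, str]] = {}   # name or path -> (md5, path)
    detections: List[Detection] = []
    actions: Dict[Tuple[str, str], str] = {}     # (verdict, obj) -> action
    declared: Optional[int] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(2)
        om = OBJECT_RE.match(msg)
        if om:
            name, _size, md5, path = om.groups()
            inventory[path] = (md5, path)
            # MBR/Boot lines repeat the same name per disk; index those by device only
            if name not in ("MBR", "Boot"):
                inventory[name] = (md5, path)
            continue
        dm = DETECT_RE.match(msg)
        if dm:
            obj, verdict = dm.groups()
            md5, path = inventory.get(obj, (None, None))
            detections.append(Detection(obj, verdict, md5, path, None))
            continue
        am = ACTION_RE.match(msg)
        if am:
            verdict, obj, action = am.groups()
            actions[(verdict, obj)] = action
            continue
        cm = COUNT_RE.match(msg)
        if cm:
            declared = int(cm.group(1))
    for d in detections:
        d.action = actions.get((d.verdict, d.obj))
    return {"detections": detections, "declared_count": declared}


def count_consistent(report: dict) -> bool:
    """True when the verdict lines we parsed match the tool's own tally."""
    return report["declared_count"] == len(report["detections"])


def unresolved(report: dict) -> List[Detection]:
    """Detections that were skipped or never acted on and so still need a decision."""
    return [d for d in report["detections"] if d.action in (None, "Skip")]


if __name__ == "__main__":
    rep = parse_tdss_log(SAMPLE_LOG)
    for d in rep["detections"]:
        print(f"{d.verdict:32} {d.obj:28} md5={d.md5} action={d.action}")
    print("tally consistent:", count_consistent(rep))
    print("still unresolved:", [d.obj for d in unresolved(rep)])
```

On the sample this reports the locked sptd driver as still unresolved (it was skipped, as in the thread) and the MBR of \Device\Harddisk1 as cured. LockedFile.Multi.Generic is TDSSKiller's generic flag for a file it could not open for reading rather than the name of a malware family, which is why a Skip there is a different matter from a verdict on a disk's master boot record; the MBR detection is the one the helper's next post acts on.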

#6 Elise

Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania

Posted 30 August 2011 - 09:20 AM

Yes, however there was also an MBR rootkit present.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#7 Skizzle (Topic Starter, Members, 28 posts)

Posted 30 August 2011 - 01:13 PM

I will try running ComboFix a bit later tonight when I get home, but I want to ask you, could this "backdoor" have been created by a keylogger program I was using? I had Refrog keylogger on my computer for a while when I was having an issue with someone who was using my computer. I ended up deleting it when I ran my first HijackThis since I was done with it.

#8 Elise (Bleepin' Blonde, Malware Study Hall Admin, 60,932 posts, Location: Romania)

Posted 30 August 2011 - 01:40 PM

It is possible; usually it is hard to say what dropped the malware on the system, as different methods are used.

I'll wait for the combofix log.

regards, Elise




#9 Skizzle (Topic Starter, Members, 28 posts)

Posted 31 August 2011 - 02:39 AM

Sorry for the delay on the log, lost internet around here for a while:


ComboFix 11-08-30.02 - Skizzle 08/31/2011 3:27.2.4 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4095.2699 [GMT -4:00]
Running from: c:\users\Skizzle\Desktop\ComboFix1.exe
AV: COMODO Antivirus *Disabled/Updated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
FW: COMODO Firewall *Disabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\comct332.ocx
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-31 )))))))))))))))))))))))))))))))
.
.
2011-08-31 07:31 . 2011-08-31 07:31 -------- d-----w- c:\users\Mcx1-SKIZZLE-PC\AppData\Local\temp
2011-08-31 07:31 . 2011-08-31 07:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-21 22:14 . 2011-08-21 22:14 -------- d-----w- c:\program files (x86)\ESET
2011-08-20 21:31 . 2011-08-29 04:20 -------- d-----w- c:\program files (x86)\Common Files\Desura
2011-08-20 21:29 . 2011-08-20 21:29 -------- d-----w- c:\programdata\Desura
2011-08-20 20:41 . 2011-08-20 20:41 388096 ----a-r- c:\users\Skizzle\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-20 20:41 . 2011-08-20 20:41 -------- d-----w- c:\program files (x86)\Hijack
2011-08-20 20:30 . 2011-08-20 20:30 -------- d-----w- c:\users\Skizzle\AppData\Roaming\Thunderbird
2011-08-20 20:30 . 2011-08-20 20:30 -------- d-----w- c:\users\Skizzle\AppData\Local\Thunderbird
2011-08-20 20:30 . 2011-08-20 20:30 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird
2011-08-20 20:15 . 2011-08-20 20:15 -------- d-----w- c:\users\Skizzle\AppData\Roaming\fltk.org
2011-08-20 20:15 . 2011-08-20 20:15 -------- d-----w- c:\programdata\fltk.org


2011-08-14 18:53 . 2011-08-14 18:53 -------- d-----w- c:\users\Skizzle\AppData\Roaming\InstallShield Installation Information
2011-08-14 18:53 . 2011-08-14 18:53 -------- d-----w- c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-05 03:38 . 2011-05-08 13:02 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-15 16:34 . 2011-06-15 16:34 84992 ----a-w- c:\windows\system32\asycfilt.dll
2011-06-15 16:34 . 2011-06-15 16:34 67584 ----a-w- c:\windows\SysWow64\asycfilt.dll
2011-06-15 16:34 . 2011-06-15 16:34 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 16:34 . 2011-06-15 16:34 740864 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-06-15 16:33 . 2011-06-15 16:33 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2011-06-15 16:33 . 2011-06-15 16:33 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2011-06-15 16:33 . 2011-06-15 16:33 153160 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2011-06-15 16:33 . 2011-06-15 16:33 1446912 ----a-w- c:\windows\system32\lsasrv.dll
2011-06-15 16:33 . 2011-06-15 16:33 14336 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2011-06-15 16:33 . 2011-06-15 16:33 223448 ----a-w- c:\windows\system32\drivers\fvevol.sys
2011-06-15 16:33 . 2011-06-15 16:33 220672 ----a-w- c:\windows\system32\wintrust.dll
2011-06-15 16:33 . 2011-06-15 16:33 172032 ----a-w- c:\windows\SysWow64\wintrust.dll
2011-06-15 16:33 . 2011-06-15 16:33 139264 ----a-w- c:\windows\system32\cabview.dll
2011-06-15 16:33 . 2011-06-15 16:33 132608 ----a-w- c:\windows\SysWow64\cabview.dll
2011-06-15 16:33 . 2011-06-15 16:33 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2011-06-15 16:33 . 2011-06-15 16:33 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2011-06-15 16:33 . 2011-06-15 16:33 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-06-15 16:33 . 2011-06-15 16:33 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2011-06-15 16:33 . 2011-06-15 16:33 243200 ----a-w- c:\windows\system32\wow64.dll
2011-06-15 16:33 . 2011-06-15 16:33 2048 ----a-w- c:\windows\SysWow64\user.exe
2011-06-15 16:33 . 2011-06-15 16:33 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2011-06-15 16:32 . 2011-06-15 16:32 85504 ----a-w- c:\windows\SysWow64\secproc_ssp_isv.dll
2011-06-15 16:32 . 2011-06-15 16:32 85504 ----a-w- c:\windows\SysWow64\secproc_ssp.dll
2011-06-15 16:32 . 2011-06-15 16:32 369152 ----a-w- c:\windows\SysWow64\secproc.dll
2011-06-15 16:32 . 2011-06-15 16:32 306688 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2011-06-15 16:32 . 2011-06-15 16:32 305152 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2011-06-15 16:32 . 2011-06-15 16:32 280064 ----a-w- c:\windows\SysWow64\RMActivate_ssp.exe
2011-06-15 16:32 . 2011-06-15 16:32 277504 ----a-w- c:\windows\SysWow64\RMActivate_ssp_isv.exe
2011-06-15 16:32 . 2011-06-15 16:32 121856 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2011-06-15 16:32 . 2011-06-15 16:32 121856 ----a-w- c:\windows\system32\secproc_ssp.dll
2011-06-15 16:32 . 2011-06-15 16:32 424960 ----a-w- c:\windows\system32\secproc.dll
2011-06-15 16:32 . 2011-06-15 16:32 422912 ----a-w- c:\windows\system32\secproc_isv.dll
2011-06-15 16:32 . 2011-06-15 16:32 365568 ----a-w- c:\windows\SysWow64\secproc_isv.dll
2011-06-15 16:32 . 2011-06-15 16:32 357888 ----a-w- c:\windows\system32\RMActivate_isv.exe
2011-06-15 16:32 . 2011-06-15 16:32 356352 ----a-w- c:\windows\system32\RMActivate.exe
2011-06-15 16:32 . 2011-06-15 16:32 324608 ----a-w- c:\windows\SysWow64\RMActivate_isv.exe
2011-06-15 16:32 . 2011-06-15 16:32 320512 ----a-w- c:\windows\SysWow64\RMActivate.exe
2011-06-15 16:32 . 2011-06-15 16:32 91648 ----a-w- c:\windows\SysWow64\avifil32.dll
2011-06-15 16:32 . 2011-06-15 16:32 84480 ----a-w- c:\windows\SysWow64\mciavi32.dll
2011-06-15 16:32 . 2011-06-15 16:32 54272 ----a-w- c:\windows\system32\iyuv_32.dll
2011-06-15 16:32 . 2011-06-15 16:32 50176 ----a-w- c:\windows\SysWow64\iyuv_32.dll
2011-06-15 16:32 . 2011-06-15 16:32 38912 ----a-w- c:\windows\system32\msvidc32.dll
2011-06-15 16:32 . 2011-06-15 16:32 31744 ----a-w- c:\windows\SysWow64\msvidc32.dll
2011-06-15 16:32 . 2011-06-15 16:32 25088 ----a-w- c:\windows\system32\msyuv.dll
2011-06-15 16:32 . 2011-06-15 16:32 22016 ----a-w- c:\windows\SysWow64\msyuv.dll
2011-06-15 16:32 . 2011-06-15 16:32 16384 ----a-w- c:\windows\system32\msrle32.dll
2011-06-15 16:32 . 2011-06-15 16:32 1572352 ----a-w- c:\windows\system32\quartz.dll
2011-06-15 16:32 . 2011-06-15 16:32 14848 ----a-w- c:\windows\system32\tsbyuv.dll
2011-06-15 16:32 . 2011-06-15 16:32 13312 ----a-w- c:\windows\SysWow64\msrle32.dll
2011-06-15 16:32 . 2011-06-15 16:32 1328640 ----a-w- c:\windows\SysWow64\quartz.dll
2011-06-15 16:32 . 2011-06-15 16:32 12288 ----a-w- c:\windows\SysWow64\tsbyuv.dll
2011-06-15 16:32 . 2011-06-15 16:32 389632 ----a-w- c:\windows\system32\winlogon.exe
2011-06-15 16:32 . 2011-06-15 16:32 2870272 ----a-w- c:\windows\explorer.exe
2011-06-15 16:32 . 2011-06-15 16:32 2614272 ----a-w- c:\windows\SysWow64\explorer.exe
2011-06-15 16:32 . 2011-06-15 16:32 70656 ----a-w- c:\windows\SysWow64\fontsub.dll
2011-06-15 16:32 . 2011-06-15 16:32 148480 ----a-w- c:\windows\system32\t2embed.dll
2011-06-15 16:32 . 2011-06-15 16:32 108544 ----a-w- c:\windows\SysWow64\t2embed.dll
2011-06-15 16:32 . 2011-06-15 16:32 100864 ----a-w- c:\windows\system32\fontsub.dll
2011-06-15 16:31 . 2011-06-15 16:31 46592 ----a-w- c:\windows\system32\msasn1.dll
2011-06-15 16:31 . 2011-06-15 16:31 34816 ----a-w- c:\windows\SysWow64\msasn1.dll
2011-06-15 16:31 . 2011-06-15 16:31 311808 ----a-w- c:\windows\system32\msv1_0.dll
2011-06-15 16:31 . 2011-06-15 16:31 257024 ----a-w- c:\windows\SysWow64\msv1_0.dll
2011-06-15 16:31 . 2011-06-15 16:31 12625920 ----a-w- c:\windows\system32\wmploc.DLL
2011-06-15 16:31 . 2011-06-15 16:31 12625408 ----a-w- c:\windows\SysWow64\wmploc.DLL
2011-06-15 16:31 . 2011-06-15 16:31 982600 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-06-15 16:31 . 2011-06-15 16:31 366080 ----a-w- c:\windows\system32\atmfd.dll
2011-06-15 16:31 . 2011-06-15 16:31 293888 ----a-w- c:\windows\SysWow64\atmfd.dll
2011-06-15 16:31 . 2011-06-15 16:31 1975296 ----a-w- c:\windows\system32\CertEnroll.dll
2011-06-15 16:31 . 2011-06-15 16:31 1320960 ----a-w- c:\windows\SysWow64\CertEnroll.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-20_21.14.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:54 . 2011-08-30 13:44 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-08-20 20:37 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-08-30 13:44 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-08-20 20:37 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-08-20 20:37 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-08-30 13:44 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-21 23:15 . 2011-08-30 13:55 30014 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-08-30 13:55 27398 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:30 . 2011-08-30 03:07 86016 c:\windows\system32\DriverStore\infpub.dat
- 2009-07-14 05:30 . 2011-07-08 13:29 86016 c:\windows\system32\DriverStore\infpub.dat
- 2011-02-18 22:53 . 2011-08-19 11:47 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-18 22:53 . 2011-08-30 13:53 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-18 22:53 . 2011-08-19 11:47 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-02-18 22:53 . 2011-08-30 13:53 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-08-19 11:47 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-08-30 13:53 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:46 . 2011-08-30 13:54 83992 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2011-02-18 20:29 . 2011-08-31 07:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-18 20:29 . 2011-08-20 20:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-18 20:29 . 2011-08-20 20:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-18 20:29 . 2011-08-31 07:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-18 20:29 . 2011-08-30 13:55 8572 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3817402827-4003005445-15102773-1001_UserData.bin
+ 2005-03-29 05:30 . 2005-03-29 05:30 8192 c:\windows\system32\DriverStore\FileRepository\atk2000.inf_amd64_neutral_a91abe245a6c41c8\ASACPI.sys
+ 2005-03-29 05:30 . 2005-03-29 05:30 8192 c:\windows\system32\drivers\ASACPI.sys
+ 2011-08-31 07:32 . 2011-08-31 07:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-08-18 13:59 . 2011-08-20 21:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2011-08-19 13:54 661830 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-08-30 13:58 661830 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-08-19 13:54 121138 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-08-30 13:58 121138 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:30 . 2011-08-30 03:07 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2011-07-08 13:29 143360 c:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 05:30 . 2011-08-30 03:07 143360 c:\windows\system32\DriverStore\infstor.dat
- 2009-07-14 05:30 . 2011-07-08 13:29 143360 c:\windows\system32\DriverStore\infstor.dat
- 2009-07-14 05:01 . 2011-08-18 13:58 340216 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-08-31 07:31 340216 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-02-18 20:27 . 2011-08-31 07:23 1474832 c:\windows\system32\drivers\sfi.dat
- 2011-02-18 20:27 . 2011-08-20 20:47 1474832 c:\windows\system32\drivers\sfi.dat
+ 2009-07-14 04:45 . 2011-08-30 13:54 3963586 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2011-06-23 00:28 3963586 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2011-04-18 00:51 . 2011-08-31 07:31 1667899 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3817402827-4003005445-15102773-1001-12288.dat
- 2011-04-18 00:51 . 2011-08-18 13:58 1667899 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3817402827-4003005445-15102773-1001-12288.dat
- 2009-07-14 02:34 . 2011-08-15 02:42 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2011-08-30 15:09 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{66bd2442-241b-44cd-8c7a-b51037053cdb}"= "c:\program files (x86)\TVersitybar\tbTVer.dll" [2010-10-10 3906656]
.
[HKEY_CLASSES_ROOT\clsid\{66bd2442-241b-44cd-8c7a-b51037053cdb}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{66bd2442-241b-44cd-8c7a-b51037053cdb}]
2010-10-10 20:51 3906656 ----a-w- c:\program files (x86)\TVersitybar\tbTVer.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{66bd2442-241b-44cd-8c7a-b51037053cdb}"= "c:\program files (x86)\TVersitybar\tbTVer.dll" [2010-10-10 3906656]
.
[HKEY_CLASSES_ROOT\clsid\{66bd2442-241b-44cd-8c7a-b51037053cdb}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 4"="d:\advanced systemcare 4\ASCTray.exe" [2011-05-28 412560]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-02-18 39408]
"Desura"="d:\games\Desura\desura.exe" [2011-08-29 2514248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2009-05-18 2157056]
"TkBellExe"="d:\realplayer\update\realsched.exe" [2011-05-15 273544]
.
c:\users\Skizzle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2009-9-9 576000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
R2 FordEcatAppServer;FordEcatAppServer;d:\ecat\runtimes\applicationserver\lib\appservService.exe [x]
R2 FordEcatUpdateTaskScheduler;FordEcatUpdateTaskScheduler;d:\ecat\applications\updatescheduler\bin\JavaService.exe [x]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-18 136176]
R2 MotoHelper;MotoHelper Service;c:\program files (x86)\Motorola\MotoHelper\MotoHelperService.exe [x]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [x]
R3 Desura Install Service;Desura Install Service;c:\program files (x86)\Common Files\Desura\desura_service.exe [2011-08-29 131912]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-18 136176]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [x]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [x]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [x]
R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys [x]
R3 X6va005;X6va005;c:\users\Skizzle\AppData\Local\Temp\005E955.tmp [x]
R4 AODService;AODService;c:\program files (x86)\AMD\OverDrive\AODAssist.exe [2009-04-22 124256]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
S1 GizmoDrv;Gizmo Device Driver; [x]
S2 AdvancedSystemCareService;Advanced SystemCare Service;d:\advanced systemcare 4\ASCService.exe [2011-05-28 353168]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-02-07 158112]
S2 MSSQL$FORDECATDB;SQL Server (FORDECATDB);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2011-01-11 29178224]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-18 21:16]
.
2011-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-18 21:16]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="d:\comodo\COMODO Internet Security\cfp.exe" [2011-05-15 9057608]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
DPF: {23A2712A-7A4F-4D0C-822C-D7BA9974447B} - hxxps://registration.rr.com/RegHelper.cab
FF - ProfilePath - c:\users\Skizzle\AppData\Roaming\Mozilla\Firefox\Profiles\kumon8qn.default\
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{66BD2442-241B-44CD-8C7A-B51037053CDB} - (no file)
AddRemove-Desura - c:\program files (x86)\Common Files\Desura\\Desura_Uninstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va005]
"ImagePath"="\??\c:\users\Skizzle\AppData\Local\Temp\005E955.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\DAODx.exe
d:\advanced systemcare 4\PMonitor.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\programdata\TVersity\Media Server\MediaServer.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2011-08-31 03:35:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-31 07:35
ComboFix2.txt 2011-08-20 21:17
.
Pre-Run: 104,308,744,192 bytes free
Post-Run: 104,259,919,872 bytes free
.
- - End Of File - - E600E5EBDA5E64D8D7883680F480C1E8
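
The log above carries the entries a responder reads before anything else: the UAC policy values are all zeroed (EnableLUA=0, ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0, so nothing ever prompts for elevation), AppInit_DLLs is populated on both the 32-bit and 64-bit hives, a service named X6va005 has its ImagePath in the user's Temp folder pointing at a .tmp file, and a .TMP directory sits directly in c:\windows (the one the CFScript in the following post removes). The script below is an added example, not something posted in this thread and not a BleepingComputer or ComboFix tool: it parses the plain text of a ComboFix log and flags exactly those patterns. The sample log inside it is constructed from lines of the log posted above; its reading of ComboFix's `[x]` marker as "file could not be read" is an assumption and is labelled as such in the code.

```python
# Added example: triage a ComboFix log for the entries a responder checks
# first. Not the thread's text and not a BleepingComputer/ComboFix tool.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # short tag, e.g. "uac-weakened"
    detail: str  # the value, path or line that triggered it


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desura"="d:\games\Desura\desura.exe" [2011-08-29 2514248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-18 136176]
R3 X6va005;X6va005;c:\users\Skizzle\AppData\Local\Temp\005E955.tmp [x]
S1 GizmoDrv;Gizmo Device Driver; [x]
.
2011-08-14 18:53 . 2011-08-14 18:53 -------- d-----w- c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP
2011-08-20 20:41 . 2011-08-20 20:41 388096 ----a-r- c:\users\Skizzle\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
"""

# UAC policy values that switch protection off when set as shown:
# EnableLUA=0 disables UAC, ConsentPromptBehaviorAdmin=0 elevates admins
# silently, PromptOnSecureDesktop=0 takes the prompt off the secure desktop.
WEAK_UAC = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"(\w+)"\s*=\s*(\d+)\b')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"\s*=\s*(.+?)\s*$', re.I)
# "<state> <name>;<description>;<image path> [<date size> | x]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
# "<created> . <modified> <size or --------> <attrs> <path>"
CREATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+\S+\s+(.+?)\s*$")


def is_temp_path(path: str) -> bool:
    """A service or driver binary under a Temp folder, or with a .tmp name,
    is not how legitimate software gets installed."""
    p = path.lower()
    return "\\temp\\" in p or p.endswith(".tmp")


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    key = ""  # lower-cased registry key of the block we are inside
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == ".":  # ComboFix's block separator
            key = ""
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if key.endswith(r"currentversion\run"):
            findings.append(Finding("autorun", line))  # every autorun gets reviewed
            continue
        if key.endswith(r"currentversion\policies\system"):
            m = VALUE_RE.match(line)
            if m and WEAK_UAC.get(m.group(1)) == int(m.group(2)):
                findings.append(Finding("uac-weakened", f"{m.group(1)}={m.group(2)}"))
            continue
        if key.endswith(r"currentversion\windows"):
            # AppInit_DLLs is injected into every process that loads user32.
            # Here it names guard32.dll, consistent with the COMODO install in
            # the log's AV: line; confirm that by hand rather than assume it.
            m = APPINIT_RE.match(line)
            if m:
                findings.append(Finding("appinit-dll", m.group(1)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, name, _desc, path, tag = m.groups()
            if is_temp_path(path):
                findings.append(Finding("service-temp-path", f"{state} {name} -> {path}"))
            elif tag == "x":
                # Assumption about ComboFix notation: [x] stands in for the
                # date/size when the file could not be read, so verify by hand.
                findings.append(Finding("service-unverified",
                                        f"{state} {name} -> {path or '(no path)'}"))
            continue
        m = CREATED_RE.match(line)
        if m and is_temp_path(m.group(1)):
            findings.append(Finding("created-tmp", m.group(1)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.detail}")
```

Run against the full log rather than the sample, the same regexes pick up the services section, both AppInit_DLLs hives and the Find3M/created-files sections; the autorun entries are listed without judgement because the log alone does not say whether a given Run value is wanted, and that is the part of triage a responder still has to do by eye.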

#10 Elise (Bleepin' Blonde, Malware Study Hall Admin, 60,932 posts, Location: Romania)

Posted 31 August 2011 - 02:49 AM

Hi, how are things running now?

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
File::
c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise




#11 Skizzle (Topic Starter, Members, 28 posts)

Posted 31 August 2011 - 08:16 AM

Ran the script in ComboFix, and just so you are aware, ComboFix had an update apparently and it downloaded it before it ran the script. My computer speed has seemed to increase significantly. I'll be on it for a bit today. One thing I noticed is my Comodo Defense started working again, and I had a request blocked. It told me svchost was trying to connect to another computer: "svchost is a SAFE program, but it is trying to connect to another computer. If you are not sure what to do, block this request."

ComboFix 11-08-31.02 - Skizzle 08/31/2011 9:04.3.4 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4095.2854 [GMT -4:00]
Running from: c:\users\Skizzle\Desktop\ComboFix1.exe
Command switches used :: c:\users\Skizzle\Desktop\CFScript.txt
AV: COMODO Antivirus *Disabled/Updated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
FW: COMODO Firewall *Disabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP"
.
.
((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-31 )))))))))))))))))))))))))))))))
.
.
2011-08-31 13:08 . 2011-08-31 13:08 -------- d-----w- c:\users\Mcx1-SKIZZLE-PC\AppData\Local\temp
2011-08-31 13:08 . 2011-08-31 13:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-21 22:14 . 2011-08-21 22:14 -------- d-----w- c:\program files (x86)\ESET
2011-08-20 21:31 . 2011-08-29 04:20 -------- d-----w- c:\program files (x86)\Common Files\Desura
2011-08-20 21:29 . 2011-08-20 21:29 -------- d-----w- c:\programdata\Desura
2011-08-20 20:41 . 2011-08-20 20:41 388096 ----a-r- c:\users\Skizzle\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-20 20:41 . 2011-08-20 20:41 -------- d-----w- c:\program files (x86)\Hijack
2011-08-20 20:30 . 2011-08-20 20:30 -------- d-----w- c:\users\Skizzle\AppData\Roaming\Thunderbird
2011-08-20 20:30 . 2011-08-20 20:30 -------- d-----w- c:\users\Skizzle\AppData\Local\Thunderbird
2011-08-20 20:30 . 2011-08-20 20:30 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird
2011-08-20 20:15 . 2011-08-20 20:15 -------- d-----w- c:\users\Skizzle\AppData\Roaming\fltk.org
2011-08-20 20:15 . 2011-08-20 20:15 -------- d-----w- c:\programdata\fltk.org

2011-08-19 01:58 . 2011-08-21 22:17 -------- d-----w- c:\program files (x86)\Cheat Engine 6.1
2011-08-14 18:53 . 2011-08-14 18:53 -------- d-----w- c:\users\Skizzle\AppData\Roaming\InstallShield Installation Information
2011-08-14 18:53 . 2011-08-14 18:53 -------- d-----w- c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-05 03:38 . 2011-05-08 13:02 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-15 16:34 . 2011-06-15 16:34 84992 ----a-w- c:\windows\system32\asycfilt.dll
2011-06-15 16:34 . 2011-06-15 16:34 67584 ----a-w- c:\windows\SysWow64\asycfilt.dll
2011-06-15 16:34 . 2011-06-15 16:34 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-15 16:34 . 2011-06-15 16:34 740864 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-06-15 16:33 . 2011-06-15 16:33 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2011-06-15 16:33 . 2011-06-15 16:33 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2011-06-15 16:33 . 2011-06-15 16:33 153160 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2011-06-15 16:33 . 2011-06-15 16:33 1446912 ----a-w- c:\windows\system32\lsasrv.dll
2011-06-15 16:33 . 2011-06-15 16:33 14336 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2011-06-15 16:33 . 2011-06-15 16:33 223448 ----a-w- c:\windows\system32\drivers\fvevol.sys
2011-06-15 16:33 . 2011-06-15 16:33 220672 ----a-w- c:\windows\system32\wintrust.dll
2011-06-15 16:33 . 2011-06-15 16:33 172032 ----a-w- c:\windows\SysWow64\wintrust.dll
2011-06-15 16:33 . 2011-06-15 16:33 139264 ----a-w- c:\windows\system32\cabview.dll
2011-06-15 16:33 . 2011-06-15 16:33 132608 ----a-w- c:\windows\SysWow64\cabview.dll
2011-06-15 16:33 . 2011-06-15 16:33 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2011-06-15 16:33 . 2011-06-15 16:33 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2011-06-15 16:33 . 2011-06-15 16:33 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-06-15 16:33 . 2011-06-15 16:33 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2011-06-15 16:33 . 2011-06-15 16:33 243200 ----a-w- c:\windows\system32\wow64.dll
2011-06-15 16:33 . 2011-06-15 16:33 2048 ----a-w- c:\windows\SysWow64\user.exe
2011-06-15 16:33 . 2011-06-15 16:33 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2011-06-15 16:32 . 2011-06-15 16:32 85504 ----a-w- c:\windows\SysWow64\secproc_ssp_isv.dll
2011-06-15 16:32 . 2011-06-15 16:32 85504 ----a-w- c:\windows\SysWow64\secproc_ssp.dll
2011-06-15 16:32 . 2011-06-15 16:32 369152 ----a-w- c:\windows\SysWow64\secproc.dll
2011-06-15 16:32 . 2011-06-15 16:32 306688 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2011-06-15 16:32 . 2011-06-15 16:32 305152 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2011-06-15 16:32 . 2011-06-15 16:32 280064 ----a-w- c:\windows\SysWow64\RMActivate_ssp.exe
2011-06-15 16:32 . 2011-06-15 16:32 277504 ----a-w- c:\windows\SysWow64\RMActivate_ssp_isv.exe
2011-06-15 16:32 . 2011-06-15 16:32 121856 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2011-06-15 16:32 . 2011-06-15 16:32 121856 ----a-w- c:\windows\system32\secproc_ssp.dll
2011-06-15 16:32 . 2011-06-15 16:32 424960 ----a-w- c:\windows\system32\secproc.dll
2011-06-15 16:32 . 2011-06-15 16:32 422912 ----a-w- c:\windows\system32\secproc_isv.dll
2011-06-15 16:32 . 2011-06-15 16:32 365568 ----a-w- c:\windows\SysWow64\secproc_isv.dll
2011-06-15 16:32 . 2011-06-15 16:32 357888 ----a-w- c:\windows\system32\RMActivate_isv.exe
2011-06-15 16:32 . 2011-06-15 16:32 356352 ----a-w- c:\windows\system32\RMActivate.exe
2011-06-15 16:32 . 2011-06-15 16:32 324608 ----a-w- c:\windows\SysWow64\RMActivate_isv.exe
2011-06-15 16:32 . 2011-06-15 16:32 320512 ----a-w- c:\windows\SysWow64\RMActivate.exe
2011-06-15 16:32 . 2011-06-15 16:32 91648 ----a-w- c:\windows\SysWow64\avifil32.dll
2011-06-15 16:32 . 2011-06-15 16:32 84480 ----a-w- c:\windows\SysWow64\mciavi32.dll
2011-06-15 16:32 . 2011-06-15 16:32 54272 ----a-w- c:\windows\system32\iyuv_32.dll
2011-06-15 16:32 . 2011-06-15 16:32 50176 ----a-w- c:\windows\SysWow64\iyuv_32.dll
2011-06-15 16:32 . 2011-06-15 16:32 38912 ----a-w- c:\windows\system32\msvidc32.dll
2011-06-15 16:32 . 2011-06-15 16:32 31744 ----a-w- c:\windows\SysWow64\msvidc32.dll
2011-06-15 16:32 . 2011-06-15 16:32 25088 ----a-w- c:\windows\system32\msyuv.dll
2011-06-15 16:32 . 2011-06-15 16:32 22016 ----a-w- c:\windows\SysWow64\msyuv.dll
2011-06-15 16:32 . 2011-06-15 16:32 16384 ----a-w- c:\windows\system32\msrle32.dll
2011-06-15 16:32 . 2011-06-15 16:32 1572352 ----a-w- c:\windows\system32\quartz.dll
2011-06-15 16:32 . 2011-06-15 16:32 14848 ----a-w- c:\windows\system32\tsbyuv.dll
2011-06-15 16:32 . 2011-06-15 16:32 13312 ----a-w- c:\windows\SysWow64\msrle32.dll
2011-06-15 16:32 . 2011-06-15 16:32 1328640 ----a-w- c:\windows\SysWow64\quartz.dll
2011-06-15 16:32 . 2011-06-15 16:32 12288 ----a-w- c:\windows\SysWow64\tsbyuv.dll
2011-06-15 16:32 . 2011-06-15 16:32 389632 ----a-w- c:\windows\system32\winlogon.exe
2011-06-15 16:32 . 2011-06-15 16:32 2870272 ----a-w- c:\windows\explorer.exe
2011-06-15 16:32 . 2011-06-15 16:32 2614272 ----a-w- c:\windows\SysWow64\explorer.exe
2011-06-15 16:32 . 2011-06-15 16:32 70656 ----a-w- c:\windows\SysWow64\fontsub.dll
2011-06-15 16:32 . 2011-06-15 16:32 148480 ----a-w- c:\windows\system32\t2embed.dll
2011-06-15 16:32 . 2011-06-15 16:32 108544 ----a-w- c:\windows\SysWow64\t2embed.dll
2011-06-15 16:32 . 2011-06-15 16:32 100864 ----a-w- c:\windows\system32\fontsub.dll
2011-06-15 16:31 . 2011-06-15 16:31 46592 ----a-w- c:\windows\system32\msasn1.dll
2011-06-15 16:31 . 2011-06-15 16:31 34816 ----a-w- c:\windows\SysWow64\msasn1.dll
2011-06-15 16:31 . 2011-06-15 16:31 311808 ----a-w- c:\windows\system32\msv1_0.dll
2011-06-15 16:31 . 2011-06-15 16:31 257024 ----a-w- c:\windows\SysWow64\msv1_0.dll
2011-06-15 16:31 . 2011-06-15 16:31 12625920 ----a-w- c:\windows\system32\wmploc.DLL
2011-06-15 16:31 . 2011-06-15 16:31 12625408 ----a-w- c:\windows\SysWow64\wmploc.DLL
2011-06-15 16:31 . 2011-06-15 16:31 982600 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-06-15 16:31 . 2011-06-15 16:31 366080 ----a-w- c:\windows\system32\atmfd.dll
2011-06-15 16:31 . 2011-06-15 16:31 293888 ----a-w- c:\windows\SysWow64\atmfd.dll
2011-06-15 16:31 . 2011-06-15 16:31 1975296 ----a-w- c:\windows\system32\CertEnroll.dll
2011-06-15 16:31 . 2011-06-15 16:31 1320960 ----a-w- c:\windows\SysWow64\CertEnroll.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-20_21.14.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:54 . 2011-08-30 13:44 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-08-20 20:37 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-08-30 13:44 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-08-20 20:37 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-08-20 20:37 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-08-30 13:44 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-21 23:15 . 2011-08-31 11:49 30716 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-08-31 11:49 27486 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:30 . 2011-07-08 13:29 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2009-07-14 05:30 . 2011-08-30 03:07 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2011-02-18 22:53 . 2011-08-31 11:47 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-18 22:53 . 2011-08-19 11:47 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-18 22:53 . 2011-08-31 11:47 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-02-18 22:53 . 2011-08-19 11:47 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-08-19 11:47 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-08-31 11:47 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:46 . 2011-08-31 07:37 84200 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2011-02-18 20:29 . 2011-08-31 13:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-18 20:29 . 2011-08-20 20:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-18 20:29 . 2011-08-31 13:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-02-18 20:29 . 2011-08-20 20:23 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-18 20:29 . 2011-08-31 11:49 9126 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3817402827-4003005445-15102773-1001_UserData.bin
+ 2005-03-29 05:30 . 2005-03-29 05:30 8192 c:\windows\system32\DriverStore\FileRepository\atk2000.inf_amd64_neutral_a91abe245a6c41c8\ASACPI.sys
+ 2005-03-29 05:30 . 2005-03-29 05:30 8192 c:\windows\system32\drivers\ASACPI.sys
+ 2011-08-31 13:09 . 2011-08-31 13:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-08-18 13:59 . 2011-08-20 21:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-08-31 13:09 . 2011-08-31 13:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2011-08-31 11:52 661830 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-08-19 13:54 661830 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-08-31 11:52 121138 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-08-19 13:54 121138 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:30 . 2011-08-30 03:07 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2011-07-08 13:29 143360 c:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 05:30 . 2011-08-30 03:07 143360 c:\windows\system32\DriverStore\infstor.dat
- 2009-07-14 05:30 . 2011-07-08 13:29 143360 c:\windows\system32\DriverStore\infstor.dat
- 2009-07-14 05:01 . 2011-08-18 13:58 340216 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-08-31 07:31 340216 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-02-18 20:27 . 2011-08-31 07:23 1474832 c:\windows\system32\drivers\sfi.dat
- 2011-02-18 20:27 . 2011-08-20 20:47 1474832 c:\windows\system32\drivers\sfi.dat
- 2009-07-14 04:45 . 2011-06-23 00:28 3963586 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:45 . 2011-08-30 13:54 3963586 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2011-04-18 00:51 . 2011-08-31 07:31 1667899 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3817402827-4003005445-15102773-1001-12288.dat
- 2011-04-18 00:51 . 2011-08-18 13:58 1667899 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3817402827-4003005445-15102773-1001-12288.dat
- 2009-07-14 02:34 . 2011-08-15 02:42 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2011-08-30 15:09 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{66bd2442-241b-44cd-8c7a-b51037053cdb}"= "c:\program files (x86)\TVersitybar\tbTVer.dll" [2010-10-10 3906656]
.
[HKEY_CLASSES_ROOT\clsid\{66bd2442-241b-44cd-8c7a-b51037053cdb}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{66bd2442-241b-44cd-8c7a-b51037053cdb}]
2010-10-10 20:51 3906656 ----a-w- c:\program files (x86)\TVersitybar\tbTVer.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{66bd2442-241b-44cd-8c7a-b51037053cdb}"= "c:\program files (x86)\TVersitybar\tbTVer.dll" [2010-10-10 3906656]
.
[HKEY_CLASSES_ROOT\clsid\{66bd2442-241b-44cd-8c7a-b51037053cdb}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 4"="d:\advanced systemcare 4\ASCTray.exe" [2011-05-28 412560]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-02-18 39408]
"Desura"="d:\games\Desura\desura.exe" [2011-08-29 2514248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2009-05-18 2157056]
"TkBellExe"="d:\realplayer\update\realsched.exe" [2011-05-15 273544]
.
c:\users\Skizzle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2009-9-9 576000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
R2 FordEcatAppServer;FordEcatAppServer;d:\ecat\runtimes\applicationserver\lib\appservService.exe [x]
R2 FordEcatUpdateTaskScheduler;FordEcatUpdateTaskScheduler;d:\ecat\applications\updatescheduler\bin\JavaService.exe [x]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-18 136176]
R2 MotoHelper;MotoHelper Service;c:\program files (x86)\Motorola\MotoHelper\MotoHelperService.exe [x]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [x]
R3 Desura Install Service;Desura Install Service;c:\program files (x86)\Common Files\Desura\desura_service.exe [2011-08-29 131912]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-18 136176]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [x]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [x]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [x]
R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys [x]
R3 X6va005;X6va005;c:\users\Skizzle\AppData\Local\Temp\005E955.tmp [x]
R4 AODService;AODService;c:\program files (x86)\AMD\OverDrive\AODAssist.exe [2009-04-22 124256]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
S1 GizmoDrv;Gizmo Device Driver; [x]
S2 AdvancedSystemCareService;Advanced SystemCare Service;d:\advanced systemcare 4\ASCService.exe [2011-05-28 353168]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-02-07 158112]
S2 MSSQL$FORDECATDB;SQL Server (FORDECATDB);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2011-01-11 29178224]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-18 21:16]
.
2011-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-18 21:16]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Internet Security"="d:\comodo\COMODO Internet Security\cfp.exe" [2011-05-15 9057608]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1
DPF: {23A2712A-7A4F-4D0C-822C-D7BA9974447B} - hxxps://registration.rr.com/RegHelper.cab
FF - ProfilePath - c:\users\Skizzle\AppData\Roaming\Mozilla\Firefox\Profiles\kumon8qn.default\
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{66BD2442-241B-44CD-8C7A-B51037053CDB} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va005]
"ImagePath"="\??\c:\users\Skizzle\AppData\Local\Temp\005E955.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\DAODx.exe
d:\advanced systemcare 4\PMonitor.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\programdata\TVersity\Media Server\MediaServer.exe
.
**************************************************************************
.
Completion time: 2011-08-31 09:12:07 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-31 13:12
ComboFix2.txt 2011-08-31 07:35
ComboFix3.txt 2011-08-20 21:17
.
Pre-Run: 103,608,684,544 bytes free
Post-Run: 103,572,480,000 bytes free
.
- - End Of File - - E038A52541CC28F3BE4A9D4D6D81796C

Edited by Skizzle, 31 August 2011 - 08:22 AM.
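
A triage pass over the ComboFix excerpt above, written as an added example (not ComboFix's own code and not anything posted in this thread): it parses the "Reg Loading Points" layout, flags UAC policy values set to 0, any AppInit_DLLs entry, and services loading from a Temp folder, and notes service entries ComboFix printed with [x] in place of a size/date stamp. The sample lines are copied from the log; the findings are items for a helper to verify, not verdicts.

```python
import re
from dataclasses import dataclass

# Constructed sample: the lines are taken from the ComboFix "Reg Loading Points"
# section posted above (registry keys in [brackets], "Name"= value lines, and
# service lines shaped  <R|S><n> <name>;<display name>;<path> [<date size> | x]).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-18 136176]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 X6va005;X6va005;c:\users\Skizzle\AppData\Local\Temp\005E955.tmp [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")

# Under ...\policies\system, these values mean UAC is effectively switched off
# (the Windows 7 defaults are EnableLUA=1, ConsentPromptBehaviorAdmin=5,
# PromptOnSecureDesktop=1).
UAC_OFF = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}


@dataclass(frozen=True)
class Finding:
    kind: str       # what was matched
    severity: str   # how urgently a helper should look at it
    detail: str     # human-readable explanation
    name: str = ""  # service or value name the finding refers to


def looks_like_temp(path: str) -> bool:
    """True when a load path sits inside a Temp folder or is a .tmp file."""
    p = path.lower()
    return "\\temp\\" in p or p.endswith(".tmp")


def triage(log_text: str) -> list[Finding]:
    """Single pass over the excerpt; entries with nothing to flag yield no finding."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, path, stamp = m.groups()
            if looks_like_temp(path):
                findings.append(Finding("temp_path_service", "high",
                    f"{start} {name} loads from {path}; services rarely belong there", name))
            if stamp == "x":
                findings.append(Finding("no_file_stamp", "low",
                    f"{start} {name}: no size/date recorded for {path or '(no path)'}", name))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        vname, value = m.groups()
        if current_key.endswith(r"policies\system"):
            number = value.split()[0] if value else ""
            if UAC_OFF.get(vname) == number:
                findings.append(Finding("uac_disabled", "high",
                    f"{vname} = {number} under {current_key}", vname))
        elif vname.lower() == "appinit_dlls" and value:
            findings.append(Finding("appinit_dll", "medium",
                f"AppInit_DLLs injects {value} into user-mode processes that load user32; "
                "confirm it belongs to an installed product", value))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
```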


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:43 PM

Posted 31 August 2011 - 08:23 AM

Hi, do you have any problem left?

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7.
  • Look for "JDK 7 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#13 Skizzle

Skizzle
  • Topic Starter

  • Members
  • 28 posts
  • Local time:02:43 PM

Posted 31 August 2011 - 08:29 AM

Downloading files and pending a run now.

The two connections blocked were:
217.212.238.119:3478
209.170.97.205:3478
My tracer tells me top ip is located in France, and secondary ip is in Massachusetts.
Kinda concerns me a little bit.

Update:
Currently running mbam, and on a side note, wasn't mbam free at one point? It has me on a trial right now.

Edited by Skizzle, 31 August 2011 - 08:36 AM.


#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:43 PM

Posted 31 August 2011 - 08:53 AM

Where do you see these blocked connections (are they still being blocked)?

regards, Elise




#15 Skizzle

Skizzle
  • Topic Starter

  • Members
  • 28 posts
  • Local time:02:43 PM

Posted 31 August 2011 - 09:00 AM

Came up through Comodo Defense+, still blocked.

Posted Image

Edited by Skizzle, 31 August 2011 - 09:05 AM.




