Search Redirects and IE opening in background after Removing System Restore Malware


  • This topic is locked
20 replies to this topic

#1 Narfy

Narfy

  • Members
  • 10 posts
  • OFFLINE

Posted 09 November 2011 - 07:46 PM

Hello,

Recently, my computer was infected with the "System Restore" Malware. I followed the steps located at http://www.bleepingcomputer.com/virus-removal/remove-system-restore and was able to successfully remove the malware. However, after these actions I am still seeing some odd behavior.

My SATA HDDs on SATA channels 1 & 2 are no longer being recognized, and attempting to initialize them in Disk Management results in an I/O device error. Links in search results displayed with either Google or Bing are being redirected to other sites. Additionally, an iexplore.exe process opens periodically in the background and appears to randomly play audio from a video or radio stream (with no open IE window). Ending the process immediately stops the audio; however, another iexplore.exe will open shortly after. Computer response is also quite slow, however that may be attributed to disk issues (swap files were originally located on the disk on Channel 1).

Currently I have Microsoft Forefront Endpoint Protection installed as virus/malware protection. Additionally I have run scans with Malwarebytes Anti-Malware and the tdsskiller with no success in detecting any running rootkits.

DDS & GMER logs included

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Arren at 15:24:28 on 2011-11-09
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.8190.6176 [GMT -8:00]
.
AV: Microsoft Forefront Endpoint Protection *Enabled/Updated* {2E6C4BAB-3371-CD46-62DC-0E0A86B42619}
SP: Microsoft Forefront Endpoint Protection *Enabled/Updated* {950DAA4F-154B-C2C8-586C-3578FD336CA4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Forefront\Forefront System\Client\AntiMalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Microsoft Forefront\Forefront System\Client\Agent\FSysAgent.exe
C:\Program Files\System Center Operations Manager 2007\HealthService.exe
C:\Program Files\Microsoft LifeCam\MSCamS64.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\IT Connection Manager\SRUserService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\vVX6000.exe
C:\Program Files\Microsoft Forefront\Forefront System\Client\UX\FSysClientUI.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Users\Arren\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\WerCon.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\mobsync.exe
C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\cscript.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
uRun: [googletalk] C:\Users\Arren\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
uRun: [MsnMsgr] "C:\Program Files (x86)\Windows Live\Messenger\MsnMsgr.Exe" /background
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [Eye-Fi] "C:\Program Files (x86)\E
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] C:\PROGRA~2\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
mRun: [EasyTuneVI] C:\Program Files (x86)\GIGABYTE\ET6\ETcall.exe
mRun: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Arren\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with KUSO EXIF Viewer - C:\Program Files (x86)\KUSO EXIF Viewer\EXIF.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
Trusted Zone: kongregate.com\www
Trusted Zone: microsoft.com\im
Trusted Zone: microsoft.com\lslm01.meet
Trusted Zone: microsoft.com\lslm02.meet
Trusted Zone: microsoft.com\lslm03.meet
Trusted Zone: microsoft.com\lslm11.meet
Trusted Zone: microsoft.com\lslm12.meet
Trusted Zone: microsoft.com\lslm21.meet
Trusted Zone: microsoft.com\lslm22.meet
Trusted Zone: microsoft.com\mail
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{7C32C880-FD3E-447C-8121-0F91C4579637} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{FFF0D9F7-47F9-4A3E-9DAC-A97F6B009446} : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO-X64: Skype add-on (mastermind): {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
BHO-X64: Skype add-on (mastermind) - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
TB-X64: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB-X64: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
mRun-x64: [Adobe_ID0EYTHM] C:\PROGRA~2\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
mRun-x64: [EasyTuneVI] C:\Program Files (x86)\GIGABYTE\ET6\ETcall.exe
mRun-x64: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
mRun-x64: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun-x64: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-11-09 23:20:42 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{F0E8276E-8B46-479E-BECD-EDB31D370475}\offreg.dll
2011-11-09 21:50:09 -------- d-----w- C:\Users\Arren\AppData\Local\{547F5A26-C85C-4FD1-BAF5-E540823AF65F}
2011-11-09 21:49:48 -------- d-----w- C:\Users\Arren\AppData\Local\{54EDB889-500C-4EE9-A911-7D059D0A7547}
2011-11-09 21:46:51 -------- d-sh--w- C:\$RECYCLE.BIN
2011-11-09 07:57:48 8570192 ----a-w- C:\ProgramData\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{F0E8276E-8B46-479E-BECD-EDB31D370475}\mpengine.dll
2011-11-09 07:54:58 1426304 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-11-09 07:54:55 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
2011-11-09 07:54:55 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat
2011-11-09 07:54:54 893440 ----a-w- C:\Program Files\Common Files\System\wab32.dll
2011-11-09 07:54:54 707584 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll
2011-11-09 07:54:54 50688 ----a-w- C:\Program Files\Windows Mail\wabimp.dll
2011-11-09 06:53:19 98816 ----a-w- C:\Windows\sed.exe
2011-11-09 06:53:19 518144 ----a-w- C:\Windows\SWREG.exe
2011-11-09 06:53:19 256000 ----a-w- C:\Windows\PEV.exe
2011-11-09 06:53:19 208896 ----a-w- C:\Windows\MBR.exe
2011-11-09 06:52:11 -------- d-----w- C:\ComboFix
2011-11-09 02:48:07 -------- d-----w- C:\Users\Arren\AppData\Local\{E1575334-6A60-4826-B3D0-65FBBCD09A66}
2011-11-09 02:47:39 -------- d-----w- C:\Users\Arren\AppData\Local\{11C37E31-EC84-4CDD-8D8D-534B3EB76D53}
2011-11-08 21:03:18 -------- d-----w- C:\Users\Arren\AppData\Local\uTorrent
2011-11-08 07:45:36 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-11-08 07:21:14 -------- d-----w- C:\Users\Arren\AppData\Local\{1553A2A6-76B4-4324-848E-25993F1BC144}
2011-11-08 07:20:31 -------- d-----w- C:\Users\Arren\AppData\Local\{BDF9EE89-C880-4023-B7F7-60CD727C943A}
2011-11-08 06:07:41 -------- d-----w- C:\Users\Arren\AppData\Local\{4F00D0C5-86DB-4298-8889-7A42B2449398}
2011-11-08 06:07:30 -------- d-----w- C:\Users\Arren\AppData\Local\{6FA0EF86-E435-4F31-A2F8-AEB8A72650B1}
2011-11-08 03:32:49 -------- d-----w- C:\Users\Arren\AppData\Roaming\Malwarebytes
2011-11-08 03:32:35 -------- d-----w- C:\ProgramData\Malwarebytes
2011-11-08 03:32:30 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-11-08 02:46:34 -------- d-----w- C:\Users\Arren\AppData\Local\{011CC331-D62B-4287-A973-A2E378F3BFC7}
2011-10-28 06:27:11 -------- d-----w- C:\Users\Arren\AppData\Local\{7CCD6025-3546-497D-83A9-3DC07B381E3A}
2011-10-28 06:27:00 -------- d-----w- C:\Users\Arren\AppData\Local\{13E2733E-5DE6-4D85-BE12-4554AE068EED}
2011-10-27 04:11:50 -------- d-----w- C:\Games
2011-10-23 07:05:04 -------- d-----w- C:\Users\Arren\AppData\Roaming\Unity
2011-10-23 06:57:05 -------- d-----w- C:\Windows\System32\ms-MY
2011-10-23 06:54:58 -------- d-----w- C:\Windows\System32\drivers\UMDF\it-IT
2011-10-23 06:54:55 -------- d-----w- C:\Windows\System32\drivers\UMDF\de-DE
2011-10-23 06:54:49 -------- d-----w- C:\Windows\System32\drivers\UMDF\fr-FR
2011-10-23 06:54:44 -------- d-----w- C:\Windows\System32\drivers\UMDF\es-ES
2011-10-19 05:32:43 -------- d-----w- C:\Users\Arren\AppData\Local\Unity
2011-10-15 18:11:35 -------- d-----w- C:\Users\Arren\AppData\Local\{677715ED-391D-4877-A771-A855124B47C1}
2011-10-12 20:23:21 -------- d-----w- C:\Users\Arren\AppData\Local\{DC4333EB-583C-47EC-9E63-6D5589E27E49}
2011-10-12 20:23:06 -------- d-----w- C:\Users\Arren\AppData\Local\{07555B23-7A6C-479A-BD4D-61E1CBBAEBD1}
2011-10-12 03:12:54 332288 ----a-w- C:\Windows\System32\oleacc.dll
2011-10-12 03:12:54 238080 ----a-w- C:\Windows\SysWow64\oleacc.dll
2011-10-12 03:12:53 555520 ----a-w- C:\Windows\SysWow64\UIAutomationCore.dll
2011-10-12 03:12:52 847360 ----a-w- C:\Windows\System32\oleaut32.dll
2011-10-12 03:12:52 735744 ----a-w- C:\Windows\System32\UIAutomationCore.dll
2011-10-12 03:12:52 563712 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-10-12 03:12:52 4096 ----a-w- C:\Windows\SysWow64\oleaccrc.dll
2011-10-12 03:12:52 4096 ----a-w- C:\Windows\System32\oleaccrc.dll
2011-10-12 03:04:31 2764288 ----a-w- C:\Windows\System32\win32k.sys
2011-10-12 03:01:08 375808 ----a-w- C:\Windows\System32\psisdecd.dll
2011-10-12 03:01:08 293376 ----a-w- C:\Windows\SysWow64\psisdecd.dll
2011-10-12 03:01:08 289792 ----a-w- C:\Windows\System32\psisrndr.ax
2011-10-12 03:01:08 217088 ----a-w- C:\Windows\SysWow64\psisrndr.ax
2011-10-12 03:01:08 100352 ----a-w- C:\Windows\System32\Mpeg2Data.ax
2011-10-12 03:01:07 73216 ----a-w- C:\Windows\System32\MSDvbNP.ax
2011-10-12 03:01:07 69632 ----a-w- C:\Windows\SysWow64\Mpeg2Data.ax
2011-10-12 03:01:07 57856 ----a-w- C:\Windows\SysWow64\MSDvbNP.ax
.
==================== Find3M ====================
.
2011-11-09 23:23:45 30528 ----a-w- C:\Windows\GVTDrv64.sys
2011-11-09 23:23:00 25640 ----a-w- C:\Windows\gdrv.sys
2011-10-06 23:00:44 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-03 13:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-09-28 04:19:38 1447936 ----a-w- C:\Windows\System32\drivers\athrx.sys
2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2007-03-09 07:12:32 27648 --sha-w- C:\Windows\SysWOW64\AVSredirect.dll
.
============= FINISH: 15:38:29.05 ===============
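As an added example (not part of this thread, and not code from DDS or BleepingComputer), the following Python script parses the "Pseudo HJT Report" section of a DDS log like the one above and pulls out the entries a log reviewer usually triages first: browser helper objects and toolbars, Run keys, IE Trusted Zone additions, DPF ActiveX downloads, and the start page. The sample input is a handful of lines copied from the log in this post; the review flags (orphaned "No File" entries, autostarts from a user-writable AppData path, Trusted Zone sites, DPF download hosts) are this example's own heuristics for deciding what to look at, not verdicts, and not anything DDS itself computes.

```python
import re
from dataclasses import dataclass, field
from typing import Iterator, List

# Sample input: a handful of lines copied from the DDS "Pseudo HJT Report" in the post above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
uRun: [googletalk] C:\Users\Arren\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
Trusted Zone: kongregate.com\www
Trusted Zone: microsoft.com\mail
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
TCP: DhcpNameServer = 192.168.0.1
BHO-X64: Skype add-on (mastermind) - No File
.
============= SERVICES / DRIVERS ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")          # "===== Section Name ====="
START_PAGE_RE = re.compile(r"^[um]Start Page\s*=\s*(.*)$")
DPF_HOST_RE = re.compile(r"hxxps?://([^/\s]+)", re.I)   # DDS defangs http as hxxp


@dataclass
class Finding:
    kind: str                                        # BHO, TB, SEH, Run, StartPage, TrustedZone, DPF
    detail: str                                      # the entry as DDS printed it, minus the prefix
    flags: List[str] = field(default_factory=list)   # why a reviewer should look at it


def section_lines(text: str, name: str) -> Iterator[str]:
    """Yield the non-empty lines between the named banner and the next banner."""
    inside = False
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            inside = m.group(1).lower() == name.lower()
            continue
        if inside and line.strip() not in ("", "."):
            yield line.rstrip()


def parse_hjt(text: str) -> List[Finding]:
    """Turn the Pseudo HJT Report into Finding records; the flags are our heuristics, not DDS's."""
    findings: List[Finding] = []
    for line in section_lines(text, "Pseudo HJT Report"):
        sp = START_PAGE_RE.match(line)
        if sp:  # handled first: "about:blank" contains a colon, so partition() would mis-split it
            f = Finding("StartPage", sp.group(1))
            if sp.group(1).lower() != "about:blank":
                f.flags.append("start page points at an external URL")
            findings.append(f)
            continue
        key, _, rest = line.partition(":")
        key, rest = key.strip(), rest.strip()
        base = key.split("-")[0]          # "BHO-X64" -> "BHO", "mRun-x64" -> "mRun"
        if base in ("BHO", "TB", "SEH"):
            f = Finding(base, rest)
            if rest.endswith("No File"):
                f.flags.append("orphaned entry: registered but the DLL is missing")
            findings.append(f)
        elif base in ("uRun", "mRun", "StartupFolder"):
            f = Finding("Run", f"{base} {rest}")
            if re.search(r"\\AppData\\", rest, re.I):
                f.flags.append("autostart from a user-writable AppData path")
            findings.append(f)
        elif key == "Trusted Zone":
            findings.append(Finding("TrustedZone", rest,
                                    ["site runs with the relaxed IE Trusted Zone settings"]))
        elif base == "DPF":
            host = DPF_HOST_RE.search(rest)
            where = host.group(1) if host else "unknown host"
            findings.append(Finding("DPF", rest, [f"ActiveX package downloaded from {where}"]))
        # everything else (TCP, Handler, IE context-menu entries, mPolicies) is left for manual review
    return findings


def flagged(text: str) -> List[Finding]:
    """Only the entries that carry at least one review flag."""
    return [f for f in parse_hjt(text) if f.flags]


if __name__ == "__main__":
    for f in flagged(SAMPLE_DDS):
        print(f"[{f.kind}] {f.detail}\n    -> " + "; ".join(f.flags))
```

Run against the sample it reports the orphaned toolbar and BHO entries, the Google Talk autostart under AppData, both Trusted Zone sites and the DivX DPF download; every one of those is legitimate on this machine, which is the point: the script narrows a 100-line section to the handful of entries a human should confirm, it does not decide for them. To use it on a full log, read the file into `text` and call `flagged(text)`.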

Attached Files


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,699 posts
  • OFFLINE
  • Gender:Male

Posted 14 November 2011 - 07:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/427154 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Narfy

Narfy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 16 November 2011 - 12:03 AM

I do still need assistance. I am not currently at the affected machine, however nothing has changed. The machine has been shut down for most of the time from the original logs to current.

#4 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country

Posted 17 November 2011 - 08:07 AM

Hello Narfy,

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy. As you can see the logs we ask for are very extensive and take a lot of time to investigate.

Please subscribe to this topic. Click on the Watch Topic button, select Immediate Notification and click on proceed.

Please make sure Word Wrap in notepad is turned off. When copying and pasting logs paste them directly in the reply box. Only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box. Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7 it may be necessary to right-click any programs we use and choose Run as Administrator.

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you are having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thank you for your patience!!


---------------------------------------------------

We need to create an OTL Report
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


In your next reply please include the following:

OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized



Thanks!!
PW

#5 Narfy

Narfy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 17 November 2011 - 04:21 PM

OTL didn't actually generate an Extra.txt file....

OTL.txt log file included below:

OTL logfile created on: 11/17/2011 1:18:22 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\Arren\Desktop
64bit-Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

8.00 Gb Total Physical Memory | 5.65 Gb Available Physical Memory | 70.63% Memory free
16.18 Gb Paging File | 13.69 Gb Available in Paging File | 84.60% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 698.63 Gb Total Space | 52.89 Gb Free Space | 7.57% Space Free | Partition Type: NTFS
Drive D: | 698.63 Gb Total Space | 247.55 Gb Free Space | 35.43% Space Free | Partition Type: NTFS

Computer Name: MIRANDA | User Name: Arren | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/17 13:07:28 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Arren\Desktop\OTL.exe
PRC - [2011/11/08 13:04:14 | 000,641,400 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files (x86)\uTorrent\uTorrent.exe
PRC - [2011/08/30 12:24:59 | 000,624,056 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
PRC - [2010/01/29 00:05:04 | 000,764,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\vVX6000.exe
PRC - [2009/09/19 22:42:50 | 000,655,624 | ---- | M] (Acresso Software Inc.) -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/03/25 16:21:56 | 000,219,656 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe
PRC - [2008/02/27 10:37:20 | 000,260,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\IT Connection Manager\SRUserService.exe


========== Modules (No Company Name) ==========

MOD - [2010/11/17 13:16:56 | 000,067,872 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2009/07/23 10:08:48 | 002,236,487 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\ET6\Normal.dll
MOD - [2009/07/22 17:57:56 | 000,262,144 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\ET6\MFCCPU.dll
MOD - [2009/07/07 14:37:48 | 000,135,168 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\ET6\OCK.dll
MOD - [2009/07/02 15:00:02 | 000,327,747 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\ET6\work.dll
MOD - [2009/06/16 15:06:12 | 000,192,512 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\ET6\GVTunner.dll
MOD - [2009/04/16 13:31:28 | 000,106,496 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\ET6\HM.dll
MOD - [2009/03/13 10:30:44 | 000,109,096 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\ET6\ycc.dll
MOD - [2009/02/22 23:21:28 | 004,296,704 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\ET6\AODAPI.dll
MOD - [2008/09/01 13:26:32 | 000,102,400 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\ET6\SF.dll
MOD - [2008/05/07 14:22:58 | 000,102,400 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\ET6\CIAMIB.dll
MOD - [2008/03/25 16:21:56 | 000,219,656 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\ET6\GUI.exe
MOD - [2003/02/14 13:11:46 | 000,102,400 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\ET6\Sound.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/08/05 11:53:12 | 000,467,680 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV:64bit: - [2011/08/05 11:53:12 | 000,306,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
SRV:64bit: - [2011/08/05 11:53:06 | 008,277,728 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV:64bit: - [2010/03/12 17:40:18 | 000,199,536 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS64.exe -- (MSCamSvc)
SRV:64bit: - [2009/09/19 22:43:01 | 001,038,088 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe -- (FLEXnet Licensing Service 64)
SRV:64bit: - [2009/09/02 20:47:58 | 000,298,864 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Forefront\Forefront System\Client\Agent\FSysAgent.exe -- (FSysAgent)
SRV:64bit: - [2009/07/02 18:42:36 | 000,017,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Forefront\Forefront System\Client\AntiMalware\MsMpEng.exe -- (FCSAM)
SRV:64bit: - [2009/05/08 20:35:22 | 000,343,936 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysNative\AdtAgent.exe -- (AdtAgent)
SRV:64bit: - [2009/05/08 20:27:48 | 000,030,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\System Center Operations Manager 2007\HealthService.exe -- (HealthService)
SRV:64bit: - [2008/01/19 00:06:50 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2008/01/19 00:00:52 | 000,195,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2011/01/05 13:52:43 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/09/19 22:42:50 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/03/29 20:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/02/27 10:37:20 | 000,260,232 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\IT Connection Manager\SRUserService.exe -- (SRUserService)
SRV - [2007/12/14 10:46:28 | 000,047,624 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files (x86)\GIGABYTE\GEST\GSvr.exe -- (GEST Service)
SRV - [2007/05/31 09:11:54 | 000,443,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 09:11:46 | 000,225,672 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2007/03/20 16:41:24 | 000,153,792 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe -- (Adobe Version Cue CS3)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/09/27 20:19:38 | 001,447,936 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\athrx.sys -- (athr)
DRV:64bit: - [2010/11/06 21:24:34 | 000,024,176 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV:64bit: - [2010/06/23 09:21:34 | 000,318,568 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2010/01/29 00:05:06 | 002,143,600 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\VX6000Xp.sys -- (VX6000)
DRV:64bit: - [2009/09/30 16:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2009/05/22 15:08:37 | 000,036,352 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\VClone.sys -- (VClone)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/04/10 21:39:37 | 000,032,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\usbser.sys -- (usbser)
DRV:64bit: - [2009/04/10 21:34:05 | 000,038,400 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\usbccid.sys -- (USBCCID)
DRV:64bit: - [2009/02/17 09:11:25 | 000,031,400 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV:64bit: - [2009/01/07 18:21:26 | 000,033,160 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\point64k.sys -- (Point64)
DRV:64bit: - [2008/10/20 15:24:33 | 000,084,288 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ftser2k.sys -- (FTSER2K)
DRV:64bit: - [2008/10/20 15:24:33 | 000,068,800 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ftdibus.sys -- (FTDIBUS)
DRV:64bit: - [2008/08/28 00:12:10 | 000,051,240 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btusbflt.sys -- (btusbflt)
DRV:64bit: - [2008/06/27 06:51:10 | 000,088,632 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\adfs.sys -- (adfs)
DRV:64bit: - [2008/03/12 23:46:00 | 000,027,136 | ---- | M] (ManyCam LLC.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\ManyCam_x64.sys -- (ManyCam)
DRV:64bit: - [2008/02/29 02:17:08 | 000,041,488 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\LUsbFilt.Sys -- (LUsbFilt)
DRV:64bit: - [2008/02/29 02:16:52 | 000,057,360 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\LMouFilt.Sys -- (LMouFilt)
DRV:64bit: - [2008/02/29 02:16:44 | 000,054,800 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\LHidFilt.Sys -- (LHidFilt)
DRV:64bit: - [2008/01/18 23:11:31 | 000,022,528 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\WSDPrint.sys -- (WSDPrintDevice)
DRV:64bit: - [2007/03/08 14:19:00 | 000,012,800 | ---- | M] (GARMIN Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\grmnusb.sys -- (grmnusb)
DRV:64bit: - [2007/01/25 09:31:38 | 000,040,208 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\npf.sys -- (NPF)
DRV:64bit: - [2007/01/12 16:43:40 | 000,037,552 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\frmupgr.sys -- (DFUBTUSB)
DRV - [2011/11/17 12:54:32 | 000,030,528 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\GVTDrv64.sys -- (GVTDrv64)
DRV - [2011/11/17 12:54:08 | 000,025,640 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\gdrv.sys -- (gdrv)
DRV - [2009/09/18 03:12:10 | 000,025,640 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\etdrv.sys -- (etdrv)
DRV - [2009/02/22 23:21:54 | 000,014,904 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files (x86)\GIGABYTE\ET6\amd64\AODDriver.sys -- (AODDriver)
DRV - [2008/08/14 06:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysWow64\drivers\adfs.sys -- (adfs)
DRV - [2007/10/16 15:15:26 | 000,036,416 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\ET5Drv.sys -- (ET5Drv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@garmin.com/GpsControl: C:\Program Files (x86)\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/Photosynth,version=2.0: C:\Program Files (x86)\Photosynth\npPhotosynthMozilla.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files (x86)\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.775: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.775: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=1.0.0.0: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.775: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Arren\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)



O1 HOSTS File: ([2011/11/08 23:45:43 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg64.dll (Google Inc.)
O2:64bit: - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll File not found
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\/Adobe Contribute CS3/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (@msdxmLC.dll,-1@1033,&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\SysWOW64\Msdxm6.ocx (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No CLSID value found.
O3 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [FCS Notify Icon] C:\Program Files\Microsoft Forefront\Forefront System\Client\UX\FSysClientUI.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [VX6000] C:\Windows\vVX6000.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Windows Mobile Device Center] C:\Windows\WindowsMobile\wmdc.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe_ID0EYTHM] C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [EasyTuneVI] C:\Program Files (x86)\GIGABYTE\ET6\ETcall.exe ()
O4 - HKLM..\Run: [LifeCam] C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000..\Run: [Eye-Fi] "C:\Program Files (x86)\E File not found
O4 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000..\Run: [googletalk] C:\Users\Arren\AppData\Roaming\Google\Google Talk\googletalk.exe (Google)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8:64bit: - Extra context menu item: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Open with KUSO EXIF Viewer - C:\Program Files (x86)\KUSO EXIF Viewer\EXIF.htm ()
O8 - Extra context menu item: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Open with KUSO EXIF Viewer - C:\Program Files (x86)\KUSO EXIF Viewer\EXIF.htm ()
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\..Trusted Domains: kongregate.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\..Trusted Domains: microsoft.com ([im] https in Trusted sites)
O15 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\..Trusted Domains: microsoft.com ([lslm01.meet] https in Trusted sites)
O15 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\..Trusted Domains: microsoft.com ([lslm02.meet] https in Trusted sites)
O15 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\..Trusted Domains: microsoft.com ([lslm03.meet] https in Trusted sites)
O15 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\..Trusted Domains: microsoft.com ([lslm11.meet] https in Trusted sites)
O15 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\..Trusted Domains: microsoft.com ([lslm12.meet] https in Trusted sites)
O15 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\..Trusted Domains: microsoft.com ([lslm21.meet] https in Trusted sites)
O15 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\..Trusted Domains: microsoft.com ([lslm22.meet] https in Trusted sites)
O15 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000\..Trusted Domains: microsoft.com ([mail] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 10.1.0)
O16 - DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 1.7.0_01)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 1.7.0_01)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx.com/player/DivXBrowserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7C32C880-FD3E-447C-8121-0F91C4579637}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FFF0D9F7-47F9-4A3E-9DAC-A97F6B009446}: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\vnd.ms.radio - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\Windows\SysWOW64\Msdxm6.ocx (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logitech\bluetooth\LBTWlgn.dll) - File not found
O22:64bit: - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\SysNative\DreamScene.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Arren\Pictures\2011-01\2011-01-30 Photos\Fav\Photos 013.JPG
O24 - Desktop BackupWallPaper: C:\Users\Arren\Pictures\2011-01\2011-01-30 Photos\Fav\Photos 013.JPG
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/17 13:07:28 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\Arren\Desktop\OTL.exe
[2011/11/17 12:57:11 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{47A87921-DFE7-4BA7-B164-B2D1E0252171}
[2011/11/17 12:56:49 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{BB5DB5DE-D6F9-4F25-8E80-6924FC3CEB0C}
[2011/11/16 17:04:20 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{D3B1D246-B2CF-4BA4-B690-E5C4DC7BCD53}
[2011/11/16 17:04:05 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{41BC9BFC-DE43-4B68-AEE1-0D6C4403CF7D}
[2011/11/15 17:24:14 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{A79A5DB7-A705-48CB-8131-0FF3CF944A2F}
[2011/11/15 17:23:54 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{C52948E1-FCE6-4BE0-BE32-ADBFD9FF9D05}
[2011/11/14 21:34:48 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{33A2329A-AFAC-4843-9AF1-3E5DE5066226}
[2011/11/14 21:34:28 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{FFF6B6A5-4B22-4E98-8563-6DA201FD7889}
[2011/11/14 09:23:38 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{C13DAE54-5161-418D-93DF-E1E8E3758851}
[2011/11/14 09:23:15 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{5E7F3A22-2805-4FEA-BC56-66BAA00D4904}
[2011/11/12 09:07:38 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{B056B68C-C3F1-498D-81F0-203B1FB0F615}
[2011/11/11 21:07:13 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{5BDB8B7C-EDD4-42A5-A488-9244D364D9D3}
[2011/11/11 21:07:02 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{70C0643D-DA6C-4EF2-BB76-A79ACA13D2BC}
[2011/11/11 11:55:00 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
[2011/11/11 09:33:46 | 000,252,296 | ---- | C] (Oracle Corporation) -- C:\Windows\SysNative\javaws.exe
[2011/11/11 09:33:46 | 000,188,808 | ---- | C] (Oracle Corporation) -- C:\Windows\SysNative\javaw.exe
[2011/11/11 09:33:46 | 000,188,808 | ---- | C] (Oracle Corporation) -- C:\Windows\SysNative\java.exe
[2011/11/11 09:31:55 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2011/11/11 09:06:06 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{312908C6-3685-4D0A-9333-1A0045B0A4D7}
[2011/11/11 09:05:25 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{039016C3-F675-4802-A2DE-E545C3E23CC0}
[2011/11/10 17:06:20 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/11/10 16:35:29 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{757EE0CA-47FA-4406-A5BA-81063316BF6F}
[2011/11/10 16:35:14 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{5D62CA63-D10E-4BD5-8C90-7ED262ADC8D5}
[2011/11/09 14:32:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java(141)
[2011/11/09 14:32:29 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2011/11/09 13:50:09 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{547F5A26-C85C-4FD1-BAF5-E540823AF65F}
[2011/11/09 13:49:48 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{54EDB889-500C-4EE9-A911-7D059D0A7547}
[2011/11/08 22:52:17 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/11/08 18:48:07 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{E1575334-6A60-4826-B3D0-65FBBCD09A66}
[2011/11/08 18:47:39 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{11C37E31-EC84-4CDD-8D8D-534B3EB76D53}
[2011/11/08 13:03:18 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\uTorrent
[2011/11/07 23:45:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/11/07 23:45:36 | 000,025,416 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2011/11/07 23:21:14 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{1553A2A6-76B4-4324-848E-25993F1BC144}
[2011/11/07 23:20:31 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{BDF9EE89-C880-4023-B7F7-60CD727C943A}
[2011/11/07 22:07:41 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{4F00D0C5-86DB-4298-8889-7A42B2449398}
[2011/11/07 22:07:30 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{6FA0EF86-E435-4F31-A2F8-AEB8A72650B1}
[2011/11/07 19:32:49 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Roaming\Malwarebytes
[2011/11/07 19:32:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/11/07 19:32:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/11/07 18:46:34 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{011CC331-D62B-4287-A973-A2E378F3BFC7}
[2011/10/29 11:33:16 | 000,000,000 | ---D | C] -- C:\Users\Arren\Documents\My Cheat Tables
[2011/10/27 22:27:11 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{7CCD6025-3546-497D-83A9-3DC07B381E3A}
[2011/10/27 22:27:00 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\{13E2733E-5DE6-4D85-BE12-4554AE068EED}
[2011/10/26 20:12:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sengoku Demo
[2011/10/26 20:11:50 | 000,000,000 | ---D | C] -- C:\Games
[2011/10/22 23:05:04 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Roaming\Unity
[2011/10/22 22:57:05 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\ms-MY
[2011/10/22 22:53:23 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zune
[2011/10/18 21:32:43 | 000,000,000 | ---D | C] -- C:\Users\Arren\AppData\Local\Unity

========== Files - Modified Within 30 Days ==========

[2011/11/17 13:10:03 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2011/11/17 13:07:28 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Arren\Desktop\OTL.exe
[2011/11/17 12:54:32 | 000,030,528 | ---- | M] () -- C:\Windows\GVTDrv64.sys
[2011/11/17 12:54:32 | 000,000,004 | ---- | M] () -- C:\Windows\SysWow64\GVTunner.ref
[2011/11/17 12:54:08 | 000,025,640 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\Windows\gdrv.sys
[2011/11/17 12:53:24 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/11/17 12:53:05 | 000,089,039 | ---- | M] () -- C:\ProgramData\nvModes.001
[2011/11/17 12:53:02 | 000,004,176 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/11/17 12:53:02 | 000,004,176 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/11/17 12:52:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/11/17 12:52:56 | 4293,386,239 | -HS- | M] () -- C:\hiberfil.sys
[2011/11/16 19:46:55 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2011/11/16 19:27:00 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/11/16 17:33:15 | 000,045,568 | ---- | M] () -- C:\Users\Arren\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/11/16 17:03:18 | 000,001,356 | ---- | M] () -- C:\Users\Arren\AppData\Local\d3d9caps.dat
[2011/11/15 01:22:23 | 000,723,694 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/11/15 01:22:23 | 000,619,404 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/11/15 01:22:23 | 000,108,356 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/11/11 20:32:38 | 976,500,418 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/11/11 11:55:12 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2011/11/11 09:32:12 | 000,627,600 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\deployJava1.dll
[2011/11/11 09:32:12 | 000,252,296 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\javaws.exe
[2011/11/11 09:32:12 | 000,188,808 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\javaw.exe
[2011/11/11 09:32:12 | 000,188,808 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\java.exe
[2011/11/10 18:56:32 | 000,001,460 | ---- | M] () -- C:\Users\Arren\AppData\Local\d3d9caps64.dat
[2011/11/09 15:15:19 | 000,000,000 | ---- | M] () -- C:\Users\Arren\defogger_reenable
[2011/11/08 23:45:43 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2011/11/08 22:37:38 | 000,000,764 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.new
[2011/11/07 15:40:19 | 000,089,039 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2011/10/27 15:18:23 | 000,000,975 | ---- | M] () -- C:\Users\Public\Desktop\Second Life Viewer 2.lnk
[2011/10/22 22:53:23 | 000,000,842 | ---- | M] () -- C:\Users\Public\Desktop\Zune.lnk

========== Files Created - No Company Name ==========

[2011/11/11 09:07:14 | 000,000,004 | ---- | C] () -- C:\Windows\SysWow64\GVTunner.ref
[2011/11/11 09:02:54 | 4293,386,239 | -HS- | C] () -- C:\hiberfil.sys
[2011/11/09 15:15:19 | 000,000,000 | ---- | C] () -- C:\Users\Arren\defogger_reenable
[2011/10/22 22:53:23 | 000,000,842 | ---- | C] () -- C:\Users\Public\Desktop\Zune.lnk
[2011/05/11 19:50:17 | 000,000,010 | ---- | C] () -- C:\Windows\WININIT.INI
[2011/04/09 17:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011/04/02 09:54:31 | 001,936,528 | ---- | C] () -- C:\Windows\SysWow64\ltmm15.dll
[2011/01/29 02:04:30 | 000,085,504 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2010/11/25 10:14:16 | 000,000,008 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2010/06/24 09:35:48 | 000,000,760 | ---- | C] () -- C:\Users\Arren\AppData\Roaming\setup_ldm.iss
[2010/05/27 19:14:32 | 000,000,130 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
[2010/03/22 14:35:51 | 000,089,039 | ---- | C] () -- C:\ProgramData\nvModes.001
[2010/03/22 14:35:48 | 000,089,039 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/11/27 04:43:46 | 000,001,696 | ---- | C] () -- C:\Windows\aopr.ini
[2009/10/07 18:20:22 | 000,027,991 | ---- | C] () -- C:\Users\Arren\AppData\Roaming\OFMissionEditorConfig.xml
[2009/09/24 00:10:13 | 001,970,176 | ---- | C] () -- C:\Windows\SysWow64\d3dx9.dll
[2009/09/18 03:13:32 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll
[2009/09/18 03:12:49 | 000,107,612 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchema.bin
[2009/09/18 03:12:07 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/09/12 09:48:24 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat
[2009/08/19 01:19:50 | 000,030,528 | ---- | C] () -- C:\Windows\GVTDrv64.sys
[2009/05/27 14:05:18 | 000,033,576 | ---- | C] () -- C:\Windows\SysWow64\BCGPOleAcc.dll
[2009/03/15 13:14:57 | 000,001,356 | ---- | C] () -- C:\Users\Arren\AppData\Local\d3d9caps.dat
[2009/02/21 06:20:35 | 002,463,976 | ---- | C] () -- C:\Windows\SysWow64\NPSWF32.dll
[2008/12/26 15:31:10 | 000,000,571 | ---- | C] () -- C:\Users\Arren\AppData\Roaming\AutoGK.ini
[2008/12/26 14:40:54 | 000,043,698 | ---- | C] () -- C:\Windows\SysWow64\xvid-uninstall.exe
[2008/11/27 03:28:08 | 000,044,544 | ---- | C] () -- C:\Windows\SysWow64\Gif89.dll
[2008/09/17 02:00:39 | 000,018,904 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchemaTrivial.bin
[2008/09/02 20:18:23 | 000,004,096 | ---- | C] () -- C:\Users\Arren\AppData\Local\keyfile3.drm
[2008/05/10 10:58:10 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2008/04/29 22:46:16 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2008/04/14 22:47:42 | 000,019,456 | ---- | C] () -- C:\Windows\SysWow64\SMSRsGen.dll
[2008/04/13 22:09:24 | 000,045,568 | ---- | C] () -- C:\Users\Arren\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/04/12 08:59:04 | 000,001,460 | ---- | C] () -- C:\Users\Arren\AppData\Local\d3d9caps64.dat
[2007/07/25 05:24:28 | 001,559,040 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll
[2007/04/10 13:46:32 | 000,015,497 | ---- | C] () -- C:\Windows\VX6KStd.ini
[2007/03/10 03:51:48 | 000,282,624 | ---- | C] () -- C:\Windows\SysWow64\xvidvfw.dll
[2007/03/08 23:12:32 | 000,027,648 | -HS- | C] () -- C:\Windows\SysWow64\AVSredirect.dll
[2007/01/25 09:31:36 | 000,053,299 | ---- | C] () -- C:\Windows\SysWow64\pthreadVC.dll
[2006/11/02 07:35:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 04:37:14 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2006/11/02 04:24:17 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2006/11/02 04:18:17 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2006/11/02 01:47:54 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin

< End of report >

#6 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country
  • Local time:08:40 PM

Posted 17 November 2011 - 05:16 PM

Hi Narfy,

Is this a business computer? If so, have you contacted your IT department? :)



Thanks!!
PW

#7 Narfy (Topic Starter)

  • Members
  • 10 posts
  • Local time:05:40 PM

Posted 17 November 2011 - 05:18 PM

Personal Computer, it was the machine I used to work from home originally. Now it is just my personal machine.

#8 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country
  • Local time:08:40 PM

Posted 17 November 2011 - 06:57 PM

Hi Narfy,

Personal Computer, it was the machine I used to work from home originally. Now it is just my personal machine.

It will be later this evening or in the morning before I can get back to you.

Thanks for your patience.
PW

#9 Narfy (Topic Starter)

  • Members
  • 10 posts
  • Local time:05:40 PM

Posted 18 November 2011 - 03:27 AM

Thanks, let me know. Ran another MalwareBytes and a separate Forefront Security scan with nothing detected. Issue is still ongoing and I had to have the machine on for a bit, so I changed the iexplore.exe file name to prevent any more errant browser windows being opened for the time being.

#10 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country
  • Local time:08:40 PM

Posted 18 November 2011 - 03:52 AM

Hi Narfy,

Step 1.

Make sure System Restore is turned on.


1.Click Start
2.Right click on My Computer
3.Select Properties
4.From the tasks pane on the left, click System Protection
5.Select a disk (place check mark in box if it is not already checked) from the list, usually C:, and click on the Create button.
6.Type a name to describe this restore point (ex. "Before driver update")
7.Click Create button

When finished, Windows opens a window stating that the restore point was created successfully.

Reboot your computer.

Step 2.

Going over your logs I noticed that you have µTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs in XP or Programs and Features in Vista and Windows 7.

If you wish to keep it, please do not use it until your computer is cleaned.


Step 3.

I notice that you are allowing or placing sites in the Internet Explorer Trusted Zone.

"Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone.
There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge.
It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge as these sites will be in the Trusted Zone."

In your case I see you have the following sites in the trusted zone:


kongregate.com ([www] http in Trusted sites)
microsoft.com ([im] https in Trusted sites)
microsoft.com ([lslm01.meet] https in Trusted sites)
microsoft.com ([lslm02.meet] https in Trusted sites)
microsoft.com ([lslm03.meet] https in Trusted sites)
microsoft.com ([lslm11.meet] https in Trusted sites)
microsoft.com ([lslm12.meet] https in Trusted sites)
microsoft.com ([lslm21.meet] https in Trusted sites)
microsoft.com ([lslm22.meet] https in Trusted sites)
microsoft.com ([mail] https in Trusted sites)


I suggest you do not allow any sites in the Trusted Zone for the above stated reasons.

To remove sites from the Trusted Zone
Close any Internet Explorer or Windows Explorer windows that are currently open.
Open Internet Explorer by clicking the Start button , and then clicking Internet Explorer.
Click the Tools button, and then click Internet Options (under Network and Internet in the category view).
Choose the Security tab, select Trusted Sites then click on the Sites button. In the Trusted Sites window highlight the sites to remove and click the Remove button, then close all windows.


Step 4.

I see you have DAEMON Tools Toolbar installed which is an Adware toolbar bundled with Daemon Tools software. Please uninstall it via Programs and Features.
http://www.systemlookup.com/search.php?list=&type=name&search=DAEMON+Tools+Toolbar&s=


Step 5.

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

    :OTL
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll File not found
    O3 - HKLM\..\Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No CLSID value found.
    O4 - HKU\S-1-5-21-328246381-1834628235-4228974303-1000..\Run: [Eye-Fi] "C:\Program Files (x86)\E File not found
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
    O18:64bit: - Protocol\Handler\vnd.ms.radio - No CLSID value found
    O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
    O20:64bit: - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logitech\bluetooth\LBTWlgn.dll) - File not found
    
    :commands
    [CREATERESTOREPOINT]
    [REBOOT]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.


Step 6.

Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[ComboFix screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[ComboFix screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


In your next reply please include the following:

OTLFix report
ComboFix.txt



Thanks!!

Edited by pwgib, 18 November 2011 - 04:01 AM.
Remove dead link

PW
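
The Trusted Zone discussion in Step 3 above can be checked from the affected machine itself rather than only read off an OTL log. The PowerShell script below is an added example, not part of the thread and not code from OTL or ComboFix; it assumes the standard Windows layout in which Internet Explorer stores per-site zone assignments under the ZoneMap\Domains registry key, and it is read-only (it reports entries, it does not remove them). The function name Get-ZoneMapEntry and the output column names are this example's own choices.

```powershell
# Added example (not from this thread or from OTL/ComboFix): a read-only audit of
# which hosts Internet Explorer currently places in the "Trusted sites" zone.
# Windows keeps per-site zone assignments under
#   ...\Internet Settings\ZoneMap\Domains\<domain>[\<host>]
# as DWORD values named after the URL scheme (http, https, or * for any scheme);
# the DWORD is the zone number. Values on the <domain> key itself apply to the
# bare domain; values on a <host> subkey apply to host.domain, which is what an
# OTL line such as "microsoft.com ([im] https in Trusted sites)" describes.

$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

# Per-user assignments (what the OTL log reports) plus machine-wide ones,
# which apply to every account on the box and are the more worrying place
# to find a stray entry.
$Roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-ZoneMapEntry {
    param([string]$Root)
    if (-not (Test-Path -Path $Root)) { return }
    $hive = $Root.Split(':')[0]
    foreach ($domainKey in Get-ChildItem -Path $Root) {
        $domain = $domainKey.PSChildName
        # Scheme values directly on the domain key cover the whole domain.
        foreach ($scheme in $domainKey.GetValueNames()) {
            [pscustomobject]@{
                Hive   = $hive
                Site   = $domain
                Scheme = $scheme
                Zone   = $ZoneNames[[int]$domainKey.GetValue($scheme)]
            }
        }
        # Host subkeys (e.g. "im" under "microsoft.com") cover one host only.
        foreach ($hostKey in Get-ChildItem -Path $domainKey.PSPath) {
            foreach ($scheme in $hostKey.GetValueNames()) {
                [pscustomobject]@{
                    Hive   = $hive
                    Site   = '{0}.{1}' -f $hostKey.PSChildName, $domain
                    Scheme = $scheme
                    Zone   = $ZoneNames[[int]$hostKey.GetValue($scheme)]
                }
            }
        }
    }
}

$entries = foreach ($root in $Roots) { Get-ZoneMapEntry -Root $root }
$trusted = @($entries | Where-Object { $_.Zone -eq 'Trusted sites' })

if ($trusted.Count -eq 0) {
    Write-Output 'No sites are assigned to the Trusted sites zone.'
} else {
    Write-Output ("{0} Trusted sites entries found; review each one:" -f $trusted.Count)
    $trusted | Sort-Object Hive, Site | Format-Table -AutoSize
}
```

Run it in a PowerShell window on the machine being cleaned. Anything listed under the HKLM hive applies to all users, so an unexpected entry there deserves more attention than a per-user one; in either case, removal is still done through the Internet Options dialog as described in Step 3, so that Internet Explorer updates its own bookkeeping.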

#11 Narfy (Topic Starter)

  • Members
  • 10 posts
  • Local time:05:40 PM

Posted 18 November 2011 - 07:24 PM

I ran the OTL script, however it did not appear to generate any sort of log.

Running the Combofix scan now. Will post when completed.

#12 Narfy (Topic Starter)

  • Members
  • 10 posts
  • Local time:05:40 PM

Posted 18 November 2011 - 08:13 PM

Combofix log included below>>>

ComboFix 11-11-18.02 - Arren 11/18/2011 16:06:40.2.2 - x64
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.8190.6166 [GMT -8:00]
Running from: c:\users\Arren\Desktop\ComboFix.exe
AV: Microsoft Forefront Endpoint Protection *Disabled/Updated* {2E6C4BAB-3371-CD46-62DC-0E0A86B42619}
SP: Microsoft Forefront Endpoint Protection *Disabled/Updated* {950DAA4F-154B-C2C8-586C-3578FD336CA4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Arren\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
.
.
((((((((((((((((((((((((( Files Created from 2011-10-19 to 2011-11-19 )))))))))))))))))))))))))))))))
.
.
2011-11-19 00:44 . 2011-11-19 00:44 -------- d-----w- c:\users\Jessica\AppData\Local\temp
2011-11-19 00:44 . 2011-11-19 00:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-19 00:44 . 2011-11-19 00:44 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-11-18 23:46 . 2011-11-18 23:46 69000 ----a-w- c:\programdata\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{7216C45E-3D51-4D5F-B7F2-BA86BBD14ECF}\offreg.dll
2011-11-18 23:46 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{7216C45E-3D51-4D5F-B7F2-BA86BBD14ECF}\mpengine.dll
2011-11-18 23:31 . 2011-11-18 23:31 -------- d-----w- C:\_OTL
2011-11-11 19:55 . 2011-11-11 19:55 -------- d-----w- c:\windows\system32\Macromed
2011-11-11 17:31 . 2011-11-11 17:31 -------- d-----w- c:\program files\Java
2011-11-11 17:25 . 2011-09-30 16:16 893440 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-11 17:25 . 2011-09-30 16:16 50688 ----a-w- c:\program files\Windows Mail\wabimp.dll
2011-11-11 17:25 . 2011-09-30 15:57 707584 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2011-11-11 17:24 . 2011-09-20 21:06 1426304 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-11 17:23 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-11-11 17:23 . 2011-10-17 11:41 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
2011-11-09 22:32 . 2011-11-09 22:32 -------- d-----w- c:\program files (x86)\Common Files\Java(141)
2011-11-09 22:32 . 2011-11-09 22:32 -------- d-----w- c:\windows\Sun
2011-11-09 08:08 . 2011-11-09 08:08 -------- d-----w- c:\users\Jessica\AppData\Local\Temp(3001)
2011-11-09 08:08 . 2011-11-09 08:08 -------- d-----w- c:\users\Dannika\AppData\Local\Temp(2875)
2011-11-08 21:03 . 2011-11-08 21:03 -------- d-----w- c:\users\Arren\AppData\Local\uTorrent
2011-11-08 07:45 . 2011-09-01 01:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-08 03:32 . 2011-11-08 03:32 -------- d-----w- c:\users\Arren\AppData\Roaming\Malwarebytes
2011-11-08 03:32 . 2011-11-08 03:32 -------- d-----w- c:\programdata\Malwarebytes
2011-11-08 03:32 . 2011-11-11 00:58 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-10-27 04:11 . 2011-10-27 04:11 -------- d-----w- C:\Games
2011-10-23 07:05 . 2011-10-23 07:05 -------- d-----w- c:\users\Arren\AppData\Roaming\Unity
2011-10-23 06:57 . 2011-10-23 06:57 -------- d-----w- c:\windows\system32\ms-MY
2011-10-23 06:54 . 2011-10-23 06:54 -------- d-----w- c:\windows\system32\drivers\UMDF\it-IT
2011-10-23 06:54 . 2011-10-23 06:54 -------- d-----w- c:\windows\system32\drivers\UMDF\de-DE
2011-10-23 06:54 . 2011-10-23 06:54 -------- d-----w- c:\windows\system32\drivers\UMDF\fr-FR
2011-10-23 06:54 . 2011-10-23 06:54 -------- d-----w- c:\windows\system32\drivers\UMDF\es-ES
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-18 23:41 . 2009-08-19 09:19 30528 ----a-w- c:\windows\GVTDrv64.sys
2011-11-18 23:41 . 2008-04-12 20:30 25640 ----a-w- c:\windows\gdrv.sys
2011-11-11 19:55 . 2011-05-25 01:27 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-11 17:32 . 2011-04-18 23:19 627600 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-28 04:19 . 2009-07-21 00:41 1447936 ----a-w- c:\windows\system32\drivers\athrx.sys
2011-09-13 00:26 . 2009-11-04 01:20 9049936 ----a-w- c:\programdata\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Backup\mpengine.dll
2011-09-07 02:35 . 2011-09-07 02:35 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-09-06 13:56 . 2011-10-12 03:04 2764288 ----a-w- c:\windows\system32\win32k.sys
2011-09-01 05:24 . 2011-10-12 10:00 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 05:17 . 2011-10-12 10:00 1389056 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 05:12 . 2011-10-12 10:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-01 02:35 . 2011-10-12 10:00 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-09-01 02:28 . 2011-10-12 10:00 1126912 ----a-w- c:\windows\SysWow64\wininet.dll
2011-09-01 02:22 . 2011-10-12 10:00 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-08-25 16:20 . 2011-10-12 03:12 735744 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-08-25 16:19 . 2011-10-12 03:12 332288 ----a-w- c:\windows\system32\oleacc.dll
2011-08-25 16:19 . 2011-10-12 03:12 847360 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-25 16:15 . 2011-10-12 03:12 555520 ----a-w- c:\windows\SysWow64\UIAutomationCore.dll
2011-08-25 16:14 . 2011-10-12 03:12 238080 ----a-w- c:\windows\SysWow64\oleacc.dll
2011-08-25 16:14 . 2011-10-12 03:12 563712 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-08-25 13:54 . 2011-10-12 03:12 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-08-25 13:31 . 2011-10-12 03:12 4096 ----a-w- c:\windows\SysWow64\oleaccrc.dll
2007-03-09 07:12 27648 --sha-w- c:\windows\SysWOW64\AVSredirect.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-04-11 . 5CDD30BC217082DAC71A9878D9BFD566 . 547328 . . [6.0.6002.18005] .. c:\windows\winsxs\amd64_microsoft-windows-t..teconnectionmanager_31bf3856ad364e35_6.0.6002.18005_none_eca9565809c353e4\termsrv.dll
[7] 2008-01-19 . F870A5589D6A94B426EFB13689023946 . 546816 . . [6.0.6001.18000] .. c:\windows\winsxs\amd64_microsoft-windows-t..teconnectionmanager_31bf3856ad364e35_6.0.6001.18000_none_eabddd4c0ca18898\termsrv.dll
[7] 2006-11-02 . 48592E6E18F22E4939799B82A4825E77 . 499200 . . [6.0.6000.16386] .. c:\windows\winsxs\amd64_microsoft-windows-t..teconnectionmanager_31bf3856ad364e35_6.0.6000.16386_none_e8871b500fb677c4\termsrv.dll
[-] 2010-09-21 . B5E4219086EDD5CE8C50655C6039D82A . 499200 . . [6.0.6001.18000] .. c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\users\Arren\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"MsnMsgr"="c:\program files (x86)\Windows Live\Messenger\MsnMsgr.Exe" [2011-05-13 4283256]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2011-08-30 624056]
"EasyTuneVI"="c:\program files (x86)\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
"LifeCam"="c:\program files (x86)\Microsoft LifeCam\LifeExp.exe" [2010-03-13 119152]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-12-14 421160]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
.
c:\users\Arren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate1c99f60350a2d3e;Google Update Service (gupdate1c99f60350a2d3e);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-07 133104]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
R3 etdrv;etdrv;c:\windows\etdrv.sys [2009-09-18 25640]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-09-20 1038088]
R3 GEST Service;GEST Service for program management.;c:\program files (x86)\GIGABYTE\GEST\GSvr.exe [2007-12-14 47624]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-07 133104]
R3 GVTDrv64;GVTDrv64;c:\windows\GVTDrv64.sys [2011-11-18 30528]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-07 24176]
R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\DRIVERS\VX6000Xp.sys [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2011-08-05 306400]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 AdtAgent;Operations Manager Audit Forwarding Service;c:\windows\system32\AdtAgent.exe [x]
S2 FCSAM;Microsoft Antimalware Service;c:\program files\Microsoft Forefront\Forefront System\Client\AntiMalware\MsMpEng.exe [2009-07-03 17400]
S2 FSysAgent;Microsoft Forefront System Agent;c:\program files\Microsoft Forefront\Forefront System\Client\Agent\FSysAgent.exe [2009-09-03 298864]
S2 HealthService;System Center Management;c:\program files\System Center Operations Manager 2007\HealthService.exe [2009-05-09 30592]
S2 SRUserService;IT Connection Manager;c:\program files (x86)\IT Connection Manager\SRUserService.exe [2008-02-27 260232]
S3 AODDriver;AODDriver;c:\program files (x86)\GIGABYTE\ET6\amd64\AODDriver.sys [2009-02-23 14904]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam_x64.sys [x]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [x]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AODDRIVER
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-07 23:29]
.
2011-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-07 20:06]
.
2011-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-03-07 20:06]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
"VX6000"="c:\windows\vVX6000.exe" [2010-01-29 764784]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 225792]
"FCS Notify Icon"="c:\program files\Microsoft Forefront\Forefront System\Client\UX\FSysClientUI.exe" [2009-09-03 1857392]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-01-19 9996320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-08 2304904]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-01-08 2324872]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 163552]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with KUSO EXIF Viewer - c:\program files (x86)\KUSO EXIF Viewer\EXIF.htm
TCP: DhcpNameServer = 192.168.0.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-Replay_AV_807 - c:\windows\iun6002.exe
AddRemove-Replay_Converter_1 - c:\windows\iun6002.exe
AddRemove-WPRE.exe - c:\program files (x86)\Password Recovery Engine for Word\uninstall.exe
AddRemove-XviD MPEG4 Video Codec - c:\windows\system32\xvid-uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-328246381-1834628235-4228974303-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*i*n*i*ť^á(\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-328246381-1834628235-4228974303-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*i*n*i*¦Ęęb\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2011-11-18 17:07:33
ComboFix-quarantined-files.txt 2011-11-19 01:07
.
Pre-Run: 57,501,462,528 bytes free
Post-Run: 57,316,810,752 bytes free
.
- - End Of File - - 377B2225752E5A54250333D5F9124B4E
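The Run-key block near the top of the ComboFix log above is the part worth a second look when an iexplore.exe keeps reappearing in the background, since whatever is launching it needs a place to start from. What follows is an added example, not part of this thread and not ComboFix code, that parses lines in ComboFix's `"name"="path" [date size]` shape into records and buckets each autostart binary by where it lives. The sample log is constructed: its first four entries are copied from the log above, while the final "Updater" entry is made up to show what a binary in a user-writable folder looks like. The buckets are a heuristic: a flag means verify the file (hash, signature, vendor), not remove it. On the real log it would flag only vVX6000.exe, and only because it sits directly in c:\windows; by its name that is presumably the LifeCam VX-6000 camera software.

```python
import re
from dataclasses import dataclass
from typing import List

# One ComboFix autostart line looks like:   "Name"="c:\path\file.exe" [YYYY-MM-DD size]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"'
    r'(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?\s*$'
)
SECTION_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]\s*$')
RUN_KEY_RE = re.compile(r'\\run(once)?$', re.IGNORECASE)

# Constructed sample. The first four entries are from the log above; "Updater" is made up
# for illustration and is NOT in Narfy's log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
"VX6000"="c:\windows\vVX6000.exe" [2010-01-29 764784]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-01-19 9996320]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 163552]
"Updater"="c:\users\example\appdata\local\temp\updater.exe" [2011-11-18 51200]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
"""


@dataclass
class RunEntry:
    key: str
    name: str
    path: str
    date: str
    size: int

    def location(self) -> str:
        """Coarse, heuristic bucket for where the autostarted binary lives."""
        p = self.path.lower().replace("/", "\\")
        folder = p.rsplit("\\", 1)[0] if "\\" in p else ""
        if p.startswith("c:\\users\\") or "\\appdata\\" in p or "\\temp\\" in p:
            return "user-writable"       # anything the logged-on user can write to
        if folder == "c:\\windows":
            return "windows-root"        # unusual home for a vendor program
        if folder.startswith("c:\\windows\\"):
            return "windows-subdir"
        if folder.startswith("c:\\program files"):
            return "program-files"
        return "other"


REVIEW_BUCKETS = {"user-writable", "windows-root", "other"}


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Collect the "name"="path" entries under every Run/RunOnce key in a ComboFix log."""
    entries: List[RunEntry] = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            key = header.group("key")
            current_key = key if RUN_KEY_RE.search(key) else None
            continue
        if line == "." or line.startswith("---"):   # ComboFix section separators
            current_key = None
            continue
        if current_key is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(RunEntry(current_key, m.group("name"), m.group("path"),
                                    m.group("date") or "", int(m.group("size") or 0)))
    return entries


def review_candidates(entries: List[RunEntry]) -> List[RunEntry]:
    """Entries whose binary lives somewhere an analyst should verify by hand (hash, signature, vendor)."""
    return [e for e in entries if e.location() in REVIEW_BUCKETS]


if __name__ == "__main__":
    parsed = parse_run_entries(SAMPLE_LOG)
    for e in parsed:
        mark = "VERIFY" if e in review_candidates(parsed) else "ok    "
        print(f"{mark} {e.location():14} {e.size:>9} {e.date} {e.name!r} -> {e.path}")
```

The "VERIFY" mark is only a prompt to check the file's hash and signature; the next post in the thread does exactly that for termsrv.dll.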

#13 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:08:40 PM

Posted 19 November 2011 - 10:03 AM

Hi Narfy,


Step 1.


I need you to locate the OTLFix log.

Open Windows Explorer.

Go to Start | Run and type or copy and paste Explorer and click OK
Windows Explorer will open.

Expand My Computer.
Expand Local Disk (C:)
Expand _OTL
Click on Moved Files

Look for the log that corresponds with the OTLFix. It will be in the following format.

11182011_XXXXXX where X = the time

Please post that log in your next reply.


Step 2.

  • Click on this link--> virustotal
  • Click the browse button. Copy and paste the following lines in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.


c:\windows\system32\termsrv.dll


If the file has been analyzed before, click the Reanalyse File Now button.

Please copy and paste the results of the scan in your next post.


Step 3.


Please delete any copies of TDSSKiller from your desktop.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


In your next reply please include the following:

OTLFix report
VirusTotal scan results
TDSSKiller log



Thanks!!
PW

#14 Narfy

Narfy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:40 PM

Posted 19 November 2011 - 11:14 PM

Found the OTL Log and attached.

I decided to attach the reports due to size and formatting.

TDSSKiller ran, and the VirusTotal scan on termsrv.dll did not seem to find anything.

Attached Files



#15 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:08:40 PM

Posted 20 November 2011 - 08:54 AM

Hello Narfy,

Please do not attach logs unless asked to. You can use more than one post if needed.


Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u1-windows-i586-s.exe (or jre-7u1-windows-x64.exe for 64-bit) to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


Step 1.

We need to run an OTL Custom Scan
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
    /md5start
    termsrv.dll
    /md5stop
    
    In the Extra Registry box make sure that Use Safelist is checked.
  • Push Run Scan
  • Two reports will open.

    OTL.txt <-- Will be opened
    Extra.txt <-- Will be minimized in the system tray

    Copy and Paste those reports in your next reply.


Step 2.

Please rerun MBAM that appears to already be installed on your computer.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
    • Update Malwarebytes' Anti-Malware <--- Important!!
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply please include the following:


OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized <----Important
MBAM log



How is your computer running now?


Thanks!!
PW
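pwgib's Step 2 in post #13 (hash termsrv.dll and look it up on VirusTotal) and Step 1 above (/md5start termsrv.dll /md5stop, which has OTL hash every copy of that file on the disk) are both asking the same question: is the live termsrv.dll the same file as the backup copies Windows keeps? The following is an added example, not OTL or VirusTotal code, that does that comparison: it finds every copy of a named file under a root, hashes each one (MD5, which is what OTL reports, and SHA-256), and singles out the copies whose SHA-256 differs from the majority. The directory tree it runs on is constructed in a temporary folder with made-up file contents (no real DLL is read), and the winsxs folder names are placeholders.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path
from typing import List, Tuple


def hash_file(path: Path) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests, streaming so a large DLL need not fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def find_copies(root: Path, filename: str) -> List[Path]:
    """Every file under root with that name, compared case-insensitively as Windows does."""
    wanted = filename.lower()
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name.lower() == wanted)


def compare_copies(root: Path, filename: str) -> dict:
    """Hash all copies and single out those whose SHA-256 differs from the most common one."""
    digests = {p: hash_file(p) for p in find_copies(root, filename)}
    counts = Counter(sha for _, sha in digests.values())
    majority = counts.most_common(1)[0][0] if counts else None
    outliers = [p for p, (_, sha) in digests.items() if sha != majority]
    return {"copies": digests, "majority_sha256": majority, "outliers": outliers}


def virustotal_url(sha256: str) -> str:
    """Public VirusTotal report page for a hash (the site accepts MD5, SHA-1 or SHA-256)."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def build_sample_tree() -> Path:
    """Constructed stand-in for a Windows folder: three termsrv.dll copies, the live one altered.

    The bytes are invented; the System32 copy differs from the backups by one byte, which is
    how a patched system file shows up (same size, different hash)."""
    root = Path(tempfile.mkdtemp(prefix="termsrv-demo-"))
    clean = b"MZ" + b"\x00" * 62 + b"constructed clean termsrv.dll body\n" * 50
    tampered = clean[:-1] + b"X"
    layout = {
        "Windows/System32/termsrv.dll": tampered,
        "Windows/winsxs/Backup/termsrv.dll": clean,
        "Windows/winsxs/amd64_termsrv_placeholder/termsrv.dll": clean,
    }
    for rel, body in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    report = compare_copies(root, "termsrv.dll")
    for path, (md5, sha) in report["copies"].items():
        tag = "DIFFERS" if path in report["outliers"] else "matches"
        print(f"{tag:8} md5={md5} {path.relative_to(root)}")
        if tag == "DIFFERS":
            print("         check:", virustotal_url(sha))
```

A differing hash is a prompt, not a verdict: copies in winsxs can legitimately come from different updates, and on 64-bit Windows the SysWOW64 copy is a different (32-bit) build, so it should not be counted against the System32 one. Submit the SHA-256 of the odd one out to VirusTotal as pwgib asked, and compare its version resource and Authenticode signature with the backups before deciding anything.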



