ZAccess/HDDRescue.AB/conserv.dll/multiple threats


This topic is locked
7 replies to this topic

#1 Chubawuba

  • Members
  • 10 posts

Posted 10 November 2011 - 08:18 PM

Actually, rather than infected, I survived the attack.

Yes, I was infected, but with the use of my amateur computer knowledge, I was able to insert a live Linux CD and remove the path of some malwares.

And lots of props to Grindler (http://www.bleepingcomputer.com/forums/topic405109.html/page__st__45); I was able to restore 80% of the settings, except my Windows toolbar is missing all the shortcuts.

I was hoping to see if you guys could check and remove the rest of the dust here.

Thank you so much, and I hope I haven't caused too much trouble.

**Interesting notes
Funny, when I did get attacked, ZAccess had trouble writing files to the system32 path... it was giving me millions of errors... seems like the virus had a coding problem itself... *laugh*
The only difficulty was the HDDRescue malware, which, thanks to Grindler, I could recover most of, excluding the taskbar shortcut icons.

In addition, my hard disk was writing files and it was overpopulating one file (random algorithm), instantly growing it to the size of 17 GB in less than a minute...

And contrary to popular belief, I did not get any redirects in Yahoo/Google etc.

And Sirenf came up also.

(I still have permission problems overall and can't delete LCD files in system32.)


And that is all.

#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,012 posts
  • Location:Bloomington, IN

Posted 11 November 2011 - 04:26 AM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Chubawuba
  • Topic Starter
  • Members
  • 10 posts

Posted 11 November 2011 - 03:31 PM

Alright, here it is finally:

****The only issue I had is when I ran GMER, I could only select

Services
Registry
Files C:\
And ADS

All the other fields couldn't be checked either, for some weird reason.
-----------------------------------------------------------------------------------------------------------------------
What I know for a fact is that I've been infected with ZeroAccess, my permissions are screwed up, half the files are set to EVERYONE, and administrator access is pretty much a joke.

Also, I cannot delete a bunch of .NLS files in System32, nor delete fake drivers in DRIVERS either.

The funny thing is, when I did get infected, I remember it was writing huge amounts of disk into one file... in 3 mins it accumulated 15 GB, so I used some basic knowledge to delete that.

And that is all... hope you can find a lot of interesting things here.

I'm very grateful for any help you provide, and I'll take all precautions to make sure things like this won't happen again.

;)

Attached Files



#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto Rico

Posted 13 November 2011 - 05:14 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 Chubawuba
  • Topic Starter
  • Members
  • 10 posts

Posted 14 November 2011 - 03:52 PM

Ah, thanks so much for looking into this:

Here is the log:
Basically, any other problem you should know about is, like I said up there, I have permission problems in system32 and SYSWOW64 and I still keep getting access denied etc.

The computer is doing fine; it just acts quirky sometimes.
------------------------------------------------------------------------------
And actually, when I ran ComboFix the first time, I got a BSoD:

BAD_POOL_CALLER


And the second time I ran ComboFix, the computer froze when I was away for a while.

Finally, the third time it ran, YES, it did get through and generated the report.
-----------------------------------------------------------------------------------------------------------------------


I hope this is all you're looking for.
Again, thank you so much for helping out of your own time >:)

Chewy

ComboFix 11-11-14.02 - Sanchis 4/2011 Mon 15:31:38.5.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.949.82.1033.18.12221.9607 [GMT -5:00]
Running from: c:\users\Sanchis\Desktop\ComboFix.exe
AV: ESET Smart Security 4.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 4.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-14 to 2011-11-14 )))))))))))))))))))))))))))))))
.
.
2011-11-14 20:38 . 2011-11-14 20:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-14 20:29 . 2011-11-14 20:29 -------- d-----w- c:\users\UpdatusUser
2011-11-14 06:25 . 2011-11-14 06:26 -------- d-----w- c:\program files (x86)\FormatFactory
2011-11-14 06:06 . 2011-11-14 06:18 -------- d-----w- c:\users\Sanchis\AppData\Roaming\Celemony Software GmbH
2011-11-14 06:06 . 2011-11-14 06:06 -------- d-----w- c:\programdata\Celemony Software GmbH
2011-11-14 05:58 . 2011-11-14 05:58 -------- d-----w- c:\users\Sanchis\AppData\Roaming\www.shadowexplorer.com
2011-11-14 05:58 . 2011-11-14 05:58 -------- d-----w- c:\program files (x86)\ShadowExplorer
2011-11-14 05:46 . 2011-09-27 10:57 431936 ----a-w- c:\windows\SysWow64\msvcp100.dll.bak
2011-11-14 05:40 . 2011-11-14 05:40 -------- d-----w- c:\program files\Common Files\VST3
2011-11-14 05:40 . 2011-11-14 05:40 -------- d-----w- c:\program files (x86)\Celemony
2011-11-14 05:31 . 2011-11-14 20:04 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0A4FF741-7C3A-4EA8-BFCF-AA34B0F2B6E2}\offreg.dll
2011-11-14 00:00 . 2011-10-07 01:16 8570192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0A4FF741-7C3A-4EA8-BFCF-AA34B0F2B6E2}\mpengine.dll
2011-11-13 23:23 . 2011-11-13 23:23 -------- d-----w- c:\program files\Propellerhead
2011-11-13 21:09 . 2011-11-13 22:58 -------- d-----w- c:\users\Sanchis\AppData\Roaming\Xfire
2011-11-13 21:09 . 2011-11-13 21:10 -------- d-----w- c:\programdata\Xfire
2011-11-13 21:09 . 2011-11-13 21:09 -------- d-----w- c:\program files (x86)\Xfire
2011-11-13 07:34 . 2011-11-14 01:29 -------- d-----w- c:\program files (x86)\Wolfenstein - Enemy Territory
2011-11-13 06:55 . 2011-11-13 06:57 -------- d-----w- c:\users\Sanchis\AppData\Local\ElevatedDiagnostics
2011-11-13 00:04 . 2011-11-13 19:22 -------- d-----w- c:\program files\Peavey Electronics
2011-11-12 22:49 . 2011-11-12 22:49 -------- d-----w- C:\Rbackup
2011-11-12 22:47 . 2011-11-12 22:51 -------- d-----w- c:\program files\Perfect Uninstaller
2011-11-12 05:39 . 2011-11-12 05:39 -------- d-----w- C:\found.000
2011-11-12 05:07 . 2011-11-03 01:29 34624 ----a-w- c:\windows\system32\TURegOpt.exe
2011-11-12 05:07 . 2011-11-03 01:29 25920 ----a-w- c:\windows\system32\authuitu.dll
2011-11-12 05:07 . 2011-11-03 01:29 21312 ----a-w- c:\windows\SysWow64\authuitu.dll
2011-11-12 05:06 . 2011-11-12 05:06 -------- d-----w- c:\users\Sanchis\AppData\Roaming\TuneUp Software
2011-11-12 05:05 . 2011-11-12 05:07 -------- d-----w- c:\program files (x86)\TuneUp Utilities 2012
2011-11-12 05:05 . 2011-11-12 05:07 -------- d-----w- c:\programdata\TuneUp Software
2011-11-12 05:04 . 2011-11-12 05:04 -------- d-sh--w- c:\programdata\{32364CEA-7855-4A3C-B674-53D8E9B97936}
2011-11-11 20:25 . 2011-11-11 20:25 -------- d-----w- c:\program files\jBridge
2011-11-11 18:55 . 2011-11-11 18:55 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-11-11 18:53 . 2011-11-14 06:26 -------- d-sh--w- c:\windows\Installer
2011-11-11 05:11 . 2011-11-11 05:11 -------- d-----w- c:\users\Sanchis\AppData\Local\dotoo
2011-11-10 22:59 . 2011-11-11 18:54 476904 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
2011-11-08 19:44 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-08 19:44 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2011-11-08 19:44 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-08 19:44 . 2011-09-29 04:03 3144704 ----a-w- c:\windows\system32\win32k.sys
2011-11-07 19:50 . 2011-11-10 20:17 -------- d-----w- c:\users\Sanchis\AppData\Local\VMware
2011-11-07 18:45 . 2011-11-07 18:45 -------- d-----w- c:\windows\SysWow64\RTCOM
2011-11-07 18:43 . 2011-05-05 20:24 2085440 ----a-w- c:\windows\system32\FMAPO64.dll
2011-11-07 18:42 . 2009-11-17 23:12 108960 ----a-w- c:\windows\system32\AERTAR64.dll
2011-11-07 18:42 . 2010-07-22 21:37 200800 ----a-w- c:\windows\system32\AERTAC64.dll
2011-11-07 18:36 . 2011-11-07 18:36 -------- d-----w- c:\program files\Common Files\LogiShrd
2011-11-07 18:35 . 2011-11-07 18:36 -------- d-----w- c:\users\Sanchis\AppData\Roaming\Logishrd
2011-11-07 18:35 . 2011-11-07 18:35 -------- d-----w- c:\users\Sanchis\AppData\Roaming\Logitech
2011-11-07 18:33 . 2011-08-25 07:33 22056 ----a-w- c:\windows\system32\btwcoins.dll
2011-11-07 18:33 . 2011-08-25 07:33 89640 ----a-w- c:\windows\system32\drivers\btwdpan.sys
2011-11-07 18:04 . 2011-11-07 18:05 -------- d-----w- c:\program files (x86)\Qualcomm Atheros WiFi Driver Installation
2011-11-07 18:00 . 2011-11-07 18:00 -------- d-----w- c:\programdata\Qualcomm Atheros
2011-11-07 17:43 . 2011-11-09 09:07 -------- d-----w- c:\users\Sanchis\AppData\Roaming\Auslogics
2011-11-07 17:41 . 2011-11-07 17:41 -------- d-----w- c:\program files (x86)\Auslogics
2011-11-07 17:22 . 2011-11-10 20:17 -------- d-----w- c:\users\Sanchis\AppData\Roaming\VMware
2011-11-07 17:16 . 2011-11-07 17:16 -------- d-----w- c:\windows\UltraDefrag
2011-11-07 17:04 . 2011-08-22 22:07 62064 ----a-w- c:\windows\system32\drivers\vmx86.sys
2011-11-07 17:04 . 2011-08-22 22:07 354416 ----a-w- c:\windows\SysWow64\vmnetdhcp.exe
2011-11-07 17:04 . 2011-08-22 22:06 432752 ----a-w- c:\windows\SysWow64\vmnat.exe
2011-11-07 17:04 . 2011-08-22 22:06 30320 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2011-11-07 17:04 . 2011-08-22 22:07 942192 ----a-w- c:\windows\system32\vnetlib64.dll
2011-11-07 17:03 . 2011-08-22 22:06 32880 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2011-11-07 17:03 . 2011-08-22 04:11 39024 ----a-w- c:\windows\system32\drivers\hcmon.sys
2011-11-07 17:02 . 2011-11-08 20:35 -------- d-----w- c:\programdata\VMware
2011-11-07 17:02 . 2011-11-07 17:02 -------- d-----w- c:\program files (x86)\VMware
2011-11-07 17:02 . 2011-11-07 17:02 -------- d-----w- c:\program files (x86)\Common Files\VMware
2011-11-07 17:01 . 2011-11-07 17:01 -------- d-----w- c:\program files\Common Files\VMware
2011-11-07 16:02 . 2011-11-11 20:53 -------- d-----w- C:\Boot
2011-11-06 18:32 . 2011-11-06 18:32 -------- d-----w- c:\windows\amlog
2011-11-06 18:03 . 2011-01-19 15:47 15288 ----a-w- c:\windows\system32\ampa.sys
2011-11-06 18:03 . 2011-01-19 15:47 12728 ----a-w- c:\windows\SysWow64\ampa.sys
2011-11-06 18:03 . 2011-01-21 22:40 1249720 ----a-w- c:\windows\ampa.exe
2011-11-06 18:03 . 2011-11-06 18:05 -------- d-----w- c:\program files (x86)\Aomei Partition Assistant 3.0
2011-11-06 10:57 . 2011-10-07 01:16 8570192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-06 06:37 . 2011-11-07 20:01 -------- d-----w- c:\users\Sanchis\VirtualBox VMs
2011-11-06 06:35 . 2011-11-06 09:05 -------- d-----w- c:\users\Sanchis\.VirtualBox
2011-11-06 06:35 . 2011-11-04 17:37 224048 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys
2011-11-06 06:34 . 2011-11-04 17:37 130864 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys
2011-11-06 06:34 . 2011-11-06 06:34 -------- d-----w- c:\program files\Oracle
2011-11-06 06:14 . 2011-11-08 23:52 -------- d-----r- c:\users\Sanchis\Virtual Machines
2011-11-06 02:51 . 2011-11-06 02:51 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{31F509EF-DAE6-4198-A66F-3A586C3FFC0D}\gapaengine.dll
2011-11-06 02:50 . 2011-11-06 02:50 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2011-11-06 02:50 . 2011-11-06 02:50 -------- d-----w- c:\program files\Microsoft Security Client
2011-11-06 01:25 . 2009-07-22 22:22 358144 ----a-w- c:\windows\system32\drivers\vpcvmm.sys
2011-11-06 01:25 . 2009-07-22 22:22 66304 ----a-w- c:\windows\system32\drivers\vpcnfltr.sys
2011-11-06 01:25 . 2009-07-22 22:20 2258944 ----a-w- c:\windows\system32\VPCWizard.exe
2011-11-06 01:25 . 2009-07-22 22:20 562176 ----a-w- c:\windows\system32\VMCPropertyHandler.dll
2011-11-06 01:25 . 2009-07-22 21:53 792064 ----a-w- c:\windows\SysWow64\vmsal.exe
2011-11-06 01:25 . 2009-07-22 22:22 4513280 ----a-w- c:\windows\system32\vpc.exe
2011-11-06 01:25 . 2009-07-22 22:21 1208320 ----a-w- c:\windows\system32\VMWindow.exe
2011-11-06 01:25 . 2009-07-22 22:20 1369600 ----a-w- c:\windows\system32\VPCSettings.exe
2011-11-06 01:25 . 2009-07-22 22:21 934400 ----a-w- c:\windows\system32\vmsal.exe
2011-11-06 01:11 . 2011-11-06 05:51 165232 ----a-w- c:\users\Sanchis\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
2011-11-06 00:29 . 2011-11-06 00:29 -------- d-----w- c:\windows\SysWow64\Wat
2011-11-06 00:29 . 2011-11-06 00:29 -------- d-----w- c:\windows\system32\Wat
2011-11-05 22:34 . 2011-11-05 22:49 -------- d-----w- c:\program files\PeerBlock
2011-11-05 22:30 . 2011-11-05 22:30 -------- d-----w- c:\program files (x86)\OpenVPN Technologies
2011-11-05 21:29 . 2011-11-11 04:01 -------- d-----w- c:\program files (x86)\OpenVPN
2011-11-04 17:37 . 2011-11-04 17:37 146736 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys
2011-11-04 15:16 . 2011-10-07 04:16 8570192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CD986993-75F8-4F32-B537-F9F69792B43B}\mpengine.dll
2011-11-03 15:53 . 2011-11-03 15:53 -------- d-----w- c:\program files (x86)\Bluetack
2011-10-31 20:50 . 2011-10-31 20:50 98304 ----a-w- c:\windows\SysWow64\CmdLineExt.dll
2011-10-31 20:44 . 2011-10-31 20:44 -------- d-----w- c:\program files (x86)\Eidos
2011-10-30 23:35 . 2011-10-30 23:35 -------- d-----w- c:\program files (x86)\EVGA Precision
2011-10-30 23:11 . 2011-10-30 23:12 -------- d-----w- c:\program files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
2011-10-30 22:06 . 2010-08-03 02:14 185912 ----a-w- c:\windows\system32\CbFsMntNtf3.dll
2011-10-30 22:06 . 2010-08-03 02:14 153656 ----a-w- c:\windows\SysWow64\CbFsMntNtf3.dll
2011-10-30 22:06 . 2010-08-03 02:14 316384 ----a-w- c:\windows\system32\drivers\cbfs3.sys
2011-10-30 22:02 . 2011-10-30 22:02 -------- d-----w- c:\program files\iTunes
2011-10-30 22:02 . 2011-10-30 22:02 -------- d-----w- c:\program files\iPod
2011-10-30 21:59 . 2011-10-30 21:59 -------- d-----w- c:\program files\Bonjour
2011-10-30 21:59 . 2011-10-30 21:59 -------- d-----w- c:\program files (x86)\Bonjour
2011-10-30 19:17 . 2011-10-30 19:17 -------- d-----w- c:\program files (x86)\MSI Kombustor
2011-10-30 19:16 . 2010-10-27 01:43 110592 ----a-w- c:\windows\system32\rtvcvfw32.dll
2011-10-30 19:16 . 2011-11-01 00:44 -------- d-----w- c:\program files (x86)\MSI Afterburner
2011-10-30 18:26 . 2011-10-31 22:53 -------- d-----w- c:\users\Sanchis\AppData\Local\NVIDIA Corporation
2011-10-30 18:11 . 2011-10-30 18:11 -------- d-----w- c:\program files (x86)\NVIDIA nTune Performance Application
2011-10-30 17:37 . 2011-10-30 18:45 -------- d-----w- c:\program files\CCleaner
2011-10-29 13:44 . 2011-10-29 13:44 -------- d-----w- c:\users\Sanchis\AppData\Roaming\Malwarebytes
2011-10-29 13:44 . 2011-10-29 13:44 -------- d-----w- c:\programdata\Malwarebytes
2011-10-29 13:44 . 2011-10-29 13:44 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-10-29 13:44 . 2011-08-31 21:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-29 02:21 . 2011-10-29 02:21 -------- d-----w- c:\users\Sanchis\AppData\Roaming\Renoise ReWire Engine
2011-10-29 01:36 . 2011-10-29 01:36 -------- d-----w- c:\users\Sanchis\AppData\Roaming\Renoise
2011-10-29 01:35 . 2011-10-29 14:00 -------- d-----w- c:\users\Sanchis\AppData\Local\ieNetCres
2011-10-27 23:52 . 2011-10-27 23:52 -------- d-----w- c:\programdata\Nexon
2011-10-27 23:49 . 2011-10-27 23:50 -------- d-----w- c:\program files (x86)\BandiMPEG1
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-11 18:54 . 2011-08-26 08:49 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-10-30 17:22 . 2011-08-25 04:58 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-27 13:58 . 2011-09-17 07:32 111928 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-10-15 16:47 . 2011-08-27 00:00 45056 ----a-w- c:\windows\system32\acovcnt.exe
2011-10-15 08:53 . 2011-10-07 11:10 837952 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2011-10-15 08:53 . 2011-10-07 11:09 8791360 ----a-w- c:\windows\system32\nvwgf2umx.dll
2011-10-15 08:53 . 2011-10-07 11:09 7041856 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2011-10-15 08:53 . 2011-10-07 11:09 2808128 ----a-w- c:\windows\system32\nvapi64.dll
2011-10-15 08:53 . 2011-10-07 11:09 2458432 ----a-w- c:\windows\SysWow64\nvapi.dll
2011-10-15 08:53 . 2011-10-07 11:09 1533248 ----a-w- c:\windows\system32\nvdispco64.dll
2011-10-15 08:53 . 2011-10-07 11:09 1454400 ----a-w- c:\windows\system32\nvgenco64.dll
2011-10-15 08:53 . 2011-10-07 11:09 13205312 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2011-10-15 08:53 . 2010-02-26 20:37 539456 ----a-w- c:\windows\system32\nvhotkey.dll
2011-10-15 08:53 . 2010-02-26 20:37 5067584 ----a-w- c:\windows\system32\nvsvc64.dll
2011-10-15 08:53 . 2010-02-26 20:37 3074368 ----a-w- c:\windows\system32\nvsvcr.dll
2011-10-15 08:53 . 2010-02-26 20:37 222528 ----a-w- c:\windows\system32\nvmctray.dll
2011-10-15 08:53 . 2010-02-26 20:37 1640768 ----a-w- c:\windows\system32\nvvsvc.exe
2011-10-15 08:53 . 2010-02-26 20:37 137536 ----a-w- c:\windows\system32\nvshext.dll
2011-10-15 08:53 . 2010-02-26 20:37 10406208 ----a-w- c:\windows\system32\nvcpl.dll
2011-10-15 04:54 . 2011-10-15 04:54 321856 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2011-10-13 21:29 . 2011-10-13 19:57 139264 ----a-w- c:\windows\War3Unin.exe
2011-10-13 20:30 . 2011-10-13 20:30 42392 ----a-w- c:\windows\SysWow64\xfcodec.dll
2011-10-13 20:30 . 2011-10-13 20:30 28056 ----a-w- c:\windows\system32\xfcodec64.dll
2011-10-13 20:03 . 2011-10-13 19:57 2829 ----a-w- c:\windows\War3Unin.pif
2011-10-12 19:59 . 2011-10-12 19:59 964 ----a-w- c:\windows\system32\ud-boot-time.cmd
2011-10-07 19:41 . 2009-08-18 16:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2011-10-07 19:41 . 2009-08-18 15:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-10-07 14:02 . 2011-10-07 14:02 66510 ----a-w- c:\windows\SysWow64\PDS_Uninstall.exe
2011-10-07 14:02 . 2011-10-07 14:02 487424 ----a-w- c:\windows\SysWow64\DreamxPDS.exe
2011-10-06 22:12 . 2011-09-17 07:32 66872 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2011-10-04 19:49 . 2011-08-25 01:28 2770944 ----a-w- c:\windows\system32\drivers\athrx.sys
2011-10-04 19:49 . 2011-08-25 01:28 2770944 ----a-w- c:\windows\system32\athrx.sys
2011-09-26 16:31 . 2011-09-26 16:31 4608 ----a-w- c:\windows\SysWow64\w95inf32.dll
2011-09-26 16:31 . 2011-09-26 16:31 2272 ----a-w- c:\windows\SysWow64\w95inf16.dll
2011-09-26 15:58 . 2011-09-17 09:49 280480 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-09-26 15:52 . 2011-09-17 07:32 290496 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-09-20 03:54 . 2011-09-20 03:54 108656 ----a-w- c:\windows\system32\drivers\L1C62x64.sys
2011-09-17 07:28 . 2011-09-17 07:28 61440 ----a-w- c:\windows\diabunin.exe
2011-09-17 01:46 . 2011-09-17 01:46 98304 ----a-w- c:\windows\W2BNEUnin.exe
2011-09-17 01:46 . 2011-09-17 01:46 2829 ----a-w- c:\windows\W2BNEUnin.pif
2011-09-14 19:53 . 2011-09-17 07:32 3142728 ----a-w- c:\windows\SysWow64\pbsvc_hos.exe
2011-09-01 05:24 . 2011-10-13 20:41 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 05:17 . 2011-10-13 20:41 1389056 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 05:12 . 2011-10-13 20:41 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-01 02:35 . 2011-10-13 20:41 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-09-01 02:28 . 2011-10-13 20:41 1126912 ----a-w- c:\windows\SysWow64\wininet.dll
2011-09-01 02:22 . 2011-10-13 20:41 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-09-01 00:12 . 2011-08-25 01:24 1698408 ----a-w- c:\windows\RtlExUpd.dll
2011-08-31 20:20 . 2011-08-25 01:20 53248 ----a-w- c:\windows\SysWow64\CSVer.dll
2011-08-31 03:05 . 2011-08-31 03:05 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 61288 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 03:05 . 2011-08-31 03:05 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-08-31 03:05 . 2011-08-31 03:05 50536 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-08-31 03:05 . 2011-08-31 03:05 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-08-29 18:00 . 2011-09-14 00:51 86016 ----a-w- c:\windows\system32\ff_vfw.dll
2011-08-29 13:34 . 2011-08-29 13:34 406528 ----a-w- c:\windows\SysWow64\ReWire.dll
2011-08-29 08:00 . 2011-09-14 00:47 74752 ----a-w- c:\windows\SysWow64\ff_vfw.dll
2011-08-29 02:28 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-08-29 02:28 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-08-27 05:37 . 2011-10-13 02:39 861696 ----a-w- c:\windows\system32\oleaut32.dll
2011-08-27 05:37 . 2011-10-13 02:39 331776 ----a-w- c:\windows\system32\oleacc.dll
2011-08-27 04:26 . 2011-10-13 02:39 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-08-27 04:26 . 2011-10-13 02:39 233472 ----a-w- c:\windows\SysWow64\oleacc.dll
2011-08-27 01:08 . 2011-08-27 01:08 338432 ----a-w- c:\windows\SysWow64\REX Shared Library.dll
2011-08-26 18:00 . 2011-08-26 18:00 345216 ----a-w- c:\windows\SysWow64\NowCDNUp2.exe
2011-08-26 14:05 . 2011-08-26 14:05 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-08-26 14:05 . 2011-08-26 14:05 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2011-08-26 14:05 . 2011-08-26 14:05 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-08-26 14:05 . 2011-08-26 14:05 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2011-08-26 14:05 . 2011-08-26 14:05 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-08-26 14:05 . 2011-08-26 14:05 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2011-08-26 14:05 . 2011-08-26 14:05 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2011-08-26 14:05 . 2011-08-26 14:05 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-08-26 14:05 . 2011-08-26 14:05 367104 ----a-w- c:\windows\SysWow64\html.iec
2011-08-26 14:05 . 2011-08-26 14:05 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2011-08-26 14:05 . 2011-08-26 14:05 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-08-26 14:05 . 2011-08-26 14:05 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2011-08-26 14:05 . 2011-08-26 14:05 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2011-08-26 14:05 . 2011-08-26 14:05 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2011-08-26 14:05 . 2011-08-26 14:05 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-08-26 14:05 . 2011-08-26 14:05 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2011-08-26 14:05 . 2011-08-26 14:05 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2011-08-26 14:05 . 2011-08-26 14:05 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2011-08-26 14:05 . 2011-08-26 14:05 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-08-26 14:05 . 2011-08-26 14:05 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-08-26 14:05 . 2011-08-26 14:05 49664 ----a-w- c:\windows\system32\imgutil.dll
2011-08-26 14:05 . 2011-08-26 14:05 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-08-26 14:05 . 2011-08-26 14:05 222208 ----a-w- c:\windows\system32\msls31.dll
2011-08-26 14:05 . 2011-08-26 14:05 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2011-08-26 14:05 . 2011-08-26 14:05 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-08-26 14:05 . 2011-08-26 14:05 12288 ----a-w- c:\windows\system32\mshta.exe
2011-08-26 14:05 . 2011-08-26 14:05 114176 ----a-w- c:\windows\system32\admparse.dll
2011-08-26 14:05 . 2011-08-26 14:05 111616 ----a-w- c:\windows\system32\iesysprep.dll
2011-08-26 14:05 . 2011-08-26 14:05 85504 ----a-w- c:\windows\system32\iesetup.dll
2011-08-26 14:05 . 2011-08-26 14:05 76800 ----a-w- c:\windows\system32\tdc.ocx
2011-08-26 14:05 . 2011-08-26 14:05 603648 ----a-w- c:\windows\system32\vbscript.dll
2011-08-26 14:05 . 2011-08-26 14:05 448512 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2011-09-15 3077528]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [BU]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HControlUser"="c:\program files (x86)\ASUS\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"ATKOSD2"="c:\program files (x86)\ASUS\ATKOSD2\ATKOSD2.exe" [2009-10-09 6937216]
"VolPanel"="c:\program files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe" [2008-12-29 237693]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Media\DMedia.exe" [2009-08-20 170624]
"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"DigidesignMMERefresh"="c:\program files (x86)\Digidesign\Drivers\MMERefresh.exe" [2011-03-03 77824]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"vmware-tray"="c:\program files (x86)\VMware\VMware Workstation\vmware-tray.exe" [2011-08-22 103536]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"UpdReg"=c:\windows\UpdReg.EXE
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\itunes\iTunesHelper.exe"
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [x]
R2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [x]
R3 ampa;ampa;c:\windows\system32\ampa.sys [2011-01-19 15288]
R3 AXIOM;Service for M-Audio Axiom;c:\windows\system32\DRIVERS\MAudioAxiom.sys [x]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
R3 BTWDPAN;Bluetooth Personal Area Network;c:\windows\system32\DRIVERS\btwdpan.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-08-25 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-08-25 79360]
R3 dump_wmimmc;dump_wmimmc;c:\program files (x86)\ÀÌÅͳνÃƼ\GameGuard\dump_wmimmc.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files (x86)\Garena Classic\safedrv.sys [x]
R3 MBOXPRO;Service for Avid Mbox Pro;c:\windows\system32\DRIVERS\AvidMboxPro.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 RivaTuner64;RivaTuner64;c:\program files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner64.sys [2011-10-30 19952]
R3 rvbedit;rvbedit;c:\users\Sanchis\AppData\Local\Temp\rvbedit.sys [x]
R3 Synth3dVsc;Synth3dVsc; [x]
R3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\DRIVERS\tapoas.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub; [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU; [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
R4 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
R4 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
R4 VMwareHostd;VMware Workstation Server;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe [2011-08-22 11837440]
S0 MDFSYSNT;MacDrive file system driver; [x]
S0 MDPMGRNT;MacDrive Partition Driver;c:\windows\system32\DRIVERS\MDPMGRNT.SYS [x]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [x]
S1 CBDisk;CBDisk;c:\windows\system32\drivers\CBDisk.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [x]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]
S2 ASMMAP64;ASMMAP64;c:\program files\ATKGFNEX\ASMMAP64.sys [2007-07-24 14904]
S2 AxiomAudioDevMon;Axiom Audio Device Monitor;c:\program files (x86)\M-Audio\Axiom\AudioDevMon.exe [2010-03-11 1636872]
S2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\DRIVERS\diginet.sys [x]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [2011-01-12 810144]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [x]
S2 M4iPodWPDService;M4iPodWPDService;c:\program files (x86)\Common Files\Mediafour\iPod\M4iPodWPDService.exe [2010-11-15 211968]
S2 M4LIC;Mediafour M4LIC service;c:\program files (x86)\Common Files\Mediafour\M4LIC.EXE [2010-07-20 205312]
S2 MacDrive8Service;MacDrive 8 service;c:\program files\Mediafour\MacDrive 8\MacDrive8Service.exe [2010-10-08 149504]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 MboxProAudioDevMon;Mbox Pro Audio Device Monitor;c:\program files (x86)\Avid\Mbox Pro\AudioDevMon.exe [2010-10-08 1919504]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [x]
S2 sesvc;ShadowExplorer Service;c:\program files (x86)\ShadowExplorer\sesvc.exe [2011-01-03 9216]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesService64.exe [2011-11-03 2072896]
S2 TunngleService;TunngleService;c:\program files (x86)\Tunngle\TnglCtrl.exe [2011-10-14 745832]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-09-30 2314240]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2011-08-22 846448]
S2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);SysWOW64\drivers\vstor2-mntapi10-shared.sys [x]
S3 cbfs3;EldoS CallbackFS driver v3;c:\windows\system32\DRIVERS\cbfs3.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 nvoclk64;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\DRIVERS\nvoclk64.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [x]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesDriver64.sys [2011-10-31 11856]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2010-08-03 02:14 185912 ----a-w- c:\windows\System32\CbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RunDLLEntry"="c:\windows\system32\RunDLL32.exe" [2009-07-14 45568]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-12 2918656]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"MacDrive 8 application"="c:\program files\Mediafour\MacDrive 8\MacDrive.exe" [2010-10-08 193536]
"Getting started with MacDrive 8"="c:\program files\Mediafour\MacDrive 8\MDGetStarted.exe" [2010-10-08 146432]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}"="c:\program files\Mediafour\XPlay 3\XPlay.exe" [2010-11-15 395776]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {{20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - c:\windows\system32\mscoree.DLL
LSP: %SystemRoot%\system32\vsocklib.dll
TCP: Interfaces\{D35E092D-CACD-43FB-8001-73C1CDEBCE2F}: NameServer = 68.105.28.11,68.105.29.11,68.105.28.12
DPF: {24CF28C7-14A4-4740-BFC5-6BB10EA77FA8} - hxxp://web.gscdn.mgame.com/download/cab/mgcontrol_v2004.cab
DPF: {8768D5EA-5412-4810-A032-09AD2A726C69} - hxxp://bgweb.nowcdn.co.kr/Bin/DownStarter2.cab
DPF: {9488B4AB-ECD7-4F13-B48B-1FFC9DD803D4} - hxxp://download.netmarble.net/web/nmstarter/mgame/MGameStarter.cab
DPF: {B0846BBB-A5C3-45BF-A9B9-A6837A8C6A9B} - hxxp://pds.dreamx.com/include/component/pdscontrol.cab
FF - ProfilePath - c:\users\Sanchis\AppData\Roaming\Mozilla\Firefox\Profiles\14kkwp5m.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z192&form=ZGAADF&install_date=20110930&q=
FF - prefs.js: network.proxy.type - 4
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-MacDrive volume icons - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\08\04\19\040%?"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\T[ð?*ŒÏòN\Unreal Tournament 3\1.0]
@=""
DUMPHIVE0.003 (REGF)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-11-14 15:40:55
ComboFix-quarantined-files.txt 2011-11-14 20:40
ComboFix2.txt 2011-11-14 20:29
ComboFix3.txt 2011-11-10 22:53
.
Pre-Run: 227,355,025,408 bytes free
Post-Run: 227,054,690,304 bytes free
.
- - End Of File - - B63FCE31DD0669A45D0C408031C2E7FE

Edited by gringo_pr, 14 November 2011 - 06:00 PM.


#6 gringo_pr
  • Malware Response Team

Posted 14 November 2011 - 06:02 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Extra::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 gringo_pr
  • Malware Response Team

Posted 17 November 2011 - 11:59 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo

#8 gringo_pr
  • Malware Response Team

Posted 21 November 2011 - 01:55 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.