
MBR wiped while attempting to install antirootkit software


  • This topic is locked
19 replies to this topic

#1 FRiNKEL

FRiNKEL

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 AM

Posted 02 December 2011 - 10:13 PM

I started to notice odd activity starting November 24th.
There was unusual download activity coming from svchost, for one. At a random point of time, about 16 different "'x.exe' has encountered an error and needs to be closed" boxes showed up for different programs. Here's a screenshot I took of the scene (Please note that the errors were not originally placed this way: I put them there, I thought it might make a funny-looking desktop wallpaper or something at the time xD). Additionally, after taking a closer look at the Event Viewer, I found that the same thing happened with multiple services about 5 minutes later. As well as the odd program closing issue, the mouse kept flashing the hourglass icon. Additionally, after running Defog and rebooting, I got a bluescreen on the PC (I do not know if this is the virus's fault or not though) (At this time, I cannot find the log in the Event Viewer describing the event). However, I decided to forget the problem after I realized that one of the largest culprits that svchost was downloading from was Google's IP address.

I forgot about it, until today.

I saw an unusual icon flash in the notification area (It was an icon of a lock). It disappeared quickly. I never remembered installing a program that had that icon for the notification area. I immediately tried to look for solutions on the Internet. I checked my startup programs. I couldn't find any culprits from the majority of the .EXE files using the Startup Database. Then I decided to try downloading RootkitBuster from Trend Micro. When I tried starting it, my computer hung. I left to do something else, and when I came back, I found to my surprise that the MBR had been wiped from the PC and the computer had restarted!
Fortunately, I found a bootable CD with a program (Paragon Rescue Kit v9) that lets me boot into the OS without the MBR, so I am currently using that to let me onto the Vista partition of this computer. I am now downloading Ubuntu in the case that I am no longer able to boot into the partition while using the previously mentioned workaround.

I am using a Windows Vista x32 bit PC. I ran a HijackThis scan before the master boot record was wiped, and I currently have AVG, Spybot Search & Destroy, and Malwarebytes Antimalware on this PC.

Also, I do not know if this means much, but while looking through my Event Viewer logs, I found a very interesting event that was logged on the 24th. It wouldn't display correctly, apparently due to some component that wasn't there, but the error event had this information attached to it:
"Microsoft Antimalware Service
%%2147942402"

Thank you, and hopefully you can help me get this problem all worked out.

EDIT: Just an update on what's going on with my computer.
First of all, apparently Vista rebuilt its MBR automatically during my last session. Woohoo! Next, and I just realized this today, apparently AVG's anti-virus engine has been disabled and there is no option to turn it back on. Also, Spybot Search & Destroy currently has antispyware protection off and live protection on, and I don't see anything that will let me re-enable the antispyware protection. I'm tempted to try more things, such as booting into Ubuntu and seeing if I can solve the problem from there, or seeing if using a LiveCD will do any good, but I will instead wait for further help before proceeding.

Edited by FRiNKEL, 03 December 2011 - 03:50 PM.

"I've done so much with so little for so long, they now expect me to do the impossible with nothing." - Source unknown to me


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:33 PM

Posted 04 December 2011 - 05:13 AM

Hello, let's see if we can resolve this problem.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
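Once mbr.bin is on the USB stick, the checks behind a verdict like "the MBR looks good" can be scripted. The Python below is an added example written for this thread; it is not xPUD, not a BleepingComputer tool and not Elise's own method. It parses the 512-byte dump that the dd command above produces, verifies the 0x55AA boot signature and the four partition-table entries (status byte, at most one active partition, no overlapping LBA ranges), and hashes the 446 bytes of bootstrap code so they can be compared against a dump taken from a known-clean install of the same Windows version. The sample sector built by build_sample_mbr() is constructed for illustration and is not the poster's attachment.

```python
"""Sanity-check a raw MBR dump such as the mbr.bin produced by
`dd if=/dev/sda of=mbr.bin bs=512 count=1`.

Added example for this thread; it is not xPUD, DDS or any BleepingComputer
tool. The boot sector returned by build_sample_mbr() is constructed for
illustration only.
"""
import hashlib
import struct
import sys

MBR_SIZE = 512
PART_TABLE_OFFSET = 446            # bootstrap code occupies bytes 0..445
PART_ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY_SIZE = struct.calcsize(PART_ENTRY_FMT)   # 16 bytes per entry
BOOT_SIGNATURE = b"\x55\xaa"       # bytes 510..511


def parse_partition_entry(raw: bytes) -> dict:
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(PART_ENTRY_FMT, raw)
    return {"status": status, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def analyze_mbr(mbr: bytes) -> dict:
    """Return the parsed partition table, a SHA-256 of the bootstrap code and a
    list of structural findings. An empty list means the sector is well formed;
    only the hash comparison says whether the code is the one Windows installed."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    findings = []

    sig_ok = mbr[510:512] == BOOT_SIGNATURE
    if not sig_ok:
        findings.append("boot signature 0x55AA missing: sector wiped or not an MBR")

    code = mbr[:PART_TABLE_OFFSET]
    if not any(code):
        findings.append("bootstrap code is all zeros (wiped)")

    table = mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 4 * PART_ENTRY_SIZE]
    parts = [parse_partition_entry(table[i:i + PART_ENTRY_SIZE])
             for i in range(0, len(table), PART_ENTRY_SIZE)]

    for n, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {n}: invalid status byte 0x{p['status']:02x}")
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition marked active")

    used = [p for p in parts if p["type"] != 0]
    if not used:
        findings.append("partition table is empty")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions overlap: [{s1},{e1}) and [{s2},{e2})")

    return {"boot_signature_ok": sig_ok, "partitions": parts,
            "bootstrap_sha256": hashlib.sha256(code).hexdigest(),
            "findings": findings}


def build_sample_mbr() -> bytes:
    """Constructed sample: a Windows-style MBR with one active NTFS partition and
    one data partition. The opening bytes are the conventional
    `xor ax,ax / mov ss,ax / mov sp,7c00h` prologue, zero-padded (not real code)."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(PART_TABLE_OFFSET, b"\x00")
    chs = b"\xfe\xff\xff"          # CHS fields are ignored by LBA-aware loaders; filler
    table = (struct.pack(PART_ENTRY_FMT, 0x80, chs, 0x07, chs, 2048, 204800)
             + struct.pack(PART_ENTRY_FMT, 0x00, chs, 0x07, chs, 206848, 409600)
             + bytes(2 * PART_ENTRY_SIZE))
    return code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    report = analyze_mbr(data)
    print("boot signature:", "ok" if report["boot_signature_ok"] else "MISSING")
    print("bootstrap sha256:", report["bootstrap_sha256"])
    for n, p in enumerate(report["partitions"]):
        if p["type"]:
            print(f"  part {n}: type 0x{p['type']:02x} lba {p['lba_start']} "
                  f"sectors {p['sectors']}{' (active)' if p['bootable'] else ''}")
    for f in report["findings"]:
        print("FINDING:", f)
```

Run it as `python mbr_check.py mbr.bin`; with no argument it analyses the constructed sample. Two caveats apply to any such check. A well-formed partition table says nothing about the bootstrap code, which is precisely what a bootkit replaces while leaving the entries intact, so the hash comparison against a clean dump carries more weight than an empty findings list. And the dump has to be taken from outside the running Windows, as the xPUD boot CD does here: a rootkit that hooks the disk stack can hand a clean copy of sector 0 to any tool running on the infected system.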


#3 FRiNKEL

FRiNKEL
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 AM

Posted 04 December 2011 - 06:18 AM

Hello,
Thanks for helping me with this issue, it was really starting to worry me!
Anyways, just another update, apparently after rebooting AVG has re-enabled its anti-virus protection and Spybot S+D has re-enabled its antispyware protection. However, I don't think the problem has evaded, and Spybot has taken notice of multiple programs trying to start, and therefore auto-scanning them (but with no result). Here's a list of items I noticed were running when they shouldn't have, or seem a bit fishy:
  • wsqmcons.exe (Dunno what this executable is, threw it in just in case)
  • Rundll32.exe (Never seen rundll32.exe with a capital letter. It might be my skepticism though.)
  • wermgr.exe (Don't know what this executable is, but I threw it in the list just in case)
  • wmpnscfg.exe (Didn't tell Windows Media Player to start.)
  • wmplayer.exe (Didn't tell Windows Media Player to start.)

Anyways, back on topic, I attached the zipped mbr.bin file to this post. Thanks again for helping me!
(Oh, and hope you don't mind, but I'm doing everything from the sick computer, because I have no other working computer available at hand at the moment.)

Attached Files

  • Attached File  mbr.zip   595bytes   4 downloads

Edited by FRiNKEL, 04 December 2011 - 06:21 AM.

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:33 PM

Posted 04 December 2011 - 07:34 AM

The MBR looks good. Can you boot normally into Windows at this point without any intervention?

regards, Elise


#5 FRiNKEL

FRiNKEL
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 AM

Posted 04 December 2011 - 12:59 PM

Yes I can.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:33 PM

Posted 04 December 2011 - 01:35 PM

In that case, let's see what else needs fixing here.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise
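DDS writes its "Pseudo HJT Report" as one-line records (Hosts:, mWinlogon:, BHO:, TB:, TCP:, AppInit_DLLs:, AV:/SP:/FW:), and much of the analyst's first pass is scanning those lines for a handful of patterns. The script below is an added example for this thread, not part of DDS or of Elise's procedure, that applies such a pass to constructed lines in the DDS format: hosts-file entries that blackhole a site to loopback or pin it to a public address, extra programs appended to the Winlogon Userinit value, anything in AppInit_DLLs, orphaned browser add-on registrations, statically configured DNS servers, and security products reporting themselves disabled. Product names and paths in the sample are illustrative, and every rule is a heuristic: AppInit_DLLs and hosts-file blocking are used by legitimate security suites and immunisation tools as well as by malware, so each hit is something to verify with the vendor or the user, not a verdict.

```python
"""Triage the "Pseudo HJT Report" section of a DDS log for the entries an
analyst reads first.

Added example for this thread; it is not part of DDS or of any
BleepingComputer tooling. Every hit is a lead to verify, not a verdict.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the DDS line format (a few lines of the kinds the
# report contains; not a complete log).
SAMPLE_REPORT = r"""AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TCP: Interfaces\{55031F99-6F53-40C2-853D-0409FF925467} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{73312F79-6A9D-4496-BFC8-E0DD5D25E4BB} : NameServer = 156.154.70.22,156.154.71.22
AppInit_DLLs: c:\windows\system32\guard32.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 192.168.1.254 homeportal
Hosts: 74.208.10.249 gs.apple.com
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
DISABLED_RE = re.compile(r"^(AV|SP|FW): .*\*Disabled")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    rule: str
    line: str


def triage(report: str) -> list:
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Hosts:"):
            fields = line.split(None, 2)          # "Hosts:", address, name
            if len(fields) < 3:
                continue
            try:
                addr = ipaddress.ip_address(fields[1])
            except ValueError:
                findings.append(Finding("medium", "hosts: unparsable address", line))
                continue
            if fields[2].lower() in LOCAL_NAMES:
                continue                            # the stock localhost lines
            if addr.is_loopback or addr.is_unspecified:
                findings.append(Finding("medium", "hosts: site blackholed to loopback; find out who added it", line))
            elif addr.is_global:
                findings.append(Finding("high", "hosts: site pinned to a public address, bypassing DNS", line))
            else:
                findings.append(Finding("info", "hosts: name pinned to a private address", line))
        elif line.startswith("mWinlogon:") and "Userinit=" in line:
            # Userinit should be userinit.exe alone; anything after the comma
            # runs at every logon, a classic persistence slot.
            entries = [e.strip() for e in line.split("Userinit=", 1)[1].split(",") if e.strip()]
            extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(Finding("high", "Winlogon Userinit starts extra program(s): " + "; ".join(extra), line))
        elif line.startswith("AppInit_DLLs:"):
            if line.split(":", 1)[1].strip():
                findings.append(Finding("medium", "AppInit_DLLs loads into every process using user32; confirm the vendor", line))
        elif line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            findings.append(Finding("info", "orphaned browser add-on registration (file missing)", line))
        elif line.startswith("TCP:") and " NameServer =" in line:   # not DhcpNameServer
            findings.append(Finding("medium", "static DNS servers configured on an interface; confirm they are yours", line))
        elif DISABLED_RE.match(line):
            findings.append(Finding("info", "security product reports itself disabled", line))
    return findings


def summarize(findings) -> dict:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = ("high", "medium", "info")
    for f in sorted(triage(SAMPLE_REPORT), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.rule}\n         {f.line}")
    print(summarize(triage(SAMPLE_REPORT)))
```

On the constructed sample this yields two high, three medium and four informational hits. The ordering is deliberate: the Userinit addition and the hosts entry that pins a name to a public address are the two that change what code runs or where traffic goes, so they get read first; the loopback blackhole and the static resolvers are next, because they can be either an immunisation/hardening step or a way to keep a machine from reaching update and AV sites; the orphaned add-ons and disabled-product lines are context for the rest of the log rather than findings on their own.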


#7 FRiNKEL

FRiNKEL
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:33 AM

Posted 04 December 2011 - 01:56 PM

Did as you asked, except when I downloaded the .scr file format, I renamed it and changed it to .exe (my computer's not letting it run while .scr format).
Plus, I never added "127.0.0.1 www.spywareinfo.com" to my HOSTS file!


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Antec04 at 10:41:42 on 2011-12-04
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2039.964 [GMT -8:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Spybot - Search & Destroy *Enabled/Updated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Defense+ *Enabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\WTouch\WTouchService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\SHAPE Services\Mobiola Wave Service\MobiolaWaveService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\iZ3D Driver\Win32\S3DCService.exe
C:\Program Files\Spybot - Search & Destroy 2\SDHookSvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\vmnat.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\COMODO\COMODO Internet Security\cfpupdat.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Antec04\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Users\Antec04\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Antec04\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Antec04\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Antec04\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Antec04\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Antec04\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Antec04\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Antec04\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
mURLSearchHooks: LOCKERZ Restock Toolbar: {44658024-1a78-446b-90c0-ce912bf6f44b} - c:\program files\lockerz_restock\tbLOC0.dll
mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\prxtbZyn0.dll
mURLSearchHooks: ALERTMEBrowse Toolbar: {d5370e46-2925-446c-86bc-eb13323a6b8e} - c:\program files\alertmebrowse\tbALER.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\soluto\soluto.exe /userinit
BHO: AutorunsDisabled - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\adobe contribute cs5.1\plugins\ieplugin\contributeieplugin.dll
BHO: {11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CashGopher BHO: {2aae80ce-5d5e-4ad2-b722-e9e0a506ce52} - c:\users\antec04\appdata\roaming\cashgopher\cashgopherbho.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: LOCKERZ Restock Toolbar: {44658024-1a78-446b-90c0-ce912bf6f44b} - c:\program files\lockerz_restock\tbLOC0.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {6F6A5334-78E9-4D9B-8182-8B41EA8C39EF} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\prxtbZyn0.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.40\AVG Secure Search_toolbar.dll
BHO: Babylon IE plugin: {9cfaccb6-2f3f-4177-94ea-0d2b72d384c1} - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - c:\users\antec04\appdata\roaming\flashgetbho\FlashGetBHO3.dll
BHO: {CCB69577-088B-4004-9ED8-FF5BCC83A039} - No File
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: ALERTMEBrowse Toolbar: {d5370e46-2925-446c-86bc-eb13323a6b8e} - c:\program files\alertmebrowse\tbALER.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: LOCKERZ Restock Toolbar: {44658024-1a78-446b-90c0-ce912bf6f44b} - c:\program files\lockerz_restock\tbLOC0.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\prxtbZyn0.dll
TB: ALERTMEBrowse Toolbar: {d5370e46-2925-446c-86bc-eb13323a6b8e} - c:\program files\alertmebrowse\tbALER.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.40\AVG Secure Search_toolbar.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\adobe contribute cs5.1\plugins\ieplugin\contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [<NO NAME>]
uRun: [AdobeBridge]
uRun: [fsm]
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [<NO NAME>]
mRun: [Skytel] Skytel.exe
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\users\antec04\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\antec04\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\antec04\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\users\antec04\appdata\roaming\micros~1\windows\startm~1\programs\startup\autoru~1\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Download all by FlashGet3 - c:\users\antec04\appdata\roaming\flashgetbho\GetAllUrl.htm
IE: Download by FlashGet3 - c:\users\antec04\appdata\roaming\flashgetbho\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: Translate this web page with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.26.0.cab
TCP: Interfaces\{55031F99-6F53-40C2-853D-0409FF925467} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{73312F79-6A9D-4496-BFC8-E0DD5D25E4BB} : NameServer = 156.154.70.22,156.154.71.22
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\8.0.1\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
Notify: SDWinLogon - SDWinLogon.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - %SystemRoot%\system32\soundschemes2.exe /AddRegistration
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 192.168.1.254 homeportal
Hosts: 74.208.10.249 gs.apple.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\antec04\appdata\roaming\mozilla\firefox\profiles\fkizaixy.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.inbox.com/homepage.aspx?tbid=80544&lng=en
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=MYC-ST&o=102868&locale=en_US&apn_uid=ecd4f624-fa3a-4663-aa6f-a68c32fd608f&apn_ptnrs=5I&apn_sauid=047BEF37-51FB-4ABA-93A9-E52498D8A353&apn_dtid=YYYYYYYYUS&&q=
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\nokia\nokia ovi suite\connectors\bookmarks connector\firefoxextension\components\FirefoxExtension.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\wolfram research\browser\8.0.1.2077975\npmathplugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\onlive\plugin\npolgdet.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\antec04\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\users\antec04\appdata\local\roblox\versions\version-9d8ee47fdc21422e\NPRobloxProxy.dll
FF - plugin: c:\users\antec04\appdata\local\rockmelt\update\1.2.189.1\npRockMeltOneClick8.dll
FF - plugin: c:\users\antec04\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\antec04\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.brc - BRI/1
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-5-2 238960]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-5-2 36568]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2011-9-11 189888]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [2011-9-11 60352]
R1 iZ3DInjectionDriver;Driver inject our D3D and OGL wrappers;c:\program files\iz3d driver\win32\S3DInjectionDriver.sys [2011-7-17 34968]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\spybot - search & destroy 2\SDHookDrv32.sys [2011-10-31 38504]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2011-6-10 162544]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2011-6-10 44720]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-7-30 21992]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-18 21504]
R2 Mobiola Wave Service;Mobiola Wave Service;c:\program files\common files\shape services\mobiola wave service\MobiolaWaveService.exe [2011-4-15 125088]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 S3DSvc32;S3D Service (Win32);c:\program files\iz3d driver\win32\S3DCService.exe [2011-7-17 360960]
R2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\spybot - search & destroy 2\SDHookSvc.exe [2011-10-31 130976]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2011-10-31 892336]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2011-10-31 955816]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2011-10-31 169624]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-9-17 4408616]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-8-1 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-8-1 539184]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\8.0.1\ToolbarUpdater.exe [2011-9-24 246600]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-9-17 112936]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2008-6-11 40576]
R3 MOBIOLA_Wave;Mobiola Wave Audio Device (WDM);c:\windows\system32\drivers\mobiolawave.sys [2011-4-15 25024]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2011-2-20 9472]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-6-17 128272]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2011-5-16 111280]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2011-5-16 122224]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2010-9-17 13224]
S0 Soluto;Soluto;c:\windows\system32\drivers\Soluto.sys [2011-7-9 51144]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-24 136176]
S2 SolutoService;Soluto PCGenome Core Service;c:\program files\soluto\SolutoService.exe [2011-7-7 376352]
S2 tmrkb;tmrkb;c:\windows\system32\drivers\tmrkb.sys [2011-12-2 65808]
S3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
S3 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-9-18 21504]
S3 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo geekbuddy\CLPSLS.exe [2011-5-25 154424]
S3 cpuz134;cpuz134;c:\program files\cpuid\pc wizard 2010\pcwiz_x32.sys [2011-11-18 20328]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-24 136176]
S3 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-5-25 1336712]
S3 iDispService;iDispService;c:\windows\system32\drivers\idisplayminiport.sys [2011-1-22 14032]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2011-2-21 42592]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\drivers\mr97310c.sys [2008-3-27 116992]
S3 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2011-1-7 63304]
S3 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S3 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-7-6 173352]
S3 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-6-1 2337144]
S3 tvnserver;TightVNC Server;c:\program files\tightvnc\tvnserver.exe [2011-5-26 826896]
S3 usedisk;USEDisk Driver;c:\windows\system32\drivers\usedisk.sys [2010-5-13 17408]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-12-25 15656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
.
=============== Created Last 30 ================
.
2011-12-03 03:37:27 -------- d-----w- c:\program files\Alex Feinman
2011-12-03 01:15:41 65808 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-12-03 01:15:08 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-12-03 00:52:07 388096 ----a-r- c:\users\antec04\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-03 00:52:05 -------- d-----w- c:\program files\Trend Micro
2011-12-02 07:44:05 -------- d-----w- c:\program files\Photoupz
2011-12-02 06:04:34 -------- d-----w- c:\program files\Foldit
2011-12-02 00:13:10 -------- d-----w- c:\users\antec04\appdata\roaming\Antares
2011-11-30 02:02:47 -------- d-----w- c:\program files\SlimPublisher
2011-11-30 02:02:41 -------- d-----w- c:\users\antec04\appdata\roaming\SpringPublisher
2011-11-30 01:53:55 4627968 ----a-w- C:\slimpublisher2.msi
2011-11-28 01:08:03 73032 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2011-11-28 01:08:03 67400 ----a-w- c:\windows\system32\ftcserco.dll
2011-11-28 01:08:03 52552 ----a-w- c:\windows\system32\ftserui2.dll
2011-11-28 01:08:03 197952 ----a-w- c:\windows\system32\FTLang.dll
2011-11-28 01:08:02 60104 ----a-w- c:\windows\system32\drivers\ftdibus.sys
2011-11-28 01:08:02 198464 ----a-w- c:\windows\system32\ftd2xx.dll
2011-11-28 01:08:02 105288 ----a-w- c:\windows\system32\ftbusui.dll
2011-11-28 01:07:56 -------- d-----w- c:\users\antec04\appdata\local\Parallax
2011-11-28 01:05:11 -------- d-----w- c:\program files\Parallax Inc
2011-11-27 04:47:30 -------- d-----w- c:\users\antec04\dwhelper
2011-11-26 07:34:52 -------- d-----w- c:\programdata\TagTuner
2011-11-26 07:33:26 -------- d-----w- c:\users\antec04\appdata\roaming\TagTuner
2011-11-26 07:33:17 -------- d-----w- c:\program files\TAGTUNER
2011-11-24 23:00:44 -------- d-----w- c:\program files\Windows Portable Devices
2011-11-24 02:48:54 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2011-11-24 02:48:52 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2011-11-24 02:48:52 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2011-11-24 02:41:14 161792 ----a-w- c:\windows\system32\msls31.dll
2011-11-24 02:38:33 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-11-24 02:38:32 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-11-24 02:38:31 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-11-24 02:38:30 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-11-24 02:38:29 98816 ----a-w- c:\windows\system32\mfps.dll
2011-11-24 02:38:29 2873344 ----a-w- c:\windows\system32\mf.dll
2011-11-24 02:38:26 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-11-24 02:38:24 586240 ----a-w- c:\windows\system32\stobject.dll
2011-11-24 02:38:01 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-11-24 02:37:57 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-11-24 02:37:56 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-11-24 02:37:55 37376 ----a-w- c:\windows\system32\cdd.dll
2011-11-24 02:37:55 258048 ----a-w- c:\windows\system32\winspool.drv
2011-11-24 02:37:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-11-24 02:37:53 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-11-24 02:37:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-11-24 02:35:07 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2011-11-24 02:35:06 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2011-11-24 02:35:04 252928 ----a-w- c:\windows\system32\dxdiag.exe
2011-11-24 02:34:52 519680 ----a-w- c:\windows\system32\d3d11.dll
2011-11-24 02:34:40 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-11-24 02:34:37 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-11-24 02:34:36 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2011-11-23 22:46:17 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-11-23 22:46:17 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-11-23 22:46:17 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-11-23 22:46:16 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-11-23 22:46:16 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-11-23 22:46:16 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-11-23 22:46:16 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-11-23 22:46:16 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-11-23 22:46:16 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-11-23 22:46:15 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-11-23 22:46:15 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-11-23 22:46:15 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-11-23 22:44:56 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-11-23 22:44:56 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-11-23 22:44:52 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-11-23 22:22:46 -------- d-----w- c:\users\antec04\appdata\roaming\VBA-M
2011-11-23 02:15:15 -------- d-----w- c:\programdata\xml_param
2011-11-22 08:35:21 -------- d-----w- c:\users\antec04\appdata\local\Wondershare
2011-11-22 08:35:13 -------- d-----w- c:\program files\common files\Wondershare
2011-11-22 08:34:51 158720 ----a-w- c:\windows\system32\WS_VideoConverterContextMenu.dll
2011-11-22 08:34:48 892928 ----a-w- c:\windows\system32\iconv.dll
2011-11-22 08:34:48 675840 ----a-w- c:\windows\system32\ac3filter.ax
2011-11-22 08:34:48 496640 ----a-w- c:\windows\system32\xvid.ax
2011-11-22 08:34:46 -------- d-----w- c:\users\antec04\appdata\roaming\Wondershare
2011-11-22 04:39:02 -------- d-----w- C:\CLAYMATION_HOLIDAYS
2011-11-20 08:52:05 -------- d-----w- c:\users\antec04\appdata\roaming\OnLive App
2011-11-20 08:51:19 -------- d-----w- c:\program files\OnLive
2011-11-20 08:24:48 -------- d-----w- c:\users\antec04\appdata\local\Bit.Trip Beat
2011-11-20 08:24:42 -------- d-----w- c:\users\antec04\appdata\roaming\Hive Cluster
2011-11-20 08:20:42 -------- d-----w- c:\program files\OpenAL
2011-11-20 08:19:18 -------- d-----w- c:\program files\BIT.TRIP BEAT
2011-11-20 00:11:05 -------- d-----w- c:\program files\Minecraft Note Block Studio
2011-11-19 23:39:52 -------- d-----w- c:\users\antec04\appdata\roaming\pymclevel
2011-11-19 23:39:06 -------- d-----w- c:\users\antec04\appdata\local\MCEdit
2011-11-19 06:17:41 114176 ----a-w- c:\windows\system32\PCWizard.cpl
2011-11-19 06:17:41 -------- d-----w- c:\windows\Java
2011-11-19 06:12:31 -------- d-----w- c:\program files\FinalWire
2011-11-17 08:16:38 -------- d-----w- c:\program files\DayMate
2011-11-14 08:06:53 -------- d-----w- c:\users\antec04\appdata\roaming\BlitzCards
2011-11-14 08:05:41 -------- d-----w- c:\program files\Blitz FlashCards (GOTD Version)
2011-11-14 01:09:06 -------- d-----w- C:\fasm
2011-11-13 08:06:31 -------- d-----w- c:\users\antec04\appdata\local\PlayBasic
2011-11-13 07:53:38 -------- d-----w- c:\program files\PlayBASIC
2011-11-11 00:01:36 -------- d-----w- c:\users\antec04\appdata\roaming\Software Informer
2011-11-11 00:01:35 -------- d-----w- c:\program files\Software Informer
2011-11-10 23:59:15 -------- d-----w- c:\program files\Zebra-Media
2011-11-09 03:24:49 -------- d-----w- c:\program files\DVDFab 8 Qt
2011-11-09 03:03:39 -------- d-----w- C:\masm32
2011-11-08 21:02:41 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-08 21:02:40 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2011-11-08 21:02:38 707584 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-07 23:59:41 -------- d-----w- c:\users\antec04\.shsh
2011-11-06 18:40:05 -------- d-----w- c:\program files\Brighter Minds Media
2011-11-06 04:41:06 -------- d-----w- c:\users\antec04\.msf3
2011-11-06 04:37:31 -------- d-----w- c:\users\antec04\.gem
2011-11-06 03:55:05 -------- d-----w- C:\exploits
.
==================== Find3M ====================
.
2011-12-03 20:40:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-24 02:41:13 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-11-24 02:41:09 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-11-24 02:41:09 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-11-24 02:41:08 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-11-24 02:41:08 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-11-24 02:41:05 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-11-24 02:41:03 367104 ----a-w- c:\windows\system32\html.iec
2011-11-24 02:41:00 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-11-24 02:40:58 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-24 02:40:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-24 02:40:56 152064 ----a-w- c:\windows\system32\wextract.exe
2011-11-24 02:40:56 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-11-24 02:40:53 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-11-24 02:40:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-11-24 02:40:52 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-11-24 02:40:50 11776 ----a-w- c:\windows\system32\mshta.exe
2011-11-24 02:40:50 101888 ----a-w- c:\windows\system32\admparse.dll
2011-11-24 02:40:48 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-24 02:40:47 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-11-24 02:40:44 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-11-24 02:35:18 4096 ----a-w- c:\windows\system32\drivers\en-us\dxgkrnl.sys.mui
2011-11-20 08:20:36 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-11-20 08:20:35 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2011-10-24 21:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 21:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-14 21:39:06 21806 ----a-w- C:\FixitRegBackup.reg
2011-10-07 13:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 13:21:16 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-10-03 13:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-13 13:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys
2010-06-14 02:10:00 2734688 ----a-w- c:\program files\tbLOCK.dll
.
============= FINISH: 10:45:03.69 ===============

The other log is attached.


"I've done so much with so little for so long, they now expect me to do the impossible with nothing." - Source unknown to me

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:33 PM

Posted 04 December 2011 - 02:03 PM

Hi again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all-inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 FRiNKEL


Posted 05 December 2011 - 01:08 AM

ComboFix was able to remove a few files and restart within 30 minutes, but I've been waiting ten hours and the log has yet to be prepared. Should I keep waiting or should I do something?

#10 Elise


Posted 05 December 2011 - 01:49 AM

Just exit it and restart your computer, look for the log at c:\combofix.txt afterwards and post it here.

regards, Elise




#11 FRiNKEL


Posted 05 December 2011 - 02:10 AM

Exited and restarted, but there's no c:\combofix.txt to be found.
Looks like the past 10 hours of log preparing the computer did were put to good use.

#12 Elise


Posted 05 December 2011 - 02:49 AM

Can you please rerun Combofix and see if a log is created now?

regards, Elise




#13 FRiNKEL


Posted 05 December 2011 - 04:47 AM

Did as requested.

Here's the entire ComboFix.txt log (You want me to copy-paste it all here, right?)


ComboFix 11-12-04.04 - Antec04 12/05/2011 0:14.2.1 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2039.1017 [GMT -8:00]
Running from: c:\users\Antec04\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
FW: COMODO Firewall *Disabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Spybot - Search & Destroy *Enabled/Updated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\install.exe
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\users\Antec04\.msf3\logs\framework.log
c:\users\Antec04\.msf3\modcache
c:\users\Antec04\AppData\Roaming\Bitcoin\.lock
c:\users\Antec04\AppData\Roaming\Bitcoin\__db.001
c:\users\Antec04\AppData\Roaming\Bitcoin\__db.002
c:\users\Antec04\AppData\Roaming\Bitcoin\__db.003
c:\users\Antec04\AppData\Roaming\Bitcoin\__db.004
c:\users\Antec04\AppData\Roaming\Bitcoin\__db.005
c:\users\Antec04\AppData\Roaming\Bitcoin\__db.006
c:\users\Antec04\AppData\Roaming\Bitcoin\addr.dat
c:\users\Antec04\AppData\Roaming\Bitcoin\blk0001.dat
c:\users\Antec04\AppData\Roaming\Bitcoin\blkindex.dat
c:\users\Antec04\AppData\Roaming\Bitcoin\database\log.0000000088
c:\users\Antec04\AppData\Roaming\Bitcoin\db.log
c:\users\Antec04\AppData\Roaming\Bitcoin\debug.log
c:\users\Antec04\AppData\Roaming\Bitcoin\wallet.dat
c:\users\Antec04\AppData\Roaming\EurekaLog\EurekaLog.ini
c:\windows\MTUn4905.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Engine
.
.
((((((((((((((((((((((((( Files Created from 2011-11-05 to 2011-12-05 )))))))))))))))))))))))))))))))
.
.
2011-12-05 08:38 . 2011-12-05 08:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-04 19:52 . 2011-12-05 08:38 -------- d-----w- c:\users\Antec04\AppData\Local\temp
2011-12-03 03:37 . 2011-12-03 03:37 -------- d-----w- c:\program files\Alex Feinman
2011-12-03 01:15 . 2011-12-03 01:15 65808 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-12-03 01:15 . 2011-12-03 01:15 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-12-03 00:52 . 2011-12-03 00:52 388096 ----a-r- c:\users\Antec04\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-03 00:52 . 2011-12-03 00:52 -------- d-----w- c:\program files\Trend Micro
2011-12-02 07:44 . 2011-12-02 07:44 -------- d-----w- c:\program files\Photoupz
2011-12-02 06:04 . 2011-12-02 07:03 -------- d-----w- c:\program files\Foldit
2011-12-02 00:13 . 2011-12-02 00:13 -------- d-----w- c:\users\Antec04\AppData\Roaming\Antares
2011-11-30 02:02 . 2011-11-30 02:02 -------- d-----w- c:\program files\SlimPublisher
2011-11-30 02:02 . 2011-11-30 02:12 -------- d-----w- c:\users\Antec04\AppData\Roaming\SpringPublisher
2011-11-30 01:53 . 2011-11-25 19:09 4627968 ----a-w- C:\slimpublisher2.msi
2011-11-28 01:08 . 2010-07-12 21:49 197952 ----a-w- c:\windows\system32\FTLang.dll
2011-11-28 01:08 . 2010-07-12 21:49 52552 ----a-w- c:\windows\system32\ftserui2.dll
2011-11-28 01:08 . 2010-07-12 21:49 67400 ----a-w- c:\windows\system32\ftcserco.dll
2011-11-28 01:08 . 2010-07-12 21:48 73032 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2011-11-28 01:08 . 2010-07-12 21:50 198464 ----a-w- c:\windows\system32\ftd2xx.dll
2011-11-28 01:08 . 2010-07-12 21:50 105288 ----a-w- c:\windows\system32\ftbusui.dll
2011-11-28 01:08 . 2010-07-12 21:49 60104 ----a-w- c:\windows\system32\drivers\ftdibus.sys
2011-11-28 01:07 . 2011-11-28 01:23 -------- d-----w- c:\users\Antec04\AppData\Local\Parallax
2011-11-28 01:05 . 2011-11-28 01:05 -------- d-----w- c:\program files\Parallax Inc
2011-11-27 04:47 . 2011-11-27 04:47 -------- d-----w- c:\users\Antec04\dwhelper
2011-11-26 07:34 . 2011-11-26 07:34 -------- d-----w- c:\programdata\TagTuner
2011-11-26 07:33 . 2011-11-26 07:36 -------- d-----w- c:\users\Antec04\AppData\Roaming\TagTuner
2011-11-26 07:33 . 2011-11-26 07:33 -------- d-----w- c:\program files\TAGTUNER
2011-11-24 23:00 . 2011-11-24 23:00 -------- d-----w- c:\program files\Windows Portable Devices
2011-11-24 02:48 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2011-11-24 02:48 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2011-11-24 02:48 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2011-11-24 02:41 . 2011-11-24 02:41 161792 ----a-w- c:\windows\system32\msls31.dll
2011-11-24 02:38 . 2011-11-24 02:38 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-11-24 02:38 . 2011-11-24 02:38 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-11-24 02:38 . 2011-11-24 02:38 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-11-24 02:38 . 2011-11-24 02:38 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-11-24 02:38 . 2011-11-24 02:38 98816 ----a-w- c:\windows\system32\mfps.dll
2011-11-24 02:38 . 2011-11-24 02:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-11-24 02:38 . 2011-11-24 02:38 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-11-24 02:38 . 2011-11-24 02:38 586240 ----a-w- c:\windows\system32\stobject.dll
2011-11-24 02:38 . 2011-11-24 02:38 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-11-24 02:37 . 2011-11-24 02:37 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-11-24 02:37 . 2011-11-24 02:37 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-11-24 02:37 . 2011-11-24 02:37 37376 ----a-w- c:\windows\system32\cdd.dll
2011-11-24 02:37 . 2011-11-24 02:37 258048 ----a-w- c:\windows\system32\winspool.drv
2011-11-24 02:37 . 2011-11-24 02:37 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-11-24 02:37 . 2011-11-24 02:37 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-11-24 02:37 . 2011-11-24 02:37 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-11-24 02:35 . 2011-11-24 02:35 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2011-11-24 02:35 . 2011-11-24 02:35 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2011-11-24 02:35 . 2011-11-24 02:35 252928 ----a-w- c:\windows\system32\dxdiag.exe
2011-11-24 02:34 . 2011-11-24 02:34 519680 ----a-w- c:\windows\system32\d3d11.dll
2011-11-24 02:34 . 2011-11-24 02:34 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-11-24 02:34 . 2011-11-24 02:34 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-11-24 02:34 . 2011-11-24 02:34 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2011-11-23 22:46 . 2011-01-20 16:08 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-11-23 22:46 . 2011-01-20 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-11-23 22:46 . 2011-01-20 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-11-23 22:46 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-11-23 22:46 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-11-23 22:46 . 2011-01-20 16:08 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-11-23 22:46 . 2011-01-20 16:08 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-11-23 22:46 . 2011-01-20 16:08 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-11-23 22:46 . 2011-01-20 14:11 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-11-23 22:46 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-11-23 22:46 . 2011-01-20 14:28 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-11-23 22:46 . 2011-01-20 14:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-11-23 22:44 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-11-23 22:44 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-11-23 22:44 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-11-23 22:22 . 2011-11-23 22:22 -------- d-----w- c:\users\Antec04\AppData\Roaming\VBA-M
2011-11-23 02:15 . 2011-11-29 05:56 -------- d-----w- c:\programdata\xml_param
2011-11-22 08:35 . 2011-11-22 08:35 -------- d-----w- c:\users\Antec04\AppData\Local\Wondershare
2011-11-22 08:35 . 2011-11-22 08:35 -------- d-----w- c:\program files\Common Files\Wondershare
2011-11-22 08:34 . 2011-11-11 22:05 158720 ----a-w- c:\windows\system32\WS_VideoConverterContextMenu.dll
2011-11-22 08:34 . 2011-11-11 22:05 892928 ----a-w- c:\windows\system32\iconv.dll
2011-11-22 08:34 . 2011-11-11 22:05 675840 ----a-w- c:\windows\system32\ac3filter.ax
2011-11-22 08:34 . 2011-11-11 22:05 496640 ----a-w- c:\windows\system32\xvid.ax
2011-11-22 08:34 . 2011-11-22 08:34 -------- d-----w- c:\users\Antec04\AppData\Roaming\Wondershare
2011-11-22 04:39 . 2011-11-22 04:47 -------- d-----w- C:\CLAYMATION_HOLIDAYS
2011-11-20 08:52 . 2011-11-20 08:52 -------- d-----w- c:\users\Antec04\AppData\Roaming\OnLive App
2011-11-20 08:51 . 2011-11-20 08:52 -------- d-----w- c:\program files\OnLive
2011-11-20 08:24 . 2011-11-20 08:25 -------- d-----w- c:\users\Antec04\AppData\Local\Bit.Trip Beat
2011-11-20 08:24 . 2011-11-20 08:24 -------- d-----w- c:\users\Antec04\AppData\Roaming\Hive Cluster
2011-11-20 08:20 . 2011-11-20 08:20 -------- d-----w- c:\program files\OpenAL
2011-11-20 08:19 . 2011-11-20 08:50 -------- d-----w- c:\program files\BIT.TRIP BEAT
2011-11-20 00:11 . 2011-11-20 00:11 -------- d-----w- c:\program files\Minecraft Note Block Studio
2011-11-19 23:39 . 2011-11-19 23:39 -------- d-----w- c:\users\Antec04\AppData\Roaming\pymclevel
2011-11-19 23:39 . 2011-11-19 23:39 -------- d-----w- c:\users\Antec04\AppData\Local\MCEdit
2011-11-19 06:17 . 2011-11-19 06:17 -------- d-----w- c:\windows\Java
2011-11-19 06:17 . 2010-08-22 21:48 114176 ----a-w- c:\windows\system32\PCWizard.cpl
2011-11-19 06:12 . 2011-11-19 06:12 -------- d-----w- c:\program files\FinalWire
2011-11-17 08:16 . 2011-11-17 08:16 -------- d-----w- c:\program files\DayMate
2011-11-14 08:06 . 2011-11-14 08:06 -------- d-----w- c:\users\Antec04\AppData\Roaming\BlitzCards
2011-11-14 08:05 . 2011-11-14 08:05 -------- d-----w- c:\program files\Blitz FlashCards (GOTD Version)
2011-11-14 01:09 . 2011-11-14 01:12 -------- d-----w- C:\fasm
2011-11-13 08:06 . 2011-11-13 08:30 -------- d-----w- c:\users\Antec04\AppData\Local\PlayBasic
2011-11-13 07:53 . 2011-11-13 07:54 -------- d-----w- c:\program files\PlayBASIC
2011-11-11 00:01 . 2011-11-25 00:02 -------- d-----w- c:\users\Antec04\AppData\Roaming\Software Informer
2011-11-11 00:01 . 2011-11-11 00:01 -------- d-----w- c:\program files\Software Informer
2011-11-10 23:59 . 2011-11-10 23:59 -------- d-----w- c:\program files\Zebra-Media
2011-11-09 03:24 . 2011-11-11 15:21 -------- d-----w- c:\program files\DVDFab 8 Qt
2011-11-09 03:03 . 2011-11-09 03:15 -------- d-----w- C:\masm32
2011-11-08 21:02 . 2011-09-20 21:02 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-08 21:02 . 2011-09-20 13:44 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2011-11-08 21:02 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-07 23:59 . 2011-11-08 00:08 -------- d-----w- c:\users\Antec04\.shsh
2011-11-06 18:40 . 2011-11-06 18:40 -------- d-----w- c:\program files\Brighter Minds Media
2011-11-06 04:37 . 2011-11-06 04:37 -------- d-----w- c:\users\Antec04\.gem
2011-11-06 03:55 . 2011-11-06 04:07 -------- d-----w- C:\exploits
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-03 20:40 . 2011-06-19 05:33 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-24 02:35 . 2011-11-24 02:35 4096 ----a-w- c:\windows\system32\drivers\en-US\dxgkrnl.sys.mui
2011-11-20 08:20 . 2011-02-07 04:57 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-11-20 08:20 . 2011-02-07 04:57 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2011-10-24 21:29 . 2011-10-24 21:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 21:29 . 2011-10-24 21:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-14 21:39 . 2011-10-14 21:39 21806 ----a-w- C:\FixitRegBackup.reg
2011-10-07 13:23 . 2011-10-07 13:23 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-07 03:48 . 2011-10-21 18:35 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4F5AFB3F-9817-476D-9805-ED04C645ED8A}\mpengine.dll
2011-10-05 00:22 . 2011-10-14 20:25 703824 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{66382F0A-3DCB-4D40-8286-0FD7D34FE5BC}\gapaengine.dll
2011-10-04 13:21 . 2011-10-04 13:21 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-10-03 13:06 . 2010-04-28 21:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-21 16:00 . 2011-10-14 20:22 7269712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A9503B8A-4451-4FC1-8ACF-16E9A12644FD}\mpengine.dll
2011-09-13 13:30 . 2011-09-13 13:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:30 . 2011-10-11 18:52 2043392 ----a-w- c:\windows\system32\win32k.sys
2010-06-14 02:10 . 2010-07-22 20:13 2734688 ----a-w- c:\program files\tbLOCK.dll
2011-04-29 12:37 . 2011-03-23 06:41 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AAE80CE-5D5E-4AD2-B722-E9E0A506CE52}]
2011-01-19 04:26 36352 ----a-w- c:\users\Antec04\AppData\Roaming\CashGopher\CashGopherBHO.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44658024-1a78-446b-90c0-ce912bf6f44b}]
2010-06-14 02:10 2734688 ----a-w- c:\program files\LOCKERZ_Restock\tbLOC0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2011-05-09 09:49 176936 ----a-w- c:\program files\Zynga\prxtbZyn0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2011-11-10 04:30 1451336 ----a-w- c:\program files\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-08-24 04:20 1515688 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d5370e46-2925-446c-86bc-eb13323a6b8e}]
2010-09-12 22:02 3863136 ----a-w- c:\program files\ALERTMEBrowse\tbALER.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{44658024-1a78-446b-90c0-ce912bf6f44b}"= "c:\program files\LOCKERZ_Restock\tbLOC0.dll" [2010-06-14 2734688]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\prxtbZyn0.dll" [2011-05-09 176936]
"{d5370e46-2925-446c-86bc-eb13323a6b8e}"= "c:\program files\ALERTMEBrowse\tbALER.dll" [2010-09-12 3863136]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll" [2011-11-10 1451336]
.
[HKEY_CLASSES_ROOT\clsid\{44658024-1a78-446b-90c0-ce912bf6f44b}]
.
[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
.
[HKEY_CLASSES_ROOT\clsid\{d5370e46-2925-446c-86bc-eb13323a6b8e}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{44658024-1A78-446B-90C0-CE912BF6F44B}"= "c:\program files\LOCKERZ_Restock\tbLOC0.dll" [2010-06-14 2734688]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\prxtbZyn0.dll" [2011-05-09 176936]
"{D5370E46-2925-446C-86BC-EB13323A6B8E}"= "c:\program files\ALERTMEBrowse\tbALER.dll" [2010-09-12 3863136]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-08-24 1515688]
.
[HKEY_CLASSES_ROOT\clsid\{44658024-1a78-446b-90c0-ce912bf6f44b}]
.
[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
.
[HKEY_CLASSES_ROOT\clsid\{d5370e46-2925-446c-86bc-eb13323a6b8e}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Antec04\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Antec04\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Antec04\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2011-06-17 412432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-12-27 4702208]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-25 2415456]
"Skytel"="Skytel.exe" [2007-12-27 1826816]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-07-17 2554696]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-06-23 1386776]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2011-10-23 218440]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2011-10-05 3578272]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-10 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
c:\users\Antec04\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Antec04\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Antec04\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer6"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Air Mouse.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Air Mouse.lnk
backup=c:\windows\pss\Air Mouse.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Antec04^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
path=c:\users\Antec04\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdaNet Desktop.lnk
backup=c:\windows\pss\PdaNet Desktop.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Antec04^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ScrollWall.lnk]
path=c:\users\Antec04\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScrollWall.lnk
backup=c:\windows\pss\ScrollWall.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
2010-12-14 01:01 3826616 ----a-w- c:\program files\Babylon\Babylon-Pro\Babylon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CashGopher]
2011-09-22 17:04 69632 ----a-w- c:\users\Antec04\AppData\Roaming\CashGopher\CashGopher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Control center.exe]
2010-10-25 07:05 4450816 ----a-w- c:\program files\iZ3D Driver\Control center.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DayMate]
2011-10-16 06:10 7848272 ----a-w- c:\program files\DayMate\daymate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
2010-04-16 18:25 818288 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-06-26 21:01 136176 ----atw- c:\users\Antec04\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfraDrive Digital Diary]
2009-09-04 00:39 1401192 ----a-w- c:\program files\InfraDrive\Digital Diary\DigitalDiary.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfraDrive Digital Diary Reminder]
2009-09-03 07:11 962392 ----a-w- c:\program files\InfraDrive\Digital Diary\Reminder.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keysound]
2010-09-12 16:16 709120 ----a-w- c:\program files\Sounding Keyboard and Mouse\keysound.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-02-08 08:12 488984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-02-08 08:13 774168 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2011-06-16 14:55 6276408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 05:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MusicManager]
2011-11-12 00:54 13222400 ----a-w- c:\users\Antec04\AppData\Local\Programs\Google\MusicManager\MusicManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPowerSpeed]
1601-01-01 00:00 0 ----a-w- c:\program files\PCPowerSpeed\PCPowerTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RebateInformer]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RockMelt Update]
2011-03-07 06:29 136336 ----atw- c:\users\Antec04\AppData\Local\RockMelt\Update\RockMeltUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2011-06-17 13:30 412432 ----a-w- c:\program files\Sandboxie\SbieCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteRanker]
1601-01-01 00:00 0 ----a-w- c:\program files\SiteRanker\SiteRankTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-05-27 04:50 15147400 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer]
2011-03-23 06:11 2859077 ----a-w- c:\program files\Software Informer\softinfo.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2010-08-23 21:48 5636136 ----a-w- c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WordWeb]
2009-11-09 06:18 65216 ------w- c:\program files\WordWeb\wweb32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2566366829-1090183706-3800839904-1000]
"EnableNotificationsRef"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-02 136176]
R2 tmrkb;tmrkb;c:\windows\system32\DRIVERS\tmrkb.sys [2011-12-03 65808]
R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R3 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-01-19 21504]
R3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
R3 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-05-26 154424]
R3 cpuz134;cpuz134;c:\program files\CPUID\PC Wizard 2010\pcwiz_x32.sys [2010-07-09 20328]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-11-02 136176]
R3 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2011-05-26 1336712]
R3 iDispService;iDispService;c:\windows\system32\DRIVERS\idisplayminiport.sys [2011-01-18 14032]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2011-07-24 42592]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 mr97310c;CIF Dual-Mode Camera;c:\windows\system32\DRIVERS\mr97310c.sys [2008-03-27 116992]
R3 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [2011-01-07 63304]
R3 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-07-06 173352]
R3 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-06-01 2337144]
R3 tvnserver;TightVNC Server;c:\program files\TightVNC\tvnserver.exe [2011-05-26 826896]
R3 usedisk;USEDisk Driver;c:\windows\system32\DRIVERS\usedisk.sys [2010-05-13 17408]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2009-01-30 15656]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]
R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-08-11 691696]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
S0 Soluto;Soluto;c:\windows\system32\DRIVERS\Soluto.sys [2011-07-07 51144]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-10-07 230608]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2011-07-17 238960]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2011-07-17 36568]
S1 Ext2fs;Ext2fs;c:\windows\system32\DRIVERS\ext2fs.sys [2008-09-26 189888]
S1 IfsMount;IfsMount;c:\windows\system32\DRIVERS\ifsmount.sys [2008-08-29 60352]
S1 iZ3DInjectionDriver;Driver inject our D3D and OGL wrappers;c:\program files\iZ3D Driver\Win32\S3DInjectionDriver.sys [2010-10-07 34968]
S1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\Spybot - Search & Destroy 2\SDHookDrv32.sys [2011-10-05 38504]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2011-05-17 162544]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2011-05-17 44720]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2010-11-09 21992]
S2 Mobiola Wave Service;Mobiola Wave Service;c:\program files\Common Files\SHAPE Services\Mobiola Wave Service\MobiolaWaveService.exe [2011-02-11 125088]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S2 S3DSvc32;S3D Service (Win32);c:\program files\iZ3D Driver\Win32\S3DCService.exe [2010-10-25 360960]
S2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\Spybot - Search & Destroy 2\SDHookSvc.exe [2011-10-05 130976]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2011-10-05 892336]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2011-10-05 955816]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2011-10-05 169624]
S2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [2011-07-07 376352]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-07-15 4408616]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2010-08-01 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-08-01 539184]
S2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [2011-09-24 246600]
S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2009-07-15 112936]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134736]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-10-04 16720]
S3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\DRIVERS\vrtaucbl.sys [2008-06-11 40576]
S3 MOBIOLA_Wave;Mobiola Wave Audio Device (WDM);c:\windows\system32\drivers\mobiolawave.sys [2010-05-14 25024]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2006-09-28 9472]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2011-05-17 111280]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2011-05-17 122224]
S3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\DRIVERS\WacomVTHid.sys [2009-05-20 13224]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
Akamai REG_MULTI_SZ Akamai
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-12 00:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 17:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-05 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2011-10-31 22:46]
.
2011-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 16:11]
.
2011-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 16:11]
.
2011-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2566366829-1090183706-3800839904-1000Core.job
- c:\users\Antec04\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-26 21:01]
.
2011-12-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2566366829-1090183706-3800839904-1000UA.job
- c:\users\Antec04\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-26 21:01]
.
2011-12-04 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2011-10-31 22:46]
.
2011-12-05 c:\windows\Tasks\RockMeltUpdateTaskUserS-1-5-21-2566366829-1090183706-3800839904-1000Core.job
- c:\users\Antec04\AppData\Local\RockMelt\Update\RockMeltUpdate.exe [2011-03-07 06:29]
.
2011-12-05 c:\windows\Tasks\RockMeltUpdateTaskUserS-1-5-21-2566366829-1090183706-3800839904-1000UA.job
- c:\users\Antec04\AppData\Local\RockMelt\Update\RockMeltUpdate.exe [2011-03-07 06:29]
.
2011-12-04 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2011-10-31 22:46]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download all by FlashGet3 - c:\users\Antec04\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
IE: Download by FlashGet3 - c:\users\Antec04\AppData\Roaming\FlashGetBHO\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
TCP: Interfaces\{73312F79-6A9D-4496-BFC8-E0DD5D25E4BB}: NameServer = 156.154.70.22,156.154.71.22
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
FF - ProfilePath - c:\users\Antec04\AppData\Roaming\Mozilla\Firefox\Profiles\fkizaixy.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.inbox.com/homepage.aspx?tbid=80544&lng=en
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=MYC-ST&o=102868&locale=en_US&apn_uid=ecd4f624-fa3a-4663-aa6f-a68c32fd608f&apn_ptnrs=5I&apn_sauid=047BEF37-51FB-4ABA-93A9-E52498D8A353&apn_dtid=YYYYYYYYUS&&q=
FF - user.js: general.useragent.extra.brc - BRI/1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5} - (no file)
BHO-{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF} - (no file)
BHO-{CCB69577-088B-4004-9ED8-FF5BCC83A039} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-fsm - (no file)
Notify-SDWinLogon - SDWinLogon.dll
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-Bing Bar - c:\program files\MSN Toolbar\Platform\6.3.2348.0\mswinext.exe
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
AddRemove-eSupport UndeletePlus_is1 - f:\esupport undeleteplus\unins000.exe
AddRemove-MadTracker 2 - c:\windows\MTUn4905.exe
AddRemove-NTFS Undelete_is1 - f:\ntfs undelete\unins000.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\progra~2\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-05 00:38
Windows 6.0.6002 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MsDepSvc]
"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{517BDDE4-E3A7-4570-B21E-2B52B6139FC7}"=hex:51,66,7a,6c,4c,1d,38,12,8a,de,68,
55,95,ad,1e,00,cd,08,68,12,b3,4d,db,d3
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"=hex:51,66,7a,6c,4c,1d,38,12,57,36,90,
43,f7,9e,4b,04,e0,be,4b,59,e7,b4,e8,87
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
"{074C1DC5-9320-4A9A-947D-C042949C6216}"=hex:51,66,7a,6c,4c,1d,38,12,ab,1e,5f,
03,12,dd,f4,0f,eb,6b,83,02,91,c2,26,02
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{2AAE80CE-5D5E-4AD2-B722-E9E0A506CE52}"=hex:51,66,7a,6c,4c,1d,38,12,a0,83,bd,
2e,6c,13,bc,0f,c8,34,aa,a0,a0,58,8a,46
"{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}"=hex:51,66,7a,6c,4c,1d,38,12,7c,f0,b1,
38,5c,21,3d,0e,d9,78,0d,25,e1,c9,8c,d4
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}"=hex:51,66,7a,6c,4c,1d,38,12,d8,cf,e9,
98,0d,61,19,04,eb,fc,4e,6b,77,8d,c0,d5
"{AE7CD045-E861-484F-8273-0445EE161910}"=hex:51,66,7a,6c,4c,1d,38,12,2b,d3,6f,
aa,53,a6,21,0d,fd,65,47,05,eb,48,5d,04
"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,
aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83
"{B070D3E3-FEC0-47D9-8E8A-99D4EEB3D3B0}"=hex:51,66,7a,6c,4c,1d,38,12,8d,d0,63,
b4,f2,b0,b7,02,f1,9c,da,94,eb,ed,97,a4
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{F4971EE7-DAA0-4053-9964-665D8EE6A077}"=hex:51,66,7a,6c,4c,1d,38,12,89,1d,84,
f0,92,94,3d,05,e6,72,25,1d,8b,b8,e4,63
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:46,25,6f,03,6d,b1,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,a2,d1,3e,7a,98,82,4c,b5,85,bd,\
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,a2,d1,3e,7a,98,82,4c,b5,85,bd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,a2,d1,3e,7a,98,82,4c,b5,85,bd,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\guard32.dll
.
Completion time: 2011-12-05 00:51:18
ComboFix-quarantined-files.txt 2011-12-05 08:51
.
Pre-Run: 6,406,524,928 bytes free
Post-Run: 5,978,435,584 bytes free
.
- - End Of File - - A4FF9E793B64F07E0AFB5C1D79D820EE
"I've done so much with so little for so long, they now expect me to do the impossible with nothing." - Source unknown to me

#14 Elise

Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania

Posted 05 December 2011 - 06:07 AM

Hi, do you have any problem left at this point?

P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


TWO ANTIVIRUS PROGRAMS
---------------------------------------
I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to give "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or MS Security Essentials.


Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7u1.
  • Look for "JDK 7u1 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#15 FRiNKEL

FRiNKEL
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male

Posted 06 December 2011 - 10:48 AM

First, I apologize for my delay in posting this.
I do not see any problems at this time, but this virus seems to be the type that hides and then suddenly, one day, secretly slips into your memory and deletes important files while you're not looking. Of course, I could always try seeing if running RootkitBuster will get my MBR wiped again, but I'm not the type that prefers to put the MBR at risk.

Next, per your request, I uninstalled uTorrent. I didn't really like P2P applications anyway.
As for the two anti-virus programs, I thought I had uninstalled MS Security Essentials already, but apparently it kept pieces of itself on the computer. Since it didn't list itself on the Programs and Features page, I used one of Microsoft's Fix It tools to remove it.
I have successfully updated my Java Runtime Environment version to 7u1.
Finally, I ran a Malwarebytes Anti-Malware scan, following your directions. (For some reason it didn't delete Cain.exe [I had it highlighted but didn't know that that deselected it from the items to quarantine], so I just removed Cain.exe through FileASSASSIN afterwards.)

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8320

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

12/6/2011 12:02:33 AM
mbam-log-2011-12-06 (00-02-33).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 772082
Time elapsed: 7 hour(s), 1 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\CainAbel\Abel.exe (HackTool.Cain) -> Quarantined and deleted successfully.
c:\program files\CainAbel\Abel64.exe (HackTool.Cain) -> Quarantined and deleted successfully.
c:\program files\CainAbel\Cain.exe (PUP.Passwordtool.Cain) -> Not selected for removal.
c:\exploits\framework\msf3\data\templates\template_x86_windows.exe (Trojan.Swrort) -> Quarantined and deleted successfully.
c:\exploits\framework\msf3\data\templates\.svn\text-base\template_x86_windows.exe.svn-base (Trojan.Swrort) -> Quarantined and deleted successfully.
c:\exploits\framework\msf3\external\source\dllhijackauditkit\.svn\text-base\runcalc.exe.svn-base (Trojan.Swrort) -> Quarantined and deleted successfully.
c:\exploits\framework\msf3\external\source\dllhijackauditkit\.svn\text-base\runtest.exe.svn-base (Trojan.Swrort) -> Quarantined and deleted successfully.
c:\Users\Antec04\downloads\pv2_quickinstall_0.1.exe (Adware.Onlinegames) -> Quarantined and deleted successfully.
c:\Users\Antec04\downloads\camcorderkit20.exe (Adware.Onlinegames) -> Quarantined and deleted successfully.
"I've done so much with so little for so long, they now expect me to do the impossible with nothing." - Source unknown to me
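A small parser for the MBAM log format posted above, added here as an example; it is not code from the thread or from Malwarebytes. It reads the summary counts and the per-section detection lines, then flags anything left "Not selected for removal" (the Cain.exe case described in the post) and any summary count that disagrees with the entries actually listed, which catches a truncated paste. The log excerpt is copied from the post; the function and regex names are my own.

```python
import re

# Excerpt of the MBAM log from the post above (summary lines plus the
# "Files Infected:" section), used as sample input for the parser.
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8320

Registry Keys Infected: 0
Files Infected: 9

Files Infected:
c:\program files\CainAbel\Abel.exe (HackTool.Cain) -> Quarantined and deleted successfully.
c:\program files\CainAbel\Abel64.exe (HackTool.Cain) -> Quarantined and deleted successfully.
c:\program files\CainAbel\Cain.exe (PUP.Passwordtool.Cain) -> Not selected for removal.
c:\exploits\framework\msf3\data\templates\template_x86_windows.exe (Trojan.Swrort) -> Quarantined and deleted successfully.
c:\exploits\framework\msf3\data\templates\.svn\text-base\template_x86_windows.exe.svn-base (Trojan.Swrort) -> Quarantined and deleted successfully.
c:\exploits\framework\msf3\external\source\dllhijackauditkit\.svn\text-base\runcalc.exe.svn-base (Trojan.Swrort) -> Quarantined and deleted successfully.
c:\exploits\framework\msf3\external\source\dllhijackauditkit\.svn\text-base\runtest.exe.svn-base (Trojan.Swrort) -> Quarantined and deleted successfully.
c:\Users\Antec04\downloads\pv2_quickinstall_0.1.exe (Adware.Onlinegames) -> Quarantined and deleted successfully.
c:\Users\Antec04\downloads\camcorderkit20.exe (Adware.Onlinegames) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<cat>.+ Infected): (?P<n>\d+)$")   # "Files Infected: 9"
SECTION_RE = re.compile(r"^(?P<cat>.+ Infected):$")              # "Files Infected:"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Split an MBAM log into summary counts and per-section detection records."""
    summary, items, section = {}, {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if m := SUMMARY_RE.match(line):
            summary[m.group("cat")] = int(m.group("n"))
        elif m := SECTION_RE.match(line):
            section = m.group("cat")
            items.setdefault(section, [])
        elif section and (m := ITEM_RE.match(line)):   # "(No malicious items detected)" is skipped
            items[section].append(m.groupdict())
    return summary, items


def unresolved_detections(text):
    """Detections MBAM did not quarantine, and summary counts that disagree with the listed items."""
    summary, items = parse_mbam_log(text)
    leftovers = [rec for recs in items.values() for rec in recs
                 if not rec["action"].startswith("Quarantined and deleted")]
    mismatches = {cat: (n, len(items.get(cat, [])))
                  for cat, n in summary.items() if n != len(items.get(cat, []))}
    return leftovers, mismatches
```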