failure to boot (Vista Home Premium 64bit) failed to start because consrv was not found


This topic is locked
26 replies to this topic

#1 Fenen
Posted 23 December 2011 - 01:40 AM

After an endless reboot cycle, I was able to disable the auto restart and was presented with a blue screen with the error: failed to start because consrv was not found.

I did some digging and found some related problems and went ahead and did the first step. Here are the results of the FRST64 scan.

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.0
Ran by SYSTEM at 2011-12-23 00:11:27
Running from E:\
Windows Vista ™ Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM-x32\...\Run: [ZPdtWzdVitaKey AC5031] "C:\Program Files (x86)\VitaKey\AC5031\PdtWzd.exe" show [2894848 2010-02-26] (Arachnoid Biometrics Identification Group Corp.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [61440 2008-08-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [BDRegion] "C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe" [75048 2009-09-04] (cyberlink)
HKLM-x32\...\Run: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe" [87336 2009-04-16] (Cyberlink Corp.)
HKLM-x32\...\Run: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe" [62760 2009-04-16] ()
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-09-07] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [x]
HKU\Vav\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Vav\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-11-02] (Google Inc.)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Lsa: [Notification Packages] scecli
C:\Program Files (x86)\VitaKey\AC5031\PwdFilter
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 Ati External Event Utility; C:\Windows\System32\Ati2evxx.exe [943616 2008-12-09] (ATI Technologies Inc.)
2 btwdins; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [796712 2008-05-14] (Broadcom Corporation.)
3 McComponentHostService; "C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)

========================== Drivers (Whitelisted) =============

4 ahcix64; C:\Windows\System32\drivers\ahcix64.sys [146944 2008-07-29] (ATI Technologies Inc.)
0 AlfaFF; C:\Windows\System32\Drivers\AlfaFF.sys [53744 2010-02-26] (Alfa Corporation)
3 AtiHDAudioService; C:\Windows\System32\drivers\AtihdLH6.sys [113680 2010-07-15] (ATI Technologies, Inc.)
3 ATSWPDRV; C:\Windows\System32\DRIVERS\ATSwpDrv.sys [216192 2008-04-25] (AuthenTec, Inc.)
0 JGOGO; C:\Windows\System32\drivers\jgogo.sys [8704 2006-02-07] (JMicron )
0 JRAID; C:\Windows\System32\drivers\jraid.sys [92760 2008-07-03] (JMicron Technology Corp.)
4 mv61xx; C:\Windows\System32\drivers\mv61xx.sys [163736 2007-06-15] (Marvell Semiconductor, Inc.)
4 nvrd64; C:\Windows\System32\drivers\nvrd64.sys [165408 2008-01-25] (NVIDIA Corporation)
4 nvstor64; C:\Windows\System32\drivers\nvstor64.sys [163872 2008-01-25] (NVIDIA Corporation)
3 StillCam; C:\Windows\System32\DRIVERS\serscan.sys [12288 2008-01-20] (Microsoft Corporation)
2 {95808DC4-FA4A-4C74-92FE-5B863F82066B}; \??\C:\Program Files (x86)\CyberLink\PowerDVD\000.fcl [146928 2009-09-04] (CyberLink Corp.)
3 IntcAzAudAddService; C:\Windows\System32\drivers\RTKVHD64.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 msiserver; C:\Windows\System32\msiexec /V [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
1 ziuithil; \??\C:\Windows\system32\drivers\ziuithil.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2011-12-23 00:11 - 2011-12-23 00:11 - 0000000 ____D C:\FRST
2011-12-22 13:22 - 2011-12-22 13:22 - 0000000 _RASH C:\$lsdrive$
2011-12-22 13:22 - 2011-12-22 13:22 - 0000000 _RASH C:\$installdrive$
2011-12-22 13:22 - 2011-12-22 13:22 - 0000000 _RASH C:\$bootdrive$
2011-12-22 13:22 - 2011-12-22 13:22 - 0000000 ____D C:\$WINDOWS.~LS
2011-12-22 13:22 - 2011-12-22 13:22 - 0000000 ____D C:\$WINDOWS.~BT
2011-12-17 22:50 - 2011-12-22 21:18 - 2570234 ____A C:\Windows\ntbtlog.txt
2011-12-17 22:38 - 2011-12-17 22:40 - 0000000 ____D C:\Windows\System32\MpEngineStore
2011-12-17 11:03 - 2011-12-17 21:43 - 0011232 __ASH C:\Users\Vav\AppData\Local\p67dc07cqqn0s36ykl4dvsgm63100jnpw
2011-12-17 11:03 - 2011-12-17 21:43 - 0011232 __ASH C:\Users\All Users\p67dc07cqqn0s36ykl4dvsgm63100jnpw
2011-12-17 11:03 - 2011-12-17 21:43 - 0011232 __ASH C:\ProgramData\p67dc07cqqn0s36ykl4dvsgm63100jnpw
2011-12-17 11:03 - 2011-12-17 11:03 - 2420224 ____A C:\Users\Vav\AppData\Local\frw.exe
2011-12-17 10:50 - 2011-12-17 11:03 - 0011372 __ASH C:\Users\Vav\AppData\Local\c7wj12w3jk7mnk
2011-12-17 10:50 - 2011-12-17 11:03 - 0011372 __ASH C:\Users\All Users\c7wj12w3jk7mnk
2011-12-17 10:50 - 2011-12-17 11:03 - 0011372 __ASH C:\ProgramData\c7wj12w3jk7mnk
2011-12-17 10:50 - 2011-12-17 10:50 - 0000000 ____D C:\Windows\system64
2011-12-13 15:48 - 2011-11-03 18:38 - 17786368 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2011-12-13 15:48 - 2011-11-03 17:59 - 10886656 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2011-12-13 15:48 - 2011-11-03 17:53 - 2309120 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2011-12-13 15:48 - 2011-11-03 17:46 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2011-12-13 15:48 - 2011-11-03 17:44 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2011-12-13 15:48 - 2011-11-03 17:44 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2011-12-13 15:48 - 2011-11-03 17:43 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2011-12-13 15:48 - 2011-11-03 17:41 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2011-12-13 15:48 - 2011-11-03 17:39 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2011-12-13 15:48 - 2011-11-03 17:36 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2011-12-13 15:48 - 2011-11-03 17:35 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2011-12-13 15:48 - 2011-11-03 17:34 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2011-12-13 15:48 - 2011-11-03 17:30 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2011-12-13 15:48 - 2011-11-03 15:02 - 12279808 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2011-12-13 15:48 - 2011-11-03 14:47 - 1798144 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2011-12-13 15:48 - 2011-11-03 14:46 - 9705472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2011-12-13 15:48 - 2011-11-03 14:40 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2011-12-13 15:48 - 2011-11-03 14:40 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2011-12-13 15:48 - 2011-11-03 14:39 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2011-12-13 15:48 - 2011-11-03 14:38 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2011-12-13 15:48 - 2011-11-03 14:37 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2011-12-13 15:48 - 2011-11-03 14:34 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2011-12-13 15:48 - 2011-11-03 14:32 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2011-12-13 15:48 - 2011-11-03 14:32 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2011-12-13 15:48 - 2011-11-03 14:31 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2011-12-13 15:48 - 2011-11-03 14:28 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2011-12-13 15:47 - 2011-11-23 05:57 - 2764800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2011-12-13 15:47 - 2011-11-08 06:58 - 0002048 ____A (Microsoft Corporation) C:\Windows\System32\tzres.dll
2011-12-13 15:47 - 2011-11-08 06:42 - 0002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2011-12-13 15:47 - 2011-10-25 08:09 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\csrsrv.dll
2011-12-13 15:47 - 2011-10-14 09:30 - 0559616 ____A (Microsoft Corporation) C:\Windows\System32\EncDec.dll
2011-12-13 15:47 - 2011-10-14 08:02 - 0429056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\EncDec.dll
2011-12-10 20:31 - 2011-12-10 20:31 - 0088040 ____A C:\Users\Vav\Downloads\photo (1).JPG
2011-12-10 20:29 - 2011-12-10 20:30 - 0088040 ____A C:\Users\Vav\Downloads\photo.JPG
2011-12-09 18:55 - 2011-12-09 18:59 - 0402425 ____A C:\Users\Vav\Downloads\IMG00410-20111129-1648.jpg
2011-12-08 17:00 - 2011-12-09 22:23 - 0001773 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2011-12-08 17:00 - 2011-12-09 22:23 - 0001771 ____A C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
2011-12-08 17:00 - 2011-12-09 22:23 - 0000000 ____D C:\Program Files (x86)\McAfee Security Scan
2011-12-08 17:00 - 2011-12-08 17:00 - 0000000 ____D C:\Users\All Users\McAfee Security Scan
2011-12-08 17:00 - 2011-12-08 17:00 - 0000000 ____D C:\Users\All Users\McAfee
2011-12-08 17:00 - 2011-12-08 17:00 - 0000000 ____D C:\ProgramData\McAfee Security Scan
2011-12-08 17:00 - 2011-12-08 17:00 - 0000000 ____D C:\ProgramData\McAfee
2011-12-01 15:50 - 2011-12-01 15:51 - 3552208 ____A (Piriform Ltd) C:\Users\Vav\Downloads\ccsetup313.exe
2011-11-25 08:23 - 2011-12-17 22:40 - 0489587 ____A C:\Windows\WindowsUpdate.log

2011-10-06 19:13 - 2011-10-06 19:13 - 0566272 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0486400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0479744 ____A (Microsoft Corporation) C:\Windows\System32\XpsGdiConverter.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0478720 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxgi.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0428544 ____A (Microsoft Corporation) C:\Windows\System32\MFHEAACdec.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0377344 ____A (Microsoft Corporation) C:\Windows\System32\mfmp4src.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0366592 ____A (Microsoft Corporation) C:\Windows\System32\winspool.drv
2011-10-06 19:13 - 2011-10-06 19:13 - 0357376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MFHEAACdec.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0345088 ____A (Microsoft Corporation) C:\Windows\System32\mfreadwrite.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0327680 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0302592 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfmp4src.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0288768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsGdiConverter.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0287232 ____A (Microsoft Corporation) C:\Windows\System32\d3d10core.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0278528 ____A (Microsoft Corporation) C:\Windows\System32\mfplat.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0261632 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfreadwrite.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0258048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\winspool.drv
2011-10-06 19:13 - 2011-10-06 19:13 - 0231936 ____A (Microsoft Corporation) C:\Windows\System32\XpsRasterService.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0219648 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1core.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0209920 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfplat.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0196096 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0195072 ____A (Microsoft Corporation) C:\Windows\System32\mfps.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0189952 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10core.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0160768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10_1.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0135680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XpsRasterService.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0098816 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfps.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0047104 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0035840 ____A (Microsoft Corporation) C:\Windows\System32\printfilterpipelineprxy.dll
2011-10-06 19:13 - 2011-10-06 19:13 - 0034304 ____A (Microsoft Corporation) C:\Windows\System32\mfpmp.exe
2011-10-06 19:12 - 2011-10-06 19:12 - 1209856 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2011-10-06 19:12 - 2011-10-06 19:12 - 0974848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2011-10-06 19:12 - 2011-10-06 19:12 - 0792576 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2011-10-06 19:12 - 2011-10-06 19:12 - 0519680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2011-10-06 19:12 - 2011-10-06 19:12 - 0449024 ____A (Microsoft Corporation) C:\Windows\System32\WMPhoto.dll
2011-10-06 19:12 - 2011-10-06 19:12 - 0411648 ____A (Microsoft Corporation) C:\Windows\System32\PhotoMetadataHandler.dll
2011-10-06 19:12 - 2011-10-06 19:12 - 0369664 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2011-10-06 19:12 - 2011-10-06 19:12 - 0328192 ____A (Microsoft Corporation) C:\Windows\System32\dxdiag.exe
2011-10-06 19:12 - 2011-10-06 19:12 - 0321024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\PhotoMetadataHandler.dll
2011-10-06 19:12 - 2011-10-06 19:12 - 0262656 ____A (Microsoft Corporation) C:\Windows\System32\dxdiagn.dll
2011-10-06 19:12 - 2011-10-06 19:12 - 0252928 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxdiag.exe
2011-10-06 19:12 - 2011-10-06 19:12 - 0245248 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecsExt.dll
2011-10-06 19:12 - 2011-10-06 19:12 - 0195584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxdiagn.dll
2011-10-06 19:12 - 2011-10-06 19:12 - 0189440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecsExt.dll
2011-10-04 07:49 - 2011-10-04 07:49 - 0000000 ____D C:\Windows\SysWOW64\vi-VN
2011-10-04 07:49 - 2011-10-04 07:49 - 0000000 ____D C:\Windows\SysWOW64\eu-ES
2011-10-04 07:49 - 2011-10-04 07:49 - 0000000 ____D C:\Windows\SysWOW64\ca-ES
2011-10-04 07:49 - 2011-10-04 07:49 - 0000000 ____D C:\Windows\System32\vi-VN
2011-10-04 07:49 - 2011-10-04 07:49 - 0000000 ____D C:\Windows\System32\eu-ES
2011-10-04 07:49 - 2011-10-04 07:49 - 0000000 ____D C:\Windows\System32\ca-ES
2011-10-04 07:49 - 2006-11-02 07:07 - 0000000 ____D C:\Windows\SysWOW64\XPSViewer
2011-10-04 07:49 - 2006-11-02 07:07 - 0000000 ____D C:\Program Files\Windows Sidebar
2011-10-04 07:49 - 2006-11-02 07:07 - 0000000 ____D C:\Program Files\Windows Photo Gallery
2011-10-04 07:49 - 2006-11-02 07:07 - 0000000 ____D C:\Program Files\Windows Journal
2011-10-04 07:49 - 2006-11-02 07:07 - 0000000 ____D C:\Program Files\Windows Defender
2011-10-04 07:49 - 2006-11-02 07:07 - 0000000 ____D C:\Program Files\Windows Collaboration
2011-10-04 07:49 - 2006-11-02 07:07 - 0000000 ____D C:\Program Files\Movie Maker
2011-10-04 07:49 - 2006-11-02 07:07 - 0000000 ____D C:\Program Files (x86)\Windows Sidebar
2011-10-04 07:49 - 2006-11-02 07:07 - 0000000 ____D C:\Program Files (x86)\Windows Photo Gallery
2011-10-04 07:49 - 2006-11-02 07:07 - 0000000 ____D C:\Program Files (x86)\Windows Calendar
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\zh-TW
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\zh-CN
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\uk-UA
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\tr-TR
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\th-TH
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\sv-SE
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\sr-Latn-CS
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\SLUI
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\sl-SI
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\sk-SK
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\setup
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\ru-RU
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\ro-RO
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\pt-PT
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\pt-BR
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\pl-PL
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\oobe
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\nl-NL
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\nb-NO
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\migwiz
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\manifeststore
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\lv-LV
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\lt-LT
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\ko-KR
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\ja-JP
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\it-IT
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\hu-HU
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\hr-HR
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\he-IL
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\fr-FR
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\fi-FI
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\et-EE
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\es-ES
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\el-GR
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\de-DE
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\da-DK
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\cs-CZ
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\bg-BG
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\ar-SA
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\zh-TW
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\zh-CN
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\uk-UA
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\tr-TR
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\th-TH
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\sv-SE
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\sr-Latn-CS
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\SLUI
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\sl-SI
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\sk-SK
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\setup
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\ru-RU
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\ro-RO
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\pt-PT
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\pt-BR
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\pl-PL
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\oobe
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\nl-NL
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\nb-NO
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\migwiz
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\manifeststore
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\lv-LV
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\lt-LT
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\ko-KR
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\ja-JP
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\it-IT
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\hu-HU
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\hr-HR
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\he-IL
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\fr-FR
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\fi-FI
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\et-EE
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\es-ES
2011-10-04 07:49 - 2006-11-02 05:34 - 0000000 ____D C:\Windows\System32\el-GR
2011-10-04 07:49 - 2006-11-02 05:33 - 0000000 ____D C:\Windows\System32\de-DE
2011-10-04 07:49 - 2006-11-02 05:33 - 0000000 ____D C:\Windows\System32\da-DK
2011-10-04 07:49 - 2006-11-02 05:33 - 0000000 ____D C:\Windows\System32\cs-CZ
2011-10-04 07:49 - 2006-11-02 05:33 - 0000000 ____D C:\Windows\System32\bg-BG
2011-10-04 07:49 - 2006-11-02 05:33 - 0000000 ____D C:\Windows\System32\ar-SA
2011-10-04 07:49 - 2006-11-02 05:33 - 0000000 ____D C:\Windows\System32\AdvancedInstallers
2011-10-04 07:49 - 2006-11-02 05:33 - 0000000 ____D C:\Windows\servicing
2011-10-04 07:49 - 2006-11-02 05:33 - 0000000 ____D C:\Windows\IME
2011-10-04 07:38 - 2011-10-04 07:38 - 0000000 ____D C:\Windows\System32\EventProviders
2011-10-04 07:22 - 2011-10-04 07:21 - 0445234 ____A C:\Windows\dd_vcredistMSI77E4.txt
2011-10-04 07:22 - 2011-10-04 07:21 - 0011574 ____A C:\Windows\dd_vcredistUI77E4.txt
2011-10-04 07:21 - 2006-11-02 05:33 - 0000000 ____D C:\Program Files\Common Files\Microsoft Shared
2011-10-03 02:06 - 2011-10-22 08:35 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2011-10-03 02:06 - 2011-10-22 08:35 - 0145184 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2011-10-03 02:06 - 2011-10-22 08:35 - 0145184 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2011-10-03 02:06 - 2010-05-14 16:30 - 0472808 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2011-09-27 14:37 - 2011-09-27 14:36 - 0001917 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2011-09-27 14:36 - 2010-04-26 21:53 - 0000000 ____D C:\Users\Vav\AppData\Local\Adobe
2011-09-27 14:36 - 2009-12-18 14:14 - 0000000 ____D C:\Users\All Users\Adobe
2011-09-27 14:36 - 2009-12-18 14:14 - 0000000 ____D C:\ProgramData\Adobe
2011-09-27 14:30 - 2010-02-04 21:19 - 0000000 ____D C:\Windows\Minidump

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 4090.89 MB
Available physical RAM: 3480.09 MB
Total Pagefile: 4089.04 MB
Available Pagefile: 3465.5 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:285.66 GB) (Free:162.22 GB) NTFS ==>[Drive with boot components]
2 Drive d: (GRMCPRXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF
3 Drive e: (Cruzer) (Removable) (Total:3.74 GB) (Free:3.74 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 3072 KB
Disk 1 Online 596 GB 596 GB
Disk 2 Online 3835 MB 0 B

Partitions of Disk 0:

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 285 GB 1024 KB
Partition 2 OEM 12 GB 285 GB

Disk: 0
Partition 1
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 285 GB Healthy

==========================================================

Last Boot: 2011-12-17 15:29

======================= End Of Log ==========================

#2 AustrAlien
    Inquisitor
  • Members
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 23 December 2011 - 03:45 AM

Please sit tight and be patient.

I have requested that an experienced helper who specialises in malware-related un-bootable computers respond to your topic.

Thank you.
AustrAlien
Google is my friend. Make Google your friend too.


#3 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,204 posts
  • Gender:Female
  • Location:Romania

Posted 23 December 2011 - 05:54 AM

Hello, your computer is infected with the ZeroAccess rootkit. In order to get it to boot again, do the following.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

SubSystems: [Windows] ==> ZeroAccess

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#4 Fenen
  • Topic Starter
  • Members
  • 15 posts
  • Location:Wisconsin

Posted 23 December 2011 - 06:03 AM

Fix result of Farbars's Recovery Tool (FRST written by farbar Version 2.3.0)
Ran by SYSTEM at 2011-12-23 05:00:23 R:1
Running from E:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.

==== End of Fixlog ====



Successfully booted into safe mode.
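The fix above restored a single registry value: the "Windows" entry under Session Manager\SubSystems, which tells csrss.exe which server DLLs to load at boot. ZeroAccess rewrites the console-server entry in that value so it names consrv instead of winsrv, and once the dropped consrv.dll is gone the system cannot start and reports "consrv was not found", which is exactly the symptom that opened this thread. The script below is an added example, not part of this thread and not FRST's own code: it parses that value and flags any ServerDll module outside the stock set. The two sample values are constructed to look like a clean Vista entry and the tampered form the fix reverts; the expected-module set and the function names are my own.

```python
"""Flag unexpected ServerDll entries in the Session Manager SubSystems "Windows" value.

Added example (not from the BleepingComputer thread or from FRST). The sample
values below are constructed; read_live_value() reads the real value on Windows.
"""
from __future__ import annotations

import re
import sys

# Where the value lives: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, name "Windows".
SUBSYSTEMS_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
SUBSYSTEMS_VALUE_NAME = "Windows"

# Server DLLs a stock Vista/7 csrss loads (assumption: allowlist chosen for this example).
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv"}

# Constructed clean value, laid out the way Vista stores it.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
)

# Constructed tampered value: the console server entry points at consrv instead of winsrv,
# the modification the FRST line "SubSystems: [Windows] ==> ZeroAccess" reverts.
TAMPERED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)

# ServerDll=<module>[:<entrypoint>],<index>
_SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::(\S+?))?,(\d+)")


def parse_server_dlls(value: str) -> list[tuple[str, str | None, int]]:
    """Return (module, entrypoint, index) for every ServerDll= token, in order of appearance."""
    return [
        (m.group(1).lower(), m.group(2), int(m.group(3)))
        for m in _SERVERDLL_RE.finditer(value)
    ]


def unexpected_server_dlls(value: str) -> list[str]:
    """Modules named by ServerDll= that are not in EXPECTED_SERVER_DLLS (deduplicated, ordered)."""
    found: list[str] = []
    for module, _entrypoint, _index in parse_server_dlls(value):
        if module not in EXPECTED_SERVER_DLLS and module not in found:
            found.append(module)
    return found


def assess(value: str) -> str:
    """Human-readable verdict for one value string."""
    bad = unexpected_server_dlls(value)
    if not bad:
        return "clean: only expected server DLLs referenced"
    return "suspicious: unexpected ServerDll module(s) " + ", ".join(bad)


def read_live_value() -> str:
    """Read the real value on Windows (winreg is Windows-only; never called offline)."""
    import winreg

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SUBSYSTEMS_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, SUBSYSTEMS_VALUE_NAME)
    return value


if __name__ == "__main__":
    # On Windows, inspect the live value; elsewhere, demonstrate on the constructed samples.
    if sys.platform == "win32":
        print(assess(read_live_value()))
    else:
        for label, sample in (("clean sample", CLEAN_VALUE), ("tampered sample", TAMPERED_VALUE)):
            print(f"{label}: {assess(sample)}")
```

Run on a suspect machine from an elevated prompt, or point it at an offline hive exported with FRST or reg.exe. A module outside the allowlist is not proof of infection on its own (vendors have shipped legitimate additions), but an entry named consrv on a Vista or 7 system matches the tampering this thread describes and should be checked against a known-good copy of the value before the machine is trusted again.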

#5 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,204 posts
  • Gender:Female
  • Location:Romania

Posted 23 December 2011 - 06:35 AM

Okay, now let's see what else needs to be done. :)

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise




#6 Fenen
  • Topic Starter
  • Members
  • 15 posts
  • Location:Wisconsin

Posted 23 December 2011 - 06:44 AM

.
DDS (Ver_2011-06-23.01) - NTFSAMD64 MINIMAL
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Vav at 5:38:47 on 2011-12-23
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4090.3557 [GMT -6:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Users\Vav\AppData\Local\frw.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
mWinlogon: Userinit=userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [ZPdtWzdVitaKey AC5031] "C:\Program Files (x86)\VitaKey\AC5031\PdtWzd.exe" show
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [BDRegion] "C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe"
mRun: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"
mRun: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Vav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3486A895-D24D-4A2E-9E43-C9E8FA078548} : DhcpNameServer = 172.20.101.1
TCP: Interfaces\{C03BE276-F49C-4C9A-826C-FB142D9196BA} : DhcpNameServer = 192.168.2.1
Notify: AWinNotifyVitaKey AC5031 - C:\Program Files (x86)\VitaKey\AC5031\WinNotify.dll
LSA: Notification Packages = scecli C:\Program Files (x86)\VitaKey\AC5031\PwdFilter
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [ZPdtWzdVitaKey AC5031] "C:\Program Files (x86)\VitaKey\AC5031\PdtWzd.exe" show
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [BDRegion] "C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe"
mRun-x64: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe"
mRun-x64: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe"
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Vav\AppData\Roaming\Mozilla\Firefox\Profiles\nzlpfrk1.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AlfaFF;AlfaFF mini-filter driver;C:\Windows\system32\Drivers\AlfaFF.sys --> C:\Windows\system32\Drivers\AlfaFF.sys [?]
S2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-2 135664]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdLH6.sys --> C:\Windows\system32\drivers\AtihdLH6.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2011-10-4 89920]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-11-2 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 NETw5v64;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit ;C:\Windows\system32\DRIVERS\NETw5v64.sys --> C:\Windows\system32\DRIVERS\NETw5v64.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
S4 ahcix64;ahcix64;C:\Windows\system32\drivers\ahcix64.sys --> C:\Windows\system32\drivers\ahcix64.sys [?]
S4 mv61xx;mv61xx;C:\Windows\system32\drivers\mv61xx.sys --> C:\Windows\system32\drivers\mv61xx.sys [?]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.exe=yd
.
=============== Created Last 30 ================
.
2011-12-23 08:11:04 -------- d-----w- C:\FRST
2011-12-22 21:22:36 -------- d-----w- C:\$WINDOWS.~LS
2011-12-22 21:22:35 -------- d-----w- C:\$WINDOWS.~BT
2011-12-18 06:38:50 -------- d-----w- C:\Windows\System32\MpEngineStore
2011-12-17 19:03:19 2420224 ----a-w- C:\Users\Vav\AppData\Local\frw.exe
2011-12-17 18:50:24 -------- d-----we C:\Windows\system64
2011-12-17 08:27:59 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0F548F01-F4E4-4281-A2BD-06E720F2B5A3}\mpengine.dll
2011-12-13 23:47:32 2764800 ----a-w- C:\Windows\System32\win32k.sys
2011-12-13 23:47:30 85504 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-13 23:47:27 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-13 23:47:27 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-13 23:47:24 559616 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-13 23:47:24 429056 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-09 01:00:32 -------- d-----w- C:\ProgramData\McAfee Security Scan
2011-12-09 01:00:31 -------- d-----w- C:\Program Files (x86)\McAfee Security Scan
2011-12-04 02:09:00 644368 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.
==================== Find3M ====================
.
2011-12-17 18:50:29 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-04 01:53:39 2309120 ----a-w- C:\Windows\System32\jscript9.dll
2011-11-04 01:44:47 1390080 ----a-w- C:\Windows\System32\wininet.dll
2011-11-04 01:44:21 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-11-04 01:34:43 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-03 22:47:42 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-09 14:35:38 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2011-10-07 03:13:42 979456 ----a-w- C:\Windows\SysWow64\MFH264Dec.dll
2011-10-07 03:12:06 974848 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2011-10-03 10:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
.
============= FINISH: 5:39:47.09 ===============




#7 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,204 posts
  • Gender:Female
  • Location:Romania

Posted 23 December 2011 - 06:48 AM

Hello,
Unfortunately you have a nasty rootkit infection. Please read the following information first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 Fenen

  • Topic Starter

  • Members
  • 15 posts
  • Location:Wisconsin

Posted 23 December 2011 - 07:17 AM

It looks like it skipped the recovery console.




ComboFix 11-12-23.01 - Vav 12/23/2011 6:03.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4090.3003 [GMT -6:00]
Running from: c:\users\Vav\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\VitaKey\AC5031\PwdFilter.dll
c:\programdata\Roaming
c:\programdata\Roaming\Intel\Wireless\Settings\Settings.ini
c:\users\Vav\AppData\Local\._Revolution_
c:\users\Vav\AppData\Local\frw.exe
c:\users\Vav\GoToAssistDownloadHelper.exe
c:\windows\system32\java.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-23 to 2011-12-23 )))))))))))))))))))))))))))))))
.
.
2011-12-23 12:09 . 2011-12-23 12:12 -------- d-----w- c:\users\Vav\AppData\Local\temp
2011-12-23 12:09 . 2011-12-23 12:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-23 08:11 . 2011-12-23 08:12 -------- d-----w- C:\FRST
2011-12-22 21:22 . 2011-12-22 21:22 -------- d-----w- C:\$WINDOWS.~LS
2011-12-22 21:22 . 2011-12-22 21:22 -------- d-----w- C:\$WINDOWS.~BT
2011-12-18 06:38 . 2011-12-18 06:40 -------- d-----w- c:\windows\system32\MpEngineStore
2011-12-17 18:50 . 2011-12-17 18:50 -------- d-----we c:\windows\system64
2011-12-17 08:27 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0F548F01-F4E4-4281-A2BD-06E720F2B5A3}\mpengine.dll
2011-12-13 23:47 . 2011-11-23 13:57 2764800 ----a-w- c:\windows\system32\win32k.sys
2011-12-13 23:47 . 2011-10-25 16:09 85504 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-13 23:47 . 2011-11-08 14:58 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-13 23:47 . 2011-11-08 14:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-13 23:47 . 2011-10-14 17:30 559616 ----a-w- c:\windows\system32\EncDec.dll
2011-12-13 23:47 . 2011-10-14 16:02 429056 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-09 01:00 . 2011-12-09 01:00 -------- d-----w- c:\programdata\McAfee
2011-12-09 01:00 . 2011-12-09 01:00 -------- d-----w- c:\programdata\McAfee Security Scan
2011-12-09 01:00 . 2011-12-10 06:23 -------- d-----w- c:\program files (x86)\McAfee Security Scan
2011-12-04 02:09 . 2011-12-04 02:09 644368 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-17 18:50 . 2011-06-07 22:39 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-09 14:35 . 2011-10-09 14:35 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-07 03:14 . 2011-10-07 03:14 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-10-07 03:14 . 2011-10-07 03:14 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2011-10-07 03:14 . 2011-10-07 03:14 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-10-07 03:14 . 2011-10-07 03:14 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-10-07 03:14 . 2011-10-07 03:14 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2011-10-07 03:14 . 2011-10-07 03:14 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2011-10-07 03:14 . 2011-10-07 03:14 367104 ----a-w- c:\windows\SysWow64\html.iec
2011-10-07 03:14 . 2011-10-07 03:14 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2011-10-07 03:14 . 2011-10-07 03:14 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-10-07 03:14 . 2011-10-07 03:14 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2011-10-07 03:14 . 2011-10-07 03:14 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-10-07 03:14 . 2011-10-07 03:14 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2011-10-07 03:14 . 2011-10-07 03:14 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2011-10-07 03:14 . 2011-10-07 03:14 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2011-10-07 03:14 . 2011-10-07 03:14 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2011-10-07 03:14 . 2011-10-07 03:14 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2011-10-07 03:14 . 2011-10-07 03:14 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2011-10-07 03:14 . 2011-10-07 03:14 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-10-07 03:14 . 2011-10-07 03:14 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-10-07 03:14 . 2011-10-07 03:14 76800 ----a-w- c:\windows\system32\tdc.ocx
2011-10-07 03:14 . 2011-10-07 03:14 49664 ----a-w- c:\windows\system32\imgutil.dll
2011-10-07 03:14 . 2011-10-07 03:14 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-10-07 03:14 . 2011-10-07 03:14 448512 ----a-w- c:\windows\system32\html.iec
2011-10-07 03:14 . 2011-10-07 03:14 222208 ----a-w- c:\windows\system32\msls31.dll
2011-10-07 03:14 . 2011-10-07 03:14 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-10-07 03:14 . 2011-10-07 03:14 12288 ----a-w- c:\windows\system32\mshta.exe
2011-10-07 03:14 . 2011-10-07 03:14 114176 ----a-w- c:\windows\system32\admparse.dll
2011-10-07 03:14 . 2011-10-07 03:14 111616 ----a-w- c:\windows\system32\iesysprep.dll
2011-10-07 03:14 . 2011-10-07 03:14 85504 ----a-w- c:\windows\system32\iesetup.dll
2011-10-07 03:14 . 2011-10-07 03:14 603648 ----a-w- c:\windows\system32\vbscript.dll
2011-10-07 03:14 . 2011-10-07 03:14 30720 ----a-w- c:\windows\system32\licmgr10.dll
2011-10-07 03:14 . 2011-10-07 03:14 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2011-10-07 03:14 . 2011-10-07 03:14 165888 ----a-w- c:\windows\system32\iexpress.exe
2011-10-07 03:14 . 2011-10-07 03:14 160256 ----a-w- c:\windows\system32\wextract.exe
2011-10-07 03:13 . 2011-10-07 03:13 979456 ----a-w- c:\windows\SysWow64\MFH264Dec.dll
2011-10-07 03:13 . 2011-10-07 03:13 428544 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-10-07 03:13 . 2011-10-07 03:13 357376 ----a-w- c:\windows\SysWow64\MFHEAACdec.dll
2011-10-07 03:13 . 2011-10-07 03:13 1257984 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-10-07 03:13 . 2011-10-07 03:13 98816 ----a-w- c:\windows\SysWow64\mfps.dll
2011-10-07 03:13 . 2011-10-07 03:13 748544 ----a-w- c:\windows\system32\stobject.dll
2011-10-07 03:13 . 2011-10-07 03:13 586240 ----a-w- c:\windows\SysWow64\stobject.dll
2011-10-07 03:13 . 2011-10-07 03:13 377344 ----a-w- c:\windows\system32\mfmp4src.dll
2011-10-07 03:13 . 2011-10-07 03:13 3548672 ----a-w- c:\windows\system32\mf.dll
2011-10-07 03:13 . 2011-10-07 03:13 345088 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-10-07 03:13 . 2011-10-07 03:13 34304 ----a-w- c:\windows\system32\mfpmp.exe
2011-10-07 03:13 . 2011-10-07 03:13 302592 ----a-w- c:\windows\SysWow64\mfmp4src.dll
2011-10-07 03:13 . 2011-10-07 03:13 2873344 ----a-w- c:\windows\SysWow64\mf.dll
2011-10-07 03:13 . 2011-10-07 03:13 278528 ----a-w- c:\windows\system32\mfplat.dll
2011-10-07 03:13 . 2011-10-07 03:13 261632 ----a-w- c:\windows\SysWow64\mfreadwrite.dll
2011-10-07 03:13 . 2011-10-07 03:13 209920 ----a-w- c:\windows\SysWow64\mfplat.dll
2011-10-07 03:13 . 2011-10-07 03:13 195072 ----a-w- c:\windows\system32\mfps.dll
2011-10-07 03:13 . 2011-10-07 03:13 834048 ----a-w- c:\windows\system32\d2d1.dll
2011-10-07 03:13 . 2011-10-07 03:13 683008 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-10-07 03:13 . 2011-10-07 03:13 566272 ----a-w- c:\windows\system32\d3d10level9.dll
2011-10-07 03:13 . 2011-10-07 03:13 486400 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2011-10-07 03:13 . 2011-10-07 03:13 479744 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-10-07 03:13 . 2011-10-07 03:13 231936 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-10-07 03:13 . 2011-10-07 03:13 2002944 ----a-w- c:\windows\system32\d3d10warp.dll
2011-10-07 03:13 . 2011-10-07 03:13 1555968 ----a-w- c:\windows\system32\DWrite.dll
2011-10-07 03:13 . 2011-10-07 03:13 1172480 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2011-10-07 03:13 . 2011-10-07 03:13 1147904 ----a-w- c:\windows\system32\FntCache.dll
2011-10-07 03:13 . 2011-10-07 03:13 1068544 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-10-07 03:13 . 2011-10-07 03:13 900480 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-10-07 03:13 . 2011-10-07 03:13 876032 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2011-10-07 03:13 . 2011-10-07 03:13 847360 ----a-w- c:\windows\SysWow64\OpcServices.dll
2011-10-07 03:13 . 2011-10-07 03:13 625152 ----a-w- c:\windows\system32\dxgi.dll
2011-10-07 03:13 . 2011-10-07 03:13 478720 ----a-w- c:\windows\SysWow64\dxgi.dll
2011-10-07 03:13 . 2011-10-07 03:13 47104 ----a-w- c:\windows\system32\cdd.dll
2011-10-07 03:13 . 2011-10-07 03:13 366592 ----a-w- c:\windows\system32\winspool.drv
2011-10-07 03:13 . 2011-10-07 03:13 35840 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-10-07 03:13 . 2011-10-07 03:13 327680 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-10-07 03:13 . 2011-10-07 03:13 3068416 ----a-w- c:\windows\system32\xpsservices.dll
2011-10-07 03:13 . 2011-10-07 03:13 288768 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2011-10-07 03:13 . 2011-10-07 03:13 287232 ----a-w- c:\windows\system32\d3d10core.dll
2011-10-07 03:13 . 2011-10-07 03:13 258048 ----a-w- c:\windows\SysWow64\winspool.drv
2011-10-07 03:13 . 2011-10-07 03:13 219648 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2011-10-07 03:13 . 2011-10-07 03:13 196096 ----a-w- c:\windows\system32\d3d10_1.dll
2011-10-07 03:13 . 2011-10-07 03:13 189952 ----a-w- c:\windows\SysWow64\d3d10core.dll
2011-10-07 03:13 . 2011-10-07 03:13 1653760 ----a-w- c:\windows\system32\XpsPrint.dll
2011-10-07 03:13 . 2011-10-07 03:13 160768 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2011-10-07 03:13 . 2011-10-07 03:13 1554432 ----a-w- c:\windows\SysWow64\xpsservices.dll
2011-10-07 03:13 . 2011-10-07 03:13 1461760 ----a-w- c:\windows\system32\OpcServices.dll
2011-10-07 03:13 . 2011-10-07 03:13 135680 ----a-w- c:\windows\SysWow64\XpsRasterService.dll
2011-10-07 03:13 . 2011-10-07 03:13 1268224 ----a-w- c:\windows\system32\d3d10.dll
2011-10-07 03:13 . 2011-10-07 03:13 1032192 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-10-07 03:13 . 2011-10-07 03:13 1029120 ----a-w- c:\windows\SysWow64\d3d10.dll
2011-10-07 03:12 . 2011-10-07 03:12 974848 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2011-10-07 03:12 . 2011-10-07 03:12 792576 ----a-w- c:\windows\system32\d3d11.dll
2011-10-07 03:12 . 2011-10-07 03:12 519680 ----a-w- c:\windows\SysWow64\d3d11.dll
2011-10-07 03:12 . 2011-10-07 03:12 449024 ----a-w- c:\windows\system32\WMPhoto.dll
2011-10-07 03:12 . 2011-10-07 03:12 411648 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-10-07 03:12 . 2011-10-07 03:12 369664 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2011-10-07 03:12 . 2011-10-07 03:12 328192 ----a-w- c:\windows\system32\dxdiag.exe
2011-10-07 03:12 . 2011-10-07 03:12 321024 ----a-w- c:\windows\SysWow64\PhotoMetadataHandler.dll
2011-10-07 03:12 . 2011-10-07 03:12 262656 ----a-w- c:\windows\system32\dxdiagn.dll
2011-10-07 03:12 . 2011-10-07 03:12 252928 ----a-w- c:\windows\SysWow64\dxdiag.exe
2011-10-07 03:12 . 2011-10-07 03:12 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-10-07 03:12 . 2011-10-07 03:12 195584 ----a-w- c:\windows\SysWow64\dxdiagn.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-02 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ZPdtWzdVitaKey AC5031"="c:\program files (x86)\VitaKey\AC5031\PdtWzd.exe" [2010-02-26 2894848]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2009-09-04 75048]
"RemoteControl"="c:\program files (x86)\CyberLink\PowerDVD\PDVDServ.exe" [2009-04-17 87336]
"LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD\Language\Language.exe" [2009-04-17 62760]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\Vav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-12-10 0]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-5-14 1026600]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey AC5031]
2010-02-26 18:18 1977856 ----a-w- c:\program files (x86)\VitaKey\AC5031\WinNotify.dll
.
R1 ziuithil;ziuithil;c:\windows\system32\drivers\ziuithil.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-02 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-02 135664]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R4 ahcix64;ahcix64;c:\windows\system32\drivers\ahcix64.sys [x]
R4 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [x]
S0 AlfaFF;AlfaFF mini-filter driver;c:\windows\system32\Drivers\AlfaFF.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH6.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 NETw5v64;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit ;c:\windows\system32\DRIVERS\NETw5v64.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-02 22:58]
.
2011-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-02 22:58]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOvrly1]
@="{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}"
[HKEY_CLASSES_ROOT\CLSID\{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}]
2010-02-26 18:18 146944 ----a-w- c:\program files (x86)\VitaKey\AC5031\{IconOvrly.dll}
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF18341.3XE" [2008-01-21 363008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.2.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Vav\AppData\Roaming\Mozilla\Firefox\Profiles\nzlpfrk1.default\
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\VitaKey\AC5031\CompPtcVUI.exe
c:\program files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
.
**************************************************************************
.
Completion time: 2011-12-23 06:15:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-23 12:15
.
Pre-Run: 172,538,105,856 bytes free
Post-Run: 172,288,147,456 bytes free
.
- - End Of File - - C77691912B2F863761718D68AB0F096D

#9 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,204 posts
  • Gender:Female
  • Location:Romania

Posted 23 December 2011 - 08:46 AM

Hi, this is Vista, so no recovery console. :)
How are things running at this point?

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
Driver::
ziuithil

Rootkit::
c:\windows\system32\drivers\ziuithil.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft
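As an added example (not code from this thread, and not part of FRST or ComboFix), the Python script below encodes as review heuristics the four indicators that the logs in this thread exhibit: the .exe file association pointing at something other than the stock handler (.exe=yd), an executable dropped directly in a user's AppData\Local root (frw.exe), a freshly created directory under Windows that mimics a system folder (system64), and an early-start driver whose image file ComboFix reported as missing (R1 ziuithil ... [x]), which is exactly what the CFScript above targets. The sample log lines are constructed to mirror the FRST and ComboFix output posted above; the rule names, the start-type threshold and the set of accepted .exe handlers are assumptions made for the example.

```python
"""Triage heuristics over FRST / ComboFix-style log lines.

Added example for this thread; not part of FRST, ComboFix or the posts.
Each rule marks a line as a candidate for manual review; none of them is
a verdict, and legitimate software can trip any of them.
"""
import re
from typing import List, Tuple

# FRST:     "2011-12-17 19:03:19 2420224 ----a-w- C:\Users\Vav\AppData\Local\frw.exe"
# ComboFix: "2011-12-17 18:50 . 2011-12-17 18:50 -------- d-----we c:\windows\system64"
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d(?::\d\d)?\s+"
    r"(?:\.\s+\d{4}-\d\d-\d\d \d\d:\d\d\s+)?"
    r"(?P<size>\d+|-+)\s+(?P<attr>[-a-z]{8})\s+(?P<path>.+)$"
)

# ComboFix: "R1 ziuithil;ziuithil;c:\windows\system32\drivers\ziuithil.sys [x]"
# FRST:     "S3 btwl2cap;Bluetooth L2CAP Service;C:\...\btwl2cap.sys --> C:\...\btwl2cap.sys [?]"
DRIVER_LINE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?)\s+(?P<status>\[x\]|\[\?\]|\[[\d-]+ \d+\])$"
)

# FRST "File Associations" section: ".exe=yd"
ASSOC_LINE = re.compile(r"^\.exe=(?P<value>.*)$")

# Values Windows itself uses for the .exe association (assumed stock handlers).
STOCK_EXE_HANDLERS = {"exefile", '"%1" %*'}

# %SystemRoot%\system<something> that is neither System32 nor plain "system".
SYSTEM_LOOKALIKE = re.compile(r"\\windows\\system(?!32$|$)[^\\]*$")

# An executable sitting directly in AppData\Local or AppData\Roaming (no subfolder).
APPDATA_ROOT_EXE = re.compile(r"\\appdata\\(?:local|roaming)\\[^\\]+\.exe$")

# Start types 0-2 (boot, system, auto) load without anyone asking for them;
# a missing image there is worth a look, a demand-start (3) stub usually is not.
EARLY_START = "012"


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs for every log line that trips a heuristic."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = ASSOC_LINE.match(line)
        if m:
            if m.group("value").strip() not in STOCK_EXE_HANDLERS:
                findings.append(("exe-association-hijacked", line))
            continue

        m = DRIVER_LINE.match(line)
        if m:
            file_missing = m.group("status") in ("[x]", "[?]")
            if file_missing and m.group("start")[1] in EARLY_START:
                findings.append(("early-start-driver-file-missing", line))
            continue

        m = FILE_LINE.match(line)
        if m:
            path = m.group("path").lower()
            is_dir = m.group("attr").startswith("d")
            if is_dir and SYSTEM_LOOKALIKE.search(path):
                findings.append(("system-dir-lookalike", line))
            elif not is_dir and APPDATA_ROOT_EXE.search(path):
                findings.append(("exe-in-appdata-root", line))
    return findings


# Constructed sample mixing benign and suspicious lines in both log formats.
SAMPLE_LOG = r"""
.exe=yd
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
2011-12-17 19:03:19 2420224 ----a-w- C:\Users\Vav\AppData\Local\frw.exe
2011-12-17 18:50:24 -------- d-----we C:\Windows\system64
2011-12-18 06:38:50 -------- d-----w- C:\Windows\System32\MpEngineStore
2011-12-13 23:47:30 85504 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-17 18:50 . 2011-12-17 18:50 -------- d-----we c:\windows\system64
R1 ziuithil;ziuithil;c:\windows\system32\drivers\ziuithil.sys [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R4 ahcix64;ahcix64;c:\windows\system32\drivers\ahcix64.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-02 135664]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
"""

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:34} {line}")
```

Run against the sample it reports five lines: the .exe association, frw.exe, the system64 directory in both the FRST and the ComboFix spelling, and the R1 ziuithil driver. The R3 WSDPrintDevice and R4 ahcix64 entries also show [x] but stay quiet, because demand-start and disabled drivers with a missing file are a common benign leftover, whereas a boot/system-start driver with no visible image on disk is the pattern a rootkit hiding its own file produces.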


#10 Fenen

  • Topic Starter

  • Members
  • 15 posts
  • Location:Wisconsin

Posted 23 December 2011 - 02:34 PM

Sorry for the delay...



ComboFix 11-12-23.01 - Vav 12/23/2011 13:16:00.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4090.2884 [GMT -6:00]
Running from: c:\users\Vav\Desktop\ComboFix.exe
Command switches used :: c:\users\Vav\Desktop\CFScript.txt.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ziuithil
.
.
((((((((((((((((((((((((( Files Created from 2011-11-23 to 2011-12-23 )))))))))))))))))))))))))))))))
.
.
2011-12-23 08:11 . 2011-12-23 08:12 -------- d-----w- C:\FRST
2011-12-22 21:22 . 2011-12-22 21:22 -------- d-----w- C:\$WINDOWS.~LS
2011-12-22 21:22 . 2011-12-22 21:22 -------- d-----w- C:\$WINDOWS.~BT
2011-12-18 06:38 . 2011-12-18 06:40 -------- d-----w- c:\windows\system32\MpEngineStore
2011-12-17 18:50 . 2011-12-17 18:50 -------- d-----we c:\windows\system64
2011-12-17 08:27 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0F548F01-F4E4-4281-A2BD-06E720F2B5A3}\mpengine.dll
2011-12-13 23:47 . 2011-11-23 13:57 2764800 ----a-w- c:\windows\system32\win32k.sys
2011-12-13 23:47 . 2011-10-25 16:09 85504 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-13 23:47 . 2011-11-08 14:58 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-13 23:47 . 2011-11-08 14:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-13 23:47 . 2011-10-14 17:30 559616 ----a-w- c:\windows\system32\EncDec.dll
2011-12-13 23:47 . 2011-10-14 16:02 429056 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-09 01:00 . 2011-12-09 01:00 -------- d-----w- c:\programdata\McAfee
2011-12-09 01:00 . 2011-12-09 01:00 -------- d-----w- c:\programdata\McAfee Security Scan
2011-12-09 01:00 . 2011-12-10 06:23 -------- d-----w- c:\program files (x86)\McAfee Security Scan
2011-12-04 02:09 . 2011-12-04 02:09 644368 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-17 18:50 . 2011-06-07 22:39 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-09 14:35 . 2011-10-09 14:35 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-07 03:14 . 2011-10-07 03:14 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-10-07 03:14 . 2011-10-07 03:14 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2011-10-07 03:14 . 2011-10-07 03:14 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-10-07 03:14 . 2011-10-07 03:14 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-10-07 03:14 . 2011-10-07 03:14 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2011-10-07 03:14 . 2011-10-07 03:14 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2011-10-07 03:14 . 2011-10-07 03:14 367104 ----a-w- c:\windows\SysWow64\html.iec
2011-10-07 03:14 . 2011-10-07 03:14 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2011-10-07 03:14 . 2011-10-07 03:14 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-10-07 03:14 . 2011-10-07 03:14 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2011-10-07 03:14 . 2011-10-07 03:14 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-10-07 03:14 . 2011-10-07 03:14 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2011-10-07 03:14 . 2011-10-07 03:14 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2011-10-07 03:14 . 2011-10-07 03:14 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2011-10-07 03:14 . 2011-10-07 03:14 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2011-10-07 03:14 . 2011-10-07 03:14 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2011-10-07 03:14 . 2011-10-07 03:14 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2011-10-07 03:14 . 2011-10-07 03:14 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-10-07 03:14 . 2011-10-07 03:14 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-10-07 03:14 . 2011-10-07 03:14 76800 ----a-w- c:\windows\system32\tdc.ocx
2011-10-07 03:14 . 2011-10-07 03:14 49664 ----a-w- c:\windows\system32\imgutil.dll
2011-10-07 03:14 . 2011-10-07 03:14 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-10-07 03:14 . 2011-10-07 03:14 448512 ----a-w- c:\windows\system32\html.iec
2011-10-07 03:14 . 2011-10-07 03:14 222208 ----a-w- c:\windows\system32\msls31.dll
2011-10-07 03:14 . 2011-10-07 03:14 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-10-07 03:14 . 2011-10-07 03:14 12288 ----a-w- c:\windows\system32\mshta.exe
2011-10-07 03:14 . 2011-10-07 03:14 114176 ----a-w- c:\windows\system32\admparse.dll
2011-10-07 03:14 . 2011-10-07 03:14 111616 ----a-w- c:\windows\system32\iesysprep.dll
2011-10-07 03:14 . 2011-10-07 03:14 85504 ----a-w- c:\windows\system32\iesetup.dll
2011-10-07 03:14 . 2011-10-07 03:14 603648 ----a-w- c:\windows\system32\vbscript.dll
2011-10-07 03:14 . 2011-10-07 03:14 30720 ----a-w- c:\windows\system32\licmgr10.dll
2011-10-07 03:14 . 2011-10-07 03:14 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2011-10-07 03:14 . 2011-10-07 03:14 165888 ----a-w- c:\windows\system32\iexpress.exe
2011-10-07 03:14 . 2011-10-07 03:14 160256 ----a-w- c:\windows\system32\wextract.exe
2011-10-07 03:13 . 2011-10-07 03:13 979456 ----a-w- c:\windows\SysWow64\MFH264Dec.dll
2011-10-07 03:13 . 2011-10-07 03:13 428544 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-10-07 03:13 . 2011-10-07 03:13 357376 ----a-w- c:\windows\SysWow64\MFHEAACdec.dll
2011-10-07 03:13 . 2011-10-07 03:13 1257984 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-10-07 03:13 . 2011-10-07 03:13 98816 ----a-w- c:\windows\SysWow64\mfps.dll
2011-10-07 03:13 . 2011-10-07 03:13 748544 ----a-w- c:\windows\system32\stobject.dll
2011-10-07 03:13 . 2011-10-07 03:13 586240 ----a-w- c:\windows\SysWow64\stobject.dll
2011-10-07 03:13 . 2011-10-07 03:13 377344 ----a-w- c:\windows\system32\mfmp4src.dll
2011-10-07 03:13 . 2011-10-07 03:13 3548672 ----a-w- c:\windows\system32\mf.dll
2011-10-07 03:13 . 2011-10-07 03:13 345088 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-10-07 03:13 . 2011-10-07 03:13 34304 ----a-w- c:\windows\system32\mfpmp.exe
2011-10-07 03:13 . 2011-10-07 03:13 302592 ----a-w- c:\windows\SysWow64\mfmp4src.dll
2011-10-07 03:13 . 2011-10-07 03:13 2873344 ----a-w- c:\windows\SysWow64\mf.dll
2011-10-07 03:13 . 2011-10-07 03:13 278528 ----a-w- c:\windows\system32\mfplat.dll
2011-10-07 03:13 . 2011-10-07 03:13 261632 ----a-w- c:\windows\SysWow64\mfreadwrite.dll
2011-10-07 03:13 . 2011-10-07 03:13 209920 ----a-w- c:\windows\SysWow64\mfplat.dll
2011-10-07 03:13 . 2011-10-07 03:13 195072 ----a-w- c:\windows\system32\mfps.dll
2011-10-07 03:13 . 2011-10-07 03:13 834048 ----a-w- c:\windows\system32\d2d1.dll
2011-10-07 03:13 . 2011-10-07 03:13 683008 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-10-07 03:13 . 2011-10-07 03:13 566272 ----a-w- c:\windows\system32\d3d10level9.dll
2011-10-07 03:13 . 2011-10-07 03:13 486400 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2011-10-07 03:13 . 2011-10-07 03:13 479744 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-10-07 03:13 . 2011-10-07 03:13 231936 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-10-07 03:13 . 2011-10-07 03:13 2002944 ----a-w- c:\windows\system32\d3d10warp.dll
2011-10-07 03:13 . 2011-10-07 03:13 1555968 ----a-w- c:\windows\system32\DWrite.dll
2011-10-07 03:13 . 2011-10-07 03:13 1172480 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2011-10-07 03:13 . 2011-10-07 03:13 1147904 ----a-w- c:\windows\system32\FntCache.dll
2011-10-07 03:13 . 2011-10-07 03:13 1068544 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-10-07 03:13 . 2011-10-07 03:13 900480 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-10-07 03:13 . 2011-10-07 03:13 876032 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2011-10-07 03:13 . 2011-10-07 03:13 847360 ----a-w- c:\windows\SysWow64\OpcServices.dll
2011-10-07 03:13 . 2011-10-07 03:13 625152 ----a-w- c:\windows\system32\dxgi.dll
2011-10-07 03:13 . 2011-10-07 03:13 478720 ----a-w- c:\windows\SysWow64\dxgi.dll
2011-10-07 03:13 . 2011-10-07 03:13 47104 ----a-w- c:\windows\system32\cdd.dll
2011-10-07 03:13 . 2011-10-07 03:13 366592 ----a-w- c:\windows\system32\winspool.drv
2011-10-07 03:13 . 2011-10-07 03:13 35840 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-10-07 03:13 . 2011-10-07 03:13 327680 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-10-07 03:13 . 2011-10-07 03:13 3068416 ----a-w- c:\windows\system32\xpsservices.dll
2011-10-07 03:13 . 2011-10-07 03:13 288768 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2011-10-07 03:13 . 2011-10-07 03:13 287232 ----a-w- c:\windows\system32\d3d10core.dll
2011-10-07 03:13 . 2011-10-07 03:13 258048 ----a-w- c:\windows\SysWow64\winspool.drv
2011-10-07 03:13 . 2011-10-07 03:13 219648 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2011-10-07 03:13 . 2011-10-07 03:13 196096 ----a-w- c:\windows\system32\d3d10_1.dll
2011-10-07 03:13 . 2011-10-07 03:13 189952 ----a-w- c:\windows\SysWow64\d3d10core.dll
2011-10-07 03:13 . 2011-10-07 03:13 1653760 ----a-w- c:\windows\system32\XpsPrint.dll
2011-10-07 03:13 . 2011-10-07 03:13 160768 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2011-10-07 03:13 . 2011-10-07 03:13 1554432 ----a-w- c:\windows\SysWow64\xpsservices.dll
2011-10-07 03:13 . 2011-10-07 03:13 1461760 ----a-w- c:\windows\system32\OpcServices.dll
2011-10-07 03:13 . 2011-10-07 03:13 135680 ----a-w- c:\windows\SysWow64\XpsRasterService.dll
2011-10-07 03:13 . 2011-10-07 03:13 1268224 ----a-w- c:\windows\system32\d3d10.dll
2011-10-07 03:13 . 2011-10-07 03:13 1032192 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-10-07 03:13 . 2011-10-07 03:13 1029120 ----a-w- c:\windows\SysWow64\d3d10.dll
2011-10-07 03:12 . 2011-10-07 03:12 974848 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2011-10-07 03:12 . 2011-10-07 03:12 792576 ----a-w- c:\windows\system32\d3d11.dll
2011-10-07 03:12 . 2011-10-07 03:12 519680 ----a-w- c:\windows\SysWow64\d3d11.dll
2011-10-07 03:12 . 2011-10-07 03:12 449024 ----a-w- c:\windows\system32\WMPhoto.dll
2011-10-07 03:12 . 2011-10-07 03:12 411648 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-10-07 03:12 . 2011-10-07 03:12 369664 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2011-10-07 03:12 . 2011-10-07 03:12 328192 ----a-w- c:\windows\system32\dxdiag.exe
2011-10-07 03:12 . 2011-10-07 03:12 321024 ----a-w- c:\windows\SysWow64\PhotoMetadataHandler.dll
2011-10-07 03:12 . 2011-10-07 03:12 262656 ----a-w- c:\windows\system32\dxdiagn.dll
2011-10-07 03:12 . 2011-10-07 03:12 252928 ----a-w- c:\windows\SysWow64\dxdiag.exe
2011-10-07 03:12 . 2011-10-07 03:12 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-10-07 03:12 . 2011-10-07 03:12 195584 ----a-w- c:\windows\SysWow64\dxdiagn.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-23_12.11.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 15:45 . 2011-12-23 12:13 88600 c:\windows\system64\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-12-18 21:09 . 2011-12-23 12:13 14358 c:\windows\system64\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3249809739-367327911-3232028224-1000_UserData.bin
+ 2006-11-02 15:45 . 2011-12-23 12:13 88600 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-12-18 21:09 . 2011-12-23 12:13 14358 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3249809739-367327911-3232028224-1000_UserData.bin
- 2011-12-23 12:11 . 2011-12-23 12:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-23 19:28 . 2011-12-23 19:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-12-23 19:28 . 2011-12-23 19:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-12-23 12:11 . 2011-12-23 12:11 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-12-21 01:28 . 2011-12-23 19:06 312130 c:\windows\system64\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 12:46 . 2011-12-23 12:06 595684 c:\windows\system64\perfh009.dat
+ 2006-11-02 12:46 . 2011-12-23 12:19 595684 c:\windows\system64\perfh009.dat
+ 2006-11-02 12:46 . 2011-12-23 12:19 101350 c:\windows\system64\perfc009.dat
- 2006-11-02 12:46 . 2011-12-23 12:06 101350 c:\windows\system64\perfc009.dat
+ 2009-12-21 01:28 . 2011-12-23 19:06 312130 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 12:46 . 2011-12-23 12:06 595684 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2011-12-23 12:19 595684 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2011-12-23 12:19 101350 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2011-12-23 12:06 101350 c:\windows\system32\perfc009.dat
+ 2011-10-07 04:45 . 2011-12-23 19:25 197044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-10-07 04:45 . 2011-12-23 12:09 197044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-02 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ZPdtWzdVitaKey AC5031"="c:\program files (x86)\VitaKey\AC5031\PdtWzd.exe" [2010-02-26 2894848]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2009-09-04 75048]
"RemoteControl"="c:\program files (x86)\CyberLink\PowerDVD\PDVDServ.exe" [2009-04-17 87336]
"LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD\Language\Language.exe" [2009-04-17 62760]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\Vav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-12-10 0]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-5-14 1026600]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey AC5031]
2010-02-26 18:18 1977856 ----a-w- c:\program files (x86)\VitaKey\AC5031\WinNotify.dll
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-02 135664]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-02 135664]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R4 ahcix64;ahcix64;c:\windows\system32\drivers\ahcix64.sys [x]
R4 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [x]
S0 AlfaFF;AlfaFF mini-filter driver;c:\windows\system32\Drivers\AlfaFF.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH6.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 NETw5v64;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit ;c:\windows\system32\DRIVERS\NETw5v64.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-02 22:58]
.
2011-12-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-02 22:58]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOvrly1]
@="{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}"
[HKEY_CLASSES_ROOT\CLSID\{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}]
2010-02-26 18:18 146944 ----a-w- c:\program files (x86)\VitaKey\AC5031\{IconOvrly.dll}
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF4877.3XE" [2008-01-21 363008]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.2.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Vav\AppData\Roaming\Mozilla\Firefox\Profiles\nzlpfrk1.default\
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\VitaKey\AC5031\CompPtcVUI.exe
c:\program files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
.
**************************************************************************
.
Completion time: 2011-12-23 13:32:39 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-23 19:32
ComboFix2.txt 2011-12-23 12:15
.
Pre-Run: 172,318,314,496 bytes free
Post-Run: 172,207,218,688 bytes free
.
- - End Of File - - 6BB68B64295871939E63F49AF080E6E8
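Reading the "Reg Loading Points" section of a log like the one above by hand is tedious, and the two things a helper first looks for there are services whose file is gone and autostart entries that run from unusual places. The following Python script is an added example written for this thread; it is not code from ComboFix or from any post here, and its parsing rules are inferred from the log format as it appears above. It parses the registry Run values, the Startup-folder items and the service/driver lines, then lists the services ComboFix marked `[x]` (no file found on disk) and the entries whose binary lives outside the Windows and Program Files trees. The `AutoStart` class, the function names and the "standard roots" heuristic are my own choices; the sample input is copied verbatim from the log posted above.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not code from ComboFix or from any post above.
The parsing rules are inferred from the log format as shown in the thread.
"""
import re
from dataclasses import dataclass
from typing import List

# Registry Run value:      "name"="path" [yyyy-mm-dd size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<tail>[^\]]*)\]$')
# Service / driver line:   R3 name;description;path [yyyy-mm-dd size]   or   [x]
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[(?P<tail>[^\]]*)\]$')
# Startup-folder shortcut: name.lnk - target [yyyy-m-d size]
LNK_RE = re.compile(r'^(?P<name>.+?\.lnk) - (?P<path>.+?)\s+\[(?P<tail>[^\]]*)\]$')
# Startup-folder plain file: name [yyyy-mm-dd size]
ITEM_RE = re.compile(r'^(?P<name>[^\[\]]+?)\s+\[(?P<tail>[^\]]*)\]$')

# Where legitimately installed autostart binaries normally live
# (heuristic chosen for this example, not a ComboFix rule).
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class AutoStart:
    kind: str         # "run", "startup" or "service"
    name: str
    path: str
    origin: str       # registry key, startup folder, or service start type (R2, S3, ...)
    file_found: bool  # False where ComboFix printed "[x]" instead of date and size


def parse_loading_points(text: str) -> List[AutoStart]:
    """Extract Run values, Startup-folder items and service lines from the section."""
    entries: List[AutoStart] = []
    reg_key = ""   # most recent [HKEY_...] header
    folder = ""    # most recent Startup-folder header, cleared at the next "."
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            folder = ""
            continue
        if line.startswith("[HKEY_") and line.endswith("]"):
            reg_key, folder = line[1:-1], ""
            continue
        if line.lower().endswith("\\startup\\"):
            folder = line
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(AutoStart("run", m["name"], m["path"], reg_key, m["tail"] != "x"))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(AutoStart("service", m["name"], m["path"], m["start"], m["tail"] != "x"))
            continue
        if folder:
            m = LNK_RE.match(line) or ITEM_RE.match(line)
            if m:
                # a plain file in the Startup folder has no target; its path is folder + name
                path = m["path"] if "path" in m.groupdict() else folder + m["name"]
                entries.append(AutoStart("startup", m["name"], path, folder, m["tail"] != "x"))
    return entries


def missing_binaries(entries: List[AutoStart]) -> List[str]:
    """Names of services/drivers whose file ComboFix could not find ("[x]")."""
    return [e.name for e in entries if not e.file_found]


def nonstandard_locations(entries: List[AutoStart]) -> List[AutoStart]:
    """Autostart entries whose binary lives outside the Windows and Program Files trees."""
    return [e for e in entries if not e.path.lower().startswith(STANDARD_ROOTS)]


# Sample input: lines copied verbatim from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-02 39408]
.
c:\users\Vav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-12-10 0]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-5-14 1026600]
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-02 135664]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
S0 AlfaFF;AlfaFF mini-filter driver;c:\windows\system32\Drivers\AlfaFF.sys [x]
S3 NETw5v64;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit ;c:\windows\system32\DRIVERS\NETw5v64.sys [x]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF4877.3XE" [2008-01-21 363008]
"""

if __name__ == "__main__":
    found = parse_loading_points(SAMPLE_LOG)
    print("services with no file on disk:", missing_binaries(found))
    for e in nonstandard_locations(found):
        print(f"outside standard roots: {e.kind:8} {e.name!r} -> {e.path}")
```

Both lists are review prompts, not verdicts. On the sample the `[x]` services (WSDPrintDevice, AlfaFF, NETw5v64) are the usual leftovers of removed drivers, and the `combofix` Run value shows up as "outside standard roots" only because ComboFix keeps its restart entry in c:\combofix; the user-profile Startup item is the one a helper would actually check.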

#11 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,204 posts
  • Gender:Female
  • Location:Romania

Posted 23 December 2011 - 02:57 PM

No problem at all, how are things running now?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 Fenen
  • Topic Starter
  • Members
  • 15 posts
  • Location:Wisconsin

Posted 23 December 2011 - 03:48 PM

It looks pretty good. Thanks so much, you rock!

#13 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,204 posts
  • Gender:Female
  • Location:Romania

Posted 23 December 2011 - 03:52 PM

I'm glad to hear that! :)

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Adobe components and update:
  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security Scan Plus" option or any other toolbar you are offered.
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove Programs and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Your Adobe Reader is now up to date!


Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7u2.
  • Look for "JDK 7u2 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double-clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise




#14 Fenen
  • Topic Starter
  • Members
  • 15 posts
  • Location:Wisconsin

Posted 23 December 2011 - 05:06 PM

During the scan, Microsoft Security Essentials popped up saying it detected 6 threats and suspended them. There is a clean option. Still scanning with MBAM.

#15 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,204 posts
  • Gender:Female
  • Location:Romania

Posted 23 December 2011 - 05:09 PM

MSE just detects that MBAM is accessing files, usually in system restore. That is nothing to worry about.

regards, Elise

