high cpu usage


  • This topic is locked
17 replies to this topic

#1 mamazi

mamazi

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 23 December 2011 - 11:22 AM

Need help. My PC just got high CPU usage, almost reaching 90%. I checked the resource usage and don't know what is using my CPU so much. Then
I scanned with Kaspersky, Malwarebytes and ESET and got this exe; I don't know whether it is a virus, malware or adware, and Google also doesn't find any info on it:
C:\PROGRA~3\LOCALS~1\TEMP\3F3667FF006064CC.EXE
I scanned with Malwarebytes and removed it, but still no luck.
After deleting it, on reboot and in Safe Mode, still no luck. I hope anyone can help solve my problem; I don't want
to format my PC just because of this problem. Thank you.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by Boyz at 0:08:11 on 2011-12-24
.
============== Running Processes ===============
.
C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe
C:\Program Files (x86)\Connectify\ConnectifyService.exe
C:\Program Files (x86)\Connectify\ConnectifyD.exe
C:\Program Files (x86)\REALTEK\Wireless LAN Utility\RtlService.exe
C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files (x86)\REALTEK\Wireless LAN Utility\RtWlan.exe
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\SysWOW64\vmnat.exe
C:\Windows\SysWOW64\vmnetdhcp.exe
C:\Program Files (x86)\Internet Download Manager\IDMan.exe
C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe
C:\Program Files (x86)\Stardock\ObjectDockPlus2\ObjectDock.exe
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Boyz\Downloads\Programs\dds.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
uRun: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
uRun: [Advanced SystemCare 5] "C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" /Manual
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mExplorerRun: [49491] C:\PROGRA~3\LOCALS~1\Temp\3f3667ff006064cc.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110}
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F}
LSP: C:\Program Files (x86)\VMware\VMware Player\vsocklib.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\26965647 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\26965647 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\37869627F6 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\37869627F6 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\4505D2C494E4B4 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\4505D2C494E4B4 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\94E64796D23547574656E647 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\94E64796D23547574656E647 : DhcpNameServer = 8.8.8.8 203.188.232.10 202.188.0.133
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\D45425D4149444 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\D45425D4149444 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF}\055747164716E6022424 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF}\055747164716E6022424 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF}\94E64796D23547574656E647 : DhcpNameServer = 8.8.8.8 203.188.232.10 202.188.0.133
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF}\B6C667F6F6 : DhcpNameServer = 192.168.1.1
BHO-X64: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO-X64: IDM Helper - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
mRun-x64: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Boyz\AppData\Roaming\Mozilla\Firefox\Profiles\cnbl1u32.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Nitro PDF\Reader 2\npdf.dll
FF - plugin: C:\Program Files (x86)\Nitro PDF\Reader 2\npnitromozilla.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 600000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
R? AVP;Kaspersky Anti-Virus Service
R? BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver
R? BstHdDrv;BlueStacks Hypervisor
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64
R? dmvsc;dmvsc
R? IDMWFP;IDMWFP
R? MpNWMon;Microsoft Malware Protection Network Driver
R? netr28ux;RT2870 USB Extensible Wireless LAN Card Driver
R? npggsvc;nProtect GameGuard Service
R? NVHDA;Service for NVIDIA High Definition Audio Driver
R? RdpVideoMiniport;Remote Desktop Video Miniport Driver
R? Synth3dVsc;Synth3dVsc
R? terminpt;Microsoft Remote Desktop Input Driver
R? TsUsbFlt;TsUsbFlt
R? TsUsbGD;Remote Desktop Generic USB Device
R? tsusbhub;tsusbhub
R? VGPU;VGPU
R? vwifimp;Microsoft Virtual WiFi Miniport Service
R? WatAdminSvc;Windows Activation Technologies Service
S? AdvancedSystemCareService5;Advanced SystemCare Service 5
S? cnnctfy2;Connectify LightWeight Filter
S? Connectify;Connectify
S? cpuz135;cpuz135
S? dtsoftbus01;DAEMON Tools Virtual Bus Driver
S? kl2;kl2
S? KLIM6;Kaspersky Anti-Virus NDIS 6 Filter
S? klmouflt;Kaspersky Lab KLMOUFLT
S? MBAMProtector;MBAMProtector
S? MBAMService;MBAMService
S? MpFilter;Microsoft Malware Protection Driver
S? NisDrv;Microsoft Network Inspection System
S? NisSrv;Microsoft Network Inspection
S? NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2
S? nvUpdatusService;NVIDIA Update Service Daemon
S? Realtek11nSU;Realtek11nSU
S? RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter
S? TeamViewer6;TeamViewer 6
S? VMUSBArbService;VMware USB Arbitration Service
S? vwififlt;Virtual WiFi Filter Driver
.
=============== Created Last 30 ================
.
2011-12-23 15:51:02 917840 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4BE4462C-16EF-4390-8960-E0852EB8D39C}\gapaengine.dll
2011-12-23 15:51:00 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F2D8B730-F6AD-4CF4-A6E4-EC84BDA17B6B}\offreg.dll
2011-12-23 15:50:58 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F2D8B730-F6AD-4CF4-A6E4-EC84BDA17B6B}\mpengine.dll
2011-12-23 15:49:33 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-12-23 15:45:26 -------- d-----w- C:\ProgramData\Kaspersky Lab
2011-12-23 00:53:16 -------- d-----w- C:\Program Files (x86)\ESET
2011-12-22 14:13:24 -------- d-----w- C:\Users\Boyz\AppData\Roaming\vghd
2011-12-22 14:12:24 7 ----a-w- C:\Windows\treeskp.sys
2011-12-22 14:12:24 7 ----a-w- C:\Windows\sbacknt.bin
2011-12-22 11:36:59 -------- d-----w- C:\Users\Boyz\AppData\Local\vghd
2011-12-21 12:50:59 -------- d-sh--w- C:\$RECYCLE.BIN
2011-12-21 12:46:18 -------- d-----w- C:\Users\Boyz\AppData\Local\temp
2011-12-21 12:22:25 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-21 00:57:04 388096 ----a-r- C:\Users\Boyz\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-20 22:02:37 -------- d-----w- C:\Program Files\ESET
2011-12-20 12:30:31 110992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\KavAntiBanner@kaspersky.ru_bak2\components\abhelperxpcom.dll
2011-12-20 12:30:24 147856 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru_bak2\components\kavlinkfilter.dll
2011-12-20 12:18:44 98816 ----a-w- C:\Windows\sed.exe
2011-12-20 12:18:44 518144 ----a-w- C:\Windows\SWREG.exe
2011-12-20 12:18:44 256000 ----a-w- C:\Windows\PEV.exe
2011-12-20 12:18:44 208896 ----a-w- C:\Windows\MBR.exe
2011-12-20 12:11:32 -------- d-----w- C:\Program Files (x86)\Kaspersky Lab
2011-12-20 11:12:07 -------- d-----w- C:\Users\Boyz\AppData\Roaming\WinPatrol
2011-12-20 11:12:03 -------- d-----w- C:\ProgramData\InstallMate
2011-12-20 11:12:03 -------- d-----w- C:\Program Files (x86)\BillP Studios
2011-12-19 21:31:34 -------- d-----w- C:\Users\Boyz\AppData\Roaming\QuickScan
2011-12-19 21:31:28 -------- d-----w- C:\Program Files\Bitdefender
2011-12-19 21:31:05 -------- d-----w- C:\Program Files\Common Files\Bitdefender
2011-12-19 21:29:42 42672 ----a-w- C:\Windows\SysWow64\epfwdata.bin
2011-12-19 17:47:21 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-12-16 10:17:12 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CDF60CD0-0F16-4B38-9F7F-A5743F1E305B}\mpengine.dll
2011-12-16 10:16:30 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-16 10:16:30 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-16 10:16:25 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-12-16 10:16:23 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-16 10:16:23 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-16 10:16:23 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-12 14:06:55 -------- d-----w- C:\Users\Boyz\AppData\Roaming\Great Little War Game
2011-12-09 13:27:15 -------- d-----w- C:\Windows\SysWow64\spool
2011-12-05 13:33:24 -------- d-----w- C:\Users\Boyz\AppData\Local\DuplicateCleaner
2011-12-05 13:19:15 -------- d-----w- C:\Users\Boyz\AppData\Roaming\TeraCopy
2011-12-05 13:19:13 -------- d-----w- C:\Program Files\TeraCopy
2011-12-05 12:11:01 -------- d-----w- C:\Users\Boyz\AppData\Roaming\CD Art Display
2011-12-03 13:55:14 -------- d-----w- C:\Program Files (x86)\VideoLAN
2011-12-02 13:27:27 -------- d-----w- C:\Windows\System32\wbem\Framework\root\OpenHardwareMonitor
2011-12-02 13:27:27 -------- d-----w- C:\Windows\System32\wbem\Framework\root
2011-12-02 13:27:27 -------- d-----w- C:\Windows\System32\wbem\Framework
2011-12-01 03:44:37 -------- d-----w- C:\Users\Boyz\AppData\Local\Chromium
2011-12-01 03:27:46 -------- d-----w- C:\ProgramData\Rockstar Games
2011-12-01 03:26:25 -------- d-----w- C:\Program Files (x86)\Rockstar Games
2011-11-27 09:33:36 -------- d-----w- C:\Program Files (x86)\Connectify
2011-11-27 09:33:33 -------- d-----w- C:\ProgramData\Connectify
2011-11-25 16:33:29 22872 ----a-w- C:\Windows\System32\RegistryDefragBootTime.exe
2011-11-25 10:31:48 212992 ------w- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll
2011-11-25 08:27:03 819200 --sha-w- C:\Windows\SysWow64\xvidcore.dll
2011-11-25 08:27:03 180224 --sha-w- C:\Windows\SysWow64\xvidvfw.dll
2011-11-24 15:16:02 -------- d-----w- C:\Users\Boyz\AppData\Local\Aspyr
2011-11-24 11:17:46 450048 ----a-w- C:\Windows\System32\drivers\rtl8187B.sys
2011-11-24 11:17:40 614400 ----a-w- C:\Windows\SysWow64\Rtlihvs.dll
2011-11-24 11:17:40 380928 ----a-w- C:\Windows\RtlUI2.exe
2011-11-24 11:17:40 188416 ----a-w- C:\Windows\SysWow64\RTLExtUI.dll
.
==================== Find3M ====================
.
2011-12-20 00:38:33 90192 ----a-w- C:\Windows\System32\drivers\bdfndisf6.sys
2011-12-20 00:38:19 258736 ----a-w- C:\Windows\System32\drivers\avchv.sys
2011-12-20 00:38:16 543528 ----a-w- C:\Windows\System32\drivers\avckf.sys
2011-11-12 12:23:21 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-22 11:21:42 71680 ----a-w- C:\Windows\System32\frapsv64.dll
2011-10-22 11:21:38 65536 ----a-w- C:\Windows\SysWow64\frapsvid.dll
2011-10-18 11:53:14 2957544 ----a-w- C:\Windows\System32\drivers\RTKVHD64.sys
2011-10-18 10:10:30 99432 ----a-w- C:\Windows\System32\RCoInst64.dll
2011-10-18 05:55:50 331880 ----a-w- C:\Windows\System32\RtlCPAPI64.dll
2011-10-18 05:47:22 1914472 ----a-w- C:\Windows\System32\RtkApi64.dll
2011-10-18 03:05:00 2528872 ----a-w- C:\Windows\System32\RtPgEx64.dll
2011-10-17 09:30:38 3213928 ----a-w- C:\Windows\System32\RtkAPO64.dll
2011-10-14 05:43:48 1873920 ----a-w- C:\Windows\System32\RCoRes64.dat
2011-10-14 04:05:50 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll
2011-10-14 03:48:20 419840 ----a-w- C:\Windows\System32\wrap_oal.dll
2011-10-14 03:48:20 413696 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2011-10-14 03:48:20 133632 ----a-w- C:\Windows\System32\OpenAL32.dll
2011-10-14 03:48:20 110592 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2011-10-14 01:52:49 627600 ----a-w- C:\Windows\System32\deployJava1.dll
2011-10-03 03:39:50 96768 ----a-w- C:\Windows\System32\fsutil.exe
2011-10-03 03:39:50 189824 ----a-w- C:\Windows\System32\drivers\storport.sys
2011-10-03 03:39:50 1659776 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2011-10-03 03:39:49 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe
2011-10-03 03:39:49 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys
2011-10-03 03:39:49 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys
2011-10-03 03:39:49 2565632 ----a-w- C:\Windows\System32\esent.dll
2011-10-03 03:39:49 1699328 ----a-w- C:\Windows\SysWow64\esent.dll
2011-10-03 03:39:49 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys
2011-10-03 03:39:49 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys
2011-10-03 03:38:32 98816 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2011-10-03 03:38:32 7936 ----a-w- C:\Windows\System32\drivers\usbd.sys
2011-10-03 03:38:32 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2011-10-03 03:38:32 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2011-10-03 03:38:32 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
2011-10-03 03:38:32 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2011-10-03 03:38:32 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
2011-09-30 01:15:56 254528 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
2011-09-30 01:15:02 31344 ----a-w- C:\Windows\System32\drivers\cnnctfy2.sys
2011-09-29 16:29:28 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2010-08-03 03:11:16 819200 --sha-w- C:\Windows\SysWOW64\xvidcore.dll
2010-08-03 03:11:16 180224 --sha-w- C:\Windows\SysWOW64\xvidvfw.dll
.
============= FINISH: 0:08:45.34 ===============


.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Advanced SystemCare 5
ConvertXtoDVD 4.1.19.365
DAEMON Tools Lite
Driver Sweeper version 3.0.0
ESET Online Scanner v3
foobar2000 v1.1.10
Fraps (remove only)
Glary Utilities Pro 2.40.0.1326
HiJackThis
Internet Download Manager
Jurassic Park The Game
K-Lite Codec Pack 7.9.0 (Standard)
Kaspersky Internet Security 2012
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft AppLocale
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
Mozilla Firefox 8.0 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Ultra Edition
neroxml
NVIDIA PhysX
ObjectDock Plus 2
OpenAL
Rainmeter
Real Alternative 2.0.2
Realtek High Definition Audio Driver
REALTEK Wireless LAN Driver and Utility
redist
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Splash PRO EX
Stardock Software
TeamViewer 6
The KMPlayer (remove only)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
VLC media player 1.1.11
VMware Player
.
==== End Of File ===========================

Edited by mamazi, 23 December 2011 - 11:35 AM.
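The part of the DDS log above that a responder reads first is the Pseudo HJT Report. Two things in it stand out. The mExplorerRun value (by the HijackThis/DDS naming convention, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, a policy key that legitimate installers rarely write to) launches a 16-hex-character .exe from a Temp directory behind an 8.3 short path, and the same value is still present in the second log posted on 30 December. The mPolicies-system lines show UAC switched off (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0), so anything running as this admin user already has a full administrator token and no elevation prompt ever appears. The script below is an added example for this thread, not part of DDS and not code from the original post: it parses report lines in the format DDS prints and flags these kinds of entries. The sample lines are copied from the log above; the path and name heuristics are this example's own, not anything DDS itself reports.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread, not part of DDS or of the original post.
It flags autostart values that point into temp or generated-name locations,
policy-based Run keys, UAC switched off, and orphaned BHO registrations.
"""
import re
from dataclasses import dataclass

# DDS/HijackThis line prefixes and the registry keys they conventionally stand for
# (u = current-user hive HKCU, m = machine hive HKLM).
AUTORUN_KEYS = {
    "uRun":         r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "mRun":         r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    "uExplorerRun": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    "mExplorerRun": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
}

# UAC values under HKLM\...\Policies\System: the value that weakens UAC and what it means.
WEAK_UAC = {
    "EnableLUA": ("0", "UAC is disabled: admin users run with a full token and never see a prompt"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate silently"),
    "PromptOnSecureDesktop": ("0", "elevation prompts are not isolated on the secure desktop"),
}

AUTORUN_RE = re.compile(
    r"^(?P<key>[um](?:Explorer)?Run(?:Once)?)(?:-x64)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
POLICY_RE = re.compile(r"^mPolicies-system: (?P<name>\w+) = (?P<value>\d+)")
BHO_RE = re.compile(r"^BHO(?:-X64)?: .+ - No File$")


@dataclass
class Finding:
    line: str
    reasons: list


def executable_path(cmd: str) -> str:
    """Return the program part of an autorun command line without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: take everything up to the first executable extension.
    m = re.match(r"(.+?\.(?:exe|com|scr|pif|bat|cmd|dll))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def autorun_reasons(key: str, name: str, cmd: str) -> list:
    """Heuristics (this example's own, not DDS's) for why an autorun value deserves a look."""
    path = executable_path(cmd)
    low = path.lower()
    stem = re.sub(r"\.[^.\\]+$", "", low.rsplit("\\", 1)[-1])
    reasons = []
    if key.endswith("ExplorerRun"):
        reasons.append("policy Run key %s, rarely used by legitimate installers" % AUTORUN_KEYS[key])
    if re.search(r"\\temp\\|\\tmp\\", low):
        reasons.append("program is launched from a temp directory")
    if re.search(r"~\d", path):
        reasons.append("8.3 short-name path hides the real directory names")
    if re.fullmatch(r"[0-9a-f]{12,}", stem):
        reasons.append("file name is %d hex characters, typical of generated names" % len(stem))
    if name.isdigit():
        reasons.append("value name is just a number")
    return reasons


def triage(report: str) -> list:
    """Return a Finding for every report line that trips a heuristic."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if (m := AUTORUN_RE.match(line)):
            reasons = autorun_reasons(m["key"], m["name"], m["cmd"])
            if reasons:
                findings.append(Finding(line, reasons))
        elif (m := POLICY_RE.match(line)) and m["name"] in WEAK_UAC:
            bad_value, meaning = WEAK_UAC[m["name"]]
            if m["value"] == bad_value:
                findings.append(Finding(line, [meaning]))
        elif BHO_RE.match(line):
            findings.append(Finding(line, ["orphaned BHO registration, its DLL is missing"]))
    return findings


# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_REPORT = r"""
uRun: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
uRun: [Advanced SystemCare 5] "C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" /Manual
mRun: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot
mExplorerRun: [49491] C:\PROGRA~3\LOCALS~1\Temp\3f3667ff006064cc.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
BHO-X64: IDM Helper - No File
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding.line)
        for reason in finding.reasons:
            print("    -", reason)
```

Run against the sample, the script reports the mExplorerRun line with all five reasons, the three weakened UAC values, and the orphaned IDM Helper BHO, while the IDMan, Advanced SystemCare and WinPatrol entries pass. The script only flags; it does not touch the registry. On the affected machine the same value can be confirmed from an elevated command prompt with reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, and the UAC state with reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA.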


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,696 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:15 AM

Posted 29 December 2011 - 07:25 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434164 <<< CLICK THIS LINK



If you no longer need help, then all you need to do is follow the previous instructions and tell me so. You can skip the rest of this post. If you do need help, please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 mamazi

mamazi
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 29 December 2011 - 07:57 PM

Hi there, here are the new logs.

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by Boyz at 8:47:23 on 2011-12-30
.
============== Running Processes ===============
.
C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe
C:\Program Files (x86)\Connectify\ConnectifyService.exe
C:\Program Files (x86)\REALTEK\Wireless LAN Utility\RtlService.exe
C:\Program Files (x86)\REALTEK\Wireless LAN Utility\RtWlan.exe
C:\Program Files (x86)\Connectify\ConnectifyD.exe
C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\SysWOW64\vmnat.exe
C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
C:\Program Files (x86)\Internet Download Manager\IDMan.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe
C:\Program Files (x86)\Stardock\ObjectDockPlus2\ObjectDock.exe
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
C:\Windows\SysWOW64\vmnetdhcp.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files (x86)\Connectify\Connectify.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Users\Boyz\Downloads\dds.pif
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
uRun: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
uRun: [Advanced SystemCare 5] "C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" /Manual
mRun: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mExplorerRun: [49491] C:\PROGRA~3\LOCALS~1\Temp\3f3667ff006064cc.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110}
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F}
LSP: C:\Program Files (x86)\VMware\VMware Player\vsocklib.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\26965647 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\26965647 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\37869627F6 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\37869627F6 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\4505D2C494E4B4 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\4505D2C494E4B4 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\94E64796D23547574656E647 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\94E64796D23547574656E647 : DhcpNameServer = 8.8.8.8 203.188.232.10 202.188.0.133
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\D45425D4149444 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\D45425D4149444 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF}\055747164716E6022424 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF}\055747164716E6022424 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF}\94E64796D23547574656E647 : DhcpNameServer = 8.8.8.8 203.188.232.10 202.188.0.133
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF}\B6C667F6F6 : DhcpNameServer = 192.168.1.1
BHO-X64: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO-X64: IDM Helper - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
mRun-x64: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot
mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Boyz\AppData\Roaming\Mozilla\Firefox\Profiles\cnbl1u32.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Nitro PDF\Reader 2\npdf.dll
FF - plugin: C:\Program Files (x86)\Nitro PDF\Reader 2\npnitromozilla.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 600000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
R? BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver
R? BstHdDrv;BlueStacks Hypervisor
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64
R? dmvsc;dmvsc
R? IDMWFP;IDMWFP
R? MpNWMon;Microsoft Malware Protection Network Driver
R? netr28ux;RT2870 USB Extensible Wireless LAN Card Driver
R? npggsvc;nProtect GameGuard Service
R? NVHDA;Service for NVIDIA High Definition Audio Driver
R? RdpVideoMiniport;Remote Desktop Video Miniport Driver
R? Synth3dVsc;Synth3dVsc
R? terminpt;Microsoft Remote Desktop Input Driver
R? TsUsbFlt;TsUsbFlt
R? TsUsbGD;Remote Desktop Generic USB Device
R? tsusbhub;tsusbhub
R? VGPU;VGPU
R? WatAdminSvc;Windows Activation Technologies Service
S? AdvancedSystemCareService5;Advanced SystemCare Service 5
S? cnnctfy2;Connectify LightWeight Filter
S? Connectify;Connectify
S? cpuz135;cpuz135
S? dtsoftbus01;DAEMON Tools Virtual Bus Driver
S? kl2;kl2
S? klmouflt;Kaspersky Lab KLMOUFLT
S? MBAMProtector;MBAMProtector
S? MBAMService;MBAMService
S? MpFilter;Microsoft Malware Protection Driver
S? NisDrv;Microsoft Network Inspection System
S? NisSrv;Microsoft Network Inspection
S? NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2
S? nvoclk64;NVIDIA Enthusiasts Platform KDM
S? nvUpdatusService;NVIDIA Update Service Daemon
S? Realtek11nSU;Realtek11nSU
S? RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter
S? TeamViewer6;TeamViewer 6
S? VMUSBArbService;VMware USB Arbitration Service
S? vwififlt;Virtual WiFi Filter Driver
S? vwifimp;Microsoft Virtual WiFi Miniport Service
.
=============== Created Last 30 ================
.
2011-12-29 12:04:44 626688 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
2011-12-29 12:04:44 548864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
2011-12-29 12:04:44 479232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
2011-12-29 12:04:44 43992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
2011-12-29 11:36:08 709968 ----a-w- C:\Windows\is-4TAEP.exe
2011-12-29 10:55:39 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3B11A8D0-6E39-463F-A907-58EDA14630C9}\offreg.dll
2011-12-29 10:55:38 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3B11A8D0-6E39-463F-A907-58EDA14630C9}\mpengine.dll
2011-12-29 04:24:37 -------- d-----w- C:\Users\Boyz\AppData\Roaming\SPlayer
2011-12-29 04:24:31 -------- d-----w- C:\Program Files (x86)\SPlayer
2011-12-26 17:38:59 -------- d-----w- C:\Users\Boyz\AppData\Local\FlatOut Ultimate Carnage
2011-12-25 15:37:22 -------- d-----w- C:\Program Files (x86)\Connectify
2011-12-25 15:37:17 -------- d-----w- C:\ProgramData\Connectify
2011-12-24 15:57:31 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-24 14:44:59 -------- d-----w- C:\Users\Boyz\AppData\Local\BoH
2011-12-24 10:57:38 -------- d-----w- C:\Users\Boyz\AppData\Local\NVIDIA Corporation
2011-12-23 15:51:02 917840 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4BE4462C-16EF-4390-8960-E0852EB8D39C}\gapaengine.dll
2011-12-23 15:49:33 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-12-23 15:45:26 -------- d-----w- C:\ProgramData\Kaspersky Lab
2011-12-23 00:53:16 -------- d-----w- C:\Program Files (x86)\ESET
2011-12-22 14:13:24 -------- d-----w- C:\Users\Boyz\AppData\Roaming\vghd
2011-12-22 14:12:24 7 ----a-w- C:\Windows\treeskp.sys
2011-12-22 14:12:24 7 ----a-w- C:\Windows\sbacknt.bin
2011-12-22 11:36:59 -------- d-----w- C:\Users\Boyz\AppData\Local\vghd
2011-12-21 12:50:59 -------- d-sh--w- C:\$RECYCLE.BIN
2011-12-21 12:46:18 -------- d-----w- C:\Users\Boyz\AppData\Local\temp
2011-12-21 12:22:25 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-21 00:57:04 388096 ----a-r- C:\Users\Boyz\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-20 22:02:37 -------- d-----w- C:\Program Files\ESET
2011-12-20 12:30:31 110992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\KavAntiBanner@kaspersky.ru_bak2\components\abhelperxpcom.dll
2011-12-20 12:30:24 147856 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru_bak2\components\kavlinkfilter.dll
2011-12-20 12:18:44 98816 ----a-w- C:\Windows\sed.exe
2011-12-20 12:18:44 518144 ----a-w- C:\Windows\SWREG.exe
2011-12-20 12:18:44 256000 ----a-w- C:\Windows\PEV.exe
2011-12-20 12:18:44 208896 ----a-w- C:\Windows\MBR.exe
2011-12-20 11:12:07 -------- d-----w- C:\Users\Boyz\AppData\Roaming\WinPatrol
2011-12-20 11:12:03 -------- d-----w- C:\ProgramData\InstallMate
2011-12-20 11:12:03 -------- d-----w- C:\Program Files (x86)\BillP Studios
2011-12-19 21:31:34 -------- d-----w- C:\Users\Boyz\AppData\Roaming\QuickScan
2011-12-19 21:31:28 -------- d-----w- C:\Program Files\Bitdefender
2011-12-19 21:31:05 -------- d-----w- C:\Program Files\Common Files\Bitdefender
2011-12-19 21:29:42 42672 ----a-w- C:\Windows\SysWow64\epfwdata.bin
2011-12-19 17:47:21 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-12-16 10:17:12 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CDF60CD0-0F16-4B38-9F7F-A5743F1E305B}\mpengine.dll
2011-12-16 10:16:30 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-12-16 10:16:30 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-12-16 10:16:25 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-12-16 10:16:23 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-12-16 10:16:23 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-12-16 10:16:23 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-12 14:06:55 -------- d-----w- C:\Users\Boyz\AppData\Roaming\Great Little War Game
2011-12-09 13:27:15 -------- d-----w- C:\Windows\SysWow64\spool
2011-12-05 13:33:24 -------- d-----w- C:\Users\Boyz\AppData\Local\DuplicateCleaner
2011-12-05 13:19:15 -------- d-----w- C:\Users\Boyz\AppData\Roaming\TeraCopy
2011-12-05 13:19:13 -------- d-----w- C:\Program Files\TeraCopy
2011-12-05 12:11:01 -------- d-----w- C:\Users\Boyz\AppData\Roaming\CD Art Display
2011-12-03 13:55:14 -------- d-----w- C:\Program Files (x86)\VideoLAN
2011-12-02 13:27:27 -------- d-----w- C:\Windows\System32\wbem\Framework\root\OpenHardwareMonitor
2011-12-02 13:27:27 -------- d-----w- C:\Windows\System32\wbem\Framework\root
2011-12-02 13:27:27 -------- d-----w- C:\Windows\System32\wbem\Framework
2011-12-01 03:44:37 -------- d-----w- C:\Users\Boyz\AppData\Local\Chromium
2011-12-01 03:27:46 -------- d-----w- C:\ProgramData\Rockstar Games
2011-12-01 03:26:25 -------- d-----w- C:\Program Files (x86)\Rockstar Games
.
==================== Find3M ====================
.
2011-12-20 00:38:33 90192 ----a-w- C:\Windows\System32\drivers\bdfndisf6.sys
2011-12-20 00:38:19 258736 ----a-w- C:\Windows\System32\drivers\avchv.sys
2011-12-20 00:38:16 543528 ----a-w- C:\Windows\System32\drivers\avckf.sys
2011-12-10 07:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-11-12 12:23:21 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-22 11:21:42 71680 ----a-w- C:\Windows\System32\frapsv64.dll
2011-10-22 11:21:38 65536 ----a-w- C:\Windows\SysWow64\frapsvid.dll
2011-10-19 15:10:14 22872 ----a-w- C:\Windows\System32\RegistryDefragBootTime.exe
2011-10-18 11:53:14 2957544 ----a-w- C:\Windows\System32\drivers\RTKVHD64.sys
2011-10-18 10:10:30 99432 ----a-w- C:\Windows\System32\RCoInst64.dll
2011-10-18 05:55:50 331880 ----a-w- C:\Windows\System32\RtlCPAPI64.dll
2011-10-18 05:47:22 1914472 ----a-w- C:\Windows\System32\RtkApi64.dll
2011-10-18 03:05:00 2528872 ----a-w- C:\Windows\System32\RtPgEx64.dll
2011-10-17 09:30:38 3213928 ----a-w- C:\Windows\System32\RtkAPO64.dll
2011-10-14 05:43:48 1873920 ----a-w- C:\Windows\System32\RCoRes64.dat
2011-10-14 04:05:50 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll
2011-10-14 03:48:20 419840 ----a-w- C:\Windows\System32\wrap_oal.dll
2011-10-14 03:48:20 413696 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2011-10-14 03:48:20 133632 ----a-w- C:\Windows\System32\OpenAL32.dll
2011-10-14 03:48:20 110592 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2011-10-14 01:52:49 627600 ----a-w- C:\Windows\System32\deployJava1.dll
2011-10-03 03:39:50 96768 ----a-w- C:\Windows\System32\fsutil.exe
2011-10-03 03:39:50 189824 ----a-w- C:\Windows\System32\drivers\storport.sys
2011-10-03 03:39:50 1659776 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2011-10-03 03:39:49 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe
2011-10-03 03:39:49 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys
2011-10-03 03:39:49 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys
2011-10-03 03:39:49 2565632 ----a-w- C:\Windows\System32\esent.dll
2011-10-03 03:39:49 1699328 ----a-w- C:\Windows\SysWow64\esent.dll
2011-10-03 03:39:49 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys
2011-10-03 03:39:49 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys
2011-10-03 03:38:32 98816 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2011-10-03 03:38:32 7936 ----a-w- C:\Windows\System32\drivers\usbd.sys
2011-10-03 03:38:32 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2011-10-03 03:38:32 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2011-10-03 03:38:32 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
2011-10-03 03:38:32 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2011-10-03 03:38:32 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
2010-08-03 03:11:16 819200 --sha-w- C:\Windows\SysWOW64\xvidcore.dll
2010-08-03 03:11:16 180224 --sha-w- C:\Windows\SysWOW64\xvidvfw.dll
.
============= FINISH: 8:47:37.54 ===============

Thanks for the help.


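The DDS log above is easier to work through if the "Created Last 30" and "Find3M" rows are triaged mechanically rather than read top to bottom. The following Python is an added example, not part of the original post and not code from DDS or ComboFix: it parses rows in both the DDS layout used here (one timestamp) and the ComboFix layout used later in the thread (created . modified), and flags the rows a responder would open first. The four heuristics and the 64-byte threshold are my own assumptions, and the last sample line (C:\ProgramData\Temp\synthetic.exe) is constructed, not taken from the log; the other sample lines are copied from the post. On this log the rules pick out C:\Windows\is-4TAEP.exe, the two 7-byte files C:\Windows\treeskp.sys and C:\Windows\sbacknt.bin, and the hidden+system xvidcore.dll. They also flag sed.exe, which ComboFix itself places in C:\Windows along with SWREG.exe, PEV.exe and MBR.exe, so treat the output as a review list, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: rows copied from the DDS "Created Last 30" /
# "Find3M" sections of this post, one row in ComboFix's two-timestamp layout
# (the format used later in the thread), and one synthetic row (the last one)
# that exists only to exercise the temp-path rule.
SAMPLE = r"""
2011-12-29 11:36:08 709968 ----a-w- C:\Windows\is-4TAEP.exe
2011-12-29 04:24:37 -------- d-----w- C:\Users\Boyz\AppData\Roaming\SPlayer
2011-12-22 14:12:24 7 ----a-w- C:\Windows\treeskp.sys
2011-12-22 14:12:24 7 ----a-w- C:\Windows\sbacknt.bin
2011-12-20 12:18:44 98816 ----a-w- C:\Windows\sed.exe
2011-12-16 10:16:25 3145216 ----a-w- C:\Windows\System32\win32k.sys
2010-08-03 03:11:16 819200 --sha-w- C:\Windows\SysWOW64\xvidcore.dll
2011-12-29 11:36 . 2011-12-29 11:36 709968 ----a-w- c:\windows\is-4TAEP.exe
2011-12-21 12:46:18 4096 ----a-w- C:\ProgramData\Temp\synthetic.exe
"""

# One regex covers both layouts: DDS prints "created size attrs path",
# ComboFix prints "created . modified size attrs path". Directories show
# eight dashes in the size column and a leading "d" in the attribute column.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Heuristic inputs (assumed thresholds, not anything DDS/ComboFix define).
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".bin")
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$")        # file directly in C:\Windows
TEMP_RE = re.compile(r"\\(temp|tmp)\\|\\progra~3\\|\\programdata\\")
TINY_BYTES = 64  # no real PE image or kernel driver is this small


@dataclass
class Entry:
    created: str
    size: Optional[int]          # None for directory rows ("--------")
    attrs: str                   # e.g. "----a-w-", "d-----w-", "--sha-w-"
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def is_exec(self) -> bool:
        return self.path.lower().endswith(EXEC_EXT)


def parse(text: str) -> List[Entry]:
    """Turn log rows into Entry objects; headers, blanks and '.' separators are skipped."""
    out: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        out.append(Entry(m["created"], size, m["attrs"], m["path"].strip()))
    return out


def score(e: Entry) -> List[str]:
    """Return the list of reasons a row deserves a look (empty = nothing tripped)."""
    p = e.path.lower()
    reasons: List[str] = []
    if e.is_dir:
        return reasons
    if WINROOT_RE.match(p):
        reasons.append("file directly in %SystemRoot% (OS binaries live in subfolders)")
    if e.is_exec and e.size is not None and e.size <= TINY_BYTES:
        reasons.append(f"{e.size}-byte file with an executable/driver extension")
    if e.is_exec and "s" in e.attrs and "h" in e.attrs:
        reasons.append("hidden+system attributes on an executable")
    if e.is_exec and TEMP_RE.search(p):
        reasons.append("executable under a temp/ProgramData path")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map path -> reasons for every row that trips at least one heuristic."""
    flagged: Dict[str, List[str]] = {}
    for e in parse(text):
        e.reasons = score(e)
        if e.reasons:
            flagged[e.path] = e.reasons
    return flagged


if __name__ == "__main__":
    for path, why in triage(SAMPLE).items():
        print(path)
        for reason in why:
            print("   -", reason)
```

Paste a whole DDS or ComboFix log into SAMPLE (or read it from a file) and the script prints only the rows that tripped a rule, with the rule named beside each; everything else in the log is left for a second pass.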
#4 nasdaq

  • Malware Response Team
  • 39,497 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:15 AM

Posted 01 January 2012 - 10:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs for my review.

#5 mamazi

  • Topic Starter
  • Members
  • 10 posts
  • Local time:04:15 AM

Posted 01 January 2012 - 11:45 AM

Hi there, thanks for replying, I was waiting for a reply.

Here are my logs as you requested.

ComboFix 11-12-31.03 - Boyz 01/02/2012 0:29.4.4 - x64
Running from: c:\users\Boyz\Downloads\Programs\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\temp\@
c:\windows\assembly\temp\bckfg.tmp
c:\windows\assembly\temp\cfg.ini
.
.
((((((((((((((((((((((((( Files Created from 2011-12-01 to 2012-01-01 )))))))))))))))))))))))))))))))
.
.
2012-01-01 16:34 . 2012-01-01 16:34 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-01-01 16:34 . 2012-01-01 16:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-01 16:34 . 2012-01-01 16:34 -------- d-----w- c:\users\Boyz\AppData\Local\temp
2012-01-01 09:45 . 2012-01-01 11:47 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{58647F05-96A7-4828-A477-7DA8FE3E73D3}\offreg.dll
2012-01-01 08:00 . 2011-11-20 19:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{58647F05-96A7-4828-A477-7DA8FE3E73D3}\mpengine.dll
2011-12-29 12:04 . 2011-12-29 12:04 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2011-12-29 12:04 . 2011-12-29 12:04 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2011-12-29 12:04 . 2011-12-29 12:04 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2011-12-29 12:04 . 2011-12-29 12:04 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2011-12-29 11:36 . 2011-12-29 11:36 709968 ----a-w- c:\windows\is-4TAEP.exe
2011-12-29 04:24 . 2011-12-29 04:25 -------- d-----w- c:\users\Boyz\AppData\Roaming\SPlayer
2011-12-29 04:24 . 2011-12-29 10:30 -------- d-----w- c:\program files (x86)\SPlayer
2011-12-26 17:38 . 2011-12-26 17:38 -------- d-----w- c:\users\Boyz\AppData\Local\FlatOut Ultimate Carnage
2011-12-25 15:37 . 2011-12-30 18:41 -------- d-----w- c:\program files (x86)\Connectify
2011-12-25 15:37 . 2011-12-25 15:51 -------- d-----w- c:\programdata\Connectify
2011-12-24 15:57 . 2011-11-20 19:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-24 14:44 . 2011-12-24 14:49 -------- d-----w- c:\users\Boyz\AppData\Local\BoH
2011-12-24 10:57 . 2011-12-24 12:06 -------- d-----w- c:\users\Boyz\AppData\Local\NVIDIA Corporation
2011-12-23 15:51 . 2011-12-23 15:50 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4BE4462C-16EF-4390-8960-E0852EB8D39C}\gapaengine.dll
2011-12-23 15:49 . 2011-12-23 15:49 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2011-12-23 15:45 . 2011-12-23 15:45 -------- d-----w- c:\programdata\Kaspersky Lab
2011-12-23 00:53 . 2011-12-23 00:53 -------- d-----w- c:\program files (x86)\ESET
2011-12-22 14:13 . 2011-12-22 14:13 -------- d-----w- c:\users\Boyz\AppData\Roaming\vghd
2011-12-22 14:12 . 2011-12-25 07:24 7 ----a-w- c:\windows\treeskp.sys
2011-12-22 14:12 . 2011-12-25 07:24 7 ----a-w- c:\windows\sbacknt.bin
2011-12-22 11:36 . 2011-12-22 11:36 -------- d-----w- c:\users\Boyz\AppData\Local\vghd
2011-12-21 12:22 . 2011-12-30 05:17 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-21 00:57 . 2011-12-21 00:57 388096 ----a-r- c:\users\Boyz\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-20 22:02 . 2011-12-20 22:02 -------- d-----w- c:\program files\ESET
2011-12-20 12:30 . 2011-04-24 15:13 110992 ----a-w- c:\program files (x86)\Mozilla Firefox\extensions\KavAntiBanner@kaspersky.ru_bak2\components\abhelperxpcom.dll
2011-12-20 12:30 . 2011-04-24 15:13 147856 ----a-w- c:\program files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru_bak2\components\kavlinkfilter.dll
2011-12-20 11:12 . 2011-12-20 13:04 -------- d-----w- c:\users\Boyz\AppData\Roaming\WinPatrol
2011-12-20 11:12 . 2011-12-20 12:52 -------- d-----w- c:\programdata\InstallMate
2011-12-20 11:12 . 2011-12-20 11:12 -------- d-----w- c:\program files (x86)\BillP Studios
2011-12-19 21:31 . 2011-12-19 21:31 -------- d-----w- c:\users\Boyz\AppData\Roaming\QuickScan
2011-12-19 21:31 . 2011-12-20 12:49 -------- d-----w- c:\program files\Bitdefender
2011-12-19 21:31 . 2011-12-20 12:46 -------- d-----w- c:\program files\Common Files\Bitdefender
2011-12-19 21:29 . 2011-12-19 21:29 42672 ----a-w- c:\windows\SysWow64\epfwdata.bin
2011-12-19 17:47 . 2011-12-23 15:49 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-16 10:17 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CDF60CD0-0F16-4B38-9F7F-A5743F1E305B}\mpengine.dll
2011-12-16 10:16 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-16 10:16 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-16 10:16 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-16 10:16 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-16 10:16 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-16 10:16 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-12 14:06 . 2011-12-12 14:07 -------- d-----w- c:\users\Boyz\AppData\Roaming\Great Little War Game
2011-12-09 13:27 . 2011-12-09 13:29 -------- d-----w- c:\windows\SysWow64\spool
2011-12-05 13:33 . 2011-12-05 13:40 -------- d-----w- c:\users\Boyz\AppData\Local\DuplicateCleaner
2011-12-05 13:19 . 2011-12-05 13:19 -------- d-----w- c:\users\Boyz\AppData\Roaming\TeraCopy
2011-12-05 13:19 . 2011-12-05 13:19 -------- d-----w- c:\program files\TeraCopy
2011-12-05 12:11 . 2011-12-05 12:39 -------- d-----w- c:\users\Boyz\AppData\Roaming\CD Art Display
2011-12-03 13:55 . 2011-12-03 13:56 -------- d-----w- c:\users\Boyz\AppData\Roaming\vlc
2011-12-03 13:55 . 2011-12-03 13:55 -------- d-----w- c:\program files (x86)\VideoLAN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-20 00:38 . 2011-03-01 08:45 90192 ----a-w- c:\windows\system32\drivers\bdfndisf6.sys
2011-12-20 00:38 . 2011-07-15 07:12 258736 ----a-w- c:\windows\system32\drivers\avchv.sys
2011-12-20 00:38 . 2011-09-01 02:15 543528 ----a-w- c:\windows\system32\drivers\avckf.sys
2011-12-10 07:24 . 2011-10-01 02:29 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-06 13:42 . 2009-08-18 04:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2011-12-06 13:41 . 2009-08-18 03:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-12 12:23 . 2011-09-30 01:22 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-22 11:21 . 2011-10-22 11:21 71680 ----a-w- c:\windows\system32\frapsv64.dll
2011-10-22 11:21 . 2011-10-22 11:21 65536 ----a-w- c:\windows\SysWow64\frapsvid.dll
2011-10-19 15:10 . 2011-11-25 16:33 22872 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2011-10-18 11:53 . 2011-11-13 03:49 2957544 ----a-w- c:\windows\system32\drivers\RTKVHD64.sys
2011-10-18 10:10 . 2011-11-13 03:49 99432 ----a-w- c:\windows\system32\RCoInst64.dll
2011-10-18 05:55 . 2011-11-13 03:49 331880 ----a-w- c:\windows\system32\RtlCPAPI64.dll
2011-10-18 05:47 . 2011-11-13 03:49 1914472 ----a-w- c:\windows\system32\RtkApi64.dll
2011-10-18 03:05 . 2011-11-13 03:49 2528872 ----a-w- c:\windows\system32\RtPgEx64.dll
2011-10-17 09:30 . 2011-11-13 03:49 3213928 ----a-w- c:\windows\system32\RtkAPO64.dll
2011-10-15 08:53 . 2011-10-31 05:45 837952 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2011-10-15 08:53 . 2011-10-31 05:45 5067584 ----a-w- c:\windows\system32\nvsvc64.dll
2011-10-15 08:53 . 2011-10-31 05:45 222528 ----a-w- c:\windows\system32\nvmctray.dll
2011-10-15 08:53 . 2011-10-31 05:45 1640768 ----a-w- c:\windows\system32\nvvsvc.exe
2011-10-15 08:53 . 2011-10-31 05:45 137536 ----a-w- c:\windows\system32\nvshext.dll
2011-10-15 08:53 . 2011-10-31 05:45 10406208 ----a-w- c:\windows\system32\nvcpl.dll
2011-10-15 08:53 . 2011-10-31 05:45 8791360 ----a-w- c:\windows\system32\nvwgf2umx.dll
2011-10-15 08:53 . 2011-10-31 05:45 7041856 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2011-10-15 08:53 . 2011-10-31 05:45 68928 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-15 08:53 . 2011-10-31 05:45 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-10-15 08:53 . 2011-10-31 05:45 5578560 ----a-w- c:\windows\SysWow64\nvcuda.dll
2011-10-15 08:53 . 2011-10-31 05:45 2542912 ----a-w- c:\windows\system32\nvcuvid.dll
2011-10-15 08:53 . 2011-10-31 05:45 24742720 ----a-w- c:\windows\system32\nvoglv64.dll
2011-10-15 08:53 . 2011-10-31 05:45 2401088 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2011-10-15 08:53 . 2011-10-31 05:45 2232128 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-10-15 08:53 . 2011-10-31 05:45 2099520 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2011-10-15 08:53 . 2011-10-31 05:45 18871616 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2011-10-15 08:53 . 2011-10-31 05:45 15693120 ----a-w- c:\windows\system32\nvd3dumx.dll
2011-10-15 08:53 . 2011-10-31 05:45 1533248 ----a-w- c:\windows\system32\nvdispco64.dll
2011-10-15 08:53 . 2011-10-31 05:45 1454400 ----a-w- c:\windows\system32\nvgenco64.dll
2011-10-15 08:53 . 2011-10-31 05:45 13205312 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2011-10-15 08:53 . 2011-10-31 05:45 12971840 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-10-15 08:53 . 2011-10-31 05:45 7581504 ----a-w- c:\windows\system32\nvcuda.dll
2011-10-15 08:53 . 2011-10-31 05:45 2808128 ----a-w- c:\windows\system32\nvapi64.dll
2011-10-15 08:53 . 2011-10-31 05:45 24796992 ----a-w- c:\windows\system32\nvcompiler.dll
2011-10-15 08:53 . 2011-10-31 05:45 2458432 ----a-w- c:\windows\SysWow64\nvapi.dll
2011-10-15 08:53 . 2011-10-31 05:45 17248576 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2011-10-14 05:43 . 2011-11-13 03:49 1873920 ----a-w- c:\windows\system32\RCoRes64.dat
2011-10-14 04:05 . 2011-10-14 04:05 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll
2011-10-14 03:48 . 2011-10-14 03:40 419840 ----a-w- c:\windows\system32\wrap_oal.dll
2011-10-14 03:48 . 2011-10-14 03:40 413696 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-10-14 03:48 . 2011-10-14 03:40 133632 ----a-w- c:\windows\system32\OpenAL32.dll
2011-10-14 03:48 . 2011-10-14 03:40 110592 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2011-10-14 01:52 . 2011-10-14 01:29 627600 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-03 03:11 819200 --sha-w- c:\windows\SysWOW64\xvidcore.dll
2010-08-03 03:11 180224 --sha-w- c:\windows\SysWOW64\xvidvfw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2011-11-13 3437976]
"Advanced SystemCare 5"="c:\program files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" [2011-12-20 619352]
"Connectify"="c:\program files (x86)\Connectify\Connectify.exe" [2011-12-01 3073864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"49491"="c:\progra~3\LOCALS~1\Temp\3f3667ff006064cc.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver;c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [x]
R2 BstHdDrv;BlueStacks Hypervisor; [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 netr28ux;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28ux.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S1 cnnctfy2;Connectify LightWeight Filter;c:\windows\system32\DRIVERS\cnnctfy2.sys [x]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2011-12-20 494424]
S2 Connectify;Connectify;c:\program files (x86)\Connectify\ConnectifyService.exe [2011-12-01 69632]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe [2011-06-21 341296]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 Realtek11nSU;Realtek11nSU;c:\program files (x86)\REALTEK\Wireless LAN Utility\RtlService.exe [2010-04-16 36864]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-06-01 2337144]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [x]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-03-26 539248]
S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 nvoclk64;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\DRIVERS\nvoclk64.sys [x]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\rtl8187.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-01 c:\windows\Tasks\GlaryInitialize.job
- c:\program files (x86)\Glary Utilities\initialize.exe [2011-09-29 01:50]
.
2012-01-01 c:\windows\Tasks\GlaryOneClickOptimizer.job
- c:\program files (x86)\Glary Utilities\oneclickoptimizer.exe [2011-09-29 01:50]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-05-30 14:50 22408 ----a-w- c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984D045-52CF-49cd-DB77-08F378FEA4DB}"= "c:\program files (x86)\Stardock\ObjectDockPlus2\ODMenu64.dll" [2010-03-24 633200]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SYSTEM32\blank.htm
IE: Download all links with IDM - c:\program files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files (x86)\Internet Download Manager\IEExt.htm
LSP: c:\program files (x86)\VMware\VMware Player\vsocklib.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\37869627F6: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\4505D2C494E4B4: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\94E64796D23547574656E647: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\D45425D4149444: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF}\055747164716E6022424: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Boyz\AppData\Roaming\Mozilla\Firefox\Profiles\cnbl1u32.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: network.proxy.type - 0
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 600000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-474262605-414731850-1316134761-1000_Classes\Wow6432Node\CLSID\{66472b68-1a4b-4535-a472-e8ea5ccd0d57}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000151
"Therad"=dword:00000009
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-474262605-414731850-1316134761-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):2e,00,d1,9d,3a,01,c1,0d,c0,4f,40,86,8d,9f,89,4e,c9,de,31,40,2c,
1a,79,a4,a1,e2,3f,03,03,c8,8f,87,72,4d,ed,42,47,08,2e,20,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\BlueStacks]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-02 00:35:23
ComboFix-quarantined-files.txt 2012-01-01 16:35
ComboFix2.txt 2011-12-20 22:11
ComboFix3.txt 2011-12-20 12:39
.
Pre-Run: 6,942,912,512 bytes free
Post-Run: 6,875,795,456 bytes free
.
- - End Of File - - A8000E4EA2E877F51E013DC7BBCF63AD


Results of screen317's Security Check version 0.99.30
Windows 7 x64 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

ESET Online Scanner v3
Kaspersky Internet Security 2012
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Flash Player 11.1.102.55
Mozilla Firefox 8.0. Firefox out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
WinPatrol winpatrol.exe
Malwarebytes' Anti-Malware mbamservice.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
BillP Studios WinPatrol WinPatrol.exe
``````````End of Log````````````

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:15 AM

Posted 01 January 2012 - 04:16 PM

Open notepad and copy/paste the text in the quote box below into it:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"49491"=-


Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what problem persists.

#7 mamazi

mamazi
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:15 AM

Posted 01 January 2012 - 08:02 PM

ComboFix 12-01-01.06 - Boyz 01/02/2012 8:53.6.4 - x64
Running from: c:\users\Boyz\Downloads\Programs\ComboFix.exe
Command switches used :: c:\users\Boyz\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-12-02 to 2012-01-02 )))))))))))))))))))))))))))))))
.
.
2012-01-02 00:57 . 2012-01-02 00:57 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-01-02 00:57 . 2012-01-02 00:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-02 00:57 . 2012-01-02 00:57 -------- d-----w- c:\users\Boyz\AppData\Local\temp
2012-01-01 17:02 . 2012-01-01 17:02 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{28A57B52-A294-4C15-A1AC-945C8E52656B}\offreg.dll
2012-01-01 17:02 . 2011-11-20 19:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{28A57B52-A294-4C15-A1AC-945C8E52656B}\mpengine.dll
2011-12-29 12:04 . 2011-12-29 12:04 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2011-12-29 12:04 . 2011-12-29 12:04 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2011-12-29 12:04 . 2011-12-29 12:04 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2011-12-29 12:04 . 2011-12-29 12:04 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2011-12-29 11:36 . 2011-12-29 11:36 709968 ----a-w- c:\windows\is-4TAEP.exe
2011-12-29 04:24 . 2011-12-29 04:25 -------- d-----w- c:\users\Boyz\AppData\Roaming\SPlayer
2011-12-29 04:24 . 2011-12-29 10:30 -------- d-----w- c:\program files (x86)\SPlayer
2011-12-26 17:38 . 2011-12-26 17:38 -------- d-----w- c:\users\Boyz\AppData\Local\FlatOut Ultimate Carnage
2011-12-25 15:37 . 2011-12-30 18:41 -------- d-----w- c:\program files (x86)\Connectify
2011-12-25 15:37 . 2011-12-25 15:51 -------- d-----w- c:\programdata\Connectify
2011-12-24 15:57 . 2011-11-20 19:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-24 14:44 . 2011-12-24 14:49 -------- d-----w- c:\users\Boyz\AppData\Local\BoH
2011-12-24 10:57 . 2011-12-24 12:06 -------- d-----w- c:\users\Boyz\AppData\Local\NVIDIA Corporation
2011-12-23 15:51 . 2011-12-23 15:50 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4BE4462C-16EF-4390-8960-E0852EB8D39C}\gapaengine.dll
2011-12-23 15:49 . 2011-12-23 15:49 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2011-12-23 15:45 . 2011-12-23 15:45 -------- d-----w- c:\programdata\Kaspersky Lab
2011-12-23 00:53 . 2011-12-23 00:53 -------- d-----w- c:\program files (x86)\ESET
2011-12-22 14:13 . 2011-12-22 14:13 -------- d-----w- c:\users\Boyz\AppData\Roaming\vghd
2011-12-22 14:12 . 2011-12-25 07:24 7 ----a-w- c:\windows\treeskp.sys
2011-12-22 14:12 . 2011-12-25 07:24 7 ----a-w- c:\windows\sbacknt.bin
2011-12-22 11:36 . 2011-12-22 11:36 -------- d-----w- c:\users\Boyz\AppData\Local\vghd
2011-12-21 12:22 . 2011-12-30 05:17 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-21 00:57 . 2011-12-21 00:57 388096 ----a-r- c:\users\Boyz\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-20 22:02 . 2011-12-20 22:02 -------- d-----w- c:\program files\ESET
2011-12-20 12:30 . 2011-04-24 15:13 110992 ----a-w- c:\program files (x86)\Mozilla Firefox\extensions\KavAntiBanner@kaspersky.ru_bak2\components\abhelperxpcom.dll
2011-12-20 12:30 . 2011-04-24 15:13 147856 ----a-w- c:\program files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru_bak2\components\kavlinkfilter.dll
2011-12-20 11:12 . 2011-12-20 13:04 -------- d-----w- c:\users\Boyz\AppData\Roaming\WinPatrol
2011-12-20 11:12 . 2011-12-20 12:52 -------- d-----w- c:\programdata\InstallMate
2011-12-20 11:12 . 2011-12-20 11:12 -------- d-----w- c:\program files (x86)\BillP Studios
2011-12-19 21:31 . 2011-12-19 21:31 -------- d-----w- c:\users\Boyz\AppData\Roaming\QuickScan
2011-12-19 21:31 . 2011-12-20 12:49 -------- d-----w- c:\program files\Bitdefender
2011-12-19 21:31 . 2011-12-20 12:46 -------- d-----w- c:\program files\Common Files\Bitdefender
2011-12-19 21:29 . 2011-12-19 21:29 42672 ----a-w- c:\windows\SysWow64\epfwdata.bin
2011-12-19 17:47 . 2011-12-23 15:49 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-16 10:17 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CDF60CD0-0F16-4B38-9F7F-A5743F1E305B}\mpengine.dll
2011-12-16 10:16 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-16 10:16 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-16 10:16 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-16 10:16 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-16 10:16 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-16 10:16 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-12 14:06 . 2011-12-12 14:07 -------- d-----w- c:\users\Boyz\AppData\Roaming\Great Little War Game
2011-12-09 13:27 . 2011-12-09 13:29 -------- d-----w- c:\windows\SysWow64\spool
2011-12-05 13:33 . 2011-12-05 13:40 -------- d-----w- c:\users\Boyz\AppData\Local\DuplicateCleaner
2011-12-05 13:19 . 2011-12-05 13:19 -------- d-----w- c:\users\Boyz\AppData\Roaming\TeraCopy
2011-12-05 13:19 . 2011-12-05 13:19 -------- d-----w- c:\program files\TeraCopy
2011-12-05 12:11 . 2011-12-05 12:39 -------- d-----w- c:\users\Boyz\AppData\Roaming\CD Art Display
2011-12-03 13:55 . 2011-12-03 13:56 -------- d-----w- c:\users\Boyz\AppData\Roaming\vlc
2011-12-03 13:55 . 2011-12-03 13:55 -------- d-----w- c:\program files (x86)\VideoLAN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-20 00:38 . 2011-03-01 08:45 90192 ----a-w- c:\windows\system32\drivers\bdfndisf6.sys
2011-12-20 00:38 . 2011-07-15 07:12 258736 ----a-w- c:\windows\system32\drivers\avchv.sys
2011-12-20 00:38 . 2011-09-01 02:15 543528 ----a-w- c:\windows\system32\drivers\avckf.sys
2011-12-10 07:24 . 2011-10-01 02:29 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-06 13:42 . 2009-08-18 04:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2011-12-06 13:41 . 2009-08-18 03:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-12 12:23 . 2011-09-30 01:22 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-22 11:21 . 2011-10-22 11:21 71680 ----a-w- c:\windows\system32\frapsv64.dll
2011-10-22 11:21 . 2011-10-22 11:21 65536 ----a-w- c:\windows\SysWow64\frapsvid.dll
2011-10-19 15:10 . 2011-11-25 16:33 22872 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2011-10-18 11:53 . 2011-11-13 03:49 2957544 ----a-w- c:\windows\system32\drivers\RTKVHD64.sys
2011-10-18 10:10 . 2011-11-13 03:49 99432 ----a-w- c:\windows\system32\RCoInst64.dll
2011-10-18 05:55 . 2011-11-13 03:49 331880 ----a-w- c:\windows\system32\RtlCPAPI64.dll
2011-10-18 05:47 . 2011-11-13 03:49 1914472 ----a-w- c:\windows\system32\RtkApi64.dll
2011-10-18 03:05 . 2011-11-13 03:49 2528872 ----a-w- c:\windows\system32\RtPgEx64.dll
2011-10-17 09:30 . 2011-11-13 03:49 3213928 ----a-w- c:\windows\system32\RtkAPO64.dll
2011-10-15 08:53 . 2011-10-31 05:45 837952 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2011-10-15 08:53 . 2011-10-31 05:45 5067584 ----a-w- c:\windows\system32\nvsvc64.dll
2011-10-15 08:53 . 2011-10-31 05:45 222528 ----a-w- c:\windows\system32\nvmctray.dll
2011-10-15 08:53 . 2011-10-31 05:45 1640768 ----a-w- c:\windows\system32\nvvsvc.exe
2011-10-15 08:53 . 2011-10-31 05:45 137536 ----a-w- c:\windows\system32\nvshext.dll
2011-10-15 08:53 . 2011-10-31 05:45 10406208 ----a-w- c:\windows\system32\nvcpl.dll
2011-10-15 08:53 . 2011-10-31 05:45 8791360 ----a-w- c:\windows\system32\nvwgf2umx.dll
2011-10-15 08:53 . 2011-10-31 05:45 7041856 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2011-10-15 08:53 . 2011-10-31 05:45 68928 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-15 08:53 . 2011-10-31 05:45 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-10-15 08:53 . 2011-10-31 05:45 5578560 ----a-w- c:\windows\SysWow64\nvcuda.dll
2011-10-15 08:53 . 2011-10-31 05:45 2542912 ----a-w- c:\windows\system32\nvcuvid.dll
2011-10-15 08:53 . 2011-10-31 05:45 24742720 ----a-w- c:\windows\system32\nvoglv64.dll
2011-10-15 08:53 . 2011-10-31 05:45 2401088 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2011-10-15 08:53 . 2011-10-31 05:45 2232128 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-10-15 08:53 . 2011-10-31 05:45 2099520 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2011-10-15 08:53 . 2011-10-31 05:45 18871616 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2011-10-15 08:53 . 2011-10-31 05:45 15693120 ----a-w- c:\windows\system32\nvd3dumx.dll
2011-10-15 08:53 . 2011-10-31 05:45 1533248 ----a-w- c:\windows\system32\nvdispco64.dll
2011-10-15 08:53 . 2011-10-31 05:45 1454400 ----a-w- c:\windows\system32\nvgenco64.dll
2011-10-15 08:53 . 2011-10-31 05:45 13205312 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2011-10-15 08:53 . 2011-10-31 05:45 12971840 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-10-15 08:53 . 2011-10-31 05:45 7581504 ----a-w- c:\windows\system32\nvcuda.dll
2011-10-15 08:53 . 2011-10-31 05:45 2808128 ----a-w- c:\windows\system32\nvapi64.dll
2011-10-15 08:53 . 2011-10-31 05:45 24796992 ----a-w- c:\windows\system32\nvcompiler.dll
2011-10-15 08:53 . 2011-10-31 05:45 2458432 ----a-w- c:\windows\SysWow64\nvapi.dll
2011-10-15 08:53 . 2011-10-31 05:45 17248576 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2011-10-14 05:43 . 2011-11-13 03:49 1873920 ----a-w- c:\windows\system32\RCoRes64.dat
2011-10-14 04:05 . 2011-10-14 04:05 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll
2011-10-14 03:48 . 2011-10-14 03:40 419840 ----a-w- c:\windows\system32\wrap_oal.dll
2011-10-14 03:48 . 2011-10-14 03:40 413696 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-10-14 03:48 . 2011-10-14 03:40 133632 ----a-w- c:\windows\system32\OpenAL32.dll
2011-10-14 03:48 . 2011-10-14 03:40 110592 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2011-10-14 01:52 . 2011-10-14 01:29 627600 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-03 03:11 819200 --sha-w- c:\windows\SysWOW64\xvidcore.dll
2010-08-03 03:11 180224 --sha-w- c:\windows\SysWOW64\xvidvfw.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-01_16.34.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2011-09-29 13:33 . 2012-01-01 16:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-09-29 13:33 . 2012-01-02 00:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-09-29 13:33 . 2012-01-02 00:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-09-29 13:33 . 2012-01-01 16:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2011-11-13 3437976]
"Advanced SystemCare 5"="c:\program files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" [2011-12-20 619352]
"Connectify"="c:\program files (x86)\Connectify\Connectify.exe" [2011-12-01 3073864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"49491"="c:\progra~3\LOCALS~1\Temp\3f3667ff006064cc.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver;c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [x]
R2 BstHdDrv;BlueStacks Hypervisor; [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 netr28ux;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28ux.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S1 cnnctfy2;Connectify LightWeight Filter;c:\windows\system32\DRIVERS\cnnctfy2.sys [x]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2011-12-20 494424]
S2 Connectify;Connectify;c:\program files (x86)\Connectify\ConnectifyService.exe [2011-12-01 69632]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe [2011-06-21 341296]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 Realtek11nSU;Realtek11nSU;c:\program files (x86)\REALTEK\Wireless LAN Utility\RtlService.exe [2010-04-16 36864]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-06-01 2337144]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [x]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-03-26 539248]
S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
S3 nvoclk64;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\DRIVERS\nvoclk64.sys [x]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\rtl8187.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-01 c:\windows\Tasks\GlaryInitialize.job
- c:\program files (x86)\Glary Utilities\initialize.exe [2011-09-29 01:50]
.
2012-01-01 c:\windows\Tasks\GlaryOneClickOptimizer.job
- c:\program files (x86)\Glary Utilities\oneclickoptimizer.exe [2011-09-29 01:50]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-05-30 14:50 22408 ----a-w- c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984D045-52CF-49cd-DB77-08F378FEA4DB}"= "c:\program files (x86)\Stardock\ObjectDockPlus2\ODMenu64.dll" [2010-03-24 633200]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SYSTEM32\blank.htm
IE: Download all links with IDM - c:\program files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files (x86)\Internet Download Manager\IEExt.htm
LSP: c:\program files (x86)\VMware\VMware Player\vsocklib.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\37869627F6: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\4505D2C494E4B4: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\94E64796D23547574656E647: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\D45425D4149444: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF}\055747164716E6022424: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Boyz\AppData\Roaming\Mozilla\Firefox\Profiles\cnbl1u32.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: network.proxy.type - 0
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 600000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-474262605-414731850-1316134761-1000_Classes\Wow6432Node\CLSID\{66472b68-1a4b-4535-a472-e8ea5ccd0d57}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000151
"Therad"=dword:00000009
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-474262605-414731850-1316134761-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):2e,00,d1,9d,3a,01,c1,0d,c0,4f,40,86,8d,9f,89,4e,c9,de,31,40,2c,
1a,79,a4,a1,e2,3f,03,03,c8,8f,87,72,4d,ed,42,47,08,2e,20,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\BlueStacks]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-02 08:58:26
ComboFix-quarantined-files.txt 2012-01-02 00:58
ComboFix2.txt 2012-01-02 00:50
ComboFix3.txt 2012-01-01 16:35
ComboFix4.txt 2011-12-20 22:11
ComboFix5.txt 2012-01-02 00:52
.
Pre-Run: 5,425,844,224 bytes free
Post-Run: 5,358,268,416 bytes free
.
- - End Of File - - AC024706CD6443B1665F96D4E5801F55

#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:15 AM

Posted 02 January 2012 - 09:19 AM

That did not go as I had planned. The registry key was not removed.


; Purpose: Remove traces in the registry.
;
; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.
;
; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"49491"=-



; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

On a Vista or Windows 7 operating system, right click the Fix.reg and run as Administrator.

Delete the Fix.reg file when done.

If you get any error message running this fix, please let me know what it is.

Any remaining issues with this computer?
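
As an added illustration of the check behind the fix above (example code, not from this thread or from ComboFix): a small Python helper that parses the "Reg Loading Points" section of a ComboFix log, flags autorun values whose image path points into a Temp directory, and builds the REGEDIT4 stanza that deletes such a value using the same `"name"=-` form as Fix.reg. The sample log lines are constructed from the entries shown earlier in the thread.

```python
"""Parse the 'Reg Loading Points' section of a ComboFix log, flag autorun
values that launch from a Temp directory, and build the REGEDIT4 text that
deletes one such value. Added example; the sample log below is constructed
from the entries shown in the thread."""
import re
from typing import List, NamedTuple


class AutorunEntry(NamedTuple):
    key: str     # registry key the value lives under
    name: str    # value name, e.g. "49491"
    image: str   # path ComboFix printed for the value
    tail: str    # trailing bracketed info, e.g. "2011-11-13 3437976" or "BU"


# Constructed sample: a few keys copied from the ComboFix output in the thread.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2011-11-13 3437976]
"Connectify"="c:\program files (x86)\Connectify\Connectify.exe" [2011-12-01 3073864]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"49491"="c:\progra~3\LOCALS~1\Temp\3f3667ff006064cc.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"""

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
# "name"="image" [optional tail]; DWORD lines such as "EnableLUA"= 0 (0x0) do not match.
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[([^\]]*)\])?\s*$')
# A \Temp\ or \Tmp\ component anywhere in the path, long or 8.3 short form.
TEMP_RE = re.compile(r'\\(temp|tmp)\\', re.IGNORECASE)


def parse_loading_points(text: str) -> List[AutorunEntry]:
    """Walk the REGEDIT4-style listing; each string value belongs to the key above it."""
    entries: List[AutorunEntry] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            name, image, tail = value_match.groups()
            entries.append(AutorunEntry(current_key, name, image, tail or ""))
    return entries


def is_temp_path(image: str) -> bool:
    """True when the autorun image sits under a Temp/Tmp directory."""
    return TEMP_RE.search(image) is not None


def suspicious_entries(entries: List[AutorunEntry]) -> List[AutorunEntry]:
    """Autorun values that start a program out of a temp directory."""
    return [e for e in entries if is_temp_path(e.image)]


def deletion_script(entry: AutorunEntry) -> str:
    """REGEDIT4 text removing one value: `"name"=-` deletes the value, not the key."""
    return 'REGEDIT4\n\n[{key}]\n"{name}"=-\n'.format(key=entry.key, name=entry.name)


if __name__ == "__main__":
    for e in suspicious_entries(parse_loading_points(SAMPLE_LOG)):
        print("suspicious autorun: {} -> {}".format(e.name, e.image))
        print(deletion_script(e))
```

Run against a full ComboFix log, the same parser covers every Run key in the section, and the generated stanza can be compared against the Fix.reg text before it is merged.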

#9 mamazi

mamazi
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:15 AM

Posted 02 January 2012 - 11:09 AM

That did not go as I had planned. The registry key was not removed.


; Purpose: Remove traces in the registry.
;
; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.
;
; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.


REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"49491"=-



; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

On a Vista or Windows 7 operating system, right click the Fix.reg and run as Administrator.

Delete the Fix.reg file when done.

If you get any error message running this fix, please let me know what it is.

Any remaining issues with this computer?


I'm done doing it. How do I check if the problem still occurs?
I'm using WinPatrol to block or disable the startup "49491".
Nope, just this problem I had with my PC now.

Looks like the problem is still there.
Here I post the logs.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:11:20 AM, on 1/3/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Internet Download Manager\idman.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe
C:\Program Files (x86)\Connectify\Connectify.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\Stardock\ObjectDockPlus2\ObjectDock.exe
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Advanced SystemCare 5] "C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" /Manual
O4 - HKCU\..\Run: [Connectify] C:\Program Files (x86)\Connectify\Connectify.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKLM\..\Policies\Explorer\Run: [49491] C:\PROGRA~3\LOCALS~1\Temp\3f3667ff006064cc.exe
O4 - HKUS\S-1-5-21-474262605-414731850-1316134761-1004\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-474262605-414731850-1316134761-1004\..\Run: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-474262605-414731850-1316134761-1004\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-474262605-414731850-1316134761-1004\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files (x86)\Stardock\ObjectDockPlus2\ObjectDock.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - (no file)
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - (no file)
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\vmware\vmware player\vsocklib.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF}: NameServer = 8.8.8.8,8.8.4.4
O23 - Service: Advanced SystemCare Service 5 (AdvancedSystemCareService5) - IObit - C:\Program Files (x86)\IObit\Advanced SystemCare 5\ASCService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Connectify - Unknown owner - C:\Program Files (x86)\Connectify\ConnectifyService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: NitroPDFReaderDriverCreatorReadSpool2 (NitroReaderDriverReadSpool2) - Nitro PDF Software - C:\Program Files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Realtek11nSU - Realtek - C:\Program Files (x86)\REALTEK\Wireless LAN Utility\RtlService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files (x86)\VMware\VMware Player\vmware-ufad.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 7820 bytes

Edited by mamazi, 02 January 2012 - 11:14 AM.
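The "49491" value that nasdaq's Fix.reg targets shows up in both the HijackThis O4 line above and the ComboFix "Reg Loading Points" output, and the same log block also records the UAC policy values. The following is an added example (not code from HijackThis, ComboFix, WinPatrol or BleepingComputer) that parses both log formats, flags autorun entries with the traits that entry shows (Temp-folder image, 8.3 short path, numeric value name, Policies\Explorer\Run key, no "[date size]" stamp) and warns when the policies\system dwords disable UAC; the sample lines are constructed to mirror the thread's logs.

```python
"""Triage autorun entries and UAC policy values from HijackThis (O4) and
ComboFix 'Reg Loading Points' log lines. Added example for this thread,
not code from HijackThis, ComboFix, WinPatrol or BleepingComputer."""
import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on the HijackThis log above (SID shortened).
HJT_SAMPLE = [
    r"O4 - HKLM\..\Run: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe -expressboot",
    r"O4 - HKLM\..\Policies\Explorer\Run: [49491] C:\PROGRA~3\LOCALS~1\Temp\3f3667ff006064cc.exe",
    r"O4 - HKUS\S-1-5-21-0-0-0-1004\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')",
    r"O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files (x86)\Stardock\ObjectDockPlus2\ObjectDock.exe",
]
# Constructed sample lines modelled on the ComboFix 'Reg Loading Points' section.
COMBOFIX_SAMPLE = [
    r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2011-12-29 3462552]',
    ".",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]",
    r'"49491"="c:\progra~3\LOCALS~1\Temp\3f3667ff006064cc.exe" [BU]',
    ".",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]",
    '"ConsentPromptBehaviorAdmin"= 0 (0x0)',
    '"EnableLUA"= 0 (0x0)',
    '"PromptOnSecureDesktop"= 0 (0x0)',
]

@dataclass
class Finding:
    source: str      # "hijackthis" or "combofix"
    location: str    # registry key (ComboFix) or HJT location such as HKLM\..\Run
    name: str        # value name, e.g. "49491"
    command: str     # image path plus arguments
    reasons: list = field(default_factory=list)

TEMP_RE = re.compile(r"(?i)(^|\\)(temp|tmp)\\|%temp%")
SHORT_RE = re.compile(r"~\d+\\")                  # 8.3 names such as PROGRA~3
POLICY_RUN_RE = re.compile(r"(?i)policies\\explorer\\run")
STAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d+")   # ComboFix's "[date size]" stamp

def assess(f):
    """Attach plain-language reasons why an autorun entry deserves a closer look."""
    if TEMP_RE.search(f.command):
        f.reasons.append("image lives in a Temp folder")
    if SHORT_RE.search(f.command):
        f.reasons.append("8.3 short path obscures the real folder names")
    if f.name.isdigit():
        f.reasons.append("value name is just digits")
    if POLICY_RUN_RE.search(f.location):
        f.reasons.append("Policies\\Explorer\\Run key (set by Group Policy, not by installers)")
    return f

HJT_O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")

def parse_hijackthis(lines):
    """Registry-backed O4 entries only; 'O4 - Startup:' folder entries are skipped."""
    return [assess(Finding("hijackthis", m["loc"], m["name"], m["cmd"]))
            for m in map(HJT_O4_RE.match, lines) if m]

CF_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
CF_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"(?: \[(?P<meta>[^\]]*)\])?$')
CF_DWORD_RE = re.compile(r'^"(?P<name>[^"]*)"= (?P<val>\d+) \(0x[0-9a-fA-F]+\)$')

def parse_combofix(lines):
    """Return (autorun findings, dword values under policies\\system)."""
    findings, policy, key = [], {}, ""
    for line in lines:
        if m := CF_KEY_RE.match(line):
            key = m["key"]
        elif (m := CF_VALUE_RE.match(line)) and key.lower().endswith("\\run"):
            f = assess(Finding("combofix", key, m["name"], m["cmd"]))
            meta = m["meta"] or ""
            if not STAMP_RE.fullmatch(meta):  # e.g. [BU] instead of [date size]
                f.reasons.append(f"no '[date size]' stamp for the image (saw '[{meta}]')")
            findings.append(f)
        elif (m := CF_DWORD_RE.match(line)) and key.lower().endswith("\\policies\\system"):
            policy[m["name"]] = int(m["val"])
    return findings, policy

# Values that weaken UAC (Windows 7 defaults are 1, 5 and 1 respectively).
UAC_WEAK = {
    "EnableLUA": (0, "UAC is switched off entirely"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate with no prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts are not on the secure desktop"),
}

def uac_warnings(policy):
    return [msg for name, (bad, msg) in UAC_WEAK.items() if policy.get(name) == bad]

def suspicious(findings):
    return [f for f in findings if f.reasons]

if __name__ == "__main__":
    cf_findings, policy = parse_combofix(COMBOFIX_SAMPLE)
    for f in suspicious(parse_hijackthis(HJT_SAMPLE) + cf_findings):
        print(f"[{f.source}] {f.location} -> [{f.name}] {f.command}")
        for reason in f.reasons:
            print("    -", reason)
    for warning in uac_warnings(policy):
        print("[uac]", warning)
```

Feed it the full log text split into lines; legitimate entries such as WinPatrol and IDMan come back with no reasons, so only entries worth a second look are printed.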


#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,497 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 January 2012 - 03:57 PM

You will have to release it from the hold of WinPatrol, then run my ComboFix script; otherwise it will never be removed from the registry.

#11 mamazi

mamazi
  • Topic Starter

  • Members
  • 10 posts

Posted 03 January 2012 - 12:17 AM

You will have to release it from the hold of WinPatrol, then run my ComboFix script; otherwise it will never be removed from the registry.


OK, I just ran the script, but is this correct?

ComboFix 12-01-02.02 - Boyz 01/03/2012 13:07:22.9.4 - x64
Running from: c:\users\Boyz\Desktop\ComboFix.exe
Command switches used :: c:\users\Boyz\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))
.
.
2012-01-03 05:10 . 2012-01-03 05:10 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-01-03 05:10 . 2012-01-03 05:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-03 05:10 . 2012-01-03 05:10 -------- d-----w- c:\users\Boyz\AppData\Local\temp
2012-01-02 10:38 . 2011-11-20 19:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B328C0F5-4560-4FC2-8819-676DB15F2A95}\mpengine.dll
2012-01-02 09:23 . 2003-02-27 08:12 696320 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2012-01-02 09:23 . 2002-12-05 06:10 155648 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2012-01-02 09:23 . 2002-12-02 07:22 5632 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2012-01-02 09:23 . 2002-12-02 05:33 57344 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2012-01-02 09:23 . 2002-12-02 05:33 237568 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2012-01-02 09:23 . 2012-01-02 09:23 282756 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2012-01-02 09:23 . 2012-01-02 09:23 163972 ----a-w- c:\program files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2011-12-29 17:13 . 2011-07-06 15:14 145008 ----a-w- c:\windows\system32\drivers\idmwfp.sys
2011-12-29 12:04 . 2011-12-29 12:04 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2011-12-29 12:04 . 2011-12-29 12:04 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2011-12-29 12:04 . 2011-12-29 12:04 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2011-12-29 12:04 . 2011-12-29 12:04 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2011-12-29 11:36 . 2011-12-29 11:36 709968 ----a-w- c:\windows\is-4TAEP.exe
2011-12-29 04:24 . 2011-12-29 04:25 -------- d-----w- c:\users\Boyz\AppData\Roaming\SPlayer
2011-12-29 04:24 . 2011-12-29 10:30 -------- d-----w- c:\program files (x86)\SPlayer
2011-12-26 17:38 . 2011-12-26 17:38 -------- d-----w- c:\users\Boyz\AppData\Local\FlatOut Ultimate Carnage
2011-12-25 15:37 . 2011-12-30 18:41 -------- d-----w- c:\program files (x86)\Connectify
2011-12-25 15:37 . 2011-12-25 15:51 -------- d-----w- c:\programdata\Connectify
2011-12-24 15:57 . 2011-11-20 19:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-24 14:44 . 2011-12-24 14:49 -------- d-----w- c:\users\Boyz\AppData\Local\BoH
2011-12-24 10:57 . 2011-12-24 12:06 -------- d-----w- c:\users\Boyz\AppData\Local\NVIDIA Corporation
2011-12-23 15:51 . 2011-12-23 15:50 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4BE4462C-16EF-4390-8960-E0852EB8D39C}\gapaengine.dll
2011-12-23 15:49 . 2011-12-23 15:49 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2011-12-23 15:45 . 2011-12-23 15:45 -------- d-----w- c:\programdata\Kaspersky Lab
2011-12-23 00:53 . 2011-12-23 00:53 -------- d-----w- c:\program files (x86)\ESET
2011-12-22 14:13 . 2011-12-22 14:13 -------- d-----w- c:\users\Boyz\AppData\Roaming\vghd
2011-12-22 14:12 . 2012-01-02 06:14 5 ----a-w- c:\windows\treeskp.sys
2011-12-22 14:12 . 2012-01-02 06:14 5 ----a-w- c:\windows\sbacknt.bin
2011-12-22 11:36 . 2011-12-22 11:36 -------- d-----w- c:\users\Boyz\AppData\Local\vghd
2011-12-21 12:22 . 2011-12-30 05:17 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-21 00:57 . 2011-12-21 00:57 388096 ----a-r- c:\users\Boyz\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-20 22:02 . 2011-12-20 22:02 -------- d-----w- c:\program files\ESET
2011-12-20 12:30 . 2011-04-24 15:13 110992 ----a-w- c:\program files (x86)\Mozilla Firefox\extensions\KavAntiBanner@kaspersky.ru_bak2\components\abhelperxpcom.dll
2011-12-20 12:30 . 2011-04-24 15:13 147856 ----a-w- c:\program files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru_bak2\components\kavlinkfilter.dll
2011-12-20 11:12 . 2011-12-20 13:04 -------- d-----w- c:\users\Boyz\AppData\Roaming\WinPatrol
2011-12-19 21:31 . 2011-12-19 21:31 -------- d-----w- c:\users\Boyz\AppData\Roaming\QuickScan
2011-12-19 21:31 . 2011-12-20 12:49 -------- d-----w- c:\program files\Bitdefender
2011-12-19 21:31 . 2011-12-20 12:46 -------- d-----w- c:\program files\Common Files\Bitdefender
2011-12-19 21:29 . 2011-12-19 21:29 42672 ----a-w- c:\windows\SysWow64\epfwdata.bin
2011-12-19 17:47 . 2011-12-23 15:49 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-16 10:17 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CDF60CD0-0F16-4B38-9F7F-A5743F1E305B}\mpengine.dll
2011-12-16 10:16 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-16 10:16 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-12-16 10:16 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-16 10:16 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-16 10:16 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-16 10:16 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-12 14:06 . 2011-12-12 14:07 -------- d-----w- c:\users\Boyz\AppData\Roaming\Great Little War Game
2011-12-09 13:27 . 2011-12-09 13:29 -------- d-----w- c:\windows\SysWow64\spool
2011-12-05 13:33 . 2011-12-05 13:40 -------- d-----w- c:\users\Boyz\AppData\Local\DuplicateCleaner
2011-12-05 13:19 . 2011-12-05 13:19 -------- d-----w- c:\users\Boyz\AppData\Roaming\TeraCopy
2011-12-05 13:19 . 2011-12-05 13:19 -------- d-----w- c:\program files\TeraCopy
2011-12-05 12:11 . 2011-12-05 12:39 -------- d-----w- c:\users\Boyz\AppData\Roaming\CD Art Display
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-20 00:38 . 2011-03-01 08:45 90192 ----a-w- c:\windows\system32\drivers\bdfndisf6.sys
2011-12-20 00:38 . 2011-07-15 07:12 258736 ----a-w- c:\windows\system32\drivers\avchv.sys
2011-12-20 00:38 . 2011-09-01 02:15 543528 ----a-w- c:\windows\system32\drivers\avckf.sys
2011-12-10 07:24 . 2011-10-01 02:29 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-06 13:42 . 2009-08-18 04:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2011-12-06 13:41 . 2009-08-18 03:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-11-12 12:23 . 2011-09-30 01:22 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-22 11:21 . 2011-10-22 11:21 71680 ----a-w- c:\windows\system32\frapsv64.dll
2011-10-22 11:21 . 2011-10-22 11:21 65536 ----a-w- c:\windows\SysWow64\frapsvid.dll
2011-10-19 15:10 . 2011-11-25 16:33 22872 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2011-10-18 11:53 . 2011-11-13 03:49 2957544 ----a-w- c:\windows\system32\drivers\RTKVHD64.sys
2011-10-18 10:10 . 2011-11-13 03:49 99432 ----a-w- c:\windows\system32\RCoInst64.dll
2011-10-18 05:55 . 2011-11-13 03:49 331880 ----a-w- c:\windows\system32\RtlCPAPI64.dll
2011-10-18 05:47 . 2011-11-13 03:49 1914472 ----a-w- c:\windows\system32\RtkApi64.dll
2011-10-18 03:05 . 2011-11-13 03:49 2528872 ----a-w- c:\windows\system32\RtPgEx64.dll
2011-10-17 09:30 . 2011-11-13 03:49 3213928 ----a-w- c:\windows\system32\RtkAPO64.dll
2011-10-15 08:53 . 2011-10-31 05:45 837952 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2011-10-15 08:53 . 2011-10-31 05:45 5067584 ----a-w- c:\windows\system32\nvsvc64.dll
2011-10-15 08:53 . 2011-10-31 05:45 222528 ----a-w- c:\windows\system32\nvmctray.dll
2011-10-15 08:53 . 2011-10-31 05:45 1640768 ----a-w- c:\windows\system32\nvvsvc.exe
2011-10-15 08:53 . 2011-10-31 05:45 137536 ----a-w- c:\windows\system32\nvshext.dll
2011-10-15 08:53 . 2011-10-31 05:45 10406208 ----a-w- c:\windows\system32\nvcpl.dll
2011-10-15 08:53 . 2011-10-31 05:45 8791360 ----a-w- c:\windows\system32\nvwgf2umx.dll
2011-10-15 08:53 . 2011-10-31 05:45 7041856 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2011-10-15 08:53 . 2011-10-31 05:45 68928 ----a-w- c:\windows\system32\OpenCL.dll
2011-10-15 08:53 . 2011-10-31 05:45 61248 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-10-15 08:53 . 2011-10-31 05:45 5578560 ----a-w- c:\windows\SysWow64\nvcuda.dll
2011-10-15 08:53 . 2011-10-31 05:45 2542912 ----a-w- c:\windows\system32\nvcuvid.dll
2011-10-15 08:53 . 2011-10-31 05:45 24742720 ----a-w- c:\windows\system32\nvoglv64.dll
2011-10-15 08:53 . 2011-10-31 05:45 2401088 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2011-10-15 08:53 . 2011-10-31 05:45 2232128 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-10-15 08:53 . 2011-10-31 05:45 2099520 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2011-10-15 08:53 . 2011-10-31 05:45 18871616 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2011-10-15 08:53 . 2011-10-31 05:45 15693120 ----a-w- c:\windows\system32\nvd3dumx.dll
2011-10-15 08:53 . 2011-10-31 05:45 1533248 ----a-w- c:\windows\system32\nvdispco64.dll
2011-10-15 08:53 . 2011-10-31 05:45 1454400 ----a-w- c:\windows\system32\nvgenco64.dll
2011-10-15 08:53 . 2011-10-31 05:45 13205312 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2011-10-15 08:53 . 2011-10-31 05:45 12971840 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-10-15 08:53 . 2011-10-31 05:45 7581504 ----a-w- c:\windows\system32\nvcuda.dll
2011-10-15 08:53 . 2011-10-31 05:45 2808128 ----a-w- c:\windows\system32\nvapi64.dll
2011-10-15 08:53 . 2011-10-31 05:45 24796992 ----a-w- c:\windows\system32\nvcompiler.dll
2011-10-15 08:53 . 2011-10-31 05:45 2458432 ----a-w- c:\windows\SysWow64\nvapi.dll
2011-10-15 08:53 . 2011-10-31 05:45 17248576 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2011-10-14 05:43 . 2011-11-13 03:49 1873920 ----a-w- c:\windows\system32\RCoRes64.dat
2011-10-14 04:05 . 2011-10-14 04:05 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll
2011-10-14 03:48 . 2011-10-14 03:40 419840 ----a-w- c:\windows\system32\wrap_oal.dll
2011-10-14 03:48 . 2011-10-14 03:40 413696 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-10-14 03:48 . 2011-10-14 03:40 133632 ----a-w- c:\windows\system32\OpenAL32.dll
2011-10-14 03:48 . 2011-10-14 03:40 110592 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2011-10-14 01:52 . 2011-10-14 01:29 627600 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-03 03:11 819200 --sha-w- c:\windows\SysWOW64\xvidcore.dll
2010-08-03 03:11 180224 --sha-w- c:\windows\SysWOW64\xvidvfw.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-01_16.34.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-01-01 11:47 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-03 00:15 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-03 00:15 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-01 11:47 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-01 11:47 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-03 00:15 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-21 03:09 . 2012-01-03 00:17 41504 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-03 00:17 35808 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-09-29 03:24 . 2012-01-03 00:17 13048 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-474262605-414731850-1316134761-1000_UserData.bin
+ 2009-07-14 04:46 . 2012-01-02 02:38 83488 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2011-09-29 13:33 . 2012-01-03 04:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-09-29 13:33 . 2012-01-01 16:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-09-29 13:33 . 2012-01-03 04:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-09-29 13:33 . 2012-01-01 16:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-01-01 11:47 . 2012-01-01 11:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-03 00:15 . 2012-01-03 00:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-01-01 11:47 . 2012-01-01 11:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-03 00:15 . 2012-01-03 00:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:01 . 2012-01-01 09:43 230616 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-01-02 17:33 230616 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-09-29 17:19 . 2012-01-02 17:33 64586736 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-474262605-414731850-1316134761-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2011-12-29 3462552]
"Advanced SystemCare 5"="c:\program files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" [2011-12-20 619352]
"Connectify"="c:\program files (x86)\Connectify\Connectify.exe" [2011-12-01 3073864]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"49491"="c:\progra~3\LOCALS~1\Temp\3f3667ff006064cc.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver;c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [x]
R2 BstHdDrv;BlueStacks Hypervisor; [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 Connectify;Connectify;c:\program files (x86)\Connectify\ConnectifyService.exe [2011-12-01 69632]
R2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 dump_wmimmc;dump_wmimmc;f:\gamez\sudden\GameGuard\dump_wmimmc.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 netr28ux;RT2870 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr28ux.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S1 cnnctfy2;Connectify LightWeight Filter;c:\windows\system32\DRIVERS\cnnctfy2.sys [x]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2011-12-20 494424]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe [2011-06-21 341296]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 Realtek11nSU;Realtek11nSU;c:\program files (x86)\REALTEK\Wireless LAN Utility\RtlService.exe [2010-04-16 36864]
S2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-06-01 2337144]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [x]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-03-26 539248]
S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 nvoclk64;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\DRIVERS\nvoclk64.sys [x]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\rtl8187.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-03 c:\windows\Tasks\GlaryInitialize.job
- c:\program files (x86)\Glary Utilities\initialize.exe [2011-09-29 01:50]
.
2012-01-01 c:\windows\Tasks\GlaryOneClickOptimizer.job
- c:\program files (x86)\Glary Utilities\oneclickoptimizer.exe [2011-09-29 01:50]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-05-30 16:50 22408 ----a-w- c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984D045-52CF-49cd-DB77-08F378FEA4DB}"= "c:\program files (x86)\Stardock\ObjectDockPlus2\ODMenu64.dll" [2010-03-24 633200]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SYSTEM32\blank.htm
IE: Download all links with IDM - c:\program files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files (x86)\Internet Download Manager\IEExt.htm
LSP: c:\program files (x86)\VMware\VMware Player\vsocklib.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\37869627F6: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\4505D2C494E4B4: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\94E64796D23547574656E647: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{8C4B0317-C2D5-4CB4-8211-60732C5F30D3}\D45425D4149444: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{A62769EE-B53A-49B0-94AE-BC8C5196A5DF}\055747164716E6022424: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Boyz\AppData\Roaming\Mozilla\Firefox\Profiles\cnbl1u32.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: network.proxy.type - 0
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 600000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-WinPatrol - c:\program files (x86)\BillP Studios\WinPatrol\winpatrol.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-474262605-414731850-1316134761-1000_Classes\Wow6432Node\CLSID\{66472b68-1a4b-4535-a472-e8ea5ccd0d57}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000151
"Therad"=dword:00000009
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-474262605-414731850-1316134761-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):2e,00,d1,9d,3a,01,c1,0d,c0,4f,40,86,8d,9f,89,4e,c9,de,31,40,2c,
1a,79,a4,a1,e2,3f,03,03,c8,8f,87,72,4d,ed,42,47,08,2e,20,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\BlueStacks]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-03 13:11:29
ComboFix-quarantined-files.txt 2012-01-03 05:11
ComboFix2.txt 2012-01-03 04:58
ComboFix3.txt 2012-01-03 04:42
ComboFix4.txt 2012-01-02 00:58
ComboFix5.txt 2012-01-03 05:06
.
Pre-Run: 61,432,672,256 bytes free
Post-Run: 61,368,246,272 bytes free
.
- - End Of File - - D4A1513013E160046626497DBBFC0F03



I tried with the regfix just like you said before, still no luck.
Using ComboFix as administrator, still no luck.
I guess these reg entries are really hard to remove.
Can I try this in safe mode?

#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,497 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:15 AM

Posted 03 January 2012 - 09:54 AM

Try this: click the Start button, type REGEDIT.EXE in the box and click OK.

Navigate to this key.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

Highlight this key and hit the DEL key.
"49491"="c:\progra~3\LOCALS~1\Temp\3f3667ff006064cc.exe" [BU]

In the File menu, save the registry if the option is available.

P.S. Make sure that you have the correct item highlighted before pressing DEL on the key.

#13 mamazi

mamazi
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 04 January 2012 - 05:19 AM

Try this: click the Start button, type REGEDIT.EXE in the box and click OK.

Navigate to this key.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

Highlight this key and hit the DEL key.
"49491"="c:\progra~3\LOCALS~1\Temp\3f3667ff006064cc.exe" [BU]

In the File menu, save the registry if the option is available.

P.S. Make sure that you have the correct item highlighted before pressing DEL on the key.


Still can't be removed, as you can see in the pics I attached below.
Please help, how do I get rid of this?
Safe mode also won't work.
Running as administrator.

Attached File: reg.jpg (95.66KB)
Attached File: reg2.jpg (105.84KB)

Edited by mamazi, 04 January 2012 - 05:20 AM.


#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,497 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:15 AM

Posted 04 January 2012 - 11:27 AM

Did you have this Run key highlighted when you pressed the DEL key?
HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run

Highlight the 49491 sub key and press DEL.

Since the file is no longer on the computer, this key is not doing anything bad.
We can let it go.

How is the computer performing?
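
The procedure in posts #12 and #14 (open regedit, go to the Policies\Explorer\Run key, delete the value that points at the quarantined file, and decide whether a leftover value still matters once its target is gone) can also be done from a script, which avoids deleting the wrong highlighted item. The PowerShell below is an added example and is not part of the original thread or of any tool used in it; the list of keys it checks, the -Remove switch and the helper name Get-RunTarget are this example's own choices. It lists every value under the Explorer policy Run keys for HKLM and HKCU, checks whether the executable each value launches still exists on disk, and with -Remove deletes only the entries whose target is missing (the state described in post #14).

```powershell
# Added example, not from the original thread. Audits the Explorer policy Run keys and
# optionally removes entries whose executable no longer exists on disk.
# Run from an elevated PowerShell prompt. Review the output first, then re-run with -Remove.
param(
    [switch]$Remove
)

# Assumption: these two locations are the ones worth auditing for this kind of entry.
# The "49491" value in the thread lives under the HKLM one.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-RunTarget {
    param([string]$Command)
    # Reduce a Run value ("c:\path\x.exe" /arg or c:\path\x.exe) to the executable path only.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $exe = ($cmd -split '\s+')[0]
    # Expand %VAR% references; 8.3 short names such as progra~3 resolve on their own.
    return [Environment]::ExpandEnvironmentVariables($exe)
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip PSPath, PSParentPath and the other provider metadata properties.
        if ($p.Name -like 'PS*') { continue }
        $target = Get-RunTarget ([string]$p.Value)
        $exists = Test-Path -LiteralPath $target
        # Emit one row per autorun entry so the caller can review before deleting anything.
        [pscustomobject]@{
            Key          = $key
            Name         = $p.Name
            Command      = $p.Value
            TargetExists = $exists
        }
        if ($Remove -and -not $exists) {
            # Dangling autorun: the executable was already quarantined, only the reference remains.
            Remove-ItemProperty -Path $key -Name $p.Name -ErrorAction Stop
            Write-Host "Removed '$($p.Name)' from $key"
        }
    }
}
```

Run it once without -Remove to see the table, and only then with -Remove. If Remove-ItemProperty fails with access denied even from an elevated prompt, inspect the key's permissions with Get-Acl on the registry path; an altered ACL on the key is one possible reason a value cannot be deleted in regedit, and the ComboFix log above shows such locked keys elsewhere in this registry, though the thread does not establish that this is what happened to the Run key here.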

#15 mamazi

mamazi
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:15 AM

Posted 05 January 2012 - 12:56 AM

Did you have this Run key highlighted when you pressed the DEL key?
HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run

Highlight the 49491 sub key and press DEL.

Since the file is no longer on the computer, this key is not doing anything bad.
We can let it go.

How is the computer performing?


Yes, I did highlight the key, then pressed DEL.
Well, my CPU usage is back to normal, no high usage like before, so I guess the problem is solved.
Just leave the key, right? No need to delete it?
Thanks.



