
HijackThis Log: Please help Diagnose


  • This topic is locked
12 replies to this topic

#1 loggier

Posted 15 April 2012 - 09:48 AM

Here's the log, hope to get some help, thanks in advance!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:28:09 PM, on 15-Apr-12
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\Symantec AntiVirus\VPTray.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\user\Downloads\HijackThis(1).exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Niooiee@Mail.Ru - {8984B388-A5BB-4DF7-B274-77B879E179DB} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5.1\Plugins\IEPlugin\contributeieplugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~2\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files%20(x86)/Bejeweled%203/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files%20(x86)/Bejeweled%203/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O21 - SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
O22 - SharedTaskScheduler: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\Windows\system32\ibmpmsvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Performance Driver Service - Unknown owner - C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Program Files\OO Software\Defrag\oodag.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Program Files\Tablet\Pen\Pen_Tablet.exe
O23 - Service: Wacom Consumer Touch Service (TouchServicePen) - Wacom Technology, Corp. - C:\Program Files\Tablet\Pen\Pen_TouchService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.21\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.5.16\bin\mysqld.exe
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)
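A small triage helper for the log format above, added here as an example and not part of the thread or of HijackThis itself: it parses the `Oxx - ` entries, flags hooks whose file is gone (such as the O2 BHO reported as `(no file)`), and separates out O23 `(file missing)` services under \Windows\system32, which 32-bit HijackThis reports on a 64-bit host because WOW64 file-system redirection sends it to SysWOW64. The flag names and the 64-bit heuristic are this example's own assumptions, and the sample lines are constructed from the shapes in the posted log.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.4 log format; the line shapes are
# copied from the log posted in this thread.
SAMPLE_LOG = r"""
Platform: Windows 7 SP1 (WinNT 6.00.3505)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Niooiee@Mail.Ru - {8984B388-A5BB-4DF7-B274-77B879E179DB} - (no file)
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)

# Flag names are this example's own vocabulary (hypothetical), not HijackThis output.
PRESENT = "present"            # the file the entry points at is there
MISSING = "missing_target"     # registry/COM hook survives but its file is gone
VERIFY_WOW64 = "verify_wow64"  # "(file missing)" that 32-bit HJT on x64 reports for real system32 files


@dataclass
class Entry:
    code: str    # HijackThis section code, e.g. O2, O4, O23
    body: str    # everything after "Oxx - "
    clsid: str   # first {GUID} on the line, or "" if none
    flag: str


def host_looks_64bit(text: str) -> bool:
    """Heuristic (an assumption of this example): a WOW64 folder or a
    'Program Files (x86)' path anywhere in the log means a 64-bit host."""
    return "SysWOW64" in text or "Program Files (x86)" in text


def classify(code: str, body: str, is_64bit: bool) -> str:
    if "(no file)" in body:
        return MISSING
    if "(file missing)" in body:
        # 32-bit HijackThis is redirected to SysWOW64 when it looks in
        # \Windows\system32, so a native 64-bit service binary that really is
        # there appears "missing". Confirm those with a 64-bit-aware tool.
        if is_64bit and code == "O23" and SYSTEM32_RE.search(body):
            return VERIFY_WOW64
        return MISSING
    return PRESENT


def triage(log_text: str) -> list[Entry]:
    is_64bit = host_looks_64bit(log_text)
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        code, body = m.group("code"), m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(Entry(code, body, clsid.group(0) if clsid else "",
                             classify(code, body, is_64bit)))
    return entries


def summarize(entries: list[Entry]) -> dict[str, int]:
    return dict(Counter(e.flag for e in entries))


def needs_attention(entries: list[Entry]) -> list[Entry]:
    """Entries a reviewer should look at first: hooks whose file is gone."""
    return [e for e in entries if e.flag == MISSING]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        print(f"{e.flag:14} {e.code:4} {e.body[:70]}")
    print(summarize(found))
```

A surviving registry or COM hook with no file behind it is a leftover to clean up; a `verify_wow64` entry is only a reason to re-check with a tool that is not subject to redirection, such as the 64-bit-aware scanners requested later in this thread.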


#2 CatByte
  • Malware Response Team

Posted 15 April 2012 - 03:39 PM

Hi,

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under “Additional options”, put a check mark in the box next to “Detect TDLFS File System” (If found - select delete)
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT


  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool.
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan

  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 loggier
  • Topic Starter

Posted 16 April 2012 - 01:09 AM

TDSSKiller log
--------------

14:57:10.0791 4944 TDSS rootkit removing tool 2.7.28.0 Apr 10 2012 16:54:05
14:57:11.0509 4944 ============================================================
14:57:11.0509 4944 Current date / time: 2012/04/16 14:57:11.0509
14:57:11.0509 4944 SystemInfo:
14:57:11.0509 4944
14:57:11.0509 4944 OS Version: 6.1.7601 ServicePack: 1.0
14:57:11.0509 4944 Product type: Workstation
14:57:11.0509 4944 ComputerName: XXXX-XX
14:57:11.0509 4944 UserName: XXXX
14:57:11.0509 4944 Windows directory: C:\Windows
14:57:11.0509 4944 System windows directory: C:\Windows
14:57:11.0509 4944 Running under WOW64
14:57:11.0509 4944 Processor architecture: Intel x64
14:57:11.0509 4944 Number of processors: 2
14:57:11.0509 4944 Page size: 0x1000
14:57:11.0509 4944 Boot type: Normal boot
14:57:11.0509 4944 ============================================================
14:57:13.0740 4944 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xFC59, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000040
14:57:14.0114 4944 Drive \Device\Harddisk1\DR1 - Size: 0xAE7EE00000 (697.98 Gb), SectorSize: 0x200, Cylinders: 0x163EB, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
14:57:14.0130 4944 \Device\Harddisk0\DR0:
14:57:14.0161 4944 MBR used
14:57:14.0161 4944 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
14:57:14.0161 4944 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x3A353000
14:57:14.0161 4944 \Device\Harddisk1\DR1:
14:57:14.0161 4944 MBR used
14:57:14.0161 4944 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x573F6FC0
14:57:14.0535 4944 Initialize success
14:57:14.0535 4944 ============================================================
14:57:56.0546 4172 ============================================================
14:57:56.0546 4172 Scan started
14:57:56.0546 4172 Mode: Manual; TDLFS;
14:57:56.0546 4172 ============================================================
14:57:58.0995 4172 !SASCORE - ok
14:57:59.0073 4172 1394ohci - ok
14:57:59.0105 4172 ACPI - ok
14:57:59.0120 4172 AcpiPmi - ok
14:57:59.0198 4172 ADIHdAudAddService - ok
14:57:59.0229 4172 adp94xx - ok
14:57:59.0229 4172 adpahci - ok
14:57:59.0245 4172 adpu320 - ok
14:57:59.0245 4172 AEADIFilters - ok
14:57:59.0261 4172 AeLookupSvc - ok
14:57:59.0276 4172 AFD - ok
14:57:59.0276 4172 agp440 - ok
14:57:59.0276 4172 ALG - ok
14:57:59.0292 4172 aliide - ok
14:57:59.0292 4172 amdide - ok
14:57:59.0292 4172 AmdK8 - ok
14:57:59.0307 4172 AmdPPM - ok
14:57:59.0307 4172 amdsata - ok
14:57:59.0323 4172 amdsbs - ok
14:57:59.0339 4172 amdxata - ok
14:57:59.0354 4172 AppID - ok
14:57:59.0354 4172 AppIDSvc - ok
14:57:59.0370 4172 Appinfo - ok
14:57:59.0448 4172 Apple Mobile Device - ok
14:57:59.0448 4172 AppMgmt - ok
14:57:59.0448 4172 arc - ok
14:57:59.0448 4172 arcsas - ok
14:57:59.0463 4172 aspnet_state - ok
14:57:59.0479 4172 AsyncMac - ok
14:57:59.0479 4172 atapi - ok
14:57:59.0495 4172 AudioEndpointBuilder - ok
14:57:59.0495 4172 AudioSrv - ok
14:57:59.0526 4172 AxInstSV - ok
14:57:59.0541 4172 b06bdrv - ok
14:57:59.0557 4172 b57nd60a - ok
14:57:59.0619 4172 BDESVC - ok
14:57:59.0651 4172 Beep - ok
14:57:59.0682 4172 BFE - ok
14:57:59.0682 4172 BITS - ok
14:57:59.0697 4172 blbdrive - ok
14:57:59.0729 4172 Bonjour Service - ok
14:57:59.0729 4172 bowser - ok
14:57:59.0729 4172 BrFiltLo - ok
14:57:59.0729 4172 BrFiltUp - ok
14:57:59.0744 4172 BridgeMP - ok
14:57:59.0744 4172 Browser - ok
14:57:59.0760 4172 Brserid - ok
14:57:59.0760 4172 BrSerWdm - ok
14:57:59.0760 4172 BrUsbMdm - ok
14:57:59.0775 4172 BrUsbSer - ok
14:57:59.0775 4172 BTHMODEM - ok
14:57:59.0775 4172 bthserv - ok
14:57:59.0869 4172 catchme - ok
14:57:59.0885 4172 CAXHWAZL - ok
14:57:59.0900 4172 cbfs3 - ok
14:57:59.0916 4172 ccEvtMgr - ok
14:57:59.0916 4172 ccSetMgr - ok
14:57:59.0931 4172 cdfs - ok
14:57:59.0963 4172 cdrom - ok
14:57:59.0978 4172 CertPropSvc - ok
14:57:59.0978 4172 circlass - ok
14:58:00.0009 4172 CLFS - ok
14:58:00.0009 4172 clr_optimization_v2.0.50727_32 - ok
14:58:00.0009 4172 clr_optimization_v2.0.50727_64 - ok
14:58:00.0025 4172 clr_optimization_v4.0.30319_32 - ok
14:58:00.0025 4172 clr_optimization_v4.0.30319_64 - ok
14:58:00.0041 4172 CmBatt - ok
14:58:00.0056 4172 cmdide - ok
14:58:00.0056 4172 CNG - ok
14:58:00.0072 4172 Compbatt - ok
14:58:00.0087 4172 CompositeBus - ok
14:58:00.0087 4172 COMSysApp - ok
14:58:00.0087 4172 crcdisk - ok
14:58:00.0087 4172 CryptSvc - ok
14:58:00.0103 4172 CSC - ok
14:58:00.0103 4172 CscService - ok
14:58:00.0103 4172 DcomLaunch - ok
14:58:00.0103 4172 defragsvc - ok
14:58:00.0150 4172 DefWatch - ok
14:58:00.0181 4172 DfsC - ok
14:58:00.0197 4172 Dhcp - ok
14:58:00.0197 4172 discache - ok
14:58:00.0212 4172 Disk - ok
14:58:00.0212 4172 dmvsc - ok
14:58:00.0212 4172 Dnscache - ok
14:58:00.0228 4172 dot3svc - ok
14:58:00.0228 4172 DPS - ok
14:58:00.0243 4172 drmkaud - ok
14:58:00.0243 4172 DXGKrnl - ok
14:58:00.0259 4172 e1express - ok
14:58:00.0275 4172 EapHost - ok
14:58:00.0275 4172 ebdrv - ok
14:58:00.0290 4172 eeCtrl - ok
14:58:00.0290 4172 EFS - ok
14:58:00.0290 4172 ehRecvr - ok
14:58:00.0290 4172 ehSched - ok
14:58:00.0321 4172 elxstor - ok
14:58:00.0353 4172 EraserUtilRebootDrv - ok
14:58:00.0368 4172 ErrDev - ok
14:58:00.0384 4172 EventSystem - ok
14:58:00.0384 4172 exfat - ok
14:58:00.0399 4172 fastfat - ok
14:58:00.0415 4172 Fax - ok
14:58:00.0415 4172 fdc - ok
14:58:00.0415 4172 fdPHost - ok
14:58:00.0415 4172 FDResPub - ok
14:58:00.0431 4172 FileInfo - ok
14:58:00.0431 4172 Filetrace - ok
14:58:00.0431 4172 flpydisk - ok
14:58:00.0431 4172 FltMgr - ok
14:58:00.0446 4172 FontCache - ok
14:58:00.0446 4172 FontCache3.0.0.0 - ok
14:58:00.0446 4172 FsDepends - ok
14:58:00.0446 4172 Fs_Rec - ok
14:58:00.0462 4172 fvevol - ok
14:58:00.0477 4172 gagp30kx - ok
14:58:00.0477 4172 GEARAspiWDM - ok
14:58:00.0477 4172 gpsvc - ok
14:58:00.0509 4172 gupdate - ok
14:58:00.0540 4172 gupdatem - ok
14:58:00.0555 4172 hcw85cir - ok
14:58:00.0571 4172 HdAudAddService - ok
14:58:00.0587 4172 HDAudBus - ok
14:58:00.0587 4172 HidBatt - ok
14:58:00.0587 4172 HidBth - ok
14:58:00.0602 4172 HidIr - ok
14:58:00.0602 4172 hidserv - ok
14:58:00.0618 4172 HidUsb - ok
14:58:00.0618 4172 hkmsvc - ok
14:58:00.0618 4172 HomeGroupListener - ok
14:58:00.0633 4172 HomeGroupProvider - ok
14:58:00.0711 4172 HpSAMD - ok
14:58:00.0711 4172 HSF_DPV - ok
14:58:00.0711 4172 HTTP - ok
14:58:00.0711 4172 hwpolicy - ok
14:58:00.0727 4172 i8042prt - ok
14:58:00.0743 4172 iaStorV - ok
14:58:00.0743 4172 IBMPMDRV - ok
14:58:00.0758 4172 IBMPMSVC - ok
14:58:00.0758 4172 idsvc - ok
14:58:00.0774 4172 iirsp - ok
14:58:00.0774 4172 IKEEXT - ok
14:58:00.0774 4172 intelide - ok
14:58:00.0789 4172 intelppm - ok
14:58:00.0789 4172 IPBusEnum - ok
14:58:00.0789 4172 IpFilterDriver - ok
14:58:00.0789 4172 iphlpsvc - ok
14:58:00.0805 4172 IPMIDRV - ok
14:58:00.0805 4172 IPNAT - ok
14:58:00.0805 4172 iPod Service - ok
14:58:00.0821 4172 IRENUM - ok
14:58:00.0821 4172 isapnp - ok
14:58:00.0821 4172 iScsiPrt - ok
14:58:00.0852 4172 JungleDiskService - ok
14:58:00.0867 4172 kbdclass - ok
14:58:00.0867 4172 kbdhid - ok
14:58:00.0899 4172 KeyIso - ok
14:58:00.0899 4172 KSecDD - ok
14:58:00.0899 4172 KSecPkg - ok
14:58:00.0899 4172 ksthunk - ok
14:58:00.0914 4172 KtmRm - ok
14:58:00.0930 4172 LanmanServer - ok
14:58:00.0945 4172 LanmanWorkstation - ok
14:58:01.0055 4172 Lavasoft Ad-Aware Service - ok
14:58:01.0133 4172 Lavasoft Kernexplorer - ok
14:58:01.0273 4172 Lbd - ok
14:58:01.0289 4172 LiveUpdate - ok
14:58:01.0320 4172 lltdio - ok
14:58:01.0320 4172 lltdsvc - ok
14:58:01.0335 4172 lmhosts - ok
14:58:01.0367 4172 LSI_FC - ok
14:58:01.0367 4172 LSI_SAS - ok
14:58:01.0367 4172 LSI_SAS2 - ok
14:58:01.0398 4172 LSI_SCSI - ok
14:58:01.0398 4172 luafv - ok
14:58:01.0413 4172 mcdbus - ok
14:58:01.0413 4172 Mcx2Svc - ok
14:58:01.0429 4172 mdmxsdk - ok
14:58:01.0429 4172 megasas - ok
14:58:01.0429 4172 MegaSR - ok
14:58:01.0445 4172 Microsoft SharePoint Workspace Audit Service - ok
14:58:01.0460 4172 MMCSS - ok
14:58:01.0460 4172 Modem - ok
14:58:01.0460 4172 monitor - ok
14:58:01.0476 4172 mouclass - ok
14:58:01.0507 4172 mouhid - ok
14:58:01.0523 4172 mountmgr - ok
14:58:01.0523 4172 mpio - ok
14:58:01.0538 4172 mpsdrv - ok
14:58:01.0538 4172 MpsSvc - ok
14:58:01.0538 4172 MRxDAV - ok
14:58:01.0538 4172 mrxsmb - ok
14:58:01.0554 4172 mrxsmb10 - ok
14:58:01.0554 4172 mrxsmb20 - ok
14:58:01.0554 4172 msahci - ok
14:58:01.0554 4172 msdsm - ok
14:58:01.0569 4172 MSDTC - ok
14:58:01.0569 4172 Msfs - ok
14:58:01.0663 4172 mshidkmdf - ok
14:58:01.0679 4172 msisadrv - ok
14:58:01.0679 4172 MSiSCSI - ok
14:58:01.0694 4172 msiserver - ok
14:58:01.0710 4172 MSKSSRV - ok
14:58:01.0710 4172 MSPCLOCK - ok
14:58:01.0710 4172 MSPQM - ok
14:58:01.0710 4172 MsRPC - ok
14:58:01.0725 4172 mssmbios - ok
14:58:01.0725 4172 MSTEE - ok
14:58:01.0725 4172 MTConfig - ok
14:58:01.0741 4172 Mup - ok
14:58:01.0741 4172 napagent - ok
14:58:01.0772 4172 NativeWifiP - ok
14:58:01.0772 4172 NAVENG - ok
14:58:01.0819 4172 NAVEX15 - ok
14:58:01.0819 4172 NDIS - ok
14:58:01.0819 4172 NdisCap - ok
14:58:01.0835 4172 NdisTapi - ok
14:58:01.0835 4172 Ndisuio - ok
14:58:01.0850 4172 NdisWan - ok
14:58:01.0850 4172 NDProxy - ok
14:58:01.0850 4172 NetBIOS - ok
14:58:01.0850 4172 NetBT - ok
14:58:01.0881 4172 Netlogon - ok
14:58:01.0881 4172 Netman - ok
14:58:01.0897 4172 NetMsmqActivator - ok
14:58:01.0897 4172 NetPipeActivator - ok
14:58:01.0897 4172 netprofm - ok
14:58:01.0897 4172 NetTcpActivator - ok
14:58:01.0913 4172 NetTcpPortSharing - ok
14:58:01.0928 4172 netw5v64 - ok
14:58:01.0944 4172 nfrd960 - ok
14:58:01.0944 4172 NlaSvc - ok
14:58:01.0975 4172 NPF - ok
14:58:01.0975 4172 Npfs - ok
14:58:02.0006 4172 npggsvc - ok
14:58:02.0006 4172 nsi - ok
14:58:02.0006 4172 nsiproxy - ok
14:58:02.0006 4172 Ntfs - ok
14:58:02.0022 4172 Null - ok
14:58:02.0037 4172 NVIDIA Performance Driver Service - ok
14:58:02.0037 4172 nvlddmkm - ok
14:58:02.0053 4172 nvraid - ok
14:58:02.0053 4172 nvstor - ok
14:58:02.0084 4172 nvsvc - ok
14:58:02.0100 4172 nv_agp - ok
14:58:02.0100 4172 O&O Defrag - ok
14:58:02.0115 4172 ohci1394 - ok
14:58:02.0131 4172 ose64 - ok
14:58:02.0131 4172 osppsvc - ok
14:58:02.0147 4172 p2pimsvc - ok
14:58:02.0147 4172 p2psvc - ok
14:58:02.0147 4172 Parport - ok
14:58:02.0147 4172 partmgr - ok
14:58:02.0162 4172 PcaSvc - ok
14:58:02.0162 4172 pci - ok
14:58:02.0162 4172 pciide - ok
14:58:02.0162 4172 pcmcia - ok
14:58:02.0178 4172 pcw - ok
14:58:02.0178 4172 PEAUTH - ok
14:58:02.0178 4172 PeerDistSvc - ok
14:58:02.0178 4172 PerfHost - ok
14:58:02.0240 4172 PID_PEPI - ok
14:58:02.0240 4172 pla - ok
14:58:02.0256 4172 PlugPlay - ok
14:58:02.0256 4172 PNRPAutoReg - ok
14:58:02.0256 4172 PNRPsvc - ok
14:58:02.0256 4172 PolicyAgent - ok
14:58:02.0271 4172 Power - ok
14:58:02.0349 4172 PptpMiniport - ok
14:58:02.0349 4172 Processor - ok
14:58:02.0349 4172 ProfSvc - ok
14:58:02.0365 4172 ProtectedStorage - ok
14:58:02.0381 4172 Psched - ok
14:58:02.0381 4172 PxHlpa64 - ok
14:58:02.0396 4172 ql2300 - ok
14:58:02.0396 4172 ql40xx - ok
14:58:02.0412 4172 QWAVE - ok
14:58:02.0412 4172 QWAVEdrv - ok
14:58:02.0412 4172 RasAcd - ok
14:58:02.0412 4172 RasAgileVpn - ok
14:58:02.0427 4172 RasAuto - ok
14:58:02.0427 4172 Rasl2tp - ok
14:58:02.0427 4172 RasMan - ok
14:58:02.0427 4172 RasPppoe - ok
14:58:02.0443 4172 RasSstp - ok
14:58:02.0443 4172 rdbss - ok
14:58:02.0443 4172 rdpbus - ok
14:58:02.0443 4172 RDPCDD - ok
14:58:02.0459 4172 RDPDR - ok
14:58:02.0474 4172 RDPENCDD - ok
14:58:02.0490 4172 RDPREFMP - ok
14:58:02.0490 4172 RdpVideoMiniport - ok
14:58:02.0490 4172 RDPWD - ok
14:58:02.0505 4172 rdyboost - ok
14:58:02.0505 4172 RemoteAccess - ok
14:58:02.0521 4172 RemoteRegistry - ok
14:58:02.0537 4172 rismxdp - ok
14:58:02.0537 4172 rpcapd - ok
14:58:02.0537 4172 RpcEptMapper - ok
14:58:02.0552 4172 RpcLocator - ok
14:58:02.0552 4172 RpcSs - ok
14:58:02.0568 4172 rspndr - ok
14:58:02.0568 4172 s3cap - ok
14:58:02.0568 4172 SamSs - ok
14:58:02.0568 4172 SASDIFSV - ok
14:58:02.0583 4172 SASKUTIL - ok
14:58:02.0583 4172 sbp2port - ok
14:58:02.0583 4172 SCardSvr - ok
14:58:02.0583 4172 scfilter - ok
14:58:02.0599 4172 Schedule - ok
14:58:02.0599 4172 SCPolicySvc - ok
14:58:02.0615 4172 sdbus - ok
14:58:02.0615 4172 SDRSVC - ok
14:58:02.0615 4172 secdrv - ok
14:58:02.0615 4172 seclogon - ok
14:58:02.0615 4172 SENS - ok
14:58:02.0630 4172 SensrSvc - ok
14:58:02.0630 4172 Serenum - ok
14:58:02.0646 4172 Serial - ok
14:58:02.0661 4172 sermouse - ok
14:58:02.0677 4172 SessionEnv - ok
14:58:02.0677 4172 sffdisk - ok
14:58:02.0677 4172 sffp_mmc - ok
14:58:02.0677 4172 sffp_sd - ok
14:58:02.0693 4172 sfloppy - ok
14:58:02.0693 4172 SharedAccess - ok
14:58:02.0693 4172 ShellHWDetection - ok
14:58:02.0708 4172 SiSRaid2 - ok
14:58:02.0724 4172 SiSRaid4 - ok
14:58:02.0724 4172 SkypeUpdate - ok
14:58:02.0739 4172 Smb - ok
14:58:02.0755 4172 SNMPTRAP - ok
14:58:02.0771 4172 spldr - ok
14:58:02.0771 4172 Spooler - ok
14:58:02.0771 4172 sppsvc - ok
14:58:02.0771 4172 sppuinotify - ok
14:58:02.0786 4172 SRTSP - ok
14:58:02.0786 4172 SRTSPL - ok
14:58:02.0786 4172 SRTSPX - ok
14:58:02.0786 4172 srv - ok
14:58:02.0802 4172 srv2 - ok
14:58:02.0802 4172 SrvHsfHDA - ok
14:58:02.0802 4172 SrvHsfV92 - ok
14:58:02.0802 4172 SrvHsfWinac - ok
14:58:02.0817 4172 srvnet - ok
14:58:02.0833 4172 SSDPSRV - ok
14:58:02.0833 4172 SstpSvc - ok
14:58:02.0833 4172 stexstor - ok
14:58:02.0849 4172 stisvc - ok
14:58:02.0849 4172 storflt - ok
14:58:02.0880 4172 storvsc - ok
14:58:02.0880 4172 swenum - ok
14:58:02.0927 4172 SwitchBoard - ok
14:58:02.0927 4172 swprv - ok
14:58:02.0958 4172 Symantec AntiVirus - ok
14:58:02.0973 4172 SymEvent - ok
14:58:02.0973 4172 Synth3dVsc - ok
14:58:02.0989 4172 SynTP - ok
14:58:03.0005 4172 SysMain - ok
14:58:03.0005 4172 TabletInputService - ok
14:58:03.0036 4172 TabletServicePen - ok
14:58:03.0051 4172 tap0901 - ok
14:58:03.0051 4172 taphss - ok
14:58:03.0051 4172 TapiSrv - ok
14:58:03.0051 4172 TBS - ok
14:58:03.0067 4172 Tcpip - ok
14:58:03.0083 4172 TCPIP6 - ok
14:58:03.0083 4172 tcpipreg - ok
14:58:03.0083 4172 TDPIPE - ok
14:58:03.0083 4172 TDTCP - ok
14:58:03.0098 4172 tdx - ok
14:58:03.0098 4172 TermDD - ok
14:58:03.0098 4172 terminpt - ok
14:58:03.0098 4172 TermService - ok
14:58:03.0114 4172 Themes - ok
14:58:03.0114 4172 THREADORDER - ok
14:58:03.0114 4172 TouchServicePen - ok
14:58:03.0129 4172 TPM - ok
14:58:03.0129 4172 TrkWks - ok
14:58:03.0129 4172 TrustedInstaller - ok
14:58:03.0145 4172 tssecsrv - ok
14:58:03.0145 4172 TsUsbFlt - ok
14:58:03.0145 4172 TsUsbGD - ok
14:58:03.0161 4172 tsusbhub - ok
14:58:03.0254 4172 tunnel - ok
14:58:03.0270 4172 uagp35 - ok
14:58:03.0285 4172 udfs - ok
14:58:03.0301 4172 UI0Detect - ok
14:58:03.0317 4172 uliagpkx - ok
14:58:03.0332 4172 umbus - ok
14:58:03.0332 4172 UmPass - ok
14:58:03.0332 4172 UmRdpService - ok
14:58:03.0348 4172 upnphost - ok
14:58:03.0348 4172 USBAAPL64 - ok
14:58:03.0379 4172 usbaudio - ok
14:58:03.0379 4172 usbccgp - ok
14:58:03.0395 4172 usbcir - ok
14:58:03.0395 4172 usbehci - ok
14:58:03.0410 4172 usbhub - ok
14:58:03.0426 4172 usbohci - ok
14:58:03.0441 4172 usbprint - ok
14:58:03.0457 4172 usbscan - ok
14:58:03.0457 4172 USBSTOR - ok
14:58:03.0473 4172 usbuhci - ok
14:58:03.0473 4172 UxSms - ok
14:58:03.0473 4172 VaultSvc - ok
14:58:03.0488 4172 vdrvroot - ok
14:58:03.0488 4172 vds - ok
14:58:03.0535 4172 vga - ok
14:58:03.0535 4172 VgaSave - ok
14:58:03.0535 4172 VGPU - ok
14:58:03.0551 4172 vhdmp - ok
14:58:03.0551 4172 viaide - ok
14:58:03.0551 4172 vmbus - ok
14:58:03.0551 4172 VMBusHID - ok
14:58:03.0551 4172 volmgr - ok
14:58:03.0566 4172 volmgrx - ok
14:58:03.0566 4172 volsnap - ok
14:58:03.0675 4172 vsmraid - ok
14:58:03.0691 4172 VSS - ok
14:58:03.0691 4172 vwifibus - ok
14:58:03.0691 4172 W32Time - ok
14:58:03.0707 4172 wacmoumonitor - ok
14:58:04.0159 4172 wacommousefilter - ok
14:58:04.0175 4172 WacomPen - ok
14:58:04.0175 4172 wacomvhid - ok
14:58:04.0237 4172 wampapache - ok
14:58:04.0237 4172 wampmysqld - ok
14:58:04.0268 4172 WANARP - ok
14:58:04.0268 4172 Wanarpv6 - ok
14:58:04.0284 4172 WatAdminSvc - ok
14:58:04.0284 4172 wbengine - ok
14:58:04.0299 4172 WbioSrvc - ok
14:58:04.0299 4172 wcncsvc - ok
14:58:04.0315 4172 WcsPlugInService - ok
14:58:04.0315 4172 Wd - ok
14:58:04.0315 4172 WDC_SAM - ok
14:58:04.0315 4172 Wdf01000 - ok
14:58:04.0331 4172 WdiServiceHost - ok
14:58:04.0331 4172 WdiSystemHost - ok
14:58:04.0331 4172 WebClient - ok
14:58:04.0331 4172 Wecsvc - ok
14:58:04.0346 4172 wercplsupport - ok
14:58:04.0346 4172 WerSvc - ok
14:58:04.0377 4172 WfpLwf - ok
14:58:04.0377 4172 WIMMount - ok
14:58:04.0377 4172 winachsf - ok
14:58:04.0393 4172 WinDefend - ok
14:58:04.0393 4172 WinHttpAutoProxySvc - ok
14:58:04.0393 4172 Winmgmt - ok
14:58:04.0409 4172 WinRM - ok
14:58:04.0409 4172 WinUsb - ok
14:58:04.0409 4172 Wlansvc - ok
14:58:04.0424 4172 WmiAcpi - ok
14:58:04.0424 4172 wmiApSrv - ok
14:58:04.0440 4172 WMPNetworkSvc - ok
14:58:04.0440 4172 WPCSvc - ok
14:58:04.0440 4172 WPDBusEnum - ok
14:58:04.0440 4172 ws2ifsl - ok
14:58:04.0455 4172 wscsvc - ok
14:58:04.0455 4172 WSearch - ok
14:58:04.0455 4172 wuauserv - ok
14:58:04.0455 4172 WudfPf - ok
14:58:04.0471 4172 WUDFRd - ok
14:58:04.0471 4172 wudfsvc - ok
14:58:04.0471 4172 WwanSvc - ok
14:58:04.0471 4172 XAudio - ok
14:58:04.0487 4172 XAudioService - ok
14:58:04.0549 4172 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
14:58:05.0454 4172 \Device\Harddisk0\DR0 - ok
14:58:05.0469 4172 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
14:58:05.0610 4172 \Device\Harddisk1\DR1 - ok
14:58:05.0625 4172 Boot (0x1200) (5944fe3e3a869f0697f6fe82bf9d1eb9) \Device\Harddisk0\DR0\Partition0
14:58:05.0625 4172 \Device\Harddisk0\DR0\Partition0 - ok
14:58:05.0641 4172 Boot (0x1200) (19d2ab218b26c13bc3f0271639989636) \Device\Harddisk0\DR0\Partition1
14:58:05.0641 4172 \Device\Harddisk0\DR0\Partition1 - ok
14:58:05.0641 4172 Boot (0x1200) (a4bddc792c99d4bceaac2f184042e511) \Device\Harddisk1\DR1\Partition0
14:58:05.0641 4172 \Device\Harddisk1\DR1\Partition0 - ok
14:58:05.0641 4172 ============================================================
14:58:05.0641 4172 Scan finished
14:58:05.0641 4172 ============================================================
14:58:05.0657 3164 Detected object count: 0
14:58:05.0657 3164 Actual detected object count: 0


aswMBR.exe log
--------------

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-16 15:00:05
-----------------------------
15:00:05.275 OS Version: Windows x64 6.1.7601 Service Pack 1
15:00:05.275 Number of processors: 2 586 0x1706
15:00:05.291 ComputerName: XXXX-XX UserName: XXXX
15:00:06.757 Initialize success
15:01:23.947 AVAST engine defs: 12041502
15:01:49.454 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2
15:01:49.454 Disk 0 Vendor: WDC_WD5000BPKT-75PK4T0 01.01A01 Size: 476940MB BusType: 11
15:01:49.454 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000096
15:01:49.454 Disk 1 Vendor: Size: 476940MB BusType: 0
15:01:49.485 Disk 0 MBR read successfully
15:01:49.485 Disk 0 MBR scan
15:01:49.485 Disk 0 Windows 7 default MBR code
15:01:49.485 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
15:01:49.500 Disk 0 Partition 2 00 07 HPFS/NTFS 476838 MB offset 206848
15:01:49.516 Disk 0 scanning C:\Windows\system32\drivers
15:01:49.516 Service scanning
15:02:12.869 Modules scanning
15:02:12.885 Disk 0 trace - called modules:
15:02:12.900 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
15:02:12.916 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004b7e060]
15:02:12.916 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-2[0xfffffa80049d0060]
15:02:15.101 AVAST engine scan C:\Windows
15:02:15.132 AVAST engine scan C:\Windows\system32
15:02:15.148 AVAST engine scan C:\Windows\system32\drivers
15:02:15.163 AVAST engine scan C:\Users\user
15:02:15.163 AVAST engine scan C:\ProgramData
15:02:15.179 Scan finished successfully
15:02:24.399 Disk 0 MBR has been saved successfully to "C:\Users\user\Desktop\MBR.dat"
15:02:24.399 The log file has been saved successfully to "C:\Users\user\Desktop\aswMBR.txt"




MBR.zip attached (559 bytes).


#4 CatByte (Malware Response Team)
Posted 16 April 2012 - 07:46 AM

Hi,

Please do the following

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 loggier (Topic Starter)

Posted 16 April 2012 - 12:04 PM

Log too long to post as a reply; attaching txt file.
Thanks!


#6 CatByte (Malware Response Team)

Posted 16 April 2012 - 05:39 PM

Hi,

Please do the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


NEXT


Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 loggier (Topic Starter)

Posted 17 April 2012 - 04:08 PM

MBAM
----

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.17.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
user :: USER-PC [administrator]

17-Apr-12 11:30:12 PM
mbam-log-2012-04-17 (23-30-12).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 206686
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


ESET ONLINE
-----------
C:\Program Files (x86)\RealArcade\Installer\bin\OCSetupHlp.dll Win32/OpenCandy application
C:\Users\user\Downloads\cnet2_ctimer_exe.exe a variant of Win32/InstallCore.D application
C:\Users\user\Downloads\cnet2_WLELiteSetup_exe.exe a variant of Win32/InstallCore.D application
C:\Users\user\Downloads\GameHouse-Installer_am-zumasrevengetmadventure_gamehouse_(1).exe Win32/OpenCandy application
C:\Users\user\Downloads\GameHouse-Installer_am-zumasrevengetmadventure_gamehouse_.exe Win32/OpenCandy application
G:\installs\Nero 8.3.6.0 Keygen&Crack [NEMESIS]\Nero-8.3.6.0_eng_trial.exe Win32/Toolbar.AskSBar application


PC status
---------
Initially I suspected an infection because sometimes the internet would become very slow. In addition, there was some weird behavior when accessing some specific sites/services.
It's hard to say if the problems are gone; I need to keep using the machine for a few days and see.

Is there anything suspicious in the logs, during the whole process done above?

Thanks a lot for your help!

#8 CatByte (Malware Response Team)

Posted 17 April 2012 - 06:12 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, then click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Program Files (x86)\RealArcade\Installer\bin\OCSetupHlp.dll 
C:\Users\user\Downloads\cnet2_ctimer_exe.exe 
C:\Users\user\Downloads\cnet2_WLELiteSetup_exe.exe 
C:\Users\user\Downloads\GameHouse-Installer_am-zumasrevengetmadventure_gamehouse_(1).exe 
C:\Users\user\Downloads\GameHouse-Installer_am-zumasrevengetmadventure_gamehouse_.exe 
G:\installs\Nero 8.3.6.0 Keygen&Crack [NEMESIS]\Nero-8.3.6.0_eng_trial.exe 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



There were some minor file infections on your machine.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 loggier (Topic Starter)

Posted 18 April 2012 - 02:38 AM

ComboFix 12-04-16.01 - user 18-Apr-12 16:13:42.4.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1251.7.1033.18.4030.2200 [GMT 9:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files (x86)\RealArcade\Installer\bin\OCSetupHlp.dll"
"c:\users\user\Downloads\cnet2_ctimer_exe.exe"
"c:\users\user\Downloads\cnet2_WLELiteSetup_exe.exe"
"c:\users\user\Downloads\GameHouse-Installer_am-zumasrevengetmadventure_gamehouse_(1).exe"
"c:\users\user\Downloads\GameHouse-Installer_am-zumasrevengetmadventure_gamehouse_.exe"
"g:\installs\Nero 8.3.6.0 Keygen&Crack [NEMESIS]\Nero-8.3.6.0_eng_trial.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\RealArcade\Installer\bin\OCSetupHlp.dll
c:\users\user\Downloads\cnet2_ctimer_exe.exe
c:\users\user\Downloads\cnet2_WLELiteSetup_exe.exe
c:\users\user\Downloads\GameHouse-Installer_am-zumasrevengetmadventure_gamehouse_(1).exe
c:\users\user\Downloads\GameHouse-Installer_am-zumasrevengetmadventure_gamehouse_.exe
g:\installs\Nero 8.3.6.0 Keygen&Crack [NEMESIS]\Nero-8.3.6.0_eng_trial.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-18 to 2012-04-18 )))))))))))))))))))))))))))))))
.
.
2012-04-18 07:19 . 2012-04-18 07:19 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-04-18 07:19 . 2012-04-18 07:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-18 07:19 . 2012-04-18 07:19 -------- d-----w- c:\users\AppData\AppData\Local\temp
2012-04-17 14:42 . 2012-04-17 14:42 -------- d-----w- c:\program files (x86)\ESET
2012-04-17 06:20 . 2012-03-14 03:27 8669240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{569BBE10-9A50-44F7-B80F-E468497505D2}\mpengine.dll
2012-04-15 15:51 . 2012-04-15 15:52 -------- d-----w- c:\programdata\SecTaskMan
2012-04-15 15:51 . 2012-04-15 15:51 -------- d-----w- c:\program files (x86)\Security Task Manager
2012-04-12 22:19 . 2012-04-12 22:19 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-04-11 18:03 . 2012-03-06 06:53 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 18:03 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-04-11 18:03 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-04-11 18:00 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-11 18:00 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 18:00 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-11 18:00 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 18:00 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 18:00 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-11 18:00 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-06 15:23 . 2012-04-06 16:26 -------- d-----w- c:\users\user\AppData\Local\CRE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 06:56 . 2012-03-08 19:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-12 23:46 . 2011-10-29 07:05 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-27 22:37 . 2012-02-29 08:17 16432 ----a-w- c:\windows\system32\lsdelete.exe
2012-02-24 20:32 . 2012-02-24 20:32 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-02-23 00:18 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-22 07:52 . 2011-11-08 13:27 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-17 06:38 . 2012-03-14 03:17 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2012-02-17 06:38 . 2012-03-14 03:17 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-14 03:17 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-14 03:17 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-14 03:17 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-10 06:36 . 2012-03-14 03:17 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 03:17 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-05 23:28 . 2012-02-09 15:56 3966376 ----a-w- c:\windows\SysWow64\GameMon.des
2012-02-03 04:34 . 2012-03-14 03:17 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-01-25 06:38 . 2012-03-14 03:17 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-01-25 06:38 . 2012-03-14 03:17 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-01-25 06:33 . 2012-03-14 03:17 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2012-04-16_14.59.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-04-16 14:59 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-04-17 11:00 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-04-16 14:59 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-17 11:00 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-16 14:59 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-17 11:00 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-21 03:09 . 2012-04-16 15:10 34996 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-04-16 15:01 47286 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-04-16 15:10 47286 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-10-29 05:41 . 2012-04-18 07:24 11718 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1525084245-1567797459-3493934968-1000_UserData.bin
- 2012-04-16 14:59 . 2012-04-16 14:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-18 07:22 . 2012-04-18 07:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-16 14:59 . 2012-04-16 14:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-04-18 07:22 . 2012-04-18 07:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-10-30 11:55 . 2012-04-18 06:42 393296 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
- 2009-07-14 05:01 . 2012-04-16 14:57 472688 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-04-18 07:20 472688 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-10-29 10:01 . 2012-04-18 07:20 12629444 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1525084245-1567797459-3493934968-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CLASSES_ROOT\clsid\{81d24ea1-3106-46a5-a324-fa96b8178519}]
.
[HKEY_CLASSES_ROOT\clsid\{b4efb02b-cd4a-44b9-b5d9-aa486cdffab6}]
.
[HKEY_CLASSES_ROOT\clsid\{81d24ea1-3106-46a5-a324-fa96b8178519}]
.
[HKEY_CLASSES_ROOT\clsid\{b4efb02b-cd4a-44b9-b5d9-aa486cdffab6}]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2010-11-30 18:03 155416 ----a-w- c:\windows\SysWOW64\CbFsMntNtf3.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files (x86)\RocketDock\RocketDock.exe" [2007-09-02 495616]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 4785536]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-28 17148552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2006-12-08 107112]
"vptray"="c:\progra~2\SYMANT~1\VPTray.exe" [2006-12-14 134808]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-05-19 1314816]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-11 1523360]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2010-10-25 821144]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Jungle Disk Desktop.lnk - c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [2011-5-18 9761096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0lsdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-09 136176]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-28 158856]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-09 136176]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 51740536]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 cbfs3;cbfs3;c:\windows\system32\drivers\cbfs3.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 JungleDiskService;JungleDiskService;c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [2011-05-17 9761096]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2012-02-27 2152152]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2009-07-20 4908576]
S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2011-09-08 6583160]
S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2011-09-08 528760]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-06 138360]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2012-02-27 17152]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - LAVASOFT_KERNEXPLORER
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-22 22:37]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-09 17:52]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-09 17:52]
.
2012-04-17 c:\windows\Tasks\RegCure Program Check.job
- c:\program files (x86)\RegCure\RegCure.exe [2011-11-20 22:11]
.
2012-04-15 c:\windows\Tasks\RegCure.job
- c:\program files (x86)\RegCure\RegCure.exe [2011-11-20 22:11]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2010-11-30 18:03 188696 ----a-w- c:\windows\System32\CbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk1_Complete]
@="{78061A12-1E91-4446-8B65-8ED2FF328D4A}"
[HKEY_CLASSES_ROOT\CLSID\{78061A12-1E91-4446-8B65-8ED2FF328D4A}]
2011-03-04 18:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk2_InProgress]
@="{700AD13D-E86F-41C9-9A8F-39B4C438806F}"
[HKEY_CLASSES_ROOT\CLSID\{700AD13D-E86F-41C9-9A8F-39B4C438806F}]
2011-03-04 18:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk3_Conflicted]
@="{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}"
[HKEY_CLASSES_ROOT\CLSID\{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}]
2011-03-04 18:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OODefragTray"="c:\program files\OO Software\Defrag\oodtray.exe" [2009-09-12 3832064]
"nwiz"="nwiz.exe" [2009-08-27 1712672]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-06 16336488]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2010-11-05 980368]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-29 499608]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.101.1 220.220.248.1 220.220.248.9
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\nigszfcf.default\
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - (no file)
WebBrowser-{81D24EA1-3106-46A5-A324-FA96B8178519} - (no file)
WebBrowser-{B4EFB02B-CD4A-44B9-B5D9-AA486CDFFAB6} - (no file)
WebBrowser-{F228C6A4-A593-4017-944C-4E7958FB3177} - (no file)
WebBrowser-{962975BD-6884-4512-B712-C78D273BEBAF} - (no file)
WebBrowser-{A497981B-B4B8-4A0B-84D5-64C9C365AA38} - (no file)
WebBrowser-{2C1E21B5-5666-4CD5-8152-96B690B7216E} - (no file)
WebBrowser-{FFAEE60F-A2DE-4473-808F-5696B1BB4B02} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System*]
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Symantec AntiVirus\DefWatch.exe
c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
c:\program files (x86)\Symantec AntiVirus\Rtvscan.exe
c:\program files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2012-04-18 16:27:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-18 07:27
ComboFix2.txt 2012-04-16 15:04
ComboFix3.txt 2012-03-08 19:38
ComboFix4.txt 2012-03-05 16:56
.
Pre-Run: 367,498,084,352 bytes free
Post-Run: 367,300,636,672 bytes free
.
- - End Of File - - 11456D2F82439C5135F374723E1AF753

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:45 PM

Posted 18 April 2012 - 07:09 AM

How is the computer running now? Are there any outstanding issues?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 loggier

loggier
  • Topic Starter

  • Members
  • 9 posts
  • Local time:01:45 PM

Posted 18 April 2012 - 07:21 AM

It runs fine, I'll have to use it for a few more days to make sure.
Internet speed seems ok too.
One problem I experience is that sometimes certain sites return this error:
"The connection to the server was reset while the page was loading."
I suspect that it might be related to some router problems, rather than software infection.
Thanks a lot for your help and guidance!

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:45 PM

Posted 18 April 2012 - 05:35 PM

That message can sometimes be related to firewall or security settings, make sure yours are set to recommended defaults. If that doesn't change it, then reset your router:

  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don’t know the router's default password, you can look it up. HERE
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.



Make sure you have installed all the Windows updates that are available for download. Now we have some housekeeping to do to clean up the tools we used.

I'll keep the thread open a few days in case any other issues arise.

Please do the following:


You can delete the TDSSKiller and aswMBR logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis. This is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?
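As an added example (not CatByte's or the page's own code), the PowerShell script below audits the same three Internet Zone ActiveX settings that the "Make Internet Explorer more secure" steps above set through the dialog. It assumes the standard per-user zone path under HKCU and the documented zone value names 1001, 1004 and 1201 (data 0 = Enable, 1 = Prompt, 3 = Disable); a second function applies the recommended values for the current user.

```powershell
# Added example, not from the original post. Audits and optionally applies the
# Internet Zone ActiveX settings recommended above.
# Zone 3 = Internet zone. Value names are IE's URL action IDs:
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
#   1201 = Initialize and script ActiveX controls not marked as safe
# Data: 0 = Enable, 1 = Prompt, 3 = Disable.
# Caveat: a machine policy under HKLM\...\Policies can override what this key shows.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$expected = @{
    '1001' = 1   # signed ActiveX download   -> Prompt
    '1004' = 1   # unsigned ActiveX download -> Prompt
    '1201' = 3   # init/script unsafe ActiveX -> Disable
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IeZoneActiveXStatus {
    param([string]$Path = $zonePath)
    $key = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in ($expected.Keys | Sort-Object)) {
        $actual = $null
        if ($null -ne $key -and $null -ne $key.PSObject.Properties[$name]) {
            $actual = [int]$key.$name
        }
        # A missing value means the zone's template default applies; report it
        # as such rather than guessing which default is in force.
        $actualLabel = 'not set (template default)'
        if ($null -ne $actual) { $actualLabel = $labels[$actual] }
        [pscustomobject]@{
            Setting  = $name
            Actual   = $actualLabel
            Expected = $labels[$expected[$name]]
            Ok       = ($actual -eq $expected[$name])
        }
    }
}

function Set-IeZoneActiveXHardening {
    # Applies the three recommended values for the current user only.
    param([string]$Path = $zonePath)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $expected.Keys) {
        Set-ItemProperty -Path $Path -Name $name -Value $expected[$name] -Type DWord
    }
}

# Report current state; run Set-IeZoneActiveXHardening to apply, then re-check.
Get-IeZoneActiveXStatus | Format-Table -AutoSize
```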


Thank you for your patience, and performing all of the procedures requested.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:45 PM

Posted 24 April 2012 - 07:06 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015