Acer laptop, Blizzard account hacked, keylogger?


This topic is locked
15 replies to this topic

#1 XenoVega

XenoVega

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:54 PM

Posted 21 May 2012 - 01:18 PM

Hello everyone!

Looking for expert eyes and advice!

Here's the short version:
I have an Acer Aspire 7720G laptop with Windows Vista Home Premium SP2. My Blizzard game account was hacked. I didn't share it with anyone, and I don't remember entering my data into some dodgy web-page. So I assumed it was a keylogger of some kind. I used a lot of cleaning software on my laptop. What I'm hoping for now is that someone takes a look at the DDS and GMER logs (which I don't know how to interpret) and checks them for anything suspicious that might have slipped past the cleaning software. Thanks in advance!

Here's the long version:
Last year I was hacked. I'm a Starcraft 2 player, but someone hacked my Blizzard account and created a World of Warcraft sub-account which was then used to spam in-game chat. I found out about it when Blizzard closed my account. I straightened it with Blizzard and played the game on a different, clean computer from then on. Now I'm cleaning the hacked laptop.

Up to this point I used all the free or free-trial antivirus and antimalware programs I could download (I saved all the scan-logs I could):

Windows Defender, Malwarebytes, Microsoft Security Essentials, G-Data, Avira, Panda Online Scanner, Sophos Free Virus Removal Tool, ESET Nod32, Superantispyware, Kaspersky TDSS killer, Kaspersky 2011 Virus Removal tool, Avast, AVG, Webroot, Comodo Cleaning Essentials, Norton Antivirus, Norton Power Eraser, Bit Defender, Kaspersky Antivirus 2012. The idea was to use whatever I can because no single software can find them all.

I also used Combofix. At the time I didn't realize it was a mistake - I read bleepingcomputer.com warnings only afterwards. Basically, I learned about Combofix in an AV-Comparatives antivirus software comparison, and it was near the top of the list for rootkits. So I Googled it, downloaded it and followed all the instructions on the download page. The only problem I encountered afterwards was 2 Desktop links not working, but a reboot solved that. I guess I was lucky.

Here is what was found:

G-Data found 2 viruses in memory even without starting a scan.
WJCHess3D "Gen:Variant.Zbot.7 (Engine A)"
iefdm2.dll "Gen:Variant.TDss.64 (Engine A)"

Combofix deleted:
c:\acer\Empowering Technology\eRecovery\Autorun\SW1\Tuner\Liteon\Resources\_desktop.ini
c:\drv\Tuner\Yuan\Resources\_desktop.ini
c:\windows\iun6002.exe
I have the log saved if necessary.

Superantispyware deleted 660 cookies

Comodo Cleaning Essentials found "heur.packed.unknown" in the Acer Gamezone installed games (I never used them) - it could be a false positive but I deleted them anyway.

AVG found 3 files with "Broken Microsoft Certificates":
"";"File";"Information";"Result"
"";"C:\Acer\Empowering Technology\eRecovery\Autorun\SW3\CDMAKER\WMDMDist.exe";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""
"";"C:\Acer\Empowering Technology\eRecovery\Autorun\SW3\CDMAKER\WMFADist.exe";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""
"";"C:\Acer\Empowering Technology\eRecovery\Autorun\SW3\CDMAKER\WMFDist.exe";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""
These 3 all came preinstalled with the laptop. I redownloaded the eRecovery application from the Acer website, installed it, ran AVG again, same result. They are either false positives or the download itself is infected. Although, when I googled it I came upon topics that say that these files should be harmless.

Webroot found W32.Malware.Gen in another Acer Gamezone preinstalled game. I then deleted all the preinstalled Acer Gamezone games.


This is basically it. Once again, sorry for using Combofix on my own. I would greatly appreciate if someone checked my logs for anything suspicious left.

Thank you very much.

---


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by XenoVega at 17:37:52 on 2012-05-21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.385.1033.18.2045.1314 [GMT 2:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\ProgramData\DatacardService\DCSHost.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\ProgramData\DatacardService\DataCardMonitor.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Users\XenoVega\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe
C:\Program Files\WinZip\WZQKPICK32.EXE
C:\Program Files\DeskPins\DeskPins.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Free Download Manager: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [PlayMovie] "c:\program files\acer arcade deluxe\play movie\PMVService.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Skytel] Skytel.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [eRecoveryService]
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\users\xenovega\appdata\roaming\micros~1\windows\startm~1\programs\startup\deskpins.lnk - c:\program files\deskpins\DeskPins.exe
StartupFolder: c:\users\xenovega\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\lolrec~1.lnk - c:\program files\lolreplay\LOLRecorder.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\web'n'~1.lnk - c:\program files\t-mobile\web'n'walk manager\web'n'walk Manager.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK32.EXE
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: DisableLocalMachineRun = 0 (0x0)
uPolicies-explorer: DisableLocalMachineRunOnce = 0 (0x0)
uPolicies-explorer: DisableCurrentUserRun = 0 (0x0)
uPolicies-explorer: DisableCurrentUserRunOnce = 0 (0x0)
uPolicies-explorer: NoFile = 0 (0x0)
uPolicies-explorer: HideClock = 0 (0x0)
uPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
uPolicies-explorer: NoDFSTab = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoEncryptOnMove = 0 (0x0)
uPolicies-explorer: NoResolveTrack = 0 (0x0)
uPolicies-explorer: NoStartMenuSubFolders = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: DisableLocalMachineRun = 0 (0x0)
mPolicies-explorer: DisableLocalMachineRunOnce = 0 (0x0)
mPolicies-explorer: DisableCurrentUserRun = 0 (0x0)
mPolicies-explorer: DisableCurrentUserRunOnce = 0 (0x0)
mPolicies-explorer: NoFile = 0 (0x0)
mPolicies-explorer: HideClock = 0 (0x0)
mPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
mPolicies-explorer: NoDFSTab = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoEncryptOnMove = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 0 (0x0)
mPolicies-explorer: NoStartMenuSubFolders = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
dPolicies-explorer: NoViewOnDrive = 0 (0x0)
dPolicies-explorer: DisableLocalMachineRun = 0 (0x0)
dPolicies-explorer: DisableLocalMachineRunOnce = 0 (0x0)
dPolicies-explorer: DisableCurrentUserRun = 0 (0x0)
dPolicies-explorer: DisableCurrentUserRunOnce = 0 (0x0)
dPolicies-explorer: NoFile = 0 (0x0)
dPolicies-explorer: HideClock = 0 (0x0)
dPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
dPolicies-explorer: NoDFSTab = 0 (0x0)
dPolicies-explorer: NoWindowsUpdate = 0 (0x0)
dPolicies-explorer: NoEncryptOnMove = 0 (0x0)
dPolicies-explorer: NoResolveTrack = 0 (0x0)
dPolicies-explorer: NoStartMenuSubFolders = 0 (0x0)
dPolicies-system: NoDispAppearancePage = 0 (0x0)
dPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 217.115.3.243 217.115.2.243
TCP: Interfaces\{1E85983C-DBFB-4B5F-A9DE-217709074E14} : DhcpNameServer = 83.139.104.2 83.139.105.2
TCP: Interfaces\{2EEFC896-EBA3-497B-9293-67B42B5EE6B6} : DhcpNameServer = 217.115.3.243 217.115.2.243
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\xenovega\appdata\roaming\mozilla\firefox\profiles\ngunqi8b.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-5-21 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-5-21 337880]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2007-8-31 13560]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-4-4 63928]
R2 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2007-8-9 50688]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-5-21 20696]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-5-21 57688]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-5-21 44768]
R2 DCSHost.exe;DCSHost.exe;c:\programdata\datacardservice\DCSHOST.exe [2010-7-20 110592]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-26 21504]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2007-8-8 32256]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-8-8 179712]
S3 GDPkIcpt;GDPkIcpt;c:\windows\system32\drivers\PktIcpt.sys [2012-5-13 49016]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2007-7-9 95744]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2007-6-26 51968]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-7-20 101248]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2008-4-1 80744]
.
=============== File Associations ===============
.
JSEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
.
=============== Created Last 30 ================
.
2012-05-21 12:56:31 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-05-21 12:56:31 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-05-21 12:55:17 41184 ----a-w- c:\windows\avastSS.scr
2012-05-21 11:31:18 -------- d-----w- c:\users\xenovega\appdata\local\NPE
2012-05-21 06:04:25 96748 ----a-w- c:\programdata\1337580131.bdinstall.bin
2012-05-21 01:16:43 -------- d-----w- c:\programdata\VS
2012-05-20 23:33:23 204192 ----a-w- c:\programdata\1337556564.bdinstall.bin
2012-05-20 23:05:24 102074 ----a-w- c:\programdata\1337554921.bdinstall.bin
2012-05-20 23:02:01 31274 ----a-w- c:\programdata\1337554920.bdinstall.bin
2012-05-20 22:22:14 261144 ----a-w- c:\programdata\1337551976.bdinstall.bin
2012-05-20 22:21:06 -------- d-----w- c:\programdata\BDLogging
2012-05-20 22:13:37 -------- d-----w- c:\users\xenovega\appdata\roaming\QuickScan
2012-05-18 19:56:32 6737808 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{5ffc31f3-c928-4774-9782-3adedc4110db}\mpengine.dll
2012-05-18 19:51:08 6737808 ------w- c:\programdata\microsoft\windows defender\definition updates\updates\mpengine.dll
2012-05-18 11:33:25 -------- d-----w- c:\users\xenovega\appdata\roaming\AVG2012
2012-05-18 11:31:26 -------- d-----w- c:\programdata\AVG2012
2012-05-18 11:29:41 -------- d-----w- c:\program files\AVG
2012-05-18 11:24:57 -------- d--h--w- c:\programdata\Common Files
2012-05-18 11:24:41 -------- d-----w- c:\programdata\MFAData
2012-05-18 10:51:51 -------- d-----w- C:\CCE_Quarantine
2012-05-18 02:35:25 -------- d-----w- c:\programdata\AVAST Software
2012-05-18 02:35:25 -------- d-----w- c:\program files\AVAST Software
2012-05-16 09:54:08 -------- d-----w- c:\users\xenovega\appdata\roaming\SUPERAntiSpyware.com
2012-05-16 09:53:37 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-05-15 23:26:08 -------- d-sh--w- C:\$RECYCLE.BIN
2012-05-15 23:14:30 -------- d-----w- c:\users\xenovega\appdata\local\temp
2012-05-14 23:17:11 -------- d-----w- c:\programdata\Sophos
2012-05-14 23:17:05 73728 ----a-r- c:\users\xenovega\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-05-14 23:17:02 73728 ----a-r- c:\users\xenovega\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-05-14 23:17:02 73728 ----a-r- c:\users\xenovega\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\ARPPRODUCTICON.exe
2012-05-14 23:16:45 -------- d-----w- c:\program files\Sophos
2012-05-14 21:46:46 -------- d-----w- C:\scc_40
2012-05-14 21:12:55 -------- d-----w- C:\Downloads
2012-05-14 08:51:58 639688 ----a-w- c:\windows\system32\sig.bin
2012-05-14 08:40:56 -------- d-----w- c:\users\xenovega\appdata\roaming\Free Download Manager
2012-05-14 08:40:52 -------- d-----w- c:\program files\Free Download Manager
2012-05-13 20:30:33 30256 ----a-w- c:\windows\system32\drivers\GRD.sys
2012-05-13 20:24:16 51192 ----a-w- c:\program files\mozilla firefox\extensions\{906305f7-aafc-45e9-8bbd-941950a84dad}\components\BanksafeXPCOM.dll
2012-05-13 19:32:16 49016 ----a-w- c:\windows\system32\drivers\PktIcpt.sys
2012-05-13 19:26:36 -------- d-----w- c:\programdata\G DATA
2012-05-13 19:26:36 -------- d-----w- c:\program files\G Data
2012-05-13 19:26:36 -------- d-----w- c:\program files\common files\G Data
2012-05-13 19:18:54 -------- d-----w- c:\users\xenovega\Pavark
2012-05-13 19:17:55 -------- d-----w- c:\users\xenovega\appdata\local\WinZip
2012-05-13 09:09:41 -------- d-----w- c:\program files\common files\Canon
2012-05-12 20:04:08 -------- d-----w- c:\users\xenovega\appdata\roaming\Malwarebytes
2012-05-12 20:04:03 -------- d-----w- c:\programdata\Malwarebytes
2012-05-12 19:11:41 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2012-05-12 18:31:56 5120 ----a-w- c:\windows\system32\wmi.dll
2012-05-12 18:31:56 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-05-12 18:31:56 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-05-12 18:31:56 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
.
==================== Find3M ====================
.
2012-04-03 08:16:12 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-03 08:16:11 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-02 13:36:21 2044928 ----a-w- c:\windows\system32\win32k.sys
2012-03-30 12:39:11 914304 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-29 13:39:19 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2012-03-20 23:28:50 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-03-01 14:46:01 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-01 14:46:01 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-29 14:08:47 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-29 13:44:50 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-29 13:41:40 1069056 ----a-w- c:\windows\system32\DWrite.dll
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 08:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 17:39:47,25 ===============

Attached Files
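As an added example (not code from the original post, from BleepingComputer, or from the DDS tool), here is a small Python triage script for DDS-format log lines like the ones above. It flags the kinds of entries a log reader looks at first: a process image running from a per-user Temp folder, a BHO whose file is missing ("No File"), and Run entries whose command is empty or is a bare file name resolved through the PATH search order. The sample input is a constructed subset of lines copied from the log above; the rule names and the `triage_dds` function are the example's own. A flag marks an entry for manual review, not a verdict.

```python
import re

# Constructed sample: a subset of lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\XenoVega\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
============== Pseudo HJT Report ===============
uStart Page = about:blank
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Free Download Manager: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [eRecoveryService]
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
uRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
"""

# Section headers in DDS output look like "===== Name =====".
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Autorun entries: uRun/mRun/dRun: [name] command
RUN_RE = re.compile(r"^([umd]Run): \[([^\]]*)\]\s*(.*)$")
# BHO entries: "BHO: <name>: {clsid} - <file>" or "BHO: {clsid} - No File"
BHO_RE = re.compile(r"^BHO: (.*) - (.*)$")
# Image paths under a per-user Temp folder (user-writable; unusual for startup binaries)
USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# A command that starts with a drive-qualified path, optionally quoted
QUALIFIED_RE = re.compile(r'^"?[a-z]:\\', re.IGNORECASE)


def triage_dds(text):
    """Return a list of (rule, line) pairs for DDS lines worth a closer look."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Running Processes":
            if USER_TEMP_RE.search(line):
                findings.append(("process-in-user-temp", line))
            continue
        m = RUN_RE.match(line)
        if m:
            _hive, _name, cmd = m.groups()
            if not cmd:
                findings.append(("empty-autorun", line))
            elif not QUALIFIED_RE.match(cmd):
                # A bare file name is located via the PATH search order at logon.
                findings.append(("unqualified-autorun-path", line))
            continue
        m = BHO_RE.match(line)
        if m and m.group(2).strip().lower() == "no file":
            findings.append(("orphaned-bho", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage_dds(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

Run it against a saved DDS.txt by reading the file into `triage_dds`; the four hits on the sample are the Temp-folder process, the orphaned BHO CLSID, the bare `RtHDVCpl.exe` command and the empty `eRecoveryService` value. Each one is then checked by hand (publisher, file on disk, known vendor behaviour) before anything is removed.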




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:54 PM

Posted 26 May 2012 - 08:27 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 XenoVega

XenoVega
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:54 PM

Posted 28 May 2012 - 06:09 PM

Hi m0le, pleased to meet you!

I'm ready for your instructions.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:54 PM

Posted 28 May 2012 - 07:31 PM

Well, you've certainly run a lot of tools.

Can you run aswMBR?

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#5 XenoVega

XenoVega
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:54 PM

Posted 29 May 2012 - 04:05 AM

Here you go.

Attached Files



#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:54 PM

Posted 29 May 2012 - 05:17 PM

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
    Scan your computer's memory for errors.
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your next reply.
m0le is a proud member of UNITE

#7 XenoVega

XenoVega
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:54 PM

Posted 30 May 2012 - 05:11 PM

Here's the log.
Also, know the fact that since at this time I have access only to this laptop, and not to any other clean computer, I used the suspicious laptop to download the program to the USB stick.



Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 29-05-2012 02
Ran by SYSTEM at 30-05-2012 23:57:55
Running from F:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe [457216 2007-04-25] (HiTRUST)
HKLM\...\Run: [PLFSetL] C:\Windows\PLFSetL.exe [94208 2007-07-05] (sonix)
HKLM\...\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe [752136 2007-06-27] (Dritek System Inc.)
HKLM\...\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [206952 2007-05-24] (CyberLink Corp.)
HKLM\...\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [174872 2007-03-21] (Intel Corporation)
HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [159744 2007-06-06] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe [151552 2007-05-22] (Acer Inc.)
HKLM\...\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe [57344 2006-11-05] (Acer Inc.)
HKLM\...\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe" [1286144 2007-06-11] (CyberLink)
HKLM\...\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [1037736 2007-08-31] (Microsoft Corporation)
HKLM\...\Run: [Skytel] Skytel.exe [x]
HKLM\...\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [202256 2010-07-05] (RealNetworks, Inc.)
HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1144104 2010-06-02] ()
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-04-03] (Adobe Systems Incorporated)
HKLM\...\Run: [eRecoveryService] [x]
HKLM\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4241512 2012-03-06] (AVAST Software)
HKU\XenoVega\...\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork [1103216 2009-10-27] (IGN Entertainment)
HKU\XenoVega\...\Policies\system: [DisableCMD] 0
HKU\XenoVega\...\Policies\system: [NoDispAppearancePage] 0
HKU\XenoVega\...\Policies\system: [NoDispBackgroundPage] 0
HKU\XenoVega\...\Policies\system: [NoDispSettingsPage] 0
Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [X]
Tcpip\Parameters: [DhcpNameServer] 217.115.3.243 217.115.2.243
Startup: C:\Users\All Users\Start Menu\Programs\Startup\LOLRecorder.lnk
ShortcutTarget: LOLRecorder.lnk -> C:\Program Files\LOLReplay\LOLRecorder.exe (No File)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Nikon Monitor.lnk
ShortcutTarget: Nikon Monitor.lnk -> C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\web'n'walk Manager.lnk
ShortcutTarget: web'n'walk Manager.lnk -> C:\Program Files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe (T-Mobile)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
ShortcutTarget: WinZip Quick Pick.lnk -> C:\Program Files\WinZip\WZQKPICK32.EXE (WinZip Computing, S.L.)
Startup: C:\Users\XenoVega\Start Menu\Programs\Startup\DeskPins.lnk
ShortcutTarget: DeskPins.lnk -> C:\Program Files\DeskPins\DeskPins.exe (Elias Fotinis)
Startup: C:\Users\XenoVega\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

================================ Services (Whitelisted) ==================

2 ALaunchService; C:\Acer\ALaunch\ALaunchSvc.exe [50688 2007-01-26] ()
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44768 2012-03-06] (AVAST Software)
2 DCSHost.exe; C:\ProgramData\DatacardService\DCSHost.exe [110592 2009-09-23] ()
2 eDataSecurity Service; "C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe" [457512 2007-04-25] (HiTRSUT)
2 eLockService; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [24576 2007-03-14] (Acer Inc.)
2 eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [135168 2007-05-22] (Acer Inc.)
2 eRecoveryService; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [57344 2007-09-10] (Acer Inc.)
2 eSettingsService; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [24576 2007-05-10] ()
2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe -p [107008 2006-11-24] ()
4 NetMsmqActivator; "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator [124240 2010-03-18] (Microsoft Corporation)
4 NetPipeActivator; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)
4 NetTcpActivator; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)
4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)
3 npggsvc; C:\Windows\system32\GameMon.des -service [3549224 2010-06-07] (INCA Internet Co., Ltd.)
2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75064 2010-06-18] ()
2 RichVideo; "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" [266343 2007-01-23] ()
3 WLSetupSvc; "C:\Program Files\Windows Live\installer\WLSetupSvc.exe" [266240 2007-10-25] (Microsoft Corporation)
2 WMIService; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [167936 2007-06-13] (acer)
2 CLTNetCnService; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]

========================== Drivers (Whitelisted) =============

3 ApfiltrService; C:\Windows\System32\DRIVERS\Apfiltr.sys [154624 2007-06-13] (Alps Electric Co., Ltd.)
2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [20696 2012-03-06] (AVAST Software)
2 aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [57688 2012-03-06] (AVAST Software)
1 AswRdr; C:\Windows\System32\Drivers\AswRdr.sys [35672 2012-03-06] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [612184 2012-03-06] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [337880 2012-03-06] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [53848 2012-03-06] (AVAST Software)
3 DKbFltr; C:\Windows\System32\DRIVERS\DKbFltr.sys [21264 2006-11-02] (Dritek System Inc.)
1 DritekPortIO; \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys [20112 2006-11-02] (Dritek System Inc.)
3 enecir; C:\Windows\System32\DRIVERS\enecir.sys [32256 2007-03-07] (ENE TECHNOLOGY INC.)
3 GDPkIcpt; \??\C:\Windows\system32\drivers\PktIcpt.sys [49016 2012-05-13] (G Data Software AG)
3 GT72NDISIPXP; C:\Windows\System32\DRIVERS\Gt51Ip.sys [95744 2007-07-09] (Option NV)
3 GT72UBUS; C:\Windows\System32\DRIVERS\gt72ubus.sys [51968 2007-06-26] (Option N.V.)
3 GTPTSER; C:\Windows\System32\DRIVERS\gtptser.sys [8064 2007-03-30] (Option N.V.)
3 HSFHWAZL; C:\Windows\System32\DRIVERS\VSTAZL3.SYS [200704 2006-11-01] (Conexant Systems, Inc.)
3 hwdatacard; C:\Windows\System32\DRIVERS\ewusbmdm.sys [102912 2009-09-10] (Huawei Technologies Co., Ltd.)
3 hwusbdev; C:\Windows\System32\DRIVERS\ewusbdev.sys [101248 2009-07-24] (Huawei Technologies Co., Ltd.)
2 int15; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys [15392 2007-07-03] (Acer, Inc.)
3 NETw4v32; C:\Windows\System32\DRIVERS\NETw4v32.sys [2226688 2007-08-07] (Intel Corporation)
3 NTIDrvr; C:\Windows\System32\DRIVERS\NTIDrvr.sys [6144 2007-08-08] (NewTech Infosystems, Inc.)
0 PSDFilter; C:\Windows\System32\DRIVERS\psdfilter.sys [20776 2007-04-25] (HiTRUST)
0 PSDNServ; C:\Windows\System32\drivers\PSDNServ.sys [16680 2007-04-25] (HiTRUST)
0 psdvdisk; C:\Windows\System32\drivers\psdvdisk.sys [60712 2007-04-25] (HiTRUST)
3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1749376 2007-08-02] ()
3 usb_rndis; C:\Windows\System32\DRIVERS\usb8023.sys [15872 2009-04-10] (Microsoft Corporation)
3 WSVD; \??\C:\Windows\system32\drivers\WSVD.sys [80744 2006-09-19] (Wasay)
2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796}; \??\C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl [13560 2006-11-02] (Cyberlink Corp.)
4 blbdrive; C:\Windows\System32\drivers\blbdrive.sys [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
0 eorclc; [x]
0 hqmpym; [x]
3 igfx; C:\Windows\System32\DRIVERS\igdkmd32.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
0 ovanvq; [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-05-30 07:34 - 2012-05-30 07:34 - 0155152 ____A C:\Windows\Minidump\Mini053012-01.dmp
2012-05-27 15:06 - 2012-05-27 15:06 - 0148648 ____A C:\Windows\Minidump\Mini052812-01.dmp
2012-05-26 15:17 - 2012-05-26 15:17 - 0000000 ____D C:\Users\XenoVega\Documents\Finale Files
2012-05-26 15:16 - 2012-05-26 15:16 - 0000000 ____D C:\Users\XenoVega\AppData\Roaming\MakeMusic
2012-05-26 15:15 - 2012-05-26 15:15 - 0000000 ____D C:\Users\All Users\MakeMusic
2012-05-26 15:15 - 2012-05-26 15:15 - 0000000 ____D C:\PSFONTS
2012-05-26 15:15 - 2012-05-26 15:15 - 0000000 ____D C:\Program Files\Finale NotePad 2012
2012-05-26 00:32 - 2012-05-26 00:32 - 0151944 ____A C:\Windows\Minidump\Mini052612-01.dmp
2012-05-25 05:30 - 2012-05-25 14:12 - 0000000 ____D C:\Program Files\VSTPlugins
2012-05-25 05:30 - 2012-05-25 05:30 - 0000000 ____D C:\Users\All Users\Camel Audio
2012-05-25 05:30 - 2012-05-25 05:30 - 0000000 ____D C:\Program Files\Common Files\Digidesign
2012-05-25 05:30 - 2012-05-25 05:30 - 0000000 ____D C:\Program Files\Camel Audio
2012-05-24 14:09 - 2012-05-30 13:53 - 0000000 ____D C:\Users\XenoVega\AppData\Local\CrashDumps
2012-05-24 04:41 - 2012-05-24 04:41 - 0000356 ____A C:\Users\XenoVega\Desktop\Music.lnk
2012-05-23 02:17 - 2012-05-23 02:17 - 0155160 ____A C:\Windows\Minidump\Mini052312-01.dmp
2012-05-21 08:19 - 2012-05-21 08:19 - 0148104 ____A C:\Windows\Minidump\Mini052112-03.dmp
2012-05-21 07:55 - 2012-05-21 07:55 - 0155128 ____A C:\Windows\Minidump\Mini052112-02.dmp
2012-05-21 05:28 - 2012-05-29 00:06 - 0000000 ____D C:\Users\XenoVega\Desktop\Vedran
2012-05-21 05:27 - 2012-05-30 12:50 - 0000000 ____D C:\Users\XenoVega\Desktop\Petra
2012-05-21 04:56 - 2012-03-06 15:03 - 0612184 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-05-21 04:56 - 2012-03-06 15:03 - 0337880 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-05-21 04:56 - 2012-03-06 15:02 - 0035672 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
2012-05-21 04:56 - 2012-03-06 15:01 - 0057688 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-05-21 04:56 - 2012-03-06 15:01 - 0053848 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-05-21 04:56 - 2012-03-06 15:01 - 0020696 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-05-21 04:55 - 2012-03-06 15:15 - 0201352 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-05-21 04:55 - 2012-03-06 15:15 - 0041184 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-05-21 04:25 - 2012-05-21 04:25 - 0155144 ____A C:\Windows\Minidump\Mini052112-01.dmp
2012-05-21 03:35 - 2012-05-21 03:40 - 2797228 ____A C:\Windows\ntbtlog.txt
2012-05-21 03:31 - 2012-05-21 03:39 - 0000000 ____D C:\Users\XenoVega\AppData\Local\NPE
2012-05-20 23:32 - 2012-05-20 23:32 - 0017408 ____A C:\Users\XenoVega\AppData\Local\WebpageIcons.db
2012-05-20 22:04 - 2012-05-20 22:04 - 0096748 ____A C:\Users\All Users\1337580131.bdinstall.bin
2012-05-20 17:16 - 2012-05-20 17:16 - 0000000 ____D C:\Users\All Users\VS
2012-05-20 15:33 - 2012-05-20 15:33 - 0204192 ____A C:\Users\All Users\1337556564.bdinstall.bin
2012-05-20 15:05 - 2012-05-20 15:05 - 0102074 ____A C:\Users\All Users\1337554921.bdinstall.bin
2012-05-20 15:02 - 2012-05-20 15:02 - 0031274 ____A C:\Users\All Users\1337554920.bdinstall.bin
2012-05-20 14:22 - 2012-05-20 14:22 - 0261144 ____A C:\Users\All Users\1337551976.bdinstall.bin
2012-05-20 14:21 - 2012-05-20 14:21 - 0000000 ____D C:\Users\All Users\BDLogging
2012-05-20 14:13 - 2012-05-20 14:13 - 0000000 ____D C:\Users\XenoVega\AppData\Roaming\QuickScan
2012-05-20 10:08 - 2012-05-30 13:53 - 0037205 ____A C:\Users\All Users\nvModes.001
2012-05-20 09:50 - 2012-05-30 13:53 - 0037205 ____A C:\Users\All Users\nvModes.dat
2012-05-18 03:33 - 2012-05-18 03:33 - 0000000 ____D C:\Users\XenoVega\AppData\Roaming\AVG2012
2012-05-18 03:31 - 2012-05-20 23:20 - 0000000 ____D C:\Users\All Users\AVG2012
2012-05-18 03:29 - 2012-05-18 03:29 - 0000000 ____D C:\Program Files\AVG
2012-05-18 03:24 - 2012-05-20 23:18 - 0000000 ____D C:\Users\All Users\MFAData
2012-05-18 02:51 - 2012-05-18 03:12 - 0000000 ____D C:\CCE_Quarantine
2012-05-17 18:35 - 2012-05-21 04:54 - 0000000 ____D C:\Users\All Users\AVAST Software
2012-05-17 18:35 - 2012-05-21 04:54 - 0000000 ____D C:\Program Files\AVAST Software
2012-05-16 05:04 - 2012-05-30 13:53 - 2145394688 __ASH C:\hiberfil.sys
2012-05-16 03:09 - 2012-05-16 03:11 - 0122222 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_13.09.38_log.txt
2012-05-16 01:54 - 2012-05-16 01:54 - 0000000 ____D C:\Users\XenoVega\AppData\Roaming\SUPERAntiSpyware.com
2012-05-16 01:53 - 2012-05-16 01:53 - 0000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-05-15 16:56 - 2012-05-15 16:59 - 0000000 ___SD C:\32788R22FWJFW
2012-05-15 15:27 - 2012-05-15 15:27 - 0014866 ____A C:\ComboFix.txt
2012-05-15 15:26 - 2012-05-21 05:12 - 0000000 __SHD C:\$RECYCLE.BIN
2012-05-15 15:15 - 2012-05-15 15:15 - 0262144 ___AH C:\Windows\System32\config\security.tmp.LOG1
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\system.tmp.LOG2
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\system.tmp.LOG1
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\software.tmp.LOG2
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\software.tmp.LOG1
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\security.tmp.LOG2
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\sam.tmp.LOG2
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\sam.tmp.LOG1
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\default.tmp.LOG2
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\default.tmp.LOG1
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\COMPON~3.tmp.LOG2
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\COMPON~3.tmp.LOG1
2012-05-15 14:57 - 2012-05-15 16:59 - 0000000 ____D C:\Windows\ERDNT
2012-05-15 03:41 - 2012-05-15 03:41 - 0155160 ____A C:\Windows\Minidump\Mini051512-01.dmp
2012-05-14 15:17 - 2012-05-14 15:17 - 0000000 ____D C:\Users\All Users\Sophos
2012-05-14 15:16 - 2012-05-14 15:16 - 0000000 ____D C:\Program Files\Sophos
2012-05-14 13:46 - 2012-05-14 13:46 - 0000000 ____D C:\scc_40
2012-05-14 00:51 - 2012-05-14 00:51 - 0639688 ____A C:\Windows\System32\sig.bin
2012-05-14 00:51 - 2012-05-14 00:51 - 0039692 ____A C:\Windows\System32\nmp.map
2012-05-13 12:30 - 2012-05-13 12:30 - 0030256 ____A (G Data Software) C:\Windows\System32\Drivers\GRD.sys
2012-05-13 11:32 - 2012-05-13 12:24 - 0049016 ____A (G Data Software AG) C:\Windows\System32\Drivers\PktIcpt.sys
2012-05-13 11:26 - 2012-05-14 02:03 - 0000000 ____D C:\Users\All Users\G DATA
2012-05-13 11:26 - 2012-05-14 02:03 - 0000000 ____D C:\Program Files\Common Files\G Data
2012-05-13 11:26 - 2012-05-14 02:01 - 0000000 ____D C:\Program Files\G Data
2012-05-13 11:18 - 2012-05-13 11:19 - 0000000 ____D C:\Users\XenoVega\Pavark
2012-05-13 11:17 - 2012-05-30 05:16 - 0000000 ____D C:\Users\XenoVega\AppData\Local\WinZip
2012-05-13 11:16 - 2012-05-13 11:16 - 0000000 ____D C:\Program Files\WinZip
2012-05-13 01:09 - 2012-05-13 01:09 - 0000000 ____D C:\Program Files\Common Files\Canon
2012-05-12 12:04 - 2012-05-12 12:04 - 0000000 ____D C:\Users\XenoVega\AppData\Roaming\Malwarebytes
2012-05-12 12:04 - 2012-05-12 12:04 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-05-12 11:13 - 2012-05-12 12:02 - 0001945 ____A C:\Windows\epplauncher.mif
2012-05-12 11:11 - 2010-04-05 12:00 - 0221568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-05-12 10:34 - 2012-02-27 17:52 - 12281856 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-12 10:34 - 2012-02-27 17:27 - 9705984 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-12 10:34 - 2012-02-27 17:18 - 1799168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-12 10:34 - 2012-02-27 17:12 - 1103360 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-12 10:34 - 2012-02-27 17:11 - 1427456 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-12 10:34 - 2012-02-27 17:11 - 1127424 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-12 10:34 - 2012-02-27 17:09 - 0231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-12 10:34 - 2012-02-27 17:08 - 0065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-12 10:34 - 2012-02-27 17:06 - 0716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-12 10:34 - 2012-02-27 17:04 - 1792000 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-12 10:34 - 2012-02-27 17:03 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-12 10:34 - 2012-02-27 17:03 - 0072704 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-12 10:34 - 2012-02-27 16:59 - 0176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-12 10:31 - 2012-02-29 07:11 - 0172032 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-05-12 10:31 - 2012-02-29 07:11 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-05-12 10:31 - 2012-02-29 07:09 - 0157696 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-05-12 10:31 - 2012-02-29 05:32 - 0012800 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-05-11 12:51 - 2012-04-03 00:16 - 3602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-05-11 12:51 - 2012-04-03 00:16 - 3550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-11 12:51 - 2012-04-02 05:36 - 2044928 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-11 12:51 - 2012-03-30 04:39 - 0914304 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-05-11 12:51 - 2012-03-29 05:39 - 0031232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2012-05-11 12:51 - 2012-03-20 15:28 - 0053120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-05-11 12:51 - 2012-03-01 06:46 - 0219648 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll
2012-05-11 12:51 - 2012-03-01 06:46 - 0160768 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll
2012-05-11 12:51 - 2012-02-29 06:08 - 1172480 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll
2012-05-11 12:51 - 2012-02-29 05:44 - 0683008 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll
2012-05-11 12:51 - 2012-02-29 05:41 - 1069056 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll


============ 3 Months Modified Files and Folders ===============

2012-05-30 23:57 - 2012-05-30 23:57 - 0000000 ____D C:\FRST
2012-05-30 13:55 - 2010-06-10 05:41 - 0000424 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{6A6E54A7-A3DE-4217-B9E8-0DAF834BFDEE}.job
2012-05-30 13:55 - 2008-01-09 05:45 - 0196608 ____A C:\Windows\System32\Ikeext.etl
2012-05-30 13:55 - 2007-11-12 04:23 - 0000012 ____A C:\Windows\bthservsdp.dat
2012-05-30 13:55 - 2006-11-02 05:01 - 0032654 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-30 13:55 - 2006-11-02 05:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-05-30 13:54 - 2009-08-04 22:43 - 0000418 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{53692D66-AB35-474D-8914-0D1C3769A1CD}.job
2012-05-30 13:53 - 2012-05-24 14:09 - 0000000 ____D C:\Users\XenoVega\AppData\Local\CrashDumps
2012-05-30 13:53 - 2012-05-20 10:08 - 0037205 ____A C:\Users\All Users\nvModes.001
2012-05-30 13:53 - 2012-05-20 09:50 - 0037205 ____A C:\Users\All Users\nvModes.dat
2012-05-30 13:53 - 2012-05-16 05:04 - 2145394688 __ASH C:\hiberfil.sys
2012-05-30 13:53 - 2006-11-02 04:47 - 0003296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-05-30 13:53 - 2006-11-02 04:47 - 0003296 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-05-30 13:53 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\tracing
2012-05-30 13:46 - 2007-08-31 07:36 - 1051711 ____A C:\Windows\WindowsUpdate.log
2012-05-30 12:50 - 2012-05-21 05:27 - 0000000 ____D C:\Users\XenoVega\Desktop\Petra
2012-05-30 12:50 - 2010-06-10 08:04 - 0000970 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1068182206-656636503-233835067-1003UA.job
2012-05-30 12:48 - 2006-11-02 02:33 - 0755906 ____A C:\Windows\System32\PerfStringBackup.INI
2012-05-30 07:34 - 2012-05-30 07:34 - 0155152 ____A C:\Windows\Minidump\Mini053012-01.dmp
2012-05-30 07:34 - 2007-11-07 07:51 - 290650769 ____A C:\Windows\MEMORY.DMP
2012-05-30 07:34 - 2007-11-07 07:51 - 0000000 ____D C:\Windows\Minidump
2012-05-30 05:16 - 2012-05-13 11:17 - 0000000 ____D C:\Users\XenoVega\AppData\Local\WinZip
2012-05-29 10:50 - 2010-06-10 08:04 - 0000918 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1068182206-656636503-233835067-1003Core.job
2012-05-29 10:20 - 2006-11-02 04:52 - 0049578 ____A C:\Windows\setupact.log
2012-05-29 00:06 - 2012-05-21 05:28 - 0000000 ____D C:\Users\XenoVega\Desktop\Vedran
2012-05-27 15:06 - 2012-05-27 15:06 - 0148648 ____A C:\Windows\Minidump\Mini052812-01.dmp
2012-05-26 23:14 - 2010-06-10 07:59 - 0100264 ____A C:\Users\XenoVega\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-26 23:12 - 2006-11-02 04:47 - 0357400 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-26 15:17 - 2012-05-26 15:17 - 0000000 ____D C:\Users\XenoVega\Documents\Finale Files
2012-05-26 15:16 - 2012-05-26 15:16 - 0000000 ____D C:\Users\XenoVega\AppData\Roaming\MakeMusic
2012-05-26 15:15 - 2012-05-26 15:15 - 0000000 ____D C:\Users\All Users\MakeMusic
2012-05-26 15:15 - 2012-05-26 15:15 - 0000000 ____D C:\PSFONTS
2012-05-26 15:15 - 2012-05-26 15:15 - 0000000 ____D C:\Program Files\Finale NotePad 2012
2012-05-26 00:32 - 2012-05-26 00:32 - 0151944 ____A C:\Windows\Minidump\Mini052612-01.dmp
2012-05-25 14:42 - 2012-02-25 05:59 - 0000000 ____D C:\Users\XenoVega\AppData\Roaming\REAPER
2012-05-25 14:12 - 2012-05-25 05:30 - 0000000 ____D C:\Program Files\VSTPlugins
2012-05-25 05:30 - 2012-05-25 05:30 - 0000000 ____D C:\Users\All Users\Camel Audio
2012-05-25 05:30 - 2012-05-25 05:30 - 0000000 ____D C:\Program Files\Common Files\Digidesign
2012-05-25 05:30 - 2012-05-25 05:30 - 0000000 ____D C:\Program Files\Camel Audio
2012-05-24 04:41 - 2012-05-24 04:41 - 0000356 ____A C:\Users\XenoVega\Desktop\Music.lnk
2012-05-23 02:17 - 2012-05-23 02:17 - 0155160 ____A C:\Windows\Minidump\Mini052312-01.dmp
2012-05-21 17:52 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Microsoft.NET
2012-05-21 08:19 - 2012-05-21 08:19 - 0148104 ____A C:\Windows\Minidump\Mini052112-03.dmp
2012-05-21 07:55 - 2012-05-21 07:55 - 0155128 ____A C:\Windows\Minidump\Mini052112-02.dmp
2012-05-21 07:24 - 2006-11-02 02:23 - 0002577 ____A C:\Windows\System32\config.nt
2012-05-21 05:30 - 2007-08-08 15:23 - 0000000 ____D C:\Program Files\Microsoft Office
2012-05-21 05:12 - 2012-05-15 15:26 - 0000000 __SHD C:\$RECYCLE.BIN
2012-05-21 04:54 - 2012-05-17 18:35 - 0000000 ____D C:\Users\All Users\AVAST Software
2012-05-21 04:54 - 2012-05-17 18:35 - 0000000 ____D C:\Program Files\AVAST Software
2012-05-21 04:28 - 2011-09-29 05:09 - 0000000 ____D C:\Program Files\LOLReplay
2012-05-21 04:25 - 2012-05-21 04:25 - 0155144 ____A C:\Windows\Minidump\Mini052112-01.dmp
2012-05-21 03:40 - 2012-05-21 03:35 - 2797228 ____A C:\Windows\ntbtlog.txt
2012-05-21 03:39 - 2012-05-21 03:31 - 0000000 ____D C:\Users\XenoVega\AppData\Local\NPE
2012-05-21 03:31 - 2010-07-06 04:55 - 0000000 ____D C:\Users\All Users\Norton
2012-05-20 23:32 - 2012-05-20 23:32 - 0017408 ____A C:\Users\XenoVega\AppData\Local\WebpageIcons.db
2012-05-20 23:31 - 2010-06-10 07:57 - 0000000 ____D C:\users\XenoVega
2012-05-20 23:20 - 2012-05-18 03:31 - 0000000 ____D C:\Users\All Users\AVG2012
2012-05-20 23:20 - 2007-08-31 07:31 - 1621904 ____A C:\Windows\PFRO.log
2012-05-20 23:18 - 2012-05-18 03:24 - 0000000 ____D C:\Users\All Users\MFAData
2012-05-20 22:08 - 2007-08-08 15:21 - 0000000 ____D C:\Users\All Users\Adobe
2012-05-20 22:04 - 2012-05-20 22:04 - 0096748 ____A C:\Users\All Users\1337580131.bdinstall.bin
2012-05-20 22:02 - 2010-01-26 01:11 - 0032753 ____A C:\bdlog.txt
2012-05-20 18:04 - 2006-11-02 03:18 - 0000000 ____D C:\Program Files\Common Files\microsoft shared
2012-05-20 17:16 - 2012-05-20 17:16 - 0000000 ____D C:\Users\All Users\VS
2012-05-20 16:16 - 2007-10-26 15:13 - 0000117 ____A C:\Windows\MBRWR.LOG
2012-05-20 16:15 - 2007-08-31 07:43 - 0000000 ____D C:\Program Files\Acer Inc
2012-05-20 15:33 - 2012-05-20 15:33 - 0204192 ____A C:\Users\All Users\1337556564.bdinstall.bin
2012-05-20 15:05 - 2012-05-20 15:05 - 0102074 ____A C:\Users\All Users\1337554921.bdinstall.bin
2012-05-20 15:02 - 2012-05-20 15:02 - 0031274 ____A C:\Users\All Users\1337554920.bdinstall.bin
2012-05-20 14:40 - 2010-06-10 08:04 - 0000000 ____D C:\Users\XenoVega\AppData\Roaming\Adobe
2012-05-20 14:29 - 2008-06-03 23:11 - 0000000 ____D C:\Program Files\Common Files\Adobe
2012-05-20 14:28 - 2007-08-08 15:21 - 0000000 ____D C:\Program Files\Adobe
2012-05-20 14:27 - 2010-06-10 12:07 - 0000000 ____D C:\Users\XenoVega\AppData\Local\Adobe
2012-05-20 14:22 - 2012-05-20 14:22 - 0261144 ____A C:\Users\All Users\1337551976.bdinstall.bin
2012-05-20 14:21 - 2012-05-20 14:21 - 0000000 ____D C:\Users\All Users\BDLogging
2012-05-20 14:13 - 2012-05-20 14:13 - 0000000 ____D C:\Users\XenoVega\AppData\Roaming\QuickScan
2012-05-20 13:45 - 2007-08-08 15:36 - 0000000 ____D C:\Program Files\Common Files\Symantec Shared
2012-05-20 10:26 - 2010-07-06 04:55 - 0000000 ____D C:\Users\All Users\NortonInstaller
2012-05-20 09:43 - 2007-08-08 15:30 - 0000000 ____D C:\Program Files\Acer GameZone
2012-05-20 09:42 - 2007-08-08 15:30 - 0000000 ____D C:\Users\Public\Documents\.GamesData
2012-05-20 09:15 - 2011-01-27 09:18 - 0000000 ____D C:\Users\All Users\PopCap Games
2012-05-18 03:33 - 2012-05-18 03:33 - 0000000 ____D C:\Users\XenoVega\AppData\Roaming\AVG2012
2012-05-18 03:29 - 2012-05-18 03:29 - 0000000 ____D C:\Program Files\AVG
2012-05-18 03:12 - 2012-05-18 02:51 - 0000000 ____D C:\CCE_Quarantine
2012-05-16 03:11 - 2012-05-16 03:09 - 0122222 ____A C:\TDSSKiller.2.7.35.0_16.05.2012_13.09.38_log.txt
2012-05-16 01:54 - 2012-05-16 01:54 - 0000000 ____D C:\Users\XenoVega\AppData\Roaming\SUPERAntiSpyware.com
2012-05-16 01:53 - 2012-05-16 01:53 - 0000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-05-15 17:10 - 2007-08-08 15:23 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-05-15 16:59 - 2012-05-15 16:56 - 0000000 ___SD C:\32788R22FWJFW
2012-05-15 16:59 - 2012-05-15 14:57 - 0000000 ____D C:\Windows\ERDNT
2012-05-15 16:22 - 2012-01-01 04:01 - 0000000 ____D C:\BigFishGamesCache
2012-05-15 15:27 - 2012-05-15 15:27 - 0014866 ____A C:\ComboFix.txt
2012-05-15 15:27 - 2006-11-02 03:18 - 0000000 __RHD C:\users\Default
2012-05-15 15:27 - 2006-11-02 03:18 - 0000000 ___RD C:\users\Public
2012-05-15 15:18 - 2006-11-02 02:23 - 0000215 ____A C:\Windows\system.ini
2012-05-15 15:18 - 2006-11-02 02:23 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-05-15 15:16 - 2006-11-02 02:22 - 49807360 ____A C:\Windows\System32\config\software.bak
2012-05-15 15:16 - 2006-11-02 02:22 - 40370176 ____A C:\Windows\System32\config\COMPON~3.bak
2012-05-15 15:16 - 2006-11-02 02:22 - 33554432 ____A C:\Windows\System32\config\system.bak
2012-05-15 15:16 - 2006-11-02 02:22 - 2621440 ____A C:\Windows\System32\config\default.bak
2012-05-15 15:16 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\security.bak
2012-05-15 15:16 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\sam.bak
2012-05-15 15:15 - 2012-05-15 15:15 - 0262144 ___AH C:\Windows\System32\config\security.tmp.LOG1
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\system.tmp.LOG2
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\system.tmp.LOG1
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\software.tmp.LOG2
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\software.tmp.LOG1
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\security.tmp.LOG2
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\sam.tmp.LOG2
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\sam.tmp.LOG1
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\default.tmp.LOG2
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\default.tmp.LOG1
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\COMPON~3.tmp.LOG2
2012-05-15 15:15 - 2012-05-15 15:15 - 0000000 ___AH C:\Windows\System32\config\COMPON~3.tmp.LOG1
2012-05-15 03:41 - 2012-05-15 03:41 - 0155160 ____A C:\Windows\Minidump\Mini051512-01.dmp
2012-05-14 15:17 - 2012-05-14 15:17 - 0000000 ____D C:\Users\All Users\Sophos
2012-05-14 15:16 - 2012-05-14 15:16 - 0000000 ____D C:\Program Files\Sophos
2012-05-14 13:46 - 2012-05-14 13:46 - 0000000 ____D C:\scc_40
2012-05-14 02:03 - 2012-05-13 11:26 - 0000000 ____D C:\Users\All Users\G DATA
2012-05-14 02:03 - 2012-05-13 11:26 - 0000000 ____D C:\Program Files\Common Files\G Data
2012-05-14 02:01 - 2012-05-13 11:26 - 0000000 ____D C:\Program Files\G Data
2012-05-14 00:51 - 2012-05-14 00:51 - 0639688 ____A C:\Windows\System32\sig.bin
2012-05-14 00:51 - 2012-05-14 00:51 - 0039692 ____A C:\Windows\System32\nmp.map
2012-05-13 12:30 - 2012-05-13 12:30 - 0030256 ____A (G Data Software) C:\Windows\System32\Drivers\GRD.sys
2012-05-13 12:24 - 2012-05-13 11:32 - 0049016 ____A (G Data Software AG) C:\Windows\System32\Drivers\PktIcpt.sys
2012-05-13 11:19 - 2012-05-13 11:18 - 0000000 ____D C:\Users\XenoVega\Pavark
2012-05-13 11:16 - 2012-05-13 11:16 - 0000000 ____D C:\Program Files\WinZip
2012-05-13 11:16 - 2010-06-19 09:52 - 0000000 ____D C:\Users\All Users\WinZip
2012-05-13 11:16 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Sidebar
2012-05-13 01:09 - 2012-05-13 01:09 - 0000000 ____D C:\Program Files\Common Files\Canon
2012-05-13 00:28 - 2006-11-02 04:37 - 0000000 ____D C:\Windows\System32\XPSViewer
2012-05-12 12:04 - 2012-05-12 12:04 - 0000000 ____D C:\Users\XenoVega\AppData\Roaming\Malwarebytes
2012-05-12 12:04 - 2012-05-12 12:04 - 0000000 ____D C:\Users\All Users\Malwarebytes
2012-05-12 12:02 - 2012-05-12 11:13 - 0001945 ____A C:\Windows\epplauncher.mif
2012-05-12 11:00 - 2006-11-02 04:37 - 0000000 ____D C:\Program Files\Windows Journal
2012-04-26 10:08 - 2006-11-02 02:24 - 55656824 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-04-03 00:16 - 2012-05-11 12:51 - 3602816 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-04-03 00:16 - 2012-05-11 12:51 - 3550080 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-04-02 05:36 - 2012-05-11 12:51 - 2044928 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-30 04:39 - 2012-05-11 12:51 - 0914304 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-03-29 05:39 - 2012-05-11 12:51 - 0031232 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpipreg.sys
2012-03-20 15:28 - 2012-05-11 12:51 - 0053120 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-03-06 15:15 - 2012-05-21 04:55 - 0201352 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-03-06 15:15 - 2012-05-21 04:55 - 0041184 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-03-06 15:03 - 2012-05-21 04:56 - 0612184 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-03-06 15:03 - 2012-05-21 04:56 - 0337880 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-03-06 15:02 - 2012-05-21 04:56 - 0035672 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
2012-03-06 15:01 - 2012-05-21 04:56 - 0057688 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-03-06 15:01 - 2012-05-21 04:56 - 0053848 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-03-06 15:01 - 2012-05-21 04:56 - 0020696 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 13%
Total physical RAM: 2045.39 MB
Available physical RAM: 1778.63 MB
Total Pagefile: 1980.97 MB
Available Pagefile: 1853.53 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.72 MB

======================= Partitions =========================

1 Drive c: (ACER) (Fixed) (Total:69.77 GB) (Free:16.93 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (DATA) (Fixed) (Total:69.52 GB) (Free:6.59 GB) NTFS
4 Drive f: () (Removable) (Total:3.8 GB) (Free:3.75 GB) FAT32
5 Drive x: (PQSERVICE) (Fixed) (Total:9.76 GB) (Free:0.56 GB) NTFS

Disk ###  Status      Size     Free     Dyn  Gpt
--------  ----------  -------  -------  ---  ---
Disk 0    Online      149 GB   1307 KB
Disk 1    Online      3894 MB  0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 10 GB 32 KB
Partition 2 Primary 70 GB 10 GB
Partition 3 Primary 70 GB 80 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 X PQSERVICE NTFS Partition 10 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C ACER NTFS Partition 70 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D DATA NTFS Partition 70 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3894 MB 28 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F FAT32 Removable 3894 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-05-30 12:34

======================= End Of Log ==========================
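The "Bamital & volsnap Check" and "EXE ASSOCIATION" sections of the FRST report above are the two parts of the log that catch a patched core system binary and a hijacked .exe file association, which is why a helper reads them first. The following Python is an added example written for this page; it is not FRST's code and was not posted in the thread. It splits a pasted report into its banner-delimited sections, flags any core-file entry whose verdict is not "MD5 is legit", and re-checks the .exe handler chain against the values Windows ships with instead of trusting the "=> OK" tag. The sample report is constructed, including the svchost.exe mismatch line and the hijacked open\command value, so that the checker has something to report.

```python
import re
from typing import Dict, List, Optional, Tuple

# Section banners in an FRST report look like "===== Name =====".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# The .exe handler chain as Windows ships it.  FRST prints "=> OK" when the
# value matches; we re-check the value ourselves rather than trusting that tag.
EXPECTED_EXE_ASSOC = {
    r"HKLM\...\.exe": "exefile",
    r"HKLM\...\exefile\DefaultIcon": "%1",
    r"HKLM\...\exefile\open\command": r'"%1" %*',
}

# Constructed sample in the layout of the report pasted in the thread.  The
# svchost.exe verdict and the open\command value are deliberately bad so the
# checker has something to flag; they are not values from the real log.
SAMPLE_REPORT = r"""
========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 mismatch (constructed)

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "C:\Users\Public\x.exe" "%1" %*

========================= Memory info ======================

Percentage of memory in use: 13%
"""


def split_sections(report: str) -> Dict[str, List[str]]:
    """Group the non-blank lines of a report under the banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1).strip("= ")
            if name:                      # a banner with a title starts a section
                current = name
                sections[current] = []
            continue                      # bare "=====" rulers carry no data
        if current is not None:
            sections[current].append(line)
    return sections


def check_file_hashes(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (path, verdict) for every core-file entry not marked 'MD5 is legit'."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        path, sep, verdict = line.partition(" => ")
        if not sep:
            findings.append((line, "unparsed entry"))
        elif verdict.strip() != "MD5 is legit":
            findings.append((path.strip(), verdict.strip()))
    return findings


def check_exe_association(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (key, actual value) for every handler value that differs from the
    shipped chain, and (key, None) for any expected key absent from the report."""
    findings: List[Tuple[str, Optional[str]]] = []
    seen = set()
    for line in lines:
        key, sep, rest = line.partition(": ")
        if not sep:
            findings.append((line, None))
            continue
        value = rest.rsplit(" => ", 1)[0].strip()   # drop FRST's own verdict, if any
        seen.add(key)
        if EXPECTED_EXE_ASSOC.get(key) != value:
            findings.append((key, value))
    for key in EXPECTED_EXE_ASSOC:
        if key not in seen:
            findings.append((key, None))
    return findings


def audit_frst(report: str) -> Dict[str, list]:
    """Run both checks over a pasted FRST report and return the findings per check."""
    sections = split_sections(report)
    return {
        "hashes": check_file_hashes(sections.get("Bamital & volsnap Check", [])),
        "exe_association": check_exe_association(sections.get("EXE ASSOCIATION", [])),
    }


def is_clean(findings: Dict[str, list]) -> bool:
    """True when neither check produced a finding."""
    return not any(findings.values())


if __name__ == "__main__":
    result = audit_frst(SAMPLE_REPORT)
    for check, items in result.items():
        for name, detail in items:
            print(f"[{check}] {name}: {detail}")
    print("clean" if is_clean(result) else "findings present")
```

Run against the log pasted in this thread, both lists come back empty, which is the programmatic form of the "nothing showing" verdict in the next reply; a missing key is reported as well, because a report that silently lacks one of the three association entries should not be read as clean.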

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:54 PM

Posted 30 May 2012 - 06:52 PM

Okay, there's nothing showing in the FRST log.

Are you still getting any symptoms?
m0le is a proud member of UNITE

#9 XenoVega (Topic Starter)

Posted 02 June 2012 - 05:03 AM

Hi, sorry for the delay.

Now, about symptoms:

Around 2 days ago I had several blue screens of death happen for no apparent reason.
Also, the messages in the screenshots started appearing this week, during bootup. Possibly I just need to replace "Acer eData Security management."

Apart from that all seems stable.

What is your opinion?

Attached Files: 1.jpg (58.38KB), 2.jpg (85.18KB), 3.jpg (85.18KB)


#10 m0le

Posted 02 June 2012 - 01:05 PM

XenoVega wrote: Possibly I just need to replace "Acer eData Security management."

Reinstall it first and see if that deals with it.

#11 XenoVega (Topic Starter)

Posted 08 June 2012 - 04:18 AM

Finally reinstalled it. Yes, now those system messages are gone. Haven't had any other problems during the last few days. Do you have any other scans I could run, or is this pretty much all that we can do?

#12 m0le

Posted 08 June 2012 - 08:24 PM

We can certainly do a quick check but I would say that the system looks okay.

Please run MBAM and ESET

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


And

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.

#13 XenoVega (Topic Starter)

Posted 09 June 2012 - 01:25 PM

Here are the logs.

ESET quarantined 6 files. 2 of them were in the Recycle Bin, 4 were old WinZip installers that I downloaded from the official WinZip site. I chose to delete them all.

Attached Files



#14 m0le

Posted 09 June 2012 - 02:28 PM

You look clean as can be. You're clear so let's tidy up

You're clean. Good stuff! :thumbup2:

Let's do some clearing up

If you used DeFogger now is the time to enable your CD emulation software again.

We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the [image] icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big [image] button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir - though if you choose Avira you should make sure that you uncheck the box offering to install the Ask toolbar. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically; make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15-day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it XenoVega, happy surfing!

Cheers.

m0le

#15 XenoVega (Topic Starter)

Posted 09 June 2012 - 04:59 PM

Thank you very much for your help!
