uKash infection - Win7x64Ult


  • This topic is locked
11 replies to this topic

#1 Taurich

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:05 AM

Posted 05 June 2012 - 06:03 PM

Hey guys
Somehow managed to get infected by some Dutch or German version of that damn Ukash virus.
It hit at exactly 03:26 yesterday morning (05/06/12); it looks like it somehow invaded during a JRE update.

Anyway, I managed to get my computer unlocked from the white screen by booting in safe mode and manually removing a few .exe files it had created. I thought it was all clean, then noticed my computer was using an excessive amount of bandwidth through services.exe and svchost.exe (between 20-150 kb/s at all times, terrible for me as I'm on a 15 GB monthly plan; I managed to use 4 GB of that today doing absolutely nothing). There were dozens (hundreds) of connections to various IP addresses from the process. So, in a panic, I've attempted to delete every file created at 03:26, and ran into hurdles on the last couple of files: they cannot be deleted because they are in use by services.exe :angry:
This is pretty urgent for me; I've already chewed through 150 MB of downloads just writing this post. I basically cannot have my computer online or it's going to cost me an exorbitant amount of money at the end of the month. This is a huge problem because I'm doing my studies online.

I've noticed I can circumvent this by suspending services.exe in perfmon, but this is obviously opening up a whole new can of worms and stability/functionality of the computer goes right out the window.


So now my Google searching has led me to you lovely folks, and I want to get rid of this thing for good. I know I could reformat the drive, but then the virus has won ;)

Soooo I've gone ahead and downloaded all the programs mentioned in this thread, and I've run the OTL scan, which I will post below. Attached are the DDS logs also.
Please note: I've restricted OTL to only scan changes over the last day, as I know the date and time of infection.
Also, because I have manually deleted most of the files earlier, there aren't many entries for that time in the log, just the .dll file that cannot be deleted.
I should finally mention that neither DDS nor OTL logged the creation of virus files in %windows%/installer; there are files located there time-stamped @ 03:26 that cannot be deleted due to use by services.exe.

Thank you in advance for your help.

EDIT: I am downloading Comodo firewall in an effort to lock down services.exe. I know this bastard virus likes to infect and disable things like virus scanners and firewalls though, so we'll see how it goes.
Double Edit: Comodo successfully locked down both processes, albeit with some very aggressive settings. It'll do until I can deal with the infection itself.
---

OTL logfile created on: 6/06/2012 08:18:32 - Run 1
OTL by OldTimer - Version 3.2.46.1 Folder = C:\Users\kingy\Desktop
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000c09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

6.00 Gb Total Physical Memory | 2.28 Gb Available Physical Memory | 38.03% Memory free
8.93 Gb Paging File | 4.68 Gb Available in Paging File | 52.45% Paging File free
Paging file location(s): f:\pagefile.sys 3000 9000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 60.01 Gb Total Space | 16.27 Gb Free Space | 27.11% Space Free | Partition Type: NTFS
Drive D: | 189.92 Gb Total Space | 62.52 Gb Free Space | 32.92% Space Free | Partition Type: NTFS
Drive F: | 275.27 Gb Total Space | 123.98 Gb Free Space | 45.04% Space Free | Partition Type: NTFS
Drive G: | 1863.01 Gb Total Space | 90.82 Gb Free Space | 4.88% Space Free | Partition Type: NTFS
Drive I: | 1863.01 Gb Total Space | 0.04 Gb Free Space | 0.00% Space Free | Partition Type: NTFS

Computer Name: SNUGGLEBUNNY | User Name: kingy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 1 Day

========== Processes (SafeList) ==========

PRC - [2012/06/06 08:14:08 | 000,302,592 | ---- | M] () -- C:\Users\kingy\Downloads\sijqrsdx.exe
PRC - [2012/06/06 07:50:24 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\kingy\Desktop\OTL.exe
PRC - [2012/06/02 20:29:49 | 000,076,888 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2012/05/12 20:38:40 | 000,924,600 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2012/05/11 12:11:22 | 000,949,104 | ---- | M] (Opera Software) -- C:\Program Files (x86)\Opera\opera.exe
PRC - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/04/04 15:56:38 | 000,981,680 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2012/04/04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/03/01 10:02:00 | 002,348,352 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
PRC - [2012/02/29 12:26:46 | 000,382,272 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2011/11/22 23:02:26 | 001,495,880 | ---- | M] (Actual Tools) -- C:\Program Files (x86)\Actual Multiple Monitors\ActualMultipleMonitorsCenter.exe
PRC - [2011/09/13 10:34:12 | 006,199,192 | ---- | M] (Telstra) -- C:\Program Files (x86)\Telstra\Mobile Broadband Manager\TelstraUCM.exe
PRC - [2011/07/21 10:52:48 | 000,218,480 | ---- | M] (Sierra Wireless, Inc.) -- C:\Program Files (x86)\Telstra\Mobile Broadband Manager\SwiApiMuxX.exe
PRC - [2011/05/26 11:01:18 | 000,129,648 | ---- | M] (Portrait Displays, Inc.) -- C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
PRC - [2011/05/26 11:01:16 | 001,555,056 | ---- | M] (Portrait Displays, Inc) -- C:\Program Files (x86)\Acer Display\eDisplay Management\dthtml.exe
PRC - [2011/05/05 14:44:42 | 000,113,264 | ---- | M] (Portrait Displays, Inc.) -- C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
PRC - [2011/05/04 22:22:22 | 003,174,536 | ---- | M] (FinalWire Ltd.) -- C:\Program Files (x86)\FinalWire\AIDA64 Extreme Edition\aida64.exe
PRC - [2011/01/20 19:20:12 | 001,305,408 | ---- | M] (DT Soft Ltd) -- C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
PRC - [2011/01/18 06:07:06 | 000,150,632 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\Bundle\OSDServer\RTSS.exe
PRC - [2011/01/18 06:07:04 | 000,355,432 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\EVGAPrecision.exe
PRC - [2010/11/19 10:22:00 | 000,232,048 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\XHD_II\XHDTray.exe
PRC - [2010/06/15 11:54:22 | 002,320,304 | ---- | M] (Beepa P/L) -- C:\Fraps\fraps.exe
PRC - [2010/05/13 15:34:48 | 000,711,792 | ---- | M] () -- C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\Floater.exe
PRC - [2010/05/13 15:34:42 | 000,674,928 | ---- | M] () -- C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\wpCtrl.exe
PRC - [2010/04/22 14:05:26 | 001,011,712 | ---- | M] (Gigabyte Technology CO., LTD.) -- C:\Program Files (x86)\GIGABYTE\smart6\timelock\AlarmClock.exe
PRC - [2010/03/08 12:50:00 | 000,235,560 | ---- | M] () -- C:\Program Files (x86)\Marvell\raid\svc\mvraidsvc.exe
PRC - [2010/01/19 12:31:26 | 000,072,304 | R--- | M] () -- C:\Windows\SysWOW64\XSrvSetup.exe
PRC - [2009/11/20 21:17:54 | 000,106,496 | ---- | M] (NEC Electronics Corporation) -- C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
PRC - [2009/10/13 15:39:46 | 000,114,688 | ---- | M] (Gigabyte Technology CO., LTD.) -- C:\Program Files (x86)\GIGABYTE\smart6\timelock\TimeMgmtDaemon.exe
PRC - [2009/08/19 09:23:24 | 007,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
PRC - [2009/08/19 09:23:22 | 007,424,000 | ---- | M] (OpenOffice.org) -- C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
PRC - [2009/07/14 11:14:42 | 000,227,328 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\taskmgr.exe
PRC - [2009/06/17 15:13:06 | 000,068,136 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe
PRC - [2008/06/13 06:05:04 | 000,024,635 | ---- | M] (Apache Software Foundation) -- C:\Program Files (x86)\Marvell\raid\Apache2\bin\httpd.exe
PRC - [2008/06/11 21:43:26 | 000,640,376 | ---- | M] (Adobe Systems Inc.) -- F:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe


========== Modules (No Company Name) ==========

MOD - [2012/06/06 08:14:08 | 000,302,592 | ---- | M] () -- C:\Users\kingy\Downloads\sijqrsdx.exe
MOD - [2012/05/12 20:38:40 | 001,952,696 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2012/05/11 12:11:22 | 000,783,360 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\gstreamer.dll
MOD - [2012/05/11 12:11:22 | 000,316,928 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstoggdec.dll
MOD - [2012/05/11 12:11:22 | 000,276,480 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstwebmdec.dll
MOD - [2012/05/11 12:11:22 | 000,168,448 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstffmpegcolorspace.dll
MOD - [2012/05/11 12:11:22 | 000,099,840 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstcoreplugins.dll
MOD - [2012/05/11 12:11:22 | 000,098,816 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstaudioresample.dll
MOD - [2012/05/11 12:11:22 | 000,098,816 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstaudioconvert.dll
MOD - [2012/05/11 12:11:22 | 000,078,336 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstwavparse.dll
MOD - [2012/05/11 12:11:22 | 000,076,800 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstdirectsound.dll
MOD - [2012/05/11 12:11:22 | 000,068,608 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstdecodebin2.dll
MOD - [2012/05/11 12:11:22 | 000,064,000 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstautodetect.dll
MOD - [2012/05/11 12:11:22 | 000,046,592 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gstwaveform.dll
MOD - [2012/05/11 12:11:22 | 000,045,568 | ---- | M] () -- C:\Program Files (x86)\Opera\gstreamer\plugins\gsttypefindfunctions.dll
MOD - [2012/04/03 18:20:14 | 008,797,344 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_228.dll
MOD - [2012/02/29 12:26:28 | 000,360,768 | ---- | M] () -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\Nv3DVStreaming.dll
MOD - [2011/05/26 11:01:14 | 000,121,456 | ---- | M] () -- C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\CC\gui.dll
MOD - [2011/05/26 10:50:32 | 000,176,128 | ---- | M] () -- C:\Program Files (x86)\Common Files\Portrait Displays\Shared\PresetsCOM.dll
MOD - [2011/05/04 22:22:22 | 000,274,552 | ---- | M] () -- C:\Program Files (x86)\FinalWire\AIDA64 Extreme Edition\aida_icons7.dll
MOD - [2011/01/18 16:17:50 | 000,061,440 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\RTMUI.dll
MOD - [2011/01/18 16:17:46 | 000,270,336 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\RTHAL.dll
MOD - [2011/01/18 16:17:32 | 000,229,376 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\RTCore.dll
MOD - [2011/01/18 16:17:20 | 000,147,456 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\RTUI.dll
MOD - [2011/01/18 16:17:12 | 000,061,440 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\RTFC.dll
MOD - [2011/01/18 06:07:06 | 000,150,632 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\Bundle\OSDServer\RTSS.exe
MOD - [2011/01/18 06:07:04 | 000,355,432 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\EVGAPrecision.exe
MOD - [2010/11/19 10:22:00 | 000,232,048 | ---- | M] () -- C:\Program Files (x86)\GIGABYTE\XHD_II\XHDTray.exe
MOD - [2010/11/05 09:57:12 | 000,081,920 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\Bundle\OSDServer\RTSSHooks.dll
MOD - [2010/11/05 04:15:16 | 000,061,440 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\Bundle\OSDServer\RTMUI.dll
MOD - [2010/11/05 04:15:08 | 000,147,456 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\Bundle\OSDServer\RTUI.dll
MOD - [2010/11/05 04:15:04 | 000,061,440 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\Bundle\OSDServer\RTFC.dll
MOD - [2010/07/28 06:37:16 | 000,013,312 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\RTTSH.dll
MOD - [2010/07/28 06:37:16 | 000,013,312 | ---- | M] () -- C:\Program Files (x86)\EVGA Precision\Bundle\OSDServer\RTTSH.dll
MOD - [2010/05/13 15:34:48 | 000,711,792 | ---- | M] () -- C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\Floater.exe
MOD - [2010/05/13 15:34:42 | 000,674,928 | ---- | M] () -- C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\wpCtrl.exe
MOD - [2009/08/18 14:54:22 | 000,970,752 | ---- | M] () -- C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/12/28 18:00:34 | 001,296,728 | ---- | M] (www.BitComet.com) [On_Demand | Stopped] -- C:\Program Files\BitComet\tools\BitCometService.exe -- (BITCOMET_HELPER_SERVICE)
SRV:64bit: - [2010/04/06 15:30:38 | 000,031,272 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysNative\AppleChargerSrv.exe -- (AppleChargerSrv)
SRV:64bit: - [2009/07/14 11:41:27 | 000,097,792 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysNative\mprdim.dll -- (RemoteAccess)
SRV:64bit: - [2009/07/14 11:41:21 | 000,084,480 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysNative\Mcx2Svc.dll -- (Mcx2Svc)
SRV:64bit: - [2009/07/14 11:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2012/06/02 20:29:49 | 000,076,888 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2012/06/02 18:07:57 | 000,529,232 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/05/12 20:38:40 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/04/03 18:20:14 | 000,253,600 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/03/01 10:02:00 | 002,348,352 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2012/02/29 12:26:46 | 000,382,272 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2011/11/24 00:11:18 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/06/24 10:44:16 | 000,317,296 | ---- | M] (Sierra Wireless, Inc.) [Auto | Running] -- C:\Program Files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe -- (SwiCardDetectSvc)
SRV - [2011/05/26 11:01:18 | 000,129,648 | ---- | M] (Portrait Displays, Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe -- (DTSRVC)
SRV - [2011/05/05 14:44:42 | 000,113,264 | ---- | M] (Portrait Displays, Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe -- (PdiService)
SRV - [2010/03/08 12:50:00 | 000,235,560 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Marvell\raid\svc\mvraidsvc.exe -- (Marvell RAID)
SRV - [2010/01/19 12:31:26 | 000,072,304 | R--- | M] () [Auto | Running] -- C:\Windows\SysWOW64\XSrvSetup.exe -- (JMB36X)
SRV - [2009/10/13 15:39:46 | 000,114,688 | ---- | M] (Gigabyte Technology CO., LTD.) [Auto | Running] -- C:\Program Files (x86)\GIGABYTE\smart6\timelock\TimeMgmtDaemon.exe -- (Smart TimeLock)
SRV - [2009/07/14 11:15:41 | 000,075,264 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysWOW64\mprdim.dll -- (RemoteAccess)
SRV - [2009/06/17 15:13:06 | 000,068,136 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe -- (DES2 Service)
SRV - [2009/06/11 07:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/08/15 04:46:20 | 000,284,016 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe -- (Adobe Version Cue CS4)
SRV - [2008/06/13 06:05:04 | 000,024,635 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files (x86)\Marvell\raid\Apache2\bin\httpd.exe -- (MRUWebService)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/04/04 15:56:40 | 000,024,904 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2012/01/17 22:45:56 | 000,188,224 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2012/01/05 00:28:36 | 000,016,640 | ---- | M] (Windows ® Win 7 DDK provider) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\gtkdrv.sys -- (TrojanKillerDriver)
DRV:64bit: - [2011/10/21 21:46:58 | 000,189,576 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\EuFdDisk.sys -- (EUFDDISK)
DRV:64bit: - [2011/10/21 21:46:54 | 000,050,312 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\EUBKMON.sys -- (EUBKMON)
DRV:64bit: - [2011/10/21 21:46:48 | 000,019,592 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\eudskacs.sys -- (EUDSKACS)
DRV:64bit: - [2011/10/21 21:46:46 | 000,044,680 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\eubakup.sys -- (EUBAKUP)
DRV:64bit: - [2011/10/15 02:54:35 | 000,513,080 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\sptd.sys -- (sptd)
DRV:64bit: - [2011/08/09 13:28:04 | 000,018,456 | R--- | M] (HandSet Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\massfilter_LTE.sys -- (massfilter_lte)
DRV:64bit: - [2011/07/21 10:52:46 | 000,258,432 | ---- | M] (Sierra Wireless Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\swg3kser00.sys -- (swg3kser00)
DRV:64bit: - [2011/07/21 10:52:46 | 000,249,344 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\swnc8ua3.sys -- (SWNC8UA3) Sierra Wireless MUX NDIS Driver (UMTSA3)
DRV:64bit: - [2011/07/21 10:52:46 | 000,109,312 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\swiwdmbx64.sys -- (swiwdmbx)
DRV:64bit: - [2011/06/15 18:30:46 | 000,093,240 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\scdemu.sys -- (SCDEmu)
DRV:64bit: - [2011/06/03 16:54:55 | 000,310,984 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\atksgt.sys -- (atksgt)
DRV:64bit: - [2011/06/03 16:33:52 | 000,042,696 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\lirsgt.sys -- (lirsgt)
DRV:64bit: - [2011/06/03 16:28:30 | 000,254,528 | ---- | M] (DT Soft Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV:64bit: - [2011/05/25 09:40:10 | 000,037,888 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\taphss.sys -- (taphss)
DRV:64bit: - [2011/05/05 14:44:20 | 000,020,592 | ---- | M] (Portrait Displays, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\PdiPorts.sys -- (PdiPorts)
DRV:64bit: - [2011/01/13 21:58:00 | 000,413,800 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/01/01 09:12:24 | 000,097,040 | ---- | M] (MotioninJoy) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\MijXfilt.sys -- (MotioninJoyXFilter)
DRV:64bit: - [2010/08/19 18:24:34 | 000,074,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)
DRV:64bit: - [2010/07/16 10:04:44 | 000,121,344 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV:64bit: - [2010/07/16 10:04:44 | 000,121,344 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV:64bit: - [2010/07/16 10:04:44 | 000,121,344 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV:64bit: - [2010/07/16 10:04:44 | 000,009,216 | R--- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\massfilter.sys -- (massfilter)
DRV:64bit: - [2010/04/22 14:08:14 | 000,021,544 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\drivers\AppleCharger.sys -- (AppleCharger)
DRV:64bit: - [2010/01/27 18:58:38 | 000,115,312 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\jraid.sys -- (JRAID)
DRV:64bit: - [2009/12/22 01:39:40 | 000,051,712 | R--- | M] (Realtek Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtTeam60.sys -- (TEAM) Realtek Virtual Miniport Driver for Teaming (NDIS 6.0)
DRV:64bit: - [2009/12/22 01:39:40 | 000,051,712 | R--- | M] (Realtek Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtTeam60.sys -- (RTTEAMPT) Realtek Teaming Protocol Driver (NDIS 6.0)
DRV:64bit: - [2009/11/20 21:16:02 | 000,177,152 | ---- | M] (NEC Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3xhc.sys -- (nusb3xhc)
DRV:64bit: - [2009/11/20 21:15:58 | 000,075,776 | ---- | M] (NEC Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3hub.sys -- (nusb3hub)
DRV:64bit: - [2009/10/27 16:37:14 | 000,022,568 | ---- | M] (Marvell Semiconductor Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mv91cons.sys -- (mv91cons)
DRV:64bit: - [2009/07/20 12:27:34 | 000,027,136 | R--- | M] (Realtek ) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\RtNdPt60.sys -- (RtNdPt60)
DRV:64bit: - [2009/07/14 11:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/14 11:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/14 11:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 11:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 11:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/14 11:47:48 | 000,024,144 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\crcdisk.sys -- (crcdisk)
DRV:64bit: - [2009/07/14 11:47:48 | 000,023,104 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2009/07/14 11:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/14 10:10:33 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\drivers\ws2ifsl.sys -- (ws2ifsl)
DRV:64bit: - [2009/07/14 09:23:37 | 000,327,168 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\drivers\udfs.sys -- (udfs)
DRV:64bit: - [2009/07/14 09:19:47 | 000,092,160 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\drivers\cdfs.sys -- (cdfs)
DRV:64bit: - [2009/06/11 06:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/11 06:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/11 06:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/11 06:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2008/06/27 06:51:10 | 000,088,632 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\adfs.sys -- (adfs)
DRV:64bit: - [2008/02/06 02:00:00 | 000,054,480 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2007/12/03 12:20:54 | 000,024,064 | R--- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtVlan60.sys -- (RTVLANPT) Realtek Vlan Protocol Driver (NDIS 6.2)
DRV - [2012/06/06 05:59:58 | 000,025,640 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\gdrv.sys -- (gdrv)
DRV - [2012/01/15 01:19:39 | 000,030,528 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\GVTDrv64.sys -- (GVTDrv64)
DRV - [2012/01/03 20:12:59 | 000,025,640 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\etdrv.sys -- (etdrv)
DRV - [2011/05/04 22:22:22 | 000,027,808 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files (x86)\FinalWire\AIDA64 Extreme Edition\kerneld.x64 -- (AIDA64Driver)
DRV - [2011/01/18 06:07:02 | 000,014,440 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files (x86)\EVGA Precision\RTCore64.sys -- (RTCore64)
DRV - [2010/01/29 10:40:16 | 000,115,600 | ---- | M] (EZB Systems, Inc.) [File_System | System | Running] -- C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys -- (ISODrive)
DRV - [2009/07/14 11:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2008/08/14 06:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysWow64\drivers\adfs.sys -- (adfs)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2448071376-1067175635-125407750-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.telstra.com/
IE - HKU\S-1-5-21-2448071376-1067175635-125407750-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.bigpond.com/
IE - HKU\S-1-5-21-2448071376-1067175635-125407750-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ninemsn.com.au/?ocid=iehp
IE - HKU\S-1-5-21-2448071376-1067175635-125407750-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-au
IE - HKU\S-1-5-21-2448071376-1067175635-125407750-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E0 D5 0A 6A 5F E6 CB 01 [binary data]
IE - HKU\S-1-5-21-2448071376-1067175635-125407750-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2448071376-1067175635-125407750-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-2448071376-1067175635-125407750-1000\..\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}: "URL" = http://www.daemon-search.com/search?q={searchTerms}
IE - HKU\S-1-5-21-2448071376-1067175635-125407750-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.eohpoker.com/anon/default.aspx?ReturnUrl=%2fclient%2flaunch.aspx"
FF - prefs.js..extensions.enabledItems: DTToolbar@toolbarnet.com:1.1.4.0024
FF - prefs.js..extensions.enabledItems: en-AU@dictionaries.addons.mozilla.org:2.1.2
FF - prefs.js..extensions.enabledItems: {daf5b34c-1aa3-4c33-ae24-766a370635d2}:1.0.0.12
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_228.dll ()
FF - HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.4: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.122.0: C:\Program Files (x86)\Battlelog Web Plugins\1.122.0\npesnlaunch.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKCU\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: C:\Users\kingy\Program Files (x86)\DNA\plugins\npbtdna.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/05/12 20:38:40 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/05/12 20:38:40 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{d5bc46d8-67c7-11dc-8c1d-0097498c2b7a}: C:\Users\kingy\Program Files (x86)\DNA

[2011/04/17 14:30:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\kingy\AppData\Roaming\Mozilla\Extensions
[2012/05/12 01:50:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\kingy\AppData\Roaming\Mozilla\Firefox\Profiles\dvo3fd5v.default\extensions
[2012/03/16 18:53:19 | 000,000,000 | ---D | M] (BitComet Video Downloader) -- C:\Users\kingy\AppData\Roaming\Mozilla\Firefox\Profiles\dvo3fd5v.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
[2012/05/10 04:40:36 | 000,000,000 | ---D | M] (KMP Media Toolbar) -- C:\Users\kingy\AppData\Roaming\Mozilla\Firefox\Profiles\dvo3fd5v.default\extensions\{daf5b34c-1aa3-4c33-ae24-766a370635d2}
[2011/06/03 15:57:45 | 000,000,000 | ---D | M] ("DAEMON Tools Toolbar") -- C:\Users\kingy\AppData\Roaming\Mozilla\Firefox\Profiles\dvo3fd5v.default\extensions\DTToolbar@toolbarnet.com
[2012/03/29 00:40:11 | 000,000,000 | ---D | M] (English (Australian) Dictionary) -- C:\Users\kingy\AppData\Roaming\Mozilla\Firefox\Profiles\dvo3fd5v.default\extensions\en-AU@dictionaries.addons.mozilla.org
[2011/06/03 15:57:30 | 000,002,055 | ---- | M] () -- C:\Users\kingy\AppData\Roaming\Mozilla\Firefox\Profiles\dvo3fd5v.default\searchplugins\daemon-search.xml
[2011/12/08 00:11:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/05/12 20:38:40 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/01/12 18:58:30 | 000,917,816 | ---- | M] (BitComet) -- C:\Program Files (x86)\mozilla firefox\plugins\npBitCometAgent.dll
[2010/06/29 14:01:22 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll
[2012/05/12 20:38:39 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/05/12 20:38:39 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/05/26 20:13:20 | 000,000,885 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 www.youtube.com
O2:64bit: - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll File not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - F:\Program Files (x86)\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll (BitComet)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (KMP Media Toolbar) - {daf5b34c-1aa3-4c33-ae24-766a370635d2} - C:\Program Files (x86)\kmpmediatoolbar\searchresultsDx.dll (Ask.com)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3:64bit: - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll ()
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - F:\Program Files (x86)\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O3 - HKLM\..\Toolbar: (KMP Media Toolbar) - {daf5b34c-1aa3-4c33-ae24-766a370635d2} - C:\Program Files (x86)\kmpmediatoolbar\searchresultsDx.dll (Ask.com)
O3:64bit: - HKU\S-1-5-21-2448071376-1067175635-125407750-1000\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll ()
O3 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [nctpi] C:\Users\kingy\AppData\Roaming\nctpi.dll (DT Soft Ltd)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] F:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] F:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe_ID0ENQBO] C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BigPondWirelessBroadbandCM] C:\Program Files (x86)\Telstra\Mobile Broadband Manager\TelstraUCM.exe (Telstra)
O4 - HKLM..\Run: [DT ACR] C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe (Portrait Displays, Inc.)
O4 - HKLM..\Run: [EaseUs Tray] "G:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayNotify.exe" File not found
O4 - HKLM..\Run: [EaseUs Watch] "G:\Program Files (x86)\EaseUS\Todo Backup\bin\EuWatch.exe" File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NUSB3MON] C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (NEC Electronics Corporation)
O4 - HKLM..\Run: [PivotSoftware] C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\Pivot_startup.exe ()
O4 - HKLM..\Run: [SyncCenter] "C:\Program Files (x86)\Common Files\Sync\SyncCenter.exe" /t File not found
O4 - HKLM..\Run: [Vs6sXYle8XGBDXh] C:\Users\kingy\AppData\Roaming\CodeArchiver.exe File not found
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000..\Run: [Actual Multiple Monitors] C:\Program Files (x86)\Actual Multiple Monitors\ActualMultipleMonitorsCenter.exe (Actual Tools)
O4 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000..\Run: [DS3 Tool] C:\Program Files\MotioninJoy\ds3\DS3_Tool.exe (www.motioninjoy.com)
O4 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000..\Run: [Geotag Security] C:\Program Files (x86)\Geotag Security\GeotagSecurity.exe ()
O4 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000..\Run: [Steam] C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
O4 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000..\Run: [Vs6sXYle8XGBDXh] C:\Users\kingy\AppData\Roaming\CodeArchiver.exe File not found
O4 - HKU\S-1-5-21-2448071376-1067175635-125407750-1006..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [DES2] C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2.exe ()
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\RunOnce: [XHD_II] C:\Program Files (x86)\GIGABYTE\XHD_II\XHD2_Tray.exe ()
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-21-2448071376-1067175635-125407750-1006..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\kingy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O8:64bit: - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8:64bit: - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8:64bit: - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll (BitComet)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000\..Trusted Ranges: Range1 ([http] in Trusted sites)
O15 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000\..Trusted Ranges: Range1 ([https] in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 61.9.194.49 61.9.134.49
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{711463CA-A967-4C12-8BFC-258DD70045BE}: DhcpNameServer = 61.9.194.49 61.9.134.49
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{98901648-FAE4-4D53-9267-489D792ADC2C}: DhcpNameServer = 10.20.0.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000 Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000 Winlogon: UserInit - (C:\Users\kingy\AppData\Roaming\CodeArchiver.exe) - File not found
O20 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000 Winlogon: UserInit - (C:\WINDOWS\System32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{2ed78d49-43f7-11e0-b681-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{2ed78d49-43f7-11e0-b681-806e6f6e6963}\Shell\AutoRun\command - "" = G:\Run.exe
O33 - MountPoints2\{9c8a16f6-6efa-11e1-adfb-1c6f6537d18a}\Shell - "" = AutoRun
O33 - MountPoints2\{9c8a16f6-6efa-11e1-adfb-1c6f6537d18a}\Shell\AutoRun\command - "" = K:\WIN\setup.exe
O33 - MountPoints2\{c1b15cbc-43fd-11e0-a921-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{c1b15cbc-43fd-11e0-a921-806e6f6e6963}\Shell\AutoRun\command - "" = G:\autorun.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\SETUP.EXE
O33 - MountPoints2\J\Shell - "" = AutoRun
O33 - MountPoints2\J\Shell\AutoRun\command - "" = J:\FalloutLauncher.exe
O33 - MountPoints2\K\Shell - "" = AutoRun
O33 - MountPoints2\K\Shell\AutoRun\command - "" = K:\SETUP.EXE
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 1 Day ==========

[2012/06/06 08:06:38 | 004,538,040 | ---- | C] (Swearware) -- C:\Users\kingy\Desktop\ComboFix.exe
[2012/06/06 07:50:19 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Users\kingy\Desktop\OTL.exe
[2012/06/06 07:48:55 | 000,000,000 | ---D | C] -- C:\Users\kingy\AppData\Roaming\Malwarebytes
[2012/06/06 07:48:51 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/06/06 07:48:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/06/06 07:48:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/06/06 07:48:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/06/06 07:46:58 | 002,127,448 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\kingy\Desktop\tdsskiller.exe
[2012/06/05 03:26:28 | 000,127,488 | -HS- | C] (DT Soft Ltd) -- C:\Users\kingy\AppData\Roaming\nctpi.dll
[2 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 1 Day ==========

[2012/06/06 08:18:01 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/06/06 08:06:59 | 004,538,040 | ---- | M] (Swearware) -- C:\Users\kingy\Desktop\ComboFix.exe
[2012/06/06 07:50:24 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\kingy\Desktop\OTL.exe
[2012/06/06 07:48:51 | 000,001,122 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/06/06 07:47:13 | 002,127,448 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\kingy\Desktop\tdsskiller.exe
[2012/06/06 07:35:14 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/06 07:35:14 | 000,014,016 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/06 06:04:09 | 000,713,888 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/06/06 06:04:09 | 000,619,206 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/06/06 06:04:09 | 000,107,388 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/06/06 05:59:58 | 000,025,640 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\Windows\gdrv.sys
[2012/06/06 05:59:22 | 000,000,008 | ---- | M] () -- C:\Windows\mvraidver.dat
[2012/06/06 05:59:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/06/06 04:13:29 | 000,283,304 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr
[2012/06/06 04:13:29 | 000,283,304 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2012/06/06 04:13:15 | 000,280,904 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.ex0
[2 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/06 07:48:51 | 000,001,122 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/29 12:26:56 | 000,416,064 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe
[2012/02/11 00:10:12 | 000,017,712 | ---- | C] () -- C:\Windows\DIIUnin.dat
[2011/12/16 12:51:06 | 000,021,840 | ---- | C] () -- C:\Windows\SysWow64\SIntfNT.dll
[2011/12/16 12:51:06 | 000,017,212 | ---- | C] () -- C:\Windows\SysWow64\SIntf32.dll
[2011/12/16 12:51:06 | 000,012,067 | ---- | C] () -- C:\Windows\SysWow64\SIntf16.dll
[2011/12/09 19:40:58 | 000,007,432 | ---- | C] () -- C:\Windows\SysWow64\Machnm32.sys
[2011/12/04 19:15:05 | 000,001,210 | ---- | C] () -- C:\Windows\ARCHPR.INI
[2011/11/30 01:14:58 | 000,000,008 | ---- | C] () -- C:\Windows\mvraidver.dat
[2011/11/30 01:14:56 | 000,000,278 | ---- | C] () -- C:\Windows\SysWow64\mvcli.ini
[2011/10/16 08:18:32 | 000,283,304 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2011/10/15 00:46:48 | 000,076,888 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2011/10/15 00:46:44 | 000,000,331 | ---- | C] () -- C:\Windows\game.ini
[2011/10/15 00:03:05 | 000,034,501 | ---- | C] () -- C:\Windows\scunin.dat
[2011/08/07 16:33:29 | 000,000,262 | ---- | C] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2011/06/27 19:45:45 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\cd.dat
[2011/03/20 01:06:52 | 000,007,598 | ---- | C] () -- C:\Users\kingy\AppData\Local\Resmon.ResmonCfg
[2011/03/04 02:33:35 | 000,001,456 | ---- | C] () -- C:\Users\kingy\AppData\Local\Adobe Save for Web 12.0 Prefs
[2011/03/01 22:22:52 | 000,030,528 | ---- | C] () -- C:\Windows\GVTDrv64.sys
[2011/03/01 22:13:38 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\CommCmd.dll
[2011/03/01 21:54:12 | 000,072,304 | R--- | C] () -- C:\Windows\SysWow64\XSrvSetup.exe
[2011/03/01 21:48:11 | 000,000,010 | ---- | C] () -- C:\Windows\GSetup.ini

========== LOP Check ==========

[2012/03/18 12:56:51 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\Actual Tools
[2011/05/01 18:48:03 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\AnvSoft
[2011/10/14 23:53:36 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\Bioshock
[2011/06/26 16:57:37 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\Bitcoin
[2012/06/05 03:30:10 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\BitComet
[2011/10/16 18:58:27 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\Command and Conquer 4
[2011/06/03 16:29:42 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\DAEMON Tools Lite
[2011/12/09 22:58:18 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\DisplayTune
[2011/12/16 15:46:29 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\DNA
[2012/03/03 09:36:47 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\MotioninJoy
[2011/03/26 21:20:08 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\My Battle for Middle-earth™ II Files
[2011/03/11 21:46:16 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\My Games
[2011/03/27 19:38:25 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\OpenOffice.org
[2011/03/01 23:56:00 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\Opera
[2012/05/23 20:08:47 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\Origin
[2012/05/14 01:01:49 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\PacificPoker
[2011/06/28 20:42:37 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\Perpetuum Planner
[2012/03/16 13:55:32 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\Sierra Wireless
[2012/05/14 17:04:55 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\Soldat
[2012/06/06 08:05:14 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\Telstra
[2012/03/16 15:02:15 | 000,000,000 | ---D | M] -- C:\Users\kingy\AppData\Roaming\TS3Client
[2012/01/06 01:26:55 | 000,032,540 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

Attached file: DDS.zip (10.54 KB)

Edited by Taurich, 05 June 2012 - 10:10 PM.
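Added example, not part of the thread and not an OldTimer, Farbar or BleepingComputer tool: a small Python triage pass over the O1 (hosts), O4 (Run) and O20 (Winlogon) lines of the OTL log above. It flags what a responder reads first in a log like this: a Winlogon Userinit value that is not the stock userinit.exe (here CodeArchiver.exe under AppData\Roaming), Run values that load a DLL or an executable from the user profile or carry a random-looking value name (nctpi.dll, Vs6sXYle8XGBDXh), and hosts-file redirects. The "expected" Winlogon values are an assumption (stock Windows 7, no legitimate logon hook installed), and the sample log embedded in the script is copied from the posted OTL output.

```python
"""Triage the persistence lines (O1 hosts, O4 Run, O20 Winlogon) of an OTL log.

Added example for this thread; it is not an OldTimer or BleepingComputer tool.
The regexes are fitted to the OTL line shapes visible in the posted log, and
SAMPLE_OTL below is copied from that log.
"""
import re
from typing import Dict, List, Tuple

O1_RE = re.compile(r'^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$')
O4_RE = re.compile(r'^O4(?::64bit:)? - (?P<hive>.+?)\.\.\\(?P<key>Run(?:Once)?): '
                   r'\[(?P<name>[^\]]*)\] (?P<rest>.*)$')
O20_RE = re.compile(r'^O20(?::64bit:)? - (?P<hive>.+?) Winlogon: (?P<value>\w+) - '
                    r'\((?P<data>.*?)\) - (?P<resolved>.*)$')
# Tail of an O4 line: <path> [ (Company)] [ File not found]
REST_RE = re.compile(r'^(?P<path>.*?)(?: \((?P<company>[^()]*)\))?(?P<missing>\s?File not found)?$')

# An auto-start that lives in the user profile is the first thing to look at.
USER_WRITABLE = re.compile(r'\\AppData\\(?:Roaming|Local)\\', re.I)
# Value names such as "Vs6sXYle8XGBDXh": 10+ alphanumerics mixing digits and both cases.
RANDOM_NAME = re.compile(r'^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{10,}$')
# Stock Windows 7 Winlogon values (assumption: no legitimate logon hook on this box).
EXPECTED_WINLOGON = {'userinit': r'c:\windows\system32\userinit.exe', 'shell': 'explorer.exe'}


def split_rest(rest: str) -> Tuple[str, bool]:
    """Return (executable path, missing_on_disk) from the tail of an O4 line."""
    m = REST_RE.match(rest)
    path = m.group('path')
    quoted = re.match(r'"([^"]+)"', path)       # '"G:\x\y.exe" /t' -> 'G:\x\y.exe'
    return (quoted.group(1) if quoted else path), m.group('missing') is not None


def triage(log_text: str) -> List[Dict[str, object]]:
    """One finding per suspicious O1/O4/O20 line, in log order."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = O20_RE.match(line)
        if m:
            value, data = m.group('value').lower(), m.group('data').rstrip(',').lower()
            if value in EXPECTED_WINLOGON and data != EXPECTED_WINLOGON[value]:
                findings.append({'rule': 'winlogon-hijack',
                                 'where': f"{m.group('hive')} Winlogon {m.group('value')}",
                                 'what': m.group('data'),
                                 'missing': m.group('resolved') == 'File not found'})
            continue
        m = O4_RE.match(line)
        if m:
            path, missing = split_rest(m.group('rest'))
            reasons = []
            if USER_WRITABLE.search(path):
                reasons.append('autostart-in-appdata')
            if path.lower().endswith('.dll'):       # a DLL as a Run value is loaded via rundll32
                reasons.append('dll-autostart')
            if RANDOM_NAME.match(m.group('name')):
                reasons.append('random-value-name')
            if reasons:
                findings.append({'rule': '+'.join(reasons),
                                 'where': f"{m.group('hive')} {m.group('key')} [{m.group('name')}]",
                                 'what': path, 'missing': missing})
            continue
        m = O1_RE.match(line)
        if m and m.group('host').lower() != 'localhost':   # any other redirect is worth a look
            findings.append({'rule': 'hosts-override', 'where': 'hosts',
                             'what': f"{m.group('host')} -> {m.group('ip')}", 'missing': False})
    return findings


# Constructed sample: lines copied from the OTL log posted above.
SAMPLE_OTL = r"""
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 www.youtube.com
O4:64bit: - HKLM..\Run: [nctpi] C:\Users\kingy\AppData\Roaming\nctpi.dll (DT Soft Ltd)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [EaseUs Tray] "G:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayNotify.exe" File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Vs6sXYle8XGBDXh] C:\Users\kingy\AppData\Roaming\CodeArchiver.exe File not found
O4 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000..\Run: [Steam] C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000 Winlogon: UserInit - (C:\Users\kingy\AppData\Roaming\CodeArchiver.exe) - File not found
O20 - HKU\S-1-5-21-2448071376-1067175635-125407750-1000 Winlogon: UserInit - (C:\WINDOWS\System32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_OTL):
        print(f"{f['rule']:<40} {f['where']}: {f['what']}" + (' (file missing)' if f['missing'] else ''))
```

An entry reported with the file missing is an orphaned value: deleting the binary by hand, as described in the first post, leaves the registry value behind, and for Userinit it is that leftover value, not the removed file, that still has to be cleaned up so that logon works normally.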




#2 CatByte

bleepin' tiger
Malware Response Team, 14,664 posts
Location: Canada

Posted 08 June 2012 - 08:57 PM

Hi

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
(You need the 64-bit version.)
Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter.
Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Taurich

Topic Starter
Members, 6 posts

Posted 09 June 2012 - 05:17 PM

Scan result of Farbar Recovery Scan Tool Version: 09-06-2012 01
Ran by SYSTEM at 10-06-2012 08:05:20
Running from J:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10135584 2010-03-26] (Realtek Semiconductor)
HKLM\...\Run: [nctpi] rundll32.exe "C:\Users\kingy\AppData\Roaming\nctpi.dll",SteamClient [127488 2012-06-04] (DT Soft Ltd)
HKLM\...\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h [9569096 2012-03-11] (COMODO)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [106496 2009-11-20] (NEC Electronics Corporation)
HKLM-x32\...\Run: [EaseUs Watch] "G:\Program Files (x86)\EaseUS\Todo Backup\bin\EuWatch.exe" [x]
HKLM-x32\...\Run: [EaseUs Tray] "G:\Program Files (x86)\EaseUS\Todo Backup\bin\TrayNotify.exe" [x]
HKLM-x32\...\Run: [PivotSoftware] "C:\Program Files (x86)\Portrait Displays\Pivot Pro Plugin\Pivot_startup.exe" -delay=10 [110192 2010-05-12] ()
HKLM-x32\...\Run: [DT ACR] C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe -ACR [121456 2011-05-25] (Portrait Displays, Inc.)
HKLM-x32\...\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin [611712 2008-08-13] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "F:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [x]
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] "F:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [x]
HKLM-x32\...\Run: [Adobe_ID0ENQBO] C:\PROGRA~2\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE [378224 2008-08-14] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BigPondWirelessBroadbandCM] "C:\Program Files (x86)\Telstra\Mobile Broadband Manager\TelstraUCM.exe" -tsr [6199192 2011-09-12] (Telstra)
HKLM-x32\...\Run: [Vs6sXYle8XGBDXh] C:\Users\kingy\AppData\Roaming\CodeArchiver.exe [x]
HKLM-x32\...\Run: [SyncCenter] "C:\Program Files (x86)\Common Files\Sync\SyncCenter.exe" /t [x]
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-03] (Malwarebytes Corporation)
HKLM-x32\...\Run: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe [213304 2011-11-23] (COMODO)
HKLM-x32\...\Run: [CPA] C:\Program Files\COMODO\COMODO GeekBuddy\VALA.exe [184120 2011-11-23] (COMODO)
HKU\kingy\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [1305408 2011-01-20] (DT Soft Ltd)
HKU\kingy\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1242448 2012-03-18] (Valve Corporation)
HKU\kingy\...\Run: [DS3 Tool] C:\Program Files\MotioninJoy\ds3\DS3_Tool.exe -mini [110352 2010-12-31] (www.motioninjoy.com)
HKU\kingy\...\Run: [Actual Multiple Monitors] "C:\Program Files (x86)\Actual Multiple Monitors\ActualMultipleMonitorsCenter.exe" [1495880 2011-11-22] (Actual Tools)
HKU\kingy\...\Run: [Vs6sXYle8XGBDXh] C:\Users\kingy\AppData\Roaming\CodeArchiver.exe [x]
HKU\kingy\...\Run: [msbriw] "C:\Windows\System32\rundll32.exe" "C:\Users\kingy\AppData\Roaming\msbriw.dll",GetShaderOutputSemantics [351232 2012-06-07] (C-Media Electronics Inc.)
HKU\kingy\...\Run: [Geotag Security] C:\Program Files (x86)\Geotag Security\GeotagSecurity.exe -hide [3973512 2011-10-10] ()
HKU\kingy\...\Winlogon: [Userinit] C:\Users\kingy\AppData\Roaming\CodeArchiver.exe,C:\WINDOWS\System32\userinit.exe, [30208 2009-07-13] (Microsoft Corporation)
HKU\kingy\...\Winlogon: [Shell] explorer.exe
HKLM-x32\...\RunOnce: [DES2] C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2.exe state [354856 2010-04-14] ()
HKLM-x32\...\RunOnce: [XHD_II] C:\Program Files (x86)\gigabyte\xhd_ii\xhd2_tray.exe [207400 2009-10-06] ()
Tcpip\Parameters: [DhcpNameServer] 61.9.211.33 61.9.188.33
AppInit_DLLs: C:\Windows\system32\guard64.dll
Tcpip\..\Interfaces\{98901648-FAE4-4D53-9267-489D792ADC2C}: [NameServer]8.26.56.26,156.154.70.22
Startup: C:\Users\kingy\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Services (Whitelisted) ======

3 Adobe Version Cue CS4; "C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe" -win32service [284016 2008-08-14] (Adobe Systems Incorporated)
3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-05] ()
3 BITCOMET_HELPER_SERVICE; C:\Program Files\BitComet\tools\BitCometService.exe -service [1296728 2010-12-28] (www.BitComet.com)
2 CLPSLS; C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe [1267000 2011-11-23] (COMODO)
2 cmdAgent; "C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe" [2815496 2012-03-11] (COMODO)
2 DES2 Service; "C:\Program Files (x86)\GIGABYTE\EnergySaver2\des2svr.exe" [68136 2009-06-16] ()
2 DragonUpdater; C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [412304 2012-05-29] ()
2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [129648 2011-05-25] (Portrait Displays, Inc.)
2 JMB36X; C:\Windows\SysWOW64\XSrvSetup.exe [72304 2010-01-18] ()
2 Marvell RAID; C:\Program Files (x86)\Marvell\raid\svc\mvraidsvc.exe [235560 2010-03-07] ()
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-03] (Malwarebytes Corporation)
2 MRUWebService; "C:\Program Files (x86)\Marvell\raid\Apache2\bin\httpd.exe" -k runservice [24635 2008-06-12] (Apache Software Foundation)
2 PdiService; C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [113264 2011-05-04] (Portrait Displays, Inc.)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-06-02] ()
2 Smart TimeLock; C:\Program Files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe [114688 2009-10-12] (Gigabyte Technology CO., LTD.)
2 SwiCardDetectSvc; "C:\Program Files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe" [317296 2011-06-23] (Sierra Wireless, Inc.)
2 EaseUS Agent; C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe [x]
2 Guard Agent; C:\Program Files (x86)\EaseUS\Todo Backup\bin\GuardAgent.exe [x]
2 PanService; C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe [x]

========================== Drivers (Whitelisted) =============

2 adfs; C:\Windows\SysWow64\Drivers\adfs.sys [74720 2008-08-13] (Adobe Systems, Inc.)
3 AIDA64Driver; \??\C:\Program Files (x86)\FinalWire\AIDA64 Extreme Edition\kerneld.x64 [27808 2011-05-04] ()
1 AppleCharger; C:\Windows\System32\Drivers\AppleCharger.sys [21544 2010-04-21] ()
2 atksgt; C:\Windows\System32\Drivers\atksgt.sys [310984 2011-06-02] ()
1 cmdGuard; C:\Windows\System32\Drivers\cmdGuard.sys [577824 2012-03-11] (COMODO)
1 cmdHlp; C:\Windows\System32\Drivers\cmdHlp.sys [43248 2012-03-11] (COMODO)
1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [254528 2011-06-02] (DT Soft Ltd)
3 etdrv; \??\C:\Windows\etdrv.sys [25640 2012-01-03] (Windows ® Server 2003 DDK provider)
0 EUBAKUP; C:\Windows\System32\Drivers\EUBAKUP.sys [44680 2011-10-21] (CHENGDU YIWO Tech Development Co., Ltd)
0 EUBKMON; C:\Windows\System32\Drivers\EUBKMON.sys [50312 2011-10-21] ()
1 EUDSKACS; C:\Windows\System32\Drivers\EUDSKACS.sys [19592 2011-10-21] (CHENGDU YIWO Tech Development Co., Ltd)
1 EUFDDISK; C:\Windows\System32\Drivers\EUFDDISK.sys [189576 2011-10-21] (CHENGDU YIWO Tech Development Co., Ltd)
3 gdrv; \??\C:\Windows\gdrv.sys [25640 2012-06-09] (Windows ® Server 2003 DDK provider)
3 GVTDrv64; \??\C:\Windows\GVTDrv64.sys [30528 2012-01-14] ()
1 inspect; C:\Windows\System32\Drivers\inspect.sys [93200 2012-02-03] (COMODO)
1 ISODrive; \??\C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys [115600 2010-01-28] (EZB Systems, Inc.)
0 JRAID; C:\Windows\System32\Drivers\JRAID.sys [115312 2010-01-27] (JMicron Technology Corp.)
2 lirsgt; C:\Windows\System32\Drivers\lirsgt.sys [42696 2011-06-02] ()
3 massfilter; C:\Windows\System32\Drivers\massfilter.sys [9216 2010-07-15] (ZTE Incorporated)
3 massfilter_lte; C:\Windows\System32\Drivers\massfilter_lte.sys [18456 2011-08-08] (HandSet Incorporated)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-04-03] (Malwarebytes Corporation)
0 mv91cons; C:\Windows\System32\Drivers\mv91cons.sys [22568 2009-10-26] (Marvell Semiconductor Inc.)
3 PdiPorts; C:\Windows\System32\Drivers\PdiPorts.sys [20592 2011-05-04] (Portrait Displays, Inc.)
3 RTCore64; \??\C:\Program Files (x86)\EVGA Precision\RTCore64.sys [14440 2011-01-17] ()
2 RtNdPt60; C:\Windows\System32\Drivers\RtNdPt60.sys [27136 2009-07-19] (Realtek )
3 RTTEAMPT; C:\Windows\System32\DRIVERS\RtTeam60.sys [51712 2009-12-21] (Realtek Corporation)
3 RTVLANPT; C:\Windows\System32\DRIVERS\RtVlan60.sys [24064 2007-12-02] (Windows ® Codename Longhorn DDK provider)
0 speedfan; C:\Windows\SysWow64\speedfan.sys [29592 2011-03-18] (Almico Software)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [513080 2011-10-14] (Duplex Secure Ltd.)
3 swg3kser00; C:\Windows\System32\Drivers\swg3kser00.sys [258432 2011-07-20] (Sierra Wireless Incorporated)
3 swiwdmbx; C:\Windows\System32\DRIVERS\swiwdmbx64.sys [109312 2011-07-20] (Sierra Wireless Inc.)
3 SWNC8UA3; C:\Windows\System32\Drivers\SWNC8UA3.sys [249344 2011-07-20] (Sierra Wireless Inc.)
3 TEAM; C:\Windows\System32\DRIVERS\RtTeam60.sys [51712 2009-12-21] (Realtek Corporation)
3 TrojanKillerDriver; C:\Windows\System32\DRIVERS\gtkdrv.sys [16640 2012-01-04] (Windows ® Win 7 DDK provider)
3 ZTEusbmdm6k; C:\Windows\System32\Drivers\ZTEusbmdm6k.sys [121344 2010-07-15] (ZTE Incorporated)
3 ZTEusbnmea; C:\Windows\System32\Drivers\ZTEusbnmea.sys [121344 2010-07-15] (ZTE Incorporated)
3 ZTEusbser6k; C:\Windows\System32\Drivers\ZTEusbser6k.sys [121344 2010-07-15] (ZTE Incorporated)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-06-09 14:01 - 2012-06-09 14:01 - 00137471 ____A C:\Users\kingy\Desktop\topic455995.html
2012-06-09 14:01 - 2012-06-09 14:01 - 00000000 ____D C:\Users\kingy\Desktop\topic455995_files
2012-06-08 19:18 - 2012-06-08 19:18 - 00065536 __ASH C:\Windows\System32\config\COMPONENTS{e56777cc-5d62-11e0-ac9a-df6340cf5120}.TxR.blf
2012-06-08 16:41 - 2012-06-08 16:42 - 09316328 ____A C:\Users\kingy\Downloads\19 - AlienHand - We Are EVE (FF12 version).mp3
2012-06-07 13:20 - 2012-06-07 13:23 - 00000245 ____A C:\Users\kingy\Documents\link.txt
2012-06-07 12:50 - 2012-06-08 04:56 - 00001051 ____A C:\Users\Public\Desktop\Comodo Dragon.lnk
2012-06-07 12:50 - 2012-06-07 12:50 - 00001846 ____A C:\Users\Public\Desktop\COMODO Firewall.lnk
2012-06-07 12:50 - 2012-06-07 12:50 - 00001058 ____A C:\Users\Public\Desktop\COMODO GeekBuddy.lnk
2012-06-07 12:50 - 2012-06-07 12:50 - 00000000 ____D C:\Program Files\COMODO
2012-06-07 08:08 - 2012-06-07 08:08 - 00291104 ____A C:\Windows\Minidump\060812-17674-01.dmp
2012-06-07 07:00 - 2012-06-07 07:00 - 00351232 ____A (C-Media Electronics Inc.) C:\Users\kingy\AppData\Roaming\msbriw.dll
2012-06-07 07:00 - 2012-06-07 07:00 - 00291112 ____A C:\Windows\Minidump\060812-17799-01.dmp
2012-06-07 07:00 - 2012-06-07 07:00 - 00000000 ____D C:\Users\kingy\AppData\Local\{91B6F8BD-B0B1-11E1-8270-B8AC6F996F26}
2012-06-05 21:41 - 2012-06-08 08:45 - 00000000 ____D C:\Users\All Users\Comodo
2012-06-05 21:39 - 2012-06-05 21:39 - 00000000 ____D C:\Users\kingy\AppData\Local\Privatefirewall
2012-06-05 21:35 - 2012-06-09 13:08 - 00000028 ____A C:\Windows\ODBC.INI
2012-06-05 21:35 - 2012-06-05 21:35 - 03735376 ____A (PWI, Inc. ) C:\Users\kingy\Downloads\privatefirewall.exe
2012-06-05 21:35 - 2012-06-05 21:35 - 00000000 ____D C:\Users\All Users\Privacyware
2012-06-05 21:16 - 2012-06-05 21:16 - 00000000 ____D C:\Users\All Users\CPA_VA
2012-06-05 20:51 - 2012-06-05 20:51 - 00000000 ____D C:\Users\Public\Documents\COMODO
2012-06-05 18:34 - 2012-06-08 04:56 - 00000000 ____D C:\Program Files (x86)\Comodo
2012-06-05 18:34 - 2012-06-05 18:34 - 01700352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gdiplus.dll
2012-06-05 18:34 - 2012-06-05 18:34 - 00000000 ____D C:\Users\kingy\AppData\Local\Comodo
2012-06-05 15:01 - 2012-06-05 15:01 - 00010791 ____A C:\Users\kingy\Documents\DDS.zip
2012-06-05 15:00 - 2012-06-05 15:00 - 00023749 ____A C:\Users\kingy\Documents\DDS.txt
2012-06-05 15:00 - 2012-06-05 15:00 - 00014734 ____A C:\Users\kingy\Documents\Attach.txt
2012-06-05 14:14 - 2012-06-05 14:14 - 00302592 ____A C:\Users\kingy\Downloads\sijqrsdx.exe
2012-06-05 14:06 - 2012-06-05 14:06 - 04538040 ____A (Swearware) C:\Users\kingy\Desktop\ComboFix.exe
2012-06-05 13:54 - 2012-06-05 14:22 - 00106074 ____A C:\Users\kingy\Desktop\OTL.Txt
2012-06-05 13:54 - 2012-06-05 14:13 - 00055366 ____A C:\Users\kingy\Desktop\Extras.Txt
2012-06-05 13:50 - 2012-06-05 13:50 - 00596480 ____A (OldTimer Tools) C:\Users\kingy\Desktop\OTL.exe
2012-06-05 13:48 - 2012-06-05 13:48 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\kingy\Downloads\mbam-setup-1.61.0.1400.exe
2012-06-05 13:48 - 2012-06-05 13:48 - 00001122 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-05 13:48 - 2012-06-05 13:48 - 00000000 ____D C:\Users\kingy\AppData\Roaming\Malwarebytes
2012-06-05 13:48 - 2012-06-05 13:48 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-05 13:48 - 2012-06-05 13:48 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-05 13:48 - 2012-04-03 21:56 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-05 13:46 - 2012-06-05 13:47 - 02127448 ____A (Kaspersky Lab ZAO) C:\Users\kingy\Desktop\tdsskiller.exe
2012-06-05 12:39 - 2012-06-05 14:04 - 00000011 ____A C:\Users\kingy\Documents\virus.txt
2012-06-04 11:20 - 2012-06-04 11:20 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-04 10:55 - 2012-06-04 10:55 - 00023315 ____A C:\Users\kingy\Documents\scan-2012-06-05 [04-44-54].log
2012-06-04 10:16 - 2012-06-04 10:44 - 00000000 ____D C:\Program Files (x86)\GridinSoft Trojan Killer
2012-06-04 10:16 - 2012-06-04 10:16 - 00001152 ____A C:\Users\Public\Desktop\Trojan Killer.lnk
2012-06-04 09:37 - 2012-06-04 10:54 - 00466180 ____A C:\Windows\ntbtlog.txt
2012-06-04 09:26 - 2012-06-04 09:26 - 00127488 __ASH (DT Soft Ltd) C:\Users\kingy\AppData\Roaming\nctpi.dll
2012-06-04 06:34 - 2012-06-04 06:35 - 00000977 ____A C:\Users\kingy\Desktop\SiSi.lnk
2012-06-02 16:19 - 2012-06-02 20:37 - 00000000 ____D C:\Users\kingy\AppData\Local\ESN Sonar
2012-06-02 02:15 - 2012-06-08 08:47 - 00283304 ____A C:\Windows\SysWOW64\PnkBstrB.xtr
2012-06-02 02:15 - 2012-06-08 01:49 - 00000000 ____D C:\Program Files (x86)\Battlelog Web Plugins
2012-06-02 02:15 - 2012-06-02 02:15 - 00000000 ____D C:\Users\kingy\Documents\Battlefield 3
2012-06-02 02:14 - 2012-06-02 05:02 - 00000000 ____D C:\Users\All Users\EA Logs
2012-06-02 02:14 - 2012-06-02 02:14 - 00000000 ____D C:\Users\All Users\EA Core
2012-06-02 01:29 - 2012-06-02 01:30 - 00000000 ____D C:\Users\Public\Update
2012-06-02 01:18 - 2012-06-02 01:18 - 00000857 ____A C:\Users\Public\Desktop\Battlefield 3.lnk
2012-06-02 00:49 - 2010-06-01 10:55 - 00527192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAudio2_7.dll
2012-06-02 00:49 - 2010-06-01 10:55 - 00518488 ____A (Microsoft Corporation) C:\Windows\System32\XAudio2_7.dll
2012-06-02 00:49 - 2010-06-01 10:55 - 00239960 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine3_7.dll
2012-06-02 00:49 - 2010-06-01 10:55 - 00176984 ____A (Microsoft Corporation) C:\Windows\System32\xactengine3_7.dll
2012-06-02 00:49 - 2010-06-01 10:55 - 00077656 ____A (Microsoft Corporation) C:\Windows\System32\XAPOFX1_5.dll
2012-06-02 00:49 - 2010-06-01 10:55 - 00074072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\XAPOFX1_5.dll
2012-06-02 00:49 - 2010-05-25 17:41 - 02526056 ____A (Microsoft Corporation) C:\Windows\System32\D3DCompiler_43.dll
2012-06-02 00:49 - 2010-05-25 17:41 - 02401112 ____A (Microsoft Corporation) C:\Windows\System32\D3DX9_43.dll
2012-06-02 00:49 - 2010-05-25 17:41 - 02106216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_43.dll
2012-06-02 00:49 - 2010-05-25 17:41 - 01998168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_43.dll
2012-06-02 00:49 - 2010-05-25 17:41 - 01907552 ____A (Microsoft Corporation) C:\Windows\System32\d3dcsx_43.dll
2012-06-02 00:49 - 2010-05-25 17:41 - 01868128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dcsx_43.dll
2012-06-02 00:49 - 2010-05-25 17:41 - 00511328 ____A (Microsoft Corporation) C:\Windows\System32\d3dx10_43.dll
2012-06-02 00:49 - 2010-05-25 17:41 - 00470880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_43.dll
2012-06-02 00:49 - 2010-05-25 17:41 - 00276832 ____A (Microsoft Corporation) C:\Windows\System32\d3dx11_43.dll
2012-06-02 00:49 - 2010-05-25 17:41 - 00248672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx11_43.dll
2012-05-29 10:00 - 2012-05-29 10:00 - 00291168 ____A C:\Windows\Minidump\053012-19593-01.dmp
2012-05-26 00:03 - 2012-05-26 00:03 - 00000008 ____A C:\Users\kingy\Documents\88.txt
2012-05-23 02:06 - 2012-05-23 02:08 - 00000000 ____D C:\Program Files (x86)\Origin
2012-05-23 01:57 - 2012-05-23 01:57 - 00291112 ____A C:\Windows\Minidump\052312-16348-01.dmp
2012-05-23 00:22 - 2012-05-23 00:22 - 01584080 ____A C:\Users\kingy\Downloads\cope.wav
2012-05-21 00:41 - 2012-05-21 00:41 - 00020714 ____A C:\Users\kingy\Downloads\580096_2980218839082_1670270080_1805394_454705101_n.jpg
2012-05-20 08:16 - 2012-05-20 08:16 - 00291168 ____A C:\Windows\Minidump\052112-16848-01.dmp
2012-05-20 00:17 - 2012-05-20 00:17 - 00000000 ____D C:\Users\kingy\AppData\Local\Geotag Security
2012-05-20 00:17 - 2012-05-20 00:17 - 00000000 ____D C:\Program Files (x86)\Geotag Security
2012-05-15 10:47 - 2012-05-15 10:54 - 00017408 ____A C:\Users\kingy\Documents\clintsres.doc
2012-05-15 07:48 - 2012-05-15 07:48 - 00291112 ____A C:\Windows\Minidump\051612-20046-01.dmp
2012-05-14 06:13 - 2012-05-14 06:13 - 00001509 ____A C:\Users\kingy\Documents\clintsresbackup.rtf
2012-05-13 23:05 - 2012-05-13 23:05 - 00000638 ____A C:\Users\kingy\Desktop\Soldat Mod Starter.lnk
2012-05-13 12:47 - 2012-05-13 12:47 - 00000056 ____A C:\Users\kingy\Documents\dasilk.txt
2012-05-13 06:59 - 2012-05-31 04:21 - 00000000 ____D C:\Users\kingy\Documents\888poker
2012-05-13 06:59 - 2012-05-13 07:01 - 00000000 ____D C:\Users\kingy\AppData\Roaming\PacificPoker
2012-05-13 06:59 - 2012-05-13 06:59 - 00002016 ____A C:\Users\UpdatusUser\Desktop\888poker.lnk
2012-05-13 06:59 - 2012-05-13 06:59 - 00002016 ____A C:\Users\kingy\Desktop\888poker.lnk
2012-05-13 06:59 - 2012-05-13 06:59 - 00000000 ____D C:\Program Files (x86)\PacificPoker
2012-05-12 02:38 - 2012-05-12 02:38 - 00000000 ____D C:\Users\All Users\Mozilla
2012-05-12 02:38 - 2012-05-12 02:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-05-12 02:35 - 2012-05-12 02:35 - 00291112 ____A C:\Windows\Minidump\051212-17487-01.dmp
2012-05-11 06:56 - 2012-05-11 06:48 - 00679091 ____A C:\Users\kingy\Documents\IMG_0008.JPG
2012-05-11 06:56 - 2012-05-11 06:48 - 00671692 ____A C:\Users\kingy\Documents\IMG_0007.JPG
2012-05-11 06:56 - 2012-05-11 06:48 - 00650213 ____A C:\Users\kingy\Documents\IMG_0006.JPG
2012-05-11 06:56 - 2012-05-11 06:47 - 00814257 ____A C:\Users\kingy\Documents\IMG_0005.JPG
2012-05-11 06:56 - 2012-05-11 06:47 - 00682014 ____A C:\Users\kingy\Documents\IMG_0004.JPG
2012-05-11 06:56 - 2012-05-11 06:47 - 00594719 ____A C:\Users\kingy\Documents\IMG_0003.JPG
2012-05-11 06:56 - 2012-05-11 06:46 - 00642992 ____A C:\Users\kingy\Documents\IMG_0002.JPG


============ 3 Months Modified Files and Folders =============

2012-06-10 08:05 - 2012-06-10 08:05 - 00000000 ____D C:\FRST
2012-06-09 14:02 - 2011-03-01 03:33 - 01478270 ____A C:\Windows\WindowsUpdate.log
2012-06-09 14:01 - 2012-06-09 14:01 - 00137471 ____A C:\Users\kingy\Desktop\topic455995.html
2012-06-09 14:01 - 2012-06-09 14:01 - 00000000 ____D C:\Users\kingy\Desktop\topic455995_files
2012-06-09 13:56 - 2009-07-13 21:13 - 00713888 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-09 13:47 - 2009-07-13 20:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-06-09 13:47 - 2009-07-13 20:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-06-09 13:41 - 2011-03-01 04:17 - 00025640 ____A (Windows ® Server 2003 DDK provider) C:\Windows\gdrv.sys
2012-06-09 13:40 - 2012-04-03 00:20 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-06-09 13:40 - 2012-02-12 01:35 - 00000000 ____D C:\Program Files (x86)\Steam
2012-06-09 13:40 - 2011-11-29 07:14 - 00000008 ____A C:\Windows\mvraidver.dat
2012-06-09 13:40 - 2011-03-04 09:42 - 00000000 ____D C:\Fraps
2012-06-09 13:40 - 2011-03-01 04:23 - 00000000 ____D C:\Users\All Users\NVIDIA
2012-06-09 13:40 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-06-09 13:40 - 2009-07-13 20:51 - 00080872 ____A C:\Windows\setupact.log
2012-06-09 13:08 - 2012-06-05 21:35 - 00000028 ____A C:\Windows\ODBC.INI
2012-06-09 13:02 - 2011-03-19 07:06 - 00007602 ____A C:\Users\kingy\AppData\Local\Resmon.ResmonCfg
2012-06-09 12:51 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2012-06-09 12:20 - 2012-03-17 19:45 - 00000000 ____D C:\users\UpdatusUser
2012-06-09 12:18 - 2009-07-13 21:08 - 00032584 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-09 02:09 - 2012-03-15 19:59 - 00000000 ____D C:\Users\kingy\AppData\Roaming\Telstra
2012-06-08 19:18 - 2012-06-08 19:18 - 00065536 __ASH C:\Windows\System32\config\COMPONENTS{e56777cc-5d62-11e0-ac9a-df6340cf5120}.TxR.blf
2012-06-08 18:06 - 2011-06-22 02:38 - 00000000 ____D C:\Users\kingy\AppData\Local\ElevatedDiagnostics
2012-06-08 17:12 - 2011-12-22 19:07 - 00000000 ____D C:\Users\kingy\AppData\Roaming\vlc
2012-06-08 16:42 - 2012-06-08 16:41 - 09316328 ____A C:\Users\kingy\Downloads\19 - AlienHand - We Are EVE (FF12 version).mp3
2012-06-08 14:25 - 2011-12-06 04:02 - 00000000 ____D C:\Users\kingy\.pyfa
2012-06-08 10:49 - 2011-03-01 04:46 - 00000000 ____D C:\Program Files (x86)\EVGA Precision
2012-06-08 08:47 - 2012-06-02 02:15 - 00283304 ____A C:\Windows\SysWOW64\PnkBstrB.xtr
2012-06-08 08:47 - 2011-10-15 14:18 - 00283304 ____A C:\Windows\SysWOW64\PnkBstrB.exe
2012-06-08 08:47 - 2011-10-15 14:18 - 00280904 ____A C:\Windows\SysWOW64\PnkBstrB.ex0
2012-06-08 08:45 - 2012-06-05 21:41 - 00000000 ____D C:\Users\All Users\Comodo
2012-06-08 04:56 - 2012-06-07 12:50 - 00001051 ____A C:\Users\Public\Desktop\Comodo Dragon.lnk
2012-06-08 04:56 - 2012-06-05 18:34 - 00000000 ____D C:\Program Files (x86)\Comodo
2012-06-08 01:49 - 2012-06-02 02:15 - 00000000 ____D C:\Program Files (x86)\Battlelog Web Plugins
2012-06-07 13:23 - 2012-06-07 13:20 - 00000245 ____A C:\Users\kingy\Documents\link.txt
2012-06-07 12:50 - 2012-06-07 12:50 - 00001846 ____A C:\Users\Public\Desktop\COMODO Firewall.lnk
2012-06-07 12:50 - 2012-06-07 12:50 - 00001058 ____A C:\Users\Public\Desktop\COMODO GeekBuddy.lnk
2012-06-07 12:50 - 2012-06-07 12:50 - 00000000 ____D C:\Program Files\COMODO
2012-06-07 12:50 - 2011-03-01 03:42 - 00000000 ____D C:\Users\kingy\AppData\LocalLow
2012-06-07 08:08 - 2012-06-07 08:08 - 00291104 ____A C:\Windows\Minidump\060812-17674-01.dmp
2012-06-07 08:08 - 2011-03-11 23:40 - 00000000 ____D C:\Windows\Minidump
2012-06-07 07:00 - 2012-06-07 07:00 - 00351232 ____A (C-Media Electronics Inc.) C:\Users\kingy\AppData\Roaming\msbriw.dll
2012-06-07 07:00 - 2012-06-07 07:00 - 00291112 ____A C:\Windows\Minidump\060812-17799-01.dmp
2012-06-07 07:00 - 2012-06-07 07:00 - 00000000 ____D C:\Users\kingy\AppData\Local\{91B6F8BD-B0B1-11E1-8270-B8AC6F996F26}
2012-06-07 06:59 - 2011-05-15 13:36 - 00012736 ____A C:\Windows\PFRO.log
2012-06-07 02:58 - 2011-03-01 09:41 - 00000000 ____D C:\Users\kingy\AppData\Roaming\BitComet
2012-06-05 23:25 - 2012-04-23 09:35 - 00001377 ____A C:\Windows\System32\Drivers\etc\hosts
2012-06-05 21:39 - 2012-06-05 21:39 - 00000000 ____D C:\Users\kingy\AppData\Local\Privatefirewall
2012-06-05 21:35 - 2012-06-05 21:35 - 03735376 ____A (PWI, Inc. ) C:\Users\kingy\Downloads\privatefirewall.exe
2012-06-05 21:35 - 2012-06-05 21:35 - 00000000 ____D C:\Users\All Users\Privacyware
2012-06-05 21:16 - 2012-06-05 21:16 - 00000000 ____D C:\Users\All Users\CPA_VA
2012-06-05 20:51 - 2012-06-05 20:51 - 00000000 ____D C:\Users\Public\Documents\COMODO
2012-06-05 18:34 - 2012-06-05 18:34 - 01700352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gdiplus.dll
2012-06-05 18:34 - 2012-06-05 18:34 - 00000000 ____D C:\Users\kingy\AppData\Local\Comodo
2012-06-05 15:01 - 2012-06-05 15:01 - 00010791 ____A C:\Users\kingy\Documents\DDS.zip
2012-06-05 15:00 - 2012-06-05 15:00 - 00023749 ____A C:\Users\kingy\Documents\DDS.txt
2012-06-05 15:00 - 2012-06-05 15:00 - 00014734 ____A C:\Users\kingy\Documents\Attach.txt
2012-06-05 14:22 - 2012-06-05 13:54 - 00106074 ____A C:\Users\kingy\Desktop\OTL.Txt
2012-06-05 14:14 - 2012-06-05 14:14 - 00302592 ____A C:\Users\kingy\Downloads\sijqrsdx.exe
2012-06-05 14:13 - 2012-06-05 13:54 - 00055366 ____A C:\Users\kingy\Desktop\Extras.Txt
2012-06-05 14:06 - 2012-06-05 14:06 - 04538040 ____A (Swearware) C:\Users\kingy\Desktop\ComboFix.exe
2012-06-05 14:04 - 2012-06-05 12:39 - 00000011 ____A C:\Users\kingy\Documents\virus.txt
2012-06-05 13:50 - 2012-06-05 13:50 - 00596480 ____A (OldTimer Tools) C:\Users\kingy\Desktop\OTL.exe
2012-06-05 13:48 - 2012-06-05 13:48 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\kingy\Downloads\mbam-setup-1.61.0.1400.exe
2012-06-05 13:48 - 2012-06-05 13:48 - 00001122 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-06-05 13:48 - 2012-06-05 13:48 - 00000000 ____D C:\Users\kingy\AppData\Roaming\Malwarebytes
2012-06-05 13:48 - 2012-06-05 13:48 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-06-05 13:48 - 2012-06-05 13:48 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-05 13:47 - 2012-06-05 13:46 - 02127448 ____A (Kaspersky Lab ZAO) C:\Users\kingy\Desktop\tdsskiller.exe
2012-06-04 11:20 - 2012-06-04 11:20 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-04 10:55 - 2012-06-04 10:55 - 00023315 ____A C:\Users\kingy\Documents\scan-2012-06-05 [04-44-54].log
2012-06-04 10:54 - 2012-06-04 09:37 - 00466180 ____A C:\Windows\ntbtlog.txt
2012-06-04 10:44 - 2012-06-04 10:16 - 00000000 ____D C:\Program Files (x86)\GridinSoft Trojan Killer
2012-06-04 10:16 - 2012-06-04 10:16 - 00001152 ____A C:\Users\Public\Desktop\Trojan Killer.lnk
2012-06-04 09:26 - 2012-06-04 09:26 - 00127488 __ASH (DT Soft Ltd) C:\Users\kingy\AppData\Roaming\nctpi.dll
2012-06-04 06:35 - 2012-06-04 06:34 - 00000977 ____A C:\Users\kingy\Desktop\SiSi.lnk
2012-06-02 20:37 - 2012-06-02 16:19 - 00000000 ____D C:\Users\kingy\AppData\Local\ESN Sonar
2012-06-02 05:02 - 2012-06-02 02:14 - 00000000 ____D C:\Users\All Users\EA Logs
2012-06-02 02:29 - 2011-10-14 06:46 - 00076888 ____A C:\Windows\SysWOW64\PnkBstrA.exe
2012-06-02 02:15 - 2012-06-02 02:15 - 00000000 ____D C:\Users\kingy\Documents\Battlefield 3
2012-06-02 02:15 - 2011-10-14 06:48 - 00000000 ____D C:\Users\kingy\AppData\Local\PunkBuster
2012-06-02 02:14 - 2012-06-02 02:14 - 00000000 ____D C:\Users\All Users\EA Core
2012-06-02 02:14 - 2012-03-05 20:56 - 00000000 ____D C:\Users\All Users\Electronic Arts
2012-06-02 01:30 - 2012-06-02 01:29 - 00000000 ____D C:\Users\Public\Update
2012-06-02 01:20 - 2012-03-05 20:56 - 00000000 ____D C:\Users\All Users\Origin
2012-06-02 01:18 - 2012-06-02 01:18 - 00000857 ____A C:\Users\Public\Desktop\Battlefield 3.lnk
2012-06-02 01:18 - 2011-03-01 04:45 - 00300706 ____A C:\Windows\DirectX.log
2012-05-31 04:21 - 2012-05-13 06:59 - 00000000 ____D C:\Users\kingy\Documents\888poker
2012-05-29 10:00 - 2012-05-29 10:00 - 00291168 ____A C:\Windows\Minidump\053012-19593-01.dmp
2012-05-29 10:00 - 2012-03-19 20:38 - 00000438 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2012-05-26 00:03 - 2012-05-26 00:03 - 00000008 ____A C:\Users\kingy\Documents\88.txt
2012-05-23 02:08 - 2012-05-23 02:06 - 00000000 ____D C:\Program Files (x86)\Origin
2012-05-23 02:08 - 2012-03-05 20:56 - 00000000 ____D C:\Users\kingy\AppData\Roaming\Origin
2012-05-23 02:07 - 2012-03-05 20:56 - 00003615 ____A C:\Windows\KB893803v2.log
2012-05-23 02:06 - 2012-03-05 20:56 - 00000992 ____A C:\Users\Public\Desktop\Origin.lnk
2012-05-23 01:57 - 2012-05-23 01:57 - 00291112 ____A C:\Windows\Minidump\052312-16348-01.dmp
2012-05-23 00:22 - 2012-05-23 00:22 - 01584080 ____A C:\Users\kingy\Downloads\cope.wav
2012-05-21 00:41 - 2012-05-21 00:41 - 00020714 ____A C:\Users\kingy\Downloads\580096_2980218839082_1670270080_1805394_454705101_n.jpg
2012-05-20 08:16 - 2012-05-20 08:16 - 00291168 ____A C:\Windows\Minidump\052112-16848-01.dmp
2012-05-20 00:17 - 2012-05-20 00:17 - 00000000 ____D C:\Users\kingy\AppData\Local\Geotag Security
2012-05-20 00:17 - 2012-05-20 00:17 - 00000000 ____D C:\Program Files (x86)\Geotag Security
2012-05-18 21:16 - 2011-03-03 08:33 - 00001456 ____A C:\Users\kingy\AppData\Local\Adobe Save for Web 12.0 Prefs
2012-05-16 17:36 - 2012-02-14 01:33 - 00074752 __ASH C:\Users\kingy\Documents\Thumbs.db
2012-05-16 03:28 - 2011-03-11 03:14 - 00000000 ____D C:\Users\kingy\Documents\My ISO Files
2012-05-15 10:54 - 2012-05-15 10:47 - 00017408 ____A C:\Users\kingy\Documents\clintsres.doc
2012-05-15 07:48 - 2012-05-15 07:48 - 00291112 ____A C:\Windows\Minidump\051612-20046-01.dmp
2012-05-15 07:48 - 2011-03-02 07:06 - 00081008 ____A C:\Users\kingy\AppData\Local\GDIPFONTCACHEV1.DAT
2012-05-15 07:48 - 2009-07-13 20:45 - 02929896 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-14 06:13 - 2012-05-14 06:13 - 00001509 ____A C:\Users\kingy\Documents\clintsresbackup.rtf
2012-05-13 23:05 - 2012-05-13 23:05 - 00000638 ____A C:\Users\kingy\Desktop\Soldat Mod Starter.lnk
2012-05-13 23:04 - 2011-10-14 04:04 - 00000000 ____D C:\Users\kingy\AppData\Roaming\Soldat
2012-05-13 12:47 - 2012-05-13 12:47 - 00000056 ____A C:\Users\kingy\Documents\dasilk.txt
2012-05-13 07:01 - 2012-05-13 06:59 - 00000000 ____D C:\Users\kingy\AppData\Roaming\PacificPoker
2012-05-13 06:59 - 2012-05-13 06:59 - 00002016 ____A C:\Users\UpdatusUser\Desktop\888poker.lnk
2012-05-13 06:59 - 2012-05-13 06:59 - 00002016 ____A C:\Users\kingy\Desktop\888poker.lnk
2012-05-13 06:59 - 2012-05-13 06:59 - 00000000 ____D C:\Program Files (x86)\PacificPoker
2012-05-13 06:18 - 2012-01-31 04:03 - 00000000 ____D C:\Users\kingy\Desktop\New folder
2012-05-12 09:15 - 2011-09-30 07:23 - 00000000 ____D C:\Users\kingy\AppData\Local\Microsoft Games
2012-05-12 02:38 - 2012-05-12 02:38 - 00000000 ____D C:\Users\All Users\Mozilla
2012-05-12 02:38 - 2012-05-12 02:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-05-12 02:38 - 2011-04-16 20:30 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-05-12 02:35 - 2012-05-12 02:35 - 00291112 ____A C:\Windows\Minidump\051212-17487-01.dmp
2012-05-11 06:48 - 2012-05-11 06:56 - 00679091 ____A C:\Users\kingy\Documents\IMG_0008.JPG
2012-05-11 06:48 - 2012-05-11 06:56 - 00671692 ____A C:\Users\kingy\Documents\IMG_0007.JPG
2012-05-11 06:48 - 2012-05-11 06:56 - 00650213 ____A C:\Users\kingy\Documents\IMG_0006.JPG
2012-05-11 06:47 - 2012-05-11 06:56 - 00814257 ____A C:\Users\kingy\Documents\IMG_0005.JPG
2012-05-11 06:47 - 2012-05-11 06:56 - 00682014 ____A C:\Users\kingy\Documents\IMG_0004.JPG
2012-05-11 06:47 - 2012-05-11 06:56 - 00594719 ____A C:\Users\kingy\Documents\IMG_0003.JPG
2012-05-11 06:46 - 2012-05-11 06:56 - 00642992 ____A C:\Users\kingy\Documents\IMG_0002.JPG
2012-05-10 18:11 - 2011-03-01 04:53 - 00000000 ____D C:\Program Files (x86)\Opera
2012-05-10 18:06 - 2012-04-19 21:40 - 00000095 ____A C:\Users\kingy\Documents\page.html
2012-05-09 16:16 - 2012-05-09 16:09 - 00000185 ____A C:\Users\kingy\Documents\go.bat
2012-05-09 15:23 - 2012-05-09 15:23 - 00000000 ___AH C:\Users\kingy\Documents\Default.rdp
2012-05-09 11:04 - 2012-05-09 10:39 - 00000000 ____D C:\Program Files (x86)\The KMPlayer
2012-05-09 10:40 - 2012-05-09 10:40 - 00001048 ____A C:\Users\kingy\Desktop\KMPlayer.lnk
2012-05-09 10:40 - 2012-05-09 10:40 - 00000000 ____D C:\Users\kingy\Documents\The KMPlayer
2012-05-09 10:40 - 2012-05-09 10:40 - 00000000 ____D C:\Program Files (x86)\kmpmediatoolbar
2012-05-09 10:38 - 2012-05-09 10:36 - 28841000 ____A C:\Users\kingy\Desktop\KMPlayer_EN_3.2.0.0.exe
2012-05-09 10:35 - 2012-05-09 10:35 - 00309856 ____A (Softonic) C:\Users\kingy\Downloads\kmplayer_downloader.exe
2012-05-02 07:30 - 2011-03-01 06:51 - 00000000 ____D C:\Users\All Users\CCP
2012-05-01 09:29 - 2012-05-01 08:51 - 18266992 ____A C:\Users\kingy\Downloads\pyfa-1.1.6-escalation-win32.zip
2012-04-27 22:16 - 2012-04-27 22:16 - 00000359 ____A C:\Users\kingy\Desktop\Recycle Bin - Shortcut.lnk
2012-04-25 13:56 - 2012-04-25 13:56 - 54335138 ____A C:\Users\kingy\Downloads\Alex smoke less.psd
2012-04-25 04:38 - 2012-04-25 04:38 - 03078248 ____A C:\Users\kingy\Downloads\Versions export folder.zip
2012-04-25 04:36 - 2012-04-25 04:36 - 01730167 ____A C:\Users\kingy\Downloads\Alex smoke less.jpg
2012-04-25 03:17 - 2012-04-25 03:17 - 00001032 ____A C:\Users\kingy\Desktop\Able RAWer.lnk
2012-04-25 03:17 - 2012-04-25 03:17 - 00000000 ____D C:\Program Files (x86)\AbleRAWer
2012-04-25 03:16 - 2012-04-25 03:16 - 02325008 ____A (Graphic-Region Development ) C:\Users\kingy\Downloads\ablerawer14_setup.exe
2012-04-25 03:03 - 2012-04-25 03:03 - 00012928 ____A C:\Users\kingy\Downloads\526171_343326605720467_186592251393904_886859_879403608_n.jpg
2012-04-25 03:00 - 2012-04-25 03:00 - 03233085 ____A C:\Users\kingy\Downloads\177C0010.JPG
2012-04-25 02:55 - 2012-04-25 02:52 - 20376149 ____A C:\Users\kingy\Downloads\177C0010.CR2
2012-04-15 09:01 - 2012-04-15 09:01 - 00000000 ____D C:\Program Files (x86)\RADVideo
2012-04-15 09:01 - 2012-04-15 08:58 - 01323053 ____A C:\Users\kingy\Downloads\RADTools.exe
2012-04-15 02:07 - 2012-04-15 02:07 - 00020914 ____A C:\Users\kingy\Downloads\561958_297756993630926_290687021004590_724375_989648192_n.jpg
2012-04-13 02:46 - 2012-04-13 02:46 - 00044262 ____A C:\Users\kingy\Downloads\535290_10150785065981117_669456116_11818582_1093229697_n.jpg
2012-04-13 01:22 - 2012-04-13 01:05 - 41608380 ____A C:\Users\kingy\Downloads\land_lights_16384.tif
2012-04-13 01:06 - 2012-04-13 01:01 - 21628194 ____A C:\Users\kingy\Downloads\world.200402.3x21600x10800.jpg
2012-04-13 01:03 - 2012-04-13 01:03 - 12398590 ____A C:\Users\kingy\Downloads\BlueMarble_2005_SAm_09_4096.png
2012-04-12 05:25 - 2012-04-12 05:25 - 01177681 ____A C:\Users\kingy\Downloads\522720_3292112935381_1044496704_3921020_1345328825_n.psd
2012-04-12 04:57 - 2012-04-12 04:57 - 00016934 ____A C:\Users\kingy\Downloads\522720_3292112935381_1044496704_3921020_1345328825_n.jpg
2012-04-10 19:28 - 2012-04-10 19:28 - 00000435 ____A C:\Users\kingy\Desktop\SisiLauncher_errorlog.txt
2012-04-07 04:02 - 2012-04-07 04:02 - 00000037 ____A C:\Users\kingy\Documents\lolkwfl.txt
2012-04-05 07:19 - 2012-04-05 07:20 - 00277662 ____A C:\Users\kingy\Documents\eDark Vlc.vlt
2012-04-05 07:19 - 2012-04-05 07:19 - 00277662 ____A C:\Users\kingy\Downloads\eDark Vlc.vlt
2012-04-05 07:14 - 2012-04-05 07:14 - 00071783 ____A C:\Users\kingy\Documents\DestroyVLC.vlt
2012-04-05 06:37 - 2012-04-05 06:37 - 00001079 ____A C:\Users\Public\Desktop\VLC media player.lnk
2012-04-05 06:35 - 2012-04-05 06:35 - 22259528 ____A C:\Users\kingy\Documents\vlc-2.0.1-win32.exe
2012-04-04 20:46 - 2012-04-04 20:46 - 00291112 ____A C:\Windows\Minidump\040512-16801-01.dmp
2012-04-03 21:56 - 2012-06-05 13:48 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-04-03 00:20 - 2012-04-03 00:20 - 00418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-03 00:20 - 2012-04-03 00:20 - 00070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-04-02 03:43 - 2012-04-02 03:43 - 00040899 ____A C:\Users\kingy\Documents\Untitled.wma
2012-04-02 03:08 - 2012-04-02 03:08 - 00045389 ____A C:\Users\kingy\Documents\Untitled (2).wma
2012-04-02 03:07 - 2012-04-02 03:07 - 00072329 ____A C:\Users\kingy\Documents\Untitled (14).wma
2012-03-31 16:30 - 2012-03-31 16:30 - 00000000 ____D C:\Windows\Sun
2012-03-30 22:51 - 2012-03-30 22:51 - 00291112 ____A C:\Windows\Minidump\033112-17144-01.dmp
2012-03-29 21:12 - 2011-03-01 03:42 - 00000000 ____D C:\users\kingy
2012-03-29 21:11 - 2012-03-29 21:11 - 00291080 ____A C:\Windows\Minidump\033012-16567-01.dmp
2012-03-28 07:41 - 2012-03-28 07:41 - 00000879 ____A C:\Users\kingy\Desktop\iw5sp.exe - Shortcut.lnk
2012-03-28 07:18 - 2012-03-28 07:18 - 00000000 ____D C:\Windows\SysWOW64\directx
2012-03-25 17:36 - 2012-03-25 17:36 - 00000115 ___AH C:\Users\kingy\Downloads\.~lock.LECTURE19-PATHOLOGY_THERAPY.ppt#
2012-03-25 17:36 - 2012-03-25 17:35 - 07720960 ____A C:\Users\kingy\Downloads\LECTURE19-PATHOLOGY_THERAPY.ppt
2012-03-25 04:41 - 2012-03-25 04:40 - 04735171 ____A C:\Users\kingy\Downloads\4K_resolution_sample.ogv
2012-03-23 06:56 - 2012-03-16 00:56 - 00000000 ____D C:\Users\kingy\.matplotlib
2012-03-21 03:23 - 2012-03-21 03:22 - 18472631 ____A C:\Users\kingy\Downloads\pyfa-1.1.4-crucible-win32.zip
2012-03-20 04:21 - 2012-03-16 00:09 - 00000862 ____A C:\Users\kingy\Desktop\ALTS.lnk
2012-03-20 04:13 - 2012-03-16 00:10 - 00000855 ____A C:\Users\kingy\Desktop\EVE.lnk
2012-03-19 04:10 - 2011-11-23 21:09 - 00000000 ____D C:\Users\kingy\Documents\Adobe
2012-03-18 23:33 - 2012-03-18 23:33 - 00000000 ____D C:\_data
2012-03-18 23:30 - 2012-03-18 23:30 - 00000000 ____D C:\Program Files (x86)\Haali
2012-03-18 23:30 - 2012-03-18 23:30 - 00000000 ____D C:\Program Files (x86)\AC3Filter
2012-03-18 21:14 - 2011-05-01 00:48 - 00000000 ____D C:\Users\kingy\Documents\Any Video Converter
2012-03-18 21:03 - 2012-03-18 21:03 - 00001249 ____A C:\Users\kingy\Desktop\Any Video Converter.lnk
2012-03-18 21:03 - 2012-03-18 21:03 - 00000000 ____D C:\Program Files (x86)\AnvSoft
2012-03-17 21:03 - 2012-03-17 21:03 - 00597578 ____A C:\Users\kingy\Documents\pyfabackup.xml
2012-03-17 20:02 - 2012-03-17 20:02 - 00002054 ____A C:\Users\Public\Desktop\Acer eDisplay Management.lnk
2012-03-17 19:45 - 2012-03-17 19:45 - 00000020 ___SH C:\Users\UpdatusUser\ntuser.ini
2012-03-17 19:45 - 2012-03-17 19:45 - 00000000 __SHD C:\Users\UpdatusUser\Templates
2012-03-17 19:45 - 2012-03-17 19:45 - 00000000 __SHD C:\Users\UpdatusUser\Start Menu
2012-03-17 19:45 - 2012-03-17 19:45 - 00000000 __SHD C:\Users\UpdatusUser\PrintHood
2012-03-17 19:45 - 2012-03-17 19:45 - 00000000 __SHD C:\Users\UpdatusUser\NetHood
2012-03-17 19:45 - 2012-03-17 19:45 - 00000000 __SHD C:\Users\UpdatusUser\My Documents
2012-03-17 19:45 - 2012-03-17 19:45 - 00000000 __SHD C:\Users\UpdatusUser\Documents\My Videos
2012-03-17 19:45 - 2012-03-17 19:45 - 00000000 __SHD C:\Users\UpdatusUser\Documents\My Pictures
2012-03-17 19:45 - 2012-03-17 19:45 - 00000000 __SHD C:\Users\UpdatusUser\Documents\My Music
2012-03-17 19:45 - 2012-03-17 19:45 - 00000000 __SHD C:\Users\UpdatusUser\AppData\Local\Temporary Internet Files
2012-03-17 19:45 - 2012-03-17 19:45 - 00000000 __SHD C:\Users\UpdatusUser\AppData\Local\History
2012-03-17 19:45 - 2012-03-17 19:45 - 00000000 ____D C:\Users\UpdatusUser\AppData\LocalLow
2012-03-17 19:45 - 2011-03-01 04:23 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2012-03-17 19:45 - 2011-03-01 04:20 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2012-03-17 19:44 - 2012-03-17 19:43 - 00000000 ____D C:\NVIDIA
2012-03-17 19:16 - 2012-03-17 19:16 - 00005732 ____A C:\Users\kingy\Documents\MONITORCONFIG.zip
2012-03-17 18:56 - 2012-03-17 18:56 - 00000000 ____D C:\Users\kingy\AppData\Roaming\Actual Tools
2012-03-17 18:55 - 2012-03-17 18:55 - 00000000 ____D C:\Program Files (x86)\Actual Multiple Monitors
2012-03-17 18:54 - 2012-03-17 18:54 - 00000000 ____D C:\Users\All Users\Caphyon
2012-03-17 08:48 - 2011-03-02 06:10 - 00000000 ____D C:\Program Files\TeamSpeak 3 Client
2012-03-16 00:53 - 2012-03-16 00:53 - 00000000 ____D C:\Program Files\BitComet
2012-03-16 00:53 - 2011-03-01 09:41 - 00000825 ____A C:\Users\Public\Desktop\BitComet.lnk
2012-03-15 21:02 - 2011-03-02 06:17 - 00000000 ____D C:\Users\kingy\AppData\Roaming\TS3Client
2012-03-15 20:14 - 2012-03-15 20:14 - 00000000 ____D C:\Users\All Users\Telstra
2012-03-15 19:57 - 2012-03-15 19:57 - 00054320 ____A C:\Windows\DPINST.LOG
2012-03-15 19:57 - 2012-03-15 19:57 - 00002114 ____A C:\Users\Public\Desktop\Mobile Broadband Manager.lnk
2012-03-15 19:57 - 2012-03-15 19:57 - 00000000 ____D C:\Program Files (x86)\Telstra
2012-03-15 19:57 - 2012-03-15 19:55 - 00000000 ____D C:\Program Files (x86)\Sierra Wireless Inc
2012-03-15 19:55 - 2012-03-15 19:55 - 00000000 ____D C:\Users\kingy\AppData\Roaming\Sierra Wireless
2012-03-15 19:55 - 2012-03-15 19:55 - 00000000 ____D C:\Users\All Users\Sierra Wireless
2012-03-15 19:55 - 2011-03-01 04:03 - 00024312 ____A C:\Windows\ZTEInstallInfo.log
2012-03-15 19:55 - 2011-03-01 04:03 - 00000000 ____D C:\Windows\SysWOW64\SupportAppXL
2012-03-15 19:55 - 2011-03-01 03:50 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-03-14 17:49 - 2012-03-14 07:22 - 00000026 ____A C:\Users\kingy\Documents\post.txt
2012-03-13 17:19 - 2012-03-13 17:19 - 00001287 ____A C:\Users\Public\Desktop\Supreme Commander.lnk
2012-03-13 17:18 - 2011-05-15 21:58 - 00000000 ____D C:\Users\All Users\Media Center Programs

ZeroAccess:
C:\Windows\Installer\{09aadb72-2d62-4357-7bad-f6c4bd88f547}
C:\Windows\Installer\{09aadb72-2d62-4357-7bad-f6c4bd88f547}\@
C:\Windows\Installer\{09aadb72-2d62-4357-7bad-f6c4bd88f547}\U
C:\Windows\Installer\{09aadb72-2d62-4357-7bad-f6c4bd88f547}\U\00000001.@
C:\Windows\Installer\{09aadb72-2d62-4357-7bad-f6c4bd88f547}\U\80000000.@
C:\Windows\Installer\{09aadb72-2d62-4357-7bad-f6c4bd88f547}\U\800000cb.@

ZeroAccess:
C:\Users\kingy\AppData\Local\{09aadb72-2d62-4357-7bad-f6c4bd88f547}
C:\Users\kingy\AppData\Local\{09aadb72-2d62-4357-7bad-f6c4bd88f547}\@
C:\Users\kingy\AppData\Local\{09aadb72-2d62-4357-7bad-f6c4bd88f547}\L
C:\Users\kingy\AppData\Local\{09aadb72-2d62-4357-7bad-f6c4bd88f547}\n
C:\Users\kingy\AppData\Local\{09aadb72-2d62-4357-7bad-f6c4bd88f547}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 6142.38 MB
Available physical RAM: 5417.8 MB
Total Pagefile: 6140.53 MB
Available Pagefile: 5410.74 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (Etch-A-Sketch) (Fixed) (Total:60.01 GB) (Free:16.05 GB) NTFS
2 Drive d: (System Reserved) (Fixed) (Total:0.08 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (Apophis) (Fixed) (Total:1863.01 GB) (Free:0.04 GB) NTFS
4 Drive f: (Hurricane) (Fixed) (Total:189.92 GB) (Free:62.52 GB) NTFS
5 Drive h: (Gonzales) (Fixed) (Total:275.27 GB) (Free:123.83 GB) NTFS
7 Drive j: () (Removable) (Total:7.51 GB) (Free:4.73 GB) FAT32
8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
9 Drive y: (Safety) (Fixed) (Total:1863.01 GB) (Free:101.59 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 1863 GB 1024 KB
Disk 1 Online 335 GB 1024 KB
Disk 2 Online 1863 GB 0 B
Disk 3 Online 189 GB 0 B
Disk 4 No Media 0 B 0 B
Disk 5 Online 7712 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1863 GB 1024 KB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 Y Safety NTFS Partition 1863 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 85 MB 4096 B
Partition 2 Primary 60 GB 85 MB
Partition 3 Primary 275 GB 60 GB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D System Rese NTFS Partition 85 MB Healthy

======================================================================================================

Disk: 1
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Etch-A-Sket NTFS Partition 60 GB Healthy

======================================================================================================

Disk: 1
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 H Gonzales NTFS Partition 275 GB Healthy

======================================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1863 GB 1024 KB

======================================================================================================

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E Apophis NTFS Partition 1863 GB Healthy

======================================================================================================

Partitions of Disk 3:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 189 GB 1024 KB

======================================================================================================

Disk: 3
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 F Hurricane NTFS Partition 189 GB Healthy

======================================================================================================

Partitions of Disk 5:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7711 MB 1024 KB

======================================================================================================

Disk: 5
Partition 1
Type : 0B
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 7 J FAT32 Removable 7711 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-06-07 16:45

======================= End Of Log ==========================

#4 CatByte

  • Malware Response Team

Posted 09 June 2012 - 05:55 PM

Hi

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flashdrive as fixlist.txt.

start
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Vs6sXYle8XGBDXh] C:\Users\kingy\AppData\Roaming\CodeArchiver.exe [x]
HKU\kingy\...\Run: [Vs6sXYle8XGBDXh] C:\Users\kingy\AppData\Roaming\CodeArchiver.exe [x]
HKU\kingy\...\Winlogon: [Userinit] C:\Users\kingy\AppData\Roaming\CodeArchiver.exe,C:\WINDOWS\System32\userinit.exe, [30208 2009-07-13] (Microsoft Corporation)
2012-06-05 14:14 - 2012-06-05 14:14 - 00302592 ____A C:\Users\kingy\Downloads\sijqrsdx.exe
C:\Windows\Installer\{09aadb72-2d62-4357-7bad-f6c4bd88f547}
C:\Users\kingy\AppData\Local\{09aadb72-2d62-4357-7bad-f6c4bd88f547}
C:\Users\kingy\AppData\Roaming\CodeArchiver.exe 
SubSystems: [Windows] ==> ZeroAccess
HKU\kingy\...\Run: [msbriw] "C:\Windows\System32\rundll32.exe" "C:\Users\kingy\AppData\Roaming\msbriw.dll",GetShaderOutputSemantics [351232 2012-06-07] (C-Media Electronics Inc.)
C:\Users\kingy\AppData\Roaming\msbriw.dll
2012-06-07 07:00 - 2012-06-07 07:00 - 00351232 ____A (C-Media Electronics Inc.) C:\Users\kingy\AppData\Roaming\msbriw.dll
2012-06-04 09:26 - 2012-06-04 09:26 - 00127488 __ASH (DT Soft Ltd) C:\Users\kingy\AppData\Roaming\nctpi.dll
HKLM\...\Run: [nctpi] rundll32.exe "C:\Users\kingy\AppData\Roaming\nctpi.dll",SteamClient [127488 2012-06-04] (DT Soft Ltd)
2012-06-07 07:00 - 2012-06-07 07:00 - 00000000 ____D C:\Users\kingy\AppData\Local\{91B6F8BD-B0B1-11E1-8270-B8AC6F996F26}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options, then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.



NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double-click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Taurich

  • Topic Starter
  • Members

Posted 09 June 2012 - 07:12 PM

Well, my symptoms of bandwidth use have disappeared; I also appear to have regained permissions on my computer (previously certain things were giving me 'Access Denied' errors).

I did notice that ComboFix deleted my ICS hosts file? Is this normal behaviour? I actually had ICS turned on for legitimate reasons :)

Thanks for all your help :)


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-06-2012 01
Ran by SYSTEM at 2012-06-10 09:32:04 Run:1
Running from J:\

==============================================

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
HKLM-x32\\\.\.\.\\Run\\Vs6sXYle8XGBDXh Value deleted successfully.
HKEY_USERS\kingy\Software\Microsoft\Windows\CurrentVersion\Run\\Vs6sXYle8XGBDXh Value deleted successfully.
HKEY_USERS\kingy\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit Value deleted successfully.
C:\Users\kingy\Downloads\sijqrsdx.exe moved successfully.
C:\Windows\Installer\{09aadb72-2d62-4357-7bad-f6c4bd88f547} moved successfully.
C:\Users\kingy\AppData\Local\{09aadb72-2d62-4357-7bad-f6c4bd88f547} moved successfully.
C:\Users\kingy\AppData\Roaming\CodeArchiver.exe not found.
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
HKEY_USERS\kingy\Software\Microsoft\Windows\CurrentVersion\Run\\msbriw Value deleted successfully.
C:\Users\kingy\AppData\Roaming\msbriw.dll moved successfully.
C:\Users\kingy\AppData\Roaming\msbriw.dll not found.
C:\Users\kingy\AppData\Roaming\nctpi.dll moved successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\nctpi Value deleted successfully.
C:\Users\kingy\AppData\Local\{91B6F8BD-B0B1-11E1-8270-B8AC6F996F26} moved successfully.

==== End of Fixlog ====

CF Log

ComboFix 12-06-09.02 - kingy 10/06/2012 9:35.1.8 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.61.1033.18.6142.4587 [GMT 10:00]
Running from: c:\users\kingy\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\kingy\AppData\Local\Temp\ammemb.dll
c:\users\kingy\AppData\Local\Temp\ammemb64.dll
c:\users\kingy\Documents\scan-2012-06-05 [04-44-54].log
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\SysWow64\tmpAD72.tmp
c:\windows\SysWow64\tmpADC1.tmp
.
c:\windows\system32\Services.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-05-09 to 2012-06-09 )))))))))))))))))))))))))))))))
.
.
2012-06-10 16:05 . 2012-06-10 16:05 -------- d-----w- C:\FRST
2012-06-09 23:40 . 2012-06-09 23:40 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-06-09 23:40 . 2012-06-09 23:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-07 20:50 . 2012-06-07 20:50 -------- d-----w- c:\program files\COMODO
2012-06-06 05:41 . 2012-06-08 16:45 -------- d-----w- c:\programdata\Comodo
2012-06-06 05:39 . 2012-06-06 05:39 -------- d-----w- c:\users\kingy\AppData\Local\Privatefirewall
2012-06-06 05:35 . 2012-06-06 05:35 -------- d-----w- c:\programdata\Privacyware
2012-06-06 05:16 . 2012-06-06 05:16 -------- d-----w- c:\programdata\CPA_VA
2012-06-06 02:34 . 2012-06-06 02:34 -------- d-----w- c:\users\kingy\AppData\Local\Comodo
2012-06-06 02:34 . 2012-06-08 12:56 -------- d-----w- c:\program files (x86)\Comodo
2012-06-06 02:34 . 2012-06-06 02:34 1700352 ----a-w- c:\windows\SysWow64\gdiplus.dll
2012-06-05 21:48 . 2012-06-05 21:48 -------- d-----w- c:\users\kingy\AppData\Roaming\Malwarebytes
2012-06-05 21:48 . 2012-06-05 21:48 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-05 21:48 . 2012-06-05 21:48 -------- d-----w- c:\programdata\Malwarebytes
2012-06-05 21:48 . 2012-04-04 05:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-04 19:20 . 2012-06-04 19:20 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-04 18:16 . 2012-06-04 18:44 -------- d-----w- c:\program files (x86)\GridinSoft Trojan Killer
2012-06-03 00:19 . 2012-06-03 04:37 -------- d-----w- c:\users\kingy\AppData\Local\ESN Sonar
2012-06-02 10:15 . 2012-06-08 16:47 283304 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-06-02 10:15 . 2012-06-08 09:49 -------- d-----w- c:\program files (x86)\Battlelog Web Plugins
2012-06-02 10:14 . 2012-06-02 13:02 -------- d-----w- c:\programdata\EA Logs
2012-06-02 10:14 . 2012-06-02 10:14 -------- d-----w- c:\programdata\EA Core
2012-06-02 09:29 . 2012-06-02 09:30 -------- d-----w- c:\users\Public\Update
2012-06-02 08:50 . 2012-06-02 09:18 -------- d--h--w- c:\program files (x86)\Common Files\EAInstaller
2012-05-23 10:06 . 2012-05-23 10:08 -------- d-----w- c:\program files (x86)\Origin
2012-05-20 08:17 . 2012-05-20 08:17 -------- d-----w- c:\users\kingy\AppData\Local\Geotag Security
2012-05-20 08:17 . 2012-05-20 08:17 -------- d-----w- c:\program files (x86)\Geotag Security
2012-05-13 14:59 . 2012-05-13 15:01 -------- d-----w- c:\users\kingy\AppData\Roaming\PacificPoker
2012-05-13 14:59 . 2012-05-13 14:59 -------- d-----w- c:\program files (x86)\PacificPoker
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-09 23:41 . 2011-03-01 12:17 25640 ----a-w- c:\windows\gdrv.sys
2012-06-08 16:47 . 2011-10-15 22:18 283304 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-06-08 16:47 . 2011-10-15 22:18 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-06-02 10:29 . 2011-10-14 14:46 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-04-03 08:20 . 2012-04-03 08:20 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-03 08:20 . 2012-04-03 08:20 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 24ACB7E5BE595468E3B9AA488B9B4FCB . 328704 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[-] 2009-07-14 . 014A9CB92514E27C0107614DF764BC06 . 328704 . . [6.1.7600.16385] .. c:\windows\system32\services.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-03-19 1242448]
"DS3 Tool"="c:\program files\MotioninJoy\ds3\DS3_Tool.exe" [2010-12-31 110352]
"Actual Multiple Monitors"="c:\program files (x86)\Actual Multiple Monitors\ActualMultipleMonitorsCenter.exe" [2011-11-22 1495880]
"Geotag Security"="c:\program files (x86)\Geotag Security\GeotagSecurity.exe" [2011-10-10 3973512]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-11-20 106496]
"PivotSoftware"="c:\program files (x86)\Portrait Displays\Pivot Pro Plugin\Pivot_startup.exe" [2010-05-13 110192]
"DT ACR"="c:\program files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe" [2011-05-26 121456]
"AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]
"Adobe Acrobat Speed Launcher"="f:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-11 37232]
"Acrobat Assistant 8.0"="f:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"BigPondWirelessBroadbandCM"="c:\program files (x86)\Telstra\Mobile Broadband Manager\TelstraUCM.exe" [2011-09-13 6199192]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 213304]
"CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 184120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"DES2"="c:\program files (x86)\GIGABYTE\EnergySaver2\des2.exe" [2010-04-15 354856]
.
c:\users\kingy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
R2 EaseUS Agent;EaseUS Agent;g:\program files (x86)\EaseUS\Todo Backup\bin\Agent.exe [x]
R2 Guard Agent;Guard Agent;g:\program files (x86)\EaseUS\Todo Backup\bin\GuardAgent.exe [x]
R2 PanService;PandoraService;c:\program files (x86)\PANDORA.TV\PanService\PandoraService.exe [x]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-14 284016]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 253600]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [x]
R3 BITCOMET_HELPER_SERVICE;BitComet Disk Boost Service;c:\program files\BitComet\tools\BitCometService.exe [2010-12-28 1296728]
R3 etdrv;etdrv;c:\windows\etdrv.sys [2012-01-03 25640]
R3 GVTDrv64;GVTDrv64;c:\windows\GVTDrv64.sys [2012-01-14 30528]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [x]
R3 massfilter_lte;LTE Device Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_lte.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-12 129976]
R3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [x]
R3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\DRIVERS\RtVlan60.sys [x]
R3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [x]
R3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\DRIVERS\gtkdrv.sys [x]
S0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [x]
S0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [x]
S0 mv91cons;Marvell 91xx Config Device Driver;c:\windows\system32\DRIVERS\mv91cons.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [x]
S1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [x]
S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-11-23 1267000]
S2 DES2 Service;DES2 Service for Energy Saving.;c:\program files (x86)\GIGABYTE\EnergySaver2\des2svr.exe [2009-06-17 68136]
S2 DragonUpdater;COMODO Dragon Update Service;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe [2012-05-29 412304]
S2 JMB36X;JMB36X;c:\windows\SysWOW64\XSrvSetup.exe [2010-01-19 72304]
S2 Marvell RAID;Marvell RAID Event Agent;c:\program files (x86)\Marvell\raid\svc\mvraidsvc.exe [2010-03-08 235560]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 MRUWebService;MRU Web Service;c:\program files (x86)\Marvell\raid\Apache2\bin\httpd.exe [2008-06-12 24635]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-03-01 2348352]
S2 PdiService;Portrait Displays SDK Service;c:\program files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [2011-05-05 113264]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [x]
S2 Smart TimeLock;Smart TimeLock Service;c:\program files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe [2009-10-13 114688]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-02-29 382272]
S2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe [2011-06-24 317296]
S3 AIDA64Driver;FinalWire AIDA64 Kernel Driver;c:\program files (x86)\FinalWire\AIDA64 Extreme Edition\kerneld.x64 [2011-05-04 27808]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 RTCore64;RTCore64;c:\program files (x86)\EVGA Precision\RTCore64.sys [2011-01-17 14440]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 swg3kser00;Sierra Wireless QMI USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\swg3kser00.sys [x]
S3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\DRIVERS\swiwdmbx64.sys [x]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\DRIVERS\swnc8ua3.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AIDA64DRIVER
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 08:20]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-26 10135584]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-11 9569096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://go.bigpond.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: DhcpNameServer = 61.9.211.33 61.9.211.1
TCP: Interfaces\{711463CA-A967-4C12-8BFC-258DD70045BE}: DhcpNameServer = 61.9.211.33 61.9.211.1
TCP: Interfaces\{98901648-FAE4-4D53-9267-489D792ADC2C}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\kingy\AppData\Roaming\Mozilla\Firefox\Profiles\dvo3fd5v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.eohpoker.com/anon/default.aspx?ReturnUrl=%2fclient%2flaunch.aspx
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-EaseUs Watch - g:\program files (x86)\EaseUS\Todo Backup\bin\EuWatch.exe
Wow6432Node-HKLM-Run-EaseUs Tray - g:\program files (x86)\EaseUS\Todo Backup\bin\TrayNotify.exe
Wow6432Node-HKLM-Run-SyncCenter - c:\program files (x86)\Common Files\Sync\SyncCenter.exe
BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - c:\program files (x86)\Hotspot Shield\HssIE\HssIE_64.dll
AddRemove-4F6D5E84-5826-4394-9F40-3A9A19165651_is1 - c:\program files (x86)\PANDORA.TV\PanService\unins000.exe
AddRemove-EaseUS Todo Backup Free 3.5_is1 - g:\program files (x86)\EaseUS\Todo Backup\unins000.exe
AddRemove-FlatOut Ultimate Carnage - g:\program files (x86)\Empire Interactive\FlatOut Ultimate Carnage\Uninstall.exe
AddRemove-MechWarrior Mercenaries - f:\program files (x86)\Microsoft Games\Mechwarrior Mercenaries\UNINSTAL.EXE
AddRemove-Winamp - f:\music\Winamp\UninstWA.exe
AddRemove-{2A9F95AB-65A3-432c-8631-B8BC5BF7477A} - c:\program files (x86)\Electronic Arts\The Battle for Middle-earth ™ II\EAUninstall.exe
AddRemove-{bd8defa4-19fa-4964-9692-f1122d8a62d9}}_is1 - g:\program files (x86)\Activision\Apache Air Assault\unins000.exe
AddRemove-BitTorrent DNA - c:\users\kingy\Program Files (x86)\DNA\btdna.exe
AddRemove-Winamp Detect - f:\music\Winamp Detect\UninstWaDetect.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AIDA64Driver]
"ImagePath"="\??\c:\program files (x86)\FinalWire\AIDA64 Extreme Edition\kerneld.x64"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2448071376-1067175635-125407750-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:12,6a,06,78,02,a1,7d,5a,7d,30,67,06,69,c1,89,61,bc,ba,42,79,bc,bd,60,
45,cc,cb,66,8e,8e,24,d8,01,d1,f4,58,6b,17,4d,ed,21,b7,77,a1,be,b7,4a,e9,35,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
[HKEY_USERS\S-1-5-21-2448071376-1067175635-125407750-1000\Software\SecuROM\License information*]
"datasecu"=hex:c1,fa,cf,55,12,f1,70,2d,98,a9,3a,00,d5,06,15,66,5e,ee,a5,8b,53,
ff,3b,d1,3a,cd,61,c2,8e,da,3d,cb,70,0b,3e,37,52,9a,54,89,56,e0,02,50,45,9a,\
"rkeysecu"=hex:de,15,fb,db,f1,3d,9e,dd,6f,7b,04,92,dc,cc,7d,18
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlDbg10.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlDbg10.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlDbg10.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlDbg10.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\EVGA Precision\Bundle\OSDServer\RTSS.exe
c:\program files (x86)\EVGA Precision\EVGAPrecision.exe
c:\program files (x86)\FinalWire\AIDA64 Extreme Edition\aida64.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\Acer Display\eDisplay Management\DTHtml.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
c:\program files (x86)\Telstra\Mobile Broadband Manager\SwiApiMuxX.exe
c:\program files (x86)\Portrait Displays\Pivot Pro Plugin\wpctrl.exe
c:\program files (x86)\Portrait Displays\Pivot Pro Plugin\floater.exe
.
**************************************************************************
.
Completion time: 2012-06-10 09:51:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-09 23:51
.
Pre-Run: 16,987,447,296 bytes free
Post-Run: 18,854,338,560 bytes free
.
- - End Of File - - FE62D4373146A1DE9119BD41B03FBB8F

2012-06-09 23:50:31 . 2012-06-09 23:50:31 1,466 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Winamp Detect.reg.dat
2012-06-09 23:50:31 . 2012-06-09 23:50:31 1,202 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-BitTorrent DNA.reg.dat
2012-06-09 23:50:31 . 2012-06-09 23:50:31 1,800 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{bd8defa4-19fa-4964-9692-f1122d8a62d9}}_is1.reg.dat
2012-06-09 23:50:31 . 2012-06-09 23:50:31 1,186 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{2A9F95AB-65A3-432c-8631-B8BC5BF7477A}.reg.dat
2012-06-09 23:50:31 . 2012-06-09 23:50:31 1,036 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Winamp.reg.dat
2012-06-09 23:50:30 . 2012-06-09 23:50:30 812 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-MechWarrior Mercenaries.reg.dat
2012-06-09 23:50:30 . 2012-06-09 23:50:30 1,030 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-FlatOut Ultimate Carnage.reg.dat
2012-06-09 23:50:30 . 2012-06-09 23:50:30 2,472 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-EaseUS Todo Backup Free 3.5_is1.reg.dat
2012-06-09 23:50:30 . 2012-06-09 23:50:30 2,032 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-4F6D5E84-5826-4394-9F40-3A9A19165651_is1.reg.dat
2012-06-09 23:50:17 . 2012-06-09 23:50:17 845 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}.reg.dat
2012-06-09 23:49:17 . 2012-06-09 23:49:17 175 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-SyncCenter.reg.dat
2012-06-09 23:49:02 . 2012-06-09 23:49:02 264 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-EaseUs Tray.reg.dat
2012-06-09 23:49:02 . 2012-06-09 23:49:02 264 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Wow6432Node-HKLM-Run-EaseUs Watch.reg.dat
2012-06-09 23:42:07 . 2011-11-22 13:02:20 489,800 ----a-w- C:\Qoobox\Quarantine\C\Users\kingy\AppData\Local\Temp\ammemb.dll.vir
2012-06-09 23:41:34 . 2012-06-09 23:41:34 374 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\drivers\etc\hosts.ics.vir
2012-06-09 23:36:59 . 2012-06-09 23:36:59 5,374 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-06-09 23:34:22 . 2012-06-09 23:34:22 51 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-06-04 18:55:01 . 2012-06-04 18:55:01 23,315 ----a-w- C:\Qoobox\Quarantine\C\Users\kingy\Documents\scan-2012-06-05 [04-44-54].log.vir
2012-03-18 02:55:45 . 2011-11-22 13:02:22 1,123,632 ----a-w- C:\Qoobox\Quarantine\C\Users\kingy\AppData\Local\Temp\ammemb64.dll.vir
2011-10-14 14:34:51 . 2008-04-28 04:53:40 805,400 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\tmpADC1.tmp.vir
2011-10-14 14:32:45 . 2008-04-28 04:53:40 805,400 ----a-w- C:\Qoobox\Quarantine\C\Windows\SysWOW64\tmpAD72.tmp.vir

Edited by Taurich, 09 June 2012 - 07:14 PM.


#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:05 PM

Posted 09 June 2012 - 08:23 PM

Hi


combofix deleted my ICS hosts file? Is this normal behaviour

Yes, it will reset hosts back to default in case it has been hijacked by malware. You should be able to add your custom hosts file when we are finished.

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FCopy::
c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe | c:\windows\system32\services.exe

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
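A check a defender would run after the FCopy:: step in the post above, added here as an example (my PowerShell, not code from the thread and not a ComboFix feature): it hashes the live services.exe against every servicecontroller copy in the component store, which goes beyond the single 6.1.7600.16385 directory the CFScript names because a machine that has received updates can hold several. The two paths are taken from the CFScript; the function names, the wildcard pattern and the use of .NET SHA-256 (Get-FileHash is absent on Windows 7's stock PowerShell) are my assumptions.

```powershell
# Added example; not part of this thread and not a ComboFix feature.
# Purpose: after the FCopy:: step, confirm that the live services.exe is
# byte-identical to one of the copies Windows keeps in the component store,
# and record its Authenticode status. An elevated prompt is safest.
# Assumptions: Windows 7 x64 with PowerShell 2.0 or later (Get-FileHash is
# not available there, so SHA-256 is computed through .NET); the store
# directory name pattern is derived from the CFScript in the post above.

$LivePath     = 'C:\Windows\System32\services.exe'
$StorePattern = 'C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_*'

function Get-Sha256Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $fs.Dispose()
    }
}

function Test-ServicesExeIntegrity {
    param(
        [string]$Live      = $LivePath,
        [string]$StoreGlob = $StorePattern
    )
    if (-not (Test-Path -LiteralPath $Live)) { throw "Missing file: $Live" }
    $liveHash = Get-Sha256Hex -Path $Live

    # Each serviced build of the Service Control Manager binary has its own
    # store directory (the CFScript names the 6.1.7600.16385 one). A clean
    # file matches one of them; a patched one matches none.
    $storeCopies = @(Get-Item -Path $StoreGlob -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'services.exe' } |
        Where-Object { Test-Path -LiteralPath $_ })
    if ($storeCopies.Count -eq 0) { throw "No services.exe found under $StoreGlob" }

    $match = $storeCopies |
        Where-Object { (Get-Sha256Hex -Path $_) -eq $liveHash } |
        Select-Object -First 1

    # Windows 7 system binaries are catalog-signed rather than carrying an
    # embedded signature, so 'NotSigned' here is not by itself proof of
    # tampering; it is recorded for context, the hash comparison decides.
    $sig = Get-AuthenticodeSignature -FilePath $Live

    if ($match) { $verdict = 'OK: identical to a component-store copy' }
    else        { $verdict = 'ALERT: differs from every component-store copy' }

    New-Object PSObject -Property @{
        LiveFile          = $Live
        LiveSha256        = $liveHash
        StoreCopiesFound  = $storeCopies.Count
        MatchingStoreCopy = $match
        SignatureStatus   = $sig.Status.ToString()
        Verdict           = $verdict
    }
}

Test-ServicesExeIntegrity | Format-List
```

An ALERT verdict after the FCopy:: step means the restore did not take or the file was modified again, which is worth reporting back in the thread before moving on to the MBAM and ESET scans.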


#7 Taurich

Taurich
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:05 AM

Posted 09 June 2012 - 10:15 PM

I have a couple of logs for you, the ESET scan has actually decided to scan all drives, so that is going to take..... some time. 55min in so far and it's only up to scanning the first folder of G drive. At this rate I'm guessing total scan time will be around 4 hours. Will post the log for that when it is complete



ComboFix 12-06-09.02 - kingy 10/06/2012 11:50:15.2.8 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.61.1033.18.6142.4321 [GMT 10:00]
Running from: c:\users\kingy\Desktop\ComboFix.exe
Command switches used :: c:\users\kingy\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\kingy\AppData\Local\Temp\ammemb.dll
c:\users\kingy\AppData\Local\Temp\ammemb64.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\wbem\Performance\WmiApRpl_new.ini
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe --> c:\windows\system32\services.exe
.
((((((((((((((((((((((((( Files Created from 2012-05-10 to 2012-06-10 )))))))))))))))))))))))))))))))
.
.
2012-06-10 16:05 . 2012-06-10 16:05 -------- d-----w- C:\FRST
2012-06-10 01:52 . 2012-06-10 01:52 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-06-10 01:52 . 2012-06-10 01:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-10 01:48 . 2012-06-10 01:48 -------- d-----w- c:\programdata\Comodo
2012-06-06 05:39 . 2012-06-06 05:39 -------- d-----w- c:\users\kingy\AppData\Local\Privatefirewall
2012-06-06 05:35 . 2012-06-06 05:35 -------- d-----w- c:\programdata\Privacyware
2012-06-06 05:16 . 2012-06-06 05:16 -------- d-----w- c:\programdata\CPA_VA
2012-06-06 02:34 . 2012-06-06 02:34 -------- d-----w- c:\users\kingy\AppData\Local\Comodo
2012-06-06 02:34 . 2012-06-10 01:46 -------- d-----w- c:\program files (x86)\Comodo
2012-06-06 02:34 . 2012-06-06 02:34 1700352 ----a-w- c:\windows\SysWow64\gdiplus.dll
2012-06-05 21:48 . 2012-06-05 21:48 -------- d-----w- c:\users\kingy\AppData\Roaming\Malwarebytes
2012-06-05 21:48 . 2012-06-05 21:48 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-05 21:48 . 2012-06-05 21:48 -------- d-----w- c:\programdata\Malwarebytes
2012-06-05 21:48 . 2012-04-04 05:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-04 19:20 . 2012-06-04 19:20 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-04 18:16 . 2012-06-04 18:44 -------- d-----w- c:\program files (x86)\GridinSoft Trojan Killer
2012-06-03 00:19 . 2012-06-03 04:37 -------- d-----w- c:\users\kingy\AppData\Local\ESN Sonar
2012-06-02 10:15 . 2012-06-08 16:47 283304 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-06-02 10:15 . 2012-06-08 09:49 -------- d-----w- c:\program files (x86)\Battlelog Web Plugins
2012-06-02 10:14 . 2012-06-02 13:02 -------- d-----w- c:\programdata\EA Logs
2012-06-02 10:14 . 2012-06-02 10:14 -------- d-----w- c:\programdata\EA Core
2012-06-02 09:29 . 2012-06-02 09:30 -------- d-----w- c:\users\Public\Update
2012-06-02 08:50 . 2012-06-02 09:18 -------- d--h--w- c:\program files (x86)\Common Files\EAInstaller
2012-05-23 10:06 . 2012-05-23 10:08 -------- d-----w- c:\program files (x86)\Origin
2012-05-20 08:17 . 2012-05-20 08:17 -------- d-----w- c:\users\kingy\AppData\Local\Geotag Security
2012-05-20 08:17 . 2012-05-20 08:17 -------- d-----w- c:\program files (x86)\Geotag Security
2012-05-13 14:59 . 2012-05-13 15:01 -------- d-----w- c:\users\kingy\AppData\Roaming\PacificPoker
2012-05-13 14:59 . 2012-05-13 14:59 -------- d-----w- c:\program files (x86)\PacificPoker
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-10 01:53 . 2011-03-01 12:17 25640 ----a-w- c:\windows\gdrv.sys
2012-06-08 16:47 . 2011-10-15 22:18 283304 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-06-08 16:47 . 2011-10-15 22:18 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-06-02 10:29 . 2011-10-14 14:46 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-04-03 08:20 . 2012-04-03 08:20 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-03 08:20 . 2012-04-03 08:20 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-09_23.42.30 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-06-09 23:41 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-06-10 01:42 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-06-09 23:41 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-06-10 01:42 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-09 23:41 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-06-10 01:42 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 05:10 . 2012-06-10 01:49 53554 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-03-01 12:19 . 2012-06-10 01:49 23090 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2448071376-1067175635-125407750-1000_UserData.bin
- 2011-03-01 12:19 . 2012-06-09 23:34 23090 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2448071376-1067175635-125407750-1000_UserData.bin
+ 2011-05-13 07:59 . 2012-06-10 01:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-05-13 07:59 . 2012-06-09 23:35 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-05-13 07:59 . 2012-06-10 01:49 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-05-13 07:59 . 2012-06-09 23:35 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-13 07:59 . 2012-06-10 01:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-05-13 07:59 . 2012-06-09 23:35 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-03-01 21:58 . 2012-06-10 01:53 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-03-01 21:58 . 2012-06-09 23:41 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-03-01 21:58 . 2012-06-09 23:41 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-03-01 21:58 . 2012-06-10 01:53 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-06-09 23:41 . 2012-06-09 23:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-06-10 01:53 . 2012-06-10 01:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-03-01 12:41 . 2012-06-10 01:49 110322 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 02:36 . 2012-06-09 23:39 619206 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-06-10 01:52 619206 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-06-10 01:52 107388 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-06-09 23:39 107388 c:\windows\system32\perfc009.dat
- 2011-03-01 11:37 . 2012-06-09 23:42 196608 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-03-01 11:37 . 2012-06-10 01:47 196608 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 05:01 . 2012-06-09 23:40 379156 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-06-10 01:52 379156 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-03-01 11:37 . 2012-06-10 01:47 4014080 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-03-01 11:37 . 2012-06-09 23:42 4014080 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-09 23:42 2932736 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-06-10 01:47 2932736 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-12-07 09:35 . 2012-06-10 01:52 4190180 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2448071376-1067175635-125407750-1000-8192.dat
- 2011-12-07 09:35 . 2012-06-09 23:40 4190180 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2448071376-1067175635-125407750-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-03-19 1242448]
"DS3 Tool"="c:\program files\MotioninJoy\ds3\DS3_Tool.exe" [2010-12-31 110352]
"Actual Multiple Monitors"="c:\program files (x86)\Actual Multiple Monitors\ActualMultipleMonitorsCenter.exe" [2011-11-22 1495880]
"Geotag Security"="c:\program files (x86)\Geotag Security\GeotagSecurity.exe" [2011-10-10 3973512]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-11-20 106496]
"PivotSoftware"="c:\program files (x86)\Portrait Displays\Pivot Pro Plugin\Pivot_startup.exe" [2010-05-13 110192]
"DT ACR"="c:\program files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe" [2011-05-26 121456]
"AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]
"Adobe Acrobat Speed Launcher"="f:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-11 37232]
"Acrobat Assistant 8.0"="f:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"BigPondWirelessBroadbandCM"="c:\program files (x86)\Telstra\Mobile Broadband Manager\TelstraUCM.exe" [2011-09-13 6199192]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"DES2"="c:\program files (x86)\GIGABYTE\EnergySaver2\des2.exe" [2010-04-15 354856]
.
c:\users\kingy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 EaseUS Agent;EaseUS Agent;g:\program files (x86)\EaseUS\Todo Backup\bin\Agent.exe [x]
R2 Guard Agent;Guard Agent;g:\program files (x86)\EaseUS\Todo Backup\bin\GuardAgent.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-03-01 2348352]
R2 PanService;PandoraService;c:\program files (x86)\PANDORA.TV\PanService\PandoraService.exe [x]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-14 284016]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 253600]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [x]
R3 BITCOMET_HELPER_SERVICE;BitComet Disk Boost Service;c:\program files\BitComet\tools\BitCometService.exe [2010-12-28 1296728]
R3 etdrv;etdrv;c:\windows\etdrv.sys [2012-01-03 25640]
R3 GVTDrv64;GVTDrv64;c:\windows\GVTDrv64.sys [2012-01-14 30528]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [x]
R3 massfilter_lte;LTE Device Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_lte.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-12 129976]
R3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [x]
R3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\DRIVERS\RtVlan60.sys [x]
R3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [x]
R3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\DRIVERS\gtkdrv.sys [x]
S0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [x]
S0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [x]
S0 mv91cons;Marvell 91xx Config Device Driver;c:\windows\system32\DRIVERS\mv91cons.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [x]
S1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [x]
S2 DES2 Service;DES2 Service for Energy Saving.;c:\program files (x86)\GIGABYTE\EnergySaver2\des2svr.exe [2009-06-17 68136]
S2 JMB36X;JMB36X;c:\windows\SysWOW64\XSrvSetup.exe [2010-01-19 72304]
S2 Marvell RAID;Marvell RAID Event Agent;c:\program files (x86)\Marvell\raid\svc\mvraidsvc.exe [2010-03-08 235560]
S2 MRUWebService;MRU Web Service;c:\program files (x86)\Marvell\raid\Apache2\bin\httpd.exe [2008-06-12 24635]
S2 PdiService;Portrait Displays SDK Service;c:\program files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [2011-05-05 113264]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [x]
S2 Smart TimeLock;Smart TimeLock Service;c:\program files (x86)\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe [2009-10-13 114688]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-02-29 382272]
S2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe [2011-06-24 317296]
S3 AIDA64Driver;FinalWire AIDA64 Kernel Driver;c:\program files (x86)\FinalWire\AIDA64 Extreme Edition\kerneld.x64 [2011-05-04 27808]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 RTCore64;RTCore64;c:\program files (x86)\EVGA Precision\RTCore64.sys [2011-01-17 14440]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 swg3kser00;Sierra Wireless QMI USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\swg3kser00.sys [x]
S3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\DRIVERS\swiwdmbx64.sys [x]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\DRIVERS\swnc8ua3.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 08:20]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
c:\program files (x86)\Hotspot Shield\HssIE\HssIE_64.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-26 10135584]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://go.bigpond.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: Interfaces\{711463CA-A967-4C12-8BFC-258DD70045BE}: DhcpNameServer = 61.9.226.33 61.9.211.1
TCP: Interfaces\{98901648-FAE4-4D53-9267-489D792ADC2C}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\kingy\AppData\Roaming\Mozilla\Firefox\Profiles\dvo3fd5v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.eohpoker.com/anon/default.aspx?ReturnUrl=%2fclient%2flaunch.aspx
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AIDA64Driver]
"ImagePath"="\??\c:\program files (x86)\FinalWire\AIDA64 Extreme Edition\kerneld.x64"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2448071376-1067175635-125407750-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:12,6a,06,78,02,a1,7d,5a,7d,30,67,06,69,c1,89,61,bc,ba,42,79,bc,bd,60,
45,cc,cb,66,8e,8e,24,d8,01,d1,f4,58,6b,17,4d,ed,21,b7,77,a1,be,b7,4a,e9,35,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
[HKEY_USERS\S-1-5-21-2448071376-1067175635-125407750-1000\Software\SecuROM\License information*]
"datasecu"=hex:c1,fa,cf,55,12,f1,70,2d,98,a9,3a,00,d5,06,15,66,5e,ee,a5,8b,53,
ff,3b,d1,3a,cd,61,c2,8e,da,3d,cb,70,0b,3e,37,52,9a,54,89,56,e0,02,50,45,9a,\
"rkeysecu"=hex:de,15,fb,db,f1,3d,9e,dd,6f,7b,04,92,dc,cc,7d,18
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlDbg10.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlDbg10.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlDbg10.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlDbg10.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\EVGA Precision\EVGAPrecision.exe
c:\fraps\fraps.exe
c:\program files (x86)\EVGA Precision\Bundle\OSDServer\RTSS.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
c:\program files (x86)\Acer Display\eDisplay Management\DTHtml.exe
c:\program files (x86)\Telstra\Mobile Broadband Manager\SwiApiMuxX.exe
c:\program files (x86)\FinalWire\AIDA64 Extreme Edition\aida64.exe
c:\program files (x86)\Portrait Displays\Pivot Pro Plugin\wpctrl.exe
c:\program files (x86)\Portrait Displays\Pivot Pro Plugin\floater.exe
.
**************************************************************************
.
Completion time: 2012-06-10 11:54:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-10 01:54
ComboFix2.txt 2012-06-09 23:51
.
Pre-Run: 20,144,427,008 bytes free
Post-Run: 19,945,992,192 bytes free
.
- - End Of File - - 96558472C3036AB2C44677A26B8C1F14

================================================================================================

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.10.01

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
kingy :: SNUGGLEBUNNY [administrator]

Protection: Enabled

10/06/2012 11:57:26
mbam-log-2012-06-10 (11-57-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 230681
Time elapsed: 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\kingy\Downloads\kmplayer_downloader.exe (PUP.ToolbarDownloader) -> Quarantined and deleted successfully.

(end)

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:05 PM

Posted 09 June 2012 - 10:25 PM

ok

when ESET completes and you post the log, be sure to let me know how the computer is running and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 Taurich

Taurich
  • Topic Starter

  • Members
  • 6 posts
  • Local time:10:05 AM

Posted 10 June 2012 - 12:26 AM

Scan complete, didn't know I had a million+ files on my computer haha

There's a lot of false positives here

As for comp performance, I can't really tell. I'm running fairly decent hardware with an overclock, and I've got Windows and all my software installed on RAID0 SSDs, so even before we started this process the computer responded very well.
The symptoms that caused me to post this thread had disappeared after we ran the FRST fix a couple posts ago.



C:\FRST\Quarantine\{09aadb72-2d62-4357-7bad-f6c4bd88f547}\U\80000000.@ Win64/Sirefef.AE trojan
C:\FRST\Quarantine\{09aadb72-2d62-4357-7bad-f6c4bd88f547}\{09aadb72-2d62-4357-7bad-f6c4bd88f547}\n Win64/Sirefef.W trojan
C:\FRST\Quarantine\{91B6F8BD-B0B1-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan
C:\Program Files (x86)\GridinSoft Trojan Killer\trojankiller.exe a variant of Win32/1AntiVirus application
C:\Users\kingy\Desktop\KMPlayer_EN_3.2.0.0.exe Win32/OpenCandy application
F:\Program Files (x86)\Activision\Apache Air Assault\yuPlay\yuplay.exe a variant of Win32/Packed.VMProtect.AAD trojan
F:\Program Files (x86)\EA\Bulletstorm\Binaries\Win32\SKIDROW.dll a variant of Win32/Packed.VMProtect.AAA trojan
G:\cnet2_privatefirewall_exe.exe a variant of Win32/InstallCore.D application
G:\Acquisitions\BEASTMAN\SORT\avc-free.exe Win32/OpenCandy application
G:\Acquisitions\SKELETOR DUMP\GAMES\Win XP Prof EN.iso multiple threats
G:\Acquisitions\SKELETOR DUMP\PROGRAMS\AUTODESK.MAYA.V2011.WIN32-ISO\maya2011x32.iso a variant of Win32/Keygen.BL application
G:\Acquisitions\SKELETOR DUMP\PROGRAMS\FL Studio 9\flstudio_9.0.exe Win32/OpenCandy application
G:\Acquisitions\SKELETOR DUMP\PROGRAMS\random programs\asc-setup.exe a variant of Win32/Toolbar.Widgi application
G:\Acquisitions\SKELETOR DUMP\PROGRAMS\random programs\YouTubeDownloaderSetup33.exe a variant of Win32/Toolbar.Widgi application
G:\Assorted\Doc Backups\KEYGENS FOR PROGRAMS\Nod32 fix\NOD32.FiX.v2.1-nsane.exe Win32/RiskWare.HackAV.HT application
G:\Assorted\Doc Backups\KEYGENS FOR PROGRAMS\poweriso keygen\keygen.exe a variant of Win32/Keygen.CP application
G:\Assorted\Doc Backups\KEYGENS FOR PROGRAMS\Tuneup Utilities 2007\keygen.exe a variant of Win32/Keygen.BU application
G:\Assorted\Doc Backups\KEYGENS FOR PROGRAMS\UltraISO\keygen.exe probably a variant of Win32/Agent.NJBRPPU trojan
G:\Assorted\Doc Backups\KEYGENS FOR PROGRAMS\UltraISO\KeyGen\keygen.exe probably a variant of Win32/Agent.NJBRPPU trojan
G:\Assorted\Doc Backups\Old\My Docs\Downloads\Compressed\Internet_Download_Manager_v4.0_Full.zip a variant of Win32/HackTool.Patcher.X application
G:\Assorted\Doc Backups\Old\My Docs\Downloads\Programs\HopsterSetup_2.exe multiple threats
G:\Assorted\Doc Backups\Old\My Docs\My Received Files\Version.zip Win32/ServU-Daemon application
G:\Assorted\Random bleep\Cracks\adobepremiereprov2.0keygenssg.zip a variant of Win32/Keygen.AO application
G:\Assorted\Random bleep\Utilities\lulz\fake_del.exe Win32/BadJoke.FakeDel.A application
G:\Downloads\any-video-converter-free.exe Win32/OpenCandy application
G:\Downloads\avc-free.exe Win32/OpenCandy application
G:\Downloads\mirc715.exe Win32/OpenCandy application
G:\Downloads\soldat163.zip Win32/OpenCandy application
G:\Downloads\soldatpatch150-160.zip Win32/OpenCandy application
G:\Downloads\soldatpatch160-161.zip Win32/OpenCandy application
G:\Downloads\soldatpatch161-162.zip Win32/OpenCandy application
G:\Downloads\Viruses.zip multiple threats
G:\Downloads\Lavalys.EVEREST.Ultimate.Edition.v4.60.1500.Multilingual.Incl.Keygen-BRD\keygen\keygen.exe a variant of Win32/Keygen.AE application
G:\ISO's\Games\BULLETSTORM.iso a variant of Win32/Packed.VMProtect.AAA trojan
G:\ISO's\Games\Anno 1404 Venice\Anno 1404 Venice.iso Win32/Packed.VMProtect.D trojan
G:\ISO's\Games\Apache Air Assault\Apache Air Assault.iso a variant of Win32/Packed.VMProtect.AAD trojan
G:\ISO's\Games\Call of Duty\CoD4MW\COD4MW_1.iso Win32/Keygen.DK application
G:\ISO's\Games\MechWarrior 4 Mercenaries\mechwarrior4mercenaries.all.to.51.03.01.0017.mtx probably a variant of Win32/StartPage.ENQZNMK trojan
G:\ISO's\Games\Need For Speed Carbon\teneke.iso probably a variant of Win32/Agent.KUNSSGB trojan
G:\ISO's\Games\Star Wars Battlefront\Star.Wars.Battlefront.KEYGEN-RELOADED\rld-swbk.exe probably a variant of Win32/Agent.BEMOIYE trojan
G:\ISO's\Games\Star Wars Battlefront\Star.Wars.Battlefront.KEYGEN-RELOADED\rld-swbk.rar probably a variant of Win32/Agent.BEMOIYE trojan
G:\ISO's\Games\Supreme_Commander-HATRED\htd-scom.iso probably a variant of Win32/TrojanDownloader.Obfuscated.MFRBVSS trojan
G:\ISO's\Programs\Adobe Photoshop CS2 ISO + Keygen\CS2keygen.zip a variant of Win32/Keygen.CW application
G:\ISO's\Programs\Adobe Photoshop CS2 ISO + Keygen\keygen.exe a variant of Win32/Keygen.CW application
G:\ISO's\Programs\Aone.Ultra.RM.Converter.v2.4.0.Incl.Keygen-CFF\Aone.Ultra.RM.Converter.v2.4.0.Incl.Keygen-CFF\cffk213_.rar probably a variant of Win32/Agent.KSJOJCN trojan
G:\ISO's\Programs\CS4 Master Collection\disable_activation.cmd BAT/HostsChanger.A application
G:\Music\JOSH DUMP\Saved\guillotine part 2 escape fate.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
G:\Music\JOSH DUMP\Saved\Lemony Snickets A Series Of Unfortunate Events 2004 kvcd (A TUS Release).avi WMA/TrojanDownloader.GetCodec.B trojan
G:\Music\JOSH DUMP\Saved\series of unfortunate events.mpg a variant of WMA/TrojanDownloader.GetCodec.gen trojan
G:\Music\MGMT\MGMT - Oracular Spectacular\03-mgmt-the_youth.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
G:\Programs\mIRC\script\dlls\dmu.dll Win32/HideWindow application
G:\Programs\mIRC\script\dlls\moo.dll probably a variant of Win32/TrojanDropper.Agent.EPBRQCU trojan
G:\Programs\mIRC\script\dlls\stdio.dll probably a variant of Win32/IRCBot.BWELRFB trojan
G:\Programs\mIRC SP\script\dlls\dmu.dll Win32/HideWindow application
G:\Programs\mIRC SP\script\dlls\moo.dll probably a variant of Win32/TrojanDropper.Agent.EPBRQCU trojan
G:\Programs\mIRC SP\script\dlls\stdio.dll probably a variant of Win32/IRCBot.BWELRFB trojan
G:\Programs\mIRC(bot)\script\dlls\dmu.dll Win32/HideWindow application
G:\Programs\mIRC(bot)\script\dlls\moo.dll probably a variant of Win32/TrojanDropper.Agent.EPBRQCU trojan
G:\Programs\mIRC(bot)\script\dlls\stdio.dll probably a variant of Win32/IRCBot.BWELRFB trojan
G:\Programs\Soldat\soldatpatch162-163.exe Win32/OpenCandy application
G:\Programs\Soldat - Copy\soldatpatch162-163.exe Win32/OpenCandy application
G:\Software\Compressed\CloneCD.v5.3.0.1.+.Crack.zip Win32/Adware.Toolbar.888Bar application
G:\Software\Compressed\eqokhhjiif.zip Win32/TrojanDownloader.Small.DDP trojan
G:\Software\Compressed\fakedel.zip Win32/BadJoke.FakeDel.A application
G:\Software\Compressed\fraps.2.0.0.full.by.lled.rar probably a variant of Win32/TrojanDownloader.Agent.IGPHFIS trojan
G:\Software\Compressed\My stuff.rar probably a variant of Win32/Agent.GGAAIOE trojan
G:\Software\Compressed\Nero 5.5.7.8 PLUS KeyGen ShareReactor.zip a variant of Win32/Keygen.CY application
G:\Software\Compressed\sonydvdarchitectv4.0keygenssg.zip a variant of Win32/Keygen.AQ application
G:\Software\Compressed\VIETCONG.V1.41.AMMO-TRN.MYST.ZIP a variant of Win32/GameHack.AD application
G:\Software\Compressed\winampprov5.21.497keygenlz0.zip probably a variant of Win32/Spy.Agent.HOAAUVX trojan
G:\Software\Compressed\wtbwplug.zip probably a variant of Win32/Agent.GYQNTCV trojan
G:\Software\Gaming\Games\Atomica Deluxe\Atomica_Deluxe_2[1].52_by_TSRh.zip a variant of Win32/Keygen.BP application
G:\Software\Gaming\Games\AvP2\AVP2-NOCD.ZIP probably a variant of Win32/TrojanDownloader.Agent.MTUOHQJ trojan
G:\Software\Misc Utilities\Burning & Ripping\Alcohol 120\alcohol120v1.9.5.3105trialpatchtsrh.zip probably a variant of Win32/Agent.JIDJNAV trojan
G:\Software\Misc Utilities\Communication\Chat\mIRC\Themes\botsmircgreen.zip multiple threats
G:\Software\Misc Utilities\Communication\IM\MSN\MsgPlusLive-420.exe a variant of Win32/MessengerPlus application
G:\Software\Misc Utilities\Communication\IM\MSN\MsgPlusLive-450.exe a variant of Win32/Adware.CiDHelp application
G:\Software\Misc Utilities\Tweaks & Overclocking\AIDA64.Extreme.Edition.v1.70.1400.Multilingual.Incl.Keymaker\keygen.exe probably a variant of Win32/Agent.KQUXXKY trojan
G:\Software\Misc Utilities\Tweaks & Overclocking\AIDA64.Extreme.Edition.v1.70.1400.Multilingual.Incl.Keymaker\setup.exe multiple threats
G:\Software\Multimedia\Converters\RM Converter\crack.rar Win32/TrojanDownloader.Small.DDP trojan
G:\Software\Multimedia\Plugins\iPod_Support_v3_06.exe Win32/PrcView application
G:\Software\Programs\495_NetTools4.zip probably unknown NewHeur_PE virus
G:\Software\Programs\Cyberlink PowerDVD 6.x Deluxe eng\pdx-cpd6.exe a variant of Win32/Keygen.CW application
G:\Software\Programs\Premiere\adobepremiereprov7.0keygenssg.zip probably a variant of Win32/Spy.Agent.MJJETOK trojan
G:\Software\Programs\UltraEdit-32.v12.10+3.Incl.Keygen-CORE\keygen.exe a variant of Win32/Keygen.AG application
G:\Torrents\AIDA64.Extreme.Edition.v1.70.1400.Multilingual.Incl.Keymaker\keygen.exe probably a variant of Win32/Agent.KQUXXKY trojan
G:\Torrents\AIDA64.Extreme.Edition.v1.70.1400.Multilingual.Incl.Keymaker\setup.exe multiple threats

#10 Taurich

Taurich
  • Topic Starter

  • Members
  • 6 posts
  • Local time:10:05 AM

Posted 10 June 2012 - 01:49 AM

I have however just noticed that my computer is using a whopping 80% of its available RAM.

Looking at all processes in use I can maybe account for 1.8gb RAM, yet my computer is reporting almost 5GB in use!
This is highly unusual.

Screenshot attached

EDIT: Restarted and things returned to normal. I have noticed over the last few days that I was having some issues with running out of RAM. I just installed BF3 so I was thinking the game was simply too heavy for the 6GB RAM I currently have; now I'm thinking there's some virus or memory-leaking process that's been causing the issues.



Edited by Taurich, 10 June 2012 - 01:57 AM.


#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:05 PM

Posted 10 June 2012 - 08:48 AM

Hi,

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Users\kingy\Desktop\KMPlayer_EN_3.2.0.0.exe 
G:\cnet2_privatefirewall_exe.exe 
G:\Acquisitions\BEASTMAN\SORT\avc-free.exe 
G:\Acquisitions\SKELETOR DUMP\GAMES\Win XP Prof EN.iso 
G:\Acquisitions\SKELETOR DUMP\PROGRAMS\AUTODESK.MAYA.V2011.WIN32-ISO\maya2011x32.iso 
G:\Acquisitions\SKELETOR DUMP\PROGRAMS\FL Studio 9\flstudio_9.0.exe 
G:\Acquisitions\SKELETOR DUMP\PROGRAMS\random programs\asc-setup.exe 
G:\Acquisitions\SKELETOR DUMP\PROGRAMS\random programs\YouTubeDownloaderSetup33.exe 
G:\Assorted\Doc Backups\KEYGENS FOR PROGRAMS\Nod32 fix\NOD32.FiX.v2.1-nsane.exe 
G:\Assorted\Doc Backups\KEYGENS FOR PROGRAMS\poweriso keygen\keygen.exe
G:\Assorted\Doc Backups\KEYGENS FOR PROGRAMS\Tuneup Utilities 2007\keygen.exe 
G:\Assorted\Doc Backups\KEYGENS FOR PROGRAMS\UltraISO\keygen.exe 
G:\Assorted\Doc Backups\KEYGENS FOR PROGRAMS\UltraISO\KeyGen\keygen.exe 
G:\Assorted\Doc Backups\Old\My Docs\Downloads\Compressed\Internet_Download_Manager_v4.0_Full.zip 
G:\Assorted\Doc Backups\Old\My Docs\Downloads\Programs\HopsterSetup_2.exe 
G:\Assorted\Doc Backups\Old\My Docs\My Received Files\Version.zip 
G:\Assorted\Random bleep\Cracks\adobepremiereprov2.0keygenssg.zip 
G:\Assorted\Random bleep\Utilities\lulz\fake_del.exe 
G:\Downloads\any-video-converter-free.exe 
G:\Downloads\avc-free.exe 
G:\Downloads\mirc715.exe 
G:\Downloads\soldat163.zip 
G:\Downloads\soldatpatch150-160.zip 
G:\Downloads\soldatpatch160-161.zip 
G:\Downloads\soldatpatch161-162.zip 
G:\Downloads\Viruses.zip 
G:\Downloads\Lavalys.EVEREST.Ultimate.Edition.v4.60.1500.Multilingual.Incl.Keygen-BRD\keygen\keygen.exe 
G:\ISO's\Games\BULLETSTORM.iso 
G:\ISO's\Games\Anno 1404 Venice\Anno 1404 Venice.iso 
G:\ISO's\Games\Apache Air Assault\Apache Air Assault.iso 
G:\ISO's\Games\Call of Duty\CoD4MW\COD4MW_1.iso 
G:\ISO's\Games\MechWarrior 4 Mercenaries\mechwarrior4mercenaries.all.to.51.03.01.0017.mtx 
G:\ISO's\Games\Need For Speed Carbon\teneke.iso 
G:\ISO's\Games\Star Wars Battlefront\Star.Wars.Battlefront.KEYGEN-RELOADED\rld-swbk.exe 
G:\ISO's\Games\Star Wars Battlefront\Star.Wars.Battlefront.KEYGEN-RELOADED\rld-swbk.rar 
G:\ISO's\Games\Supreme_Commander-HATRED\htd-scom.iso 
G:\ISO's\Programs\Adobe Photoshop CS2 ISO + Keygen\CS2keygen.zip 
G:\ISO's\Programs\Adobe Photoshop CS2 ISO + Keygen\keygen.exe 
G:\ISO's\Programs\Aone.Ultra.RM.Converter.v2.4.0.Incl.Keygen-CFF\Aone.Ultra.RM.Converter.v2.4.0.Incl.Keygen-CFF\cffk213_.rar 
G:\ISO's\Programs\CS4 Master Collection\disable_activation.cmd 
G:\Music\JOSH DUMP\Saved\guillotine part 2 escape fate.mp3 
G:\Music\JOSH DUMP\Saved\Lemony Snickets A Series Of Unfortunate Events 2004 kvcd (A TUS Release).avi 
G:\Music\JOSH DUMP\Saved\series of unfortunate events.mpg 
G:\Music\MGMT\MGMT - Oracular Spectacular\03-mgmt-the_youth.mp3 
G:\Programs\Soldat\soldatpatch162-163.exe 
G:\Programs\Soldat - Copy\soldatpatch162-163.exe 
G:\Software\Compressed\CloneCD.v5.3.0.1.+.Crack.zip 
G:\Software\Compressed\eqokhhjiif.zip 
G:\Software\Compressed\fakedel.zip 
G:\Software\Compressed\fraps.2.0.0.full.by.lled.rar 
G:\Software\Compressed\My stuff.rar 
G:\Software\Compressed\Nero 5.5.7.8 PLUS KeyGen ShareReactor.zip 
G:\Software\Compressed\sonydvdarchitectv4.0keygenssg.zip 
G:\Software\Compressed\VIETCONG.V1.41.AMMO-TRN.MYST.ZIP 
G:\Software\Compressed\winampprov5.21.497keygenlz0.zip 
G:\Software\Compressed\wtbwplug.zip 
G:\Software\Gaming\Games\Atomica Deluxe\Atomica_Deluxe_2[1].52_by_TSRh.zip 
G:\Software\Gaming\Games\AvP2\AVP2-NOCD.ZIP
G:\Software\Misc Utilities\Burning & Ripping\Alcohol 120\alcohol120v1.9.5.3105trialpatchtsrh.zip 
G:\Software\Misc Utilities\Communication\Chat\mIRC\Themes\botsmircgreen.zip 
G:\Software\Misc Utilities\Communication\IM\MSN\MsgPlusLive-420.exe 
G:\Software\Misc Utilities\Communication\IM\MSN\MsgPlusLive-450.exe 
G:\Software\Misc Utilities\Tweaks & Overclocking\AIDA64.Extreme.Edition.v1.70.1400.Multilingual.Incl.Keymaker\keygen.exe 
G:\Software\Misc Utilities\Tweaks & Overclocking\AIDA64.Extreme.Edition.v1.70.1400.Multilingual.Incl.Keymaker\setup.exe 
G:\Software\Multimedia\Converters\RM Converter\crack.rar 
G:\Software\Multimedia\Plugins\iPod_Support_v3_06.exe 
G:\Software\Programs\495_NetTools4.zip 
G:\Software\Programs\Cyberlink PowerDVD 6.x Deluxe eng\pdx-cpd6.exe 
G:\Software\Programs\Premiere\adobepremiereprov7.0keygenssg.zip 
G:\Software\Programs\UltraEdit-32.v12.10+3.Incl.Keygen-CORE\keygen.exe 
G:\Torrents\AIDA64.Extreme.Edition.v1.70.1400.Multilingual.Incl.Keymaker\keygen.exe 
G:\Torrents\AIDA64.Extreme.Edition.v1.70.1400.Multilingual.Incl.Keymaker\setup.exe 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


The proliferation of cracks and keygens on your machine is probably the reason your machine was badly compromised. Pirating software in most countries is illegal. Bleeping Computer does not condone the theft of software.

It really isn't worth compromising your machine for. Your personal information may have already been compromised, as many of these infections are "back door" trojans that allow hackers access to your personal information. As a precaution, change all of your on-line passwords from a machine that has never been infected.

Then I strongly suggest removing the pirated software, the torrent programs and peer to peer programs. Your system will thank you


If there are no other issues then we can clean up our tools


You can delete the DDS and FRST logs and programs from your desktop and the C:\FRST folder from your C:\ drive


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.

Posted Image


NEXT



Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:05 PM

Posted 22 June 2012 - 03:32 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




