Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Run|Regedit32 (Trojan.Agent)


  • This topic is locked This topic is locked
26 replies to this topic

#1 Sandehshrew

Sandehshrew

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 14 July 2012 - 10:52 PM

Unable to remove this bug using Avira antivirus or Norman and cannot find anything in the reference materials on site. Would appreciate your help and will grovel at your feet....

DDR

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Sandra at 5:00:10 on 2012-07-15
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.46.1053.18.6124.4193 [GMT 2:00]
.
AV: Norman Security Suite *Disabled/Updated* {D038CA80-26F3-90BF-94AA-03C4D945E661}
SP: Norman Security Suite *Disabled/Updated* {6B592B64-00C9-9F31-AE1A-38B6A2C2ACDC}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Norman\Npm\Bin\elogsvc.exe
C:\Program Files\Norman\Ngs\Bin\Nnf.exe
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\ProgramData\DatacardService\HWDeviceService64.exe
C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe
C:\Program Files\Norman\Nvc\bin\nhs.exe
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\taskhost.exe
C:\windows\SYSTEM32\WISPTIS.EXE
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Users\Sandra\fccu4o20iv.exe
C:\Windows\System32\StikyNot.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\McAfee Security Scan\3.0.271\SSScheduler.exe
C:\Windows\SysWOW64\atwtusb.exe
C:\Windows\SysWOW64\WTMKM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Norman\Npm\Bin\zlh.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\SysWOW64\RunDll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Users\Sandra\Downloads\STRANGE THINGS (dad)\avira_free_antivirus_en.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Users\Sandra\AppData\Local\Temp\RarSFX0\presetup.exe
C:\Program Files\Samsung\SamsungFastStart\SmartRestarter.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe
C:\Users\Sandra\AppData\Local\Temp\RarSFX0\setup.exe
C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe
C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avconfig.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avcenter.exe
C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe
C:\program files (x86)\avira\antivir desktop\avscan.exe
C:\windows\SysWOW64\NOTEPAD.EXE
C:\windows\system32\prevhost.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://samsung.msn.com
uDefault_Page_URL = hxxp://samsung.msn.com
mStart Page = hxxp://samsung.msn.com
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Samsung BHO Class: {aa609d72-8482-4076-8991-8cdae5b93bcb} - C:\Program Files\Samsung AnyWeb Print\W2PBrowser.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [Google Update] "C:\Users\Sandra\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [AdobeBridge]
uRun: [fccu4o20iv1] C:\Users\Sandra\fccu4o20iv.exe
uRun: [fccu4o20iv] C:\Users\Sandra\fccu4o20iv.exe
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [Regedit32] C:\windows\system32\regedit.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun: [atwtusb] atwtusb.exe
mRun: [MacrokeyManager] WTMKM.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
mRun: [Norman ZANDA] "C:\Program Files\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\3.0.271\SSScheduler.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Skicka bild till &Bluetooth-enhet... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Skicka sida till &Bluetooth-enhet... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {328ECD19-C167-40eb-A0C7-16FE7634105E} - {94BB0C4C-B957-479A-85E4-42F53B89F681} - C:\Program Files\Samsung AnyWeb Print\W2PBrowser.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{138C7D88-8082-4D8C-8D6C-B41C60BB400F} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{3141BF4D-2BE6-43AD-B395-73C144E5ADC1} : NameServer = 80.251.201.177 80.251.201.178
TCP: Interfaces\{5737D4BA-3D94-49B4-A65B-E8A03CE05FC6} : NameServer = 80.251.201.177 80.251.201.178
TCP: Interfaces\{A7525278-4695-4DBF-8671-5979EE6EBF8C} : NameServer = 80.251.201.177 80.251.201.178
TCP: Interfaces\{E1603C5A-1A2D-41FD-974D-5971C1B3B5F3} : DhcpNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{9FDDE16B-836F-4806-AB1F-1455CBEFF289}
{AA609D72-8482-4076-8991-8CDAE5B93BCB}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun-x64: [atwtusb] atwtusb.exe
mRun-x64: [MacrokeyManager] WTMKM.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
mRun-x64: [Norman ZANDA] "C:\Program Files\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Sandra\AppData\Roaming\Mozilla\Firefox\Profiles\y1h6qm4v.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B04d40bb0-c95f-4d47-adc3-ae1073c88cf3%7D&mid=279ffbbb992347d0a0ccd15756fba782-2d0b87e949501fc153ea3771b6c94fcb37453848&ds=AVG&v=11.0.0.9&lang=en&pr=fr&d=2012-05-26%2012%3A53%3A01&sap=ku&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Sandra\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_257.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SABI;SAMSUNG Kernel Driver For Windows 7;\??\C:\windows\system32\Drivers\SABI.sys --> C:\windows\system32\Drivers\SABI.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-7-15 86224]
R2 HWDeviceService64.exe;HWDeviceService64.exe;C:\ProgramData\DatacardService\HWDeviceService64.exe [2011-3-14 346976]
R2 NHS;Norman Hash Server;C:\Program Files\Norman\Nvc\Bin\nhs.exe [2012-5-27 793520]
R2 NNFSVC;Norman Network Filtering service;C:\Program Files\Norman\Ngs\Bin\nnf.exe [2012-5-27 231216]
R2 NVOY;Norman Resource Provider;C:\Program Files\Norman\Npm\Bin\nvoy.exe [2012-5-27 100936]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-4-14 2348352]
R2 TurboB;Turbo Boost UI Monitor driver;C:\windows\system32\DRIVERS\TurboB.sys --> C:\windows\system32\DRIVERS\TurboB.sys [?]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-7-29 2656280]
R3 BTWAMPFL;BTWAMPFL;C:\windows\system32\DRIVERS\btwampfl.sys --> C:\windows\system32\DRIVERS\btwampfl.sys [?]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\windows\system32\DRIVERS\clwvd.sys --> C:\windows\system32\DRIVERS\clwvd.sys [?]
R3 huawei_enumerator;huawei_enumerator;C:\windows\system32\DRIVERS\ew_jubusenum.sys --> C:\windows\system32\DRIVERS\ew_jubusenum.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\windows\system32\drivers\nvhda64v.sys --> C:\windows\system32\drivers\nvhda64v.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
S1 avkmgr;avkmgr;C:\windows\system32\DRIVERS\avkmgr.sys --> C:\windows\system32\DRIVERS\avkmgr.sys [?]
S1 NGS;Norman General Security Driver;C:\Program Files\Norman\Ngs\Bin\ngs64.sys [2012-5-27 22368]
S2 AntiVirService;Avira Realtime Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-7-15 110032]
S2 avgntflt;avgntflt;C:\windows\system32\DRIVERS\avgntflt.sys --> C:\windows\system32\DRIVERS\avgntflt.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Tjänsten Google Update (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-7-14 116648]
S2 Mobile Partner. RunOuc;Mobile Partner. OUC;C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe [2012-1-17 246112]
S2 Norman ZANDA;Norman ZANDA;C:\Program Files\Norman\Npm\Bin\zanda.exe [2012-5-27 431320]
S2 nregsec;Norman Registry Security driver;C:\Program Files\Norman\Ngs\Bin\nregsec64.sys [2012-5-27 63032]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-29 158856]
S3 BtFilter;BtFilter;C:\windows\system32\DRIVERS\btfilter.sys --> C:\windows\system32\DRIVERS\btfilter.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-1-19 138360]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\windows\system32\DRIVERS\ew_hwusbdev.sys --> C:\windows\system32\DRIVERS\ew_hwusbdev.sys [?]
S3 ew_usbenumfilter;huawei_CompositeFilter;C:\windows\system32\DRIVERS\ew_usbenumfilter.sys --> C:\windows\system32\DRIVERS\ew_usbenumfilter.sys [?]
S3 ewusbmbb;HUAWEI USB-WWAN miniport;C:\windows\system32\DRIVERS\ewusbwwan.sys --> C:\windows\system32\DRIVERS\ewusbwwan.sys [?]
S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]
S3 gupdatem;Tjänsten Google Update (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-7-14 116648]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\3.0.271\McCHSvc.exe [2012-3-13 237272]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-26 113120]
S3 nsesvc;Norman Scanner Engine Service;C:\Program Files\Norman\Nse\Bin\nsesvc.exe [2012-5-27 423752]
S3 NvcMFlt;NvcMFlt;C:\windows\system32\DRIVERS\nvcv64mf.sys --> C:\windows\system32\DRIVERS\nvcv64mf.sys [?]
S3 nvcoas;Norman Virus Control on-access component;C:\Program Files\Norman\Nvc\Bin\nvcoas.exe [2012-7-5 287312]
S3 Samsung UPD Service;Samsung UPD Service;"C:\windows\System32\SUPDSvc.exe" --> C:\windows\System32\SUPDSvc.exe [?]
S3 Scheduler;Norman Scheduler Service;C:\Program Files\Norman\Npm\Bin\scheduler.exe [2012-5-27 148240]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]
S3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2010-10-8 150016]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Aktiveringsteknologier för Windows-tjänst;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-07-15 02:24:41 98848 ----a-w- C:\windows\System32\drivers\avgntflt.sys
2012-07-15 02:24:41 27760 ----a-w- C:\windows\System32\drivers\avkmgr.sys
2012-07-15 02:23:40 8955792 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B81B2870-AC2D-4B16-973C-7EDFD0DBD1EC}\mpengine.dll
2012-07-14 23:16:56 -------- d-----w- C:\Users\Sandra\AppData\Roaming\Malwarebytes
2012-07-14 23:16:48 -------- d-----w- C:\ProgramData\Malwarebytes
2012-07-14 23:16:47 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-14 22:27:47 -------- d-----w- C:\Users\Sandra\AppData\Roaming\Avira
2012-07-14 22:22:21 -------- d-----w- C:\ProgramData\Avira
2012-07-14 22:22:21 -------- d-----w- C:\Program Files (x86)\Avira
2012-07-04 22:15:25 57440 ----a-w- C:\windows\System32\drivers\nvcv64mf.sys
2012-07-02 20:45:16 -------- d-----w- C:\ProgramData\McAfee Security Scan
2012-07-02 20:45:01 -------- d-----w- C:\Program Files (x86)\McAfee Security Scan
2012-07-01 19:00:47 -------- d-----w- C:\Users\Sandra\AppData\Local\Diagnostics
2012-06-23 09:05:03 -------- d-----w- C:\Users\Sandra\AppData\Roaming\Gensokyo.org
2012-06-23 09:04:56 -------- d-----w- C:\Users\Sandra\AppData\Roaming\ShanghaiAlice
2012-06-17 18:48:02 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-17 18:48:01 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
.
==================== Find3M ====================
.
2012-06-10 18:06:25 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-10 18:06:25 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
2012-05-27 18:57:47 1700352 ----a-w- C:\windows\SysWow64\gdiplus.dll
2012-05-04 23:42:08 8744608 ----a-w- C:\windows\SysWow64\FlashPlayerInstaller.exe
.
============= FINISH: 5:01:12,10 ===============

GMER Report

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-15 05:50:28
Windows 6.1.7601 Service Pack 1
Running: gmer.exe


---- Services - GMER 1.0.15 ----

Service C:\SystemRoot\System32\Drivers\812de3bbdb8eba7d.sys (*** hidden *** ) [BOOT] 812de3bbdb8eba7d <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ?????&????H?????????????????Offers permanent protection against viruses and malware with the Avira search engine.???WUDFCoInstaller.dll??t????????????v??????????????????????????????????????????????????????i??,%????*??????s??t???????????????#???????????????????STORAGE\Volume\_??_USBSTOR#Disk&Ven_Apple&Prod_iPod&Rev_1.62#000A27001BA1BF32&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}??????????????????????????????avgntflt????? ?????????????????????0?????????????????????????????????????n??????????????????s?????????????????????????????V?????????????er??????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????? ???'???????HJ???/???????????????9???9???9???%???????????????????9???9???/???????????!???/?????????????????????????? ??????????????????? ??????????? ??????????????????? ?????? ??????Windows-sk?tsel?????? ??????????????????????????????N?CE??00D-????N??????9????X?{4991D34B-80A1-4291-83B6-3328366B9097}????0?? N?????????????????????? ?????????????????????0???
Reg HKLM\SYSTEM\CurrentControlSet\services\812de3bbdb8eba7d@ImagePath \SystemRoot\System32\Drivers\812de3bbdb8eba7d.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\812de3bbdb8eba7d@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\services\812de3bbdb8eba7d@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\812de3bbdb8eba7d@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\812de3bbdb8eba7d@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\812de3bbdb8eba7d@Tag 1
Reg HKLM\SYSTEM\CurrentControlSet\services\812de3bbdb8eba7d@DisplayName fccu4o20iv.exe
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002454f1e1f4
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde6a3c77
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca971071c90
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e0ca946f190a
Reg HKLM\SYSTEM\ControlSet002\services\812de3bbdb8eba7d@ImagePath \SystemRoot\System32\Drivers\812de3bbdb8eba7d.sys
Reg HKLM\SYSTEM\ControlSet002\services\812de3bbdb8eba7d@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\812de3bbdb8eba7d@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\812de3bbdb8eba7d@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\812de3bbdb8eba7d@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\812de3bbdb8eba7d@Tag 1
Reg HKLM\SYSTEM\ControlSet002\services\812de3bbdb8eba7d@DisplayName fccu4o20iv.exe
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002454f1e1f4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cedde6a3c77 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca971071c90 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e0ca946f190a (not active ControlSet)

---- EOF - GMER 1.0.15 ----
Attached File  Attach.zip   2.95KB   3 downloads

BC AdBot (Login to Remove)

 


#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:11 PM

Posted 15 July 2012 - 09:10 PM

Hi Sandehshrew,

:welcome: to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screename jntkwx or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please do not attach logs or put logs in code boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 

Combofix
This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Please download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out >here< or >here<
3. Double click on combofix.exe & follow the prompts.

Important:
  • Do not mouseclick combofix's window while it's running. That may cause it to stall.
  • If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

In your next reply, please include:
  • Combofix log
  • How is your computer running now? Please be as descriptive as possible. Include any word-for-word error messages that you may have, and/or screenshots of strange behavior.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#3 Sandehshrew

Sandehshrew
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 16 July 2012 - 07:46 PM

Sorry for the delay in responding!

With regard to performance issues. Firefox and several other programs have trouble starting, it took up to 20 minutes for it to start up. Google Chorme started up immediatelly. A couple of days ago, the taskmanager didn't work at all, but now it seems to be working fine. My antivirus programs are being blocked. CDs are inoperable. I few days ago, it wouldn't read USB devices, but I tried it again and it seems to be working again.

My machine is settings are swedish so i had to translate the Combofix report as it was generated automatically in Swedish- If you have any questions please feel free to ask and I will try to answer.

Thanks a lot for your help!

ComboFix 12-07-16.01 - Sandra 2012-07-17 0:45.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.46.1053.18.6124.4725 [GMT 2:00]
Running from: c: \ users \ Sandra \ Desktop \ ComboFix.exe
BY: Norman Security Suite * Disabled / Updated * {D038CA80-26F3-90BF-94AA-03C4D945E661}
SP: Norman Security Suite * Disabled / Updated * {6B592B64-00C9-9F31-AE1A-38B6A2C2ACDC}
SP: Windows Defender * Disabled / Outdated * {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((Files created by the 2012-06-16 2012-07-16)))))))))))) ))))))))))))))))))
.
.
2012-07-16 22:57. 2012-07-16 22:57 -------- d ----- w c: \ users \ UpdatusUser \ AppData \ Local \ Temp
2012-07-16 22:57. 2012-07-16 22:57 -------- d ----- w c: \ users \ Default \ AppData \ Local \ Temp
2012-07-15 03:44. 2012-07-15 03:47 -------- d ----- w c: \ users \ Sandra \ AppData \ Local \ Microsoft Games
2012-07-15 02:24. 2012-05-02 13:24 27,760 ---- aw c: \ windows \ system32 \ drivers \ avkmgr.sys
2012-07-15 02:24. 2012-04-27 08:20 132 832 ---- aw c: \ windows \ system32 \ drivers \ avipbb.sys
2012-07-15 02:24. 2012-04-24 22:32 98,848 ---- aw c: \ windows \ system32 \ drivers \ avgntflt.sys
2012-07-15 02:23. 2012-05-08 17:02 8,955,792 ---- aw c: \ data \ Microsoft \ Windows Defender \ Definition Updates \ {B81B2870-AC2D-4B16-973C-7EDFD0DBD1EC} \ mpengine.dll
2012-07-14 23:16. 2012-07-14 23:16 -------- d ----- w c: \ users \ Sandra \ AppData \ Roaming \ Malwarebytes
2012-07-14 23:16. 2012-07-14 23:16 -------- d ----- w c: \ data \ Malwarebytes
2012-07-14 23:16. 2012-07-15 12:19 -------- d ----- w c: \ program files (x86) \ Malwarebytes' Anti-Malware
2012-07-14 22:27. 2012-07-14 22:27 -------- d ----- w c: \ users \ Sandra \ AppData \ Roaming \ Avira
2012-07-14 22:22. 2012-07-14 22:22 -------- d ----- w c: \ data \ Avira
2012-07-14 22:22. 2012-07-14 22:22 -------- d ----- w c: \ program files (x86) \ Avira
2012-07-14 01:52. 2012-07-14 01:54 -------- d ----- w c: \ program files (x86) \ Google
2012-07-04 22:15. 2012-06-27 12:42 57,440 ---- aw c: \ windows \ system32 \ drivers \ nvcv64mf.sys
2012-07-02 20:45. 2012-07-15 12:19 -------- d ----- w c: \ data \ McAfee Security Scan
2012-07-02 20:45. 2012-07-02 20:45 -------- d ----- w c: \ program files (x86) \ McAfee Security Scan
2012-07-01 19:00. 2012-07-01 19:00 -------- d ----- w c: \ users \ Sandra \ AppData \ Local \ Diagnostics
2012-06-23 09:05. 2012-06-23 09:05 -------- d ----- w c: \ users \ Sandra \ AppData \ Roaming \ Gensokyo.org
2012-06-23 09:04. 2012-06-23 09:04 -------- d ----- w c: \ users \ Sandra \ AppData \ Roaming \ Shanghai Alice
2012-06-17 18:48. 2012-06-17 18:48 421 200 ---- aw c: \ program files (x86) \ Mozilla Firefox \ msvcp100.dll
2012-06-17 18:48. 2012-06-17 18:48 770 384 ---- aw c: \ program files (x86) \ Mozilla Firefox \ msvcr100.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((Find3M Report)))))))) )))))))))))))))))))))))))))))))))))))))))))
.
2012-06-10 18:06. 2012-03-30 19:23 70,344 ---- aw c: \ windows \ syswow64 \ FlashPlayerCPLApp.cpl
2012-06-10 18:06. 2012-03-30 19:23 426 184 ---- aw c: \ windows \ syswow64 \ FlashPlayerApp.exe
2012-06-01 22:49. 2012-06-01 22:49 163 048 ---- aw c: \ data \ Microsoft \ Windows \ SQM \ Manifest \ Sqm10141.bin
2012-05-27 18:57. 2012-05-27 18:57 1,700,352 ---- aw c: \ windows \ syswow64 \ Gdiplus.dll
2012-05-04 23:42. 2012-05-01 02:42 8,744,608 ---- aw c: \ windows \ syswow64 \ FlashPlayerInstaller.exe
.
.
------- Sigcheck -------
Note: Unsigned files Are not Necessarily malware.
.
[-] 1601-01-01 00:00. ! HASH: COULD NOT OPEN FILE!! . 0th . [------] .. c: \ windows \ system32 \ drivers \ Atapi.sys
.
[-] 1601-01-01 00:00. ! HASH: COULD NOT OPEN FILE!! . 0th . [------] .. c: \ windows \ system32 \ drivers \ asyncmac.sys
.
[-] 1601-01-01 00:00. ! HASH: COULD NOT OPEN FILE!! . 0th . [------] .. c: \ windows \ system32 \ drivers \ kbdclass.sys
.
[-] 1601-01-01 00:00. ! HASH: COULD NOT OPEN FILE!! . 0th . [------] .. c: \ windows \ system32 \ drivers \ Ndis.sys
.
[-] 1601-01-01 00:00. ! HASH: COULD NOT OPEN FILE!! . 0th . [------] .. c: \ windows \ system32 \ drivers \ Ntfs.sys
.
[-] 1601-01-01 00:00. ! HASH: COULD NOT OPEN FILE!! . 0th . [------] .. c: \ windows \ system32 \ drivers \ null.sys
.
[-] 1601-01-01 00:00. ! HASH: COULD NOT OPEN FILE!! . 0th . [------] .. c: \ windows \ system32 \ drivers \ Tcpip.sys
.
[-] 1601-01-01 00:00. ! HASH: COULD NOT OPEN FILE!! . 0th . [------] .. c: \ windows \ system32 \ drivers \ tdx.sys
.
[7] 2012-03-31. 28F44480E411C3DDF04B63F6560E6EF4. 3,913,072th . [6.1.7601.17803] .. c: \ windows \ erdnt \ cache86 \ ntoskrnl.exe
[7] 2012-03-31. 28F44480E411C3DDF04B63F6560E6EF4. 3,913,072th . [6.1.7601.17803] .. c: \ windows \ SysWOW64 \ ntoskrnl.exe
[7] 2012-03-31. 28F44480E411C3DDF04B63F6560E6EF4. 3,913,072th . [6.1.7601.17803] ..
[7] 2012-03-31. 2E02A17E8965AD671E4987E503AD38B1. 3916656th . [6.1.7601.21955] ..
[7] 2012-03-06. 53B4BDEA12A032EEC71E60B6BFF42F37. 3,913,072th . [6.1.7601.17790] ..
[7] 2012-03-06. 57B7DE30C4E65AD19CA13AC3065EE60B. 3916656th . [6.1.7601.21936] ..
[7] 2011-11-19. F0F0E99A65F598A1A7720F5111C4DA8F. 3913584th . [6.1.7601.17727] ..
[7] 2011-11-19. 00B12EA93ED392FBD09F07B63E926647. 3916656th . [6.1.7601.21863] ..
[7] 2011-06-23. 90EFDB506F6140EEA9DEE398D9449D86. 3912576th . [6.1.7601.21755] ..
[7] 2011-06-23. FB58ABD5E1F75A2CF713C9DFF0EC0804. 3912576th . [6.1.7601.17640] ..
[7] 2011-04-09. 5D21C487F79F8245E799071589E035BF. 3912576th . [6.1.7601.17592] ..
[7] 2011-04-09. D385343510B75545EC5DB3A64C2D2492. 3912576th . [6.1.7601.21701] ..
[7] 2010-11-21. 2088D9994332583EDB3C561DE31EA5AD. 3911040th . [6.1.7601.17514] ..
[-] 1601-01-01 00:00. ! HASH: COULD NOT OPEN FILE!! . 0th . [------] .. c: \ windows \ system32 \ ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((Start points of the code))))))))))))) ))))))))))))))))))))))))))))))))))
.
.
* Note * empty entries & legitimate default entries are not shown.
REGEDIT4
.
[HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run]
"Steam" = "c: \ program files (x86) \ Steam \ Steam.exe" [2012-01-17 1242448]
"Fccu4o20iv1" = "c: \ users \ Sandra \ fccu4o20iv.exe" [1601-01-01 0]
"Fccu4o20iv" = "c: \ users \ Sandra \ fccu4o20iv.exe" [1601-01-01 0]
"RESTART_STICKY_NOTES" = "c: \ windows \ System32 \ StikyNot.exe" [2007-03-29 320 672]
"Regedit32" = "c: \ windows \ system32 \ regedit.exe" [2009-07-14 398 336]
.
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Wow6432Node \ Microsoft \ Windows \ CurrentVersion \ Run]
"APSDaemon" = "c: \ program files (x86) \ Common Files \ Apple \ Apple Application Support \ APSDaemon.exe" [2011-11-01 59 240]
"ITunesHelper" = "c: \ program files (x86) \ iTunes \ iTunesHelper.exe" [2011-12-08 421 736]
"Switchboard" = "c: \ program files (x86) \ Common Files \ Adobe \ Switchboard \ SwitchBoard.exe" [2010-02-19 517 096]
"AdobeCS5ServiceManager" = "c: \ program files (x86) \ Common Files \ Adobe \ CS5ServiceManager \ CS5ServiceManager.exe" [2010-02-22 406 992]
"Atwtusb" = "atwtusb.exe" [2007-08-31 364,192]
"MacrokeyManager" = "WTMKM.exe" [2007-09-03 1,969,824]
"SunJavaUpdateSched" = "c: \ program files (x86) \ Common Files \ Java \ Java Update \ jusched.exe" [2012-01-18 254 696]
"Adobe Reader Speed ​​Launcher" = "c: \ program files (x86) \ Adobe \ Reader 9.0 \ Reader \ Reader_sl.exe" [2012-01-03 37 296]
"Adobe ARM" = "c: \ program files (x86) \ Common Files \ Adobe \ ARM \ 1.0 \ AdobeARM.exe" [2012-01-02 843 712]
"ArcSoft Connection Service" = "c: \ program files (x86) \ Common Files \ ArcSoft \ Connection Service \ Bin \ ACDaemon.exe" [2010-10-27 207 424]
"Norman Zanda" = "c: \ program files \ Norman \ npm \ Bin \ ZLH.EXE" [2012-02-14 348 560]
"Avgnt" = "c: \ program files (x86) \ Avira \ AntiVir Desktop \ avgnt.exe" [2012-05-01 348 624]
.
c: \ data \ Microsoft \ Windows \ Start Menu \ Programs \ Startup \
Bluetooth.lnk - c: \ program files \ WIDCOMM \ Bluetooth Software \ BTTray.exe [2011-2-8 1136928]
McAfee Security Scan Plus.lnk - c: \ program files (x86) \ McAfee Security Scan \ 3.0.271 \ SSScheduler.exe [2012-3-13 274 328]
.
[HKEY_LOCAL_MACHINE \ software \ microsoft \ windows \ current version \ policies \ system]
"ConsentPromptBehaviorAdmin" = 5 (0x5)
"ConsentPromptBehaviorUser" = 3 (0x3)
"EnableUIADesktopToggle" = 0 (0x0)
.
[HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Control \ lsa]
Security Packages REG_MULTI_SZ Kerberos msv1_0 SChannel wdigest tspkg pku2u livessp
.
R0 AVGIDSHA; AVGIDSHA; c: \ windows \ system32 \ DRIVERS \ avgidsha.sys [x]
R0 SMR250; Symantec SMC Utility Service 2.5.0: c: \ windows \ System32 \ drivers \ SMR250.SYS [x]
R1 avkmgr; avkmgr; c: \ windows \ system32 \ DRIVERS \ avkmgr.sys [2012-05-02 27 760]
R1 NGS; Norman General Security Driver: c: \ program files \ norman \ ngs \ bin \ ngs64.sys [2011-07-12 22 368]
R2 clr_optimization_v4.0.30319_64; Microsoft. NET Framework NGEN v4.0.30319_X64; c: \ windows \ Microsoft.NET \ Framework64 \ v4.0.30319 \ mscorsvw.exe [2010-03-18 138 576]
R2 gupdate; Google Update Service (gupdate); c: \ program files (x86) \ Google \ Update \ googleupdate.exe [2012-07-14 116 648]
R2 Mobile Partner. RunOuc; Mobile Partner. OUC; c: \ program files (x86) \ Mobile Partner \ UpdateDog \ ouc.exe [2012-01-17 246 112]
R2 nregsec; Norman Registry Security drives, c: \ program files \ Norman \ Ng \ Bin \ nregsec64.sys [2011-11-11 63 032]
R2 Update Skype: Skype Updater; c: \ program files (x86) \ Skype \ Updater \ Updater.exe [2012-02-29 158 856]
R3 BTFilter; BTFilter; c: \ windows \ system32 \ DRIVERS \ btfilter.sys [x]
R3 EraserUtilRebootDrv; EraserUtilRebootDrv; c: \ program files (x86) \ Common Files \ Symantec Shared \ EENGINE \ EraserUtilRebootDrv.sys [2012-01-17 138 360]
R3 ew_hwusbdev; Huawei Mobile Broadband USB PNP Device: c: \ windows \ system32 \ DRIVERS \ ew_hwusbdev.sys [x]
R3 ew_usbenumfilter; huawei_CompositeFilter; c: \ windows \ system32 \ DRIVERS \ ew_usbenumfilter.sys [x]
R3 ewusbmbb; HUAWEI USB WWAN miniport; c: \ windows \ system32 \ DRIVERS \ ewusbwwan.sys [x]
R3 gupdatem: Google Update Service (gupdatem); c: \ program files (x86) \ Google \ Update \ googleupdate.exe [2012-07-14 116 648]
R3 McComponentHostService; McAfee Security Scan Component Host Service; c: \ program files (x86) \ McAfee Security Scan \ 3.0.271 \ McCHSvc.exe [2012-03-13 237 272]
R3 Mozilla Maintenance; Mozilla Maintenance Service; c: \ program files (x86) \ Mozilla Maintenance Service \ maintenanceservice.exe [2012-06-17 113 120]
R3 nsesvc: Norman Scanner Engine Service; c: \ program files \ Norman \ nse \ bin \ NSESVC.EXE [2011-03-08 423 752]
R3 NvcMFlt; NvcMFlt; c: \ windows \ system32 \ DRIVERS \ nvcv64mf.sys [2012-06-27 57 440]
R3 nvcoas; Norman Virus Control on-access component: c: \ program files \ Norman \ NVC \ Bin \ nvcoas.exe [2012-06-28 287 312]
R3 Samsung UPD Service; Samsung UPD Service: c: \ windows \ System32 \ SUPDSvc.exe [2010-08-09 166 704]
R3 Scheduler; Norman Scheduler Service: C: \ Program Files \ Norman \ npm \ Bin \ scheduler.exe [2011-04-11 148 240]
R3 Switchboard: Switchboard: c: \ program files (x86) \ Common Files \ Adobe \ Switchboard \ SwitchBoard.exe [2010-02-19 517 096]
R3 TsUsbFlt; TsUsbFlt; c: \ windows \ system32 \ drivers \ tsusbflt.sys [x]
R3 TsUsbGD; Remote Desktop Generic USB Device: c: \ windows \ system32 \ drivers \ TsUsbGD.sys [x]
R3 Turbo Boost, Intel ® Turbo Boost Technology Monitor 2.0; c: \ program files \ Intel \ Turbo Boost \ TurboBoost.exe [2010-10-08 150 016]
R3 USBAAPL64: Apple Mobile USB Driver: c: \ windows \ system32 \ Drivers \ usbaapl64.sys [x]
R3 WatAdminSvc; Windows Activation Technologies Service; c: \ windows \ system32 \ Wat \ WatAdminSvc.exe [2012-01-19 1255736]
R4 wlcrasvc; Windows Live Mesh remote connections service; c: \ program files \ Windows Live \ Mesh \ wlcrasvc.exe [2010-09-22 57 184]
S1 SABI; SAMSUNG Kernel Driver For Windows 7: c: \ windows \ system32 \ Drivers \ SABI.sys [x]
S2 AntiVirSchedulerService; Avira Scheduler: c: \ program files (x86) \ Avira \ AntiVir Desktop \ sched.exe [2012-05-01 86 224]
S2 HWDeviceService64.exe; HWDeviceService64.exe; c: \ data \ Data Card Service \ HWDeviceService64.exe [2011-03-14 346 976]
S2 NHS; Norman Hash Server; c: \ program files \ Norman \ nvc \ bin \ nhs.exe [2012-05-10 793 520]
S2 NNFSVC; Norman Network Filtering Service: c: \ program files \ Norman \ Ng \ Bin \ Nnf.exe [2011-11-14 231 216]
S2 NVOY; Norman Resource Provider: c: \ program files \ Norman \ npm \ bin \ nvoy.exe [2011-10-19 100 936]
S2 nvUpdatusService; NVIDIA Update Service Daemon; c: \ program files (x86) \ NVIDIA Corporation \ NVIDIA Update Core \ daemonu.exe [2012-03-01 2348352]
S2 TurboB; Turbo Boost UI Monitor runs; c: \ windows \ system32 \ DRIVERS \ TurboB.sys [x]
S2 UNS: Intel ® Management and Security Application User Notification Service: c: \ program files (x86) \ Intel \ Intel ® Management Engine Components \ NOS \ UNS.exe [2010-12-21 2.65628 million]
S3 BTWAMPFL; BTWAMPFL; c: \ windows \ system32 \ DRIVERS \ btwampfl.sys [x]
S3 btwl2cap; Bluetooth L2CAP Service; c: \ windows \ system32 \ DRIVERS \ btwl2cap.sys [x]
S3 clwvd; CyberLink Virtual WebCam Driver: c: \ windows \ system32 \ DRIVERS \ clwvd.sys [x]
S3 huawei_enumerator; huawei_enumerator; c: \ windows \ system32 \ DRIVERS \ ew_jubusenum.sys [x]
S3 MEIx64: Intel ® Management Engine Interface; c: \ windows \ system32 \ DRIVERS \ HECIx64.sys [x]
S3 NVHDA; Service for NVIDIA High Definition Audio Driver: c: \ windows \ system32 \ drivers \ nvhda64v.sys [x]
S3 RTL8167, Realtek 8167 NT Driver: c: \ windows \ system32 \ DRIVERS \ Rt64win7.sys [x]
.
.
--- Other Services / Drivers in mind ---
.
* Deregistered * - 812de3bbdb8eba7d
.
Contents of folder 'Scheduled Tasks'
.
2012-07-16 c: \ windows \ Tasks \ GoogleUpdateTaskMachineCore.job
- C: \ program files (x86) \ Google \ Update \ googleupdate.exe [2012-07-14 01:52]
.
2012-07-16 c: \ windows \ Tasks \ GoogleUpdateTaskMachineUA.job
- C: \ program files (x86) \ Google \ Update \ googleupdate.exe [2012-07-14 01:52]
.
2012-07-12 c: \ windows \ Tasks \ Google Update Task Users-1-5-21-2098825367-3721180495-2186962920-1000Core.job
- C: \ users \ Sandra \ AppData \ Local \ Google \ Update \ googleupdate.exe [2012-04-30 21:18]
.
2012-07-16 c: \ windows \ Tasks \ Google Update Task Users-1-5-21-2098825367-3721180495-2186962920-1000UA.job
- C: \ users \ Sandra \ AppData \ Local \ Google \ Update \ googleupdate.exe [2012-04-30 21:18]
.
.
--------- X64 Entries -----------
.
.

@ = "{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT \ CLSID \ {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-06-20 17:02 755 224 ---- aw c: \ program files (x86) \ Google \ Drive \ googledrivesync64.dll
.

@ = "{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT \ CLSID \ {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-06-20 17:02 755 224 ---- aw c: \ program files (x86) \ Google \ Drive \ googledrivesync64.dll
.

@ = "{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT \ CLSID \ {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-06-20 17:02 755 224 ---- aw c: \ program files (x86) \ Google \ Drive \ googledrivesync64.dll
.

@ = "{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT \ CLSID \ {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-06-20 17:02 755 224 ---- aw c: \ program files (x86) \ Google \ Drive \ googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run]
"RtHDVCpl" = "c: \ program files \ Realtek \ Audio \ HDA \ RAVCpl64.exe" [2011-06-25 11.8954 million]
"AdobeAAMUpdater-1.0" = "c: \ program files (x86) \ Common Files \ Adobe \ OOBE \ PDAPP \ UWA \ UpdaterStartupUtility.exe" [2010-03-06 500 208]
.
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Windows]
"LoadAppInit_DLLs" = 0x1
.
------- Supplementary Scan -------
.
uLocal Page = c: \ windows \ system32 \ blank.htm
uStart Page = hxxp :/ / samsung.msn.com
mStart Page = hxxp :/ / samsung.msn.com
mLocal Page = c: \ windows \ SysWOW64 \ blank.htm
uInternet Settings, ProxyOverride = *. local
IE: Send image to & Bluetooth Device ... - C: \ program files \ WIDCOMM \ Bluetooth Software \ btsendto_ie_ctx.htm
IE: Send page to & Bluetooth Device ... - C: \ program files \ WIDCOMM \ Bluetooth Software \ btsendto_ie.htm
TCP = DhcpNameServer 192.168.1.1
TCP: Interfaces \ {3141BF4D-2BE6-43AD-B395-73C144E5ADC1}: NameServer = 80,251,201,177 80,251,201,178
TCP: Interfaces \ {5737D4BA-3D94-49B4-A65B-E8A03CE05FC6}: NameServer = 80,251,201,177 80,251,201,178
TCP: Interfaces \ {A7525278-4695-4DBF-8671-5979EE6EBF8C}: NameServer = 80,251,201,177 80,251,201,178
FF - Profile Path - c: \ users \ Sandra \ AppData \ Roaming \ Mozilla \ Firefox \ Profiles \ y1h6qm4v.default \
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL -
.
---- ORPHANS ITEMS REMOVED ----
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-Adobe Bridge - (no file)
Toolbar-Locked - (no file)
HKLM-Run-Synth Penh - c: \ program files (x86) \ Synaptics \ SynTP \ iTunesHelper.exe
.
.
.
[HKEY_LOCAL_MACHINE \ system \ ControlSet001 \ Services \ 812de3bbdb8eba7d]
"ImagePath" = "\ SystemRoot \ System32 \ Drivers \ 812de3bbdb8eba7d.sys"
.
--------------------- LOCKED INDEX KEYS ---------------------
.
[HKEY_LOCAL_MACHINE \ software \ Classes \ Wow6432Node \ CLSID \ {A483C63A-CDBC-426E-BF93-872502E8144E}]
@ Denied: (A 2) (Everyone)
@ = "Flash Broker"

.

"Enabled" = dword: 00000001
.

@ = "C: \ \ WINDOWS \ \ SysWOW64 \ \ Macromed \ \ Flash \ \ FlashUtil32_11_2_202_235_ActiveX.exe"
.

@ = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE \ software \ Classes \ Wow6432Node \ CLSID \ {D27CDB6E-AE6D-11CF-96B8-444 553 540 000}]
@ Denied: (A 2) (Everyone)
@ = "Shockwave Flash Object"
.

@ = "C: \ \ WINDOWS \ \ SysWOW64 \ \ Macromed \ \ Flash \ \ Flash32_11_2_202_235.ocx"
"ThreadingModel" = "Apartment"
.

@ = "0"
.

@ = "ShockwaveFlash.ShockwaveFlash.11"
.

@ = "C: \ \ WINDOWS \ \ SysWOW64 \ \ Macromed \ \ Flash \ \ Flash32_11_2_202_235.ocx, 1"
.

@ = "{D27CDB6B-AE6D-11CF-96B8-444 553 540 000}"
.

@ = "1.0"
.

@ = "ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE \ software \ Classes \ Wow6432Node \ CLSID \ {D27CDB70-AE6D-11CF-96B8-444 553 540 000}]
@ Denied: (A 2) (Everyone)
@ = "Macromedia Flash Factory Object"
.

@ = "C: \ \ WINDOWS \ \ SysWOW64 \ \ Macromed \ \ Flash \ \ Flash32_11_2_202_235.ocx"
"ThreadingModel" = "Apartment"
.

@ = "FlashFactory.FlashFactory.1"
.

@ = "C: \ \ WINDOWS \ \ SysWOW64 \ \ Macromed \ \ Flash \ \ Flash32_11_2_202_235.ocx, 1"
.

@ = "{D27CDB6B-AE6D-11CF-96B8-444 553 540 000}"
.

@ = "1.0"
.

@ = "FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE \ software \ Classes \ Wow6432Node \ Interface \ {E3F2C3CB-5EB8-4A04-B22c-7E3B4B6AF30F}]
@ Denied: (A 2) (Everyone)
@ = "IFlashBroker4"
.

@ = "{00020424-0000-0000-C000-000000000046}"
.

@ = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version" = "1.0"
.

@ Denied: (A) (Users)
@ Denied: (A) (Everyone)
@ Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial" = dword: 00000000
.

@ Denied: (A) (Users)
@ Denied: (A) (Everyone)
@ Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial" = dword: 00000000
.

@ Denied: (A) (Users)
@ Denied: (A) (Everyone)
@ Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial" = dword: 00000000
.
[HKEY_LOCAL_MACHINE \ system \ ControlSet001 \ Control \ PCW \ Security]
@ Denied: (Full) (Everyone)
.
Completion time: 2012-07-17 01:02:25
ComboFix-quarantined-files.txt 2012-07-16 23:02
.
Before the scan: 71,554,215,936 bytes free
Post-Run: 78,332,239,872 bytes free
.
- End Of File - CDE5DBE9ED8E1F39803DB3ECAB7BA6C2

#4 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:11 PM

Posted 16 July 2012 - 08:35 PM

Sandehshrew,

No problem with the delay. You're welcome, I'm glad to help. :)

I don't mind that you've translated the log into English, but if that takes too much time to translate future logs, I don't really need them to be translated, since I can understand the general output of the log even if it's not in English.

[7] 2012-03-31. 28F44480E411C3DDF04B63F6560E6EF4. 3,913,072th . [6.1.7601.17803] ..
[7] 2012-03-31. 2E02A17E8965AD671E4987E503AD38B1. 3916656th . [6.1.7601.21955] ..
[7] 2012-03-06. 53B4BDEA12A032EEC71E60B6BFF42F37. 3,913,072th . [6.1.7601.17790] ..
[7] 2012-03-06. 57B7DE30C4E65AD19CA13AC3065EE60B. 3916656th . [6.1.7601.21936] ..
[7] 2011-11-19. F0F0E99A65F598A1A7720F5111C4DA8F. 3913584th . [6.1.7601.17727] ..
[7] 2011-11-19. 00B12EA93ED392FBD09F07B63E926647. 3916656th . [6.1.7601.21863] ..
[7] 2011-06-23. 90EFDB506F6140EEA9DEE398D9449D86. 3912576th . [6.1.7601.21755] ..
[7] 2011-06-23. FB58ABD5E1F75A2CF713C9DFF0EC0804. 3912576th . [6.1.7601.17640] ..
[7] 2011-04-09. 5D21C487F79F8245E799071589E035BF. 3912576th . [6.1.7601.17592] ..
[7] 2011-04-09. D385343510B75545EC5DB3A64C2D2492. 3912576th . [6.1.7601.21701] ..
[7] 2010-11-21. 2088D9994332583EDB3C561DE31EA5AD. 3911040th . [6.1.7601.17514] ..

Are there files associated with these lines in the original log? They should look similar to the other lines around them, with files listed after the ..


Multiple Antivirus Programs Installed
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to Programs and Features in the Control Panel and remove either Avira or Norman Security Suite.



Rerun Combofix
Open notepad and copy/paste the text in the box below into it:

http://www.bleepingcomputer.com/forums/topic460700.html

Collect::
C:\SystemRoot\System32\Drivers\812de3bbdb8eba7d.sys

Driver::
812de3bbdb8eba7d

MIA::
C:\Windows\system32\drivers\Atapi.sys
C:\Windows\system32\drivers\asyncmac.sys
c:\windows\system32\drivers\kbdclass.sys
c:\windows\system32\drivers\Ndis.sys
c:\windows\system32\drivers\Ntfs.sys
c:\windows\system32\drivers\null.sys
C:\windows\system32\drivers\Tcpip.sys
c:\windows\system32\drivers\tdx.sys

Save this as CFScript.txt


Posted Image


Refering to the picture above, drag CFScript.txt into ComboFix.exe

If asked to update Combofix, please allow it to update.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#5 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:11 PM

Posted 18 July 2012 - 08:49 PM

Sandehshrew,

It has been two days since my last post. Do you still need help?

If you do, please follow my previous instructions. :thumbup2:
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#6 Sandehshrew

Sandehshrew
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 20 July 2012 - 01:03 AM

My deepest appologies, my excuse is that I wasn't sure how to handle these programs, and just to be sure I waited for a family member to come back from work. Turns out that I missed him every night. However, I tried to run the programs on my own, I hope I did it correctly. I hope this is what you needed.
Thank you very much for your help!

ComboFix 12-07-19.02 - Sandra 2012-07-20 7:36.3.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.46.1053.18.6124.4517 [GMT 2:00]
Körs från: c:\users\Sandra\Desktop\ComboFix.exe
Kommandoväxlar som använts :: c:\users\Sandra\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((( Filer skapade från 2012-06-20 till 2012-07-20 ))))))))))))))))))))))))))))))
.
.
2012-07-20 05:50 . 2012-07-20 05:50 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-07-20 05:50 . 2012-07-20 05:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-15 03:44 . 2012-07-15 03:47 -------- d-----w- c:\users\Sandra\AppData\Local\Microsoft Games
2012-07-15 02:24 . 2012-05-02 13:24 27760 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-07-15 02:24 . 2012-04-27 08:20 132832 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-07-15 02:24 . 2012-04-24 22:32 98848 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-07-15 02:23 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B81B2870-AC2D-4B16-973C-7EDFD0DBD1EC}\mpengine.dll
2012-07-14 23:16 . 2012-07-14 23:16 -------- d-----w- c:\users\Sandra\AppData\Roaming\Malwarebytes
2012-07-14 23:16 . 2012-07-14 23:16 -------- d-----w- c:\programdata\Malwarebytes
2012-07-14 23:16 . 2012-07-15 12:19 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-14 22:27 . 2012-07-14 22:27 -------- d-----w- c:\users\Sandra\AppData\Roaming\Avira
2012-07-14 22:22 . 2012-07-14 22:22 -------- d-----w- c:\programdata\Avira
2012-07-14 22:22 . 2012-07-14 22:22 -------- d-----w- c:\program files (x86)\Avira
2012-07-14 01:52 . 2012-07-14 01:54 -------- d-----w- c:\program files (x86)\Google
2012-07-01 19:00 . 2012-07-01 19:00 -------- d-----w- c:\users\Sandra\AppData\Local\Diagnostics
2012-06-23 09:05 . 2012-06-23 09:05 -------- d-----w- c:\users\Sandra\AppData\Roaming\Gensokyo.org
2012-06-23 09:04 . 2012-06-23 09:04 -------- d-----w- c:\users\Sandra\AppData\Roaming\ShanghaiAlice
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-10 18:06 . 2012-03-30 19:23 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-10 18:06 . 2012-03-30 19:23 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-01 22:49 . 2012-06-01 22:49 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
2012-05-27 18:57 . 2012-05-27 18:57 1700352 ----a-w- c:\windows\SysWow64\gdiplus.dll
2012-05-09 01:12 . 2012-04-14 05:13 57848688 ----a-w- c:\windows\system32\MRT.exe
2012-05-04 23:42 . 2012-05-01 02:42 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-16_22.57.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-12 07:16 . 2011-10-12 07:16 15144 c:\windows\SysWOW64\drivers\rtport.sys
+ 2009-07-13 23:38 . 2009-07-13 23:38 15360 c:\windows\system32\vga.dll
+ 2010-11-21 03:09 . 2012-07-17 04:46 58334 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-07-19 00:26 45658 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-01-17 14:43 . 2012-07-19 00:26 17502 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2098825367-3721180495-2186962920-1000_UserData.bin
- 2012-01-17 14:43 . 2012-07-16 22:41 17502 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2098825367-3721180495-2186962920-1000_UserData.bin
+ 2009-07-14 00:16 . 2009-07-14 00:16 17408 c:\windows\system32\tsddd.dll
+ 2009-07-14 00:16 . 2009-07-14 01:32 32256 c:\windows\system32\RDPREFDD.dll
+ 2009-07-13 23:19 . 2009-07-14 01:45 57424 c:\windows\system32\PSHED.DLL
+ 2009-07-13 23:19 . 2009-07-14 01:41 36864 c:\windows\system32\pcwum.dll
+ 2009-07-13 23:22 . 2009-07-14 01:48 32832 c:\windows\system32\mcupdate_AuthenticAMD.dll
+ 2011-07-29 00:27 . 2011-02-05 17:10 20352 c:\windows\system32\kdusb.dll
+ 2011-07-29 00:27 . 2011-02-05 17:10 17792 c:\windows\system32\kdcom.dll
+ 2011-07-29 00:27 . 2011-02-05 17:10 19328 c:\windows\system32\kd1394.dll
+ 2009-07-13 23:37 . 2009-07-14 01:28 10240 c:\windows\system32\kbdnecat.dll
+ 2009-07-13 23:37 . 2009-07-14 01:41 12288 c:\windows\system32\KBDKOR.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:41 12800 c:\windows\system32\KBDJPN.DLL
+ 2009-07-13 23:38 . 2009-07-13 23:38 14848 c:\windows\system32\framebuf.dll
+ 2009-07-13 23:37 . 2009-07-14 01:27 34816 c:\windows\system32\f3ahvoas.dll
+ 2011-07-29 00:32 . 2011-01-25 09:34 18432 c:\windows\system32\drivers\vwifimp.sys
+ 2011-07-29 00:32 . 2011-01-25 09:34 60416 c:\windows\system32\drivers\vwififlt.sys
+ 2009-07-14 00:07 . 2009-07-14 00:07 24576 c:\windows\system32\drivers\vwifibus.sys
+ 2009-07-14 00:10 . 2009-07-14 00:10 21504 c:\windows\system32\drivers\ws2ifsl.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 71552 c:\windows\system32\drivers\volmgr.sys
+ 2009-07-13 23:19 . 2009-07-14 01:45 16464 c:\windows\system32\drivers\wmilib.sys
+ 2009-07-13 23:31 . 2009-07-13 23:31 14336 c:\windows\system32\drivers\wmiacpi.sys
+ 2009-07-13 23:29 . 2009-07-14 01:45 22096 c:\windows\system32\drivers\wimmount.sys
+ 2009-07-13 23:19 . 2009-07-14 01:45 17488 c:\windows\system32\drivers\viaide.sys
+ 2009-07-13 23:38 . 2009-07-13 23:38 29184 c:\windows\system32\drivers\vgapnp.sys
+ 2009-07-13 23:38 . 2009-07-13 23:38 29184 c:\windows\system32\drivers\vga.sys
+ 2009-07-14 00:09 . 2009-07-14 00:09 12800 c:\windows\system32\drivers\wfplwf.sys
+ 2009-07-14 00:01 . 2009-07-14 01:45 36432 c:\windows\system32\drivers\vdrvroot.sys
+ 2009-07-13 23:19 . 2009-07-14 01:45 42064 c:\windows\system32\drivers\WdfLdr.sys
+ 2009-07-13 23:19 . 2009-07-14 01:45 21056 c:\windows\system32\drivers\wd.sys
+ 2009-07-13 23:37 . 2009-07-13 23:37 42496 c:\windows\system32\drivers\watchdog.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 88576 c:\windows\system32\drivers\wanarp.sys
+ 2009-07-14 00:02 . 2009-07-14 00:02 27776 c:\windows\system32\drivers\wacompen.sys
+ 2011-07-29 00:29 . 2011-03-25 03:29 30720 c:\windows\system32\drivers\usbuhci.sys
+ 2011-07-29 00:28 . 2011-03-11 04:37 91648 c:\windows\system32\drivers\USBSTOR.SYS
+ 2010-11-21 03:24 . 2010-11-21 03:24 31744 c:\windows\system32\drivers\usbrpm.sys
+ 2009-07-14 00:38 . 2009-07-14 00:38 25088 c:\windows\system32\drivers\usbprint.sys
+ 2011-07-29 00:29 . 2011-03-25 03:29 25600 c:\windows\system32\drivers\usbohci.sys
+ 2011-07-29 00:29 . 2011-03-25 03:29 52736 c:\windows\system32\drivers\usbehci.sys
+ 2011-07-29 00:29 . 2011-03-25 03:29 98816 c:\windows\system32\drivers\usbccgp.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 32896 c:\windows\system32\drivers\USBCAMD2.sys
+ 2011-08-02 16:38 . 2011-08-02 16:38 51712 c:\windows\system32\drivers\usbaapl64.sys
+ 2009-07-14 00:09 . 2009-07-14 00:09 19968 c:\windows\system32\drivers\usb8023.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 48640 c:\windows\system32\drivers\umbus.sys
+ 2009-07-13 23:38 . 2009-07-14 01:45 64592 c:\windows\system32\drivers\ULIAGPKX.SYS
+ 2009-07-13 23:38 . 2009-07-14 01:45 64080 c:\windows\system32\drivers\UAGP35.SYS
+ 2010-10-08 01:23 . 2010-10-08 01:23 19192 c:\windows\system32\drivers\TurboB.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 31232 c:\windows\system32\drivers\TsUsbGD.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 59392 c:\windows\system32\drivers\TsUsbFlt.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 39424 c:\windows\system32\drivers\tssecsrv.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 63360 c:\windows\system32\drivers\termdd.sys
+ 2012-03-14 06:54 . 2012-02-17 04:57 23552 c:\windows\system32\drivers\tdtcp.sys
+ 2009-07-14 00:16 . 2009-07-14 00:16 15872 c:\windows\system32\drivers\tdpipe.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 26624 c:\windows\system32\drivers\tdi.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 45056 c:\windows\system32\drivers\tcpipreg.sys
+ 2009-07-14 00:01 . 2009-07-14 00:01 29184 c:\windows\system32\drivers\tape.sys
+ 2009-07-14 00:00 . 2009-07-14 01:45 12496 c:\windows\system32\drivers\swenum.sys
+ 2009-07-14 00:06 . 2009-07-14 00:06 68864 c:\windows\system32\drivers\stream.sys
+ 2009-07-13 21:59 . 2009-07-14 01:45 24656 c:\windows\system32\drivers\stexstor.sys
+ 2011-07-29 03:41 . 2009-08-07 01:35 11576 c:\windows\system32\drivers\SSPORT.sys
+ 2009-07-13 20:27 . 2009-07-14 01:45 19008 c:\windows\system32\drivers\spldr.sys
+ 2009-07-14 00:00 . 2009-07-14 00:00 20992 c:\windows\system32\drivers\smclib.sys
+ 2009-07-14 00:09 . 2009-07-14 00:09 93184 c:\windows\system32\drivers\smb.sys
+ 2009-07-13 21:59 . 2009-07-14 01:45 80464 c:\windows\system32\drivers\sisraid4.sys
+ 2009-06-10 20:37 . 2009-07-14 01:45 43584 c:\windows\system32\drivers\sisraid2.sys
+ 2009-07-14 00:01 . 2009-07-14 00:01 16896 c:\windows\system32\drivers\sfloppy.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 14336 c:\windows\system32\drivers\sffp_sd.sys
+ 2009-07-14 00:01 . 2009-07-14 00:01 13824 c:\windows\system32\drivers\sffp_mmc.sys
+ 2009-07-14 00:01 . 2009-07-14 00:01 14336 c:\windows\system32\drivers\sffdisk.sys
+ 2009-07-14 00:35 . 2009-07-14 00:35 12288 c:\windows\system32\drivers\serscan.sys
+ 2009-07-14 00:00 . 2009-07-14 00:00 26624 c:\windows\system32\drivers\sermouse.sys
+ 2009-07-14 00:00 . 2009-07-14 00:00 94208 c:\windows\system32\drivers\serial.sys
+ 2009-07-14 00:00 . 2009-07-14 00:00 23552 c:\windows\system32\drivers\serenum.sys
+ 2009-07-14 02:36 . 2009-06-10 20:37 23040 c:\windows\system32\drivers\secdrv.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 29696 c:\windows\system32\drivers\scfilter.sys
+ 2011-07-29 00:26 . 2009-07-20 16:17 30776 c:\windows\system32\drivers\SABI3.dll
+ 2011-07-29 00:08 . 2010-10-07 02:59 13824 c:\windows\system32\drivers\SABI.sys
+ 2009-07-14 00:08 . 2009-07-14 00:08 76800 c:\windows\system32\drivers\rspndr.sys
+ 2009-07-14 00:10 . 2009-07-14 00:10 11264 c:\windows\system32\drivers\rootmdm.sys
+ 2009-07-14 00:09 . 2009-07-14 00:09 41472 c:\windows\system32\drivers\RNDISMP.sys
+ 2009-07-14 00:17 . 2009-07-14 00:17 24064 c:\windows\system32\drivers\rdpbus.sys
+ 2009-07-14 00:10 . 2009-07-14 00:10 83968 c:\windows\system32\drivers\rassstp.sys
+ 2009-07-14 00:10 . 2009-07-14 00:10 92672 c:\windows\system32\drivers\raspppoe.sys
+ 2009-07-14 00:10 . 2009-07-14 00:10 14848 c:\windows\system32\drivers\rasacd.sys
+ 2009-07-14 00:09 . 2009-07-14 00:09 46592 c:\windows\system32\drivers\qwavedrv.sys
+ 2009-07-13 23:19 . 2009-07-13 23:19 60416 c:\windows\system32\drivers\processr.sys
+ 2009-07-13 23:19 . 2009-07-14 01:45 50768 c:\windows\system32\drivers\pcw.sys
+ 2009-07-13 23:19 . 2009-07-14 01:45 48720 c:\windows\system32\drivers\pciidex.sys
+ 2009-07-13 23:19 . 2009-07-14 01:45 12352 c:\windows\system32\drivers\pciide.sys
+ 2012-05-08 21:09 . 2012-03-17 07:58 75120 c:\windows\system32\drivers\partmgr.sys
+ 2009-07-14 00:00 . 2009-07-14 00:00 97280 c:\windows\system32\drivers\parport.sys
+ 2009-07-14 00:06 . 2009-07-14 00:06 72832 c:\windows\system32\drivers\ohci1394.sys
+ 2009-07-13 23:21 . 2009-07-13 23:21 24576 c:\windows\system32\drivers\nsiproxy.sys
+ 2009-07-13 23:19 . 2009-07-13 23:19 44032 c:\windows\system32\drivers\npfs.sys
+ 2009-07-13 21:59 . 2009-07-14 01:48 51264 c:\windows\system32\drivers\nfrd960.sys
+ 2009-07-14 00:09 . 2009-07-14 00:09 44544 c:\windows\system32\drivers\netbios.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 57856 c:\windows\system32\drivers\ndproxy.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 56832 c:\windows\system32\drivers\ndisuio.sys
+ 2009-07-14 00:10 . 2009-07-14 00:10 24064 c:\windows\system32\drivers\ndistapi.sys
+ 2009-07-14 00:08 . 2009-07-14 00:08 35328 c:\windows\system32\drivers\ndiscap.sys
+ 2009-07-13 23:23 . 2009-07-14 01:48 60496 c:\windows\system32\drivers\mup.sys
+ 2009-07-14 00:02 . 2009-07-14 00:02 15360 c:\windows\system32\drivers\MTConfig.sys
+ 2009-07-13 23:31 . 2009-07-14 01:48 32320 c:\windows\system32\drivers\mssmbios.sys
+ 2009-07-14 00:00 . 2009-07-14 00:00 11136 c:\windows\system32\drivers\mskssrv.sys
+ 2009-07-13 23:19 . 2009-07-14 01:48 15424 c:\windows\system32\drivers\msisadrv.sys
+ 2009-07-13 23:19 . 2009-07-13 23:19 26112 c:\windows\system32\drivers\msfs.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 31104 c:\windows\system32\drivers\msahci.sys
+ 2009-07-14 00:08 . 2009-07-14 00:08 77312 c:\windows\system32\drivers\mpsdrv.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 94592 c:\windows\system32\drivers\mountmgr.sys
+ 2009-07-14 00:00 . 2009-07-14 00:00 31232 c:\windows\system32\drivers\mouhid.sys
+ 2009-07-13 23:19 . 2009-07-14 01:48 49216 c:\windows\system32\drivers\mouclass.sys
+ 2009-07-13 23:38 . 2009-07-13 23:38 30208 c:\windows\system32\drivers\monitor.sys
+ 2009-07-14 00:10 . 2009-07-14 00:10 40448 c:\windows\system32\drivers\modem.sys
+ 2009-06-10 20:37 . 2009-07-14 01:48 35392 c:\windows\system32\drivers\megasas.sys
+ 2009-07-14 00:01 . 2009-07-14 00:01 22016 c:\windows\system32\drivers\mcd.sys
+ 2009-07-13 21:59 . 2009-07-14 01:48 65600 c:\windows\system32\drivers\lsi_sas2.sys
+ 2009-07-14 00:08 . 2009-07-14 00:08 60928 c:\windows\system32\drivers\lltdio.sys
+ 2009-07-14 00:00 . 2009-07-14 00:00 20992 c:\windows\system32\drivers\ksthunk.sys
+ 2012-01-29 21:10 . 2011-11-17 06:49 95600 c:\windows\system32\drivers\ksecdd.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 33280 c:\windows\system32\drivers\kbdhid.sys
+ 2009-07-13 23:19 . 2009-07-14 01:48 50768 c:\windows\system32\drivers\kbdclass.sys
+ 2009-07-13 23:31 . 2009-07-14 01:48 20544 c:\windows\system32\drivers\isapnp.sys
+ 2009-07-14 00:08 . 2009-07-14 00:08 17920 c:\windows\system32\drivers\irenum.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 78848 c:\windows\system32\drivers\IPMIDrv.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 82944 c:\windows\system32\drivers\ipfltdrv.sys
+ 2009-07-13 23:19 . 2009-07-13 23:19 62464 c:\windows\system32\drivers\intelppm.sys
+ 2009-07-13 23:19 . 2009-07-14 01:48 16960 c:\windows\system32\drivers\intelide.sys
+ 2009-07-13 21:59 . 2009-07-14 01:48 44112 c:\windows\system32\drivers\iirsp.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 14720 c:\windows\system32\drivers\hwpolicy.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 78720 c:\windows\system32\drivers\HpSAMD.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 30208 c:\windows\system32\drivers\hidusb.sys
+ 2009-07-14 00:06 . 2009-07-14 00:06 32896 c:\windows\system32\drivers\hidparse.sys
+ 2009-07-14 00:06 . 2009-07-14 00:06 46592 c:\windows\system32\drivers\hidir.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 76800 c:\windows\system32\drivers\hidclass.sys
+ 2009-07-13 23:31 . 2009-07-13 23:31 26624 c:\windows\system32\drivers\hidbatt.sys
+ 2011-07-29 03:38 . 2010-10-20 00:34 56344 c:\windows\system32\drivers\HECIx64.sys
+ 2009-07-13 22:53 . 2009-06-10 20:31 31232 c:\windows\system32\drivers\hcw85cir.sys
+ 2012-01-17 20:09 . 2009-05-18 12:17 34152 c:\windows\system32\drivers\GEARAspiWDM.sys
+ 2009-07-13 23:38 . 2009-07-14 01:47 65088 c:\windows\system32\drivers\GAGP30KX.SYS
+ 2012-02-12 09:22 . 2011-05-13 14:37 48488 c:\windows\system32\drivers\fssfltr.sys
+ 2009-07-13 23:26 . 2009-07-14 01:47 55376 c:\windows\system32\drivers\fsdepends.sys
+ 2012-04-11 01:00 . 2012-03-01 06:46 23408 c:\windows\system32\drivers\fs_rec.sys
+ 2009-07-14 00:00 . 2009-07-14 00:00 24576 c:\windows\system32\drivers\flpydisk.sys
+ 2009-07-13 23:25 . 2009-07-13 23:25 34304 c:\windows\system32\drivers\filetrace.sys
+ 2009-07-13 23:34 . 2009-07-14 01:47 70224 c:\windows\system32\drivers\fileinfo.sys
+ 2009-07-14 00:00 . 2009-07-14 00:00 29696 c:\windows\system32\drivers\fdc.sys
+ 2012-01-17 19:35 . 2012-01-17 19:34 32768 c:\windows\system32\drivers\ewdcsc.sys
+ 2012-01-17 19:35 . 2012-01-17 19:34 13952 c:\windows\system32\drivers\ew_usbenumfilter.sys
+ 2012-01-17 19:35 . 2012-01-17 19:34 28672 c:\windows\system32\drivers\ew_juextctrl.sys
+ 2012-01-17 19:35 . 2012-01-17 19:34 69632 c:\windows\system32\drivers\ew_jucdcecm.sys
+ 2012-01-17 19:35 . 2012-01-17 19:34 98816 c:\windows\system32\drivers\ew_jucdcacm.sys
+ 2012-01-17 19:35 . 2012-01-17 19:34 86016 c:\windows\system32\drivers\ew_jubusenum.sys
+ 2012-01-17 19:35 . 2012-01-17 19:34 22016 c:\windows\system32\drivers\ew_hwupgrade.sys
+ 2009-07-13 23:38 . 2009-07-13 23:38 98816 c:\windows\system32\drivers\dxg.sys
+ 2009-07-13 23:38 . 2009-07-13 23:38 16896 c:\windows\system32\drivers\dxapi.sys
+ 2009-07-13 23:21 . 2009-07-14 01:43 55128 c:\windows\system32\drivers\dumpfve.sys
+ 2009-07-13 23:19 . 2009-07-14 01:47 28736 c:\windows\system32\drivers\Dumpata.sys
+ 2011-07-29 00:31 . 2011-04-22 22:15 27520 c:\windows\system32\drivers\Diskdump.sys
+ 2009-07-13 23:19 . 2009-07-14 01:47 73280 c:\windows\system32\drivers\disk.sys
+ 2009-07-13 23:37 . 2009-07-13 23:37 40448 c:\windows\system32\drivers\discache.sys
+ 2009-07-14 00:01 . 2009-07-14 01:47 24144 c:\windows\system32\drivers\crcdisk.sys
+ 2009-07-14 00:01 . 2009-07-14 01:47 39504 c:\windows\system32\drivers\crashdmp.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 38912 c:\windows\system32\drivers\CompositeBus.sys
+ 2009-07-13 23:31 . 2009-07-14 01:52 21584 c:\windows\system32\drivers\compbatt.sys
+ 2009-07-13 23:19 . 2009-07-14 01:52 17488 c:\windows\system32\drivers\cmdide.sys
+ 2009-07-13 23:31 . 2009-07-13 23:31 17664 c:\windows\system32\drivers\CmBatt.sys
+ 2010-11-10 00:04 . 2010-11-10 00:04 31088 c:\windows\system32\drivers\clwvd.sys
+ 2009-07-14 00:06 . 2009-07-14 00:06 45568 c:\windows\system32\drivers\circlass.sys
+ 2009-07-13 23:19 . 2009-07-13 23:19 92160 c:\windows\system32\drivers\cdfs.sys
+ 2012-01-17 14:49 . 2011-02-08 19:13 21416 c:\windows\system32\drivers\btwrchid.sys
+ 2012-01-17 14:49 . 2011-02-08 19:13 39464 c:\windows\system32\drivers\btwl2cap.sys
+ 2012-01-19 23:02 . 2011-04-28 03:54 80384 c:\windows\system32\drivers\BTHUSB.SYS
+ 2009-07-14 00:06 . 2009-07-14 00:06 72192 c:\windows\system32\drivers\bthmodem.sys
+ 2009-07-14 00:06 . 2009-07-14 00:06 41984 c:\windows\system32\drivers\bthenum.sys
+ 2009-07-14 01:20 . 2009-06-10 20:41 14720 c:\windows\system32\drivers\BrUsbSer.sys
+ 2009-07-14 01:20 . 2009-06-10 20:41 14976 c:\windows\system32\drivers\BrUsbMdm.sys
+ 2009-07-14 01:20 . 2009-06-10 20:41 47104 c:\windows\system32\drivers\BrSerWdm.sys
+ 2009-07-14 01:05 . 2009-07-14 01:01 95232 c:\windows\system32\drivers\bridge.sys
+ 2009-07-14 01:19 . 2009-06-10 20:41 18432 c:\windows\system32\drivers\BrFiltLo.sys
+ 2012-01-18 23:21 . 2011-02-23 04:55 90624 c:\windows\system32\drivers\bowser.sys
+ 2009-07-13 23:35 . 2009-07-13 23:35 45056 c:\windows\system32\drivers\blbdrive.sys
+ 2009-07-13 23:31 . 2009-07-14 01:52 28240 c:\windows\system32\drivers\battc.sys
+ 2009-07-13 23:19 . 2009-07-14 01:52 24128 c:\windows\system32\drivers\atapi.sys
+ 2009-07-14 00:10 . 2009-07-14 00:10 23040 c:\windows\system32\drivers\asyncmac.sys
+ 2009-07-13 21:59 . 2009-07-14 01:52 97856 c:\windows\system32\drivers\arcsas.sys
+ 2009-07-13 21:59 . 2009-07-14 01:52 87632 c:\windows\system32\drivers\arc.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 61440 c:\windows\system32\drivers\appid.sys
+ 2011-07-29 00:28 . 2011-03-11 06:41 27008 c:\windows\system32\drivers\amdxata.sys
+ 2009-07-13 23:19 . 2009-07-13 23:19 60928 c:\windows\system32\drivers\amdppm.sys
+ 2009-07-13 23:19 . 2009-07-13 23:19 64512 c:\windows\system32\drivers\amdk8.sys
+ 2009-07-13 23:19 . 2009-07-14 01:52 15440 c:\windows\system32\drivers\amdide.sys
+ 2009-07-13 23:19 . 2009-07-14 01:52 15440 c:\windows\system32\drivers\aliide.sys
+ 2009-07-13 23:38 . 2009-07-14 01:52 61008 c:\windows\system32\drivers\AGP440.sys
+ 2009-07-14 00:10 . 2009-07-14 00:10 60416 c:\windows\system32\drivers\agilevpn.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 12800 c:\windows\system32\drivers\acpipmi.sys
+ 2009-07-14 00:06 . 2009-07-14 00:06 68096 c:\windows\system32\drivers\1394bus.sys
+ 2012-01-18 23:22 . 2011-10-26 05:21 43520 c:\windows\system32\csrsrv.dll
+ 2012-01-17 14:44 . 2012-07-16 23:23 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-01-17 14:44 . 2012-07-01 20:22 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-17 14:44 . 2012-07-16 23:23 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2012-01-17 14:44 . 2012-07-01 20:22 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-07-01 20:22 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-07-16 23:23 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-13 23:19 . 2009-07-14 01:52 23120 c:\windows\system32\BOOTVID.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8704 c:\windows\system32\KBDYCL.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDYCC.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDYBA.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDYAK.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDWOL.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDVNTC.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDUZB.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDUSX.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDUSR.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDUSL.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDUSA.DLL
+ 2010-11-21 03:23 . 2010-11-21 03:23 7168 c:\windows\system32\KBDUS.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDURDU.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDUR1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDUR.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\KBDUKX.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDUK.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7168 c:\windows\system32\KBDUGHR1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDUGHR.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7168 c:\windows\system32\KBDTURME.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 8192 c:\windows\system32\KBDTUQ.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 8192 c:\windows\system32\KBDTUF.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\KBDTIPRC.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDTH3.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDTH2.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDTH1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDTH0.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDTAT.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7168 c:\windows\system32\KBDTAJIK.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDSYR2.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDSYR1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDSW09.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDSW.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDSP.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\KBDSORST.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDSORS1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\KBDSOREX.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDSN1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8704 c:\windows\system32\KBDSMSNO.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8704 c:\windows\system32\KBDSMSFI.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\KBDSL1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDSL.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 8192 c:\windows\system32\KBDSG.DLL
+ 2010-11-21 03:23 . 2010-11-21 03:23 7680 c:\windows\system32\KBDSF.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDRU1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDRU.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8704 c:\windows\system32\KBDROST.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8704 c:\windows\system32\KBDROPR.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\KBDRO.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7680 c:\windows\system32\KBDPO.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDPL1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDPL.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDPASH.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\KBDNSO.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\KBDNO1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDNO.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7680 c:\windows\system32\KBDNEPR.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8704 c:\windows\system32\kbdnecnt.dll
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\kbdnec95.dll
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\kbdnec.dll
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDNE.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDMONMO.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7168 c:\windows\system32\KBDMON.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDMLT48.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDMLT47.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7168 c:\windows\system32\KBDMAORI.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDMACST.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDMAC.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDLV1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDLV.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDLT2.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7168 c:\windows\system32\KBDLT1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDLT.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 8192 c:\windows\system32\kbdlk41a.dll
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDLAO.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDLA.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDKYR.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDKHMR.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDKAZ.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDIULAT.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDIT142.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDIT.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDIR.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\KBDINUK2.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7168 c:\windows\system32\KBDINTEL.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7680 c:\windows\system32\KBDINTAM.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDINPUN.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7168 c:\windows\system32\KBDINORI.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7168 c:\windows\system32\KBDINMAR.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDINMAL.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7168 c:\windows\system32\KBDINKAN.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7168 c:\windows\system32\KBDINHIN.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDINGUJ.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDINDEV.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7680 c:\windows\system32\KBDINBEN.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDINBE2.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDINBE1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDINASA.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDIC.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDIBO.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\kbdibm02.dll
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDHU1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDHU.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 9728 c:\windows\system32\KBDHEPT.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDHELA3.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDHELA2.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDHEB.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDHE319.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDHE220.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDHE.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDHAU.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\KBDGRLND.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7680 c:\windows\system32\KBDGR1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDGR.DLL
+ 2010-11-21 03:23 . 2010-11-21 03:23 8192 c:\windows\system32\KBDGKL.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\kbdgeoqw.dll
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\kbdgeoer.dll
+ 2010-11-21 03:24 . 2010-11-21 03:24 6656 c:\windows\system32\KBDGEO.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDGAE.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDFR.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDFO.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\KBDFI1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDFI.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDFC.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDFA.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDEST.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDES.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDDV.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDDIV2.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDDIV1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDDA.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\KBDCZ2.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 8192 c:\windows\system32\KBDCZ1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\KBDCZ.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\KBDCR.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8704 c:\windows\system32\KBDCAN.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDCA.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7168 c:\windows\system32\KBDBULG.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDBU.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDBR.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7168 c:\windows\system32\KBDBLR.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDBHC.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDBGPH1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDBGPH.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDBENE.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDBE.DLL
+ 2010-11-21 03:24 . 2010-11-21 03:24 7168 c:\windows\system32\KBDBASH.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDAZEL.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDAZE.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\kbdax2.dll
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDARMW.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDARME.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\KBDAL.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDA3.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 6656 c:\windows\system32\KBDA2.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\KBDA1.DLL
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\kbd106n.dll
+ 2009-07-13 23:37 . 2009-07-14 01:28 8192 c:\windows\system32\kbd106.dll
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\kbd103.dll
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\kbd101c.dll
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\kbd101b.dll
+ 2009-07-13 23:37 . 2009-07-14 01:28 7168 c:\windows\system32\kbd101a.dll
+ 2009-07-13 23:37 . 2009-07-14 01:28 7680 c:\windows\system32\kbd101.dll
+ 2011-07-29 00:29 . 2011-03-25 03:28 7936 c:\windows\system32\drivers\usbd.sys
+ 2009-07-14 00:06 . 2009-07-14 00:06 9728 c:\windows\system32\drivers\umpass.sys
+ 2009-07-14 00:16 . 2009-07-14 00:16 8192 c:\windows\system32\drivers\RDPREFMP.sys
+ 2009-07-14 00:16 . 2009-07-14 00:16 7680 c:\windows\system32\drivers\RDPENCDD.sys
+ 2009-07-14 00:16 . 2009-07-14 00:16 7680 c:\windows\system32\drivers\RDPCDD.sys
+ 2009-07-13 23:19 . 2009-07-13 23:19 6144 c:\windows\system32\drivers\null.sys
+ 2009-07-14 00:00 . 2009-07-14 00:00 8064 c:\windows\system32\drivers\mstee.sys
+ 2009-07-14 00:00 . 2009-07-14 00:00 6784 c:\windows\system32\drivers\mspqm.sys
+ 2009-07-14 00:00 . 2009-07-14 00:00 7168 c:\windows\system32\drivers\mspclock.sys
+ 2009-07-14 00:06 . 2009-07-14 00:06 8192 c:\windows\system32\drivers\mshidkmdf.sys
+ 2009-07-13 23:31 . 2009-07-13 23:31 9728 c:\windows\system32\drivers\errdev.sys
+ 2009-07-14 00:06 . 2009-07-14 00:06 5632 c:\windows\system32\drivers\drmkaud.sys
+ 2009-07-14 01:20 . 2009-06-10 20:41 8704 c:\windows\system32\drivers\BrFiltUp.sys
+ 2009-07-14 00:00 . 2009-07-14 00:00 6656 c:\windows\system32\drivers\beep.sys
+ 2012-07-19 00:13 . 2012-07-19 00:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-16 22:28 . 2012-07-16 22:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-19 00:13 . 2012-07-19 00:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-16 22:28 . 2012-07-16 22:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-29 00:27 . 2011-02-05 17:06 605552 c:\windows\system32\winload.exe
+ 2012-01-17 19:31 . 2012-07-19 15:17 299548 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2010-11-21 03:24 . 2010-11-21 03:24 147456 c:\windows\system32\RDPENCDD.dll
+ 2010-11-21 03:24 . 2010-11-21 03:24 274944 c:\windows\system32\rdpdd.dll
+ 2010-11-21 03:24 . 2010-11-21 03:24 299392 c:\windows\system32\mcupdate_GenuineIntel.dll
+ 2010-11-21 03:24 . 2010-11-21 03:24 263040 c:\windows\system32\hal.dll
+ 2010-11-21 03:23 . 2010-11-21 03:23 172544 c:\windows\system32\drivers\WUDFRd.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 112128 c:\windows\system32\drivers\WUDFPf.sys
+ 2009-06-10 20:37 . 2009-07-14 01:45 161872 c:\windows\system32\drivers\vsmraid.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 295808 c:\windows\system32\drivers\volsnap.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 363392 c:\windows\system32\drivers\volmgrx.sys
+ 2009-07-13 23:38 . 2009-07-13 23:38 129024 c:\windows\system32\drivers\videoprt.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 215936 c:\windows\system32\drivers\vhdmp.sys
+ 2009-07-13 23:22 . 2009-07-14 01:45 654928 c:\windows\system32\drivers\Wdf01000.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 184960 c:\windows\system32\drivers\usbvideo.sys
+ 2011-07-29 00:29 . 2011-03-25 03:29 325120 c:\windows\system32\drivers\usbport.sys
+ 2011-07-29 00:29 . 2011-03-25 03:29 343040 c:\windows\system32\drivers\usbhub.sys
+ 2009-07-14 00:06 . 2009-07-14 00:06 100352 c:\windows\system32\drivers\usbcir.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 328192 c:\windows\system32\drivers\udfs.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 125440 c:\windows\system32\drivers\tunnel.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 119296 c:\windows\system32\drivers\tdx.sys
+ 2011-07-29 00:28 . 2011-03-11 06:41 189824 c:\windows\system32\drivers\storport.sys
+ 2011-07-29 00:31 . 2011-04-29 03:05 168448 c:\windows\system32\drivers\srvnet.sys
+ 2011-07-29 00:31 . 2011-04-29 03:05 410112 c:\windows\system32\drivers\srv2.sys
+ 2011-07-29 00:31 . 2011-04-29 03:06 467456 c:\windows\system32\drivers\srv.sys
+ 2009-06-10 20:48 . 2009-06-10 20:48 426496 c:\windows\system32\drivers\spsys.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 171392 c:\windows\system32\drivers\scsiport.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 103808 c:\windows\system32\drivers\sbp2port.sys
+ 2011-07-28 23:57 . 2011-01-27 05:35 425064 c:\windows\system32\drivers\Rt64win7.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 146432 c:\windows\system32\drivers\rmcast.sys
+ 2009-07-14 00:06 . 2009-07-14 00:06 158720 c:\windows\system32\drivers\rfcomm.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 213888 c:\windows\system32\drivers\rdyboost.sys
+ 2012-03-14 06:54 . 2012-02-17 04:58 210944 c:\windows\system32\drivers\rdpwd.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 309248 c:\windows\system32\drivers\rdbss.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 111104 c:\windows\system32\drivers\raspptp.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 129536 c:\windows\system32\drivers\rasl2tp.sys
+ 2009-07-13 21:59 . 2009-07-14 01:45 128592 c:\windows\system32\drivers\ql40xx.sys
+ 2009-07-14 00:06 . 2009-07-14 00:06 230400 c:\windows\system32\drivers\portcls.sys
+ 2009-07-13 23:51 . 2009-07-14 01:01 651264 c:\windows\system32\drivers\PEAuth.sys
+ 2009-07-13 23:31 . 2009-07-14 01:45 220752 c:\windows\system32\drivers\pcmcia.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 184704 c:\windows\system32\drivers\pci.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 131584 c:\windows\system32\drivers\pacer.sys
+ 2011-07-29 00:28 . 2011-03-11 06:41 166272 c:\windows\system32\drivers\nvstor.sys
+ 2011-07-29 00:28 . 2011-03-11 06:41 148352 c:\windows\system32\drivers\nvraid.sys
+ 2009-07-14 00:07 . 2009-07-14 00:07 318976 c:\windows\system32\drivers\nwifi.sys
+ 2012-04-14 04:52 . 2012-01-17 12:45 188224 c:\windows\system32\drivers\nvhda64v.sys
+ 2009-07-13 23:38 . 2009-07-14 01:48 122960 c:\windows\system32\drivers\NV_AGP.SYS
+ 2010-11-21 03:24 . 2010-11-21 03:24 376192 c:\windows\system32\drivers\netio.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 261632 c:\windows\system32\drivers\netbt.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 164352 c:\windows\system32\drivers\ndiswan.sys
+ 2011-07-29 00:32 . 2010-12-29 10:57 951680 c:\windows\system32\drivers\ndis.sys
+ 2011-07-29 00:26 . 2008-08-12 19:03 627200 c:\windows\system32\drivers\msvcr90.dll
+ 2010-11-21 03:24 . 2010-11-21 03:24 366976 c:\windows\system32\drivers\msrpc.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 273792 c:\windows\system32\drivers\msiscsi.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 140672 c:\windows\system32\drivers\msdsm.sys
+ 2011-07-29 00:31 . 2011-04-27 02:39 128000 c:\windows\system32\drivers\mrxsmb20.sys
+ 2012-01-18 23:22 . 2011-07-09 02:46 288768 c:\windows\system32\drivers\mrxsmb10.sys
+ 2011-07-29 00:31 . 2011-04-27 02:40 158208 c:\windows\system32\drivers\mrxsmb.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 140800 c:\windows\system32\drivers\mrxdav.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 155008 c:\windows\system32\drivers\mpio.sys
+ 2009-07-13 21:59 . 2009-07-14 01:48 284736 c:\windows\system32\drivers\MegaSR.sys
+ 2011-07-29 00:26 . 2009-08-10 22:06 304128 c:\windows\system32\drivers\MakeMarkerFile.exe
+ 2009-07-13 23:26 . 2009-07-13 23:26 113152 c:\windows\system32\drivers\luafv.sys
+ 2009-07-13 21:59 . 2009-07-14 01:48 115776 c:\windows\system32\drivers\lsi_scsi.sys
+ 2009-07-13 21:59 . 2009-07-14 01:48 106560 c:\windows\system32\drivers\lsi_sas.sys
+ 2009-07-13 21:59 . 2009-07-14 01:48 114752 c:\windows\system32\drivers\lsi_fc.sys
+ 2012-01-29 21:10 . 2011-11-17 06:49 152432 c:\windows\system32\drivers\ksecpkg.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 243712 c:\windows\system32\drivers\ks.sys
+ 2009-07-14 00:09 . 2009-07-14 00:09 120320 c:\windows\system32\drivers\irda.sys
+ 2009-07-14 00:10 . 2009-07-14 00:10 116224 c:\windows\system32\drivers\ipnat.sys
+ 2011-07-29 00:28 . 2011-03-11 06:41 410496 c:\windows\system32\drivers\iaStorV.sys
+ 2011-07-28 23:54 . 2011-02-17 23:11 439320 c:\windows\system32\drivers\iaStor.sys
+ 2009-07-13 23:19 . 2009-07-13 23:19 105472 c:\windows\system32\drivers\i8042prt.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 753664 c:\windows\system32\drivers\http.sys
+ 2009-07-14 00:06 . 2009-07-14 00:06 100864 c:\windows\system32\drivers\hidbth.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 350208 c:\windows\system32\drivers\HdAudio.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 122368 c:\windows\system32\drivers\hdaudbus.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 288640 c:\windows\system32\drivers\FWPKCLNT.SYS
+ 2010-11-21 03:24 . 2010-11-21 03:24 223248 c:\windows\system32\drivers\fvevol.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 289664 c:\windows\system32\drivers\fltMgr.sys
+ 2009-07-13 23:23 . 2009-07-13 23:23 204800 c:\windows\system32\drivers\fastfat.sys
+ 2009-07-13 23:23 . 2009-07-13 23:23 195072 c:\windows\system32\drivers\exfat.sys
+ 2012-01-17 19:35 . 2012-01-17 19:34 415744 c:\windows\system32\drivers\ewusbwwan.sys
+ 2012-01-17 19:35 . 2012-01-17 19:34 222464 c:\windows\system32\drivers\ewusbmdm.sys
+ 2012-01-17 19:35 . 2012-01-17 19:34 212992 c:\windows\system32\drivers\ew_juwwanecm.sys
+ 2012-01-17 19:35 . 2012-01-17 19:34 117248 c:\windows\system32\drivers\ew_hwusbdev.sys
+ 2009-06-10 20:36 . 2009-07-14 01:47 530496 c:\windows\system32\drivers\elxstor.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 258048 c:\windows\system32\drivers\dxgmms1.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 982912 c:\windows\system32\drivers\dxgkrnl.sys
+ 2009-07-14 00:06 . 2009-07-14 01:01 116224 c:\windows\system32\drivers\drmk.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 102400 c:\windows\system32\drivers\dfsc.sys
+ 2012-01-29 21:10 . 2011-11-17 06:44 459232 c:\windows\system32\drivers\cng.sys
+ 2010-11-21 03:24 . 2010-11-21 03:24 179072 c:\windows\system32\drivers\Classpnp.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 147456 c:\windows\system32\drivers\cdrom.sys
+ 2009-06-10 20:34 . 2009-06-10 20:34 468480 c:\windows\system32\drivers\bxvbda.sys
+ 2012-01-17 14:49 . 2011-02-08 19:13 138280 c:\windows\system32\drivers\btwavdt.sys
+ 2012-01-17 14:49 . 2011-02-08 19:13 107560 c:\windows\system32\drivers\btwaudio.sys
+ 2012-01-17 14:49 . 2011-02-08 19:13 349736 c:\windows\system32\drivers\btwampfl.sys
+ 2012-01-19 23:02 . 2011-04-28 03:55 552960 c:\windows\system32\drivers\bthport.sys
+ 2009-07-14 00:07 . 2009-07-14 00:07 118784 c:\windows\system32\drivers\bthpan.sys
+ 2011-07-20 23:16 . 2011-07-06 06:16 289704 c:\windows\system32\drivers\btfilter.sys
+ 2009-07-14 01:19 . 2009-07-14 01:19 286720 c:\windows\system32\drivers\BrSerId.sys
+ 2009-06-10 20:34 . 2009-06-10 20:34 270848 c:\windows\system32\drivers\b57nd60a.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 155520 c:\windows\system32\drivers\ataport.sys
+ 2009-06-10 20:37 . 2009-07-14 01:52 194128 c:\windows\system32\drivers\amdsbs.sys
+ 2011-07-29 00:28 . 2011-03-11 06:41 107904 c:\windows\system32\drivers\amdsata.sys
+ 2012-02-14 20:48 . 2011-12-28 03:59 498688 c:\windows\system32\drivers\afd.sys
+ 2009-07-13 21:59 . 2009-07-14 01:52 182864 c:\windows\system32\drivers\adpu320.sys
+ 2009-07-13 21:59 . 2009-07-14 01:52 339536 c:\windows\system32\drivers\adpahci.sys
+ 2009-06-10 20:36 . 2009-07-14 01:52 491088 c:\windows\system32\drivers\adp94xx.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 334208 c:\windows\system32\drivers\acpi.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 229888 c:\windows\system32\drivers\1394ohci.sys
+ 2009-07-13 23:19 . 2009-07-14 01:52 367696 c:\windows\system32\clfs.sys
+ 2010-11-21 03:23 . 2010-11-21 03:23 780008 c:\windows\system32\ci.dll
+ 2010-11-21 03:24 . 2010-11-21 03:24 144384 c:\windows\system32\cdd.dll
+ 2011-07-29 00:28 . 2011-02-19 09:00 367616 c:\windows\system32\atmfd.dll
- 2009-07-14 05:01 . 2012-07-16 10:29 317248 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-07-19 00:12 317248 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-05-08 21:10 . 2012-03-31 03:10 3146240 c:\windows\system32\win32k.sys
+ 2012-05-08 21:10 . 2012-03-31 06:05 5559664 c:\windows\system32\ntoskrnl.exe
+ 2012-01-17 19:35 . 2012-01-17 19:34 1490656 c:\windows\system32\drivers\WdfCoInstaller01007.dll
+ 2012-05-08 21:09 . 2012-03-30 11:35 1918320 c:\windows\system32\drivers\tcpip.sys
+ 2011-07-29 03:51 . 2011-02-04 03:59 1413680 c:\windows\system32\drivers\SynTP.sys
+ 2011-07-28 23:54 . 2011-06-25 02:48 2905320 c:\windows\system32\drivers\RTKVHD64.sys
+ 2009-06-10 20:37 . 2009-07-14 01:45 1524816 c:\windows\system32\drivers\ql2300.sys
+ 2011-07-29 00:28 . 2011-03-11 06:41 1659776 c:\windows\system32\drivers\ntfs.sys
+ 2012-01-17 19:35 . 2012-01-17 19:34 1001472 c:\windows\system32\drivers\mod7700.sys
+ 2009-06-10 20:37 . 2009-06-10 20:37 6108416 c:\windows\system32\drivers\igdkmd64.sys
+ 2009-06-10 20:34 . 2009-06-10 20:34 3286016 c:\windows\system32\drivers\evbda.sys
+ 2011-07-28 23:58 . 2010-07-29 00:23 3065408 c:\windows\system32\drivers\BCMWL664.SYS
- 2012-01-17 22:34 . 2012-07-03 09:32 1550122 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2098825367-3721180495-2186962920-1000-12288.dat
+ 2012-01-17 22:34 . 2012-07-17 02:50 1550122 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2098825367-3721180495-2186962920-1000-12288.dat
+ 2012-04-14 04:52 . 2012-03-01 00:02 13626688 c:\windows\system32\drivers\nvlddmkm.sys
+ 2012-01-17 18:56 . 2012-07-19 00:12 30212928 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2098825367-3721180495-2186962920-1000-8192.dat
- 2012-01-17 18:56 . 2012-07-16 10:29 30212928 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2098825367-3721180495-2186962920-1000-8192.dat
.
-- 'Snapshot' återställt till dagens datum --
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* tomma poster & legitima standardposter visas inte.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-01-17 1242448]
"fccu4o20iv1"="c:\users\Sandra\fccu4o20iv.exe" [1601-01-01 0]
"fccu4o20iv"="c:\users\Sandra\fccu4o20iv.exe" [1601-01-01 0]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2007-03-29 320672]
"Regedit32"="c:\windows\system32\regedit.exe" [2009-07-14 398336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"atwtusb"="atwtusb.exe" [2007-08-31 364192]
"MacrokeyManager"="WTMKM.exe" [2007-09-03 1969824]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-05-01 348624]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2011-2-8 1136928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [x]
R0 SMR250;Symantec SMR Utility Service 2.5.0;c:\windows\System32\drivers\SMR250.SYS [x]
R1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2012-05-02 27760]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Tjänsten Google Update (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-14 116648]
R2 Mobile Partner. RunOuc;Mobile Partner. OUC;c:\program files (x86)\Mobile Partner\UpdateDog\ouc.exe [2012-01-17 246112]
R2 NNFSVC;Norman Network Filtering service;c:\program files\Norman\Ngs\Bin\Nnf.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys [2011-07-06 289704]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-01-17 138360]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [2012-01-17 117248]
R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys [2012-01-17 13952]
R3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\DRIVERS\ewusbwwan.sys [2012-01-17 415744]
R3 gupdatem;Tjänsten Google Update (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-14 116648]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-19 113120]
R3 Samsung UPD Service;Samsung UPD Service;c:\windows\System32\SUPDSvc.exe [2010-08-09 166704]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe [2010-10-08 150016]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 WatAdminSvc;Aktiveringsteknologier för Windows-tjänst;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-19 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2010-10-07 13824]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2012-05-01 86224]
S2 HWDeviceService64.exe;HWDeviceService64.exe;c:\programdata\DatacardService\HWDeviceService64.exe [2011-03-14 346976]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-03-01 2348352]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2010-10-08 19192]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-21 2656280]
S3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys [2011-02-08 349736]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2011-02-08 39464]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [2010-11-10 31088]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [2012-01-17 86016]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-01-17 188224]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-01-27 425064]
.
.
--- Övriga tjänster/drivrutiner i minnet ---
.
*Deregistered* - 812de3bbdb8eba7d
.
Innehåll i mappen 'Schemalagda aktiviteter':
.
2012-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-14 01:52]
.
2012-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-14 01:52]
.
2012-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2098825367-3721180495-2186962920-1000Core.job
- c:\users\Sandra\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-30 21:18]
.
2012-07-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2098825367-3721180495-2186962920-1000UA.job
- c:\users\Sandra\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-30 21:18]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-06-20 17:02 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-06-20 17:02 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-06-20 17:02 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-06-20 17:02 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-06-25 11895400]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
.
------- Extra genomsökning -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://samsung.msn.com
mStart Page = hxxp://samsung.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Skicka bild till &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Skicka sida till &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{3141BF4D-2BE6-43AD-B395-73C144E5ADC1}: NameServer = 80.251.201.177 80.251.201.178
TCP: Interfaces\{5737D4BA-3D94-49B4-A65B-E8A03CE05FC6}: NameServer = 80.251.201.177 80.251.201.178
TCP: Interfaces\{A7525278-4695-4DBF-8671-5979EE6EBF8C}: NameServer = 80.251.201.177 80.251.201.178
FF - ProfilePath - c:\users\Sandra\AppData\Roaming\Mozilla\Firefox\Profiles\y1h6qm4v.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B04d40bb0-c95f-4d47-adc3-ae1073c88cf3%7D&mid=279ffbbb992347d0a0ccd15756fba782-2d0b87e949501fc153ea3771b6c94fcb37453848&ds=AVG&v=11.0.0.9&lang=en&pr=fr&d=2012-05-26%2012%3A53%3A01&sap=ku&q=
.
- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\812de3bbdb8eba7d]
"ImagePath"="\SystemRoot\System32\Drivers\812de3bbdb8eba7d.sys"
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Sluttid: 2012-07-20 07:54:45
ComboFix-quarantined-files.txt 2012-07-20 05:54
ComboFix2.txt 2012-07-17 03:21
ComboFix3.txt 2012-07-16 23:02
.
Före genomsökningen: 76 302 331 904 byte ledigt
Efter genomsökningen: 76 249 186 304 byte ledigt
.
- - End Of File - - 2A51406278CDE22B42697E35DD94A481

#7 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:11 PM

Posted 20 July 2012 - 07:07 AM

Sandehshrew,

Yes, you did run the programs correctly.

FRST
Please download Farbar Recovery Scan Tool 64-Bit and save it to a USB flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

- OR -

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list]
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#8 Sandehshrew

Sandehshrew
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 21 July 2012 - 05:41 PM

Hello again!
I'll be gone for about a week, starting on monday. I am unsure if I will be able to connect to the internet at all during that time, but I will respond as soon as I get back! I do really really appreciate that you take your time to help me, it's very kind of you!

Here is the log:

Scan result of Farbar Recovery Scan Tool Version: 20-07-2012 01
Ran by SYSTEM at 22-07-2012 00:21:20
Running from H:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11895400 2011-06-24] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2679592 2011-02-03] (Synaptics Incorporated)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [500208 2010-03-05] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-12-07] (Apple Inc.)
HKLM-x32\...\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin [406992 2010-02-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [atwtusb] atwtusb.exe [x]
HKLM-x32\...\Run: [MacrokeyManager] WTMKM.exe [x]
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-01-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM-x32\...\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min [348624 2012-05-01] (Avira Operations GmbH & Co. KG)
HKU\Sandra\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1242448 2012-01-17] (Valve Corporation)
HKU\Sandra\...\Run: [fccu4o20iv1] C:\Users\Sandra\fccu4o20iv.exe [37376 2012-05-15] ()
HKU\Sandra\...\Run: [fccu4o20iv] C:\Users\Sandra\fccu4o20iv.exe [37376 2012-05-15] ()
HKU\Sandra\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Sandra\...\Run: [Regedit32] C:\windows\system32\regedit.exe [x]
HKU\UpdatusUser\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1242448 2012-01-17] (Valve Corporation)
HKU\UpdatusUser\...\Run: [Google Update] "C:\Users\Sandra\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-04-30] (Google Inc.)
HKU\UpdatusUser\...\Run: [AdobeBridge] [x]
HKU\UpdatusUser\...\Run: [fccu4o20iv] C:\Users\UpdatusUser\fccu4o20iv.exe [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{3141BF4D-2BE6-43AD-B395-73C144E5ADC1}: [NameServer]80.251.201.177 80.251.201.178
Tcpip\..\Interfaces\{5737D4BA-3D94-49B4-A65B-E8A03CE05FC6}: [NameServer]80.251.201.177 80.251.201.178
Tcpip\..\Interfaces\{A7525278-4695-4DBF-8671-5979EE6EBF8C}: [NameServer]80.251.201.177 80.251.201.178
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

==================== Services (Whitelisted) ======

2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe" [86224 2012-05-01] (Avira Operations GmbH & Co. KG)
2 AntiVirService; "C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe" [110032 2012-05-01] (Avira Operations GmbH & Co. KG)
2 HWDeviceService64.exe; "C:\ProgramData\DatacardService\HWDeviceService64.exe" -/service [346976 2011-03-14] ()
2 Mobile Partner. RunOuc; C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe [246112 2012-01-17] ()
2 RichVideo; "C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe" [244904 2009-11-30] ()
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2656280 2010-12-20] (Intel Corporation)
2 NNFSVC; "C:\Program Files\Norman\Ngs\Bin\Nnf.exe" [x]

========================== Drivers (Whitelisted) =============

0 812de3bbdb8eba7d; C:\Windows\System32\Drivers\812de3bbdb8eba7d.sys [82368 2012-05-16] ()
2 avgntflt; C:\Windows\System32\Drivers\avgntflt.sys [98848 2012-04-24] (Avira GmbH)
1 avipbb; C:\Windows\System32\Drivers\avipbb.sys [132832 2012-04-27] (Avira GmbH)
1 avkmgr; C:\Windows\System32\Drivers\avkmgr.sys [27760 2012-05-02] (Avira GmbH)
3 BtFilter; C:\Windows\System32\Drivers\BtFilter.sys [289704 2011-07-05] (Atheros)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [482936 2012-01-17] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138360 2012-01-17] (Symantec Corporation)
3 ewusbmbb; C:\Windows\System32\DRIVERS\ewusbwwan.sys [415744 2012-01-17] (Huawei Technologies Co., Ltd.)
3 ew_hwusbdev; C:\Windows\System32\Drivers\ew_hwusbdev.sys [117248 2012-01-17] (Huawei Technologies Co., Ltd.)
3 ew_usbenumfilter; C:\Windows\System32\Drivers\ew_usbenumfilter.sys [13952 2012-01-17] (Huawei Technologies Co., Ltd.)
3 huawei_enumerator; C:\Windows\System32\DRIVERS\ew_jubusenum.sys [86016 2012-01-17] (Huawei Technologies Co., Ltd.)
3 rtport; C:\Windows\SysWow64\Drivers\rtport.sys [15144 2011-10-11] (Windows ® 2003 DDK 3790 provider)
0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
0 SMR250; C:\Windows\System32\drivers\SMR250.SYS [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-22 00:21 - 2012-07-22 00:21 - 00000000 ____D C:\FRST
2012-07-21 13:59 - 2012-07-21 13:59 - 01437781 ____A (Farbar) C:\Users\Sandra\Desktop\FRST64.exe
2012-07-20 01:26 - 2012-07-21 06:42 - 00000000 ____D C:\Users\Sandra\Downloads\Ö NEW2
2012-07-19 21:54 - 2012-07-19 21:54 - 00068669 ____A C:\ComboFix.txt
2012-07-16 14:42 - 2012-07-19 21:54 - 00000000 ____D C:\Qoobox
2012-07-16 14:42 - 2012-07-16 14:58 - 00000000 ____D C:\Windows\erdnt
2012-07-16 14:42 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-07-16 14:42 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-07-16 14:42 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-07-16 14:42 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-07-16 14:42 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-07-16 14:42 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-07-16 14:42 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-07-16 14:42 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-07-16 14:36 - 2012-07-19 21:32 - 04582475 ____R (Swearware) C:\Users\Sandra\Desktop\ComboFix.exe
2012-07-15 20:18 - 2012-07-15 20:19 - 00000000 ____D C:\Users\Sandra\AppData\Local\{0B9606E5-92F2-4CDD-8732-535CD25CFB64}
2012-07-15 20:06 - 2012-07-15 20:06 - 00000000 ____D C:\Users\Sandra\AppData\Local\{EA06E4BE-5876-492C-AEAA-F7428C369661}
2012-07-15 20:06 - 2012-07-15 20:06 - 00000000 ____D C:\Users\Sandra\AppData\Local\{75D7EC3B-E065-4CA9-9E51-1046D6969573}
2012-07-15 00:08 - 2012-07-20 01:26 - 00000000 ____D C:\Users\Sandra\Downloads\å get stuff in here
2012-07-14 19:44 - 2012-07-14 19:47 - 00000000 ____D C:\Users\Sandra\AppData\Local\Microsoft Games
2012-07-14 18:24 - 2012-07-14 18:24 - 00002070 ____A C:\Users\Public\Desktop\Avira Control Center.lnk
2012-07-14 18:24 - 2012-05-02 05:24 - 00027760 ____A (Avira GmbH) C:\Windows\System32\Drivers\avkmgr.sys
2012-07-14 18:24 - 2012-04-27 00:20 - 00132832 ____A (Avira GmbH) C:\Windows\System32\Drivers\avipbb.sys
2012-07-14 18:24 - 2012-04-24 14:32 - 00098848 ____A (Avira GmbH) C:\Windows\System32\Drivers\avgntflt.sys
2012-07-14 15:16 - 2012-07-15 04:19 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-14 15:16 - 2012-07-14 15:16 - 00000000 ____D C:\Users\Sandra\AppData\Roaming\Malwarebytes
2012-07-14 15:16 - 2012-07-14 15:16 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-07-14 14:27 - 2012-07-14 14:27 - 00000000 ____D C:\Users\Sandra\AppData\Roaming\Avira
2012-07-14 14:22 - 2012-07-14 14:22 - 00000000 ____D C:\Users\All Users\Avira
2012-07-14 14:22 - 2012-07-14 14:22 - 00000000 ____D C:\Program Files (x86)\Avira
2012-07-13 18:14 - 2012-07-13 18:50 - 00000000 ____D C:\Users\Sandra\Desktop\Ny mapp (2)
2012-07-13 17:54 - 2012-07-13 17:54 - 00000000 ____D C:\Users\Sandra\AppData\LocalGoogle
2012-07-13 17:52 - 2012-07-21 14:02 - 00000994 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-13 17:52 - 2012-07-20 23:28 - 00000990 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-13 17:52 - 2012-07-13 17:54 - 00000000 ____D C:\Program Files (x86)\Google
2012-07-13 00:32 - 2012-07-13 00:32 - 676954153 ____A C:\Windows\MEMORY.DMP
2012-07-13 00:32 - 2012-07-13 00:32 - 00292640 ____A C:\Windows\Minidump\071312-21153-01.dmp
2012-07-13 00:32 - 2012-07-13 00:32 - 00000000 ____D C:\Windows\Minidump
2012-06-30 21:02 - 2012-06-30 21:05 - 00000000 ____D C:\Users\Sandra\Downloads\Yen-Cat
2012-06-30 14:42 - 2012-07-06 11:42 - 00000000 ____D C:\Users\Sandra\Downloads\INSP
2012-06-27 23:44 - 2012-07-19 21:32 - 00000000 ____D C:\Users\Sandra\Downloads\STRANGE THINGS (dad)
2012-06-27 13:45 - 2012-07-18 19:52 - 00000000 ____D C:\Users\Sandra\Downloads\Slugbox
2012-06-25 23:28 - 2012-07-01 13:32 - 00000000 ____D C:\Users\Sandra\Downloads\Video files MUSIC TO CONVERT
2012-06-25 01:23 - 2012-06-25 01:24 - 00000000 ____D C:\Users\Sandra\Downloads\Iatia
2012-06-23 01:06 - 2012-06-23 01:08 - 00000991 ____A C:\Users\Sandra\Desktop\th13e - genväg.lnk
2012-06-23 01:05 - 2012-06-23 01:05 - 00000000 ____D C:\Users\Sandra\AppData\Roaming\Gensokyo.org
2012-06-23 01:04 - 2012-06-23 01:04 - 00000000 ____D C:\Users\Sandra\AppData\Roaming\ShanghaiAlice
2012-06-23 01:03 - 2012-06-23 01:03 - 00000000 ____D C:\Users\Sandra\Downloads\Touhou 13
2012-06-23 00:27 - 2012-06-23 00:27 - 00001305 ____A C:\Users\Sandra\Desktop\th12e - genväg.lnk
2012-06-23 00:24 - 2012-06-23 00:25 - 00000000 ____D C:\Users\Sandra\Downloads\Touhou 12

============ 3 Months Modified Files ========================

2012-07-21 14:02 - 2012-07-13 17:52 - 00000994 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-21 13:59 - 2012-07-21 13:59 - 01437781 ____A (Farbar) C:\Users\Sandra\Desktop\FRST64.exe
2012-07-21 13:49 - 2012-04-30 13:18 - 00001008 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2098825367-3721180495-2186962920-1000UA.job
2012-07-21 08:53 - 2012-01-21 08:19 - 00000132 ____A C:\Users\Sandra\AppData\Roaming\Adobe PNG Format CS5 Prefs
2012-07-20 23:28 - 2012-07-13 17:52 - 00000990 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-20 23:28 - 2012-04-30 13:18 - 00000956 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2098825367-3721180495-2186962920-1000Core.job
2012-07-20 05:50 - 2012-05-15 20:12 - 00001456 ____A C:\Users\Sandra\AppData\Local\Adobe Save for Web 12.0 Prefs
2012-07-20 03:35 - 2009-07-13 20:51 - 00078606 ____A C:\Windows\setupact.log
2012-07-19 22:29 - 2009-07-13 20:45 - 00021200 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-19 22:29 - 2009-07-13 20:45 - 00021200 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-19 22:10 - 2010-11-20 19:47 - 00432454 ____A C:\Windows\PFRO.log
2012-07-19 22:10 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-19 21:54 - 2012-07-19 21:54 - 00068669 ____A C:\ComboFix.txt
2012-07-19 21:50 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-07-19 21:32 - 2012-07-16 14:36 - 04582475 ____R (Swearware) C:\Users\Sandra\Desktop\ComboFix.exe
2012-07-14 22:53 - 2011-07-28 20:15 - 00661744 ____A C:\Windows\System32\perfh01D.dat
2012-07-14 22:53 - 2011-07-28 20:15 - 00141514 ____A C:\Windows\System32\perfc01D.dat
2012-07-14 22:53 - 2009-07-13 21:13 - 01573176 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-14 18:24 - 2012-07-14 18:24 - 00002070 ____A C:\Users\Public\Desktop\Avira Control Center.lnk
2012-07-13 00:32 - 2012-07-13 00:32 - 676954153 ____A C:\Windows\MEMORY.DMP
2012-07-13 00:32 - 2012-07-13 00:32 - 00292640 ____A C:\Windows\Minidump\071312-21153-01.dmp
2012-07-12 13:24 - 2012-04-30 13:18 - 00002368 ____A C:\Users\Sandra\Desktop\Google Chrome.lnk
2012-07-11 02:35 - 2011-07-29 07:49 - 01458957 ____A C:\Windows\WindowsUpdate.log
2012-06-23 01:08 - 2012-06-23 01:06 - 00000991 ____A C:\Users\Sandra\Desktop\th13e - genväg.lnk
2012-06-23 00:27 - 2012-06-23 00:27 - 00001305 ____A C:\Users\Sandra\Desktop\th12e - genväg.lnk
2012-06-17 10:45 - 2009-07-13 21:08 - 00032514 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-10 10:06 - 2012-03-30 11:23 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-10 10:06 - 2012-03-30 11:23 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-05-27 10:57 - 2012-05-27 10:57 - 01700352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gdiplus.dll
2012-05-27 05:07 - 2012-05-27 05:07 - 00002139 ____A C:\Users\Public\Desktop\Media Impression.lnk
2012-05-26 05:15 - 2012-05-26 05:15 - 00002014 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-05-26 02:27 - 2012-05-26 02:27 - 00000822 ____A C:\Users\Public\Desktop\CCleaner.lnk
2012-05-16 21:17 - 2012-05-16 21:17 - 00082368 ____A C:\Windows\System32\Drivers\812de3bbdb8eba7d.sys
2012-05-15 14:37 - 2012-05-15 14:37 - 00037376 ____A C:\Users\Sandra\fccu4o20iv.exe
2012-05-09 05:18 - 2009-07-13 20:45 - 04836032 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-08 17:12 - 2012-04-13 21:13 - 57848688 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-05-04 15:42 - 2012-04-30 18:42 - 08744608 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-05-02 05:24 - 2012-07-14 18:24 - 00027760 ____A (Avira GmbH) C:\Windows\System32\Drivers\avkmgr.sys
2012-04-27 00:20 - 2012-07-14 18:24 - 00132832 ____A (Avira GmbH) C:\Windows\System32\Drivers\avipbb.sys
2012-04-24 14:32 - 2012-07-14 18:24 - 00098848 ____A (Avira GmbH) C:\Windows\System32\Drivers\avgntflt.sys


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 6123.55 MB
Available physical RAM: 5409.48 MB
Total Pagefile: 6121.75 MB
Available Pagefile: 5404.4 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:201 GB) (Free:72.14 GB) NTFS
2 Drive d: () (Fixed) (Total:240.49 GB) (Free:240.31 GB) NTFS
3 Drive f: (SAMSUNG_REC) (Fixed) (Total:24.18 GB) (Free:0.94 GB) NTFS ==>[System with boot components (obtained from reading drive)]
5 Drive h: (Pen_Disk) (Fixed) (Total:7.53 GB) (Free:4.83 GB) NTFS
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 1024 KB
Disk 1 Online 7712 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 201 GB 101 MB
Partition 0 Extended 240 GB 201 GB
Partition 4 Logical 240 GB 201 GB
Partition 3 Recovery 24 GB 441 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 201 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D NTFS Partition 240 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F SAMSUNG_REC NTFS Partition 24 GB Healthy Hidden

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7711 MB 31 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H Pen_Disk NTFS Partition 7711 MB Healthy

==================================================================================

testsigning: ==> Check for possible unsigned malware driver <===== ATTENTION!


==========================================================

Last Boot: 2012-07-18 18:57

======================= End Of Log ==========================

#9 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:11 PM

Posted 22 July 2012 - 07:31 PM

Sandehshrew,

Reply whenever you can, I'm patient. :)

:step1: Rerun Combofix
Open notepad and copy/paste the text in the box below into it:

http://www.bleepingcomputer.com/forums/topic460700.html

Collect::
C:\Users\Sandra\fccu4o20iv.exe
C:\Windows\System32\Drivers\812de3bbdb8eba7d.sys

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fccu4o20iv1"=-
"fccu4o20i"=-

Save this as CFScript.txt


Posted Image


Refering to the picture above, drag CFScript.txt into ComboFix.exe

If asked to update Combofix, please allow it to update.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**
When Combofix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.

:step2: xPUD

If you have any problems or questions following these instructions, please ask me!

  • Insert your USB drive.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format (Note that this will erase any files you have on your flashdrive. Please move any files you want to keep to your computer before completing this step.)
  • Download xPUD 0.9.2 iso, saving the file to your Desktop.
  • Download UNetbootin and save it to your Desktop as well.
  • Double click the unetbootin-windows-latest.exe that you just downloaded.
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will write files to your USB device and make it bootable
  • Once the files have been written to the device you will be prompted to reboot ~ do NOT reboot and instead just Exit the UNetbootin interface
  • Next, download dumpit and save it to the same flash drive where you installed xPUD.
  • Remove the USB and insert it in the ailing computer
  • Power on the computer and press F12 then choose to boot from the USB
  • After selecting a language and readying the system, a Welcome to xPUD screen will appear
  • Click the File tab
  • Expand mnt by clicking the plus sign to it's left
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Double click dumpit.
  • It will create some MBR copies on the USB drive.
  • When it completes press Enter to exit the Terminal window.
  • Remove the USB drive, then locate on it an mbr.zip file, and upload that here as an attachment please.
mbr.zip should be created on your flash drive, please attach it to your next reply.

In your next reply, please include:
  • Combofix log
  • Attach the mbr.zip file

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#10 Sandehshrew

Sandehshrew
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 31 July 2012 - 07:35 PM

Jason-
I allowed Combofix to run for approximately 20 minutes and it continued to give the same error message; a registry flag was preventing it from running the script. I was unable to boot from my USB because hitting F12 did not bring up any options at startup. I did press F2 and try to change the boot order in the BIOS but could not find the option to do so. I need help getting my computer to boot from USB so I can send you the additional file you requested (mbr.zip)

I restarted my computer in safe mode and ran Combofix and it generated the following report:

ComboFix 12-07-30.03 - Sandra 2012-08-01 0:16.4.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.46.1053.18.6124.4612 [GMT 2:00]
Körs från: c:\users\Sandra\Desktop\ComboFix.exe
Kommandoväxlar som använts :: c:\users\Sandra\Desktop\cfscript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Sandra\fccu4o20iv.exe . . . . misslyckades radera
.
.
(((((((((((((((((((((((( Filer skapade från 2012-06-28 till 2012-07-31 ))))))))))))))))))))))))))))))
.
.
2012-07-31 22:26 . 2012-07-31 22:26 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-07-31 22:26 . 2012-07-31 22:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-22 08:21 . 2012-07-22 08:21 -------- d-----w- C:\FRST
2012-07-15 03:44 . 2012-07-15 03:47 -------- d-----w- c:\users\Sandra\AppData\Local\Microsoft Games
2012-07-15 02:24 . 2012-05-02 13:24 27760 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-07-15 02:24 . 2012-04-27 08:20 132832 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-07-15 02:24 . 2012-04-24 22:32 98848 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-07-15 02:23 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B81B2870-AC2D-4B16-973C-7EDFD0DBD1EC}\mpengine.dll
2012-07-14 23:16 . 2012-07-14 23:16 -------- d-----w- c:\users\Sandra\AppData\Roaming\Malwarebytes
2012-07-14 23:16 . 2012-07-14 23:16 -------- d-----w- c:\programdata\Malwarebytes
2012-07-14 23:16 . 2012-07-15 12:19 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-14 22:27 . 2012-07-14 22:27 -------- d-----w- c:\users\Sandra\AppData\Roaming\Avira
2012-07-14 22:22 . 2012-07-14 22:22 -------- d-----w- c:\programdata\Avira
2012-07-14 22:22 . 2012-07-14 22:22 -------- d-----w- c:\program files (x86)\Avira
2012-07-14 01:52 . 2012-07-14 01:54 -------- d-----w- c:\program files (x86)\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-10 18:06 . 2012-03-30 19:23 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-10 18:06 . 2012-03-30 19:23 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-01 22:49 . 2012-06-01 22:49 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
2012-05-27 18:57 . 2012-05-27 18:57 1700352 ----a-w- c:\windows\SysWow64\gdiplus.dll
2012-05-15 22:37 . 2012-05-15 22:37 37376 ----a-w- c:\users\Sandra\fccu4o20iv.exe
2012-05-09 01:12 . 2012-04-14 05:13 57848688 ----a-w- c:\windows\system32\MRT.exe
2012-05-04 23:42 . 2012-05-01 02:42 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2012-07-20_05.50.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 03:09 . 2012-07-30 00:43 58614 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-07-31 21:40 45810 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-01-17 14:43 . 2012-07-31 21:40 18106 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2098825367-3721180495-2186962920-1000_UserData.bin
- 2012-07-19 00:13 . 2012-07-19 00:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-31 22:59 . 2012-07-31 22:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-19 00:13 . 2012-07-19 00:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-07-31 22:59 . 2012-07-31 22:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-17 19:31 . 2012-07-31 00:10 300398 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
- 2011-07-29 04:15 . 2012-07-15 06:53 661744 c:\windows\system32\perfh01D.dat
+ 2011-07-29 04:15 . 2012-07-31 22:16 661744 c:\windows\system32\perfh01D.dat
- 2009-07-14 02:36 . 2012-07-15 06:53 652148 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-07-31 22:16 652148 c:\windows\system32\perfh009.dat
+ 2011-07-29 04:15 . 2012-07-31 22:16 141514 c:\windows\system32\perfc01D.dat
- 2011-07-29 04:15 . 2012-07-15 06:53 141514 c:\windows\system32\perfc01D.dat
- 2009-07-14 02:36 . 2012-07-15 06:53 121080 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-07-31 22:16 121080 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-07-19 00:12 317248 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-07-31 22:27 317248 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-01-17 18:56 . 2012-07-31 22:27 31660344 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2098825367-3721180495-2186962920-1000-8192.dat
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* tomma poster & legitima standardposter visas inte.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-01-17 1242448]
"fccu4o20iv"="c:\users\Sandra\fccu4o20iv.exe" [2012-05-15 37376]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2007-03-29 320672]
"Regedit32"="c:\windows\system32\regedit.exe" [2009-07-14 398336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"atwtusb"="atwtusb.exe" [2007-08-31 364192]
"MacrokeyManager"="WTMKM.exe" [2007-09-03 1969824]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-05-01 348624]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2011-2-8 1136928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [x]
R0 SMR250;Symantec SMR Utility Service 2.5.0;c:\windows\System32\drivers\SMR250.SYS [x]
R1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2012-05-02 27760]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Tjänsten Google Update (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-14 116648]
R2 Mobile Partner. RunOuc;Mobile Partner. OUC;c:\program files (x86)\Mobile Partner\UpdateDog\ouc.exe [2012-01-17 246112]
R2 NNFSVC;Norman Network Filtering service;c:\program files\Norman\Ngs\Bin\Nnf.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys [2011-07-06 289704]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-01-17 138360]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [2012-01-17 117248]
R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys [2012-01-17 13952]
R3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\DRIVERS\ewusbwwan.sys [2012-01-17 415744]
R3 gupdatem;Tjänsten Google Update (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-14 116648]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-19 113120]
R3 Samsung UPD Service;Samsung UPD Service;c:\windows\System32\SUPDSvc.exe [2010-08-09 166704]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe [2010-10-08 150016]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 WatAdminSvc;Aktiveringsteknologier för Windows-tjänst;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-19 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2010-10-07 13824]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2012-05-01 86224]
S2 HWDeviceService64.exe;HWDeviceService64.exe;c:\programdata\DatacardService\HWDeviceService64.exe [2011-03-14 346976]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-03-01 2348352]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2010-10-08 19192]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-21 2656280]
S3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys [2011-02-08 349736]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2011-02-08 39464]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [2010-11-10 31088]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [2012-01-17 86016]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-01-17 188224]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-01-27 425064]
.
.
--- Övriga tjänster/drivrutiner i minnet ---
.
*Deregistered* - 812de3bbdb8eba7d
.
Innehåll i mappen 'Schemalagda aktiviteter':
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-14 01:52]
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-14 01:52]
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2098825367-3721180495-2186962920-1000Core.job
- c:\users\Sandra\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-30 21:18]
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2098825367-3721180495-2186962920-1000UA.job
- c:\users\Sandra\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-30 21:18]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-06-20 17:02 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-06-20 17:02 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-06-20 17:02 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-06-20 17:02 755224 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-06-25 11895400]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
.
------- Extra genomsökning -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://samsung.msn.com
mStart Page = hxxp://samsung.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Skicka bild till &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Skicka sida till &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{3141BF4D-2BE6-43AD-B395-73C144E5ADC1}: NameServer = 80.251.201.177 80.251.201.178
TCP: Interfaces\{5737D4BA-3D94-49B4-A65B-E8A03CE05FC6}: NameServer = 80.251.201.177 80.251.201.178
TCP: Interfaces\{A7525278-4695-4DBF-8671-5979EE6EBF8C}: NameServer = 80.251.201.177 80.251.201.178
FF - ProfilePath - c:\users\Sandra\AppData\Roaming\Mozilla\Firefox\Profiles\y1h6qm4v.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B04d40bb0-c95f-4d47-adc3-ae1073c88cf3%7D&mid=279ffbbb992347d0a0ccd15756fba782-2d0b87e949501fc153ea3771b6c94fcb37453848&ds=AVG&v=11.0.0.9&lang=en&pr=fr&d=2012-05-26%2012%3A53%3A01&sap=ku&q=
.
- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\812de3bbdb8eba7d]
"ImagePath"="\SystemRoot\System32\Drivers\812de3bbdb8eba7d.sys"
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Andra processer som körs ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\programdata\Mobile Partner\OnlineUpdate\ouc.exe
c:\program files (x86)\CyberLink\Shared files\RichVideo.exe
c:\program files (x86)\Samsung\Easy Display Manager\WifiManager.exe
c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe
c:\program files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe
c:\program files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe
c:\program files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Sluttid: 2012-08-01 01:16:01 - datorn startades om.
ComboFix-quarantined-files.txt 2012-07-31 23:16
ComboFix2.txt 2012-07-20 05:54
ComboFix3.txt 2012-07-17 03:21
ComboFix4.txt 2012-07-16 23:02
.
Före genomsökningen: 78 817 816 576 byte ledigt
Efter genomsökningen: 78 413 459 456 byte ledigt
.
- - End Of File - - 06A9251FCAF4BF0E1D76544D16A77BEF

I will let you know

#11 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:11 PM

Posted 01 August 2012 - 03:31 PM

Sandehshrew,

The malware on this computer is difficult to remove.

:step1: Rerun Combofix
Please delete the Combofix and Cfscript files on your desktop. Do not make any other changes to your computer.

Please download a NEW version of Combofix from one of these links, and save it to your desktop.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you do not know how to do this you can find out >here< or >here<

Rootkit::
C:\Users\Sandra\fccu4o20iv.exe
C:\Windows\System32\Drivers\812de3bbdb8eba7d.sys

Driver::
812de3bbdb8eba7d

Save this as CFScript.txt


Posted Image


Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.


:step2: dumpit

Let's try dumpit a different way. If you have any questions or run into any problems, please let me know.

Please create this bootable CD.

  • Save these files to your Desktop
  • Open BurnCDCC and Extract All files to to it's own folder
  • Double Click BurnCDCC
  • Click Browse and navigate to the Puppy Linux ISO file you just downloaded
  • click on it and click Open
  • IMPORTANT: Adjust the speed bar to CD: 4x DVD: 1x
  • Click Start
  • Your CD Burner Tray will open automatically
  • Insert a blank CD and close the tray
  • Click OK
The CD should eject when finished.

Download and save pldumpit.exe to your USB device.

To use the CD

  • Insert the CD and restart the computer
  • When the computer first starts please press the key indicated on the screen to enter the bios or setup.
  • Make the necessary changes to make the CD first in the boot order
  • Save the changes and exit the bios/setup
  • Your computer will restart and boot from the Puppy Linux Live CD
You can save these instructions to a notepad on your usb device. Once you have mounted the drives you should be able view them by clicking on them.

  • Set your language, time. etc preferences and continue
  • Click the Mount Icon located at the top left of your desktop (should be 3rd from the left top row)
  • A Window will open, click mount for each drive listed
  • if you have a USB Flash Drive connected it's usually automatically mounted upon boot, but click the "usbdrv" tab and make sure it is mounted.

In the lower left you will see some icons with a green light on them. Click on the one that represents your usb device.
  • locate pldumpit.exe
  • right click it and select rename
  • please remove only the .exe from the file path
  • click rename
  • click on pldumpit
  • a window will open please hit enter when told to to close the window
  • there should now be a file named mbr.zip in the list of files
  • close all windows
  • click menu
  • highlight shutdown
  • click reboot
  • use the arrow key to select Do not save
  • hit enter
  • remove the CD before the computer restarts and allow the computer to boot

Please attach MBR.zip to your next reply.


In your next reply, please include:
  • Combofix log
  • Attach the mbr.zip file
  • How is your computer running now? Please be as descriptive as possible.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#12 Sandehshrew

Sandehshrew
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 06 August 2012 - 08:39 PM

Hello again Jason,
I'm very sorry for taking so long, I've been waiting for one of my family members to help me with this. I also started having problems to start up my computer. It failed to start and sent me to the recovery center twice. It still takes about 20 minutes for the computer to start up completely.

Thank you once again!

Here is the log:
ComboFix 12-08-05.02 - Sandra 2012-08-07 2:07.4.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.46.1053.18.6124.4953 [GMT 2:00]
Körs från: c:\users\Sandra\Desktop\ComboFix.exe
Kommandoväxlar som använts :: c:\users\Sandra\Desktop\CFScript.txt.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Skapade en ny återställningspunkt
.
.
((((((((((((((((((((((((((((((((((((((( Andra raderingar ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\TEMP
c:\users\Sandra\fccu4o20iv.exe . . . . misslyckades radera
.
.
((((((((((((((((((((((((((((((((((((((( Drivrutiner/Tjänster )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_812DE3BBDB8EBA7D
-------\Service_812de3bbdb8eba7d
.
.
(((((((((((((((((((((((( Filer skapade från 2012-07-07 till 2012-08-07 ))))))))))))))))))))))))))))))
.
.
2012-07-15 02:24 . 2012-05-02 13:24 27760 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-07-15 02:24 . 2012-04-27 08:20 132832 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-07-15 02:24 . 2012-04-24 22:32 98848 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-07-14 23:16 . 2012-07-15 12:19 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-14 22:22 . 2012-07-14 22:22 -------- d-----w- c:\program files (x86)\Avira
2012-07-14 01:52 . 2012-07-14 01:54 -------- d-----w- c:\program files (x86)\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-10 18:06 . 2012-03-30 19:23 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-10 18:06 . 2012-03-30 19:23 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-27 18:57 . 2012-05-27 18:57 1700352 ----a-w- c:\windows\SysWow64\gdiplus.dll
2012-05-09 01:12 . 2012-04-14 05:13 57848688 ----a-w- c:\windows\system32\MRT.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2012-07-20_05.50.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 03:09 . 2012-08-04 16:27 58814 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-04 16:27 46102 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-01-17 14:43 . 2012-08-04 16:27 18226 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2098825367-3721180495-2186962920-1000_UserData.bin
- 2012-07-15 12:16 . 2012-07-15 02:14 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
+ 2012-07-15 12:16 . 2012-08-05 02:09 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2012-01-17 14:44 . 2012-07-16 23:23 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-17 14:44 . 2012-08-01 16:36 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-01-17 14:44 . 2012-07-16 23:23 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-01-17 14:44 . 2012-08-01 16:36 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-01 16:36 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-07-16 23:23 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:46 . 2012-08-06 23:32 99680 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2012-08-07 00:46 . 2012-08-07 00:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-19 00:13 . 2012-07-19 00:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-07 00:46 . 2012-08-07 00:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-19 00:13 . 2012-07-19 00:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-17 19:31 . 2012-08-06 22:21 301448 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2011-07-29 04:15 . 2012-08-06 23:55 661744 c:\windows\system32\perfh01D.dat
- 2011-07-29 04:15 . 2012-07-15 06:53 661744 c:\windows\system32\perfh01D.dat
+ 2009-07-14 02:36 . 2012-08-06 23:55 652148 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-07-15 06:53 652148 c:\windows\system32\perfh009.dat
+ 2011-07-29 04:15 . 2012-08-06 23:55 141514 c:\windows\system32\perfc01D.dat
- 2011-07-29 04:15 . 2012-07-15 06:53 141514 c:\windows\system32\perfc01D.dat
+ 2009-07-14 02:36 . 2012-08-06 23:55 121080 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-07-15 06:53 121080 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-07-19 00:12 317248 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-08-07 00:15 317248 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-01-17 18:56 . 2012-08-07 00:15 31933384 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2098825367-3721180495-2186962920-1000-8192.dat
+ 2012-08-04 17:21 . 2012-08-04 17:21 12752896 c:\windows\Installer\3d94b9.msi
.
(((((((((((((((((((((((((((((((((( Startpunkter i registret )))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Not* tomma poster & legitima standardposter visas inte.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-08-04 1353080]
"fccu4o20iv1"="c:\users\Sandra\fccu4o20iv.exe" [2012-05-15 37376]
"fccu4o20iv"="c:\users\Sandra\fccu4o20iv.exe" [2012-05-15 37376]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2007-03-29 320672]
"Regedit32"="c:\windows\system32\regedit.exe" [2009-07-14 398336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"atwtusb"="atwtusb.exe" [2007-08-31 364192]
"MacrokeyManager"="WTMKM.exe" [2007-09-03 1969824]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-05-01 348624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [x]
R0 SMR250;Symantec SMR Utility Service 2.5.0;c:\windows\System32\drivers\SMR250.SYS [x]
R1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2012-05-02 27760]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Tjänsten Google Update (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-14 116648]
R2 Mobile Partner. RunOuc;Mobile Partner. OUC;c:\program files (x86)\Mobile Partner\UpdateDog\ouc.exe [2012-01-17 246112]
R2 NNFSVC;Norman Network Filtering service;c:\program files\Norman\Ngs\Bin\Nnf.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys [2011-07-06 289704]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2011-02-08 39464]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-01-17 138360]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [2012-01-17 117248]
R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys [2012-01-17 13952]
R3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\DRIVERS\ewusbwwan.sys [2012-01-17 415744]
R3 gupdatem;Tjänsten Google Update (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-14 116648]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-19 113120]
R3 Samsung UPD Service;Samsung UPD Service;c:\windows\System32\SUPDSvc.exe [2010-08-09 166704]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe [2010-10-08 150016]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 WatAdminSvc;Aktiveringsteknologier för Windows-tjänst;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-19 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2010-10-07 13824]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2012-05-01 86224]
S2 HWDeviceService64.exe;HWDeviceService64.exe;c:\programdata\DatacardService\HWDeviceService64.exe [2011-03-14 346976]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-03-01 2348352]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2010-10-08 19192]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-21 2656280]
S3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys [2011-02-08 349736]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [2010-11-10 31088]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [2012-01-17 86016]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-20 56344]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-01-17 188224]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-01-27 425064]
.
.
--- Övriga tjänster/drivrutiner i minnet ---
.
*Deregistered* - 812de3bbdb8eba7d
.
Innehåll i mappen 'Schemalagda aktiviteter':
.
2012-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-14 01:52]
.
2012-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-07-14 01:52]
.
2012-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2098825367-3721180495-2186962920-1000Core.job
- c:\users\Sandra\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-30 21:18]
.
2012-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2098825367-3721180495-2186962920-1000UA.job
- c:\users\Sandra\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-30 21:18]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-07-20 13:17 755544 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-07-20 13:17 755544 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-07-20 13:17 755544 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-07-20 13:17 755544 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-06-25 11895400]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"combofix"="c:\combofix\CF15276.3XE" [2010-11-21 345088]
.
------- Extra genomsökning -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://samsung.msn.com
mStart Page = hxxp://samsung.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Skicka bild till &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Skicka sida till &Bluetooth-enhet... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{3141BF4D-2BE6-43AD-B395-73C144E5ADC1}: NameServer = 80.251.201.177 80.251.201.178
TCP: Interfaces\{5737D4BA-3D94-49B4-A65B-E8A03CE05FC6}: NameServer = 80.251.201.177 80.251.201.178
TCP: Interfaces\{A7525278-4695-4DBF-8671-5979EE6EBF8C}: NameServer = 80.251.201.177 80.251.201.178
FF - ProfilePath - c:\users\Sandra\AppData\Roaming\Mozilla\Firefox\Profiles\y1h6qm4v.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B04d40bb0-c95f-4d47-adc3-ae1073c88cf3%7D&mid=279ffbbb992347d0a0ccd15756fba782-2d0b87e949501fc153ea3771b6c94fcb37453848&ds=AVG&v=11.0.0.9&lang=en&pr=fr&d=2012-05-26%2012%3A53%3A01&sap=ku&q=
.
- - - - FÖRÄLDRALÖSA POSTER SOM TAGITS BORT - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\812de3bbdb8eba7d]
"ImagePath"="\SystemRoot\System32\Drivers\812de3bbdb8eba7d.sys"
.
--------------------- LÅSTA REGISTERNYCKLAR ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Andra processer som körs ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\programdata\Mobile Partner\OnlineUpdate\ouc.exe
c:\program files (x86)\CyberLink\Shared files\RichVideo.exe
c:\program files (x86)\Samsung\Easy Display Manager\WifiManager.exe
c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe
c:\program files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe
c:\program files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe
c:\program files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Sluttid: 2012-08-07 03:03:16 - datorn startades om.
ComboFix-quarantined-files.txt 2012-08-07 01:03
ComboFix2.txt 2012-07-31 23:16
ComboFix3.txt 2012-07-20 05:54
ComboFix4.txt 2012-07-17 03:21
ComboFix5.txt 2012-08-07 00:06
.
Före genomsökningen: 75 869 630 464 byte ledigt
Efter genomsökningen: 75 312 975 872 byte ledigt
.
- - End Of File - - F0DB15EA68F279D9D19F90A44EF8B13F

#13 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:11 PM

Posted 06 August 2012 - 09:05 PM

Sandehshrew,

Don't worry about taking so long.

Please also follow my previous instructions (I have copied them below:)

dumpit
Let's try dumpit a different way. If you have any questions or run into any problems, please let me know.

Please create this bootable CD.

  • Save these files to your Desktop
  • Open BurnCDCC and Extract All files to to it's own folder
  • Double Click BurnCDCC
  • Click Browse and navigate to the Puppy Linux ISO file you just downloaded
  • click on it and click Open
  • IMPORTANT: Adjust the speed bar to CD: 4x DVD: 1x
  • Click Start
  • Your CD Burner Tray will open automatically
  • Insert a blank CD and close the tray
  • Click OK
The CD should eject when finished.

Download and save pldumpit.exe to your USB device.

To use the CD

  • Insert the CD and restart the computer
  • When the computer first starts please press the key indicated on the screen to enter the bios or setup.
  • Make the necessary changes to make the CD first in the boot order
  • Save the changes and exit the bios/setup
  • Your computer will restart and boot from the Puppy Linux Live CD
You can save these instructions to a notepad on your usb device. Once you have mounted the drives you should be able view them by clicking on them.

  • Set your language, time. etc preferences and continue
  • Click the Mount Icon located at the top left of your desktop (should be 3rd from the left top row)
  • A Window will open, click mount for each drive listed
  • if you have a USB Flash Drive connected it's usually automatically mounted upon boot, but click the "usbdrv" tab and make sure it is mounted.

In the lower left you will see some icons with a green light on them. Click on the one that represents your usb device.
  • locate pldumpit.exe
  • right click it and select rename
  • please remove only the .exe from the file path
  • click rename
  • click on pldumpit
  • a window will open please hit enter when told to to close the window
  • there should now be a file named mbr.zip in the list of files
  • close all windows
  • click menu
  • highlight shutdown
  • click reboot
  • use the arrow key to select Do not save
  • hit enter
  • remove the CD before the computer restarts and allow the computer to boot

Please attach MBR.zip to your next reply.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#14 Sandehshrew

Sandehshrew
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:11 PM

Posted 06 August 2012 - 11:01 PM

Jason, here is the mbr attatchment.

Attached Files

  • Attached File  mbr.zip   2.21KB   7 downloads


#15 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:11 PM

Posted 07 August 2012 - 08:16 AM

Sandehshrew,

Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


TDSSKiller
  • Download TDSSKiller.exe and save it to your desktop.
  • Double-click TDSSKiller.exe to run it.
  • Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
  • Click Start scan and allow it to scan for Malicious objects.
  • If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
  • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
    for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents of the logfile in your next reply

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users