Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware/Trojan in services.exe, Sirefef


  • This topic is locked This topic is locked
27 replies to this topic

#1 Kanon9

Kanon9

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 30 July 2012 - 04:26 PM

Hello, about 2 weeks ago I started to have browser redirection problems. I ran avast, Malwarebytes, and Superantispyware and removed all threats found and the problem stopped. However, recently avast has been popping up warnings every few minutes about malware and trojans being blocked in C:\Windows\System32\systems.exe. A scan with avast also revealed Sirefef-PL [Rtk] in C:\Windows\assembly\GAC_32\Desktop.ini and C:\Windows\assembly\GAC_64\Desktop.ini. I then ran malwayrebytes and no infections were found. Any help is appreciated. Thank you.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_31
Run by Nick at 17:12:37 on 2012-07-30
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3895.1904 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\dleacoms.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\Program Files\Palm, Inc\novacomd\amd64\novacomd.exe
C:\windows\System32\svchost.exe -k HPZ12
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\ThpSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
C:\windows\system32\svchost.exe -k HPService
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TECO\Teco.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\BulletinBoard\TosNcCore.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\Mnet\QuickManager2\MRDaemon.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\Nick\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Users\Nick\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\MarkAny\ContentSAFER\MAAgent.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\TOSHIBA\FlashCards\Hotkey\TcrdKBB.exe
C:\windows\system32\igfxext.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\system32\taskeng.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\windows\system32\conhost.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
C:\windows\system32\msiexec.exe
C:\windows\system32\vssvc.exe
C:\windows\System32\svchost.exe -k swprv
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.daum.net/
uDefault_Page_URL = hxxp://www.google.com/ig?brand=TSNA&bmod=TSNA
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {687578B9-7132-4A7A-80E4-30EE31099E03} - No File
uRun: [MRDaemon.exe] C:\Program Files (x86)\Mnet\QuickManager2\MRDaemon.exe
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [Akamai NetSession Interface] "C:\Users\Nick\AppData\Local\Akamai\netsession_win.exe"
uRun: [Facebook Update] "C:\Users\Nick\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [ShowBatteryBar] "C:\Program Files\BatteryBar\ShowBatteryBar.exe" show
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [TUSBSleepChargeSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [MAAgent] C:\Program Files (x86)\MarkAny\ContentSAFER\MAAgent.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe
mRun: [CPA] C:\Program Files\COMODO\COMODO GeekBuddy\VALA.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Free YouTube Download - C:\Users\Nick\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - C:\Users\Nick\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {DFBBCB52-4D9F-4D0E-BF4A-A51223FC2541} - hxxp://patch.mnet.com/Ver2/App/totalApp/mnethelper/MnetHelper2_20100303.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{2E9B50A8-29E3-4A67-B32D-27CB47F9C2FD} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{2E9B50A8-29E3-4A67-B32D-27CB47F9C2FD}\1457975657E676 : DhcpNameServer = 216.68.4.10 216.68.5.10
TCP: Interfaces\{2E9B50A8-29E3-4A67-B32D-27CB47F9C2FD}\3716573656C6168627 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2E9B50A8-29E3-4A67-B32D-27CB47F9C2FD}\445414C435F4E40514E44535 : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{2E9B50A8-29E3-4A67-B32D-27CB47F9C2FD}\B496C6C616378616E6462716 : DhcpNameServer = 10.0.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: C:\windows\SysWOW64\guard32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - C:\PROGRA~2\MarkAny\CONTEN~1\MACSMA~1.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {687578B9-7132-4A7A-80E4-30EE31099E03} - No File
mRun-x64: [TUSBSleepChargeSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
mRun-x64: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [MAAgent] C:\Program Files (x86)\MarkAny\ContentSAFER\MAAgent.exe
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun-x64: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe
mRun-x64: [CPA] C:\Program Files\COMODO\COMODO GeekBuddy\VALA.exe
AppInit_DLLs-X64: C:\windows\SysWOW64\guard32.dll
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
SEH-X64: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - C:\PROGRA~2\MarkAny\CONTEN~1\MACSMA~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\2r3zqcmf.default\
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Nick\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\Nick\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\windows\system32\Drivers\PxHlpa64.sys --> C:\windows\system32\Drivers\PxHlpa64.sys [?]
R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\windows\system32\DRIVERS\thpdrv.sys --> C:\windows\system32\DRIVERS\thpdrv.sys [?]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\windows\system32\DRIVERS\Thpevm.SYS --> C:\windows\system32\DRIVERS\Thpevm.SYS [?]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\windows\system32\DRIVERS\tos_sps64.sys --> C:\windows\system32\DRIVERS\tos_sps64.sys [?]
R1 aswSP;aswSP;C:\windows\system32\drivers\aswSP.sys --> C:\windows\system32\drivers\aswSP.sys [?]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\windows\system32\DRIVERS\cmdguard.sys --> C:\windows\system32\DRIVERS\cmdguard.sys [?]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\windows\system32\DRIVERS\cmdhlp.sys --> C:\windows\system32\DRIVERS\cmdhlp.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 Akamai;Akamai NetSession Interface;C:\windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
R2 aswFsBlk;aswFsBlk;C:\windows\system32\drivers\aswFsBlk.sys --> C:\windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\windows\system32\drivers\aswMonFlt.sys --> C:\windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2012-7-26 40384]
R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2009-10-27 252784]
R2 CLPSLS;COMODO livePCsupport Service;C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-11-23 1267000]
R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-3-10 46448]
R2 dlea_device;dlea_device;C:\windows\system32\dleacoms.exe -service --> C:\windows\system32\dleacoms.exe -service [?]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-4-13 13336]
R2 NovacomD;Palm Novacom;C:\Program Files\Palm, Inc\novacomd\amd64\novacomd.exe [2011-6-24 72192]
R2 rimspci;rimspci;C:\windows\system32\DRIVERS\rimspe64.sys --> C:\windows\system32\DRIVERS\rimspe64.sys [?]
R2 risdpcie;risdpcie;C:\windows\system32\DRIVERS\risdpe64.sys --> C:\windows\system32\DRIVERS\risdpe64.sys [?]
R2 rixdpcie;rixdpcie;C:\windows\system32\DRIVERS\rixdpe64.sys --> C:\windows\system32\DRIVERS\rixdpe64.sys [?]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\TECO\TecoService.exe [2009-9-28 251760]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;C:\windows\system32\DRIVERS\TVALZFL.sys --> C:\windows\system32\DRIVERS\TVALZFL.sys [?]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-4-13 2314240]
R3 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2012-7-26 40384]
R3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2012-7-26 40384]
R3 FwLnk;FwLnk Driver;C:\windows\system32\DRIVERS\FwLnk.sys --> C:\windows\system32\DRIVERS\FwLnk.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\windows\system32\DRIVERS\HECIx64.sys --> C:\windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\windows\system32\DRIVERS\Impcd.sys --> C:\windows\system32\DRIVERS\Impcd.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\windows\system32\DRIVERS\IntcDAud.sys --> C:\windows\system32\DRIVERS\IntcDAud.sys [?]
R3 PGEffect;Pangu effect driver;C:\windows\system32\DRIVERS\pgeffect.sys --> C:\windows\system32\DRIVERS\pgeffect.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\windows\system32\DRIVERS\rtl8192se.sys --> C:\windows\system32\DRIVERS\rtl8192se.sys [?]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-4-13 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-11-5 137560]
R3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2009-11-10 824688]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-6-18 135664]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-10-6 1030600]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-6-18 135664]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2010-1-21 51445112]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-26 113120]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 SrvHsfHDA;SrvHsfHDA;C:\windows\system32\DRIVERS\VSTAZL6.SYS --> C:\windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\windows\system32\DRIVERS\VSTDPV6.SYS --> C:\windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== File Associations ===============
.
.scr=DWGTrueViewScriptFile
.
=============== Created Last 30 ================
.
2012-07-30 21:07:47 -------- d-----w- C:\ProgramData\Comodo
2012-07-30 21:07:45 348160 ----a-w- C:\windows\SysWow64\msvcr71.dll
2012-07-30 21:07:45 1060864 ----a-w- C:\windows\SysWow64\mfc71.dll
2012-07-30 21:07:45 -------- d-----w- C:\Program Files\COMODO
2012-07-26 22:09:13 61008 ----a-w- C:\windows\System32\drivers\aswMonFlt.sys
2012-07-26 22:08:13 38848 ----a-w- C:\windows\avastSS.scr
2012-07-26 08:41:48 -------- d-----w- C:\Program Files (x86)\ASIO4ALL v2
2012-07-26 08:23:26 -------- d-----w- C:\Users\Nick\AppData\Roaming\SynthMaker
2012-07-26 07:00:55 -------- d-----w- C:\Users\Nick\AppData\Roaming\SUPERAntiSpyware.com
2012-07-26 07:00:26 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-07-26 07:00:26 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-07-26 02:11:14 -------- d-----w- C:\Program Files (x86)\AVG
2012-07-26 02:06:33 -------- d--h--w- C:\ProgramData\Common Files
2012-07-26 02:06:33 -------- d-----w- C:\ProgramData\MFAData
2012-07-11 08:41:27 -------- d-sh--w- C:\windows\SysWow64\%APPDATA%
2012-07-11 07:06:48 3148800 ----a-w- C:\windows\System32\win32k.sys
2012-07-11 05:35:17 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DE673837-D114-41B9-A25A-40E413615097}\mpengine.dll
2012-07-09 03:24:17 -------- d-----w- C:\Users\Nick\AppData\Local\CRE
2012-07-09 03:24:11 -------- d-----w- C:\Program Files (x86)\Conduit
2012-07-09 03:24:08 -------- d-----w- C:\Users\Nick\AppData\Local\Conduit
.
==================== Find3M ====================
.
2012-06-06 06:06:16 2004480 ----a-w- C:\windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\windows\System32\msxml3.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\windows\System32\cdosys.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\windows\SysWow64\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- C:\windows\SysWow64\cdosys.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\windows\System32\wudriver.dll
2012-06-02 19:19:42 186752 ----a-w- C:\windows\System32\wuwebv.dll
2012-06-02 19:15:12 36864 ----a-w- C:\windows\System32\wuapp.exe
2012-06-02 05:50:10 458704 ----a-w- C:\windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\windows\SysWow64\sspicli.dll
2012-05-15 04:01:31 1188864 ----a-w- C:\windows\System32\wininet.dll
2012-05-15 03:03:54 981504 ----a-w- C:\windows\SysWow64\wininet.dll
2012-05-04 11:06:22 5559664 ----a-w- C:\windows\System32\ntoskrnl.exe
2012-05-04 10:03:53 3968368 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03:50 3913072 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
.
============= FINISH: 17:15:33.02 ===============

BC AdBot (Login to Remove)

 


#2 Kanon9

Kanon9
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 30 July 2012 - 04:27 PM

forgot the attach file

Attached Files



#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:07 PM

Posted 31 July 2012 - 02:52 PM

please run the following:

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to the disclaimer.
[*]Place a check next to List Drivers MD5 as well as the default check marks that are already there
[*]Press Scan button.
[*]FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
services.exe
[*]now press the search button
[*]when the search is complete, search.txt will also be written to your USB
[*]type exit and reboot the computer normally
[*]please copy and paste both logs in your reply.(FRST.txt and Search.txt)[/list]

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 Kanon9

Kanon9
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 31 July 2012 - 05:43 PM

Thanks for the help.

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 31-07-2012 18:23:56
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [] [x]
HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [166424 2009-11-13] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [390168 2009-11-13] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [408600 2009-11-13] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8312352 2009-11-02] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1870120 2009-10-15] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [506208 2009-10-29] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [911160 2009-10-26] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1482592 2009-09-28] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [707416 2009-11-10] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [ThpSrv] C:\windows\system32\thpsrv /logon [x]
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2009-11-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2009-10-28] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [34648 2009-10-28] (TOSHIBA Corporation)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2327952 2010-07-21] (Microsoft Corporation)
HKLM\...\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices [112512 2010-01-21] (Microsoft Corporation)
HKLM\...\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h [9569096 2012-03-11] (COMODO)
HKLM-x32\...\Run: [TUSBSleepChargeSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe [x]
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2009-10-02] (Intel Corporation)
HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294136 2009-10-06] (TOSHIBA Corporation)
HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2446648 2009-11-05] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-07-12] ()
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2011-09-07] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [MAAgent] C:\Program Files (x86)\MarkAny\ContentSAFER\MAAgent.exe [61440 2008-09-19] ((?)????)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui [2837864 2010-06-28] (AVAST Software)
HKLM-x32\...\Run: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe [213304 2011-11-23] (COMODO)
HKLM-x32\...\Run: [CPA] C:\Program Files\COMODO\COMODO GeekBuddy\VALA.exe [184120 2011-11-23] (COMODO)
HKU\Nick\...\Run: [MRDaemon.exe] C:\Program Files (x86)\Mnet\QuickManager2\MRDaemon.exe [274432 2010-12-14] (Hanmaro Inc)
HKU\Nick\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Nick\...\Run: [Akamai NetSession Interface] "C:\Users\Nick\AppData\Local\Akamai\netsession_win.exe" [4327744 2012-05-26] (Akamai Technologies, Inc)
HKU\Nick\...\Run: [Facebook Update] "C:\Users\Nick\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-11] (Facebook Inc.)
HKU\Nick\...\Run: [ShowBatteryBar] "C:\Program Files\BatteryBar\ShowBatteryBar.exe" show [89600 2009-05-28] ()
HKU\Nick\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5661056 2012-07-09] (SUPERAntiSpyware.com)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
AppInit_DLLs: C:\windows\system32\guard64.dll

==================== Services (Whitelisted) ======

2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-08-11] (SUPERAntiSpyware.com)
2 Akamai; C:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll [4419392 2012-07-10] (Akamai Technologies, Inc)
2 avast! Antivirus; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [40384 2010-06-28] (AVAST Software)
3 avast! Mail Scanner; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [40384 2010-06-28] (AVAST Software)
3 avast! Web Scanner; "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" [40384 2010-06-28] (AVAST Software)
2 CLPSLS; C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe [1267000 2011-11-23] (COMODO)
2 cmdAgent; "C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe" [2815496 2012-03-11] (COMODO)
2 dlea_device; C:\windows\system32\dleacoms.exe -service [1054888 2009-07-01] ( )
2 NovacomD; C:\Program Files\Palm, Inc\novacomd\amd64\novacomd.exe [72192 2011-06-24] (Palm)
3 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74392 2009-04-30] (MicroVision Development, Inc.)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2314240 2009-09-30] (Intel Corporation)

========================== Drivers (Whitelisted) =============

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [20048 2010-06-28] (ALWIL Software)
2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [61008 2010-06-28] (ALWIL Software)
1 aswRdr; C:\Windows\System32\Drivers\aswRdr.sys [28752 2010-06-28] (ALWIL Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [121936 2010-06-28] (ALWIL Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [51280 2010-06-28] (ALWIL Software)
1 cmdGuard; C:\Windows\System32\Drivers\cmdGuard.sys [577824 2012-03-11] (COMODO)
1 cmdHlp; C:\Windows\System32\Drivers\cmdHlp.sys [43248 2012-03-11] (COMODO)
1 inspect; C:\Windows\System32\Drivers\inspect.sys [93200 2012-02-03] (COMODO)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-06-19] (Duplex Secure Ltd.)
3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena\plugins\UI\safedrv.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-31 13:40 - 2012-07-31 14:18 - 00000000 ____D C:\Users\All Users\CPA_VA
2012-07-31 13:38 - 2012-07-31 13:38 - 00000000 ____D C:\Users\Public\Documents\COMODO
2012-07-30 13:24 - 2012-07-30 13:24 - 00026386 ____A C:\Users\Nick\Desktop\dds.txt
2012-07-30 13:24 - 2012-07-30 13:24 - 00005239 ____A C:\Users\Nick\Desktop\attach.txt
2012-07-30 13:08 - 2012-07-30 13:08 - 00001846 ____A C:\Users\Public\Desktop\COMODO Firewall.lnk
2012-07-30 13:07 - 2012-07-30 13:10 - 00000000 ____D C:\Users\All Users\Comodo
2012-07-30 13:07 - 2012-07-30 13:07 - 01060864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfc71.dll
2012-07-30 13:07 - 2012-07-30 13:07 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2012-07-30 13:07 - 2012-07-30 13:07 - 00001056 ____A C:\Users\Public\Desktop\COMODO GeekBuddy.lnk
2012-07-30 13:07 - 2012-07-30 13:07 - 00000000 ____D C:\Program Files\COMODO
2012-07-30 12:54 - 2012-07-30 12:54 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Toshiba
2012-07-30 12:54 - 2012-07-30 12:54 - 00000000 ____D C:\Users\Administrator\AppData\Local\TOSHIBA_Corporation
2012-07-30 12:53 - 2012-07-30 12:53 - 00161208 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-30 12:53 - 2012-07-30 12:53 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Roxio
2012-07-30 12:53 - 2012-07-30 12:53 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Intel Corporation
2012-07-30 12:53 - 2012-07-30 12:53 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Apple Computer
2012-07-30 12:53 - 2012-07-30 12:53 - 00000000 ____D C:\Users\Administrator\AppData\Local\Toshiba
2012-07-30 12:52 - 2012-07-30 12:52 - 00000020 __ASH C:\Users\Administrator\ntuser.ini
2012-07-30 12:52 - 2012-07-30 12:52 - 00000000 ____D C:\users\Administrator
2012-07-29 20:37 - 2012-07-29 20:37 - 00607260 ____R (Swearware) C:\Users\Nick\Desktop\dds.com
2012-07-26 14:09 - 2012-07-26 14:09 - 00001863 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-07-26 14:09 - 2010-06-28 12:37 - 00121936 ____A (ALWIL Software) C:\Windows\System32\Drivers\aswSP.sys
2012-07-26 14:09 - 2010-06-28 12:37 - 00051280 ____A (ALWIL Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-07-26 14:09 - 2010-06-28 12:33 - 00061008 ____A (ALWIL Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-07-26 14:09 - 2010-06-28 12:33 - 00028752 ____A (ALWIL Software) C:\Windows\System32\Drivers\aswRdr.sys
2012-07-26 14:09 - 2010-06-28 12:32 - 00020048 ____A (ALWIL Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-07-26 14:08 - 2010-06-28 12:57 - 00165032 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe
2012-07-26 14:08 - 2010-06-28 12:57 - 00038848 ____A (ALWIL Software) C:\Windows\avastSS.scr
2012-07-26 00:41 - 2012-07-26 00:41 - 00000000 ____D C:\Program Files (x86)\ASIO4ALL v2
2012-07-26 00:23 - 2012-07-26 00:23 - 00000000 ____D C:\Users\Nick\AppData\Roaming\SynthMaker
2012-07-25 23:00 - 2012-07-25 23:00 - 00001819 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-07-25 23:00 - 2012-07-25 23:00 - 00000000 ____D C:\Users\Nick\AppData\Roaming\SUPERAntiSpyware.com
2012-07-25 23:00 - 2012-07-25 23:00 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-07-25 23:00 - 2012-07-25 23:00 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-07-25 18:11 - 2012-07-25 18:11 - 00000000 ____D C:\Program Files (x86)\AVG
2012-07-25 18:06 - 2012-07-29 15:46 - 00000000 ____D C:\Users\All Users\MFAData
2012-07-11 00:41 - 2012-07-11 00:41 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-07-10 23:06 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-10 21:38 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-10 21:38 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-10 21:38 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-10 21:38 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-10 21:38 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-10 21:38 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-10 21:38 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-10 21:38 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-07-10 21:38 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-10 21:38 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-10 21:38 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-10 21:38 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-10 21:38 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-10 21:38 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-10 21:38 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-10 21:38 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-07-10 21:38 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-07-10 21:38 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-10 21:38 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2012-07-08 19:24 - 2012-07-10 15:21 - 00000000 ____D C:\Users\Nick\AppData\Local\Conduit
2012-07-08 19:24 - 2012-07-08 19:24 - 00000000 ____D C:\Users\Nick\AppData\Local\CRE
2012-07-08 19:24 - 2012-07-08 19:24 - 00000000 ____D C:\Program Files (x86)\Conduit


============ 3 Months Modified Files ========================

2012-07-31 14:15 - 2010-06-18 18:45 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-31 14:15 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-31 14:14 - 2009-07-13 20:51 - 00215558 ____A C:\Windows\setupact.log
2012-07-31 14:06 - 2009-07-13 21:13 - 00779132 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-31 13:48 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-31 13:48 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-31 13:47 - 2010-06-18 18:45 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-31 00:19 - 2011-12-05 22:09 - 00000924 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-896223013-503850747-3944495299-1000UA.job
2012-07-30 15:52 - 2011-12-05 22:09 - 00000902 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-896223013-503850747-3944495299-1000Core.job
2012-07-30 13:24 - 2012-07-30 13:24 - 00026386 ____A C:\Users\Nick\Desktop\dds.txt
2012-07-30 13:24 - 2012-07-30 13:24 - 00005239 ____A C:\Users\Nick\Desktop\attach.txt
2012-07-30 13:08 - 2012-07-30 13:08 - 00001846 ____A C:\Users\Public\Desktop\COMODO Firewall.lnk
2012-07-30 13:07 - 2012-07-30 13:07 - 01060864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfc71.dll
2012-07-30 13:07 - 2012-07-30 13:07 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2012-07-30 13:07 - 2012-07-30 13:07 - 00001056 ____A C:\Users\Public\Desktop\COMODO GeekBuddy.lnk
2012-07-30 12:53 - 2012-07-30 12:53 - 00161208 ____A C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-30 12:52 - 2012-07-30 12:52 - 00000020 __ASH C:\Users\Administrator\ntuser.ini
2012-07-30 12:03 - 2009-12-11 22:43 - 00374740 ____A C:\Windows\PFRO.log
2012-07-29 20:37 - 2012-07-29 20:37 - 00607260 ____R (Swearware) C:\Users\Nick\Desktop\dds.com
2012-07-26 14:09 - 2012-07-26 14:09 - 00001863 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-07-26 14:09 - 2010-06-18 23:13 - 00000000 ____A C:\Windows\SysWOW64\config.nt
2012-07-25 23:00 - 2012-07-25 23:00 - 00001819 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-07-25 00:50 - 2011-04-14 17:17 - 587681368 ____A C:\Windows\MEMORY.DMP
2012-07-22 13:05 - 2010-04-13 07:41 - 01713035 ____A C:\Windows\WindowsUpdate.log
2012-07-11 13:10 - 2009-07-13 20:45 - 00535072 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-10 23:01 - 2010-09-28 08:43 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-02 12:59 - 2009-07-13 21:08 - 00032626 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-11 19:08 - 2012-07-10 23:06 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:43 - 2012-07-10 21:38 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-10 21:38 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-10 21:38 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-10 21:38 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-10 21:38 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-10 21:38 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-10 21:38 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-10 21:38 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-19 08:30 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-19 08:30 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-19 08:30 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-19 08:29 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-19 08:29 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-19 08:30 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-19 08:29 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-19 08:29 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:15 - 2012-06-19 08:29 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 21:50 - 2012-07-10 21:38 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-10 21:38 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-10 21:38 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-10 21:38 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-10 21:38 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-10 21:38 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-10 21:38 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-10 21:38 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-10 21:38 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-14 20:01 - 2012-06-15 15:39 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-14 19:59 - 2012-06-15 15:39 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-14 19:03 - 2012-06-15 15:39 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-14 19:00 - 2012-06-15 15:39 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-04 03:06 - 2012-06-15 15:38 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 02:03 - 2012-06-15 15:38 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:03 - 2012-06-15 15:38 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe


ZeroAccess:
C:\Windows\Installer\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}
C:\Windows\Installer\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\@
C:\Windows\Installer\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\L
C:\Windows\Installer\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\U
C:\Windows\Installer\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\L\00000004.@
C:\Windows\Installer\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\L\1afb2d56
C:\Windows\Installer\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\L\201d3dde
C:\Windows\Installer\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\U\00000008.@
C:\Windows\Installer\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\U\000000cb.@
C:\Windows\Installer\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\U\80000064.@

ZeroAccess:
C:\Users\Nick\AppData\Local\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}
C:\Users\Nick\AppData\Local\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\@
C:\Users\Nick\AppData\Local\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\L
C:\Users\Nick\AppData\Local\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\U
C:\Users\Nick\AppData\Local\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\L\00000004.@
C:\Users\Nick\AppData\Local\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\L\1afb2d56
C:\Users\Nick\AppData\Local\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\U\00000008.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 3894.85 MB
Available physical RAM: 3311.04 MB
Total Pagefile: 3893 MB
Available Pagefile: 3294.55 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (TI105322W0F) (Fixed) (Total:453.89 GB) (Free:147.55 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (KINGSTON) (Removable) (Total:3.65 GB) (Free:2.82 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 3745 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 453 GB 1501 MB
Partition 3 Primary 10 GB 455 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI105322W0F NTFS Partition 453 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3741 MB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F KINGSTON FAT32 Removable 3741 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-18 15:39

======================= End Of Log ==========================


Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-31 18:25:53
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:07 PM

Posted 31 July 2012 - 06:00 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
HKLM\...\Run: [] [x]
C:\Windows\Installer\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}
C:\Users\Nick\AppData\Local\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe | C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 Kanon9

Kanon9
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 31 July 2012 - 08:07 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-31 19:09:12 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
C:\Windows\Installer\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0} moved successfully.
C:\Users\Nick\AppData\Local\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
Could not find C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe |.

==== End of Fixlog ====






ComboFix 12-07-30.03 - Nick 07/31/2012 19:44:54.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3895.2578 [GMT -4:00]
Running from: c:\users\Nick\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
FW: COMODO Firewall *Disabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\SPL252E.tmp
c:\windows\Downloaded Program Files\IDropPTB.dll
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-01 to 2012-08-01 )))))))))))))))))))))))))))))))
.
.
2012-08-01 02:23 . 2012-08-01 02:23 -------- d-----w- C:\FRST
2012-07-31 23:58 . 2012-07-31 23:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-31 21:40 . 2012-07-31 22:18 -------- d-----w- c:\programdata\CPA_VA
2012-07-30 21:07 . 2012-07-30 21:10 -------- d-----w- c:\programdata\Comodo
2012-07-30 21:07 . 2012-07-30 21:07 -------- d-----w- c:\program files\COMODO
2012-07-30 21:07 . 2012-07-30 21:07 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2012-07-30 21:07 . 2012-07-30 21:07 1060864 ----a-w- c:\windows\SysWow64\mfc71.dll
2012-07-30 20:52 . 2012-07-30 20:52 -------- d-----w- c:\users\Administrator
2012-07-26 22:09 . 2010-06-28 20:32 20048 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-26 22:09 . 2010-06-28 20:37 121936 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-26 22:09 . 2010-06-28 20:33 28752 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-26 22:09 . 2010-06-28 20:37 51280 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-26 22:09 . 2010-06-28 20:33 61008 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-26 22:08 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2012-07-26 22:08 . 2010-06-28 20:57 165032 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-07-26 08:41 . 2012-07-26 08:41 -------- d-----w- c:\program files (x86)\ASIO4ALL v2
2012-07-26 08:23 . 2012-07-26 08:23 -------- d-----w- c:\users\Nick\AppData\Roaming\SynthMaker
2012-07-26 07:00 . 2012-07-26 07:00 -------- d-----w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com
2012-07-26 07:00 . 2012-07-26 07:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-07-26 07:00 . 2012-07-26 07:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-07-26 02:11 . 2012-07-26 02:11 -------- d-----w- c:\program files (x86)\AVG
2012-07-26 02:06 . 2012-07-29 23:46 -------- d-----w- c:\programdata\MFAData
2012-07-26 02:06 . 2012-07-26 02:06 -------- d--h--w- c:\programdata\Common Files
2012-07-11 08:41 . 2012-07-11 08:41 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-11 07:06 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-09 03:24 . 2012-07-09 03:24 -------- d-----w- c:\users\Nick\AppData\Local\CRE
2012-07-09 03:24 . 2012-07-09 03:24 -------- d-----w- c:\program files (x86)\Conduit
2012-07-09 03:24 . 2012-07-10 23:21 -------- d-----w- c:\users\Nick\AppData\Local\Conduit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 07:01 . 2010-09-28 16:43 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-02 22:19 . 2012-06-19 16:29 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-19 16:30 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-19 16:30 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-19 16:30 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 16:29 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-19 16:30 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-19 16:29 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-19 16:29 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-19 16:29 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 04:04 . 2012-07-11 05:35 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DE673837-D114-41B9-A25A-40E413615097}\mpengine.dll
2012-05-15 04:01 . 2012-06-15 23:39 1188864 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 03:59 . 2012-06-15 23:39 64512 ----a-w- c:\windows\system32\jsproxy.dll
2012-05-15 03:03 . 2012-06-15 23:39 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2012-05-04 11:06 . 2012-06-15 23:38 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-15 23:38 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-15 23:38 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MRDaemon.exe"="c:\program files (x86)\Mnet\QuickManager2\MRDaemon.exe" [2010-12-15 274432]
"Akamai NetSession Interface"="c:\users\Nick\AppData\Local\Akamai\netsession_win.exe" [2012-05-26 4327744]
"Facebook Update"="c:\users\Nick\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
"ShowBatteryBar"="c:\program files\BatteryBar\ShowBatteryBar.exe" [2009-05-28 89600]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-07-09 5661056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2009-10-02 284696]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-11-05 2446648]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-07-13 498160]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"MAAgent"="c:\program files (x86)\MarkAny\ContentSAFER\MAAgent.exe" [2008-09-19 61440]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 213304]
"CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 184120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-19 135664]
R2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\amd64\novacomd.exe [2011-06-25 72192]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-10-06 1030600]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files (x86)\Garena\plugins\UI\safedrv.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-19 135664]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 51445112]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-27 113120]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-11-05 137560]
R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-11-10 824688]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-19 1255736]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-19 834544]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2009-06-29 34880]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2009-06-29 14784]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [2009-07-24 482384]
S1 aswSP;aswSP; [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2012-03-12 577824]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2012-03-12 43248]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 61008]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2009-10-28 252784]
S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-11-23 1267000]
S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe [2009-07-01 1054888]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-10-02 13336]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [2009-07-02 60416]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [2009-07-29 81408]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [2009-07-05 55808]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-09-28 251760]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-10-01 2314240]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-07-07 51600]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2009-07-07 9216]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 151936]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-10-30 244736]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 35008]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2010-07-21 45456]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-07-31 236544]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2009-10-02 946688]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-31 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-896223013-503850747-3944495299-1000Core.job
- c:\users\Nick\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-12-06 23:14]
.
2012-07-31 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-896223013-503850747-3944495299-1000UA.job
- c:\users\Nick\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-12-06 23:14]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-19 02:45]
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-19 02:45]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-14 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-14 390168]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-14 408600]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-11-03 8312352]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-11-05 709976]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 112512]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-12 9569096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.daum.net/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\Nick\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\users\Nick\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: {DFBBCB52-4D9F-4D0E-BF4A-A51223FC2541} - hxxp://patch.mnet.com/Ver2/App/totalApp/mnethelper/MnetHelper2_20100303.cab
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\2r3zqcmf.default\
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe
Wow6432Node-HKLM-Run-TUSBSleepChargeSrv - %ProgramFiles(x86)%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
Toolbar-Locked - (no file)
WebBrowser-{687578B9-7132-4A7A-80E4-30EE31099E03} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
AddRemove-{FBBC4667-2521-4E78-B1BD-8706F774549B} - c:\programdata\{5D8BE403-3090-4297-B98F-65CBBE9DBF71}\Best Buy Software Installer Setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-07-31 20:11:33 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-01 00:11
.
Pre-Run: 158,261,522,432 bytes free
Post-Run: 159,830,331,392 bytes free
.
- - End Of File - - A5E4AA1C994E0CB73469D60D2BDE6DAE

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:07 PM

Posted 31 July 2012 - 08:22 PM

please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


NEXT


  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 Kanon9

Kanon9
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 01 August 2012 - 03:05 AM

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.01.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Nick :: NICK-PC [administrator]

7/31/2012 10:22:57 PM
mbam-log-2012-07-31 (22-22-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 218655
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




C:\FRST\Quarantine\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\U\00000008.@ Win64/Agent.BA trojan
C:\FRST\Quarantine\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\U\000000cb.@ Win64/Conedex.B trojan
C:\FRST\Quarantine\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\{5e52bfba-36e4-b6eb-58b5-eff0d3ca0cd0}\U\00000008.@ Win64/Agent.BA trojan
C:\Program Files (x86)\uTorrent\[ Eraz3r ] Korg Legacy Complete\[ Eraz3r ] Korg Legacy Complete.rar a variant of Win32/Keygen.AD application
C:\Qoobox\Quarantine\C\Windows\System32\Services.exe.vir Win64/Patched.B.Gen trojan
C:\Users\Nick\Downloads\StepMania-3.9a.exe Win32/OpenCandy application




MiniToolBox by Farbar Version: 23-07-2012
Ran by Nick (administrator) on 01-08-2012 at 04:03:38
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

Torrent (Version: 3.1.3)
64 Bit HP CIO Components Installer (Version: 6.2.2)
7-Zip 9.20 (x64 edition) (Version: 9.20.00.0)
Adobe Flash Player 11 ActiveX 64-bit (Version: 11.1.102.55)
Adobe Flash Player 11 Plugin (Version: 11.1.102.55)
Adobe Reader 9.4.6 (Version: 9.4.6)
Akamai NetSession Interface
Akamai NetSession Interface Service
Alien Swarm
Amazon MP3 Downloader 1.0.10
Apple Application Support (Version: 2.1.7)
Apple Mobile Device Support (Version: 5.1.1.4)
Apple Software Update (Version: 2.1.3.127)
ASIO4ALL (Version: 2.10)
AuditionSEA (Version: Client)
Autodesk Design Review 2010 (Version: 10.0.0.108)
Autodesk Inventor 2010 (Version: 14.0.0000.22302)
Autodesk Inventor 2010 English Language Pack (Version: 14.0.0000.22302)
Autodesk Inventor Content Center Libraries 2010 (Desktop Content) (Version: 14.0.0000.22302)
Autodesk Inventor Professional 2010 (Version: 14.0.0000.22302)
BatteryBar (remove only)
Bonjour (Version: 3.0.0.10)
Catan Online World (Version: 3.728)
COMODO GeekBuddy (Version: 3.3.217083.59)
COMODO Internet Security (Version: 5.10.31649.2253)
ContentSAFER
Counter-Strike: Source
D3DX10 (Version: 15.4.2368.0902)
Daum ũ̹ ȭ (Version: )
Definition Update for Microsoft Office 2010 (KB982726) 64-Bit Edition
Dev-C++ 5 beta 9 release (4.9.9.2)
Diablo III (Version: 1.0.1.9558)
Diablo III Beta (Version: 0.11.0.9359)
DJ_AIO_06_F4500_SW_MIN (Version: 140.0.690.000)
Dolby Control Center (Version: 2.2.1)
DWG TrueView 2010 (Version: 18.0.55.0)
ESET Online Scanner v3
Facebook Plug-In
Facebook Video Calling 1.2.0.159 (Version: 1.2.159)
FL Studio 9
Free Audio CD Burner version 1.4.7
Free Studio version 4.7
Free YouTube Download version 3.0.22.221 (Version: 3.0.22.221)
Free YouTube to MP3 Converter version 3.10.15.1228
Google Earth (Version: 6.1.0.5001)
Google Update Helper (Version: 1.3.21.115)
Hardcore
HP Deskjet F4500 All-in-One Driver 14.0 Rel. 6 (Version: 14.0)
HP Photosmart D110 All-In-One Driver 14.0 Rel. 7 (Version: 14.0)
IL Download Manager
Intel® Control Center (Version: 1.2.0.1006)
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.1986)
Intel® Management Engine Components (Version: 6.0.0.1179)
Intel® Rapid Storage Technology (Version: 9.5.0.1037)
iTunes (Version: 10.6.1.7)
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 31 (Version: 6.0.310)
Junk Mail filter update (Version: 15.4.3502.0922)
KORG Legacy Collection - LegacyCell (Version: 1.2.3)
League of Legends (Version: 1.3)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
MATLAB R2010b (Version: 7.11)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Expression Encoder 4 (Version: 4.0.3205.0)
Microsoft Expression Encoder 4 Screen Capture Codec (Version: 4.0.3205.0)
Microsoft IntelliPoint 8.0 (Version: 8.0.225.0)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Office 32-bit Components 2010 (Version: 14.0.4734.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.4734.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.4734.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.4734.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Shared 32-bit MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Suite Activation Assistant (Version: 2.9)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Silverlight (Version: 5.1.10411.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Works (Version: 9.7.0621)
Microsoft WSE 3.0 Runtime (Version: 3.0.5305.0)
Mnet Media QuickManager2
Mozilla Firefox 14.0.1 (x86 en-US) (Version: 14.0.1)
Mozilla Maintenance Service (Version: 14.0.1)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Network64 (Version: 140.0.215.000)
Novacomd (Version: 1.0.0.76)
Pando Media Booster (Version: 2.6.0.6)
PDFZilla V1.2.9
PlayReady PC Runtime amd64 (Version: 1.3.0)
PoiZone
Portal 2
PS_AIO_07_D110_SW_Min (Version: 140.0.142.000)
QuickTime (Version: 7.72.80.56)
Realtek Ethernet Controller Driver (Version: 1.00.0008)
Realtek High Definition Audio Driver (Version: 6.0.1.5972)
Realtek WLAN Driver (Version: 2.00.0006)
RICOH R5U230 Media Driver ver.2.06.03.02 (Version: 2.06.03.02)
RollerCoaster Tycoon 2
RollerCoaster Tycoon 3 (Version: 1.00.000)
Roxio Burn (Version: 1.2)
Roxio Express Labeler 3 (Version: 3.2.1)
Roxio Roxio Burn (Version: 1.0.0)
Roxio Update Manager (Version: 6.0.0)
Sakura
Sawer
Scan (Version: 140.0.80.000)
Skype Click to Call (Version: 5.6.8442)
Skype 5.5 (Version: 5.5.124)
Spotify (Version: 0.5.2)
Starcraft
StarCraft II (Version: 1.4.2.20141)
Steam (Version: 1.0.0.0)
StepMania 3.9a (remove only)
SUPERAntiSpyware (Version: 5.5.1012)
Synaptics Pointing Device Driver (Version: 14.0.11.0)
System Requirements Lab (Version: 4.1.71.0)
System Requirements Lab CYRI (Version: 4.5.1.0)
System Requirements Lab for Intel (Version: 4.5.3.0)
Toolbox (Version: 140.0.428.000)
Toshiba Application Installer (Version: 9.0.0.9)
TOSHIBA Assist (Version: 3.00.10)
TOSHIBA Bulletin Board (Version: 1.5.05.64)
TOSHIBA ConfigFree (Version: 8.0.25)
TOSHIBA Disc Creator (Version: 2.1.0.2 for x64)
TOSHIBA DVD PLAYER (Version: 3.01.1.07-A)
TOSHIBA eco Utility (Version: 1.1.12.64)
TOSHIBA Extended Tiles for Windows Mobility Center (Version: )
TOSHIBA Extended Tiles for Windows Mobility Center (Version: 1.01.00)
TOSHIBA Face Recognition (Version: 3.1.3.64)
TOSHIBA Hardware Setup (Version: 2.00.15)
TOSHIBA HDD Protection (Version: 2.2.0.3)
TOSHIBA HDD/SSD Alert (Version: 3.1.64.4)
TOSHIBA Media Controller (Version: 1.0.65)
TOSHIBA PC Health Monitor (Version: 1.5.1.64)
TOSHIBA Quality Application (Version: 1.0.1)
TOSHIBA Recovery Media Creator (Version: 2.1.0.4 for x64)
TOSHIBA ReelTime (Version: 1.5.07.64)
TOSHIBA Service Station (Version: 2.1.40)
TOSHIBA Speech System Applications (Version: 1.00.2518)
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password (Version: 2.00.11)
TOSHIBA USB Sleep and Charge Utility (Version: 1.3.2.0)
TOSHIBA Value Added Package (Version: 1.2.32.64)
TOSHIBA Web Camera Application (Version: 1.1.1.7)
ToshibaRegistration (Version: 1.0.3)
Toxic Biohazard
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553092)
VBA (2627.01) (Version: 6.03.00.9402)
Ventrilo Client for Windows x64 (Version: 3.0.8.0)
Visual Studio 2008 x64 Redistributables (Version: 10.0.0.2)
VLC media player 1.1.11 (Version: 1.1.11)
Windows Driver Package - Palm (WinUSB) Palm Devices (10/09/2009 1.0.1) (Version: 10/09/2009 1.0.1)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3502.0922)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3502.0922)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3502.0922)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
WinRAR 4.00 (64-bit) (Version: 4.00.0)

**** End of log ****





Farbar Service Scanner Version: 26-07-2012
Ran by Nick (administrator) on 01-08-2012 at 04:04:22
Running from "C:\Users\Nick\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:07 PM

Posted 01 August 2012 - 10:31 AM

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

DDS::
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>

File::
C:\Program Files (x86)\uTorrent\[ Eraz3r ] Korg Legacy Complete\[ Eraz3r ] Korg Legacy Complete.rar 
C:\Users\Nick\Downloads\StepMania-3.9a.exe 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



Please download the attached reg fix and save it to your desktop, double click it and allow it to merge into your registry (then delete the file as you wont need it any more)




NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT


Your Java is out of date, so go to Start > Control Panel > Programs and Features > scroll down to the Java installation and Remove it, now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp


NEXT


P2P - I see you have P2P software utorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. This page will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Please see this topic for more information:
Perils of P2P File Sharing.

I would strongly recommend that you uninstall this now. You can do so via Control Panel >> Programs and features.

NEXT

Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 Kanon9

Kanon9
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 01 August 2012 - 08:15 PM

ComboFix 12-07-31.03 - Nick 08/01/2012 17:51:04.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3895.2472 [GMT -4:00]
Running from: c:\users\Nick\Desktop\ComboFix.exe
Command switches used :: c:\users\Nick\Desktop\cfscript.txt
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
FW: COMODO Firewall *Disabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files (x86)\uTorrent\[ Eraz3r ] Korg Legacy Complete\[ Eraz3r ] Korg Legacy Complete.rar"
"c:\users\Nick\Downloads\StepMania-3.9a.exe"
.
.
((((((((((((((((((((((((( Files Created from 2012-07-01 to 2012-08-01 )))))))))))))))))))))))))))))))
.
.
2012-08-01 22:02 . 2012-08-01 22:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-01 02:30 . 2012-08-01 02:30 -------- d-----w- c:\program files (x86)\ESET
2012-08-01 02:23 . 2012-08-01 02:23 -------- d-----w- C:\FRST
2012-08-01 01:04 . 2012-08-01 21:47 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DE673837-D114-41B9-A25A-40E413615097}\offreg.dll
2012-07-31 21:40 . 2012-07-31 22:18 -------- d-----w- c:\programdata\CPA_VA
2012-07-30 21:07 . 2012-07-30 21:10 -------- d-----w- c:\programdata\Comodo
2012-07-30 21:07 . 2012-07-30 21:07 -------- d-----w- c:\program files\COMODO
2012-07-30 21:07 . 2012-07-30 21:07 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2012-07-30 21:07 . 2012-07-30 21:07 1060864 ----a-w- c:\windows\SysWow64\mfc71.dll
2012-07-30 20:52 . 2012-07-30 20:52 -------- d-----w- c:\users\Administrator
2012-07-26 22:09 . 2010-06-28 20:32 20048 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-26 22:09 . 2010-06-28 20:37 121936 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-26 22:09 . 2010-06-28 20:33 28752 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-26 22:09 . 2010-06-28 20:37 51280 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-26 22:09 . 2010-06-28 20:33 61008 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-26 22:08 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2012-07-26 22:08 . 2010-06-28 20:57 165032 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-07-26 08:41 . 2012-07-26 08:41 -------- d-----w- c:\program files (x86)\ASIO4ALL v2
2012-07-26 08:23 . 2012-07-26 08:23 -------- d-----w- c:\users\Nick\AppData\Roaming\SynthMaker
2012-07-26 07:00 . 2012-07-26 07:00 -------- d-----w- c:\users\Nick\AppData\Roaming\SUPERAntiSpyware.com
2012-07-26 07:00 . 2012-07-26 07:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-07-26 07:00 . 2012-07-26 07:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-07-26 02:11 . 2012-07-26 02:11 -------- d-----w- c:\program files (x86)\AVG
2012-07-26 02:06 . 2012-07-29 23:46 -------- d-----w- c:\programdata\MFAData
2012-07-26 02:06 . 2012-07-26 02:06 -------- d--h--w- c:\programdata\Common Files
2012-07-11 08:41 . 2012-07-11 08:41 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-11 07:06 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 05:35 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DE673837-D114-41B9-A25A-40E413615097}\mpengine.dll
2012-07-09 03:24 . 2012-07-09 03:24 -------- d-----w- c:\users\Nick\AppData\Local\CRE
2012-07-09 03:24 . 2012-07-09 03:24 -------- d-----w- c:\program files (x86)\Conduit
2012-07-09 03:24 . 2012-07-10 23:21 -------- d-----w- c:\users\Nick\AppData\Local\Conduit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-11 07:01 . 2010-09-28 16:43 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-07-03 17:46 . 2010-06-19 07:11 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 22:19 . 2012-06-19 16:29 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-19 16:30 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-19 16:30 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-19 16:30 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 16:29 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-19 16:30 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-19 16:29 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-19 16:29 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-19 16:29 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-15 04:01 . 2012-06-15 23:39 1188864 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 03:59 . 2012-06-15 23:39 64512 ----a-w- c:\windows\system32\jsproxy.dll
2012-05-15 03:03 . 2012-06-15 23:39 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2012-05-04 11:06 . 2012-06-15 23:38 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-15 23:38 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-15 23:38 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-01_00.01.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-07-26 09:07 . 2012-08-01 00:01 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-07-26 09:07 . 2012-08-01 21:28 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 05:10 . 2012-08-01 21:29 44444 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-06-19 05:35 . 2012-08-01 21:29 16356 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-896223013-503850747-3944495299-1000_UserData.bin
+ 2010-06-19 02:29 . 2012-08-01 21:36 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-06-19 02:29 . 2012-08-01 00:00 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-06-19 02:29 . 2012-08-01 21:36 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-06-19 02:29 . 2012-08-01 00:00 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-01 00:00 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-01 21:36 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-06-22 02:09 . 2012-07-31 23:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-06-22 02:09 . 2012-08-01 23:28 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-04-13 17:14 . 2012-07-31 23:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-13 17:14 . 2012-08-01 23:28 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-08-01 00:00 . 2012-08-01 00:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-01 21:27 . 2012-08-01 21:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-01 00:00 . 2012-08-01 00:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-01 21:27 . 2012-08-01 21:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:01 . 2012-07-31 23:59 457884 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-08-01 08:59 457884 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:54 . 2012-08-01 00:01 5111808 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-01 21:28 5111808 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-01 00:01 3506176 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-01 21:28 3506176 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-06-19 20:48 . 2012-08-01 23:28 1425764 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2010-07-05 15:12 . 2012-07-31 23:59 2634304 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-896223013-503850747-3944495299-1000-8192.dat
+ 2010-07-05 15:12 . 2012-08-01 08:59 2634304 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-896223013-503850747-3944495299-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MRDaemon.exe"="c:\program files (x86)\Mnet\QuickManager2\MRDaemon.exe" [2010-12-15 274432]
"Akamai NetSession Interface"="c:\users\Nick\AppData\Local\Akamai\netsession_win.exe" [2012-05-26 4327744]
"Facebook Update"="c:\users\Nick\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]
"ShowBatteryBar"="c:\program files\BatteryBar\ShowBatteryBar.exe" [2009-05-28 89600]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-07-09 5661056]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2009-10-02 284696]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-11-05 2446648]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-07-13 498160]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"MAAgent"="c:\program files (x86)\MarkAny\ContentSAFER\MAAgent.exe" [2008-09-19 61440]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 213304]
"CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 184120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-19 135664]
R2 NovacomD;Palm Novacom;c:\program files\Palm, Inc\novacomd\amd64\novacomd.exe [2011-06-25 72192]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-10-06 1030600]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files (x86)\Garena\plugins\UI\safedrv.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-19 135664]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 51445112]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-27 113120]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-19 1255736]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-19 834544]
S0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\DRIVERS\thpdrv.sys [2009-06-29 34880]
S0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\DRIVERS\Thpevm.SYS [2009-06-29 14784]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [2009-07-24 482384]
S1 aswSP;aswSP; [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2012-03-12 577824]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2012-03-12 43248]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 61008]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2009-10-28 252784]
S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-11-23 1267000]
S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
S2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe [2009-07-01 1054888]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-10-02 13336]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [2009-07-02 60416]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [2009-07-29 81408]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe64.sys [2009-07-05 55808]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-09-28 251760]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-10-01 2314240]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-07-07 51600]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2009-07-07 9216]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 151936]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-10-30 244736]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 35008]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2010-07-21 45456]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-07-31 236544]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2009-10-02 946688]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-11-05 137560]
S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-11-10 824688]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-01 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-896223013-503850747-3944495299-1000Core.job
- c:\users\Nick\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-12-06 23:14]
.
2012-08-01 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-896223013-503850747-3944495299-1000UA.job
- c:\users\Nick\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-12-06 23:14]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-19 02:45]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-06-19 02:45]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-14 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-14 390168]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-14 408600]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-11-03 8312352]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"HSON"="c:\program files (x86)\TOSHIBA\TBS\HSON.exe" [BU]
"SmoothView"="c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe" [BU]
"00TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"Teco"="c:\program files (x86)\TOSHIBA\TECO\Teco.exe" [BU]
"TosWaitSrv"="c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe" [BU]
"SmartFaceVWatcher"="c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [BU]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-11-05 709976]
"TosNC"="c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe" [BU]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 112512]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-12 9569096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.daum.net/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\Nick\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\users\Nick\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: {DFBBCB52-4D9F-4D0E-BF4A-A51223FC2541} - hxxp://patch.mnet.com/Ver2/App/totalApp/mnethelper/MnetHelper2_20100303.cab
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\2r3zqcmf.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-01 19:32:26
ComboFix-quarantined-files.txt 2012-08-01 23:32
ComboFix2.txt 2012-08-01 00:11
.
Pre-Run: 158,243,475,456 bytes free
Post-Run: 157,829,611,520 bytes free
.
- - End Of File - - 7EDA810E3CAE0E430FDD03FF1A4F149F

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:07 PM

Posted 01 August 2012 - 08:23 PM

How is the computer running now?

Are there any outstanding issues?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 Kanon9

Kanon9
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 01 August 2012 - 08:44 PM

I scanned with avast and it found sirefef-PL [Rtk] in C:\Windows\assembly\GAC_32\Desktop.ini and C:\Windows\assembly\GAC_64\Desktop.ini

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:07 PM

Posted 01 August 2012 - 08:58 PM

please confirm that avast found those files in the C:\FRST\Quarantine folder

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 Kanon9

Kanon9
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:07 PM

Posted 01 August 2012 - 10:28 PM

Avast found it in C:\Windows\assembly\GAC_32\Desktop.ini and C:\Windows\assembly\GAC_64\Desktop.ini

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:07 PM

Posted 01 August 2012 - 10:31 PM

Please rerun FRST and post a fresh log

thanks

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users