Trojan horse patched_c.LYU


  • This topic is locked
16 replies to this topic

#1 Jam-street (Members, 11 posts)

Posted 16 August 2012 - 03:46 AM

http://www.bleepingcomputer.com/forums/topic465399.html/page__pid__2807444#entry2807444

My windows\system32\services.exe is infected with Trojan horse patched_c.LYU. What can I do to remove it?
I'm running Windows 7 Ultimate.
Please help me, and thanks :)


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Alvin Kiang at 16:12:42 on 2012-08-16
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2047.844 [GMT 8:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Windows\system32\conhost.exe
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\vsnpstd3.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Users\Alvin Kiang\Downloads\New folder\LOLReplay\LOLRecorder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.my/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "c:\users\alvin kiang\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Facebook Update] "c:\users\alvin kiang\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [GarenaMessenger] "c:\users\alvin kiang\downloads\new folder\garena\garena messenger\GarenaMessenger.exe" -silentrun
mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\lolrec~1.lnk - c:\users\alvin kiang\downloads\new folder\lolreplay\LOLRecorder.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7FBE5CBE-53D5-4761-8F09-FADBF159270A} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\alvin kiang\appdata\roaming\mozilla\firefox\profiles\sxzpohkk.default\
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff10.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff6.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff7.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff8.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff9.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\users\alvin kiang\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\users\alvin kiang\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2012-1-31 7391072]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R3 Atc002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l260x86.sys [2009-6-11 29184]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-5-27 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 21968]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-3-21 1047552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-14 253088]
S3 AhnRptTfFRegFNT;AhnRptTfFRegFNT;c:\users\alvink~1\appdata\local\temp\nsw5b04.tmp\TfFRegNt.sys [2009-3-11 41728]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2010-10-11 131072]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2010-10-11 79104]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-7-31 113120]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-3-14 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-8 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-27 1343400]
.
=============== Created Last 30 ================
.
2012-08-15 23:48:56 -------- d-----w- c:\users\alvin kiang\appdata\local\{0C0835EE-AE56-47FC-806F-9E83C4D5E68D}
2012-08-15 23:48:41 -------- d-----w- c:\users\alvin kiang\appdata\local\{CC4112AB-69AA-4988-9546-C1F11CBCD0D8}
2012-08-15 10:27:15 400896 ----a-w- c:\windows\system32\srcore.dll
2012-08-15 10:27:11 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-08-15 10:27:08 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-08-15 10:27:08 317440 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-15 10:27:00 41984 ----a-w- c:\windows\system32\browcli.dll
2012-08-15 10:27:00 102912 ----a-w- c:\windows\system32\browser.dll
2012-08-15 10:26:58 769024 ----a-w- c:\windows\system32\localspl.dll
2012-08-15 10:06:04 -------- d-----w- c:\users\alvin kiang\appdata\local\{447AF21C-1865-40F1-B9BC-54773EB7CF55}
2012-08-15 10:05:40 -------- d-----w- c:\users\alvin kiang\appdata\local\{51ECE8E4-24CD-49DB-8459-A1D79CA9E950}
2012-08-14 17:11:17 -------- d-----w- c:\users\alvin kiang\appdata\local\{F4439161-D5A4-4ECC-A303-4C9DC92125B2}
2012-08-14 17:11:04 -------- d-----w- c:\users\alvin kiang\appdata\local\{894CF15C-4147-40CA-9DA9-7617F35B26B3}
2012-08-14 15:01:35 -------- d-----w- c:\users\alvin kiang\appdata\local\{E7E29BF5-793F-4DB7-A194-087D13C515A2}
2012-08-13 23:59:52 -------- d-----w- c:\users\alvin kiang\appdata\local\{133F8D70-886A-4DD3-B528-34752665F317}
2012-08-13 23:59:30 -------- d-----w- c:\users\alvin kiang\appdata\local\{0CD16A67-604A-4FFB-96BA-D1AB651D192F}
2012-08-13 05:57:02 -------- d-----w- c:\users\alvin kiang\appdata\local\{D58A328E-1183-4997-9490-515F8D545BF1}
2012-08-13 05:56:50 -------- d-----w- c:\users\alvin kiang\appdata\local\{44998609-71FE-4B45-9F3B-D27DF5F7E5AE}
2012-08-12 17:56:22 -------- d-----w- c:\users\alvin kiang\appdata\local\{B30DAE10-5A9C-450D-90B7-B109F06219EB}
2012-08-12 05:55:48 -------- d-----w- c:\users\alvin kiang\appdata\local\{F42BF83F-43B7-4FBB-AFE7-67B102325F0C}
2012-08-12 05:55:28 -------- d-----w- c:\users\alvin kiang\appdata\local\{C2C4C471-61D0-4A67-AB54-CE2069182318}
2012-08-11 13:56:07 -------- d-----w- c:\users\alvin kiang\appdata\local\{2BD461BB-FBBE-4D7A-8942-EDE91DCC9B2E}
2012-08-11 13:55:53 -------- d-----w- c:\users\alvin kiang\appdata\local\{428E1D70-C0B8-4B0F-A329-A1777313E9A7}
2012-08-11 01:55:23 -------- d-----w- c:\users\alvin kiang\appdata\local\{66B465FC-5E96-43B7-8548-61BE13BBEC3A}
2012-08-11 01:55:06 -------- d-----w- c:\users\alvin kiang\appdata\local\{2802364F-A094-44DF-B5AF-5322EA581F05}
2012-08-10 11:30:10 -------- d-----w- c:\users\alvin kiang\appdata\local\{05FCFEDF-CBB9-425B-8588-F868453D658D}
2012-08-10 11:29:53 -------- d-----w- c:\users\alvin kiang\appdata\local\{5C40A71A-F602-476E-9D0C-207934ABCE87}
2012-08-09 23:54:12 -------- d-----w- c:\users\alvin kiang\appdata\local\{9332D81A-ECE8-4A98-84AE-FD9CBA561960}
2012-08-09 23:53:55 -------- d-----w- c:\users\alvin kiang\appdata\local\{34D81D2A-B197-4E15-B9C1-D58AA3F34A31}
2012-08-09 06:53:35 -------- d-----w- c:\users\alvin kiang\appdata\local\{A17B6991-B2BF-4803-8715-BFF922FF199A}
2012-08-09 06:53:19 -------- d-----w- c:\users\alvin kiang\appdata\local\{F5673C98-BCE4-483C-9ED6-AF7AE9CBD2CA}
2012-08-08 12:02:03 -------- d-----w- c:\users\alvin kiang\appdata\local\{19C606EC-C480-46CB-B2B9-441A6F2C806F}
2012-08-08 12:01:45 -------- d-----w- c:\users\alvin kiang\appdata\local\{636D615B-E33C-4B68-A220-59DB2771388C}
2012-08-08 00:01:09 -------- d-----w- c:\users\alvin kiang\appdata\local\{A2C786D4-0880-4326-A3BB-1538273635A6}
2012-08-08 00:00:58 -------- d-----w- c:\users\alvin kiang\appdata\local\{9A08E5B0-1318-4631-BC35-52192320933C}
2012-08-07 11:50:49 -------- d-----w- c:\users\alvin kiang\appdata\local\{B37CDE4A-1178-4335-AB3B-CDC92CB32D03}
2012-08-07 11:50:35 -------- d-----w- c:\users\alvin kiang\appdata\local\{F0E2DEEA-711C-4D26-967C-D58F5CFB4727}
2012-08-06 23:50:01 -------- d-----w- c:\users\alvin kiang\appdata\local\{8FB00208-2B03-4922-94A5-50112CB6293D}
2012-08-06 23:49:46 -------- d-----w- c:\users\alvin kiang\appdata\local\{C2584523-C560-4147-89CA-C50E4DA1656D}
2012-08-06 14:37:01 -------- d-----w- c:\users\alvin kiang\appdata\local\{B2EFE8D8-A0A7-4A41-9298-C47FEF38F41E}
2012-08-06 08:21:32 -------- d-----w- c:\users\alvin kiang\appdata\local\{469E1900-9BEC-48A2-A337-1E1D9B389136}
2012-08-05 17:12:12 -------- d-----w- c:\users\alvin kiang\appdata\local\{01419587-5C30-41E3-979C-61F596DC03EC}
2012-08-05 17:12:00 -------- d-----w- c:\users\alvin kiang\appdata\local\{6C77CE1C-45B2-478B-B5DA-6FEEFE8706A2}
2012-08-05 04:42:07 -------- d-----w- c:\users\alvin kiang\appdata\local\{C78DCD22-9BDA-455D-8F2C-3943E252C5F5}
2012-08-05 04:41:51 -------- d-----w- c:\users\alvin kiang\appdata\local\{A35380B8-EA01-4E40-9104-E898271A9D50}
2012-08-04 09:57:39 -------- d-----w- c:\users\alvin kiang\appdata\roaming\.minecraft
2012-08-03 11:58:09 -------- d-----w- c:\users\alvin kiang\appdata\local\{8953512E-76A9-4D84-8CF7-0D574B12FB8B}
2012-08-03 11:57:50 -------- d-----w- c:\users\alvin kiang\appdata\local\{97CDE54C-ECC8-4CE3-AA75-00FADCEAE480}
2012-08-02 23:57:19 -------- d-----w- c:\users\alvin kiang\appdata\local\{2E8C7B55-1629-4AE3-9CC3-66FB651B949F}
2012-08-02 23:57:08 -------- d-----w- c:\users\alvin kiang\appdata\local\{43A3B2C7-9F07-48C3-AC2C-0B3AE56FF07D}
2012-08-02 07:47:03 -------- d-----w- c:\users\alvin kiang\appdata\local\{0D2B665C-78CE-4E72-A6A7-D30149DF09A8}
2012-08-02 07:46:43 -------- d-----w- c:\users\alvin kiang\appdata\local\{793BFC4A-8117-4AFC-B4B4-70B1CD877A80}
2012-08-01 23:50:22 -------- d-----w- c:\users\alvin kiang\appdata\local\{61915369-77D7-4B1E-9DAD-900FE8DBA675}
2012-08-01 15:08:19 -------- d-----w- c:\users\alvin kiang\appdata\local\{EF1444AA-A0E3-4AF4-99FF-17905A72CE04}
2012-08-01 06:15:51 -------- d-----w- c:\users\alvin kiang\appdata\local\{37C5F612-70B6-4EE5-BD52-EEA1B2D16D6F}
2012-07-30 16:01:12 -------- d-----w- c:\users\alvin kiang\appdata\local\{82B13E2B-7DDF-4692-9E02-79D5066CF84A}
2012-07-30 16:00:57 -------- d-----w- c:\users\alvin kiang\appdata\local\{A9957E98-22DE-415B-9E20-B7AC94A6B4B1}
2012-07-30 00:06:35 -------- d-----w- c:\users\alvin kiang\appdata\local\{B86C85AA-3E19-42BB-8ADC-08EF0AD5CD08}
2012-07-30 00:06:22 -------- d-----w- c:\users\alvin kiang\appdata\local\{0AB32DCB-C0DB-4526-904F-7F554BAEA97B}
2012-07-29 05:35:15 -------- d-----w- c:\users\alvin kiang\appdata\local\{269B9E41-58FA-418F-8C0F-017D3FD6B35D}
2012-07-29 05:34:57 -------- d-----w- c:\users\alvin kiang\appdata\local\{C59959E8-ED62-45F5-8D73-F152D63A1ACF}
2012-07-28 04:37:57 -------- d-----w- c:\users\alvin kiang\appdata\local\{FEFA2B59-33BF-4152-AB0D-1FB611981DBB}
2012-07-28 04:37:46 -------- d-----w- c:\users\alvin kiang\appdata\local\{4D2BDF13-02AE-4884-96CB-F46279ABB84E}
2012-07-27 11:21:12 -------- d-----w- c:\users\alvin kiang\appdata\local\{CD47F37D-F018-40DE-8F4E-40E638B54748}
2012-07-27 11:20:58 -------- d-----w- c:\users\alvin kiang\appdata\local\{156A5E6C-EAE0-465A-BEB9-25B5572B6823}
2012-07-26 05:50:45 -------- d-----w- c:\users\alvin kiang\appdata\local\{0FE07EA8-AD09-46B0-8EC6-22F0527921BE}
2012-07-26 05:50:29 -------- d-----w- c:\users\alvin kiang\appdata\local\{C3D7E5FF-5012-4711-B3B9-91354AA89B86}
2012-07-25 08:26:23 -------- d-----w- c:\users\alvin kiang\appdata\local\{4C63B257-6595-44C9-B64A-044E4FD4017B}
2012-07-25 08:26:06 -------- d-----w- c:\users\alvin kiang\appdata\local\{C5EE63A9-C514-4370-9FE6-77C7E81FDEAB}
2012-07-24 09:15:19 -------- d-----w- c:\users\alvin kiang\appdata\local\{B21832FB-A877-4003-9381-208007C48F5C}
2012-07-24 09:15:01 -------- d-----w- c:\users\alvin kiang\appdata\local\{F4525812-01A3-49E8-96FD-9B9E2F346199}
2012-07-23 13:06:55 -------- d-----w- c:\users\alvin kiang\appdata\local\{F4A05CD2-F7F0-4B18-8091-519291EE5E37}
2012-07-23 13:06:44 -------- d-----w- c:\users\alvin kiang\appdata\local\{A5B01D0A-9B0B-469B-8AFA-5C9B5FB0855A}
2012-07-23 00:00:26 -------- d-----w- c:\users\alvin kiang\appdata\local\{31B6562F-D9E3-48A1-B608-2F57B11590E1}
2012-07-23 00:00:09 -------- d-----w- c:\users\alvin kiang\appdata\local\{67020FCA-D9BE-45B0-888E-D6FAE786CB85}
2012-07-22 11:50:56 -------- d-----w- c:\users\alvin kiang\appdata\local\{5E1D7D7B-2843-4DEA-BCC4-A21A1E2FAD08}
2012-07-22 11:50:44 -------- d-----w- c:\users\alvin kiang\appdata\local\{DEF2731F-8E6F-442B-8E75-066BC51FB42C}
2012-07-21 18:35:52 -------- d-----w- c:\users\alvin kiang\appdata\local\{1D484AF9-B73A-43C7-AF05-29D151EA405A}
2012-07-21 18:35:38 -------- d-----w- c:\users\alvin kiang\appdata\local\{EFF28A12-DEA2-4A51-AE5F-0E33F323D2BF}
2012-07-21 06:35:00 -------- d-----w- c:\users\alvin kiang\appdata\local\{7181A86D-453E-45D1-9293-A9C0FDCD66BD}
2012-07-21 06:34:44 -------- d-----w- c:\users\alvin kiang\appdata\local\{13994A45-23CB-49B2-AD31-8710EFB5CC99}
2012-07-20 11:32:37 -------- d-----w- c:\users\alvin kiang\appdata\local\{1EAECE95-EEBA-4320-85AF-0442904045CB}
2012-07-20 11:32:19 -------- d-----w- c:\users\alvin kiang\appdata\local\{5AB4AB00-AF13-48FB-AB4C-E9CD1AEA66E7}
2012-07-19 05:12:12 -------- d-----w- c:\users\alvin kiang\appdata\local\{1D35F960-6717-4E92-91A0-29F1DD1CE4A7}
2012-07-19 05:11:55 -------- d-----w- c:\users\alvin kiang\appdata\local\{EA44B014-84A8-436C-970C-DF5AA18556C0}
2012-07-18 08:03:29 -------- d-----w- c:\users\alvin kiang\appdata\local\{A34EBCB8-EF4A-4125-8DFE-2A6BF6E28816}
2012-07-18 08:03:15 -------- d-----w- c:\users\alvin kiang\appdata\local\{F36C2961-557E-4C08-AE86-574C8AD73AE2}
.
==================== Find3M ====================
.
2012-06-29 00:16:58 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-06 12:59:42 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-04 14:34:35 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 07:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 07:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45:03 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
.
============= FINISH: 16:14:29.10 ===============


#2 CatByte, bleepin' tiger (Malware Response Team, 14,664 posts, Canada)

Posted 16 August 2012 - 05:54 PM

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written FRST.txt to file. Close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
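Added note, not part of CatByte's instructions: the search is run from System Recovery Options because the installed Windows, and any driver the infection loads with it, is not running there, so nothing can filter what the tool reads from disk. The FRST search lists every copy of services.exe with its MD5. Windows 7 keeps its own copies of system binaries in the component store under C:\Windows\WinSxS, so the copy in System32 should be byte-identical to one of them; a "patched" verdict means it is not. The PowerShell script below is an added example that performs that same comparison. It is not FRST and not the helper's procedure. It assumes the Windows volume is reachable at the drive letter passed as -Root (C: on a normally booted machine, or whatever letter the infected disk gets when attached to a clean machine; the Recovery Environment on Windows 7 does not include PowerShell), the script file name is hypothetical, and it is written for the PowerShell 2.0 that ships with Windows 7, which has no Get-FileHash. Get-AuthenticodeSignature is no substitute for this check: Windows 7 system binaries are signed through security catalogs, which PowerShell 2.0 does not consult, so a clean services.exe reports NotSigned too.

```powershell
# Compare-ServicesExe.ps1 (hypothetical file name; added example, not FRST)
# Hashes <Root>\Windows\System32\services.exe and every copy Windows keeps in the
# WinSxS component store; the live copy should be byte-identical to one of them.
# Written for the PowerShell 2.0 shipped with Windows 7 (no Get-FileHash).
param(
    [string]$Root = 'C:',           # assumption: drive letter of the Windows volume to inspect
    [string]$Name = 'services.exe'  # any System32 binary can be checked the same way
)

function Get-FileHashHex {
    # Hex digest of a file. MD5 is what FRST prints; SHA256 is what we compare on.
    param([string]$Path, [string]$Algorithm = 'SHA256')
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $hasher.ComputeHash($stream) }
    finally { $stream.Close() }
    return [System.BitConverter]::ToString($bytes).Replace('-', '')
}

$live  = Join-Path $Root "Windows\System32\$Name"
$store = Join-Path $Root 'Windows\WinSxS'
if (-not (Test-Path -LiteralPath $live)) {
    throw "No $Name under $Root\Windows\System32 - check -Root"
}

# Live copy first, then every copy in the component store. The store may hold
# several versions (e.g. RTM and SP1); the live file should match the newest one.
$files  = @(Get-Item -LiteralPath $live)
$files += @(Get-ChildItem -Path $store -Recurse -Filter $Name -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer })

$report = @()
foreach ($f in $files) {
    $report += New-Object PSObject -Property @{
        Path    = $f.FullName
        Size    = $f.Length
        Version = $f.VersionInfo.FileVersion
        MD5     = Get-FileHashHex -Path $f.FullName -Algorithm 'MD5'
        SHA256  = Get-FileHashHex -Path $f.FullName -Algorithm 'SHA256'
    }
}

# Out-String keeps the table from being printed out of order with the verdict lines.
($report | Sort-Object Version, Path | Format-Table Version, Size, MD5, Path -AutoSize | Out-String).Trim()

$liveRow   = $report[0]
$storeRows = @($report | Where-Object { $_.Path -ne $liveRow.Path })
$same      = @($storeRows | Where-Object { $_.SHA256 -eq $liveRow.SHA256 })

if ($storeRows.Count -eq 0) {
    "No copy of $Name found under $store - cannot compare."
} elseif ($same.Count -gt 0) {
    "OK: System32\$Name is byte-identical to $($same.Count) component-store copy(ies)."
} else {
    "SUSPECT: System32\$Name (version $($liveRow.Version), $($liveRow.Size) bytes) matches no copy in $store."
    "A store copy with the same version but a different hash means the live file has been modified."
}
```

Run it as `.\Compare-ServicesExe.ps1 -Root D:` with the infected disk attached to a clean machine as D:, or with the default C: on the machine itself once it has been cleaned. Two caveats: a kernel-mode rootkit that filters file reads will show a clean hash from inside the infected OS, which is why the helper's procedure reads the disk from outside it; and if the component store holds only an older version than the live file (or has itself been tampered with), the version column is the tie-breaker and the replacement must come from a known-clean installation of the same Windows build and service pack.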


#3 Jam-street (Topic Starter)

Posted 16 August 2012 - 11:16 PM

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 15-08-2012
Ran by SYSTEM at 17-08-2012 11:56:44
Running from E:\
Windows 7 Ultimate (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r [1409024 2009-05-17] (VIA)
HKLM\...\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" [37888 2010-01-13] (Nullsoft, Inc.)
HKLM\...\Run: [snpstd3] C:\Windows\vsnpstd3.exe [827392 2006-09-18] ()
HKLM\...\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe [2339168 2012-01-17] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-01] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-17] (Sun Microsystems, Inc.)
HKU\Alvin Kiang\...\Run: [Google Update] "C:\Users\Alvin Kiang\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-03-21] (Google Inc.)
HKU\Alvin Kiang\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
HKU\Alvin Kiang\...\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" [319792 2010-03-22] (BitTorrent, Inc.)
HKU\Alvin Kiang\...\Run: [Facebook Update] "C:\Users\Alvin Kiang\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-12] (Facebook Inc.)
HKU\Alvin Kiang\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [17148552 2012-02-28] (Skype Technologies S.A.)
HKU\Alvin Kiang\...\Run: [GarenaMessenger] "C:\Users\Alvin Kiang\Downloads\New folder\Garena\Garena Messenger\GarenaMessenger.exe" -silentrun [7723384 2012-08-14] ()
HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1174016 2010-11-20] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [1174016 2010-11-20] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\LOLRecorder.lnk
ShortcutTarget: LOLRecorder.lnk -> (No File)

================================ Services (Whitelisted) ==================

2 AVGIDSAgent; "C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" [7391072 2012-01-30] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files\AVG\AVG10\avgwdsvc.exe" [269520 2011-02-07] (AVG Technologies CZ, s.r.o.)
2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
3 MozillaMaintenance; "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" [113120 2012-07-13] (Mozilla Foundation)
3 npggsvc; C:\Windows\system32\GameMon.des -service [4116984 2011-05-03] (INCA Internet Co., Ltd.)
2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [158856 2012-02-28] (Skype Technologies)

========================== Drivers (Whitelisted) =============

3 AhnRptTfFRegFNT; \??\C:\Users\ALVINK~1\AppData\Local\Temp\nsw5B04.tmp\TfFRegNt.sys [41728 2009-03-10] (AhnLab, Inc.)
3 Atc002; C:\Windows\System32\DRIVERS\l260x86.sys [29184 2009-07-13] (Atheros Communications, Inc.)
3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [134480 2011-05-27] (AVG Technologies CZ, s.r.o. )
0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [22992 2011-02-21] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [24144 2011-02-09] (AVG Technologies CZ, s.r.o. )
3 AVGIDSShim; C:\Windows\System32\DRIVERS\AVGIDSShim.Sys [21968 2011-02-09] (AVG Technologies CZ, s.r.o. )
1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [248656 2011-01-06] (AVG Technologies CZ, s.r.o.)
1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [34896 2011-02-28] (AVG Technologies CZ, s.r.o.)
0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [32592 2011-03-16] (AVG Technologies CZ, s.r.o.)
1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [297168 2011-04-04] (AVG Technologies CZ, s.r.o.)
3 Mkd2kfNt; C:\Windows\System32\drivers\Mkd2kfNt.sys [131072 2008-10-17] (AhnLab, Inc.)
3 Mkd2Nadr; C:\Windows\System32\drivers\Mkd2Nadr.sys [79104 2008-10-17] (AhnLab, Inc.)
3 msloop; C:\Windows\System32\DRIVERS\loop.sys [5632 2009-07-13] (Microsoft Corporation)
3 SNPSTD3; C:\Windows\System32\DRIVERS\snpstd3.sys [10252544 2007-03-27] (Sonix Co. Ltd.)
4 sptd; C:\Windows\System32\Drivers\sptd.sys [721904 2010-08-16] (Duplex Secure Ltd.)
3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1047552 2009-05-07] (VIA Technologies, Inc.)
3 EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [x]
3 GGSAFERDriver; \??\C:\Users\Alvin Kiang\Downloads\New folder\Garena\Garena Messenger\Room\safedrv.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============



============ 3 Months Modified Files ========================



ZeroAccess:
C:\Windows\Installer\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}
C:\Windows\Installer\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\@
C:\Windows\Installer\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\L
C:\Windows\Installer\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\n
C:\Windows\Installer\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\U
C:\Windows\Installer\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\L\00000004.@
C:\Windows\Installer\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\U\00000004.@
C:\Windows\Installer\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\U\00000008.@
C:\Windows\Installer\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\U\000000cb.@
C:\Windows\Installer\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\U\80000000.@
C:\Windows\Installer\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\U\80000032.@

ZeroAccess:
C:\Users\Alvin Kiang\AppData\Local\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}
C:\Users\Alvin Kiang\AppData\Local\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\@
C:\Users\Alvin Kiang\AppData\Local\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\L
C:\Users\Alvin Kiang\AppData\Local\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\n
C:\Users\Alvin Kiang\AppData\Local\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\U

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 20%
Total physical RAM: 2047.24 MB
Available physical RAM: 1633.31 MB
Total Pagefile: 2047.24 MB
Available Pagefile: 1639.25 MB
Total Virtual: 2047.88 MB
Available Virtual: 1968.7 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:129.31 GB) NTFS
2 Drive e: () (Removable) (Total:0.96 GB) (Free:0.51 GB) FAT
3 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
4 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 981 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 465 GB 101 MB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 Y System Rese NTFS Partition 100 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 465 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 981 MB 0 B

==================================================================================

Disk: 1
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

==================================================================================

Last Boot: 2012-08-10 11:03

======================= End Of Log ==========================
Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 2012-08-17 12:07:16
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===

Thanks again in advance.

#4 CatByte
  • Malware Response Team
Posted 17 August 2012 - 08:41 AM

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flashdrive as fixlist.txt.

start
C:\Windows\Installer\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}
C:\Users\Alvin Kiang\AppData\Local\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}
C:\Windows\assembly\GAC\Desktop.ini
replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe 
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
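The reasoning behind the `replace:` line in the fixlist above is an integrity comparison: the WinSxS component-store copy of services.exe is the known-good reference, and the System32 copy is suspect because its MD5 differs even though size and timestamps are identical. The following is an added example written for this thread (not part of FRST or of either post) that parses the FRST search output posted above and flags that mismatch; it assumes Python 3 and embeds the search block as constructed sample input.

```python
"""Integrity check behind the fixlist's `replace:` line: the WinSxS
component-store copy of services.exe is the known-good reference, and the
live System32 copy is suspect when its MD5 differs.

Added example for this thread; not part of FRST or the original posts.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Constructed sample: the "Search: services.exe" block from the FRST log above.
FRST_SEARCH = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

# One FRST detail line: [created] - [modified] - size attrs (company) MD5
_DETAIL = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attr>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_frst_search(text):
    """Return one dict per hit: path, created, modified, size, company, md5."""
    lines = [ln.strip() for ln in text.splitlines()]
    hits = []
    for path, detail in zip(lines, lines[1:]):
        m = _DETAIL.match(detail)
        if m and re.match(r"^[A-Za-z]:\\", path):
            hits.append({
                "path": path,
                "created": m["created"],
                "modified": m["modified"],
                "size": int(m["size"]),
                "company": m["company"],
                "md5": m["md5"].upper(),
            })
    return hits


def find_mismatches(hits):
    """For each file name, take the WinSxS copy as reference and report every
    other copy whose MD5 differs. Size and timestamps are reported too, because
    a patched services.exe keeps them identical; only the hash gives it away."""
    by_name = {}
    for h in hits:
        by_name.setdefault(PureWindowsPath(h["path"]).name.lower(), []).append(h)

    findings = []
    for name, copies in by_name.items():
        refs = [c for c in copies if "\\winsxs\\" in c["path"].lower()]
        if not refs:
            continue  # nothing trustworthy to compare against
        ref = refs[0]
        for c in copies:
            if c is ref or c["md5"] == ref["md5"]:
                continue
            findings.append({
                "file": name,
                "suspect": c["path"],
                "suspect_md5": c["md5"],
                "reference": ref["path"],
                "reference_md5": ref["md5"],
                "same_size": c["size"] == ref["size"],
                "same_timestamps": (c["created"], c["modified"])
                == (ref["created"], ref["modified"]),
            })
    return findings


def md5_of_bytes(data):
    """Upper-case hex MD5 in the same form FRST prints."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path):
    """Stream a file through MD5 so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def compare_on_disk(live_path, reference_path):
    """Hash a live binary and its WinSxS copy; returns (identical, live_md5, ref_md5).
    On a live Windows host, point this at the System32 and WinSxS paths above."""
    live, ref = md5_of_file(live_path), md5_of_file(reference_path)
    return live == ref, live, ref


if __name__ == "__main__":
    for f in find_mismatches(parse_frst_search(FRST_SEARCH)):
        print(f"{f['suspect']}: MD5 {f['suspect_md5']} differs from reference "
              f"{f['reference_md5']} (same size: {f['same_size']}, "
              f"same timestamps: {f['same_timestamps']})")
```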


#5 Jam-street
  • Topic Starter

Posted 17 August 2012 - 12:30 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012
Ran by SYSTEM at 2012-08-18 00:24:15 Run:1
Running from E:\

==============================================

C:\Windows\Installer\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc} moved successfully.
C:\Users\Alvin Kiang\AppData\Local\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

ComboFix 12-08-17.01 - Alvin Kiang 08/18/2012 1:35.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2047.1041 [GMT 8:00]
Running from: c:\users\Alvin Kiang\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Alvin Kiang\AppData\Roaming\Identities\.minecraft\bin\natives\jinput-dx8.dll
c:\users\Alvin Kiang\AppData\Roaming\Identities\.minecraft\bin\natives\jinput-dx8_64.dll
c:\users\Alvin Kiang\AppData\Roaming\Identities\.minecraft\bin\natives\jinput-raw.dll
c:\users\Alvin Kiang\AppData\Roaming\Identities\.minecraft\bin\natives\jinput-raw_64.dll
c:\users\Alvin Kiang\AppData\Roaming\Identities\.minecraft\bin\natives\lwjgl.dll
c:\users\Alvin Kiang\AppData\Roaming\Identities\.minecraft\bin\natives\lwjgl64.dll
c:\users\Alvin Kiang\AppData\Roaming\Identities\.minecraft\bin\natives\OpenAL32.dll
c:\users\Alvin Kiang\AppData\Roaming\Identities\.minecraft\bin\natives\OpenAL64.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-07-17 to 2012-08-17 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-06 12:59 . 2012-06-06 12:59 1070152 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-06-06 05:05 . 2012-07-12 00:12 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05 . 2012-07-12 00:12 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03 . 2012-07-12 00:12 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-04 14:34 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-06-02 22:19 . 2012-06-21 06:22 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 06:22 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 06:21 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 06:21 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 06:22 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 06:22 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 06:21 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 07:19 . 2012-06-21 06:21 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 07:12 . 2012-06-21 06:21 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 04:45 . 2012-07-12 00:12 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45 . 2012-07-12 00:12 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40 . 2012-07-12 00:12 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40 . 2012-07-12 00:12 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39 . 2012-07-12 00:12 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-14 00:17 . 2012-07-30 17:01 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-03-22 319792]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"Facebook Update"="c:\users\Alvin Kiang\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-12 138096]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-02-29 17148552]
"GarenaMessenger"="c:\users\Alvin Kiang\Downloads\New folder\Garena\Garena Messenger\GarenaMessenger.exe" [2012-08-14 7723384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\VDeck\VDeck.exe" [2009-05-18 1409024]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-01-17 2339168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
LOLRecorder.lnk - c:\users\Alvin Kiang\Downloads\New folder\LOLReplay\LOLRecorder.exe [2012-7-26 521216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 AhnRptTfFRegFNT;AhnRptTfFRegFNT;c:\users\ALVINK~1\AppData\Local\Temp\nsw5B04.tmp\TfFRegNt.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\users\Alvin Kiang\Downloads\New folder\Garena\Garena Messenger\Room\safedrv.sys [x]
R3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNt.sys [x]
R3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [x]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [x]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [x]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [x]
S3 Atc002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\DRIVERS\l260x86.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 14:46]
.
2012-08-16 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3980687463-4182405442-2259493067-1000Core.job
- c:\users\Alvin Kiang\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-23 11:04]
.
2012-08-17 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3980687463-4182405442-2259493067-1000UA.job
- c:\users\Alvin Kiang\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-23 11:04]
.
2012-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3980687463-4182405442-2259493067-1000Core.job
- c:\users\Alvin Kiang\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-21 12:33]
.
2012-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3980687463-4182405442-2259493067-1000UA.job
- c:\users\Alvin Kiang\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-21 12:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.my/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Alvin Kiang\AppData\Roaming\Mozilla\Firefox\Profiles\sxzpohkk.default\
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG10\avgchsvx.exe
c:\windows\system32\AUDIODG.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\program files\AVG\AVG10\avgnsx.exe
c:\program files\AVG\AVG10\avgemcx.exe
c:\windows\system32\conhost.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\windows\system32\sppsvc.exe
c:\progra~1\AVG\AVG10\avgrsx.exe
c:\program files\AVG\AVG10\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2012-08-18 01:52:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-17 17:52
ComboFix2.txt 2012-08-17 17:01
.
Pre-Run: 141,677,756,416 bytes free
Post-Run: 146,332,696,576 bytes free
.
- - End Of File - - 72D2E7EC0FA260FCC5B60398E87813BF


That is it. I will not be around for 3 days. Sorry if I do not reply in time.

Edited by Jam-street, 17 August 2012 - 12:56 PM.
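The Fixlog above shows FRST replacing the patched services.exe with the copy held in the WinSxS component store (the file it removed is the one ESET later labels Win32/Sirefef in the quarantine listing). As an added example, not part of this thread and not FRST's or ComboFix's own code, here is a PowerShell check a responder can run afterwards to confirm that the System32 copy now matches a component-store copy and that Windows Resource Protection accepts it. It assumes an elevated PowerShell 4.0 or later session (Get-FileHash is absent from the PowerShell 2.0 that ships with Windows 7), 32-bit Windows 7 so the assembly directory is named x86_... as in the Fixlog, and the variable names are mine.

```powershell
# Added example, not part of the thread or of FRST/ComboFix.
# Confirms that a restored Windows 7 system binary matches a copy held in the
# WinSxS component store (the store FRST copied services.exe from, see the
# Fixlog above) and asks Windows Resource Protection to verify it.
# Assumptions: elevated PowerShell 4.0+ (Get-FileHash is absent from the
# PowerShell 2.0 that ships with Windows 7; on 2.0 use
# `certutil -hashfile <path> SHA256` instead); x86 Windows 7, so the assembly
# directory name starts with x86_ exactly as in the Fixlog.
param(
    [string]$Target    = "$env:SystemRoot\System32\services.exe",
    # Wildcard matches every version of the service controller assembly that
    # is present in the store (6.1.7600.16385 RTM and any 6.1.7601.* copy).
    [string]$StoreGlob = "$env:SystemRoot\winsxs\x86_microsoft-windows-s..s-servicecontroller_*"
)

$leaf       = Split-Path -Leaf $Target
$targetHash = (Get-FileHash -Algorithm SHA256 -Path $Target).Hash
$targetVer  = (Get-Item $Target).VersionInfo.FileVersion
Write-Host ("System32 copy : {0}  SHA256={1}" -f $targetVer, $targetHash)

# Compare the live file with each component-store copy of the same binary.
$matched = $false
foreach ($dir in Get-ChildItem -Path $StoreGlob -Directory) {
    $candidate = Join-Path $dir.FullName $leaf
    if (-not (Test-Path $candidate)) { continue }
    $h = (Get-FileHash -Algorithm SHA256 -Path $candidate).Hash
    $v = (Get-Item $candidate).VersionInfo.FileVersion
    if ($h -eq $targetHash) { $matched = $true; $state = 'MATCH  ' } else { $state = 'differs' }
    Write-Host ("{0} {1,-22} {2}" -f $state, $v, $dir.Name)
}

if (-not $matched) {
    Write-Warning "System32\$leaf matches no copy in WinSxS; treat it as still patched or otherwise non-genuine."
}

# Independent check through Windows Resource Protection, which validates the
# file against Microsoft's signed catalogs. Get-AuthenticodeSignature is not a
# substitute here: services.exe carries no embedded signature, and on Windows 7
# that cmdlet does not consult catalog signatures, so it reports NotSigned even
# for a genuine file.
& "$env:SystemRoot\System32\sfc.exe" "/verifyfile=$Target"
Write-Host ("sfc exit code {0}; details in {1}\Logs\CBS\CBS.log" -f $LASTEXITCODE, $env:SystemRoot)
```

A MATCH line for the version that System32 now reports, together with an sfc verdict of no integrity violations, is the evidence that the replacement took. A hash match combined with an sfc violation means the store copy itself is not what the catalog expects, and the file should then be sourced from installation media rather than from WinSxS.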


#6 CatByte (Malware Response Team)

Posted 17 August 2012 - 02:44 PM

I will not be around for 3 days. Sorry if I do not reply in time.

No problem, I will keep the thread open for you.


Please do the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

NEXT

Please re-run the GMER scan as you did before; I want to make sure the hidden file reported has been deleted.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Jam-street (Topic Starter)

Posted 20 August 2012 - 06:42 AM

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.20.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Alvin Kiang :: ALVINKIANG-PC [administrator]

Protection: Enabled

8/20/2012 2:09:11 PM
mbam-log-2012-08-20 (14-09-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 185783
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Alvin Kiang\Downloads\ubiorbitapi_r2.dll (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\Users\Alvin Kiang\Downloads\DownloadSetup.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.

(end)

ESET LOG

C:\FRST\Quarantine\services.exe Win32/Sirefef.FC trojan
C:\FRST\Quarantine\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\n Win32/Sirefef.EV trojan
C:\FRST\Quarantine\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\U\00000004.@ Win32/Conedex.D trojan
C:\FRST\Quarantine\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\U\000000cb.@ Win32/Conedex.E trojan
C:\FRST\Quarantine\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\U\80000000.@ a variant of Win32/Sirefef.FA trojan
C:\FRST\Quarantine\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\U\80000032.@ a variant of Win32/Sirefef.FD trojan
C:\FRST\Quarantine\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\{b58d7fde-711a-c5ad-9ca1-6d06d8dd3ebc}\n Win32/Sirefef.EV trojan
C:\Users\Alvin Kiang\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SJ6UUPCR\imp[2].js HTML/Iframe.B.Gen virus
C:\Users\Alvin Kiang\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\31c5206-55ba66bf Java/TrojanDownloader.OpenConnection.AP trojan
C:\Users\Alvin Kiang\Desktop\PenDrive BackUp\Shell\.Spotlight-V100.lnk Win32/Dorkbot.D worm
C:\Users\Alvin Kiang\Desktop\PenDrive BackUp\Shell\.Trashes.lnk Win32/Dorkbot.D worm
C:\Users\Alvin Kiang\Desktop\PenDrive BackUp\Shell\Creatives template.lnk Win32/Dorkbot.D worm
C:\Users\Alvin Kiang\Desktop\PenDrive BackUp\Shell\No.lnk Win32/Dorkbot.D worm
C:\Users\Alvin Kiang\Desktop\PenDrive BackUp\Shell\Print.lnk Win32/Dorkbot.D worm
C:\Users\Alvin Kiang\Desktop\PenDrive BackUp\Shell\Publicity Materials.lnk Win32/Dorkbot.D worm
C:\Users\Alvin Kiang\Desktop\PenDrive BackUp\Shell\Reference press materials.lnk Win32/Dorkbot.D worm
C:\Users\Alvin Kiang\Desktop\PenDrive BackUp\Shell\Template for presentation on 21 Sept.lnk Win32/Dorkbot.D worm


GMER LOG

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-20 19:39:25
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD5000AAKS-00UU3A0 rev.01.03B01
Running: gmer.exe; Driver: C:\Users\ALVINK~1\AppData\Local\Temp\pflyrkow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x91FF47A0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x91FF4848]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x91FF48E4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x91FF4980]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwRollbackEnlistment + 1409 8306C989 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8308C4E2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 1667 83093A24 4 Bytes [A0, 47, FF, 91]
.text ntoskrnl.exe!KeRemoveQueueEx + 1937 83093CF4 8 Bytes [48, 48, FF, 91, E4, 48, FF, ...] {DEC EAX; DEC EAX; CALL [ECX-0x6e00b71c]}
.text ntoskrnl.exe!KeRemoveQueueEx + 19AB 83093D68 4 Bytes [80, 49, FF, 91] {OR BYTE [ECX-0x1], 0x91}
? System32\drivers\mbgxrfyj.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtCreateFile + 6 778755CE 4 Bytes [28, 00, 18, 00] {SUB [EAX], AL; SBB [EAX], AL}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtCreateFile + B 778755D3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtMapViewOfSection + 6 77875C2E 1 Byte [28]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtMapViewOfSection + 6 77875C2E 4 Bytes [28, 03, 18, 00] {SUB [EBX], AL; SBB [EAX], AL}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtMapViewOfSection + B 77875C33 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtOpenFile + 6 77875CDE 4 Bytes [68, 00, 18, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtOpenFile + B 77875CE3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtOpenProcess + 6 77875D8E 4 Bytes [A8, 01, 18, 00] {TEST AL, 0x1; SBB [EAX], AL}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtOpenProcess + B 77875D93 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtOpenProcessToken + B 77875DA3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtOpenProcessTokenEx + 6 77875DAE 4 Bytes [A8, 02, 18, 00] {TEST AL, 0x2; SBB [EAX], AL}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtOpenProcessTokenEx + B 77875DB3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtOpenThread + 6 77875E0E 4 Bytes [68, 01, 18, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtOpenThread + B 77875E13 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtOpenThreadToken + 6 77875E1E 4 Bytes [68, 02, 18, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtOpenThreadToken + B 77875E23 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtOpenThreadTokenEx + B 77875E33 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtQueryAttributesFile + 6 77875F3E 4 Bytes [A8, 00, 18, 00] {TEST AL, 0x0; SBB [EAX], AL}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtQueryAttributesFile + B 77875F43 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtQueryFullAttributesFile + B 77875FF3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtSetInformationFile + 6 7787663E 4 Bytes [28, 01, 18, 00] {SUB [ECX], AL; SBB [EAX], AL}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtSetInformationFile + B 77876643 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtSetInformationThread + 6 7787669E 4 Bytes [28, 02, 18, 00] {SUB [EDX], AL; SBB [EAX], AL}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtSetInformationThread + B 778766A3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtUnmapViewOfSection + 6 778769BE 1 Byte [68]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtUnmapViewOfSection + 6 778769BE 4 Bytes [68, 03, 18, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2592] ntdll.dll!NtUnmapViewOfSection + B 778769C3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtCreateFile + 6 778755CE 4 Bytes [28, 00, 35, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtCreateFile + B 778755D3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtMapViewOfSection + 6 77875C2E 1 Byte [28]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtMapViewOfSection + 6 77875C2E 4 Bytes [28, 03, 35, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtMapViewOfSection + B 77875C33 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtOpenFile + 6 77875CDE 4 Bytes [68, 00, 35, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtOpenFile + B 77875CE3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtOpenProcess + 6 77875D8E 4 Bytes [A8, 01, 35, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtOpenProcess + B 77875D93 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtOpenProcessToken + B 77875DA3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtOpenProcessTokenEx + 6 77875DAE 4 Bytes [A8, 02, 35, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtOpenProcessTokenEx + B 77875DB3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtOpenThread + 6 77875E0E 4 Bytes [68, 01, 35, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtOpenThread + B 77875E13 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtOpenThreadToken + 6 77875E1E 4 Bytes [68, 02, 35, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtOpenThreadToken + B 77875E23 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtOpenThreadTokenEx + B 77875E33 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtQueryAttributesFile + 6 77875F3E 4 Bytes [A8, 00, 35, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtQueryAttributesFile + B 77875F43 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtQueryFullAttributesFile + B 77875FF3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtSetInformationFile + 6 7787663E 4 Bytes [28, 01, 35, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtSetInformationFile + B 77876643 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtSetInformationThread + 6 7787669E 4 Bytes [28, 02, 35, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtSetInformationThread + B 778766A3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtUnmapViewOfSection + 6 778769BE 1 Byte [68]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtUnmapViewOfSection + 6 778769BE 4 Bytes [68, 03, 35, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[2736] ntdll.dll!NtUnmapViewOfSection + B 778769C3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtCreateFile + 6 778755CE 4 Bytes [28, 00, 11, 00] {SUB [EAX], AL; ADC [EAX], EAX}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtCreateFile + B 778755D3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtMapViewOfSection + 6 77875C2E 1 Byte [28]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtMapViewOfSection + 6 77875C2E 4 Bytes [28, 03, 11, 00] {SUB [EBX], AL; ADC [EAX], EAX}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtMapViewOfSection + B 77875C33 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtOpenFile + 6 77875CDE 4 Bytes [68, 00, 11, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtOpenFile + B 77875CE3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtOpenProcess + 6 77875D8E 4 Bytes [A8, 01, 11, 00] {TEST AL, 0x1; ADC [EAX], EAX}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtOpenProcess + B 77875D93 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtOpenProcessToken + B 77875DA3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtOpenProcessTokenEx + 6 77875DAE 4 Bytes [A8, 02, 11, 00] {TEST AL, 0x2; ADC [EAX], EAX}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtOpenProcessTokenEx + B 77875DB3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtOpenThread + 6 77875E0E 4 Bytes [68, 01, 11, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtOpenThread + B 77875E13 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtOpenThreadToken + 6 77875E1E 4 Bytes [68, 02, 11, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtOpenThreadToken + B 77875E23 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtOpenThreadTokenEx + B 77875E33 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtQueryAttributesFile + 6 77875F3E 4 Bytes [A8, 00, 11, 00] {TEST AL, 0x0; ADC [EAX], EAX}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtQueryAttributesFile + B 77875F43 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtQueryFullAttributesFile + B 77875FF3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtSetInformationFile + 6 7787663E 4 Bytes [28, 01, 11, 00] {SUB [ECX], AL; ADC [EAX], EAX}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtSetInformationFile + B 77876643 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtSetInformationThread + 6 7787669E 4 Bytes [28, 02, 11, 00] {SUB [EDX], AL; ADC [EAX], EAX}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtSetInformationThread + B 778766A3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtUnmapViewOfSection + 6 778769BE 1 Byte [68]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtUnmapViewOfSection + 6 778769BE 4 Bytes [68, 03, 11, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3644] ntdll.dll!NtUnmapViewOfSection + B 778769C3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtCreateFile + 6 778755CE 4 Bytes [28, 00, 25, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtCreateFile + B 778755D3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtMapViewOfSection + 6 77875C2E 1 Byte [28]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtMapViewOfSection + 6 77875C2E 4 Bytes [28, 03, 25, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtMapViewOfSection + B 77875C33 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtOpenFile + 6 77875CDE 4 Bytes [68, 00, 25, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtOpenFile + B 77875CE3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtOpenProcess + 6 77875D8E 4 Bytes [A8, 01, 25, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtOpenProcess + B 77875D93 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtOpenProcessToken + B 77875DA3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtOpenProcessTokenEx + 6 77875DAE 4 Bytes [A8, 02, 25, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtOpenProcessTokenEx + B 77875DB3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtOpenThread + 6 77875E0E 4 Bytes [68, 01, 25, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtOpenThread + B 77875E13 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtOpenThreadToken + 6 77875E1E 4 Bytes [68, 02, 25, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtOpenThreadToken + B 77875E23 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtOpenThreadTokenEx + B 77875E33 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtQueryAttributesFile + 6 77875F3E 4 Bytes [A8, 00, 25, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtQueryAttributesFile + B 77875F43 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtQueryFullAttributesFile + B 77875FF3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtSetInformationFile + 6 7787663E 4 Bytes [28, 01, 25, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtSetInformationFile + B 77876643 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtSetInformationThread + 6 7787669E 4 Bytes [28, 02, 25, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtSetInformationThread + B 778766A3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtUnmapViewOfSection + 6 778769BE 1 Byte [68]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtUnmapViewOfSection + 6 778769BE 4 Bytes [68, 03, 25, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3676] ntdll.dll!NtUnmapViewOfSection + B 778769C3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtCreateFile + 6 778755CE 4 Bytes [28, 00, 27, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtCreateFile + B 778755D3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtMapViewOfSection + 6 77875C2E 1 Byte [28]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtMapViewOfSection + 6 77875C2E 4 Bytes [28, 03, 27, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtMapViewOfSection + B 77875C33 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtOpenFile + 6 77875CDE 4 Bytes [68, 00, 27, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtOpenFile + B 77875CE3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtOpenProcess + 6 77875D8E 4 Bytes [A8, 01, 27, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtOpenProcess + B 77875D93 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtOpenProcessToken + B 77875DA3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtOpenProcessTokenEx + 6 77875DAE 4 Bytes [A8, 02, 27, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtOpenProcessTokenEx + B 77875DB3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtOpenThread + 6 77875E0E 4 Bytes [68, 01, 27, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtOpenThread + B 77875E13 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtOpenThreadToken + 6 77875E1E 4 Bytes [68, 02, 27, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtOpenThreadToken + B 77875E23 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtOpenThreadTokenEx + B 77875E33 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtQueryAttributesFile + 6 77875F3E 4 Bytes [A8, 00, 27, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtQueryAttributesFile + B 77875F43 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtQueryFullAttributesFile + B 77875FF3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtSetInformationFile + 6 7787663E 4 Bytes [28, 01, 27, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtSetInformationFile + B 77876643 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtSetInformationThread + 6 7787669E 4 Bytes [28, 02, 27, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtSetInformationThread + B 778766A3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtUnmapViewOfSection + 6 778769BE 1 Byte [68]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtUnmapViewOfSection + 6 778769BE 4 Bytes [68, 03, 27, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[3724] ntdll.dll!NtUnmapViewOfSection + B 778769C3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtCreateFile + 6 778755CE 4 Bytes [28, 00, 3C, 00] {SUB [EAX], AL; CMP AL, 0x0}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtCreateFile + B 778755D3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtMapViewOfSection + 6 77875C2E 1 Byte [28]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtMapViewOfSection + 6 77875C2E 4 Bytes [28, 03, 3C, 00] {SUB [EBX], AL; CMP AL, 0x0}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtMapViewOfSection + B 77875C33 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtOpenFile + 6 77875CDE 4 Bytes [68, 00, 3C, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtOpenFile + B 77875CE3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtOpenProcess + 6 77875D8E 4 Bytes [A8, 01, 3C, 00] {TEST AL, 0x1; CMP AL, 0x0}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtOpenProcess + B 77875D93 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtOpenProcessToken + B 77875DA3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtOpenProcessTokenEx + 6 77875DAE 4 Bytes [A8, 02, 3C, 00] {TEST AL, 0x2; CMP AL, 0x0}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtOpenProcessTokenEx + B 77875DB3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtOpenThread + 6 77875E0E 4 Bytes [68, 01, 3C, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtOpenThread + B 77875E13 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtOpenThreadToken + 6 77875E1E 4 Bytes [68, 02, 3C, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtOpenThreadToken + B 77875E23 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtOpenThreadTokenEx + B 77875E33 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtQueryAttributesFile + 6 77875F3E 4 Bytes [A8, 00, 3C, 00] {TEST AL, 0x0; CMP AL, 0x0}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtQueryAttributesFile + B 77875F43 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtQueryFullAttributesFile + B 77875FF3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtSetInformationFile + 6 7787663E 4 Bytes [28, 01, 3C, 00] {SUB [ECX], AL; CMP AL, 0x0}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtSetInformationFile + B 77876643 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtSetInformationThread + 6 7787669E 4 Bytes [28, 02, 3C, 00] {SUB [EDX], AL; CMP AL, 0x0}
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtSetInformationThread + B 778766A3 1 Byte [E2]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtUnmapViewOfSection + 6 778769BE 1 Byte [68]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtUnmapViewOfSection + 6 778769BE 4 Bytes [68, 03, 3C, 00]
.text C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\Application\chrome.exe[5288] ntdll.dll!NtUnmapViewOfSection + B 778769C3 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF7 0xF1 0x9F 0x97 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x72 0xFD 0xA3 0x76 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x01 0xD0 0xA0 0x31 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF7 0xF1 0x9F 0x97 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x72 0xFD 0xA3 0x76 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x01 0xD0 0xA0 0x31 ...

---- Files - GMER 1.0.15 ----

File C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\User Data\Default\Cache\f_001905 25644 bytes
File C:\Users\Alvin Kiang\AppData\Local\Google\Chrome\User Data\Default\History Index 2012-07-journal 12824 bytes

---- EOF - GMER 1.0.15 ----

Thanks for waiting :)

#8 CatByte
  • Malware Response Team

Posted 20 August 2012 - 07:19 AM

looks better!

ESET has detected infection in the PenDrive backup

"C:\Users\Alvin Kiang\Desktop\PenDrive BackUp\Shell\.Spotlight-V100.lnk Win32/Dorkbot.D worm"

so I would delete this folder completely

C:\Users\Alvin Kiang\Desktop\PenDrive BackUp

Then I would format the pen drive (if you still have it) as it is likely infected as well.



NEXT


please run the following:

Press the WinKey + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "C:\Users\Alvin Kiang\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SJ6UUPCR\imp[2].js" "C:\Users\Alvin Kiang\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\31c5206-55ba66bf"



NEXT


  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT


Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 Jam-street
  • Topic Starter

Posted 20 August 2012 - 08:33 AM

MiniToolBox by Farbar Version: 23-07-2012
Ran by Alvin Kiang (administrator) on 20-08-2012 at 21:30:42
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

Update for Microsoft Office 2007 (KB2508958)
µTorrent (Version: 2.0.0)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Flash Player 11 Plugin (Version: 11.2.202.233)
Adobe Reader 9.5.0 (Version: 9.5.0)
AVG 2011 (Version: 10.0.1424)
AVG 2011 (Version: 10.0.2437)
Battle for Wesnoth 1.10.0 (Version: 1.10.0)
Battle for Wesnoth 1.9.10 (Version: 1.9.10)
Battle for Wesnoth 1.9.8 (Version: 1.9.8)
D3DX10 (Version: 15.4.2368.0902)
DAEMON Tools Toolbar (Version: 1.0.8.0552)
ESET Online Scanner v3
Facebook Video Calling 1.2.0.159 (Version: 1.2.159)
Garena - Heroes of Newerth (Version: 2011)
Garena - League of Legends (Version: 2011)
Garena 2010 (Version: 2010)
Garena Classic 2011 (Version: 2011)
Garena Plus (Version: 2011)
Google Chrome (Version: 21.0.1180.79)
Heroes of Might and Magic V Collector Edition
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 31 (Version: 6.0.310)
K-Lite Codec Pack 5.8.3 (Basic) (Version: 5.8.3)
LOLReplay (Version: 0.7.9.34)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Enterprise 2007 (Version: 12.0.6612.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 5.1.10411.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Might & Magic Heroes VI (Version: 1.0)
Mozilla Firefox 14.0.1 (x86 en-US) (Version: 14.0.1)
Mozilla Maintenance Service (Version: 14.0.1)
MSVCRT (Version: 15.4.2862.0708)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
OpenAL
Pando Media Booster (Version: 2.3.4.3)
Plants vs. Zombies
Platform (Version: 1.34)
Skype Toolbars (Version: 1.0.4051)
Skype™ 5.8 (Version: 5.8.158)
SPORE™ (Version: 1.00.0000)
Steam (Version: 1.0.0.0)
Team Fortress 2
Ubisoft Game Launcher (Version: 1.0.0.0)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687400) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VIA Platform Device Manager (Version: 1.34)
VirtualDJ Home FREE (Version: 7.0.5)
Winamp (Version: 5.572 )
Winamp Detector Plug-in (Version: 1.0.0.1)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3555.0308)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Messenger (Version: 15.4.3538.0513)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Movie Maker 2.6 (Version: 2.6.4037.0)
WinRAR archiver
WinZip 15.0 (Version: 15.0.9334)
YTD Video Downloader 3.9

**** End of log ****

Farbar Service Scanner Version: 06-08-2012
Ran by Alvin Kiang (administrator) on 20-08-2012 at 21:32:00
Running from "C:\Users\Alvin Kiang\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

I do not see any difference yet so far.

Edited by Jam-street, 20 August 2012 - 08:34 AM.


#10 CatByte
  • Malware Response Team

Posted 20 August 2012 - 11:48 AM

I do not see any difference yet so far.

please explain what symptoms you are experiencing?

NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT


Your Java is out of date, so go to Start > Control Panel > Programs and Features > scroll down to the Java installation and Remove it, now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp


NEXT

P2P - I see you have P2P software utorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. This page will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Please see this topic for more information:
Perils of P2P File Sharing.

I would strongly recommend that you uninstall this now. You can do so via Control Panel >> Programs and Features.


NEXT



your BITS registry key is missing, we need to replace it or your Windows Update won't work

please download the attached reg fix and save it to your desktop, right click it and allow it to merge to your registry (then delete the file as you won't need it again)





NEXT


Please advise any outstanding issues


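The FSS output in post #9 reports the BITS service with no readable Start value and Windows Defender switched off by the DisableAntiSpyware policy, and the note above says the BITS key has to be put back. The script below is an added example, not code from the thread or from Farbar's tools: it reads the same service configuration and policy values straight from the registry so the state can be checked before and after the reg fix is merged. The service names BITS and WinDefend and the first Defender key path are the ones the FSS log names; the Policies key path and the assumption that BITS should be Auto are mine. It needs PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example, not from the thread or from Farbar's FSS: re-check the FSS findings
# (BITS Start value missing, WinDefend not Auto, DisableAntiSpyware policy set)
# directly from the registry. Run from an elevated PowerShell 3.0+ prompt.

# Service Control Manager Start values (documented DWORD codes).
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

# Services named in the FSS log and the start type expected for each.
# The log states Auto as the default only for WinDefend; Auto for BITS is an assumption.
$Expected = @{ 'BITS' = 'Auto'; 'WinDefend' = 'Auto' }

function Get-ServiceRegistryState {
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        # Whole service key gone: this is what a reg fix for the service restores.
        return [pscustomobject]@{ Service = $Name; KeyPresent = $false; StartType = 'MISSING KEY'
                                  ImagePath = $null; ServiceDll = $null; OK = $false }
    }
    $props = Get-ItemProperty -Path $key
    $start = $props.Start          # $null when the value does not exist (the FSS finding)
    if ($null -eq $start)                         { $startType = 'MISSING VALUE' }
    elseif ($StartTypes.ContainsKey([int]$start)) { $startType = $StartTypes[[int]$start] }
    else                                          { $startType = "Unknown ($start)" }
    $dll = $null
    if (Test-Path "$key\Parameters") {
        $dll = (Get-ItemProperty -Path "$key\Parameters").ServiceDll
    }
    [pscustomobject]@{
        Service    = $Name
        KeyPresent = $true
        StartType  = $startType
        ImagePath  = $props.ImagePath
        ServiceDll = $dll
        OK         = ($startType -eq $Expected[$Name])
    }
}

function Get-DefenderPolicyState {
    # FSS found DisableAntiSpyware=1 under the first key; the Policies key is the
    # Group Policy location for the same setting (assumed, not taken from the log).
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows Defender',
                   'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender') {
        $v = $null
        if (Test-Path $k) { $v = (Get-ItemProperty -Path $k).DisableAntiSpyware }
        [pscustomobject]@{ Key = $k; DisableAntiSpyware = $v; DefenderDisabled = ($v -eq 1) }
    }
}

$services = foreach ($n in $Expected.Keys) { Get-ServiceRegistryState -Name $n }
$services | Format-Table -AutoSize
Get-DefenderPolicyState | Format-Table -AutoSize

# Same conditions FSS flagged, as warnings so they stand out in a long transcript.
foreach ($s in $services | Where-Object { -not $_.OK }) {
    Write-Warning "$($s.Service): start type is '$($s.StartType)', expected '$($Expected[$s.Service])'"
}
foreach ($p in Get-DefenderPolicyState | Where-Object { $_.DefenderDisabled }) {
    Write-Warning "Windows Defender is disabled by policy at $($p.Key)"
}
```

The ImagePath and ServiceDll columns correspond to the two "is OK" lines FSS prints for each service; a changed ServiceDll pointing outside System32 is the classic sign of a patched or hijacked service, so compare them against the paths FSS showed. The script only reports; the repair in this thread is the reg fix CatByte attached, which is not reproduced here.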

#11 Jam-street
  • Topic Starter

Posted 20 August 2012 - 01:07 PM

My computer slowed down since it got infected. Is it okay now?

#12 CatByte
  • Malware Response Team

Posted 20 August 2012 - 01:31 PM

try running a defrag, then let me know if the speed is back

First open an elevated Command Prompt
  • Go to Start > All Programs > Accessories
  • right click on the Command Prompt and choose “Run as administrator”
  • Type the following to see how much your hard drive is fragmented (in this example, your C:\ drive):
  • defrag c: -a (be patient, this can take a while)
  • The resulting analysis will tell you a “Percent file fragmentation” and at the bottom, if you need to defragment the drive or not.
  • To fully defragment your C:\ drive type the following:
  • defrag c: -w
  • Give it time to run (it can take a while, best to leave the computer alone) and then you’re done!



#13 Jam-street
  • Topic Starter

Posted 21 August 2012 - 10:57 AM

It says I don't need a defrag, but I think the speed restored, just that I didn't notice it until now. Thank you so much for your help! Cheers! :)

#14 CatByte
  • Malware Response Team

Posted 21 August 2012 - 01:06 PM

We just have some housekeeping to do now,

Please do the following:


You can delete the DDS and all the Farbar logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.


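An added example, not part of CatByte's post, that audits the same Internet zone ActiveX settings the Inetcpl.cpl steps above set by hand, so the result can be checked without clicking through the dialog. The registry path, zone number 3 for the Internet zone and the value names 1001, 1004 and 1201 are the documented Internet Settings action IDs for the three options the post names; the target levels (Prompt, Prompt, Disable) are the ones the post gives. It needs PowerShell 3.0 or later and runs as the user whose browser settings are being checked.

```powershell
# Added example, not from the thread: audit the Internet zone (zone 3) ActiveX settings
# that the Inetcpl.cpl steps set by hand. Per-user settings live under HKCU.
# Data values: 0 = Enable, 1 = Prompt, 3 = Disable (higher is stricter).
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Minimum acceptable level per option, as recommended in the post above.
# 1004 (unsigned downloads) defaults to Disable in IE, which is stricter than Prompt
# and is therefore also accepted by the "at least as strict" comparison below.
$Expected = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
}

function Test-InternetZoneActiveX {
    param([string]$Path = $ZonePath)
    if (-not (Test-Path $Path)) { throw "Zone key not found: $Path" }
    $props = Get-ItemProperty -Path $Path
    foreach ($id in $Expected.Keys) {
        $actual = $props.$id                      # $null if the value has never been written
        $want   = $Expected[$id].Want
        if ($null -eq $actual)                     { $current = '(not set)' }
        elseif ($Labels.ContainsKey([int]$actual)) { $current = $Labels[[int]$actual] }
        else                                       { $current = "Unknown ($actual)" }
        [pscustomobject]@{
            ValueName = $id
            Setting   = $Expected[$id].Name
            Current   = $current
            Minimum   = $Labels[$want]
            OK        = ($null -ne $actual -and [int]$actual -ge $want)
        }
    }
}

$result = Test-InternetZoneActiveX
$result | Format-Table -AutoSize
foreach ($r in $result | Where-Object { -not $_.OK }) {
    Write-Warning "$($r.Setting) is '$($r.Current)', should be at least '$($r.Minimum)'"
}
```

Running this before and after the Inetcpl.cpl steps shows exactly which value each click changed, and it doubles as a quick way to spot a browser whose zone settings have been loosened to Enable, which is worth rechecking after any infection that touched Internet Explorer.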

#15 Jam-street
  • Topic Starter

Posted 22 August 2012 - 01:34 AM

The speed has restored. Thanks for your help once again :)
