Endless Battle with Sirefef.AZ/.EZ #2


  • This topic is locked
25 replies to this topic

#1 MisterSeek

MisterSeek

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:46 PM

Posted 27 August 2012 - 02:30 AM

Sorry for the previous improper DDS logfile; I figured I would attach it, but I see that everyone else seems to just paste it in and attach the other relevant files. Like I mentioned, I have always been pretty confident in my ability to get rid of malware and rootkits, but this has proved way too much. Though scans seem to show that nothing is here, I can't help but notice a drastic decline still in my internet performance. There are no redirects, but for some reason I am still unable to access the router setup page 192.168.2.1, even though my DNS info looks in order and the subnet mask is 255.255.255.0. I ran an aswMBR scan per advice on a separate case of Sirefef infection on a separate tech forum, and being the now not-so-capable DIYer, decided I would use the methods listed here: http://www.techspot.com/community/topics/sirefef-infection-of-desktop-ini-services-exe.182418/ - Although this all appeared to give me a clean bill of health for a moment and boosted internet speeds, things quickly slowed back down and I suspect further infection. Please! If anyone could help me salvage my current setup I would be most appreciative. I have made backups of everything I would want, but I would rather not have to do anything too drastic if there is still hope to defeat this. Again, attached are my logs with the DDS posted.

Many Thanks,
JT

P.S. If an admin could delete my previous post I would appreciate it. I would rather not junk up the thread with duplicates.
DDS LOG
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Student at 0:37:11 on 2012-08-27
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.8182.6240 [GMT -4:00]
.
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\system32\mfevtps.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\SysWOW64\NlsSrv32.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe
C:\Program Files (x86)\POWERISO\PWRISOVM.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe
"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3198785
uSearch Bar = Preserve
uInternet Settings,ProxyOverride = 192.168.*.*;*.local;127.0.0.1:9421;<local>
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuz0.dll
uURLSearchHooks: H - No File
mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuz0.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {C2DB4FE6-8409-45CE-8010-189A7B5CCE86} - No File
TB: {B4B3001E-0F56-4E51-8250-BDE11547EC55} - No File
TB: {DE404F4C-3CDE-4D74-A6FB-052D099C104C} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuz0.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [HLBackupScheduler] C:\Program Files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe
uRun: [NCsoft]
mRun: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{9CC550EC-C3F9-48CA-BBE3-CC245D644E63} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{9CC550EC-C3F9-48CA-BBE3-CC245D644E63}\05E4842333 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9CC550EC-C3F9-48CA-BBE3-CC245D644E63}\2534E4E43502E4564777F627B6 : DhcpNameServer = 192.168.0.1
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: {C2DB4FE6-8409-45CE-8010-189A7B5CCE86} - No File
TB-X64: {B4B3001E-0F56-4E51-8250-BDE11547EC55} - No File
TB-X64: {DE404F4C-3CDE-4D74-A6FB-052D099C104C} - No File
TB-X64: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB-X64: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB-X64: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
TB-X64: Vuze Remote Toolbar: {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files (x86)\Vuze_Remote\prxtbVuz0.dll
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Student\AppData\Roaming\Mozilla\Firefox\Profiles\da8crj8s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - uTorrentControl2 Customized Web Search
FF - prefs.js: browser.search.selectedengine - search the web
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3198785&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Download Manager\npfpdlm.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Users\Student\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\Student\AppData\LocalLow\Sony Online Entertainment\npsoe.dll
FF - plugin: C:\Users\Student\AppData\LocalLow\Sony Online Entertainment\npsoeact.dll
FF - plugin: C:\Users\Student\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Users\Student\AppData\Roaming\Mozilla\Firefox\Profiles\da8crj8s.default\extensions\{687578b9-7132-4a7a-80e4-30ee31099e03}\plugins\np-mswmp.dll
FF - plugin: C:\Users\Student\AppData\Roaming\Mozilla\Firefox\Profiles\da8crj8s.default\extensions\{cce665dd-f6dd-4808-968e-eaec971f70ef}\plugins\np-mswmp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2009-12-17 1039776]
R2 Credential Vault Host Storage;Credential Vault Host Storage;C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2009-12-17 31136]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-8-23 655944]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\system32\mfevtps.exe --> C:\Windows\system32\mfevtps.exe [?]
R2 nlsX86cc;Nalpeiron Licensing Service;C:\Windows\System32\NlsSrv32.exe [2011-4-14 61440]
R2 risdpcie;risdpcie;C:\Windows\system32\DRIVERS\risdpe64.sys --> C:\Windows\system32\DRIVERS\risdpe64.sys [?]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-8-3 379496]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-5-13 2533400]
R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]
R3 cvusbdrv;Dell ControlVault;C:\Windows\system32\Drivers\cvusbdrv.sys --> C:\Windows\system32\Drivers\cvusbdrv.sys [?]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
R3 ManyCam;ManyCam Virtual Webcam;C:\Windows\system32\DRIVERS\mcvidrv_x64.sys --> C:\Windows\system32\DRIVERS\mcvidrv_x64.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 mcaudrv_simple;ManyCam Virtual Microphone;C:\Windows\system32\drivers\mcaudrv_x64.sys --> C:\Windows\system32\drivers\mcaudrv_x64.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);C:\Windows\system32\DRIVERS\vcsvad.sys --> C:\Windows\system32\DRIVERS\vcsvad.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
S3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\system32\DRIVERS\LVPr2M64.sys --> C:\Windows\system32\DRIVERS\LVPr2M64.sys [?]
S3 LVUVC64;Logitech Webcam 120(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]
S3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-8-11 113120]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 ScreamBAudioSvc;ScreamBee Audio;C:\Windows\system32\drivers\ScreamingBAudio64.sys --> C:\Windows\system32\drivers\ScreamingBAudio64.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-3-30 257224]
S4 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\AESTSr64.exe [2010-5-5 89600]
S4 Giraffic;Veoh Giraffic Video Accelerator;C:\Program Files (x86)\Giraffic\Veoh_GirafficWatchdog.exe --service --> C:\Program Files (x86)\Giraffic\Veoh_GirafficWatchdog.exe --service [?]
S4 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-3-30 136176]
S4 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-3-30 136176]
S4 McAfeeEngineService;McAfee Engine Service;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [2009-10-22 19720]
S4 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2009-8-25 103744]
S4 McShield;McAfee McShield;C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe [2009-10-22 178920]
S4 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe [2009-10-22 66896]
S4 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
.
=============== Created Last 30 ================
.
2012-08-26 02:47:07 -------- d-----w- C:\FRST
2012-08-26 00:33:20 108008 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2012-08-25 23:46:27 -------- d-----w- C:\_OTL
2012-08-25 23:19:07 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-25 23:09:34 -------- d-----w- C:\Users\Student\AppData\Local\temp
2012-08-25 17:22:18 -------- d-----w- C:\Program Files (x86)\HydraIRC
2012-08-24 01:31:36 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-08-23 22:29:49 -------- d-----w- C:\Program Files (x86)\ESET
2012-08-23 04:24:52 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-08-23 03:12:17 431104 ----a-w- C:\Windows\System32\wrap_oal.dll
2012-08-23 03:12:17 409600 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2012-08-23 03:12:17 136192 ----a-w- C:\Windows\System32\OpenAL32.dll
2012-08-23 03:12:17 114688 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2012-08-23 03:12:17 -------- d-----w- C:\Program Files (x86)\OpenAL
2012-08-23 02:58:37 -------- d-----w- C:\Program Files (x86)\Paradox Interactive
2012-08-21 13:39:28 -------- d-sh--w- C:\ProgramData\System Restore
2012-08-21 05:35:34 -------- d-----w- C:\Users\Student\AppData\Local\ManyCam
2012-08-21 05:35:34 -------- d-----w- C:\ProgramData\ManyCam
2012-08-21 05:35:33 -------- d-----w- C:\Users\Student\AppData\Roaming\ManyCam
2012-08-21 05:34:52 -------- d-----w- C:\Program Files (x86)\ManyCam
2012-08-21 00:16:44 -------- d-----w- C:\Users\Student\AppData\Roaming\Motorola
2012-08-21 00:16:44 -------- d-----w- C:\Temp
2012-08-19 01:13:13 -------- d-----w- C:\Users\Student\AppData\Roaming\Xilisoft
2012-08-19 01:11:25 -------- d-----w- C:\ProgramData\Xilisoft
2012-08-19 01:11:25 -------- d-----w- C:\Program Files (x86)\Xilisoft
2012-08-18 11:49:26 -------- d-----w- C:\Program Files (x86)\Amnesia - The Dark Descent
2012-08-11 20:22:30 -------- d-----w- C:\Users\Student\AppData\Roaming\Charles
2012-08-11 20:21:20 -------- d-----w- C:\Program Files\Charles
2012-08-11 11:21:21 -------- d-----w- C:\Users\Student\AppData\Roaming\TrueCrypt
2012-08-11 11:20:45 231376 ----a-w- C:\Windows\System32\drivers\truecrypt.sys
2012-08-11 11:20:02 -------- d-----w- C:\Program Files\TrueCrypt
2012-08-10 17:01:38 -------- d-----w- C:\Program Files (x86)\Geeks3D
2012-08-08 03:04:02 98816 ----a-w- C:\Windows\sed.exe
2012-08-08 03:04:02 256000 ----a-w- C:\Windows\PEV.exe
2012-08-08 03:04:02 208896 ----a-w- C:\Windows\MBR.exe
2012-08-08 02:50:21 -------- d-----w- C:\Windows\pss
2012-08-07 18:05:42 -------- d-----w- C:\Users\Student\AppData\Local\TechSmith
2012-08-07 18:04:29 411480 ----a-w- C:\Windows\SysWow64\tsccvid.dll
2012-08-07 18:04:27 -------- d-----w- C:\Windows\SysWow64\QuickTime
2012-08-07 18:03:47 -------- d-----w- C:\Program Files (x86)\Common Files\TechSmith Shared
2012-08-07 17:45:19 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-08-07 13:19:30 -------- d-----w- C:\Users\Student\AppData\Local\DDMSettings
2012-08-07 03:20:35 -------- d-----w- C:\Users\Student\AppData\Roaming\Fighters
2012-08-07 03:20:29 -------- d-----w- C:\ProgramData\Fighters
2012-07-30 23:33:41 -------- d-----w- C:\ProgramData\29FD
2012-07-29 21:08:06 -------- d-----w- C:\Program Files (x86)\Hero Editor
.
==================== Find3M ====================
.
2012-08-26 00:33:09 916456 ----a-w- C:\Windows\System32\deployJava1.dll
2012-08-26 00:33:09 1034216 ----a-w- C:\Windows\System32\npDeployJava1.dll
2012-08-07 17:40:15 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-07 17:40:15 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-08-01 00:01:02 249856 ------w- C:\Windows\Setup1.exe
2012-08-01 00:00:59 73216 ----a-w- C:\Windows\ST6UNST.EXE
2012-06-12 03:02:52 3147264 ----a-w- C:\Windows\System32\win32k.sys
2012-06-06 05:50:50 2003968 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 05:50:50 1880064 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 05:09:46 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:09:46 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 19:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 19:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-02 05:38:26 95088 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:38:24 152432 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:37:45 459216 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:27:02 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:27:00 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:48:39 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:48:35 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:47:31 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:42:51 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-05-31 04:10:48 126944 ----a-w- C:\Windows\System32\drivers\scdemu.sys
.
============= FINISH: 0:38:21.73 ===============

Edited by MisterSeek, 27 August 2012 - 02:31 AM.



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:46 PM

Posted 27 August 2012 - 06:14 PM

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file; close out this message, then type the following into the search box:
    services.exe
  • Now press the search button.
  • When the search is complete, search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
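The search step in the post above asks FRST, running from the recovery environment, to list every copy of services.exe on the disk so that a patched copy can be told apart from the clean ones. The PowerShell script below is an added example and is not part of the thread, of FRST, or of any BleepingComputer procedure. It performs the same enumeration from an offline environment and assumes: the infected NTFS volume is attached to a clean machine (or booted into a WinPE image that includes the PowerShell package) and passed as the hypothetical -Root parameter; PowerShell 2.0 is the floor, so hashing goes through .NET rather than Get-FileHash; and, as on a stock Windows 7 x64 install, the reference copies of services.exe live under Windows\winsxs and the System32 copy is a hard link to one of them. Running it on the booted infected system is not equivalent, because a kernel-mode rootkit can hide or redirect the file, which is the reason the procedure above runs FRST from System Recovery Options instead of from Windows.

```powershell
# Added example, not from the thread or from FRST: enumerate every copy of
# services.exe on a mounted (preferably offline) Windows 7 x64 volume, hash
# each one, and flag the copy that does not match the component store.
# Assumptions: PowerShell 2.0 or later (hence .NET hashing instead of
# Get-FileHash), an NTFS volume mounted under -Root, and clean reference
# copies under Windows\winsxs as on a stock install. -Root and -FileName are
# names chosen for this example.
param(
    [string]$Root     = 'C:\',
    [string]$FileName = 'services.exe'
)

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close(); $sha.Dispose() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# On a clean install System32\services.exe is a hard link to one WinSxS entry.
# A file that was replaced (new file written, old one deleted) loses that link,
# so a link count below 2 is itself a signal. fsutil is used because
# PowerShell 2.0 has no cmdlet that exposes the NTFS link count.
function Get-HardLinkCount([string]$Path) {
    $links = & fsutil hardlink list $Path 2>$null
    if ($links) { return @($links | Where-Object { $_.Trim() -ne '' }).Count }
    return 0
}

# Walk the whole volume, including hidden/system directories, and ignore
# directories that happen to carry the same name.
$copies = Get-ChildItem -Path $Root -Filter $FileName -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer }

$report = foreach ($f in $copies) {
    New-Object PSObject -Property @{
        Path     = $f.FullName
        Size     = $f.Length
        Modified = $f.LastWriteTimeUtc
        Links    = Get-HardLinkCount $f.FullName
        SHA256   = Get-Sha256Hex $f.FullName
    }
}

# Same information FRST's Search.txt is used for: every copy, side by side.
$report | Sort-Object SHA256 | Format-Table -AutoSize Path, Size, Links, Modified, SHA256

$system32  = $report | Where-Object { $_.Path -like '*\Windows\System32\*' }
$winsxs    = $report | Where-Object { $_.Path -like '*\Windows\winsxs\*' }
$elsewhere = $report | Where-Object {
    $_.Path -notlike '*\Windows\System32\*' -and $_.Path -notlike '*\Windows\winsxs\*'
}

# Decision rule: the live System32 copy must hash-match at least one component
# store copy and still be hard-linked into the store. Anything else is the
# candidate the services.exe search in the post is trying to surface.
foreach ($s in $system32) {
    $storeMatch = $winsxs | Where-Object { $_.SHA256 -eq $s.SHA256 }
    if (-not $storeMatch -or $s.Links -lt 2) {
        Write-Warning ("Suspect: {0} (hard links: {1}, matching WinSxS copy: {2})" -f `
            $s.Path, $s.Links, [bool]$storeMatch)
    }
}
foreach ($e in $elsewhere) {
    Write-Warning ("Unexpected location: {0} ({1} bytes)" -f $e.Path, $e.Size)
}
```

Read the table together with FRST's Search.txt: a System32 copy whose hash appears nowhere in WinSxS, or that has lost its hard link into the store, is the one to look at, and any services.exe outside System32 and WinSxS deserves an explanation. The built-in cross-check for the same file from the recovery command prompt is sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows (adjust the drive letter to the one the offline Windows volume has there), which compares System32 against the component store without trusting the infected kernel.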


#3 MisterSeek

MisterSeek
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:46 PM

Posted 29 August 2012 - 11:48 AM

Here are the logs; sorry it took a while to get back to you, the internet stopped working. I ran MBAM just for the heck of it because the internet was not working and I could not get on it to even look at this page. It detected Zaccess, and I assume that pertains to the ZeroAccess Trojan. Anyway, I got the internet working and here are those logs.

Thanks,
JT

-Log of FRST64

Scan result of Farbar Recovery Scan Tool Version: 29-08-2012 02
Ran by SYSTEM at 29-08-2012 12:35:02
Running from F:\
Windows 7 Enterprise (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-03-09] (IDT, Inc.)
HKLM\...\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe [375808 2010-02-17] (Alps Electric Co., Ltd.)
HKLM\...\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start [335976 2011-08-03] (NVIDIA Corporation)
HKLM\...\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet [1692264 2011-07-05] ()
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
HKLM-x32\...\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup [336992 2012-05-30] (Power Software Ltd)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [x]
HKU\Student\...\Run: [HLBackupScheduler] C:\Program Files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe [5247624 2010-12-08] ()
HKU\Student\...\Run: [NCsoft] [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
AppInit_DLLs: c:\PROGRA~2\SHAREA~1\MediaBar\Datamngr\x64\IEBHO.dll

==================== Services (Whitelisted) ======

4 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
4 Giraffic; C:\Program Files (x86)\Giraffic\Veoh_GirafficWatchdog.exe --service [2232504 2012-07-02] (Giraffic)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
4 McAfeeEngineService; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe" [19720 2009-10-22] (McAfee, Inc.)
4 McAfeeFramework; "C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe" /ServiceStart [103744 2009-08-25] (McAfee, Inc.)
4 McShield; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mcshield.exe" [178920 2009-10-22] (McAfee, Inc.)
4 McTaskManager; "C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe" [66896 2009-10-22] (McAfee, Inc.)
2 mfevtp; C:\Windows\system32\mfevtps.exe [79504 2009-10-22] (McAfee, Inc.)
2 nlsX86cc; C:\Windows\SysWow64\NlsSrv32.exe [61440 2009-06-07] (Nalpeiron Ltd.)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\STacSV64.exe [244736 2010-03-09] (IDT, Inc.)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2533400 2010-04-15] (Intel Corporation)

==================== Drivers (Whitelisted) ===================

3 LVPr2M64; C:\Windows\System32\Drivers\LVPr2M64.sys [30304 2010-05-07] ()
3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30304 2010-05-07] ()
3 ManyCam; C:\Windows\System32\DRIVERS\mcvidrv_x64.sys [34304 2012-01-10] (ManyCam LLC)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
3 mcaudrv_simple; C:\Windows\System32\drivers\mcaudrv_x64.sys [28160 2012-02-22] (ManyCam LLC)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [97576 2009-10-22] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [119968 2009-10-22] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [469144 2009-10-22] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [77104 2009-10-22] (McAfee, Inc.)
1 mfetdik; C:\Windows\System32\Drivers\mfetdik.sys [83784 2009-10-22] (McAfee, Inc.)
4 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-08-05] (Duplex Secure Ltd.)
3 VCSVADHWSer; C:\Windows\System32\DRIVERS\vcsvad.sys [21504 2008-12-26] (Avnex)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 dump_wmimmc; \??\C:\Program Files (x86)\NCsoft\Lineage II\system\GameGuard\dump_wmimmc.sys [x]
3 NPPTNT2; \??\C:\Windows\system32\npptNT2.sys [x]
3 WPRO_40_1340; C:\Windows\System32\drivers\WPRO_40_1340.sys [x]

==================== NetSvcs (Whitelisted) =================


==================== One Month Created Files and Folders ======================

2012-08-29 07:06 - 2012-08-29 07:06 - 00000000 ____D C:\Users\Student\Documents\Abelssoft
2012-08-29 06:38 - 2012-08-29 06:38 - 00001181 ____A C:\Users\Public\Desktop\YouTube Song Downloader.lnk
2012-08-29 06:38 - 2012-08-29 06:38 - 00000000 ____D C:\Users\Student\AppData\Local\Abelssoft
2012-08-29 06:38 - 2012-08-29 06:38 - 00000000 ____D C:\Program Files (x86)\YouTube Song Downloader
2012-08-29 06:38 - 2012-08-29 06:38 - 00000000 ____D C:\Program Files (x86)\K-Lite Codec Pack
2012-08-29 06:25 - 2012-08-29 06:30 - 12626936 ____A (Abelssoft ) C:\Users\Student\Desktop\ysd.exe
2012-08-29 06:05 - 2012-08-29 06:15 - 00000000 ____D C:\Users\Student\AppData\Local\BearShare
2012-08-29 04:07 - 2012-08-29 05:54 - 00000000 ____D C:\Users\Student\Desktop\Music Stuf
2012-08-29 00:33 - 2012-08-29 07:42 - 00000000 ____D C:\Users\Student\AppData\Roaming\MediaMonkey
2012-08-29 00:33 - 2012-08-29 00:33 - 00000000 ____D C:\Users\Student\AppData\Local\MediaMonkey
2012-08-29 00:33 - 2012-08-29 00:33 - 00000000 ____D C:\Users\All Users\MediaMonkey
2012-08-29 00:33 - 2012-08-29 00:33 - 00000000 ____D C:\Program Files (x86)\MediaMonkey
2012-08-26 21:47 - 2012-08-26 21:47 - 00019708 ____A C:\Users\Student\Desktop\ark.txt
2012-08-26 20:38 - 2012-08-26 20:39 - 00021242 ____A C:\Users\Student\Desktop\DDS.txt
2012-08-26 20:38 - 2012-08-26 20:38 - 00019694 ____A C:\Users\Student\Desktop\Attach.txt
2012-08-26 20:27 - 2012-08-26 20:27 - 00607260 ____R (Swearware) C:\Users\Administrator\Desktop\dds.com
2012-08-26 20:26 - 2012-08-26 20:26 - 00302592 ____A C:\Users\Administrator\Desktop\0q7zruom.exe
2012-08-26 18:30 - 2012-08-26 18:30 - 00000020 ____A C:\Users\Student\defogger_reenable
2012-08-25 22:32 - 2012-08-25 22:32 - 00000000 ____D C:\Users\Student\Downloads\Latest_iXtreme_and_Stock_Firmware_Pack
2012-08-25 22:30 - 2012-08-25 22:31 - 12640515 ____A C:\Users\Student\Downloads\Latest_iXtreme_and_Stock_Firmware_Pack.rar
2012-08-25 18:47 - 2012-08-25 18:47 - 00000000 ____D C:\FRST
2012-08-25 17:19 - 2012-08-25 19:21 - 24874020 ____A C:\Users\Student\Downloads\dynasty7.ntscu.filepost.tv.part2.rar
2012-08-25 16:41 - 2012-08-25 16:41 - 00000000 ____D C:\Users\Administrator\AppData\Local\Adobe
2012-08-25 16:33 - 2012-08-25 16:33 - 00289768 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-08-25 16:33 - 2012-08-25 16:33 - 00189416 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-08-25 16:33 - 2012-08-25 16:33 - 00188904 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-08-25 16:33 - 2012-08-25 16:33 - 00108008 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge-64.dll
2012-08-25 16:33 - 2012-08-25 16:33 - 00000000 ____D C:\Program Files\Java
2012-08-25 16:00 - 2012-08-25 16:24 - 00002750 ____A C:\Users\Administrator\Desktop\FSS.txt
2012-08-25 15:54 - 2012-08-25 15:54 - 00448512 ____A (OldTimer Tools) C:\Users\Administrator\Desktop\TFC.exe
2012-08-25 15:53 - 2012-08-25 15:53 - 00693235 ____A (Farbar) C:\Users\Administrator\Desktop\FSS.exe
2012-08-25 15:47 - 2012-08-28 13:32 - 00002102 ____A C:\Windows\PFRO.log
2012-08-25 15:46 - 2012-08-25 15:46 - 00000000 ____D C:\_OTL
2012-08-25 15:14 - 2012-08-25 15:14 - 00082464 ____A C:\Users\Administrator\Desktop\Extras.Txt
2012-08-25 15:13 - 2012-08-25 15:47 - 00108392 ____A C:\Users\Administrator\Desktop\OTL.Txt
2012-08-25 15:09 - 2012-08-25 15:09 - 00033999 ____A C:\ComboFix.txt
2012-08-25 14:55 - 2012-08-25 14:56 - 00005038 ____A C:\Users\Administrator\Desktop\Rkill.txt
2012-08-25 14:29 - 2012-08-25 14:29 - 01614752 ____A (Bleeping Computer, LLC) C:\Users\Administrator\Desktop\rkill.exe
2012-08-25 14:28 - 2012-08-25 14:28 - 04738846 ____R (Swearware) C:\Users\Administrator\Desktop\ComboFix.exe
2012-08-25 14:24 - 2012-08-25 14:24 - 00596480 ____A (OldTimer Tools) C:\Users\Administrator\Desktop\OTL.exe
2012-08-25 14:15 - 2012-08-25 14:15 - 00000433 ____A C:\Users\Administrator\Desktop\fixlist.txt
2012-08-25 14:05 - 2012-08-25 14:05 - 01073005 ____A C:\Users\Administrator\Desktop\[Solved] - Sirefef Infection Of_ Desktop.ini, Services.exe - TechSpot Forums.mht
2012-08-25 10:27 - 2012-08-25 13:39 - 1048576000 ____A C:\Users\Student\Desktop\dynasty7.ntscu.filepost.tv.part1.rar
2012-08-25 10:23 - 2012-08-25 14:05 - 00004613 ____A C:\Users\Student\Desktop\Dynasty Warriors 7 [NTSC-U].txt
2012-08-25 09:22 - 2012-08-25 09:22 - 00000000 ____D C:\Program Files (x86)\HydraIRC
2012-08-24 15:00 - 2012-08-24 15:00 - 00000042 ____A C:\Users\Student\Documents\Uncles.txt
2012-08-24 04:31 - 2012-08-24 04:31 - 00000030 ____A C:\Users\Student\AppData\Roaming\mbam.context.scan
2012-08-24 04:27 - 2012-08-26 01:41 - 00000000 _RAHD C:\Users\Student\Desktop\New folder
2012-08-23 22:11 - 2012-08-23 22:11 - 00110016 ____A C:\Users\Student\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-23 17:31 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-08-23 17:24 - 2012-08-28 11:53 - 00649171 ____A C:\Windows\WindowsUpdate.log
2012-08-23 17:22 - 2012-08-29 07:41 - 00000840 ____A C:\Windows\setupact.log
2012-08-23 17:22 - 2012-08-23 17:22 - 00421776 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-23 17:22 - 2012-08-23 17:22 - 00000000 ____A C:\Windows\setuperr.log
2012-08-23 17:17 - 2012-08-23 17:17 - 00000039 ____A C:\Users\Administrator\Desktop\aadsfewd.txt
2012-08-23 17:14 - 2012-08-23 17:15 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Administrator\Desktop\asdfasdfasdcc223322.exe
2012-08-23 14:29 - 2012-08-23 14:29 - 00000000 ____D C:\Program Files (x86)\ESET
2012-08-23 08:41 - 2012-08-23 08:41 - 00000668 ____A C:\blitzblank.log
2012-08-23 08:38 - 2012-08-23 08:39 - 01153912 ____A (Emsi Software GmbH) C:\Users\Administrator\Desktop\BlitzBlank.exe
2012-08-23 07:38 - 2012-08-23 18:20 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Skype
2012-08-22 21:15 - 2012-08-23 09:24 - 00004226 ____A C:\Users\Administrator\Documents\aswMBR.txt
2012-08-22 21:15 - 2012-08-23 09:24 - 00000512 ____A C:\Users\Administrator\Documents\MBR.dat
2012-08-22 20:24 - 2012-08-22 20:24 - 00003011 ____A C:\Users\Administrator\Desktop\HiJackThis.lnk
2012-08-22 20:24 - 2012-08-22 20:24 - 00000000 ____D C:\Program Files (x86)\Trend Micro
2012-08-22 20:23 - 2012-08-22 20:23 - 01402880 ____A C:\Users\Administrator\Downloads\HiJackThis.msi
2012-08-22 20:22 - 2012-08-22 20:23 - 03907920 ____A (Piriform Ltd) C:\Users\Administrator\Downloads\ccsetup321.exe
2012-08-22 20:18 - 2012-08-22 20:19 - 04736524 ___RA (Swearware) C:\Users\Administrator\Downloads\ComboFix.exe
2012-08-22 20:17 - 2012-08-22 20:18 - 04731392 ____A (AVAST Software) C:\Users\Administrator\Downloads\aswMBR.exe
2012-08-22 20:08 - 2012-08-22 20:08 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Mozilla
2012-08-22 20:08 - 2012-08-22 20:08 - 00000000 ____D C:\Users\Administrator\AppData\Local\Mozilla
2012-08-22 20:07 - 2012-08-22 20:07 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Motorola
2012-08-22 20:07 - 2012-08-22 20:07 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\IObit
2012-08-22 19:12 - 2012-08-22 19:12 - 00431104 ____A (Creative Labs) C:\Windows\System32\wrap_oal.dll
2012-08-22 19:12 - 2012-08-22 19:12 - 00409600 ____A (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll
2012-08-22 19:12 - 2012-08-22 19:12 - 00136192 ____A (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\System32\OpenAL32.dll
2012-08-22 19:12 - 2012-08-22 19:12 - 00114688 ____A (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll
2012-08-22 19:12 - 2012-08-22 19:12 - 00000000 ____D C:\Users\Student\Documents\Penumbra
2012-08-22 19:12 - 2012-08-22 19:12 - 00000000 ____D C:\Program Files (x86)\OpenAL
2012-08-22 18:58 - 2012-08-22 18:58 - 00000000 ____D C:\Program Files (x86)\Paradox Interactive
2012-08-22 16:12 - 2012-08-22 16:12 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\NVIDIA
2012-08-22 16:11 - 2012-08-29 07:16 - 00000960 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1199237575-1499867286-3957390923-500UA.job
2012-08-22 16:11 - 2012-08-27 21:14 - 00000938 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1199237575-1499867286-3957390923-500Core.job
2012-08-22 16:11 - 2012-08-22 16:12 - 00000000 ____D C:\Users\Administrator\AppData\Local\Facebook
2012-08-22 16:11 - 2012-08-22 16:11 - 00501248 ____A (Facebook Inc.) C:\Users\Administrator\Documents\FacebookVideoCallSetup_v1.2.205.0.exe
2012-08-22 09:22 - 2012-08-22 09:22 - 00004196 ____A C:\Users\Administrator\Documents\GetAttachment.jpeg
2012-08-21 09:20 - 2012-08-21 09:58 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Google
2012-08-21 09:19 - 2012-08-21 10:21 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google
2012-08-21 05:39 - 2012-08-21 05:39 - 00000000 __SHD C:\Users\All Users\System Restore
2012-08-21 05:09 - 2012-08-27 10:41 - 00000000 ____D C:\Users\Student\Desktop\sr1
2012-08-20 21:35 - 2012-08-20 21:36 - 00000000 ____D C:\Users\Student\AppData\Roaming\ManyCam
2012-08-20 21:35 - 2012-08-20 21:36 - 00000000 ____D C:\Users\Student\AppData\Local\ManyCam
2012-08-20 21:35 - 2012-08-20 21:35 - 00000000 ____D C:\Users\All Users\ManyCam
2012-08-20 21:34 - 2012-08-20 21:35 - 00000000 ____D C:\Program Files (x86)\ManyCam
2012-08-20 16:16 - 2012-08-20 16:16 - 00000000 ____D C:\Users\Student\AppData\Roaming\Motorola
2012-08-20 13:57 - 2012-08-20 13:59 - 00000000 ____D C:\Users\Student\Desktop\SDL.dll v1.2.13.0 for Amnesia TDD by Pluto
2012-08-18 17:13 - 2012-08-18 17:13 - 00000000 ____D C:\Users\Student\AppData\Roaming\Xilisoft
2012-08-18 17:11 - 2012-08-18 17:11 - 00000000 ____D C:\Users\All Users\Xilisoft
2012-08-18 17:11 - 2012-08-18 17:11 - 00000000 ____D C:\Program Files (x86)\Xilisoft
2012-08-18 09:43 - 2012-08-18 09:43 - 00000000 ____D C:\Users\Student\Documents\Amnesia
2012-08-18 03:49 - 2012-08-18 03:57 - 00000000 ____D C:\Program Files (x86)\Amnesia - The Dark Descent
2012-08-14 04:51 - 2012-08-14 04:51 - 00032727 ____A C:\Users\Student\Desktop\The-best-top-hd-desktop-bleach-wallpaper-bleach-wallpapers-24.jpeg
2012-08-14 04:44 - 2012-08-14 04:44 - 00900096 ____A (Advanced PC Media LLC) C:\Users\Student\Desktop\TweaksLogon.exe
2012-08-14 04:44 - 2012-08-14 04:44 - 00000000 ____D C:\Users\Student\Downloads\tweakslogonzip
2012-08-13 17:55 - 2012-08-13 17:55 - 00001090 ____A C:\Users\Student\Downloads\Documents - Shortcut.lnk
2012-08-13 17:55 - 2012-08-13 17:55 - 00000355 ____A C:\Users\Student\Downloads\Favorites - Shortcut.lnk
2012-08-12 20:46 - 2012-08-12 20:46 - 00000012 ____A C:\Users\Student\Desktop\awedum.txt
2012-08-11 12:22 - 2012-08-11 12:34 - 00000000 ____D C:\Users\Student\AppData\Roaming\Charles
2012-08-11 12:21 - 2012-08-11 12:21 - 00000000 ____D C:\Program Files\Charles
2012-08-11 12:14 - 2012-08-11 12:14 - 00000000 ____D C:\Users\All Users\Mozilla
2012-08-11 12:14 - 2012-08-11 12:14 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-08-11 03:21 - 2012-08-11 03:23 - 00000000 ____D C:\Users\Student\AppData\Roaming\TrueCrypt
2012-08-11 03:20 - 2012-08-11 03:20 - 00231376 ____A (TrueCrypt Foundation) C:\Windows\System32\Drivers\truecrypt.sys
2012-08-11 03:20 - 2012-08-11 03:20 - 00000000 ____D C:\Program Files\TrueCrypt
2012-08-11 02:41 - 2012-08-24 04:29 - 00000000 _RAHD C:\Users\Student\Desktop\PPP
2012-08-10 11:15 - 2012-08-10 12:46 - 00000031 ____A C:\Users\Student\Documents\Yah.txt
2012-08-10 09:01 - 2012-08-10 09:01 - 00000000 ____D C:\Program Files (x86)\Geeks3D
2012-08-07 19:47 - 2012-08-25 16:41 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Adobe
2012-08-07 19:46 - 2012-08-07 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Opera
2012-08-07 19:46 - 2012-08-07 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Local\Opera
2012-08-07 19:04 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-07 19:04 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-07 19:04 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-07 19:04 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-07 19:04 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-07 18:58 - 2012-08-07 18:58 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Apple Computer
2012-08-07 18:50 - 2012-08-15 10:02 - 00000000 ____D C:\Windows\pss
2012-08-07 18:50 - 2012-08-07 18:50 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Malwarebytes
2012-08-07 18:47 - 2012-08-25 15:09 - 00000000 ____D C:\Qoobox
2012-08-07 18:47 - 2012-08-23 09:09 - 00000000 ____D C:\Windows\erdnt
2012-08-07 18:45 - 2012-08-07 18:57 - 00000000 ____D C:\users\Administrator
2012-08-07 18:45 - 2012-08-07 18:45 - 00000020 ___SH C:\Users\Administrator\ntuser.ini
2012-08-07 18:45 - 2010-12-21 07:51 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Macromedia
2012-08-07 18:45 - 2010-09-15 14:37 - 00000000 ____D C:\Users\Administrator\AppData\Local\Microsoft Help
2012-08-07 10:05 - 2012-08-07 10:05 - 00000000 ____D C:\Users\Student\AppData\Local\TechSmith
2012-08-07 10:04 - 2012-08-07 11:27 - 00000000 ____D C:\Users\Student\Documents\Camtasia Studio
2012-08-07 10:04 - 2012-08-07 10:04 - 00000000 ____D C:\Windows\SysWOW64\QuickTime
2012-08-07 10:04 - 2010-03-04 13:27 - 00411480 ____A (TechSmith Corporation) C:\Windows\SysWOW64\tsccvid.dll
2012-08-07 10:03 - 2012-08-07 10:04 - 00000000 ____D C:\Users\All Users\TechSmith
2012-08-07 10:03 - 2012-08-07 10:03 - 00000000 ____D C:\Program Files (x86)\TechSmith
2012-08-07 09:45 - 2012-08-07 09:45 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-08-07 05:19 - 2012-08-07 05:19 - 00000000 ____D C:\Users\Student\AppData\Local\DDMSettings
2012-08-06 22:29 - 2012-08-14 18:02 - 00000000 ____D C:\Users\Student\Desktop\L33T
2012-08-06 19:21 - 2012-08-06 19:21 - 00000570 ____A C:\Windows\System32\MyDefrag.debuglog
2012-08-06 19:20 - 2012-08-06 19:23 - 00000000 ____D C:\Users\Student\AppData\Roaming\Fighters
2012-08-06 19:20 - 2012-08-06 19:23 - 00000000 ____D C:\Users\All Users\Fighters

==================== 3 Months Modified Files ================================

2012-08-29 08:26 - 2009-07-13 21:13 - 00796420 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-29 07:57 - 2012-03-30 07:42 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-29 07:48 - 2009-07-13 20:45 - 00015152 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-29 07:48 - 2009-07-13 20:45 - 00015152 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-29 07:41 - 2012-08-23 17:22 - 00000840 ____A C:\Windows\setupact.log
2012-08-29 07:41 - 2012-03-30 07:42 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-29 07:41 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-29 07:33 - 2012-03-30 07:41 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-29 07:16 - 2012-08-22 16:11 - 00000960 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1199237575-1499867286-3957390923-500UA.job
2012-08-29 06:38 - 2012-08-29 06:38 - 00001181 ____A C:\Users\Public\Desktop\YouTube Song Downloader.lnk
2012-08-29 06:30 - 2012-08-29 06:25 - 12626936 ____A (Abelssoft ) C:\Users\Student\Desktop\ysd.exe
2012-08-29 05:48 - 2011-08-30 05:38 - 00000936 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1199237575-1499867286-3957390923-1000UA.job
2012-08-28 18:50 - 2011-02-02 17:11 - 00008704 ____A C:\Users\Student\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-28 16:46 - 2011-08-30 05:38 - 00000914 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1199237575-1499867286-3957390923-1000Core.job
2012-08-28 14:00 - 2011-02-11 16:54 - 00000470 ____A C:\Windows\Tasks\ParetoLogic Registration.job
2012-08-28 13:32 - 2012-08-25 15:47 - 00002102 ____A C:\Windows\PFRO.log
2012-08-28 11:53 - 2012-08-23 17:24 - 00649171 ____A C:\Windows\WindowsUpdate.log
2012-08-27 21:14 - 2012-08-22 16:11 - 00000938 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1199237575-1499867286-3957390923-500Core.job
2012-08-26 21:47 - 2012-08-26 21:47 - 00019708 ____A C:\Users\Student\Desktop\ark.txt
2012-08-26 20:39 - 2012-08-26 20:38 - 00021242 ____A C:\Users\Student\Desktop\DDS.txt
2012-08-26 20:38 - 2012-08-26 20:38 - 00019694 ____A C:\Users\Student\Desktop\Attach.txt
2012-08-26 20:27 - 2012-08-26 20:27 - 00607260 ____R (Swearware) C:\Users\Administrator\Desktop\dds.com
2012-08-26 20:26 - 2012-08-26 20:26 - 00302592 ____A C:\Users\Administrator\Desktop\0q7zruom.exe
2012-08-26 18:30 - 2012-08-26 18:30 - 00000020 ____A C:\Users\Student\defogger_reenable
2012-08-25 22:31 - 2012-08-25 22:30 - 12640515 ____A C:\Users\Student\Downloads\Latest_iXtreme_and_Stock_Firmware_Pack.rar
2012-08-25 19:21 - 2012-08-25 17:19 - 24874020 ____A C:\Users\Student\Downloads\dynasty7.ntscu.filepost.tv.part2.rar
2012-08-25 16:33 - 2012-08-25 16:33 - 00289768 ____A (Oracle Corporation) C:\Windows\System32\javaws.exe
2012-08-25 16:33 - 2012-08-25 16:33 - 00189416 ____A (Oracle Corporation) C:\Windows\System32\javaw.exe
2012-08-25 16:33 - 2012-08-25 16:33 - 00188904 ____A (Oracle Corporation) C:\Windows\System32\java.exe
2012-08-25 16:33 - 2012-08-25 16:33 - 00108008 ____A (Oracle Corporation) C:\Windows\System32\WindowsAccessBridge-64.dll
2012-08-25 16:33 - 2012-06-28 15:17 - 01034216 ____A (Oracle Corporation) C:\Windows\System32\npDeployJava1.dll
2012-08-25 16:33 - 2012-06-28 15:17 - 00916456 ____A (Oracle Corporation) C:\Windows\System32\deployJava1.dll
2012-08-25 16:24 - 2012-08-25 16:00 - 00002750 ____A C:\Users\Administrator\Desktop\FSS.txt
2012-08-25 15:54 - 2012-08-25 15:54 - 00448512 ____A (OldTimer Tools) C:\Users\Administrator\Desktop\TFC.exe
2012-08-25 15:53 - 2012-08-25 15:53 - 00693235 ____A (Farbar) C:\Users\Administrator\Desktop\FSS.exe
2012-08-25 15:47 - 2012-08-25 15:13 - 00108392 ____A C:\Users\Administrator\Desktop\OTL.Txt
2012-08-25 15:14 - 2012-08-25 15:14 - 00082464 ____A C:\Users\Administrator\Desktop\Extras.Txt
2012-08-25 15:09 - 2012-08-25 15:09 - 00033999 ____A C:\ComboFix.txt
2012-08-25 15:07 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini
2012-08-25 14:56 - 2012-08-25 14:55 - 00005038 ____A C:\Users\Administrator\Desktop\Rkill.txt
2012-08-25 14:29 - 2012-08-25 14:29 - 01614752 ____A (Bleeping Computer, LLC) C:\Users\Administrator\Desktop\rkill.exe
2012-08-25 14:28 - 2012-08-25 14:28 - 04738846 ____R (Swearware) C:\Users\Administrator\Desktop\ComboFix.exe
2012-08-25 14:24 - 2012-08-25 14:24 - 00596480 ____A (OldTimer Tools) C:\Users\Administrator\Desktop\OTL.exe
2012-08-25 14:15 - 2012-08-25 14:15 - 00000433 ____A C:\Users\Administrator\Desktop\fixlist.txt
2012-08-25 14:05 - 2012-08-25 14:05 - 01073005 ____A C:\Users\Administrator\Desktop\[Solved] - Sirefef Infection Of_ Desktop.ini, Services.exe - TechSpot Forums.mht
2012-08-25 14:05 - 2012-08-25 10:23 - 00004613 ____A C:\Users\Student\Desktop\Dynasty Warriors 7 [NTSC-U].txt
2012-08-25 13:39 - 2012-08-25 10:27 - 1048576000 ____A C:\Users\Student\Desktop\dynasty7.ntscu.filepost.tv.part1.rar
2012-08-24 15:00 - 2012-08-24 15:00 - 00000042 ____A C:\Users\Student\Documents\Uncles.txt
2012-08-24 04:31 - 2012-08-24 04:31 - 00000030 ____A C:\Users\Student\AppData\Roaming\mbam.context.scan
2012-08-23 22:11 - 2012-08-23 22:11 - 00110016 ____A C:\Users\Student\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-23 17:22 - 2012-08-23 17:22 - 00421776 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-23 17:22 - 2012-08-23 17:22 - 00000000 ____A C:\Windows\setuperr.log
2012-08-23 17:17 - 2012-08-23 17:17 - 00000039 ____A C:\Users\Administrator\Desktop\aadsfewd.txt
2012-08-23 17:15 - 2012-08-23 17:14 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Administrator\Desktop\asdfasdfasdcc223322.exe
2012-08-23 09:24 - 2012-08-22 21:15 - 00004226 ____A C:\Users\Administrator\Documents\aswMBR.txt
2012-08-23 09:24 - 2012-08-22 21:15 - 00000512 ____A C:\Users\Administrator\Documents\MBR.dat
2012-08-23 08:41 - 2012-08-23 08:41 - 00000668 ____A C:\blitzblank.log
2012-08-23 08:39 - 2012-08-23 08:38 - 01153912 ____A (Emsi Software GmbH) C:\Users\Administrator\Desktop\BlitzBlank.exe
2012-08-22 22:38 - 2011-02-11 16:53 - 00000444 ____A C:\Windows\Tasks\ParetoLogic Update Version2.job
2012-08-22 20:24 - 2012-08-22 20:24 - 00003011 ____A C:\Users\Administrator\Desktop\HiJackThis.lnk
2012-08-22 20:23 - 2012-08-22 20:23 - 01402880 ____A C:\Users\Administrator\Downloads\HiJackThis.msi
2012-08-22 20:23 - 2012-08-22 20:22 - 03907920 ____A (Piriform Ltd) C:\Users\Administrator\Downloads\ccsetup321.exe
2012-08-22 20:19 - 2012-08-22 20:18 - 04736524 ___RA (Swearware) C:\Users\Administrator\Downloads\ComboFix.exe
2012-08-22 20:18 - 2012-08-22 20:17 - 04731392 ____A (AVAST Software) C:\Users\Administrator\Downloads\aswMBR.exe
2012-08-22 19:12 - 2012-08-22 19:12 - 00431104 ____A (Creative Labs) C:\Windows\System32\wrap_oal.dll
2012-08-22 19:12 - 2012-08-22 19:12 - 00409600 ____A (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll
2012-08-22 19:12 - 2012-08-22 19:12 - 00136192 ____A (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\System32\OpenAL32.dll
2012-08-22 19:12 - 2012-08-22 19:12 - 00114688 ____A (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll
2012-08-22 16:11 - 2012-08-22 16:11 - 00501248 ____A (Facebook Inc.) C:\Users\Administrator\Documents\FacebookVideoCallSetup_v1.2.205.0.exe
2012-08-22 09:22 - 2012-08-22 09:22 - 00004196 ____A C:\Users\Administrator\Documents\GetAttachment.jpeg
2012-08-14 04:51 - 2012-08-14 04:51 - 00032727 ____A C:\Users\Student\Desktop\The-best-top-hd-desktop-bleach-wallpaper-bleach-wallpapers-24.jpeg
2012-08-14 04:44 - 2012-08-14 04:44 - 00900096 ____A (Advanced PC Media LLC) C:\Users\Student\Desktop\TweaksLogon.exe
2012-08-13 17:55 - 2012-08-13 17:55 - 00001090 ____A C:\Users\Student\Downloads\Documents - Shortcut.lnk
2012-08-13 17:55 - 2012-08-13 17:55 - 00000355 ____A C:\Users\Student\Downloads\Favorites - Shortcut.lnk
2012-08-12 20:46 - 2012-08-12 20:46 - 00000012 ____A C:\Users\Student\Desktop\awedum.txt
2012-08-11 03:20 - 2012-08-11 03:20 - 00231376 ____A (TrueCrypt Foundation) C:\Windows\System32\Drivers\truecrypt.sys
2012-08-10 12:46 - 2012-08-10 11:15 - 00000031 ____A C:\Users\Student\Documents\Yah.txt
2012-08-07 18:45 - 2012-08-07 18:45 - 00000020 ___SH C:\Users\Administrator\ntuser.ini
2012-08-07 09:40 - 2012-03-30 07:41 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-07 09:40 - 2011-08-27 04:06 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-06 19:21 - 2012-08-06 19:21 - 00000570 ____A C:\Windows\System32\MyDefrag.debuglog
2012-07-31 16:01 - 2010-08-05 18:10 - 00249856 ____N (Microsoft Corporation) C:\Windows\Setup1.exe
2012-07-31 16:00 - 2010-08-05 18:10 - 00073216 ____A (Microsoft Corporation) C:\Windows\ST6UNST.EXE
2012-07-24 08:01 - 2012-07-24 07:58 - 01376768 ____A C:\Users\Student\Downloads\7z920x64.msi
2012-07-11 23:10 - 2009-07-13 18:34 - 00000575 ____A C:\Windows\win.ini
2012-07-10 12:35 - 2012-07-10 12:34 - 18306784 ____A (Ellora Assets Corporation ) C:\Users\Student\Downloads\FreemakeVideoConverter_3.0.2.15.exe
2012-07-09 01:45 - 2012-07-09 00:50 - 1199779840 ____A C:\Users\Student\Desktop\rld-tsmk.iso
2012-07-09 00:56 - 2012-07-09 00:45 - 1828933632 ____A C:\Users\Student\Desktop\rld-tsm1.iso
2012-07-03 09:46 - 2012-08-23 17:31 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-03 07:57 - 2012-07-03 07:57 - 00000065 ____A C:\Users\Student\Documents\worker info.txt
2012-07-03 07:19 - 2012-07-03 07:19 - 08117913 ____A (Igor Pavlov) C:\Users\Student\Downloads\guiminer-20120219.exe
2012-07-03 06:57 - 2012-07-03 06:57 - 12411880 ____A C:\Users\Student\Downloads\bitcoin-0.6.3-win32.zip
2012-07-03 06:31 - 2012-07-03 06:31 - 23748738 ____A (Igor Pavlov) C:\Users\Student\Downloads\tor-browser-2.2.37-1_en-US.exe
2012-07-02 23:19 - 2010-05-05 09:00 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-02 14:01 - 2012-07-02 14:01 - 01525721 ____A C:\Users\Student\Downloads\Diablo3 Offline Client Creator - Updated 2012.rar
2012-07-01 13:13 - 2012-07-01 13:13 - 32288896 ____A (Blizzard Entertainment) C:\Users\Student\Downloads\Diablo-III-Setup-enUS.exe
2012-06-29 16:43 - 2010-09-19 20:47 - 00790810 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-06-28 15:51 - 2012-06-28 15:51 - 12351992 ____A (Opera Software ASA) C:\Users\Student\Downloads\Opera_1200_int_Setup.exe
2012-06-28 15:16 - 2012-06-28 15:16 - 21869488 ____A (Oracle Corporation) C:\Users\Student\Downloads\jre-7u5-windows-x64 (1).exe
2012-06-28 15:15 - 2012-06-28 15:15 - 21869488 ____A (Oracle Corporation) C:\Users\Student\Downloads\jre-7u5-windows-x64.exe.jpg4tm7.partial
2012-06-28 11:05 - 2012-06-28 11:05 - 00000300 ____A C:\Users\Student\Downloads\EuropeBattleNet-hosts-Installer.bat
2012-06-28 10:43 - 2012-06-28 10:43 - 00022075 ____A C:\Users\Student\Downloads\[kat.ph]diablo.iii.collectors.edition.torrent
2012-06-28 07:56 - 2012-06-28 07:56 - 00098901 ____A C:\Users\Student\Downloads\PonyPatcher.zip
2012-06-28 07:38 - 2012-06-28 07:38 - 30872026 ____A C:\Users\Student\Downloads\9991-Downgrade-Patch.zip
2012-06-27 21:33 - 2012-06-27 21:33 - 07336664 ____A (Blizzard Entertainment) C:\Users\Student\Downloads\Diablo-III-8370-enGB-Installer-downloader.exe
2012-06-27 20:48 - 2012-06-27 20:47 - 03831780 ____A C:\Users\Student\Downloads\Tunngle.4.4.1.2.rar
2012-06-11 19:02 - 2012-07-11 23:11 - 03147264 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:30 - 2012-07-10 12:19 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:46 - 2012-07-10 12:19 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 21:50 - 2012-07-10 12:19 - 02003968 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 21:50 - 2012-07-10 12:19 - 01880064 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 21:09 - 2012-07-10 12:19 - 01389568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:09 - 2012-07-10 12:19 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-02 14:19 - 2012-06-27 12:21 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-27 12:21 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-27 12:21 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-27 12:21 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-27 12:21 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-27 12:21 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-27 12:21 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-27 12:20 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:15 - 2012-06-27 12:20 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:49 - 2012-07-11 23:01 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-11 23:01 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-11 23:01 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-11 23:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-11 23:02 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-11 23:02 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:04 - 2012-07-11 23:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:03 - 2012-07-11 23:02 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-11 23:02 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-11 23:01 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-11 23:02 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-11 23:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-11 23:02 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-11 23:02 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-11 23:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-11 23:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-11 23:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-11 23:02 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-11 23:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:25 - 2012-07-11 23:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:23 - 2012-07-11 23:02 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-11 23:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 23:02 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 23:02 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-11 23:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-11 23:02 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 23:02 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 23:02 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 21:38 - 2012-07-10 12:19 - 00152432 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:38 - 2012-07-10 12:19 - 00095088 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:37 - 2012-07-10 12:19 - 00459216 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:27 - 2012-07-10 12:19 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:27 - 2012-07-10 12:19 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:48 - 2012-07-10 12:19 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:48 - 2012-07-10 12:19 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:47 - 2012-07-10 12:19 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:42 - 2012-07-10 12:19 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

ZeroAccess:
C:\Users\Student\AppData\Local\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}
C:\Users\Student\AppData\Local\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\@
C:\Users\Student\AppData\Local\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\L
C:\Users\Student\AppData\Local\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\n
C:\Users\Student\AppData\Local\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\U
C:\Users\Student\AppData\Local\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\L\00000004.@
C:\Users\Student\AppData\Local\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\U\00000004.@
C:\Users\Student\AppData\Local\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\U\00000008.@
C:\Users\Student\AppData\Local\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\U\000000cb.@
C:\Users\Student\AppData\Local\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\U\80000000.@
C:\Users\Student\AppData\Local\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\U\80000032.@
C:\Users\Student\AppData\Local\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\U\80000064.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-08-26 10:10:47
Restore point made on: 2012-08-28 04:43:58
Restore point made on: 2012-08-29 05:07:41

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 8181.83 MB
Available physical RAM: 7338.97 MB
Total Pagefile: 8179.98 MB
Available Pagefile: 7330.65 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

==================== Partitions ============================

1 Drive c: () (Fixed) (Total:465.43 GB) (Free:243.61 GB) NTFS
3 Drive f: () (Removable) (Total:3.73 GB) (Free:2.77 GB) FAT32
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.29 GB) (Free:0.26 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ###  Status         Size     Free     Dyn  Gpt
--------  -------------  -------  -------  ---  ---
Disk 0    Online         465 GB   0 B
Disk 1    Online         3827 MB  0 B

Partitions of Disk 0:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
Partition 1    OEM               39 MB    31 KB
Partition 2    Primary           300 MB   40 MB
Partition 3    Primary           465 GB   340 MB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ###   Ltr  Label        Fs     Type        Size     Status     Info
----------   ---  -----------  -----  ----------  -------  ---------  --------
* Volume 4                     FAT    Partition   39 MB    Healthy    Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ###   Ltr  Label        Fs     Type        Size     Status     Info
----------   ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1   Y    System Rese  NTFS   Partition   300 MB   Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ###   Ltr  Label        Fs     Type        Size     Status     Info
----------   ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2   C                 NTFS   Partition   465 GB   Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ###  Type              Size     Offset
-------------  ----------------  -------  -------
* Partition 1  Primary           3827 MB  0 B

==================================================================================

Disk: 1
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

==================================================================================

Last Boot: 2012-08-27 15:18

==================== End Of Log =============================


-Log of Search



Farbar Recovery Scan Tool Version: 29-08-2012 02
Ran by SYSTEM at 2012-08-29 12:36:53
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\Services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\erdnt\cache64\Services.exe
[2012-08-23 09:14] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:46 PM

Posted 29 August 2012 - 05:09 PM

Please do the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Users\Student\AppData\Local\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.



NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
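The fixlist above removes the two ZeroAccess/Sirefef file-system artifacts that FRST reported: a {GUID}-named folder under the user's AppData\Local holding "@", "L", "U" and "n" entries, and a Desktop.ini planted in Windows\assembly\GAC_32 and GAC_64. The following is an added, read-only detection script for those same artifacts (not part of FRST, ComboFix or this thread); it assumes an offline volume tree rooted at a path you supply, and the sample tree it builds is constructed for the demonstration, reusing only the GUID from the log above.

```python
"""Offline check for the ZeroAccess/Sirefef file-system artifacts that the
FRST log in this thread reported: a {GUID}-named folder under a user's
AppData\\Local holding '@', 'L', 'U' and 'n' entries, and a Desktop.ini
planted in Windows\\assembly\\GAC_32 and GAC_64. Added example, not part of
FRST or of this thread; run it read-only against a mounted offline volume."""
import re
import tempfile
from pathlib import Path

GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Entry names the FRST log showed inside the GUID folder.
ZA_ENTRIES = {"@", "L", "U", "n"}
GAC_SUBDIRS = ("GAC_32", "GAC_64")


def scan_user_local(appdata_local: Path) -> list[str]:
    """Return GUID-named folders under AppData\\Local that carry ZeroAccess entries.

    A GUID-named folder alone is common (installers create them); the '@'
    marker plus at least one of the 'L'/'U' payload folders is what FRST flagged."""
    hits = []
    if not appdata_local.is_dir():
        return hits
    for entry in appdata_local.iterdir():
        if not entry.is_dir() or not GUID_DIR.match(entry.name):
            continue
        names = {child.name for child in entry.iterdir()}
        if "@" in names and names & {"L", "U"}:
            hits.append(str(entry))
    return hits


def scan_gac(windows_root: Path) -> list[str]:
    """Return Desktop.ini files in assembly\\GAC_32 / GAC_64.

    A clean Windows 7 install has no Desktop.ini there; ZeroAccess drops one."""
    found = []
    for sub in GAC_SUBDIRS:
        ini = windows_root / "assembly" / sub / "Desktop.ini"
        if ini.is_file():
            found.append(str(ini))
    return found


def scan_volume(volume_root: Path) -> dict:
    """Walk every profile under Users plus the Windows folder of an offline volume."""
    report = {"guid_dirs": [], "gac_desktop_ini": []}
    users = volume_root / "Users"
    if users.is_dir():
        for profile in users.iterdir():
            report["guid_dirs"] += scan_user_local(profile / "AppData" / "Local")
    report["gac_desktop_ini"] = scan_gac(volume_root / "Windows")
    return report


def build_sample_volume() -> Path:
    """Constructed sample tree mirroring the paths in the FRST log (GUID taken from the log)."""
    root = Path(tempfile.mkdtemp(prefix="za_demo_"))
    local = root / "Users" / "Student" / "AppData" / "Local"
    bad = local / "{181d7f9b-a1b0-bed2-d5e6-1304811f3574}"
    for name in ("L", "U"):
        (bad / name).mkdir(parents=True)
    (bad / "@").write_bytes(b"")
    (bad / "n").write_bytes(b"")
    (bad / "U" / "80000000.@").write_bytes(b"\x00" * 16)
    # A benign GUID-named folder (e.g. left by an installer) must NOT be flagged.
    benign = local / "{9f0c2a7e-5d3b-4c1e-8a6f-0123456789ab}"  # constructed GUID
    benign.mkdir(parents=True)
    (benign / "setup.log").write_text("installer log")
    for sub in GAC_SUBDIRS:
        gac = root / "Windows" / "assembly" / sub
        gac.mkdir(parents=True)
        (gac / "Desktop.ini").write_bytes(b"\x00" * 8)
    return root


if __name__ == "__main__":
    vol = build_sample_volume()
    for key, paths in scan_volume(vol).items():
        for p in paths:
            print(f"{key}: {p}")
```

Point `scan_volume` at the root of a volume mounted from a rescue environment, so the rootkit's own hooks are not in the picture.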


#5 MisterSeek

MisterSeek
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:46 PM

Posted 29 August 2012 - 05:43 PM

Here is the Log for Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 29-08-2012 02
Ran by SYSTEM at 2012-08-29 18:21:49 Run:1
Running from F:\

==============================================

C:\Users\Student\AppData\Local\{181d7f9b-a1b0-bed2-d5e6-1304811f3574} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.

==== End of Fixlog ====

Also, ComboFix did run but did not need to restart my system. If at a later point you could give me a recommendation for anti-malware/spyware/virus tools, let me know.
Thanks for your continued guidance. I will write a splendid review. Here is my ComboFix log.

ComboFix 12-08-29.03 - Student 08/29/2012 18:28:00.4.8 - x64
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.8182.6662 [GMT -4:00]
Running from: c:\users\Student\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Student\AppData\Roaming\Mozilla\Firefox\Profiles\da8crj8s.default\searchplugins\bing-zugo.xml
c:\users\Student\AppData\Roaming\Studentlog.dat
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-29 )))))))))))))))))))))))))))))))
.
.
2012-08-29 22:36 . 2012-08-29 22:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-29 22:24 . 2012-08-29 22:24 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DDA5E471-5885-41F5-BCBF-86BB2B1E7F81}\offreg.dll
2012-08-29 14:38 . 2012-08-29 14:38 -------- d-----w- c:\program files (x86)\K-Lite Codec Pack
2012-08-29 14:38 . 2012-08-29 14:38 -------- d-----w- c:\users\Student\AppData\Local\Abelssoft
2012-08-29 14:38 . 2012-08-29 14:38 -------- d-----w- c:\program files (x86)\YouTube Song Downloader
2012-08-29 14:05 . 2012-08-29 14:15 -------- d-----w- c:\users\Student\AppData\Local\BearShare
2012-08-29 08:33 . 2012-08-29 08:33 -------- d-----w- c:\users\Student\AppData\Local\MediaMonkey
2012-08-29 08:33 . 2012-08-29 15:42 -------- d-----w- c:\users\Student\AppData\Roaming\MediaMonkey
2012-08-29 08:33 . 2012-08-29 08:33 -------- d-----w- c:\programdata\MediaMonkey
2012-08-29 08:33 . 2012-08-29 08:33 -------- d-----w- c:\program files (x86)\MediaMonkey
2012-08-28 12:05 . 2012-08-20 05:53 9309624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DDA5E471-5885-41F5-BCBF-86BB2B1E7F81}\mpengine.dll
2012-08-26 02:47 . 2012-08-26 02:47 -------- d-----w- C:\FRST
2012-08-26 00:33 . 2012-08-26 00:33 289768 ----a-w- c:\windows\system32\javaws.exe
2012-08-26 00:33 . 2012-08-26 00:33 189416 ----a-w- c:\windows\system32\javaw.exe
2012-08-26 00:33 . 2012-08-26 00:33 188904 ----a-w- c:\windows\system32\java.exe
2012-08-26 00:33 . 2012-08-26 00:33 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2012-08-26 00:33 . 2012-08-26 00:33 -------- d-----w- c:\program files\Java
2012-08-25 23:46 . 2012-08-25 23:46 -------- d-----w- C:\_OTL
2012-08-25 23:09 . 2012-08-29 22:36 -------- d-----w- c:\users\Student\AppData\Local\temp
2012-08-25 17:22 . 2012-08-25 17:22 -------- d-----w- c:\program files (x86)\HydraIRC
2012-08-24 01:31 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-23 22:29 . 2012-08-23 22:29 -------- d-----w- c:\program files (x86)\ESET
2012-08-23 04:24 . 2012-08-23 04:24 -------- d-----w- c:\program files (x86)\Trend Micro
2012-08-23 03:12 . 2012-08-23 03:12 431104 ----a-w- c:\windows\system32\wrap_oal.dll
2012-08-23 03:12 . 2012-08-23 03:12 409600 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-08-23 03:12 . 2012-08-23 03:12 136192 ----a-w- c:\windows\system32\OpenAL32.dll
2012-08-23 03:12 . 2012-08-23 03:12 114688 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2012-08-23 03:12 . 2012-08-23 03:12 -------- d-----w- c:\program files (x86)\OpenAL
2012-08-23 02:58 . 2012-08-23 02:58 -------- d-----w- c:\program files (x86)\Paradox Interactive
2012-08-21 13:39 . 2012-08-21 13:39 -------- d-sh--w- c:\programdata\System Restore
2012-08-21 05:35 . 2012-08-21 05:36 -------- d-----w- c:\users\Student\AppData\Local\ManyCam
2012-08-21 05:35 . 2012-08-21 05:35 -------- d-----w- c:\programdata\ManyCam
2012-08-21 05:35 . 2012-08-21 05:36 -------- d-----w- c:\users\Student\AppData\Roaming\ManyCam
2012-08-21 05:34 . 2012-08-21 05:35 -------- d-----w- c:\program files (x86)\ManyCam
2012-08-21 00:16 . 2012-08-23 17:26 -------- d-----w- C:\Temp
2012-08-21 00:16 . 2012-08-21 00:16 -------- d-----w- c:\users\Student\AppData\Roaming\Motorola
2012-08-19 01:13 . 2012-08-19 01:13 -------- d-----w- c:\users\Student\AppData\Roaming\Xilisoft
2012-08-19 01:11 . 2012-08-19 01:11 -------- d-----w- c:\programdata\Xilisoft
2012-08-19 01:11 . 2012-08-19 01:11 -------- d-----w- c:\program files (x86)\Xilisoft
2012-08-18 11:49 . 2012-08-18 11:57 -------- d-----w- c:\program files (x86)\Amnesia - The Dark Descent
2012-08-11 20:22 . 2012-08-11 20:34 -------- d-----w- c:\users\Student\AppData\Roaming\Charles
2012-08-11 20:21 . 2012-08-11 20:21 -------- d-----w- c:\program files\Charles
2012-08-11 11:21 . 2012-08-11 11:23 -------- d-----w- c:\users\Student\AppData\Roaming\TrueCrypt
2012-08-11 11:20 . 2012-08-11 11:20 231376 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2012-08-11 11:20 . 2012-08-11 11:20 -------- d-----w- c:\program files\TrueCrypt
2012-08-10 17:01 . 2012-08-10 17:01 -------- d-----w- c:\program files (x86)\Geeks3D
2012-08-08 23:00 . 2012-08-08 23:00 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-08-08 02:45 . 2012-08-08 02:57 -------- d-----w- c:\users\Administrator
2012-08-07 18:05 . 2012-08-07 18:05 -------- d-----w- c:\users\Student\AppData\Local\TechSmith
2012-08-07 18:04 . 2010-03-04 21:27 411480 ----a-w- c:\windows\SysWow64\tsccvid.dll
2012-08-07 18:04 . 2012-08-07 18:04 -------- d-----w- c:\windows\SysWow64\QuickTime
2012-08-07 18:03 . 2012-08-07 18:03 -------- d-----w- c:\program files (x86)\Common Files\TechSmith Shared
2012-08-07 18:03 . 2012-08-07 18:04 -------- d-----w- c:\programdata\TechSmith
2012-08-07 18:03 . 2012-08-07 18:03 -------- d-----w- c:\program files (x86)\TechSmith
2012-08-07 17:45 . 2012-08-07 17:45 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-08-07 13:19 . 2012-08-07 13:19 -------- d-----w- c:\users\Student\AppData\Local\DDMSettings
2012-08-07 03:20 . 2012-08-07 03:23 -------- d-----w- c:\users\Student\AppData\Roaming\Fighters
2012-08-07 03:20 . 2012-08-07 03:23 -------- d-----w- c:\programdata\Fighters
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-26 00:33 . 2012-06-28 23:17 916456 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-26 00:33 . 2012-06-28 23:17 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-07 17:40 . 2012-03-30 15:41 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-07 17:40 . 2011-08-27 12:06 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-01 00:01 . 2010-08-06 02:10 249856 ------w- c:\windows\Setup1.exe
2012-08-01 00:00 . 2010-08-06 02:10 73216 ----a-w- c:\windows\ST6UNST.EXE
2012-07-03 07:19 . 2010-05-05 17:00 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-12 03:02 . 2012-07-12 07:11 3147264 ----a-w- c:\windows\system32\win32k.sys
2012-06-09 05:30 . 2012-07-10 20:19 14165504 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 05:50 . 2012-07-10 20:19 2003968 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:50 . 2012-07-10 20:19 1880064 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:09 . 2012-07-10 20:19 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:09 . 2012-07-10 20:19 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-02 22:19 . 2012-06-27 20:21 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-27 20:21 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-27 20:21 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-27 20:21 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-27 20:21 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-27 20:21 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-27 20:21 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-27 20:20 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-27 20:20 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 12:49 . 2012-07-12 07:01 17807360 ----a-w- c:\windows\system32\mshtml.dll
2012-06-02 12:17 . 2012-07-12 07:01 10924032 ----a-w- c:\windows\system32\ieframe.dll
2012-06-02 12:12 . 2012-07-12 07:01 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 12:05 . 2012-07-12 07:02 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-02 12:05 . 2012-07-12 07:02 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 12:04 . 2012-07-12 07:01 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 12:04 . 2012-07-12 07:02 237056 ----a-w- c:\windows\system32\url.dll
2012-06-02 12:03 . 2012-07-12 07:02 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-02 12:01 . 2012-07-12 07:02 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 12:00 . 2012-07-12 07:01 818688 ----a-w- c:\windows\system32\jscript.dll
2012-06-02 11:59 . 2012-07-12 07:02 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-02 11:57 . 2012-07-12 07:02 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-02 11:57 . 2012-07-12 07:02 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 11:54 . 2012-07-12 07:02 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-02 08:33 . 2012-07-12 07:01 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-02 08:25 . 2012-07-12 07:02 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-02 08:25 . 2012-07-12 07:01 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-02 08:20 . 2012-07-12 07:02 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-02 08:16 . 2012-07-12 07:02 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-06-02 05:38 . 2012-07-10 20:19 95088 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:38 . 2012-07-10 20:19 152432 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:37 . 2012-07-10 20:19 459216 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 05:27 . 2012-07-10 20:19 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:27 . 2012-07-10 20:19 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 04:48 . 2012-07-10 20:19 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:48 . 2012-07-10 20:19 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:47 . 2012-07-10 20:19 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:42 . 2012-07-10 20:19 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-08-23_17.09.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-08-08 20:15 . 2012-08-22 17:27 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-08-08 20:15 . 2012-08-29 22:23 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-08-26 00:36 . 2012-08-29 22:23 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-05 16:59 . 2012-08-29 22:24 79580 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-29 22:24 42936 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-07-27 16:23 . 2012-08-29 16:44 16570 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1199237575-1499867286-3957390923-1000_UserData.bin
- 2009-07-14 05:30 . 2012-08-23 17:09 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2009-07-14 05:30 . 2012-08-29 22:24 86016 c:\windows\system32\DriverStore\infpub.dat
- 2010-05-05 16:28 . 2012-08-23 16:44 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-05 16:28 . 2012-08-29 14:05 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-05 16:28 . 2012-08-23 16:44 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-05 16:28 . 2012-08-29 14:05 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-29 14:05 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-23 16:44 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-05-05 15:35 . 2012-05-25 19:21 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-05 15:35 . 2012-08-29 12:48 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2012-08-24 22:47 71448 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2010-05-05 15:35 . 2012-08-29 12:48 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-05 15:35 . 2012-05-25 19:21 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-05 15:35 . 2012-05-25 19:21 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-05-05 15:35 . 2012-08-29 12:48 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-08-29 18:29 . 2012-08-29 18:29 9560 c:\windows\system32\NetworkList\Icons\{EC1D492C-B1AD-4A49-B23D-024D680D1E1E}_48.bin
+ 2012-08-29 18:29 . 2012-08-29 18:29 4280 c:\windows\system32\NetworkList\Icons\{EC1D492C-B1AD-4A49-B23D-024D680D1E1E}_32.bin
+ 2012-08-29 18:29 . 2012-08-29 18:29 2456 c:\windows\system32\NetworkList\Icons\{EC1D492C-B1AD-4A49-B23D-024D680D1E1E}_24.bin
+ 2012-08-29 07:02 . 2012-08-29 07:02 9560 c:\windows\system32\NetworkList\Icons\{95F71425-7031-47D0-9134-59D1174CD2F0}_48.bin
+ 2012-08-29 07:02 . 2012-08-29 07:02 4280 c:\windows\system32\NetworkList\Icons\{95F71425-7031-47D0-9134-59D1174CD2F0}_32.bin
+ 2012-08-29 07:02 . 2012-08-29 07:02 2456 c:\windows\system32\NetworkList\Icons\{95F71425-7031-47D0-9134-59D1174CD2F0}_24.bin
+ 2012-08-28 19:15 . 2012-08-28 19:15 9560 c:\windows\system32\NetworkList\Icons\{48527A3D-29C5-417E-9C8C-FCFE430FD551}_48.bin
+ 2012-08-28 19:15 . 2012-08-28 19:15 4280 c:\windows\system32\NetworkList\Icons\{48527A3D-29C5-417E-9C8C-FCFE430FD551}_32.bin
+ 2012-08-28 19:15 . 2012-08-28 19:15 2456 c:\windows\system32\NetworkList\Icons\{48527A3D-29C5-417E-9C8C-FCFE430FD551}_24.bin
- 2012-08-23 17:08 . 2012-08-23 17:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-29 22:22 . 2012-08-29 22:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-29 22:22 . 2012-08-29 22:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-23 17:08 . 2012-08-23 17:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-07-27 19:57 . 2012-08-28 17:14 651404 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2012-08-29 22:30 672218 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-08-19 05:25 672218 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-29 22:30 126312 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-08-19 05:25 126312 c:\windows\system32\perfc009.dat
- 2009-07-14 04:45 . 2012-07-12 11:30 421776 c:\windows\system32\FNTCACHE.DAT
+ 2012-08-24 01:22 . 2012-08-24 01:22 421776 c:\windows\system32\FNTCACHE.DAT
+ 2009-07-14 05:30 . 2012-08-29 22:24 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2012-08-23 17:09 143360 c:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 05:30 . 2012-08-29 22:24 143360 c:\windows\system32\DriverStore\infstor.dat
- 2009-07-14 05:30 . 2012-08-23 17:09 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2012-08-25 22:05 . 2012-08-29 22:20 395176 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-08-23 16:40 395176 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-08-25 22:05 . 2012-08-28 19:53 516009 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1199237575-1499867286-3957390923-500-12288.dat
+ 2012-08-28 17:16 . 2012-08-29 15:39 395944 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1199237575-1499867286-3957390923-1000-4096.dat
+ 2012-08-29 15:39 . 2012-08-29 15:39 395944 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1199237575-1499867286-3957390923-1000-12288.dat
+ 2012-08-26 00:31 . 2012-08-26 00:31 902144 c:\windows\Installer\444b4.msi
- 2009-07-14 04:54 . 2012-08-22 17:27 7323648 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-29 22:23 7323648 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 02:34 . 2012-08-28 13:21 11010048 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:34 . 2012-08-23 05:23 11010048 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2012-08-25 22:05 . 2012-08-29 22:20 14736108 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1199237575-1499867286-3957390923-1000-8192.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files (x86)\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HLBackupScheduler"="c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe" [2010-12-08 5247624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2012-05-31 336992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
R3 dump_wmimmc;dump_wmimmc;c:\program files (x86)\NCsoft\Lineage II\system\GameGuard\dump_wmimmc.sys [x]
R3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2010-05-07 30304]
R3 LVUVC64;Logitech Webcam 120(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2010-07-07 6465632]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-10-23 77104]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-14 113120]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 ScreamBAudioSvc;ScreamBee Audio;c:\windows\system32\drivers\ScreamingBAudio64.sys [2009-12-01 38992]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-05 1255736]
R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys [x]
R4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-07 257224]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\AESTSr64.exe [2009-03-03 89600]
R4 Giraffic;Veoh Giraffic Video Accelerator;c:\program files (x86)\Giraffic\Veoh_GirafficWatchdog.exe [2012-07-02 2232504]
R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-30 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-30 136176]
R4 McAfeeEngineService;McAfee Engine Service;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [2009-10-23 19720]
R4 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-08-06 834544]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2009-12-17 1039776]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2009-12-17 31136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-10-23 79504]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [x]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [2010-03-01 81408]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-03 379496]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-04-15 2533400]
S3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2009-11-03 38440]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2009-12-10 294064]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv_x64.sys [2012-01-11 34304]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv_x64.sys [2012-02-22 28160]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2011-05-10 174184]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [2008-12-26 21504]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 17:40]
.
2012-08-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1199237575-1499867286-3957390923-1000Core.job
- c:\users\Student\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-30 22:43]
.
2012-08-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1199237575-1499867286-3957390923-1000UA.job
- c:\users\Student\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-30 22:43]
.
2012-08-28 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1199237575-1499867286-3957390923-500Core.job
- c:\users\Administrator\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-23 00:11]
.
2012-08-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1199237575-1499867286-3957390923-500UA.job
- c:\users\Administrator\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-23 00:11]
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-30 15:42]
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-30 15:42]
.
2012-08-29 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
2012-08-23 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-03-10 487424]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-02-17 375808]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-08-03 335976]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1692264]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\SHAREA~1\MediaBar\Datamngr\x64\IEBHO.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3198785
mLocal Page = c:\windows\SYSTEM32\blank.htm
uInternet Settings,ProxyOverride = 192.168.*.*;*.local;127.0.0.1:9421;<local>
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 204.111.1.210 204.111.1.195 192.168.1.1
FF - ProfilePath - c:\users\Student\AppData\Roaming\Mozilla\Firefox\Profiles\da8crj8s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - uTorrentControl2 Customized Web Search
FF - prefs.js: browser.search.selectedengine - search the web
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3198785&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-NCsoft - (no file)
Wow6432Node-HKLM-Run-Malwarebytes' Anti-Malware - c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{C2DB4FE6-8409-45CE-8010-189A7B5CCE86} - (no file)
WebBrowser-{DE404F4C-3CDE-4D74-A6FB-052D099C104C} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
AddRemove-FireShot for Firefox - c:\users\Student\AppData\Roaming\FireShot\uninstall-fireshot-fx.exe
AddRemove-ExpressFiles - c:\program files (x86)\ExpressFiles\uninstall.exe
AddRemove-SOE-DC Universe Online Live - c:\users\Student\Desktop\DC Universe\uninstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\06\05\1d\155\0a?"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-29 18:40:13
ComboFix-quarantined-files.txt 2012-08-29 22:40
ComboFix2.txt 2012-08-25 23:09
ComboFix3.txt 2012-08-23 17:16
ComboFix4.txt 2012-08-08 03:40
.
Pre-Run: 261,017,206,784 bytes free
Post-Run: 260,932,755,456 bytes free
.
- - End Of File - - 8726490877ABA488DC8B87F54301C821

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:46 PM

Posted 29 August 2012 - 05:57 PM

Yes, I will have some recommendations for you when we are done, but we have a little more work to do. Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

DDS::
uInternet Settings,ProxyOverride = 192.168.*.*;*.local;127.0.0.1:9421;<local>
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3198785

FireFox::
FF - ProfilePath - c:\users\Student\AppData\Roaming\Mozilla\Firefox\Profiles\da8crj8s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3198785&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot omitted: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
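The CFScript in the post above targets a specific set of log lines: the IE start page and the Firefox search prefs pointing at search.conduit.com, and a loopback host:port entry in the IE proxy bypass list (ProxyOverride), which is not a setting a user normally writes by hand. As an added example, not part of CatByte's post and not ComboFix's own code, here is a small Python triage helper that reads supplementary-scan lines in the shape of the log earlier in this thread, flags those entries plus the AppInit_DLLs injection entry from the "X64 Entries" section, and prints a DDS::/FireFox::/ClearJavaCache:: script in the same layout the post uses. The sample lines are constructed from values visible on this page, the hijack-domain list and all function names are assumptions for the example, and only the CFScript directives actually shown in the post are reproduced.

```python
"""Triage helper for ComboFix-style supplementary-scan lines (added example).

It flags the indicators CatByte's CFScript removed and renders the DDS:: /
FireFox:: / ClearJavaCache:: sections in the layout the post shows.  Names and
the hijack-domain list are assumptions for this example, not ComboFix's own.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the log above (values taken from this page).
SAMPLE_LOG = "\n".join([
    "uLocal Page = c:\\windows\\system32\\blank.htm",
    "uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3198785",
    "mLocal Page = c:\\windows\\SYSTEM32\\blank.htm",
    "uInternet Settings,ProxyOverride = 192.168.*.*;*.local;127.0.0.1:9421;<local>",
    "TCP: DhcpNameServer = 204.111.1.210 204.111.1.195 192.168.1.1",
    "FF - ProfilePath - c:\\users\\Student\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\da8crj8s.default\\",
    "FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=3&q={searchTerms}",
    "FF - prefs.js: browser.search.selectedEngine - uTorrentControl2 Customized Web Search",
    "FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3198785&SearchSource=13",
    "FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=",
    "FF - user.js: network.protocol-handler.warn-external.dnupdate - false",
    "\"AppInit_DLLs\"=c:\\progra~2\\SHAREA~1\\MediaBar\\Datamngr\\x64\\IEBHO.dll",
])

# Domains treated as search-hijack indicators in this thread (assumed list;
# search.conduit.com is the one that appears in the log on this page).
HIJACK_DOMAINS = ("search.conduit.com",)


def hijacked(value: str) -> bool:
    """True when the value points at one of the hijack domains."""
    v = value.lower()
    return any(d in v for d in HIJACK_DOMAINS)


def loopback_port_in_bypass(value: str) -> bool:
    """True when the proxy bypass list names a loopback host:port pair.

    A bypass entry such as 127.0.0.1:9421 is not a Windows default; on this
    machine it was one of the lines the CFScript removed.
    """
    return re.search(r"(?:127\.0\.0\.1|localhost):\d+", value) is not None


def triage(log_text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (findings, sections) for a block of supplementary-scan lines.

    findings  - human-readable reason each line was flagged
    sections  - {"DDS": [...], "FireFox": [...]} lines for the CFScript
    """
    findings: List[str] = []
    sections: Dict[str, List[str]] = {"DDS": [], "FireFox": []}
    ff_profile = None

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("FF - ProfilePath"):
            ff_profile = line  # the FireFox:: block in the post leads with this
            continue
        if line.startswith("FF - prefs.js:"):
            if hijacked(line):
                findings.append(f"Firefox pref points at hijack domain: {line}")
                sections["FireFox"].append(line)
            continue
        if line.startswith("uInternet Settings,ProxyOverride"):
            _, _, value = line.partition("=")
            if loopback_port_in_bypass(value):
                findings.append(f"Proxy bypass list names a loopback port: {line}")
                sections["DDS"].append(line)
            continue
        if line.startswith(("uStart Page", "mStart Page")) and hijacked(line):
            findings.append(f"Start page set to hijack domain: {line}")
            sections["DDS"].append(line)
            continue
        if line.startswith('"AppInit_DLLs"='):
            _, _, value = line.partition("=")
            if value.strip():
                # AppInit_DLLs is loaded into every process that links user32.dll;
                # reported only, since the post shows no CFScript directive for it.
                findings.append(f"AppInit_DLLs injection entry: {line}")

    if sections["FireFox"] and ff_profile:
        sections["FireFox"].insert(0, ff_profile)
    return findings, sections


def build_cfscript(sections: Dict[str, List[str]], clear_java_cache: bool = True) -> str:
    """Render the sections in the layout of the CFScript in the post:
    a 'DDS::' block, a 'FireFox::' block, then 'ClearJavaCache::'."""
    out: List[str] = []
    for name in ("DDS", "FireFox"):
        if sections.get(name):
            out.append(f"{name}::")
            out.extend(sections[name])
            out.append("")
    if clear_java_cache:
        out.append("ClearJavaCache::")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found, secs = triage(SAMPLE_LOG)
    for f in found:
        print("FLAG:", f)
    print(build_cfscript(secs))
```

Run against the sample, the helper reproduces the four FireFox:: lines and the two DDS:: lines of the post's script, skips the uTorrentControl2 selectedEngine line (no hijack domain in it, and the post left it alone too), and reports the AppInit_DLLs entry separately because the post shows no script directive for it.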


#7 MisterSeek

MisterSeek
  • Topic Starter

  • Members
  • 17 posts
  • Local time:01:46 PM

Posted 29 August 2012 - 06:20 PM

Alright, I have run ComboFix with the script and Malwarebytes (no hits). Even before you mentioned that and made the script, I found that "ProxyOverride" string very disarming, considering I have not been able to get on the router setup page until recently. Anyway, ESET is running now and I will have those report logs to you momentarily. While watching this thread it seems it is also quite popular with Anonymous Users and guests. I hope it is helping someone!

Edited by MisterSeek, 29 August 2012 - 06:21 PM.


#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:46 PM

Posted 29 August 2012 - 06:30 PM

:thumbup2:



#9 MisterSeek

MisterSeek
  • Topic Starter

  • Members
  • 17 posts
  • Local time:01:46 PM

Posted 29 August 2012 - 06:40 PM

Progress is slow, ESET still only at 58% and already 6 Trojans. More Sirefefs, Conedex, etc... -_-; Sorry for the delays.

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:46 PM

Posted 29 August 2012 - 06:44 PM

no problem, hopefully most of those detections will already be in quarantine



#11 MisterSeek

MisterSeek
  • Topic Starter

  • Members
  • 17 posts
  • Local time:01:46 PM

Posted 29 August 2012 - 06:45 PM

Well, for about 7-8 minutes now it has been on this one Target. Stuck at 17256 Files scanned... Time is ticking away.

Edited by MisterSeek, 29 August 2012 - 06:48 PM.


#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:46 PM

Posted 29 August 2012 - 06:50 PM

it can take hours, so put your feet up



#13 MisterSeek

MisterSeek
  • Topic Starter

  • Members
  • 17 posts
  • Local time:01:46 PM

Posted 29 August 2012 - 06:54 PM

Roger that! :workout:

#14 MisterSeek

MisterSeek
  • Topic Starter

  • Members
  • 17 posts
  • Local time:01:46 PM

Posted 29 August 2012 - 09:04 PM

EVERYTHING IS COMPLETE! HERE ARE THE LOGS!

COMBOFIX LOG

ComboFix 12-08-29.03 - Student 08/29/2012 19:04:05.5.8 - x64
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.8182.6370 [GMT -4:00]
Running from: c:\users\Student\Desktop\ComboFix.exe
Command switches used :: c:\users\Student\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-29 )))))))))))))))))))))))))))))))
.
.
2012-08-29 23:08 . 2012-08-29 23:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-29 22:24 . 2012-08-29 22:24 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DDA5E471-5885-41F5-BCBF-86BB2B1E7F81}\offreg.dll
2012-08-29 14:38 . 2012-08-29 14:38 -------- d-----w- c:\program files (x86)\K-Lite Codec Pack
2012-08-29 14:38 . 2012-08-29 14:38 -------- d-----w- c:\users\Student\AppData\Local\Abelssoft
2012-08-29 14:38 . 2012-08-29 14:38 -------- d-----w- c:\program files (x86)\YouTube Song Downloader
2012-08-29 14:05 . 2012-08-29 14:15 -------- d-----w- c:\users\Student\AppData\Local\BearShare
2012-08-29 08:33 . 2012-08-29 08:33 -------- d-----w- c:\users\Student\AppData\Local\MediaMonkey
2012-08-29 08:33 . 2012-08-29 15:42 -------- d-----w- c:\users\Student\AppData\Roaming\MediaMonkey
2012-08-29 08:33 . 2012-08-29 08:33 -------- d-----w- c:\programdata\MediaMonkey
2012-08-29 08:33 . 2012-08-29 08:33 -------- d-----w- c:\program files (x86)\MediaMonkey
2012-08-28 12:05 . 2012-08-20 05:53 9309624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DDA5E471-5885-41F5-BCBF-86BB2B1E7F81}\mpengine.dll
2012-08-26 02:47 . 2012-08-26 02:47 -------- d-----w- C:\FRST
2012-08-26 00:33 . 2012-08-26 00:33 289768 ----a-w- c:\windows\system32\javaws.exe
2012-08-26 00:33 . 2012-08-26 00:33 189416 ----a-w- c:\windows\system32\javaw.exe
2012-08-26 00:33 . 2012-08-26 00:33 188904 ----a-w- c:\windows\system32\java.exe
2012-08-26 00:33 . 2012-08-26 00:33 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2012-08-26 00:33 . 2012-08-26 00:33 -------- d-----w- c:\program files\Java
2012-08-25 23:46 . 2012-08-25 23:46 -------- d-----w- C:\_OTL
2012-08-25 23:09 . 2012-08-29 23:06 -------- d-----w- c:\users\Student\AppData\Local\temp
2012-08-25 17:22 . 2012-08-25 17:22 -------- d-----w- c:\program files (x86)\HydraIRC
2012-08-24 01:31 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-23 22:29 . 2012-08-23 22:29 -------- d-----w- c:\program files (x86)\ESET
2012-08-23 04:24 . 2012-08-23 04:24 -------- d-----w- c:\program files (x86)\Trend Micro
2012-08-23 03:12 . 2012-08-23 03:12 431104 ----a-w- c:\windows\system32\wrap_oal.dll
2012-08-23 03:12 . 2012-08-23 03:12 409600 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-08-23 03:12 . 2012-08-23 03:12 136192 ----a-w- c:\windows\system32\OpenAL32.dll
2012-08-23 03:12 . 2012-08-23 03:12 114688 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2012-08-23 03:12 . 2012-08-23 03:12 -------- d-----w- c:\program files (x86)\OpenAL
2012-08-23 02:58 . 2012-08-23 02:58 -------- d-----w- c:\program files (x86)\Paradox Interactive
2012-08-21 13:39 . 2012-08-21 13:39 -------- d-sh--w- c:\programdata\System Restore
2012-08-21 05:35 . 2012-08-21 05:36 -------- d-----w- c:\users\Student\AppData\Local\ManyCam
2012-08-21 05:35 . 2012-08-21 05:35 -------- d-----w- c:\programdata\ManyCam
2012-08-21 05:35 . 2012-08-21 05:36 -------- d-----w- c:\users\Student\AppData\Roaming\ManyCam
2012-08-21 05:34 . 2012-08-21 05:35 -------- d-----w- c:\program files (x86)\ManyCam
2012-08-21 00:16 . 2012-08-23 17:26 -------- d-----w- C:\Temp
2012-08-21 00:16 . 2012-08-21 00:16 -------- d-----w- c:\users\Student\AppData\Roaming\Motorola
2012-08-19 01:13 . 2012-08-19 01:13 -------- d-----w- c:\users\Student\AppData\Roaming\Xilisoft
2012-08-19 01:11 . 2012-08-19 01:11 -------- d-----w- c:\programdata\Xilisoft
2012-08-19 01:11 . 2012-08-19 01:11 -------- d-----w- c:\program files (x86)\Xilisoft
2012-08-18 11:49 . 2012-08-18 11:57 -------- d-----w- c:\program files (x86)\Amnesia - The Dark Descent
2012-08-11 20:22 . 2012-08-11 20:34 -------- d-----w- c:\users\Student\AppData\Roaming\Charles
2012-08-11 20:21 . 2012-08-11 20:21 -------- d-----w- c:\program files\Charles
2012-08-11 11:21 . 2012-08-11 11:23 -------- d-----w- c:\users\Student\AppData\Roaming\TrueCrypt
2012-08-11 11:20 . 2012-08-11 11:20 231376 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2012-08-11 11:20 . 2012-08-11 11:20 -------- d-----w- c:\program files\TrueCrypt
2012-08-10 17:01 . 2012-08-10 17:01 -------- d-----w- c:\program files (x86)\Geeks3D
2012-08-08 23:00 . 2012-08-08 23:00 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-08-08 02:45 . 2012-08-08 02:57 -------- d-----w- c:\users\Administrator
2012-08-07 18:05 . 2012-08-07 18:05 -------- d-----w- c:\users\Student\AppData\Local\TechSmith
2012-08-07 18:04 . 2010-03-04 21:27 411480 ----a-w- c:\windows\SysWow64\tsccvid.dll
2012-08-07 18:04 . 2012-08-07 18:04 -------- d-----w- c:\windows\SysWow64\QuickTime
2012-08-07 18:03 . 2012-08-07 18:03 -------- d-----w- c:\program files (x86)\Common Files\TechSmith Shared
2012-08-07 18:03 . 2012-08-07 18:04 -------- d-----w- c:\programdata\TechSmith
2012-08-07 18:03 . 2012-08-07 18:03 -------- d-----w- c:\program files (x86)\TechSmith
2012-08-07 17:45 . 2012-08-07 17:45 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-08-07 13:19 . 2012-08-07 13:19 -------- d-----w- c:\users\Student\AppData\Local\DDMSettings
2012-08-07 03:20 . 2012-08-07 03:23 -------- d-----w- c:\users\Student\AppData\Roaming\Fighters
2012-08-07 03:20 . 2012-08-07 03:23 -------- d-----w- c:\programdata\Fighters
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-26 00:33 . 2012-06-28 23:17 916456 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-26 00:33 . 2012-06-28 23:17 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-07 17:40 . 2012-03-30 15:41 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-07 17:40 . 2011-08-27 12:06 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-01 00:01 . 2010-08-06 02:10 249856 ------w- c:\windows\Setup1.exe
2012-08-01 00:00 . 2010-08-06 02:10 73216 ----a-w- c:\windows\ST6UNST.EXE
2012-07-03 07:19 . 2010-05-05 17:00 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-12 03:02 . 2012-07-12 07:11 3147264 ----a-w- c:\windows\system32\win32k.sys
2012-06-09 05:30 . 2012-07-10 20:19 14165504 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 05:50 . 2012-07-10 20:19 2003968 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:50 . 2012-07-10 20:19 1880064 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:09 . 2012-07-10 20:19 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:09 . 2012-07-10 20:19 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-02 22:19 . 2012-06-27 20:21 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-27 20:21 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-27 20:21 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-27 20:21 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-27 20:21 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-27 20:21 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-27 20:21 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-27 20:20 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-27 20:20 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 12:49 . 2012-07-12 07:01 17807360 ----a-w- c:\windows\system32\mshtml.dll
2012-06-02 12:17 . 2012-07-12 07:01 10924032 ----a-w- c:\windows\system32\ieframe.dll
2012-06-02 12:12 . 2012-07-12 07:01 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 12:05 . 2012-07-12 07:02 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-02 12:05 . 2012-07-12 07:02 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 12:04 . 2012-07-12 07:01 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 12:04 . 2012-07-12 07:02 237056 ----a-w- c:\windows\system32\url.dll
2012-06-02 12:03 . 2012-07-12 07:02 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-02 12:01 . 2012-07-12 07:02 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 12:00 . 2012-07-12 07:01 818688 ----a-w- c:\windows\system32\jscript.dll
2012-06-02 11:59 . 2012-07-12 07:02 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-02 11:57 . 2012-07-12 07:02 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-02 11:57 . 2012-07-12 07:02 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 11:54 . 2012-07-12 07:02 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-02 08:33 . 2012-07-12 07:01 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-02 08:25 . 2012-07-12 07:02 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-02 08:25 . 2012-07-12 07:01 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-02 08:20 . 2012-07-12 07:02 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-02 08:16 . 2012-07-12 07:02 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-06-02 05:38 . 2012-07-10 20:19 95088 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:38 . 2012-07-10 20:19 152432 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:37 . 2012-07-10 20:19 459216 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 05:27 . 2012-07-10 20:19 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:27 . 2012-07-10 20:19 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 04:48 . 2012-07-10 20:19 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:48 . 2012-07-10 20:19 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:47 . 2012-07-10 20:19 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:42 . 2012-07-10 20:19 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files (x86)\Vuze_Remote\prxtbVuz0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HLBackupScheduler"="c:\program files\Verizon V CAST Media Manager\V CAST Backup Scheduler.exe" [2010-12-08 5247624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2012-05-31 336992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
R3 dump_wmimmc;dump_wmimmc;c:\program files (x86)\NCsoft\Lineage II\system\GameGuard\dump_wmimmc.sys [x]
R3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2010-05-07 30304]
R3 LVUVC64;Logitech Webcam 120(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2010-07-07 6465632]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-10-23 77104]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-14 113120]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 ScreamBAudioSvc;ScreamBee Audio;c:\windows\system32\drivers\ScreamingBAudio64.sys [2009-12-01 38992]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-05 1255736]
R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys [x]
R4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-07 257224]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\AESTSr64.exe [2009-03-03 89600]
R4 Giraffic;Veoh Giraffic Video Accelerator;c:\program files (x86)\Giraffic\Veoh_GirafficWatchdog.exe [2012-07-02 2232504]
R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-30 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-30 136176]
R4 McAfeeEngineService;McAfee Engine Service;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\engineserver.exe [2009-10-23 19720]
R4 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-08-06 834544]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2009-12-17 1039776]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2009-12-17 31136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-10-23 79504]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [x]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [2010-03-01 81408]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-03 379496]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-04-15 2533400]
S3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2009-11-03 38440]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 47616]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2009-12-10 294064]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv_x64.sys [2012-01-11 34304]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv_x64.sys [2012-02-22 28160]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2011-05-10 174184]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [2008-12-26 21504]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 17:40]
.
2012-08-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1199237575-1499867286-3957390923-1000Core.job
- c:\users\Student\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-30 22:43]
.
2012-08-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1199237575-1499867286-3957390923-1000UA.job
- c:\users\Student\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-30 22:43]
.
2012-08-28 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1199237575-1499867286-3957390923-500Core.job
- c:\users\Administrator\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-23 00:11]
.
2012-08-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1199237575-1499867286-3957390923-500UA.job
- c:\users\Administrator\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-23 00:11]
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-30 15:42]
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-03-30 15:42]
.
2012-08-29 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
2012-08-23 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files (x86)\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-03-10 487424]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-02-17 375808]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2011-08-03 335976]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1692264]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\SHAREA~1\MediaBar\Datamngr\x64\IEBHO.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SYSTEM32\blank.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 204.111.1.210 204.111.1.195 192.168.1.1
FF - ProfilePath - c:\users\Student\AppData\Roaming\Mozilla\Firefox\Profiles\da8crj8s.default\
FF - prefs.js: browser.search.selectedEngine - uTorrentControl2 Customized Web Search
FF - prefs.js: browser.search.selectedengine - search the web
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{C2DB4FE6-8409-45CE-8010-189A7B5CCE86} - (no file)
WebBrowser-{DE404F4C-3CDE-4D74-A6FB-052D099C104C} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\06\05\1d\155\0a?"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-29 19:10:53
ComboFix-quarantined-files.txt 2012-08-29 23:10
ComboFix2.txt 2012-08-29 22:40
ComboFix3.txt 2012-08-25 23:09
ComboFix4.txt 2012-08-23 17:16
ComboFix5.txt 2012-08-29 23:02
.
Pre-Run: 261,017,935,872 bytes free
Post-Run: 260,936,671,232 bytes free
.
- - End Of File - - B3565A7FDF3F6A1ADFD24A1458C032D7


MBAM LOG

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.29.10

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Student :: LUG2QLTM1 [administrator]

8/29/2012 7:12:47 PM
mbam-log-2012-08-29 (19-12-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 227669
Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


ESET RESULTS IN ESETSCAN :x

C:\FRST\Quarantine\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\n Win64/Sirefef.W trojan
C:\FRST\Quarantine\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\U\00000008.@ Win64/Agent.BA trojan
C:\FRST\Quarantine\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\U\000000cb.@ Win64/Conedex.B trojan
C:\FRST\Quarantine\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\U\80000000.@ Win64/Sirefef.AP trojan
C:\FRST\Quarantine\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\U\80000032.@ a variant of Win32/Sirefef.FD trojan
C:\FRST\Quarantine\{181d7f9b-a1b0-bed2-d5e6-1304811f3574}\U\80000064.@ Win64/Sirefef.AN trojan
C:\Program Files (x86)\Cheat Engine 6.2\cheatengine-i386.exe a variant of Win32/HackTool.CheatEngine.AB application
C:\Program Files (x86)\Cheat Engine 6.2\standalonephase1.dat a variant of Win32/HackTool.CheatEngine.AF application
C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\OCSetupHlp.dll Win32/OpenCandy application
C:\Program Files (x86)\Vuze\.install4j\i4j_extf_27_5p83tu.dll a variant of Win32/Bunndle application
C:\Users\Student\AppData\Roaming\OpenCandy\OpenCandy_8DD30D1385BF4303BC312EAF0A9CE36F\DLMgr_3_1.6.87.exe Win32/OpenCandy application
C:\Users\Student\Downloads\FreemakeVideoConverter_3.0.2.15.exe Win32/OpenCandy application


Thank you Lovely!

#15 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:02:46 PM

Posted 29 August 2012 - 09:13 PM

Those detections are just to inform you that those installer files are bundled with adware (the type that will install a toolbar if you are not careful to opt out during installation), so if you no longer need them they can be deleted. (The other detections are already in quarantine.)


NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click on "Do I have Java"
  • It will check your current version and then offer to update to the latest version


NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT

Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT


Please advise how your computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
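The services behind the six scan categories listed above can also be inspected directly. The following PowerShell check is an added example, not Farbar Service Scanner's own code; the mapping of categories to service names is an assumption for illustration, while the service names themselves are the standard Windows 7 ones.

```powershell
# Added example (not Farbar Service Scanner's own code): inspect the Windows
# services behind the scan categories above. The category-to-service mapping
# is an assumption for illustration; the names are standard Windows 7 names.
$categories = @{
    'Internet Services' = @('Dhcp', 'Dnscache', 'nsi', 'BITS')
    'Windows Firewall'  = @('MpsSvc', 'BFE')
    'System Restore'    = @('VSS', 'swprv')
    'Security Center'   = @('wscsvc')
    'Windows Update'    = @('wuauserv')
    'Windows Defender'  = @('WinDefend')
}

function Get-ServiceHealth {
    foreach ($category in $categories.Keys) {
        foreach ($name in $categories[$category]) {
            # Win32_Service exposes start mode and the host binary; Get-WmiObject
            # is used so this also runs under PowerShell 2.0 on Windows 7.
            $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
            # svchost-hosted services load their real code from ServiceDll, so a
            # replaced DLL is invisible in PathName; read it from the registry.
            $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
            $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll

            # Flag what deserves a manual look (not automatic deletion): a missing
            # service key, a Disabled start mode, or a binary/DLL outside \Windows\.
            $suspect = (-not $wmi)
            if ($wmi -and $wmi.StartMode -eq 'Disabled') { $suspect = $true }
            if ($wmi -and $wmi.PathName -notmatch '(?i)\\Windows\\') { $suspect = $true }
            if ($dll -and $dll -notmatch '(?i)\\Windows\\') { $suspect = $true }

            New-Object PSObject -Property @{
                Category   = $category
                Service    = $name
                State      = $(if ($wmi) { $wmi.State } else { 'MISSING' })
                StartMode  = $(if ($wmi) { $wmi.StartMode } else { 'n/a' })
                PathName   = $(if ($wmi) { $wmi.PathName } else { 'n/a' })
                ServiceDll = $(if ($dll) { $dll } else { '' })
                Suspect    = $suspect
            }
        }
    }
}

Get-ServiceHealth | Sort-Object Category, Service |
    Format-Table Category, Service, State, StartMode, Suspect, ServiceDll -AutoSize
```

Run it from an elevated PowerShell prompt; the Suspect column only marks entries for a closer look, since third-party services legitimately live outside the Windows folder.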

