Possible hijack


  • This topic is locked
27 replies to this topic

#1 herbman

herbman

  • Members
  • 416 posts
  • OFFLINE
  • Local time:12:36 AM

Posted 28 April 2013 - 10:16 PM

Hello everyone, my computer came up with the PUM.Hijack HO virus or whatever it is, and my CD/DVD burner starts for no reason even when I'm away from my computer. CPU usage is also always very busy, so I ran HijackThis; can someone tell me if I have anything that looks bad?
 
 
 
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:14:55 PM, on 4/28/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v10.0 (10.00.9200.16537)
Boot mode: Normal
 
Running processes:
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\LG Mouse Scanner\LG_Smart_Scan.exe
C:\Program Files (x86)\LG Mouse Scanner\System_APP_Monitoring.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bing.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [E0ABF7B610234825E9A5FF9F9C93951EF1F88DFB._service_run] "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=service
O4 - Startup: LG Mouse Scanner.lnk = ?
O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\Tcpip\..\{139C85FD-14B8-477B-AACA-7119AF95FB96}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Intel® Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Integrated Clock Controller Service - Intel® ICCS (ICCS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\PSIA.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 8109 bytes

Edit: Moved topic from Am I infected? What do I do? to the more appropriate forum. ~ Animal
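The post above asks a reviewer to look over a HijackThis log by eye. As an added example (not from the post, from BleepingComputer, or from HijackThis itself), the Python script below parses lines in that log format and applies the first-pass checks a reviewer typically makes: browser start/search pages pointing at an unexpected host (R0/R1), autorun entries launching from user-writable folders (O4), DNS resolvers outside an allowlist (O17), and services with no publisher whose binary is actually present (O23). The sample lines are constructed: most are modelled on the posted log, while the example-hijacker search page, the AppData Run entry and the 10.0.0.53 resolver are made up so that each check fires. The allowlists, the `Finding` type and the `triage()` function are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis v2.0.4 format. Most lines are modelled on the
# log posted above; the example-hijacker search page, the AppData Run entry and
# the 10.0.0.53 resolver are made up so that every check below has something to
# trigger on.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bing.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-hijacker.test/?q=
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [updater] C:\Users\al\AppData\Roaming\updater\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{139C85FD-14B8-477B-AACA-7119AF95FB96}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 10.0.0.53
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
"""

# Assumed allowlists for this example; a real review tailors them to the machine.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}      # OpenDNS, as in the posted log
EXPECTED_BROWSER_HOSTS = {"www.bing.com", "go.microsoft.com"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.IGNORECASE)

# Every HijackThis entry starts with a section code ("R1", "O4", "O23") and " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse(log_text):
    """Yield (section, body, original line) for each HijackThis entry; skip header/footer text."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def triage(log_text):
    """Return the entries a reviewer should look at first, with a one-line reason each."""
    findings = []
    for section, body, line in parse(log_text):
        if section in ("R0", "R1"):
            # body looks like: HKCU\...\Main,Search Page = http://host/...
            _, _, value = body.partition(" = ")
            host = urlparse(value.strip()).hostname
            if host and host not in EXPECTED_BROWSER_HOSTS:
                findings.append(Finding(section, f"browser start/search page points at unexpected host {host}", line))
        elif section == "O4":
            # Autoruns that live in user-writable folders deserve a closer look.
            if USER_WRITABLE.search(body):
                findings.append(Finding(section, "autorun entry launches from a user-writable location", line))
        elif section == "O17":
            _, _, servers = body.partition("NameServer = ")
            unknown = [s.strip() for s in servers.split(",") if s.strip() and s.strip() not in KNOWN_RESOLVERS]
            if unknown:
                findings.append(Finding(section, f"DNS resolver(s) not in allowlist: {', '.join(unknown)}", line))
        elif section == "O23":
            # "(file missing)" on Windows system services is noise from HijackThis running as a
            # 32-bit process on 64-bit Windows (System32 is redirected), so only flag services
            # with no publisher whose binary is actually present.
            if "Unknown owner" in body and "(file missing)" not in body:
                findings.append(Finding(section, "service with no publisher and binary present; verify its signature", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed sample this reports four entries: the made-up search page, the Run entry under AppData, the 10.0.0.53 resolver and the Intel DHCP service (a legitimate file, which is exactly why such a finding means "check the signature", not "delete"). The "(file missing)" exclusion is the same 64-bit limitation nasdaq refers to below when asking for a DDS log instead.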



#2 herbman

herbman
  • Topic Starter

  • Members
  • 416 posts
  • OFFLINE
  • Local time:12:36 AM

Posted 29 April 2013 - 05:11 PM

Can you fill me in on what "appropriate" means? Thanks.



#3 herbman

herbman
  • Topic Starter

  • Members
  • 416 posts
  • OFFLINE
  • Local time:12:36 AM

Posted 29 April 2013 - 05:13 PM

Can you fill me in on where you put my post. Thanks.



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:36 AM

Posted 01 May 2013 - 09:23 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
  • Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
  • Please paste the logs in your next reply; DO NOT ATTACH THEM.
===

HijackThis doesn't handle Windows 7 well. In your case I need to see a final DDS Log.
You should remove HijackThis using the Add/Remove Programs list.

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.

1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
2: DDS.pif
3: DDS.COM

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.

Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

Let me know what problem persists.


#5 herbman

herbman
  • Topic Starter

  • Members
  • 416 posts
  • OFFLINE
  • Local time:12:36 AM

Posted 03 May 2013 - 04:10 PM

Nasdaq, apologies for being late, but I want to let you know I have an inquiry about an (incorrect image path problem) and am currently awaiting help with it. Boopme said it looked like an MBR infection and not to do anything.

 

I did leave the DDS logs as requested by Boopme; I am unsure what to do now.



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:36 AM

Posted 04 May 2013 - 07:20 AM

This is boopme's last post
 

Hello to all..... this appears to be a possible MBR infection and should be removed carefully.
Each should start a new topic ...

Please follow this Preparation Guide and post in a new topic.

Let me know if all went well.


You did well in starting a new topic here.

I will try to help you from now on.

Please run the tools I suggested and post the logs here for my review.

#7 herbman

herbman
  • Topic Starter

  • Members
  • 416 posts
  • OFFLINE
  • Local time:12:36 AM

Posted 04 May 2013 - 10:40 PM

OK, I will run those tools, but I posted on two separate issues: one was (wrong image path) and one was (PUM Hijack HO). Hopefully we can correct both.



#8 herbman

herbman
  • Topic Starter

  • Members
  • 416 posts
  • OFFLINE
  • Local time:12:36 AM

Posted 04 May 2013 - 11:35 PM

ComboFix 13-05-04.01 - al 05/04/2013  23:54:28.2.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6049.3559 [GMT -4:00]
Running from: c:\users\al\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-05 to 2013-05-05  )))))))))))))))))))))))))))))))
.
.
2013-05-05 03:57 . 2013-05-05 03:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-03 22:19 . 2013-05-03 22:19 -------- d-----w- c:\windows\ERUNT
2013-05-03 22:19 . 2013-05-03 22:19 -------- d-----w- C:\JRT
2013-05-03 02:23 . 2013-05-03 02:23 -------- d-----w- c:\program files (x86)\AmIcoSingLun
2013-05-03 02:23 . 2013-05-03 02:23 -------- d-----w- c:\programdata\AmUStor
2013-05-02 05:38 . 2013-05-02 05:38 -------- d-----w- c:\program files (x86)\ESET
2013-05-02 01:21 . 2013-05-02 01:21 -------- d-----w- c:\programdata\VS Revo Group
2013-05-02 01:21 . 2009-12-30 15:21 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys
2013-05-02 01:21 . 2013-05-02 01:21 -------- d-----w- c:\program files\VS Revo Group
2013-05-02 01:19 . 2013-05-02 01:22 -------- d-----w- c:\program files (x86)\VS Revo Group
2013-05-01 19:54 . 2013-05-01 20:03 -------- d-----w- c:\program files (x86)\LG Smart Scan
2013-05-01 19:41 . 2013-05-01 20:13 -------- d-----w- c:\programdata\ABBYY
2013-05-01 19:36 . 2013-05-01 19:36 -------- d-----w- c:\users\Public\ABBYY
2013-05-01 11:40 . 2013-05-01 11:40 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2013-05-01 11:40 . 2013-05-01 11:40 -------- d--h--w- c:\programdata\CanonBJ
2013-05-01 11:40 . 2012-03-14 09:00 99840 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPPAA.DLL
2013-05-01 11:40 . 2012-03-14 09:00 30208 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPDAA.DLL
2013-05-01 11:40 . 2012-03-14 09:00 385024 ----a-w- c:\windows\system32\CNMLMAA.DLL
2013-05-01 11:40 . 2010-03-18 23:26 348672 ----a-w- c:\windows\system32\CNC280L.dll
2013-05-01 11:40 . 2010-03-18 23:25 307200 ----a-w- c:\windows\SysWow64\CNC280L.dll
2013-05-01 11:40 . 2010-03-18 21:13 112128 ----a-w- c:\windows\system32\CNC280I.dll
2013-05-01 11:40 . 2010-03-18 21:11 106496 ----a-w- c:\windows\SysWow64\CNC280U.dll
2013-05-01 11:40 . 2008-08-25 22:02 15872 ----a-w- c:\windows\SysWow64\CNHMCA.dll
2013-05-01 11:40 . 2010-03-18 21:13 1354240 ----a-w- c:\windows\system32\CNC280C.dll
2013-05-01 11:40 . 2008-08-25 22:02 17920 ----a-w- c:\windows\system32\CNHMCA6.dll
2013-05-01 11:29 . 2013-05-01 11:29 -------- d-----w- c:\program files (x86)\Secunia
2013-05-01 11:18 . 2013-05-01 11:18 -------- d-----w- C:\TDSSKiller_Quarantine
2013-05-01 10:37 . 2013-05-01 10:34 -------- d-----w- c:\windows\Panther
2013-05-01 10:37 . 2013-05-01 10:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-05-01 10:37 . 2013-05-01 10:37 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-05-01 10:33 . 2013-05-01 10:33 -------- d-----w- c:\programdata\Licenses
2013-05-01 10:33 . 2011-11-04 09:13 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2013-05-01 10:33 . 2009-03-24 16:52 129872 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
2013-05-01 10:33 . 2013-05-04 01:52 -------- d-----w- c:\program files (x86)\SpywareBlaster
2013-05-01 10:32 . 2013-05-01 10:32 -------- d-----w- c:\program files\CCleaner
2013-05-01 10:31 . 2013-05-01 10:31 -------- d-----w- c:\programdata\Malwarebytes
2013-05-01 10:31 . 2013-05-01 10:31 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-05-01 10:31 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-01 10:08 . 2012-05-15 11:13 144896 ----a-w- c:\windows\system32\IntelOpenCL64.dll
2013-05-01 10:08 . 2012-05-15 11:13 20992 ----a-w- c:\windows\system32\OpenCL.dll
2013-05-01 10:08 . 2012-05-15 10:20 104448 ----a-w- c:\windows\SysWow64\IntelOpenCL32.dll
2013-05-01 10:08 . 2012-05-15 10:20 17920 ----a-w- c:\windows\SysWow64\OpenCL.dll
2013-05-01 10:07 . 2000-01-01 00:00 342528 ----a-w- c:\windows\system32\drivers\IntcDAud.sys
2013-05-01 10:07 . 2000-01-01 00:00 16896 ----a-w- c:\windows\system32\IntcDAuC.dll
2013-05-01 10:03 . 2013-05-01 10:03 -------- d-----w- c:\programdata\SonicFocus
2013-05-01 09:59 . 2013-05-01 09:59 -------- d-----w- c:\program files (x86)\ASM104xUSB3
2013-05-01 09:58 . 2013-05-04 23:05 16152 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2013-05-01 09:58 . 2013-05-01 09:58 -------- d-----w- c:\program files (x86)\SlimDrivers
2013-05-01 09:10 . 2013-05-01 09:10 97280 ----a-w- c:\windows\system32\mshtmled.dll
2013-05-01 09:02 . 2013-05-01 09:02 -------- d-----w- c:\program files (x86)\Microsoft.NET
2013-05-01 08:55 . 2013-05-01 08:55 -------- d-----w- c:\windows\SysWow64\Wat
2013-05-01 08:55 . 2013-05-01 08:55 -------- d-----w- c:\windows\system32\Wat
2013-05-01 08:51 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2013-05-01 08:50 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-05-01 08:50 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys
2013-05-01 08:50 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll
2013-05-01 08:50 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll
2013-05-01 08:50 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll
2013-05-01 08:50 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2013-05-01 08:50 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2013-05-01 08:50 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2013-05-01 08:50 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2013-05-01 08:33 . 2013-04-01 23:58 72702784 ----a-w- c:\windows\system32\MRT.exe
2013-05-01 08:29 . 2013-05-01 08:29 -------- d-----w- c:\program files (x86)\AVAST Software
2013-05-01 08:27 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-05-01 08:27 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2013-05-01 08:27 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-05-01 08:27 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2013-05-01 08:22 . 2013-04-17 10:31 9317456 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C892A82F-52FE-43F2-B43F-E5FA95899755}\mpengine.dll
2013-05-01 08:14 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll
2013-05-01 08:14 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll
2013-05-01 08:14 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2013-05-01 08:14 . 2010-09-30 10:41 100864 ----a-w- c:\windows\system32\fontsub.dll
2013-05-01 08:14 . 2010-09-30 06:47 70656 ----a-w- c:\windows\SysWow64\fontsub.dll
2013-05-01 08:14 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2013-05-01 08:13 . 2013-05-01 08:13 -------- d-----w- c:\program files\Google
2013-05-01 08:13 . 2012-07-26 03:08 229888 ----a-w- c:\windows\system32\WUDFHost.exe
2013-05-01 08:13 . 2012-07-26 03:08 84992 ----a-w- c:\windows\system32\WUDFSvc.dll
2013-05-01 08:13 . 2012-07-26 03:08 744448 ----a-w- c:\windows\system32\WUDFx.dll
2013-05-01 08:13 . 2012-07-26 03:08 45056 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2013-05-01 08:13 . 2012-07-26 03:08 194048 ----a-w- c:\windows\system32\WUDFPlatform.dll
2013-05-01 08:13 . 2012-07-26 02:26 87040 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2013-05-01 08:13 . 2012-07-26 02:26 198656 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2013-05-01 08:10 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-05-01 08:10 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2013-05-01 08:10 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2013-05-01 08:10 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2013-05-01 08:10 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2013-05-01 08:07 . 2012-10-09 18:17 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2013-05-01 08:06 . 2012-10-03 17:44 70656 ----a-w- c:\windows\system32\nlaapi.dll
2013-05-01 08:05 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2013-05-01 08:04 . 2012-11-20 05:48 307200 ----a-w- c:\windows\system32\ncrypt.dll
2013-05-01 08:03 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe
2013-05-01 08:03 . 2013-03-06 22:32 41664 ----a-w- c:\windows\avastSS.scr
2013-05-01 08:03 . 2013-05-01 08:03 -------- d-----w- c:\program files\AVAST Software
2013-05-01 08:02 . 2013-05-01 08:03 -------- d-----w- c:\programdata\AVAST Software
2013-05-01 08:01 . 2013-03-19 06:04 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-01 08:01 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2013-05-01 08:01 . 2013-03-19 05:46 43520 ----a-w- c:\windows\system32\csrsrv.dll
2013-05-01 08:01 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2013-05-01 08:01 . 2013-03-19 04:47 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
2013-05-01 08:01 . 2013-03-19 03:06 112640 ----a-w- c:\windows\system32\smss.exe
2013-05-01 08:00 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
2013-05-01 08:00 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
2013-05-01 07:59 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2013-05-01 07:59 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2013-05-01 07:54 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2013-05-01 07:54 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2013-05-01 07:49 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2013-05-01 07:49 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2013-05-01 07:49 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2013-05-01 07:49 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2013-05-01 07:49 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2013-05-01 07:49 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2013-05-01 07:49 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2013-05-01 07:48 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2013-05-01 07:48 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2013-05-01 07:44 . 2013-05-01 07:44 -------- d-----w- C:\eSupport
2013-05-01 07:22 . 2013-05-03 02:23 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
2013-05-01 07:21 . 2013-05-01 10:08 -------- d-----w- c:\program files (x86)\Intel
2013-05-01 07:21 . 2000-01-01 00:00 53248 ----a-w- c:\windows\SysWow64\CSVer.dll
2013-05-01 07:21 . 2013-05-01 10:07 -------- d-----w- C:\Intel
2013-05-01 07:17 . 2013-05-01 07:17 -------- d--h--w- c:\windows\system32\WLANProfiles
2013-05-01 07:16 . 2013-05-01 07:16 -------- d-----w- c:\users\Public\Roaming
2013-05-01 07:15 . 2013-05-01 07:16 -------- d-----w- c:\users\Default\Roaming
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-12 05:10 . 2010-11-21 03:27 282744 ------w- c:\windows\system32\MpSigStub.exe
2013-02-12 05:45 . 2013-05-01 08:06 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-05-01 08:06 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45 . 2013-05-01 08:06 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-05-01 08:06 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48 . 2013-05-01 08:06 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-05-01 08:06 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-07 12:15 . 2013-02-07 12:15 18456 ----a-w- c:\windows\system32\drivers\psi_mf_amd64.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-11-01 5629312]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2013-05-01 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
.
c:\users\al\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LG Smart Scan.lnk - c:\program files (x86)\LG Smart Scan\Scanner Mouse.exe [2013-4-9 37797992]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2013-2-7 575000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [2000-01-01 46592]
R3 aswVmm;aswVmm; [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 31800]
R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys [2013-05-04 16152]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-05-01 1255736]
S0 aswRvrt;aswRvrt; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-03-06 80816]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2013-02-07 1223704]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2011-11-03 130536]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2011-11-03 395752]
S3 bpenum;Intel® Centrino® WiMAX Enumerator;c:\windows\system32\DRIVERS\bpenum.sys [2011-05-19 84480]
S3 bpmp;Intel® Centrino® WiMAX 6050 Series;c:\windows\system32\DRIVERS\bpmp.sys [2011-05-19 182272]
S3 bpusb;Intel® Centrino® WiMAX 6050 Series Function Driver;c:\windows\system32\Drivers\bpusb.sys [2011-05-19 83968]
S3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [2012-04-24 169752]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2000-01-01 342528]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2011-04-20 169584]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 25928]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf_amd64.sys [2013-02-07 18456]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-05-01 08:10 1642448 ----a-w- c:\program files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-05-01 08:05]
.
2013-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-05-01 08:05]
.
2013-05-04 c:\windows\Tasks\SlimDrivers Startup.job
- c:\program files (x86)\SlimDrivers\SlimDrivers.exe [2013-03-29 20:22]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 22:32 133840 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2000-01-01 12503184]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2000-01-01 1212560]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-12-14 172144]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-12-14 399984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-14 441968]
"IntelWirelessWiMAX"="c:\program files\Intel\WiMAX\Bin\WiMAXCU.exe" [2011-06-02 1622016]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2000-01-01 323584]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-01293321.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-05-04  23:58:57
ComboFix-quarantined-files.txt  2013-05-05 03:58
ComboFix2.txt  2013-05-01 11:11
.
Pre-Run: 601,298,399,232 bytes free
Post-Run: 601,002,508,288 bytes free
.
- - End Of File - - 7F479E340E8E746D67E9D21F823FAB54

Security check below

 Results of screen317's Security Check version 0.99.63  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0    
 Secunia PSI (3.0.0.6005)   
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Google Chrome 26.0.1410.64  
````````Process Check: objlist.exe by Laurent````````
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1% 
````````````````````End of Log``````````````````````

Adwcleaner info

DDS info
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16537
Run by al at 0:28:53 on 2013-05-05
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6049.3777 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe
C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\SlimDrivers\SlimDrivers.exe
C:\Program Files (x86)\LG Smart Scan\Scanner Mouse.exe
C:\Program Files (x86)\LG Smart Scan\Scanner Mouse Monitoring.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k defragsvc
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll
BHO: avast! Ad Blocker: {FFCB3198-32F3-4E8B-9539-4324694ED663} - C:\Program Files (x86)\AVAST Software\avast! Ad Blocker IE\Adblocker32.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
StartupFolder: C:\Users\al\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\LGSMAR~1.LNK - C:\Program Files (x86)\LG Smart Scan\Scanner Mouse.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{AFCD7447-5FAF-437A-BDD2-35DB0F72926C} : DHCPNameServer = 192.168.1.1
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg64.dll
x64-BHO: avast! Ad Blocker: {FFCB3198-32F3-4E8B-9539-4324694ED663} - C:\Program Files (x86)\AVAST Software\avast! Ad Blocker IE\Adblocker64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /SF3 
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [IntelWirelessWiMAX] "C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe" /tasktray /nosplash
x64-Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;aswRvrt;C:\Windows\System32\drivers\aswRvrt.sys [2013-5-1 65336]
R0 aswVmm;aswVmm;C:\Windows\System32\drivers\aswVmm.sys [2013-5-1 189936]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2013-5-1 1025808]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2013-5-1 378432]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2013-5-1 33400]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-5-1 80816]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2013-5-5 46808]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-5-1 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-5-1 701512]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2013-2-7 1223704]
R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2011-11-3 130536]
R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2011-11-3 395752]
R3 bpenum;Intel® Centrino® WiMAX Enumerator;C:\Windows\System32\drivers\bpenum.sys [2011-5-19 84480]
R3 bpmp;Intel® Centrino® WiMAX 6050 Series;C:\Windows\System32\drivers\bpmp.sys [2011-5-19 182272]
R3 bpusb;Intel® Centrino® WiMAX 6050 Series Function Driver;C:\Windows\System32\drivers\bpusb.sys [2011-5-19 83968]
R3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [2013-5-1 169752]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-5-1 342528]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-4-20 169584]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-5-1 25928]
R3 PSI;PSI;C:\Windows\System32\drivers\psi_mf_amd64.sys [2013-2-7 18456]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AmUStor;AM USB Stroage Driver;C:\Windows\System32\drivers\AmUStor.sys [1999-12-31 46592]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-5-1 19456]
S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2013-5-1 31800]
S3 SWDUMon;SWDUMon;C:\Windows\System32\drivers\SWDUMon.sys [2013-5-1 16152]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-5-1 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2013-5-1 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-5-1 1255736]
.
=============== Created Last 30 ================
.
2013-05-05 04:09:22 -------- d-sh--w- C:\$RECYCLE.BIN
2013-05-05 03:53:51 -------- d-----w- C:\ComboFix
2013-05-03 22:19:51 -------- d-----w- C:\Windows\ERUNT
2013-05-03 22:19:45 -------- d-----w- C:\JRT
2013-05-03 02:23:07 -------- d-----w- C:\ProgramData\AmUStor
2013-05-03 02:23:07 -------- d-----w- C:\Program Files (x86)\AmIcoSingLun
2013-05-02 22:08:16 -------- d-----w- C:\Users\al\AppData\Local\Apps
2013-05-02 05:38:55 -------- d-----w- C:\Program Files (x86)\ESET
2013-05-02 01:22:00 -------- d-----w- C:\Users\al\AppData\Local\VS Revo Group
2013-05-02 01:21:55 -------- d-----w- C:\ProgramData\VS Revo Group
2013-05-02 01:21:54 31800 ----a-w- C:\Windows\System32\drivers\revoflt.sys
2013-05-02 01:21:53 -------- d-----w- C:\Program Files\VS Revo Group
2013-05-02 01:19:58 -------- d-----w- C:\Program Files (x86)\VS Revo Group
2013-05-01 20:03:46 -------- d-----w- C:\Users\al\AppData\Local\Scanner Mouse
2013-05-01 19:55:11 -------- d-----w- C:\Users\al\AppData\Local\LG Electronics
2013-05-01 19:54:45 -------- d-----w- C:\Program Files (x86)\LG Smart Scan
2013-05-01 19:41:03 -------- d-----w- C:\ProgramData\ABBYY
2013-05-01 19:36:04 -------- d-----w- C:\Users\al\AppData\Roaming\ABBYY
2013-05-01 19:36:04 -------- d-----w- C:\Users\al\AppData\Local\ABBYY
2013-05-01 11:40:32 99840 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\CNMPPAA.DLL
2013-05-01 11:40:32 30208 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\CNMPDAA.DLL
2013-05-01 11:40:18 385024 ----a-w- C:\Windows\System32\CNMLMAA.DLL
2013-05-01 11:40:07 348672 ----a-w- C:\Windows\System32\CNC280L.dll
2013-05-01 11:40:07 307200 ----a-w- C:\Windows\SysWow64\CNC280L.dll
2013-05-01 11:40:07 15872 ----a-w- C:\Windows\SysWow64\CNHMCA.dll
2013-05-01 11:40:07 112128 ----a-w- C:\Windows\System32\CNC280I.dll
2013-05-01 11:40:07 106496 ----a-w- C:\Windows\SysWow64\CNC280U.dll
2013-05-01 11:40:06 17920 ----a-w- C:\Windows\System32\CNHMCA6.dll
2013-05-01 11:40:06 1354240 ----a-w- C:\Windows\System32\CNC280C.dll
2013-05-01 11:29:33 -------- d-----w- C:\Users\al\AppData\Local\Secunia PSI
2013-05-01 11:29:19 -------- d-----w- C:\Program Files (x86)\Secunia
2013-05-01 11:18:39 -------- d-----w- C:\TDSSKiller_Quarantine
2013-05-01 11:05:07 98816 ----a-w- C:\Windows\sed.exe
2013-05-01 11:05:07 256000 ----a-w- C:\Windows\PEV.exe
2013-05-01 11:05:07 208896 ----a-w- C:\Windows\MBR.exe
2013-05-01 10:37:50 -------- d-----w- C:\Users\al\AppData\Roaming\SUPERAntiSpyware.com
2013-05-01 10:37:37 -------- d-----w- C:\Windows\Panther
2013-05-01 10:37:30 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2013-05-01 10:37:30 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2013-05-01 10:33:25 -------- d-----w- C:\ProgramData\Licenses
2013-05-01 10:33:21 129872 ----a-w- C:\Windows\SysWow64\MSSTDFMT.DLL
2013-05-01 10:33:21 1070352 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2013-05-01 10:33:20 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2013-05-01 10:32:40 -------- d-----w- C:\Program Files\CCleaner
2013-05-01 10:31:19 -------- d-----w- C:\Users\al\AppData\Roaming\Malwarebytes
2013-05-01 10:31:16 -------- d-----w- C:\ProgramData\Malwarebytes
2013-05-01 10:31:14 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-05-01 10:31:14 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-01 10:31:05 -------- d-----w- C:\Users\al\AppData\Local\Programs
2013-05-01 10:08:08 20992 ----a-w- C:\Windows\System32\OpenCL.dll
2013-05-01 10:08:08 144896 ----a-w- C:\Windows\System32\IntelOpenCL64.dll
2013-05-01 10:08:06 17920 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2013-05-01 10:08:06 104448 ----a-w- C:\Windows\SysWow64\IntelOpenCL32.dll
2013-05-01 10:07:16 342528 ----a-w- C:\Windows\System32\drivers\IntcDAud.sys
2013-05-01 10:07:14 16896 ----a-w- C:\Windows\System32\IntcDAuC.dll
2013-05-01 10:03:01 -------- d-----w- C:\ProgramData\SonicFocus
2013-05-01 09:59:45 -------- d-----w- C:\Program Files (x86)\ASM104xUSB3
2013-05-01 09:58:15 16152 ----a-w- C:\Windows\System32\drivers\SWDUMon.sys
2013-05-01 09:58:12 -------- d-----w- C:\Users\al\AppData\Local\SlimWare Utilities Inc
2013-05-01 09:58:06 -------- d-----w- C:\Program Files (x86)\SlimDrivers
2013-05-01 08:55:08 -------- d-----w- C:\Windows\SysWow64\Wat
2013-05-01 08:55:08 -------- d-----w- C:\Windows\System32\Wat
2013-05-01 08:51:32 2776576 ----a-w- C:\Windows\System32\msmpeg2vdec.dll
2013-05-01 08:50:55 458712 ----a-w- C:\Windows\System32\drivers\cng.sys
2013-05-01 08:50:55 340992 ----a-w- C:\Windows\System32\schannel.dll
2013-05-01 08:50:55 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2013-05-01 08:50:55 154480 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2013-05-01 08:50:54 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2013-05-01 08:50:54 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2013-05-01 08:50:54 1448448 ----a-w- C:\Windows\System32\lsasrv.dll
2013-05-01 08:50:52 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2013-05-01 08:50:52 366592 ----a-w- C:\Windows\System32\qdvd.dll
2013-05-01 08:29:33 -------- d-----w- C:\Program Files (x86)\AVAST Software
2013-05-01 08:27:24 9728 ----a-w- C:\Windows\System32\Wdfres.dll
2013-05-01 08:27:24 785512 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
2013-05-01 08:27:24 54376 ----a-w- C:\Windows\System32\drivers\WdfLdr.sys
2013-05-01 08:27:24 2560 ----a-w- C:\Windows\System32\drivers\en-US\wdf01000.sys.mui
2013-05-01 08:22:05 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-05-01 08:22:01 9317456 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C892A82F-52FE-43F2-B43F-E5FA95899755}\mpengine.dll
2013-05-01 08:14:36 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
2013-05-01 08:14:36 46080 ----a-w- C:\Windows\System32\atmlib.dll
2013-05-01 08:14:36 367616 ----a-w- C:\Windows\System32\atmfd.dll
2013-05-01 08:14:36 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2013-05-01 08:14:36 100864 ----a-w- C:\Windows\System32\fontsub.dll
2013-05-01 08:14:35 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2013-05-01 08:13:37 87040 ----a-w- C:\Windows\System32\drivers\WUDFPf.sys
2013-05-01 08:13:37 84992 ----a-w- C:\Windows\System32\WUDFSvc.dll
2013-05-01 08:13:37 744448 ----a-w- C:\Windows\System32\WUDFx.dll
2013-05-01 08:13:37 45056 ----a-w- C:\Windows\System32\WUDFCoinstaller.dll
2013-05-01 08:13:37 229888 ----a-w- C:\Windows\System32\WUDFHost.exe
2013-05-01 08:13:37 198656 ----a-w- C:\Windows\System32\drivers\WUDFRd.sys
2013-05-01 08:13:37 194048 ----a-w- C:\Windows\System32\WUDFPlatform.dll
2013-05-01 08:10:55 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2013-05-01 08:10:55 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2013-05-01 08:10:55 5120 ----a-w- C:\Windows\System32\wmi.dll
2013-05-01 08:10:55 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2013-05-01 08:10:55 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2013-05-01 08:07:48 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
2013-05-01 08:06:56 70656 ----a-w- C:\Windows\System32\nlaapi.dll
2013-05-01 08:05:58 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2013-05-01 08:04:59 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2013-05-01 08:03:59 68608 ----a-w- C:\Windows\System32\taskhost.exe
2013-05-01 08:03:23 41664 ----a-w- C:\Windows\avastSS.scr
2013-05-01 08:03:05 -------- d-----w- C:\Program Files\AVAST Software
2013-05-01 08:02:07 -------- d-----w- C:\ProgramData\AVAST Software
2013-05-01 08:01:51 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-05-01 08:01:51 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-05-01 08:01:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2013-05-01 08:01:50 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2013-05-01 08:01:50 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-05-01 08:01:50 112640 ----a-w- C:\Windows\System32\smss.exe
2013-05-01 08:00:04 67072 ----a-w- C:\Windows\splwow64.exe
2013-05-01 08:00:04 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2013-05-01 07:59:41 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2013-05-01 07:59:41 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
2013-05-01 07:54:31 77312 ----a-w- C:\Windows\System32\packager.dll
2013-05-01 07:54:31 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2013-05-01 07:49:18 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2013-05-01 07:49:10 99840 ----a-w- C:\Windows\System32\wudriver.dll
2013-05-01 07:48:55 36864 ----a-w- C:\Windows\System32\wuapp.exe
2013-05-01 07:48:55 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2013-05-01 07:47:51 -------- d-----w- C:\Users\al\AppData\Local\Diagnostics
2013-05-01 07:44:04 -------- d-----w- C:\eSupport
2013-05-01 07:38:07 -------- d-----w- C:\Users\al\AppData\Local\ElevatedDiagnostics
2013-05-01 07:21:10 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2013-05-01 07:21:08 -------- d-----w- C:\Intel
2013-05-01 07:17:22 -------- d--h--w- C:\Windows\System32\WLANProfiles
2013-05-01 07:16:10 -------- d-----w- C:\Users\al\AppData\Roaming\Intel
2013-05-01 07:15:59 -------- d-----w- C:\Users\al\Roaming
2013-05-01 07:14:41 -------- d-sh--w- C:\Windows\Installer
.
==================== Find3M  ====================
.
2013-05-02 15:44:28 189936 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
2013-05-01 23:34:06 72016 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2013-05-01 23:34:06 65336 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
2013-05-01 23:34:06 1025808 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2013-05-01 23:34:05 80816 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-03-12 05:10:56 282744 ------w- C:\Windows\System32\MpSigStub.exe
2013-03-01 03:36:04 3153408 ----a-w- C:\Windows\System32\win32k.sys
2013-02-12 05:45:24 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45:22 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45:22 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45:22 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48:31 474112 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-02-12 04:12:05 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys
2013-02-07 12:15:22 18456 ----a-w- C:\Windows\System32\drivers\psi_mf_amd64.sys
.
============= FINISH:  0:29:10.53 ===============

I did not specifically post because I was having problems; I posted because of a (wrong image path) situation that has yet to be corrected. The wrong image path issue I originally posted about on April 4th is still there; nothing has corrected it. Boopme said it looks like an MBR infection and needs special help.

 

The other issue I asked for help with was the PUM Hijack HO I kept repeatedly getting when I scanned with Malwarebytes. The highlighted entry on the ComboFix log is the one that keeps coming up as wrong image path. The other highlighted parts are just suspicious looking, but I can't tell if they are or not; you're the expert.

 

Thank you very, very much for the help.

Edited by herbman, 05 May 2013 - 07:42 AM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 May 2013 - 08:11 AM

2013-05-01 08:22:05 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-05-01 08:22:01 9317456 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C892A82F-52FE-43F2-B43F-E5FA95899755}\mpengine.dll

This folder name is a unique name that is set by the installation program and is different for each user.
{C892A82F-52FE-43F2-B43F-E5FA95899755}
===

If Windows Defender is the culprit then we can disable it.

How To.
http://www.howtogeek.com/howto/15788/how-to-uninstall-disable-and-remove-windows-defender.-also-how-turn-it-off/

But before we disable it I would like to have a look at some settings.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
===
 

The other issue i asked for help with was the PUM Hijack HO i kept repeatedly getting when i scanned with Malwarebytes.

Please post a Malwarebytes log so I can see what is being identified.

#10 herbman

herbman
  • Topic Starter

  • Members
  • 416 posts

Posted 05 May 2013 - 09:38 AM

Farbar Service Scanner Version: 14-04-2013
Ran by al (administrator) on 05-05-2013 at 10:37:07
Running from "C:\Users\al\Downloads"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
 
 
**** End of log ****

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.05.01.03
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16540
al :: AL-PC [administrator]
 
Protection: Enabled
 
5/1/2013 6:32:21 AM
mbam-log-2013-05-01 (06-32-21).txt
 
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 300759
Time elapsed: 25 minute(s), 37 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 1
HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\control panel|Homepage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)

Nasdaq, I'm not sure if the (incorrect image path) issue is fixed, because every few days that PUM Hijack HO thing seems to come back.

Edited by herbman, 05 May 2013 - 09:45 AM.


#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 May 2013 - 10:40 AM

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or RogueKiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.
  • Let me know if Windows Defender is still an issue.


#12 herbman

herbman
  • Topic Starter

  • Members
  • 416 posts

Posted 05 May 2013 - 12:48 PM

RogueKiller V8.5.4 _x64_ [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : al [Admin rights]
Mode : Remove -- Date : 05/05/2013 13:46:23
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 6 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {59031A47-3F72-44A7-89C5-5595FE6B30EE} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED] ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: WDC WD6400BPVT-80HXZT3 ATA Device +++++
--- User ---
[MBR] ef8d4f31926369e4d7bb9bb87da9e88c
[BSP] 943d3c2a959f9dba84794a7edcbb181a : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 610378 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: USB Disk +++++
--- User ---
[MBR] 8a4a3f84a9eda68451f8bdccda84c484
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8192 | Size: 7576 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
 
Finished : << RKreport[2]_D_05052013_02d1346.txt >>
RKreport[1]_S_05052013_02d1345.txt ; RKreport[2]_D_05052013_02d1346.txt


#13 herbman

herbman
  • Topic Starter

  • Members
  • 416 posts

Posted 05 May 2013 - 12:54 PM

* FontCache => %SystemRoot%\system32\svchost.exe -k LocalService [Incorrect ImageP

This is what it has shown. I also notice lots and lots of Google internet cache files every time I use CCleaner.



#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 May 2013 - 01:19 PM

Let's find out if this svchost key is damaged.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost /sub
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#15 herbman

herbman
  • Topic Starter

  • Members
  • 416 posts

Posted 05 May 2013 - 01:45 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 14:41 on 05/05/2013 by al
Administrator - Elevation successful
 
========== reg ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"RPCSS"="RpcEptMapper RpcSs"
"defragsvc"="defragsvc"
"LocalSystemNetworkRestricted"="UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc IPBusEnum hidserv dot3svc irmon sysmain PcaSvc homegrouplistener WPDBusEnum wlansvc TabletInputService"
"LocalService"="nsi WdiServiceHost w32time EventSystem RemoteRegistry WinHttpAutoProxySvc sppuinotify THREADORDER netprofm lltdsvc fdphost SstpSvc WebClient FontCache"
"netsvcs"="AeLookupSvc CertPropSvc SCPolicySvc lanmanserver gpsvc IKEEXT AudioSrv FastUserSwitchingCompatibility Ias Irmon Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess SENS Sharedaccess SRService Tapisrv Wmi WmdmPmSp TermService wuauserv BITS ShellHWDetection LogonHours PCAudit helpsvc uploadmgr iphlpsvc seclogon AppInfo msiscsi MMCSS winmgmt SessionEnv browser EapHost schedule hkmsvc wercplsupport ProfSvc Themes BDESVC"
"WerSvcGroup"="wersvc"
"LocalServiceNoNetwork"="DPS PLA BFE mpssvc WwanSvc"
"termsvcs"="TermService"
"swprv"="swprv"
"LocalServiceNetworkRestricted"="DHCP eventlog AudioSrv BthHFSrv LmHosts wscsvc homegroupprovider WPCSvc"
"LocalServicePeerNet"="PNRPSvc p2pimsvc p2psvc PnrpAutoReg"
"NetworkServiceAndNoImpersonation"="KtmRm"
"regsvc"="RemoteRegistry"
"LocalServiceAndNoImpersonation"="SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc"
"DcomLaunch"="Power PlugPlay DcomLaunch"
"NetworkServiceNetworkRestricted"="PolicyAgent"
"NetworkService"="CryptSvc DHCP TermService DNSCache lanmanworkstation NapAgent nlasvc WinRM WECSVC Tapisrv"
"sdrsvc"="sdrsvc"
"WbioSvcGroup"="WbioSrvc"
"imgsvc"="StiSvc"
"wcssvc"="WcsPlugInService"
"AxInstSVGroup"="AxInstSV"
"secsvcs"="WinDefend"
"bthsvcs"="bthserv"
"GPSvcGroup"="GPSvc"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\AxInstSVGroup]
"ImpersonationLevel"= 0x0000000003 (3)
"CoInitializeSecurityParam"= 0x0000000000 (0)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\defragsvc]
"CoInitializeSecurityParam"= 0x0000000000 (0)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\GPSvcGroup]
"AuthenticationCapabilities"= 0x0000003020 (12320)
"CoInitializeSecurityParam"= 0x0000000001 (1)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalService]
"AuthenticationCapabilities"= 0x0000002000 (8192)
"CoInitializeSecurityParam"= 0x0000000001 (1)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalServiceAndNoImpersonation]
"AuthenticationCapabilities"= 0x0000002000 (8192)
"CoInitializeSecurityParam"= 0x0000000001 (1)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalServiceNetworkRestricted]
"DefaultRpcStackSize"= 0x0000000040 (64)
"CoInitializeSecurityParam"= 0x0000000001 (1)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalServiceNoNetwork]
"CoInitializeSecurityParam"= 0x0000000001 (1)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalSystemNetworkRestricted]
"CoInitializeSecurityParam"= 0x0000000001 (1)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]
"AuthenticationCapabilities"= 0x0000003020 (12320)
"CoInitializeSecurityParam"= 0x0000000001 (1)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"DefaultRpcStackSize"= 0x000000001c (28)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkServiceRemoteDesktopHyperVAgent]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"AuthenticationCapabilities"= 0x0000002000 (8192)
"AuthenticationLevel"= 0x0000000006 (6)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkServiceRemoteDesktopPublishing]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"AuthenticationCapabilities"= 0x0000002000 (8192)
"AuthenticationLevel"= 0x0000000006 (6)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\SDRSVC]
"CoInitializeSecurityParam"= 0x0000000000 (0)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\swprv]

Nasdaq, I am still noticing massive amounts of Chrome cache files like I have never seen before, but we will leave that for another time. One thing at a time.

Edited by herbman, 06 May 2013 - 01:06 AM.
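One way to check the Svchost group table that nasdaq asks for above against each service's own ImagePath, as an added example that is not part of the thread and not code from SystemLook, ComboFix or RogueKiller. It assumes an elevated PowerShell on Windows 7 or later, uses only built-in cmdlets, and reports only inconsistencies; what ComboFix's "Incorrect ImagePath" heuristic itself tests is not stated in the thread, so this is a defender's consistency check rather than a reproduction of that flag.

```powershell
# Added example, not code from the thread or from any of the tools it uses.
# Assumptions: elevated PowerShell on Windows 7 or later; only built-in cmdlets.
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$hostExe     = (Join-Path $env:SystemRoot 'system32\svchost.exe').ToLowerInvariant()

# 1. Build group -> members from the Svchost key (each value is a REG_MULTI_SZ list).
$groupMembers = @{}
foreach ($prop in (Get-ItemProperty -Path $svchostKey).PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider ...
    $members = @($prop.Value) -split '\s+' | Where-Object { $_ }
    $groupMembers[$prop.Name.ToLowerInvariant()] = @($members | ForEach-Object { $_.ToLowerInvariant() })
}

# 2. Every name listed in a group should still exist as a service key.
foreach ($group in $groupMembers.Keys) {
    foreach ($svc in $groupMembers[$group]) {
        if (-not (Test-Path (Join-Path $servicesKey $svc))) {
            "[STALE]    group '$group' lists '$svc' but no such service key exists"
        }
    }
}

# 3. Every service hosted by svchost.exe should (a) point at the real system32 copy and
#    (b) be a member of the group named by its -k argument.
foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $imagePath = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $imagePath -or $imagePath -notmatch '(?i)svchost\.exe') { continue }
    $name     = $key.PSChildName
    $expanded = ([Environment]::ExpandEnvironmentVariables($imagePath) -replace '"', '').Trim().ToLowerInvariant()
    if (-not $expanded.StartsWith($hostExe) -or $expanded -notmatch '\s-k\s+(\S+)') {
        "[ODDPATH]  $name -> '$imagePath'"      # wrong directory, missing -k, or unexpected syntax
        continue
    }
    $group = $Matches[1]
    if (-not $groupMembers.ContainsKey($group)) {
        "[NOGROUP]  $name -> -k $group is not defined under the Svchost key"
    } elseif ($groupMembers[$group] -notcontains $name.ToLowerInvariant()) {
        "[UNLISTED] $name -> -k $group but '$name' is not in that group's member list"
    }
}
```

A clean system prints nothing. On newer Windows versions the per-user service instances (names with a random suffix) are created from a template and can show up as UNLISTED; review those by hand rather than treating them as findings.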




