Possible infection


  • This topic is locked
10 replies to this topic

#1 doveman

doveman

  • Members
  • 25 posts
  • OFFLINE
  • Local time:05:44 PM

Posted 21 May 2013 - 02:40 PM

I noticed in the System log "The CrystalSysInfo service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source." which I didn't recognise, and a Google search suggests it might be malware.
 
I'm also seeing this now "The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly." and I don't recognise that either. Nor do I see anything in services.msc that matches either of these.
 
I've not actually seen any warnings from Avira, or any other problems that aren't probably just down to hardware (I had some games BSOD on me, but I seem to have fixed that by cancelling the GPU overclock, and some services weren't starting at boot properly, but increasing the ServicesPipeTimeout to 120000 seems to have fixed that, so I guess there's just a lot loading at boot and it takes longer than usual).
 
EDIT: Sorry, just read I should have posted the DDS output. I'm afraid I've already run TDSSKiller, ComboFix and aswMBR as well before reading that I shouldn't, so I thought I might as well include their log files in the attached zip along with Attach.txt. Obviously I'll run them again if asked.
 
I'm rather suspicious of sed.exe, MBR.exe and PEV.exe in C:\Windows but nothing I've scanned them with so far (including Jotti online scan) has identified them as malware.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16576  BrowserJavaVersion: 10.21.2
Run by Del at 23:06:44 on 2013-05-21
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.44.1033.18.16348.10748 [GMT 1:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\atieclxx.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bitvise SSH Server\BvSshServer.exe
C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe
C:\Program Files (x86)\MPExtended\Service\MPExtended.ServiceHosts.CoreService.exe
C:\Program Files (x86)\MPExtended\WebMediaPortal\MPExtended.ServiceHosts.WebMediaPortal.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\PhenomMsrTweaker\PhenomMsrTweakerService.exe
C:\Program Files\nfsd\pmapd.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bitvise SSH Server\BssCtrl.exe
C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\IObit\Game Booster 3\gbtray.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files (x86)\RadeonPro\RadeonProSupport.exe
C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files (x86)\Team MediaPortal\MediaPortal TV Server\TVService.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Classic Shell\ClassicStartMenu.exe
D:\Games\Xpadder\Xpadder.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Users\Del\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\Jitsi\Jitsi.exe
C:\Program Files (x86)\RadeonPro\RadeonPro.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe
C:\Program Files (x86)\Actual Multiple Monitors\ActualMultipleMonitorsCenter.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Actual Multiple Monitors\ActualMultipleMonitorsCenter64.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\nfsd\nfsd.exe
C:\Program Files (x86)\Actual Multiple Monitors\ActualMultipleMonitorsShellCenter64.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\RadeonPro\RadeonPro64.exe
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe
E:\Portable Apps\HwInfo64\HWiNFO64.exe
C:\Program Files (x86)\Unigine\Valley Benchmark 1.0\bin\browser_x86.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Reader.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
E:\Portable Apps\IronPortable\Iron\Iron.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://startpage.com/uk/
BHO: ExplorerBHO Class: {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Classic Explorer Bar: {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [Xpadder] "D:\Games\Xpadder\Xpadder.exe" /m
uRun: [MPExtended Configurator] C:\Program Files (x86)\MPExtended\Service\MPExtended.Applications.ServiceConfigurator.exe /OnBoot
uRun: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
uRun: [Spotify Web Helper] "C:\Users\Del\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
uRun: [Jitsi] C:\Program Files\Jitsi\Jitsi.exe
uRun: [RadeonPro] "C:\Program Files (x86)\RadeonPro\RadeonPro.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [Bitvise SSH Server Activation State Checker] "C:\Program Files\Bitvise SSH Server\BssActStateCheck.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe" /r
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Del\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVENTG~1.LNK - C:\Program Files (x86)\EventGhost\EventGhost.exe
StartupFolder: C:\Users\Del\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PHENOM~1.LNK - C:\Program Files\PhenomMsrTweaker\PhenomMsrTweaker.exe
StartupFolder: C:\Users\Del\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\VAC(MA~1.LNK - C:\Program Files (x86)\VAC System\VACSystem.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ACTUAL~1.LNK - C:\Program Files (x86)\Actual Multiple Monitors\ActualMultipleMonitorsCenter.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INSTAL~1.LNK - C:\Program Files (x86)\Common Files\lpuninstall.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
IE: LastPass - C:\Users\Del\AppData\LocalLow\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - C:\Users\Del\AppData\LocalLow\LastPass\context.html?cmd=fillforms
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
IE: {64964764-1101-4bbd-8891-B56B1A53B9B3} - {553891B7-A0D5-4526-BE18-D3CE461D6310}
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15102/CTSUEng.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/130321/CTPID.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com//activex/ractrl.cab?lmi=972
TCP: Interfaces\{2729F1F0-D062-41B1-AE0F-F2F371BD23AB} : NameServer = 8.8.8.8
TCP: Interfaces\{BAF14AD3-FD4B-4CC5-8470-7FB943D1B432} : NameServer = 178.21.23.150,205.204.88.60
AppInit_DLLs= C:\Windows\SysWOW64\guard32.dll
SSODL: WebCheck - <orphaned>
x64-BHO: ExplorerBHO Class: {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer64.dll
x64-BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-TB: Classic Explorer Bar: {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll
x64-TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Run: [RAMDiskForWorkstations] "C:\Program Files\SoftPerfect RAM Disk\RAMDiskWS.exe" /hide
x64-Run: [THXCfg64] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\THXCfg64.dll,RunDLLEntry THXCfg64
x64-Run: [Classic Start Menu] C:\Program Files\Classic Shell\ClassicStartMenu.exe
x64-IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-IE: {64964764-1101-4bbd-8891-B56B1A53B9B3} - {553891B7-A0D5-4526-BE18-D3CE461D6310}
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2012-10-16 82560]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2012-10-16 42624]
R0 FancyCcV;FancyCache Driver For Volume;C:\Windows\System32\drivers\rxfcv.sys [2013-2-19 129984]
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2012-4-27 27760]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\System32\drivers\cmdGuard.sys [2012-3-11 584056]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\System32\drivers\cmdhlp.sys [2012-3-11 38144]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2009-1-1 283200]
R1 vvramd;vvramd;C:\Program Files\SoftPerfect RAM Disk\vv.sys [2013-1-7 253432]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-2-26 240640]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2013-2-26 361984]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-4-27 86224]
R2 AntiVirService;Avira Realtime Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-4-27 110032]
R2 AODDriver4.2;AODDriver4.2;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-4-9 57472]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2012-4-27 98848]
R2 BvSshServer;Bitvise SSH Server;C:\Program Files\Bitvise SSH Server\BvSshServer.exe [2013-2-17 10813632]
R2 Dokan;Dokan;C:\Windows\System32\drivers\dokan.sys [2010-7-6 106888]
R2 DokanMounter;DokanMounter;C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe [2010-7-5 11776]
R2 ImDisk;ImDisk Virtual Disk Driver;C:\Windows\System32\drivers\imdisk.sys [2012-10-9 38416]
R2 MPExtended Service;MPExtended Service;C:\Program Files (x86)\MPExtended\Service\MPExtended.ServiceHosts.CoreService.exe [2013-1-27 6144]
R2 MPExtended WebMediaPortal;MPExtended WebMediaPortal;C:\Program Files (x86)\MPExtended\WebMediaPortal\MPExtended.ServiceHosts.WebMediaPortal.exe [2013-1-27 14848]
R2 NFSserver;NFS Server;C:\Program Files\nfsd\nfsd.exe [2013-2-21 224256]
R2 PhenomMsrTweaker;PhenomMsrTweaker service;C:\Program Files\PhenomMsrTweaker\PhenomMsrTweakerService.exe [2010-6-3 188416]
R2 PMAPDaemon;SunRPC Portmap Daemon;C:\Program Files\nfsd\pmapd.exe [2013-2-21 124416]
R2 RadeonPro Support Service;RadeonPro Support Service;C:\Program Files (x86)\RadeonPro\RadeonProSupport.exe [2013-5-3 20608]
R2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe [2009-12-23 370688]
R2 TeamViewer8;TeamViewer 8;C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2013-5-11 3574624]
R2 TVService;TVService;C:\Program Files (x86)\Team MediaPortal\MediaPortal TV Server\TvService.exe [2013-5-14 241664]
R3 dvdfab;dvdfab;C:\Windows\System32\drivers\dvdfab.sys [2012-4-28 79232]
R3 MBfilt;MBfilt;C:\Windows\System32\drivers\MBfilt64.sys [2012-12-22 32344]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2011-2-10 82432]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2011-2-10 181760]
R3 RAMDiskVE;RAMDiskVE;C:\Windows\System32\drivers\RAMDiskVE.sys [2012-4-29 73000]
R3 RTCore64;RTCore64;C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2013-1-23 13368]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-9-7 565352]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2012-12-16 202632]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);C:\Windows\System32\drivers\tap0901t.sys [2009-1-1 31232]
R3 teamviewervpn;TeamViewer VPN Adapter;C:\Windows\System32\drivers\teamviewervpn.sys [2013-5-11 35112]
R3 WinRing0_1_2_0;WinRing0_1_2_0;C:\Program Files\PhenomMsrTweaker\WinRing0x64.sys [2010-6-3 14544]
S1 SecDisc;SecDisc Driver;C:\Windows\System32\drivers\secdisc64.sys [2012-10-8 273408]
S2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe [2012-1-5 75624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2012-4-26 46136]
S3 AWEAlloc;AWE Memory Allocation Driver;C:\Windows\System32\drivers\awealloc.sys [2012-10-9 18384]
S3 BEService;BattlEye Service;C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [2013-2-8 49152]
S3 DELTAII;Service for M-Audio Delta Driver (WDM);C:\Windows\System32\drivers\MAudioDelta.sys [2009-7-27 392712]
S3 HCW99BDA;Hauppauge Nova-DT Dual DVB-T Tuner;C:\Windows\System32\drivers\hcw99bda.sys [2007-3-23 216064]
S3 hcw99rc;Hauppauge Nova-DT IR Driver;C:\Windows\System32\drivers\hcw99rc.sys [2007-3-23 38528]
S3 ImDskSvc;ImDisk Virtual Disk Driver Helper;C:\Windows\System32\imdsksvc.exe [2012-10-9 11264]
S3 IT9135BDA;IT9135 BDA Devices;C:\Windows\System32\drivers\IT9135BDA.sys [2012-9-3 116480]
S3 PPJoyBus;Parallel Port Joystick Bus Enumerator;C:\Windows\System32\drivers\PPJoyBus64.sys [2010-2-20 20024]
S3 PPortJoystick;Parallel Port Joystick Device Driver;C:\Windows\System32\drivers\PPortJoy64.sys [2010-2-20 39992]
S3 pwdrvio;pwdrvio;C:\Windows\System32\pwdrvio.sys [2013-3-25 19032]
S3 pwdspio;pwdspio;C:\Windows\System32\pwdspio.sys [2013-3-25 9584]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-10-26 19456]
S3 rspLLL;rspLLL;C:\Windows\System32\drivers\rspLLL64.sys [2012-9-7 24672]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-10-26 57856]
S3 TunngleService;TunngleService;C:\Program Files (x86)\Tunngle\TnglCtrl.exe [2009-1-1 746392]
S3 VBoxUSB;VirtualBox USB;C:\Windows\System32\drivers\VBoxUSB.sys [2012-12-19 106408]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-9-7 1255736]
S4 ArgusTVMessenger;ARGUS TV Messenger;C:\Program Files (x86)\ARGUS TV\Messenger\ArgusTV.Messenger.exe [2012-11-20 72704]
S4 ArgusTVRecorder;ARGUS TV Recorder;C:\Program Files (x86)\ARGUS TV\Recorder\ArgusTV.Recorder.exe [2012-11-20 69632]
S4 ArgusTVScheduler;ARGUS TV Scheduler;C:\Program Files (x86)\ARGUS TV\Scheduler\ArgusTV.Scheduler.exe [2012-11-20 74752]
S4 Dyn Updater;Dyn Updater;C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe [2011-11-15 95608]
S4 HDParmService;HDParm Service;C:\Program Files\hdparm\bin\hdparmservice.exe [2013-1-16 20480]
S4 tvnserver;TightVNC Server;C:\Program Files\TightVNC\tvnserver.exe [2012-4-26 1633296]
S4 UltiDev Web Server Pro;UltiDev Web Server Pro;C:\Program Files (x86)\UltiDev\Web Server\UltiDev.WebServer.Monitor.exe [2012-9-29 64512]
S4 UWS HiPriv Services;UWS HiPriv Services;C:\Program Files (x86)\UltiDev\Web Server\UWS.HighPrivilegeUtilities.exe [2012-9-29 48128]
S4 UWS LoPriv Services;UWS LoPriv Services;C:\Program Files (x86)\UltiDev\Web Server\UWS.LowPrivilegeUtilities.exe [2012-9-29 44032]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
FileExt: .ini: Notepad++_file="C:\Program Files (x86)\Notepad++\notepad++.exe" "%1"
.
=============== Created Last 30 ================
.
2013-05-21 20:25:01 -------- d-----w- C:\Users\Del\Valley
2013-05-21 20:22:20 -------- d-----w- C:\Program Files (x86)\Unigine
2013-05-21 18:33:13 -------- d-----w- C:\Users\Del\AppData\Local\temp
2013-05-21 18:16:13 98816 ----a-w- C:\Windows\sed.exe
2013-05-21 18:16:13 256000 ----a-w- C:\Windows\PEV.exe
2013-05-21 18:16:13 208896 ----a-w- C:\Windows\MBR.exe
2013-05-21 17:45:33 -------- d-----w- C:\Program Files (x86)\MSI Kombustor 2.5
2013-05-14 22:59:36 -------- d-----w- C:\ProgramData\Vitalwerks
2013-05-14 22:57:42 -------- d-----w- C:\Users\Del\AppData\Local\Vitalwerks
2013-05-14 22:57:40 -------- d-----w- C:\Program Files (x86)\No-IP
2013-05-14 06:24:21 -------- d-----w- C:\Program Files (x86)\LastPass
2013-05-11 13:25:48 35112 ----a-w- C:\Windows\System32\drivers\teamviewervpn.sys
2013-05-11 13:25:47 -------- d-----w- C:\Program Files (x86)\TeamViewer
2013-05-03 12:05:57 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-05-02 16:31:58 -------- d-----w- C:\Users\Del\AppData\Local\Ubisoft
2013-05-02 16:24:40 -------- d-----w- C:\Windows\SysWow64\_CIConfig
2013-05-02 16:24:30 -------- d-----w- C:\Users\Del\AppData\Local\SCRiN
2013-05-02 16:24:30 -------- d-----w- C:\Users\Del\AppData\Local\Local
.
==================== Find3M  ====================
.
2013-05-20 23:00:31 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2013-05-20 23:00:31 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2013-05-20 19:44:56 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2013-05-15 19:22:05 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-15 19:22:05 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-14 06:24:40 14880256 ----a-w- C:\Program Files (x86)\Common Files\lpuninstall.exe
2013-04-20 19:00:55 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-04-20 19:00:54 866720 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-04-20 19:00:54 788896 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-04-10 06:01:54 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2013-04-10 06:01:53 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-04-10 03:30:50 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:53:58 48640 ----a-w- C:\Windows\System32\wwanprotdim.dll
2013-03-19 05:53:58 230400 ----a-w- C:\Windows\System32\wwansvc.dll
2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe
2013-03-17 16:42:04 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2013-03-07 13:37:54 19032 ------w- C:\Windows\System32\pwdrvio.sys
2013-03-07 13:37:32 9584 ------w- C:\Windows\System32\pwdspio.sys
2013-03-07 13:37:32 3074240 ----a-w- C:\Windows\System32\pwNative.exe
2013-02-27 06:02:44 111448 ----a-w- C:\Windows\System32\consent.exe
2013-02-27 05:48:00 1930752 ----a-w- C:\Windows\System32\authui.dll
2013-02-27 05:47:10 70144 ----a-w- C:\Windows\System32\appinfo.dll
2013-02-27 04:49:24 1796096 ----a-w- C:\Windows\SysWow64\authui.dll
2013-02-26 19:19:54 6036160 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2013-02-26 19:19:50 5035000 ----a-w- C:\Windows\System32\atiumd6a.dll
2013-02-26 19:19:48 7040928 ----a-w- C:\Windows\System32\atiumd64.dll
2013-02-26 19:17:50 11613184 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2013-02-26 18:54:12 23581184 ----a-w- C:\Windows\System32\atio6axx.dll
2013-02-26 18:49:52 77312 ----a-w- C:\Windows\System32\coinst_12.10.17.dll
2013-02-26 18:48:14 163840 ----a-w- C:\Windows\System32\atiapfxx.exe
2013-02-26 18:45:52 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2013-02-26 18:45:50 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2013-02-26 18:45:44 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2013-02-26 18:45:42 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2013-02-26 18:45:30 16082944 ----a-w- C:\Windows\System32\aticaldd64.dll
2013-02-26 18:41:24 13703168 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2013-02-26 18:37:46 19755520 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2013-02-26 18:25:42 442368 ----a-w- C:\Windows\System32\atidemgy.dll
2013-02-26 18:25:32 561152 ----a-w- C:\Windows\System32\atieclxx.exe
2013-02-26 18:24:44 240640 ----a-w- C:\Windows\System32\atiesrxx.exe
2013-02-26 18:23:24 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2013-02-26 18:23:12 25600 ----a-w- C:\Windows\System32\atimuixx.dll
2013-02-26 18:23:06 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2013-02-26 18:23:02 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2013-02-26 17:58:54 630272 ----a-w- C:\Windows\System32\atiadlxx.dll
2013-02-26 17:58:44 425984 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2013-02-26 17:58:28 17920 ----a-w- C:\Windows\System32\atig6pxx.dll
2013-02-26 17:58:26 14848 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2013-02-26 17:58:26 14848 ----a-w- C:\Windows\System32\atiglpxx.dll
2013-02-26 17:58:22 44032 ----a-w- C:\Windows\System32\atig6txx.dll
2013-02-26 17:58:14 34816 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2013-02-26 17:58:04 576000 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2013-02-26 17:55:50 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2013-02-26 14:05:38 222720 ----a-w- C:\Windows\System32\clinfo.exe
2013-02-26 14:05:20 76288 ----a-w- C:\Windows\System32\OpenVideo64.dll
2013-02-26 14:05:16 65536 ----a-w- C:\Windows\SysWow64\OpenVideo.dll
2013-02-26 14:05:10 64000 ----a-w- C:\Windows\System32\OVDecode64.dll
2013-02-26 14:05:08 56320 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2013-02-26 14:04:58 29149696 ----a-w- C:\Windows\System32\amdocl64.dll
2013-02-26 14:03:04 23810048 ----a-w- C:\Windows\SysWow64\amdocl.dll
2013-02-26 14:01:22 54784 ----a-w- C:\Windows\System32\OpenCL.dll
2013-02-26 14:01:20 50176 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2013-02-26 13:54:44 5067264 ----a-w- C:\Windows\System32\amdsc64.dll
2013-02-26 13:54:40 4083200 ----a-w- C:\Windows\SysWow64\amdsc.dll
.
============= FINISH: 23:06:51.30 ===============
Edited by doveman, 21 May 2013 - 05:28 PM.
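A triage helper for the DDS sections posted above, added here as an example and not a tool from the thread or from DDS itself: it splits the log into its `=== Section ===` blocks, groups any new executables in the Windows root by creation second, flags UAC policy values that remove the elevation prompt, and lists AppInit_DLLs entries. The excerpt in `SAMPLE_LOG` is constructed from lines of the log above; the section names and row layout are assumed to match DDS output as shown there.

```python
"""Triage helper for DDS-style logs (added example; not a tool from the thread or from DDS).

Raises the review items a defender checks first in such a log:
  * executables created directly in the Windows root, grouped by creation second;
  * UAC policy values that weaken or disable the elevation prompt;
  * AppInit_DLLs entries, which get loaded into every process that uses user32.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the log posted in the thread (section layout as in DDS).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://startpage.com/uk/
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
AppInit_DLLs= C:\Windows\SysWOW64\guard32.dll
.
=============== Created Last 30 ================
.
2013-05-21 20:22:20 -------- d-----w- C:\Program Files (x86)\Unigine
2013-05-21 18:16:13 98816 ----a-w- C:\Windows\sed.exe
2013-05-21 18:16:13 256000 ----a-w- C:\Windows\PEV.exe
2013-05-21 18:16:13 208896 ----a-w- C:\Windows\MBR.exe
2013-05-11 13:25:48 35112 ----a-w- C:\Windows\System32\drivers\teamviewervpn.sys
.
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.*)$")
POLICY_RE = re.compile(r"^[mu]Policies-System:\s*(\w+)\s*=\s*dword:(\d+)$")

# UAC values that remove or weaken the elevation prompt (value as DDS prints it).
WEAK_UAC = {
    "EnableLUA": "0",                   # UAC switched off entirely
    "ConsentPromptBehaviorAdmin": "0",  # admins elevate silently
    "PromptOnSecureDesktop": "0",       # prompt shown on the normal desktop
}


def split_sections(text):
    """Return {section name: [content lines]}; DDS separates sections with '.' lines."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current and line and line != ".":
            sections[current].append(line)
    return sections


def parse_created(lines):
    """Parse 'Created Last 30' rows into (timestamp, size, attrs, path); skip directories."""
    rows = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m or m.group(3).startswith("d"):
            continue
        rows.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return rows


def windows_root_binaries(lines):
    """Executables created directly under C:\\Windows, keyed by creation second.

    Updates normally land in System32, SysWOW64 or winsxs, so new binaries in the
    root deserve a look. Files sharing one second were written by the same
    installer or tool run, so that time is what to compare against anything you ran.
    """
    by_second = defaultdict(list)
    for ts, _size, _attrs, path in parse_created(lines):
        folder, _, name = path.rpartition("\\")
        if folder.lower() == r"c:\windows" and name.lower().endswith((".exe", ".dll", ".sys")):
            by_second[ts].append(name)
    return dict(by_second)


def weak_uac_settings(lines):
    """Names of UAC policies in the report whose values match WEAK_UAC."""
    hits = []
    for line in lines:
        m = POLICY_RE.match(line)
        if m and WEAK_UAC.get(m.group(1)) == m.group(2):
            hits.append(m.group(1))
    return hits


def appinit_dlls(lines):
    """DLL paths listed under AppInit_DLLs (a classic persistence location to review)."""
    for line in lines:
        if line.startswith("AppInit_DLLs="):
            value = line.split("=", 1)[1].strip()
            return [p for p in re.split(r"[ ,]+", value) if p]
    return []


def triage(text):
    """Run all checks over one DDS log and return the findings."""
    s = split_sections(text)
    return {
        "windows_root_binaries": windows_root_binaries(s.get("Created Last 30", [])),
        "weak_uac": weak_uac_settings(s.get("Pseudo HJT Report", [])),
        "appinit_dlls": appinit_dlls(s.get("Pseudo HJT Report", [])),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Against the log posted above, the three root binaries share the creation second 18:16:13 on the day the poster says he ran TDSSKiller, ComboFix and aswMBR, so checking those tool run times is the first step before treating the files as hostile.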


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,699 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:44 PM

Posted 26 May 2013 - 02:45 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/495348 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 doveman

doveman
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:05:44 PM

Posted 29 May 2013 - 12:04 PM

Hi
 
Here's the new dds logs.
 
As per my previous post, I can't say I'm having any particular problems, although quite often IE fails to open the homepage (or any other page) and I have to close it and then it works when I reopen it. I've had some BSODs lately but they appear to have been related to my GPU overclock, although it used to work fine it may be that a couple of games I've been playing lately have been pushing the card harder than before.
 
So it's mainly the unusual looking services in the log and those .exe files in Windows that look dodgy that I'm concerned about.
 
I do have my Windows DVD to hand if needed.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16576 BrowserJavaVersion: 10.21.2
Run by Del at 17:57:33 on 2013-05-29
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.16348.9318 [GMT 1:00]
.
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\atieclxx.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bitvise SSH Server\BvSshServer.exe
C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\FileZilla Server\FileZilla Server.exe
C:\Program Files (x86)\MPExtended\Service\MPExtended.ServiceHosts.CoreService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
C:\Program Files (x86)\MPExtended\WebMediaPortal\MPExtended.ServiceHosts.WebMediaPortal.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\PhenomMsrTweaker\PhenomMsrTweakerService.exe
C:\Program Files\nfsd\pmapd.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\RadeonPro\RadeonProSupport.exe
C:\Program Files (x86)\IIS Express\iisexpress.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\Classic Shell\ClassicStartMenu.exe
C:\Users\Del\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\RadeonPro\RadeonPro.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\PhenomMsrTweaker\PhenomMsrTweaker.exe
C:\Program Files (x86)\Team MediaPortal\MediaPortal TV Server\TVService.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\RadeonPro\RadeonPro64.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\taskhost.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Reader.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
E:\Portable Apps\IronPortable2\Iron\Iron.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://startpage.com/uk/
BHO: ExplorerBHO Class: {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Classic Explorer Bar: {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [Xpadder] "D:\Games\Xpadder\Xpadder.exe" /m
uRun: [Spotify Web Helper] "C:\Users\Del\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
uRun: [RadeonPro] "C:\Program Files (x86)\RadeonPro\RadeonPro.exe"
uRun: [Jitsi] C:\Program Files\Jitsi\Jitsi.exe
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [Bitvise SSH Server Activation State Checker] "C:\Program Files\Bitvise SSH Server\BssActStateCheck.exe"
mRun: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe" /r
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Del\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVENTG~1.LNK - C:\Program Files (x86)\EventGhost\EventGhost.exe
StartupFolder: C:\Users\Del\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PHENOM~1.LNK - C:\Program Files\PhenomMsrTweaker\PhenomMsrTweaker.exe
StartupFolder: C:\Users\Del\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\VAC(MA~1.LNK - C:\Program Files (x86)\VAC System\VACSystem.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ACTUAL~1.LNK - C:\Program Files (x86)\Actual Multiple Monitors\ActualMultipleMonitorsCenter.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INSTAL~1.LNK - C:\Program Files (x86)\Common Files\lpuninstall.exe
StartupFolder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Un-Overclock.bat
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
IE: LastPass - C:\Users\Del\AppData\LocalLow\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - C:\Users\Del\AppData\LocalLow\LastPass\context.html?cmd=fillforms
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
IE: {64964764-1101-4bbd-8891-B56B1A53B9B3} - {553891B7-A0D5-4526-BE18-D3CE461D6310}
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1369834631227
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15102/CTSUEng.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/130321/CTPID.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com//activex/ractrl.cab?lmi=972
TCP: Interfaces\{2729F1F0-D062-41B1-AE0F-F2F371BD23AB} : NameServer = 8.8.8.8
TCP: Interfaces\{BAF14AD3-FD4B-4CC5-8470-7FB943D1B432} : NameServer = 178.21.23.150,205.204.88.60
AppInit_DLLs= C:\Windows\SysWOW64\guard32.dll
SSODL: WebCheck - <orphaned>
x64-BHO: ExplorerBHO Class: {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer64.dll
x64-BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-TB: Classic Explorer Bar: {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll
x64-TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Run: [RAMDiskForWorkstations] "C:\Program Files\SoftPerfect RAM Disk\RAMDiskWS.exe" /hide
x64-Run: [THXCfg64] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\THXCfg64.dll,RunDLLEntry THXCfg64
x64-Run: [Classic Start Menu] C:\Program Files\Classic Shell\ClassicStartMenu.exe
x64-IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-IE: {64964764-1101-4bbd-8891-B56B1A53B9B3} - {553891B7-A0D5-4526-BE18-D3CE461D6310}
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2012-10-16 82560]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2012-10-16 42624]
R0 FancyCcV;FancyCache Driver For Volume;C:\Windows\System32\drivers\rxfcv.sys [2013-2-19 129984]
R1 avkmgr;avkmgr;C:\Windows\System32\drivers\avkmgr.sys [2012-4-27 27760]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\System32\drivers\cmdGuard.sys [2012-3-11 584056]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\System32\drivers\cmdhlp.sys [2012-3-11 38144]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2009-1-1 283200]
R1 vvramd;vvramd;C:\Program Files\SoftPerfect RAM Disk\vv.sys [2013-1-7 253432]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-2-26 240640]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2013-2-26 361984]
R2 AntiVirSchedulerService;Avira Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2012-4-27 86224]
R2 AntiVirService;Avira Realtime Protection;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2012-4-27 110032]
R2 AODDriver4.2;AODDriver4.2;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-4-9 57472]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2012-4-27 98848]
R2 BvSshServer;Bitvise SSH Server;C:\Program Files\Bitvise SSH Server\BvSshServer.exe [2013-2-17 10813632]
R2 Dokan;Dokan;C:\Windows\System32\drivers\dokan.sys [2010-7-6 106888]
R2 DokanMounter;DokanMounter;C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe [2010-7-5 11776]
R2 ImDisk;ImDisk Virtual Disk Driver;C:\Windows\System32\drivers\imdisk.sys [2012-10-9 38416]
R2 MPExtended Service;MPExtended Service;C:\Program Files (x86)\MPExtended\Service\MPExtended.ServiceHosts.CoreService.exe [2013-1-27 6144]
R2 MPExtended WebMediaPortal;MPExtended WebMediaPortal;C:\Program Files (x86)\MPExtended\WebMediaPortal\MPExtended.ServiceHosts.WebMediaPortal.exe [2013-1-27 14848]
R2 PhenomMsrTweaker;PhenomMsrTweaker service;C:\Program Files\PhenomMsrTweaker\PhenomMsrTweakerService.exe [2010-6-3 188416]
R2 PMAPDaemon;SunRPC Portmap Daemon;C:\Program Files\nfsd\pmapd.exe [2013-2-21 124416]
R2 RadeonPro Support Service;RadeonPro Support Service;C:\Program Files (x86)\RadeonPro\RadeonProSupport.exe [2013-5-3 20608]
R2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe [2009-12-23 370688]
R2 TeamViewer8;TeamViewer 8;C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2013-5-11 3574624]
R2 TVService;TVService;C:\Program Files (x86)\Team MediaPortal\MediaPortal TV Server\TvService.exe [2013-5-14 241664]
R3 dvdfab;dvdfab;C:\Windows\System32\drivers\dvdfab.sys [2012-4-28 79232]
R3 MBfilt;MBfilt;C:\Windows\System32\drivers\MBfilt64.sys [2012-12-22 32344]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2011-2-10 82432]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2011-2-10 181760]
R3 RAMDiskVE;RAMDiskVE;C:\Windows\System32\drivers\RAMDiskVE.sys [2012-4-29 73000]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-9-7 565352]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2012-12-16 202632]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);C:\Windows\System32\drivers\tap0901t.sys [2009-1-1 31232]
R3 teamviewervpn;TeamViewer VPN Adapter;C:\Windows\System32\drivers\teamviewervpn.sys [2013-5-11 35112]
R3 WinRing0_1_2_0;WinRing0_1_2_0;C:\Program Files\PhenomMsrTweaker\WinRing0x64.sys [2010-6-3 14544]
S1 SecDisc;SecDisc Driver;C:\Windows\System32\drivers\secdisc64.sys [2012-10-8 273408]
S2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe [2012-1-5 75624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S2 NFSserver;NFS Server;C:\Program Files\nfsd\nfsd.exe [2013-2-21 224256]
S3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2012-4-26 46136]
S3 AWEAlloc;AWE Memory Allocation Driver;C:\Windows\System32\drivers\awealloc.sys [2012-10-9 18384]
S3 BEService;BattlEye Service;C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [2013-2-8 53248]
S3 DELTAII;Service for M-Audio Delta Driver (WDM);C:\Windows\System32\drivers\MAudioDelta.sys [2009-7-27 392712]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2013-5-22 137336]
S3 HCW99BDA;Hauppauge Nova-DT Dual DVB-T Tuner;C:\Windows\System32\drivers\hcw99bda.sys [2007-3-23 216064]
S3 hcw99rc;Hauppauge Nova-DT IR Driver;C:\Windows\System32\drivers\hcw99rc.sys [2007-3-23 38528]
S3 ImDskSvc;ImDisk Virtual Disk Driver Helper;C:\Windows\System32\imdsksvc.exe [2012-10-9 11264]
S3 IT9135BDA;IT9135 BDA Devices;C:\Windows\System32\drivers\IT9135BDA.sys [2012-9-3 116480]
S3 PPJoyBus;Parallel Port Joystick Bus Enumerator;C:\Windows\System32\drivers\PPJoyBus64.sys [2010-2-20 20024]
S3 PPortJoystick;Parallel Port Joystick Device Driver;C:\Windows\System32\drivers\PPortJoy64.sys [2010-2-20 39992]
S3 pwdrvio;pwdrvio;C:\Windows\System32\pwdrvio.sys [2013-3-25 19032]
S3 pwdspio;pwdspio;C:\Windows\System32\pwdspio.sys [2013-3-25 9584]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-10-26 19456]
S3 rspLLL;rspLLL;C:\Windows\System32\drivers\rspLLL64.sys [2012-9-7 24672]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-10-26 57856]
S3 TunngleService;TunngleService;C:\Program Files (x86)\Tunngle\TnglCtrl.exe [2009-1-1 746392]
S3 VBoxUSB;VirtualBox USB;C:\Windows\System32\drivers\VBoxUSB.sys [2012-12-19 106408]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-9-7 1255736]
S4 ArgusTVMessenger;ARGUS TV Messenger;C:\Program Files (x86)\ARGUS TV\Messenger\ArgusTV.Messenger.exe [2012-11-20 72704]
S4 ArgusTVRecorder;ARGUS TV Recorder;C:\Program Files (x86)\ARGUS TV\Recorder\ArgusTV.Recorder.exe [2012-11-20 69632]
S4 ArgusTVScheduler;ARGUS TV Scheduler;C:\Program Files (x86)\ARGUS TV\Scheduler\ArgusTV.Scheduler.exe [2012-11-20 74752]
S4 Dyn Updater;Dyn Updater;C:\Program Files (x86)\Dyn Updater\DynUpSvc.exe [2011-11-15 95608]
S4 HDParmService;HDParm Service;C:\Program Files\hdparm\bin\hdparmservice.exe [2013-1-16 20480]
S4 tvnserver;TightVNC Server;C:\Program Files\TightVNC\tvnserver.exe [2012-4-26 1633296]
S4 UltiDev Web Server Pro;UltiDev Web Server Pro;C:\Program Files (x86)\UltiDev\Web Server\UltiDev.WebServer.Monitor.exe [2012-9-29 64512]
S4 UWS HiPriv Services;UWS HiPriv Services;C:\Program Files (x86)\UltiDev\Web Server\UWS.HighPrivilegeUtilities.exe [2012-9-29 48128]
S4 UWS LoPriv Services;UWS LoPriv Services;C:\Program Files (x86)\UltiDev\Web Server\UWS.LowPrivilegeUtilities.exe [2012-9-29 44032]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
FileExt: .ini: Notepad++_file="C:\Program Files (x86)\Notepad++\notepad++.exe" "%1"
.
=============== Created Last 30 ================
.
2013-05-29 12:06:47 -------- d-----w- C:\Users\Del\AppData\Local\ElevatedDiagnostics
2013-05-28 08:10:20 9460464 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{26451B02-4F55-40F2-85BD-EDF7BC51BB29}\mpengine.dll
2013-05-24 13:58:31 -------- d-----w- C:\Users\Del\AppData\Local\Arma 3 Alpha Lite
2013-05-24 13:58:30 -------- d-----w- C:\ProgramData\Bohemia Interactive
2013-05-24 13:03:32 -------- d-----w- C:\Users\Del\AppData\Local\Deployment
2013-05-24 13:03:32 -------- d-----w- C:\Users\Del\AppData\Local\Apps
2013-05-23 21:45:36 -------- d-----w- C:\Users\Del\AppData\Roaming\foobar2000
2013-05-23 21:45:32 -------- d-----w- C:\Program Files (x86)\foobar2000
2013-05-23 13:21:32 -------- d-----w- C:\Users\Del\AppData\Local\SIX Updater
2013-05-22 12:00:53 -------- d-----w- C:\Users\Del\AppData\Local\Futuremark
2013-05-22 11:59:34 -------- d-----w- C:\Program Files (x86)\Futuremark
2013-05-22 11:58:35 -------- d-----w- C:\Program Files\Futuremark
2013-05-22 09:37:11 122 ----a-w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Un-Overclock.bat
2013-05-21 20:25:01 -------- d-----w- C:\Users\Del\Valley
2013-05-21 20:22:20 -------- d-----w- C:\Program Files (x86)\Unigine
2013-05-21 18:33:13 -------- d-----w- C:\Users\Del\AppData\Local\temp
2013-05-21 18:16:13 98816 ----a-w- C:\Windows\sed.exe
2013-05-21 18:16:13 256000 ----a-w- C:\Windows\PEV.exe
2013-05-21 18:16:13 208896 ----a-w- C:\Windows\MBR.exe
2013-05-21 17:45:33 -------- d-----w- C:\Program Files (x86)\MSI Kombustor 2.5
2013-05-14 22:59:36 -------- d-----w- C:\ProgramData\Vitalwerks
2013-05-14 22:57:42 -------- d-----w- C:\Users\Del\AppData\Local\Vitalwerks
2013-05-14 22:57:40 -------- d-----w- C:\Program Files (x86)\No-IP
2013-05-14 06:24:21 -------- d-----w- C:\Program Files (x86)\LastPass
2013-05-11 13:25:48 35112 ----a-w- C:\Windows\System32\drivers\teamviewervpn.sys
2013-05-11 13:25:47 -------- d-----w- C:\Program Files (x86)\TeamViewer
2013-05-03 12:05:57 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-05-02 16:24:40 -------- d-----w- C:\Windows\SysWow64\_CIConfig
2013-05-02 16:24:30 -------- d-----w- C:\Users\Del\AppData\Local\Local
.
==================== Find3M ====================
.
2013-05-20 23:00:31 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2013-05-20 23:00:31 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2013-05-20 19:44:56 281688 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2013-05-15 19:22:05 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-15 19:22:05 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-14 06:24:40 14880256 ----a-w- C:\Program Files (x86)\Common Files\lpuninstall.exe
2013-05-02 01:06:08 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-04-20 19:00:55 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-04-20 19:00:54 866720 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-04-20 19:00:54 788896 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-04-10 06:01:54 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2013-04-10 06:01:53 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-04-10 03:30:50 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-03-19 05:53:58 48640 ----a-w- C:\Windows\System32\wwanprotdim.dll
2013-03-19 05:53:58 230400 ----a-w- C:\Windows\System32\wwansvc.dll
2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe
2013-03-17 16:42:04 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2013-03-07 13:37:54 19032 ------w- C:\Windows\System32\pwdrvio.sys
2013-03-07 13:37:32 9584 ------w- C:\Windows\System32\pwdspio.sys
2013-03-07 13:37:32 3074240 ----a-w- C:\Windows\System32\pwNative.exe
.
============= FINISH: 17:57:40.95 ===============


Edited by Oh My, 29 May 2013 - 06:42 PM.


#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,030 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:09:44 AM

Posted 29 May 2013 - 06:39 PM

Greetings doveman and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided and I will reply as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,030 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:09:44 AM

Posted 29 May 2013 - 07:44 PM

Greetings,

I do not see any evidence of malicious software on your computer. sed.exe, mbr.exe, and pev.exe are all associated with Combofix. Also CrystalSysInfo appears to be related to the monitoring of registry, Running Processes, Startup, BHO, Toolbar, Service, Task scheduler, Activex and Uninstall Entries.

If you would like you can do the following.

===================================================

Malwarebytes

--------------------

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download. You can also right click on the link and select Save Link As
  • Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
    • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
      For instructions with screenshots, please refer to this Guide.
    • When the installation begins, follow the prompts and do not make any changes to default settings except to uncheck any offer for a free Pro trial version .
    • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself. Press the OK button and continue.
    • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
    • Click on the Scan button.
    • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked and then click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
    • Exit Malwarebytes when done.
  • Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours, that is normal.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Copy and paste the information in your next reply. Note: If no malware was found you will not be presented with a log.
  • Click the Back button.
  • Click the Finish button.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.
  • MBAM results
  • ESET results

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 doveman


Posted 30 May 2013 - 06:23 PM

Hi Gary and thanks for offering to assist me. Please feel free to call me Derek.

 

Thanks for explaining that those three .exes are associated with Combofix, as I guess is PEVSystemStart. I'm still a bit confused about where CrystalSysInfo comes from, but it doesn't appear to be malicious, thankfully.

 

I've posted the MBAM results below, which didn't find anything untoward. I only scanned my C: partition with ESET and didn't check the "Remove found threats" option, as I know I have programs that are falsely identified as malware and didn't want ESET deleting stuff. As you can see, it's identified parts of Avira AntiVir as malware and would have removed them. I'm not sure about PPJoyMouse, so I scanned it with Jotti, which showed that 8 out of 20 scanners identified it as malware:

 

http://virusscan.jotti.org/en/scanresult/80f347f89d8e1478d1fbce28a332e518f898b3df/cc6e4d5572f3ec185b625ee044558754ba81880b

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.29.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16576
Del :: X4 [administrator]

30/05/2013 03:59:56
mbam-log-2013-05-30 (03-59-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 323920
Time elapsed: 7 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

C:\Program Files (x86)\Avira\AntiVir Desktop\apnic.dll	a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files (x86)\Avira\AntiVir Desktop\apntoolbarinstaller.exe	a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files (x86)\PPJoy Joystick Driver\PPJoyMouse.exe	probably a variant of Win32/TrojanDownloader.Agent.OZNHGF trojan
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\ApnIC[1].0	a variant of Win32/Bundled.Toolbar.Ask application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5\ApnIC[1].0	a variant of Win32/Bundled.Toolbar.Ask application



#7 Oh My!


Posted 30 May 2013 - 08:22 PM

Hi Derek,

Regarding CrystalSysInfo here is the abbreviated trail I followed:
 
Service Name : CrystalSysInfo

Display Name : Euq_monitor
 
----------
 
Regarding PPJoyMouse
 
This file generally appears to be legitimate. I always temper Jotti results by factoring in which antivirus company (some are major companies and some are minor) identifies it as malware. Sometimes it is a judgment call. As you see, ESET identifies it as "Probably". It is your decision to keep or delete this file, as well as the other identified files.

Please let me know what you decide.
Gary

#8 Oh My!


Posted 03 June 2013 - 09:20 AM

Hi Derek,

===================================================

3 Day Bump

It has been more than 3 days since my last post.

  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Hi Derek,

 

How are we doing?


Gary

#9 doveman


Posted 03 June 2013 - 12:20 PM

Sorry for the delay in getting back to you Gary.
 
What I've done is uninstall the CrystalSysInfo service using

sc delete "CrystalSysInfo"

as I wasn't entirely sure where it came from and, judging from the errors in the logs, it didn't appear to be loading anyway.

 

As for PPJoyMouse, I'm not currently using it so may delete it. I think I was using it to modify my joystick input for a game that wasn't working properly with direct input. I may have multiple versions of it that I've downloaded and stored, so I'll check through those to see if there's a version that isn't identified as malware but as you say, it's probably a false positive anyway considering that a lot of good AV engines don't flag it.

 

As for the Ask toolbar parts of Avira, they're probably not causing any harm and I don't believe I installed the toolbar anyway. I could delete them but they'll probably just reappear when Avira updates anyway so it's probably not worth it.

 

So it appears we have determined that there are no real nasties on my PC, which is reassuring. Thanks very much for your help, and I'll let you move on to the next person who needs your help now :)

 

Cheers.
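For an unfamiliar service like the one removed above, a defender would normally look up its binary and Authenticode status before deciding on `sc delete`. The following PowerShell is an added example, not code from the thread or from either participant; it assumes PowerShell 5.1+ on Windows, an elevated prompt, and uses the CrystalSysInfo service name from the thread as its sample input.

```powershell
# Added example, not from the thread: triage an unfamiliar Windows service (here the
# CrystalSysInfo / Euq_monitor entry discussed above) before removing it with sc delete.
# Assumes PowerShell 5.1+ on Windows, run from an elevated prompt so the binary is readable.

function Get-ServiceBinaryPath {
    param([Parameter(Mandatory)][string]$PathName)
    # PathName may be quoted with arguments, bare with arguments, or a driver path such as
    # \SystemRoot\system32\drivers\x.sys or \??\C:\...\x.sys; normalise to a file system path.
    if ($PathName -match '^\s*"([^"]+)"') { $p = $Matches[1] }
    elseif ($PathName -match '^\s*(\S+?\.(exe|sys|dll))') { $p = $Matches[1] }
    else { $p = ($PathName -split '\s+')[0] }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" }   # relative driver paths
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Test-ServiceTriage {
    param([Parameter(Mandatory)][string]$Name)
    # User-mode services and kernel drivers live in different WMI classes; check both.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    $kind = 'Service'
    if (-not $svc) { $svc = Get-CimInstance Win32_SystemDriver -Filter "Name='$Name'"; $kind = 'Driver' }
    if (-not $svc) { return [pscustomobject]@{ Name = $Name; Registered = $false } }

    $bin = Get-ServiceBinaryPath $svc.PathName
    $report = [ordered]@{
        Name = $svc.Name; DisplayName = $svc.DisplayName; Kind = $kind
        StartMode = $svc.StartMode; State = $svc.State; Binary = $bin
        BinaryExists = Test-Path -LiteralPath $bin; Signature = 'n/a'; Signer = 'n/a'
    }
    if ($report.BinaryExists) {
        # Authenticode status (Valid, NotSigned, HashMismatch, UnknownError ...);
        # anything other than Valid on a service binary warrants a closer look.
        $sig = Get-AuthenticodeSignature -LiteralPath $bin
        $report.Signature = [string]$sig.Status
        $report.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
    }
    [pscustomobject]$report
}

# Usage: inspect first; deletion (sc delete <name>) stays a separate, deliberate step.
Test-ServiceTriage -Name 'CrystalSysInfo' | Format-List
```

A service that is registered but whose binary is missing, unsigned, or signed by an unexpected subject is the case worth following up on; a missing binary also explains a "failed to start" entry in the System log.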



#10 Oh My!


Posted 03 June 2013 - 12:24 PM

My pleasure.

I am not sure the Ask Toolbar is an automatic download. They sneak it in by making you deselect it.

Since we are all good I am going to close this topic. Here is a little bit of information in case you are interested.

===================================================

Keeping Your Computer Safe

Please read the following in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • Outbound firewall.
    • If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • AntiVirus Software
    • It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • Anti-Spyware program
    • Malwarebytes Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use; the paid versions provide resident protection and do not nag.
    • Spyware Blaster
    • A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!
    • I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    • Therefore, please visit the Microsoft Update website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    • Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
    • The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
    • In order to provide an example of these vulnerabilities, it would be well worth your time to read an article and view a short video by Sophos Lab detailing how Adobe Acrobat can be compromised. This information provides a window into the complex nature of malicious software and the efforts to combat it. Your part is simply installing the hard work done by others to try to keep your computer clean.

Some more links you might find of interest:

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary

#11 Oh My!


Posted 04 June 2013 - 08:16 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary



