virus creating new user accounts


  • This topic is locked
41 replies to this topic

#1 agrias7

agrias7

  • Members
  • 40 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 30 May 2013 - 09:55 PM

There is a weird user named uanapxpywzrd.

No matter how many times I tried to delete it, it comes back.

It also changes the folder option to not show hidden files (it should show them). I can still access the folder options, but it goes back to not showing hidden files when I restart.

 

What I have done so far:

Sent a support ticket to ESET; they wanted me to use ComboFix, so I already used that.

But there was a syntax error during the process: "pevFind bla bla bla syntax error".

Malwarebytes Anti-Malware = no malware was found

Malwarebytes Anti-Rootkit = no rootkit was found

And other system checks you can see in my thread:

http://www.bleepingcomputer.com/forums/t/496393/virus-creating-new-user-accounts/

 

EDIT: ESET support contacted me again; this time they want me to use OTL, just scan and send them the log file.

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 10.0.9200.16576  BrowserJavaVersion: 10.21.2
Run by TOSHIBA at 9:42:59 on 2013-05-31
Microsoft Windows 7 Starter   6.1.7601.1.932.81.1033.18.1916.569 [GMT 7:00]
.
AV: ESET Smart Security 6.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 6.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ================
.
.
============== Pseudo HJT Report ===============
.
uProxyServer = 88.85.106.146:8080
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [SMΔRT-Protection] c:\program files\smadav\SMΔRTP.exe rtp
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXE
mRun: [TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\toshiba\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: aeriagames.com
Trusted Zone: aeriagames.com
TCP: Interfaces\{8DB0A920-20CD-4501-A4A8-7FDB6114898F} : DHCPNameServer = 10.232.0.4 202.134.0.155
TCP: Interfaces\{8DB0A920-20CD-4501-A4A8-7FDB6114898F}\3545453502D20205D424 : DHCPNameServer = 10.0.0.1 8.8.8.8
TCP: Interfaces\{8DB0A920-20CD-4501-A4A8-7FDB6114898F}\3545453502D202C4130303 : DHCPNameServer = 10.0.0.1 8.8.8.8
TCP: Interfaces\{8DB0A920-20CD-4501-A4A8-7FDB6114898F}\64C616378602A5F6E656 : DHCPNameServer = 10.232.0.4 202.134.0.155
TCP: Interfaces\{8DB0A920-20CD-4501-A4A8-7FDB6114898F}\94E64696353686F6F6C60477966696E29646 : DHCPNameServer = 10.232.0.4 202.134.0.155
TCP: Interfaces\{F5BCC7C1-B7FD-42E9-B5A0-6323B9852F86} : NameServer = 8.8.8.8 8.8.4.4
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\toshiba\appdata\roaming\mozilla\firefox\profiles\ftrsxzjy.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\users\toshiba\appdata\local\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2012-12-21 47568]
R1 cnnctfy2;Connectify LightWeight Filter;c:\windows\system32\drivers\cnnctfy2.sys [2012-11-13 27248]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2013-1-10 242240]
R1 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2012-12-21 171680]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\drivers\EpfwLWF.sys [2012-12-21 46056]
R2 Apache2.4;Apache2.4;e:\xampp\apache\bin\httpd.exe [2012-8-18 22016]
R2 BstHdDrv;BlueStacks Hypervisor;c:\program files\bluestacks\HD-Hypervisor-x86.sys [2013-5-13 63816]
R2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [2012-9-14 135168]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2012-12-21 1333424]
R2 persdwmsrv;Personalization Panel DWM controller;c:\program files\winaero.com\personalization panel dwm controller\persdwmsrv.exe [2012-4-7 8192]
R3 BtFilter;Bluetooth LowerFilter Class Filter Driver;c:\windows\system32\drivers\btfilter.sys [2010-10-18 33640]
R3 cmnsusbser;Prolink PCM100 EVDO Modem USB Device for Legacy Serial Communication;c:\windows\system32\drivers\cmnsusbser.sys [2010-9-3 105984]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2012-10-3 30312]
S3 apf003;apf003;c:\windows\system32\apf003.sys [2013-3-30 13232]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 Connectify;Connectify;c:\program files\connectify\ConnectifyService.exe [2012-11-13 65536]
S3 GGSAFERDriver;GGSAFER Driver;c:\program files\garena plus\room\safedrv.sys [2013-4-10 22112]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-10-27 14848]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2012-10-3 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2012-10-3 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2012-10-3 121576]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [2012-10-3 98152]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\drivers\taphss6.sys [2013-2-1 37064]
S3 Te.Service;Te.Service;c:\program files\windows kits\8.0\testing\runtimes\taef\Wex.Services.exe [2012-7-25 94208]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-10-27 49664]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-10-27 27136]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2012-10-26 84312]
S4 BstHdAndroidSvc;BlueStacks Android Service;c:\program files\bluestacks\HD-Service.exe [2013-5-13 393032]
S4 BstHdLogRotatorSvc;BlueStacks Log Rotator Service;c:\program files\bluestacks\HD-LogRotatorService.exe [2013-5-13 384840]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2013-05-31 01:46:37 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-05-31 01:23:15 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-31 01:23:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-30 23:44:37 60872 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{439e50f8-6202-49b3-a298-60c1cb858fb4}\offreg.dll
2013-05-30 20:56:11 -------- d-sh--w- C:\$RECYCLE.BIN
2013-05-30 20:41:46 -------- d-----w- C:\ComboFix
2013-05-30 14:52:25 98816 ----a-w- c:\windows\sed.exe
2013-05-30 14:52:25 256000 ----a-w- c:\windows\PEV.exe
2013-05-30 14:52:25 208896 ----a-w- c:\windows\MBR.exe
2013-05-30 03:09:38 -------- d-----w- c:\users\toshiba\appdata\roaming\Gensokyo.org
2013-05-30 03:09:34 -------- d-----w- c:\users\toshiba\appdata\roaming\ShanghaiAlice
2013-05-30 03:05:07 -------- d--h--w- c:\windows\msdownld.tmp
2013-05-30 01:05:34 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-29 14:31:41 -------- d-----w- c:\programdata\RAT Scanner
2013-05-29 05:15:24 -------- d-----w- C:\[Smad-Cage]
2013-05-29 04:00:57 -------- d-----w- c:\users\toshiba\appdata\roaming\Malwarebytes
2013-05-29 04:00:49 -------- d-----w- c:\programdata\Malwarebytes
2013-05-28 14:34:54 7016152 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{439e50f8-6202-49b3-a298-60c1cb858fb4}\mpengine.dll
2013-05-27 08:42:07 -------- d-----w- c:\users\toshiba\appdata\roaming\Dragona
2013-05-27 08:25:17 -------- d-----w- c:\program files\Mobius Indonesia
2013-05-26 04:37:03 262552 ----a-w- c:\program files\mozilla firefox\browser\components\browsercomps.dll
2013-05-23 05:31:24 -------- d-----w- c:\users\toshiba\appdata\local\Temporary Projects
2013-05-21 06:30:36 -------- d-----w- c:\users\toshiba\appdata\local\Diagnostics
2013-05-20 09:27:30 -------- d-----w- c:\program files\BlueStacks
2013-05-20 09:26:34 -------- d-----w- c:\programdata\BlueStacksSetup
2013-05-20 09:26:32 -------- d-----w- c:\programdata\BlueStacks
2013-05-15 08:37:13 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 08:37:13 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-15 08:37:12 40960 ----a-w- c:\windows\system32\wwanprotdim.dll
2013-05-15 08:37:12 186368 ----a-w- c:\windows\system32\wwansvc.dll
2013-05-15 08:36:46 47104 ----a-w- c:\windows\system32\appinfo.dll
2013-05-15 08:36:46 1796096 ----a-w- c:\windows\system32\authui.dll
2013-05-15 08:36:46 101720 ----a-w- c:\windows\system32\consent.exe
2013-05-15 08:36:28 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-05-07 03:53:55 -------- d-----w- c:\program files\JDownloader
2013-05-01 06:15:44 -------- d-----w- c:\program files\Snail Games USA
2013-05-01 03:45:55 -------- d-----w- c:\users\toshiba\appdata\roaming\com.shirogames.evoland
2013-05-01 03:40:33 70656 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPP9W.DLL
2013-05-01 03:40:33 27648 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPD9W.DLL
2013-05-01 03:40:08 303104 ----a-w- c:\windows\system32\CNC250L.dll
2013-05-01 03:40:08 110592 ----a-w- c:\windows\system32\CNC250I.dll
2013-05-01 03:40:07 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2013-05-01 03:40:07 1310720 ----a-w- c:\windows\system32\CNC250C.dll
2013-05-01 03:40:07 106496 ----a-w- c:\windows\system32\CNC250U.dll
2013-05-01 03:39:27 272384 ----a-w- c:\windows\system32\CNMLM9W.DLL
2013-05-01 03:39:17 90112 ----a-w- c:\windows\system32\CNC250O.dll
2013-05-01 03:39:17 178176 ----a-w- c:\windows\system32\CNMIU9W.DLL
2013-05-01 03:38:13 -------- d-----w- c:\program files\Canon
.
==================== Find3M  ====================
.
2013-05-30 01:05:21 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-05-30 01:05:21 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-05-16 10:31:44 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-16 10:31:44 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-01 19:06:08 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-13 04:45:16 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45:29 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-05 05:28:24 1767424 ----a-w- c:\windows\system32\wininet.dll
2013-04-05 05:26:26 2877440 ----a-w- c:\windows\system32\jscript9.dll
2013-04-05 05:26:21 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-04-05 05:26:21 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-04-05 04:29:45 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-04-05 03:38:25 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-03-29 21:15:11 16304 ------w- c:\windows\system32\apl003.sys
2013-03-29 21:15:11 13232 ------w- c:\windows\system32\apf003.sys
2013-03-19 05:04:13 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48:45 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 02:49:16 69632 ----a-w- c:\windows\system32\smss.exe
.
============= FINISH:  9:44:09.81 ===============

Edited by agrias7, 31 May 2013 - 06:15 AM.


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,631 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:52 AM

Posted 04 June 2013 - 10:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/496501 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 agrias7

agrias7
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 04 June 2013 - 10:41 PM

Yes, I still need help. Please help me.
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 10.0.9200.16576  BrowserJavaVersion: 10.21.2
Run by TOSHIBA at 10:35:22 on 2013-06-05
Microsoft Windows 7 Starter   6.1.7601.1.932.81.1033.18.1916.788 [GMT 7:00]
.
AV: ESET Smart Security 6.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 6.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ================
.
.
============== Pseudo HJT Report ===============
.
uProxyServer = 94.229.32.82:8088
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXE
mRun: [TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\toshiba\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: aeriagames.com
Trusted Zone: aeriagames.com
TCP: NameServer = 10.232.0.4 202.134.0.155
TCP: Interfaces\{8DB0A920-20CD-4501-A4A8-7FDB6114898F} : DHCPNameServer = 10.232.0.4 202.134.0.155
TCP: Interfaces\{8DB0A920-20CD-4501-A4A8-7FDB6114898F}\3545453502D20205D424 : DHCPNameServer = 10.0.0.1 8.8.8.8
TCP: Interfaces\{8DB0A920-20CD-4501-A4A8-7FDB6114898F}\3545453502D202C4130303 : DHCPNameServer = 10.0.0.1 8.8.8.8
TCP: Interfaces\{8DB0A920-20CD-4501-A4A8-7FDB6114898F}\64C616378602A5F6E656 : DHCPNameServer = 10.232.0.4 202.134.0.155
TCP: Interfaces\{8DB0A920-20CD-4501-A4A8-7FDB6114898F}\94E64696353686F6F6C60477966696E29646 : DHCPNameServer = 10.232.0.4 202.134.0.155
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\toshiba\appdata\roaming\mozilla\firefox\profiles\ftrsxzjy.default\
FF - prefs.js: network.proxy.http - 94.229.32.82
FF - prefs.js: network.proxy.http_port - 8088
FF - prefs.js: network.proxy.ssl - 94.229.32.82
FF - prefs.js: network.proxy.ssl_port - 8088
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\users\toshiba\appdata\local\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2012-12-21 47568]
R1 cnnctfy2;Connectify LightWeight Filter;c:\windows\system32\drivers\cnnctfy2.sys [2012-11-13 27248]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2013-1-10 242240]
R1 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2012-12-21 171680]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\drivers\EpfwLWF.sys [2012-12-21 46056]
R2 Apache2.4;Apache2.4;e:\xampp\apache\bin\httpd.exe [2012-8-18 22016]
R2 BstHdDrv;BlueStacks Hypervisor;c:\program files\bluestacks\HD-Hypervisor-x86.sys [2013-5-13 63816]
R2 Change Modem Device Service;Change Modem Device Service;c:\windows\system32\ChgService.exe [2012-9-14 135168]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2012-12-21 1333424]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-5-31 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-5-31 701512]
R2 persdwmsrv;Personalization Panel DWM controller;c:\program files\winaero.com\personalization panel dwm controller\persdwmsrv.exe [2012-4-7 8192]
R3 BtFilter;Bluetooth LowerFilter Class Filter Driver;c:\windows\system32\drivers\btfilter.sys [2010-10-18 33640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-5-31 22856]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2012-10-3 30312]
S3 apf003;apf003;c:\windows\system32\apf003.sys [2013-3-30 13232]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 cmnsusbser;Prolink PCM100 EVDO Modem USB Device for Legacy Serial Communication;c:\windows\system32\drivers\cmnsusbser.sys [2010-9-3 105984]
S3 Connectify;Connectify;c:\program files\connectify\ConnectifyService.exe [2012-11-13 65536]
S3 GGSAFERDriver;GGSAFER Driver;c:\program files\garena plus\room\safedrv.sys [2013-4-10 22112]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-10-27 14848]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2012-10-3 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2012-10-3 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2012-10-3 121576]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [2012-10-3 98152]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\drivers\taphss6.sys [2013-2-1 37064]
S3 Te.Service;Te.Service;c:\program files\windows kits\8.0\testing\runtimes\taef\Wex.Services.exe [2012-7-25 94208]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-10-27 49664]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-10-27 27136]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2012-10-26 84312]
S4 BstHdAndroidSvc;BlueStacks Android Service;c:\program files\bluestacks\HD-Service.exe [2013-5-13 393032]
S4 BstHdLogRotatorSvc;BlueStacks Log Rotator Service;c:\program files\bluestacks\HD-LogRotatorService.exe [2013-5-13 384840]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2013-06-05 02:07:59 7016152 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{1c495d9c-db1f-46bb-b97e-006ca90ba2f9}\mpengine.dll
2013-06-02 13:29:18 -------- d-sh--w- C:\$RECYCLE.BIN
2013-05-31 01:46:37 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-05-31 01:23:15 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-31 01:23:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-30 20:41:46 -------- d-----w- C:\ComboFix
2013-05-30 14:52:25 98816 ----a-w- c:\windows\sed.exe
2013-05-30 14:52:25 256000 ----a-w- c:\windows\PEV.exe
2013-05-30 14:52:25 208896 ----a-w- c:\windows\MBR.exe
2013-05-30 03:09:38 -------- d-----w- c:\users\toshiba\appdata\roaming\Gensokyo.org
2013-05-30 03:09:34 -------- d-----w- c:\users\toshiba\appdata\roaming\ShanghaiAlice
2013-05-30 03:05:07 -------- d--h--w- c:\windows\msdownld.tmp
2013-05-30 01:05:34 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-29 14:31:41 -------- d-----w- c:\programdata\RAT Scanner
2013-05-29 05:15:24 -------- d-----w- C:\[Smad-Cage]
2013-05-29 04:00:57 -------- d-----w- c:\users\toshiba\appdata\roaming\Malwarebytes
2013-05-29 04:00:49 -------- d-----w- c:\programdata\Malwarebytes
2013-05-27 08:42:07 -------- d-----w- c:\users\toshiba\appdata\roaming\Dragona
2013-05-27 08:25:17 -------- d-----w- c:\program files\Mobius Indonesia
2013-05-26 04:37:03 262552 ----a-w- c:\program files\mozilla firefox\browser\components\browsercomps.dll
2013-05-23 05:31:24 -------- d-----w- c:\users\toshiba\appdata\local\Temporary Projects
2013-05-21 06:30:36 -------- d-----w- c:\users\toshiba\appdata\local\Diagnostics
2013-05-20 09:27:30 -------- d-----w- c:\program files\BlueStacks
2013-05-20 09:26:34 -------- d-----w- c:\programdata\BlueStacksSetup
2013-05-20 09:26:32 -------- d-----w- c:\programdata\BlueStacks
2013-05-15 08:37:13 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 08:37:13 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-15 08:37:12 40960 ----a-w- c:\windows\system32\wwanprotdim.dll
2013-05-15 08:37:12 186368 ----a-w- c:\windows\system32\wwansvc.dll
2013-05-15 08:36:46 47104 ----a-w- c:\windows\system32\appinfo.dll
2013-05-15 08:36:46 1796096 ----a-w- c:\windows\system32\authui.dll
2013-05-15 08:36:46 101720 ----a-w- c:\windows\system32\consent.exe
2013-05-15 08:36:28 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-05-07 03:53:55 -------- d-----w- c:\program files\JDownloader
.
==================== Find3M  ====================
.
2013-05-30 01:05:21 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-05-30 01:05:21 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-05-16 10:31:44 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-16 10:31:44 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-01 19:06:08 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-13 04:45:16 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45:29 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-05 05:28:24 1767424 ----a-w- c:\windows\system32\wininet.dll
2013-04-05 05:26:26 2877440 ----a-w- c:\windows\system32\jscript9.dll
2013-04-05 05:26:21 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-04-05 05:26:21 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-04-05 04:29:45 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-04-05 03:38:25 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-03-29 21:15:11 16304 ------w- c:\windows\system32\apl003.sys
2013-03-29 21:15:11 13232 ------w- c:\windows\system32\apf003.sys
2013-03-19 05:04:13 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04:10 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48:45 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 02:49:16 69632 ----a-w- c:\windows\system32\smss.exe
.
============= FINISH: 10:37:07.98 ===============


#4 myrti

myrti
    Sillyberry

  • Malware Study Hall Admin
  • 33,768 posts
  • Gender:Female
  • Location:At home

Posted 07 June 2013 - 08:10 AM

Hi,

sorry for the delay. Can you please update me on the steps you did with Eset?

regards
myrti


is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 agrias7

agrias7
  • Topic Starter
  • Members
  • 40 posts

Posted 07 June 2013 - 10:17 AM

Hi, thanks for the reply.

First is the ESET SysInspector log, then the ComboFix log, and last is the OTL log (scan only).



#6 myrti

myrti
    Sillyberry

  • Malware Study Hall Admin
  • 33,768 posts
  • Gender:Female
  • Location:At home

Posted 07 June 2013 - 01:34 PM

Hi,

Can you please show me the OTL log as well? When did you notice the additional user account?

regards
myrti



#7 agrias7

agrias7
  • Topic Starter
  • Members
  • 40 posts

Posted 07 June 2013 - 06:06 PM

I noticed it last week: when logging in, there was an unknown user.
I just deleted it at first, but after a restart it was back, so it is definitely malware.
 
OTL logfile created on: 2013/05/31 10:09:55 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\TOSHIBA\Desktop
 Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16576)
Locale: 00000411 | Country: Japan | Language: JPN | Date Format: yyyy/MM/dd
 
1.87 Gb Total Physical Memory | 0.38 Gb Available Physical Memory | 20.29% Memory free
3.74 Gb Paging File | 1.72 Gb Available in Paging File | 45.88% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 102.44 Gb Total Space | 14.00 Gb Free Space | 13.67% Space Free | Partition Type: NTFS
Drive D: | 97.78 Gb Total Space | 0.61 Gb Free Space | 0.62% Space Free | Partition Type: NTFS
Drive E: | 97.78 Gb Total Space | 33.06 Gb Free Space | 33.82% Space Free | Partition Type: NTFS
Drive H: | 900.00 Mb Total Space | 848.94 Mb Free Space | 94.33% Space Free | Partition Type: NTFS
Drive J: | 195.31 Gb Total Space | 8.31 Gb Free Space | 4.25% Space Free | Partition Type: NTFS
Drive K: | 269.57 Gb Total Space | 5.65 Gb Free Space | 2.10% Space Free | Partition Type: NTFS
 
Computer Name: RAPHAELLA | User Name: TOSHIBA | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013/05/31 10:09:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\TOSHIBA\Desktop\OTL.exe
PRC - [2013/05/12 15:24:11 | 001,413,120 | ---- | M] (z_o_o_m's corp.) -- C:\Users\TOSHIBA\Downloads\FileUploader.exe
PRC - [2013/05/11 14:25:41 | 001,568,768 | ---- | M] (Smadsoft) -- C:\Program Files\Smadav\SMΔRTP.exe
PRC - [2013/05/07 04:11:24 | 000,216,968 | ---- | M] (Google Inc.) -- C:\Users\TOSHIBA\AppData\Local\Google\Update\1.3.21.145\GoogleCrashHandler.exe
PRC - [2012/12/21 13:08:48 | 005,074,384 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
PRC - [2012/11/23 09:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2011/03/02 10:28:40 | 000,521,640 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
PRC - [2011/02/25 12:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/12/15 15:21:44 | 000,844,152 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013/05/29 10:05:35 | 000,053,248 | ---- | M] () -- C:\Users\TOSHIBA\AppData\Local\Temp\catchme.dll
MOD - [2013/05/23 12:44:07 | 000,393,168 | ---- | M] () -- C:\Users\TOSHIBA\AppData\Local\Google\Chrome\Application\27.0.1453.94\ppGoogleNaClPluginChrome.dll
MOD - [2013/05/23 12:44:06 | 013,136,336 | ---- | M] () -- C:\Users\TOSHIBA\AppData\Local\Google\Chrome\Application\27.0.1453.94\PepperFlash\pepflashplayer.dll
MOD - [2013/05/23 12:43:59 | 004,051,408 | ---- | M] () -- C:\Users\TOSHIBA\AppData\Local\Google\Chrome\Application\27.0.1453.94\pdf.dll
MOD - [2013/05/23 12:43:06 | 000,599,504 | ---- | M] () -- C:\Users\TOSHIBA\AppData\Local\Google\Chrome\Application\27.0.1453.94\libglesv2.dll
MOD - [2013/05/23 12:43:05 | 000,124,368 | ---- | M] () -- C:\Users\TOSHIBA\AppData\Local\Google\Chrome\Application\27.0.1453.94\libegl.dll
MOD - [2013/05/23 12:43:03 | 001,597,392 | ---- | M] () -- C:\Users\TOSHIBA\AppData\Local\Google\Chrome\Application\27.0.1453.94\ffmpegsumo.dll
MOD - [2013/04/25 18:30:43 | 000,191,280 | ---- | M] () -- C:\Program Files\Garena Plus\ggspawn.dll
MOD - [2012/11/30 04:59:32 | 000,093,696 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll
MOD - [2010/11/18 17:18:34 | 011,205,120 | ---- | M] () -- C:\Program Files\TOSHIBA\FlashCards\BlackPng.dll
MOD - [2010/03/03 14:14:58 | 000,016,184 | ---- | M] () -- C:\Program Files\TOSHIBA\FlashCards\Hotkey\FnF11.dll
MOD - [2010/03/03 14:14:56 | 000,016,184 | ---- | M] () -- C:\Program Files\TOSHIBA\FlashCards\Hotkey\FnF10.dll
MOD - [2009/11/04 07:14:04 | 000,054,272 | ---- | M] () -- C:\Program Files\Notepad++\NppShell_01.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2013/05/26 11:37:00 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/05/13 13:20:52 | 000,384,840 | ---- | M] (BlueStack Systems, Inc.) [Disabled | Stopped] -- C:\Program Files\BlueStacks\HD-LogRotatorService.exe -- (BstHdLogRotatorSvc)
SRV - [2013/05/13 13:20:32 | 000,393,032 | ---- | M] (BlueStack Systems, Inc.) [Disabled | Stopped] -- C:\Program Files\BlueStacks\HD-Service.exe -- (BstHdAndroidSvc)
SRV - [2013/05/10 14:57:22 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/12/21 13:08:56 | 001,333,424 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2012/10/26 01:34:30 | 000,065,536 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Connectify\ConnectifyService.exe -- (Connectify)
SRV - [2012/08/28 06:40:00 | 004,204,272 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2012/08/18 17:38:26 | 000,022,016 | ---- | M] (Apache Software Foundation) [Auto | Running] -- E:\xampp\apache\bin\httpd.exe -- (Apache2.4)
SRV - [2012/07/25 19:04:02 | 000,094,208 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe -- (Te.Service)
SRV - [2012/07/25 18:20:50 | 000,133,632 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Kits\8.0\App Certification Kit\fussvc.exe -- (fussvc)
SRV - [2012/07/21 01:08:04 | 008,186,368 | ---- | M] () [Auto | Running] -- E:\xampp\mysql\bin\mysqld.exe -- (mysql)
SRV - [2012/04/07 03:04:22 | 000,008,192 | ---- | M] (http://winaero.com/) [Auto | Running] -- C:\Program Files\winaero.com\Personalization Panel DWM Controller\persdwmsrv.exe -- (persdwmsrv)
SRV - [2010/12/09 17:43:20 | 000,468,392 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2010/09/03 16:22:44 | 000,135,168 | ---- | M] () [Auto | Running] -- C:\Windows\System32\ChgService.exe -- (Change Modem Device Service)
SRV - [2010/04/12 10:46:00 | 000,152,944 | ---- | M] (TOSHIBA CORPORATION) [On_Demand | Running] -- C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009/07/14 08:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\CT_ZTEMT_U_USBSER.sys -- (ztemtusbser)
DRV - File not found [Kernel | On_Demand | Running] -- C:\Windows\system32\XDva401.sys -- (XDva401)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva400.sys -- (XDva400)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\TOSHIBA\AppData\Local\Temp\mbr.sys -- (mbr)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\EagleXNt.sys -- (EagleXNt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\clwvd.sys -- (clwvd)
DRV - File not found [Kernel | On_Demand | Running] -- C:\Users\TOSHIBA\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2013/05/13 13:20:38 | 000,063,816 | ---- | M] (BlueStack Systems) [Kernel | Auto | Running] -- C:\Program Files\BlueStacks\HD-Hypervisor-x86.sys -- (BstHdDrv)
DRV - [2013/04/10 10:46:28 | 000,022,112 | -HS- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Garena Plus\Room\safedrv.sys -- (GGSAFERDriver)
DRV - [2013/03/30 04:15:11 | 000,013,232 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\apf003.sys -- (apf003)
DRV - [2013/02/01 06:57:50 | 000,037,064 | ---- | M] (Anchorfree Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\taphss6.sys -- (taphss6)
DRV - [2013/01/10 16:05:58 | 000,242,240 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\System32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV - [2012/12/21 13:09:18 | 000,047,568 | ---- | M] (ESET) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\epfwwfp.sys -- (epfwwfp)
DRV - [2012/12/21 13:09:14 | 000,150,080 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfw.sys -- (epfw)
DRV - [2012/12/21 13:09:14 | 000,046,056 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\System32\drivers\EpfwLWF.sys -- (EpfwLWF)
DRV - [2012/12/21 13:08:54 | 000,122,240 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\System32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2012/12/21 13:08:16 | 000,171,680 | ---- | M] (ESET) [File_System | System | Running] -- C:\Windows\System32\drivers\eamonm.sys -- (eamonm)
DRV - [2012/11/13 16:52:21 | 000,027,248 | ---- | M] (Connectify) [Kernel | System | Running] -- C:\Windows\System32\drivers\cnnctfy2.sys -- (cnnctfy2)
DRV - [2012/10/26 20:03:22 | 000,187,736 | ---- | M] (Oracle Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\VBoxDrv.sys -- (VBoxDrv)
DRV - [2012/10/26 20:03:06 | 000,104,280 | ---- | M] (Oracle Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VBoxNetAdp.sys -- (VBoxNetAdp)
DRV - [2012/10/26 20:02:10 | 000,115,544 | ---- | M] (Oracle Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VBoxNetFlt.sys -- (VBoxNetFlt)
DRV - [2012/10/26 20:02:10 | 000,094,040 | ---- | M] (Oracle Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\VBoxUSBMon.sys -- (VBoxUSBMon)
DRV - [2012/10/26 20:02:10 | 000,084,312 | ---- | M] (Oracle Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VBoxUSB.sys -- (VBoxUSB)
DRV - [2012/08/23 21:44:32 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2012/08/23 21:41:34 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV - [2012/08/23 21:40:25 | 000,049,664 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2012/07/25 03:11:50 | 000,033,512 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\taphss.sys -- (taphss)
DRV - [2012/07/13 16:13:16 | 000,055,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Microsoft Visual Studio 11.0\Team Tools\Performance Tools\VSPerfDrv110.sys -- (VSPerfDrv110)
DRV - [2011/02/23 11:03:04 | 000,235,824 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfbd.sys -- (tosrfbd)
DRV - [2011/01/27 15:26:16 | 000,056,888 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2010/12/17 19:44:24 | 002,129,408 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2010/11/29 11:47:00 | 000,070,448 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2010/11/21 04:29:03 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/11 10:26:00 | 000,042,672 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfbnp.sys -- (tosrfbnp)
DRV - [2010/10/18 14:13:58 | 000,033,640 | ---- | M] (Atheros) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\btfilter.sys -- (BtFilter)
DRV - [2010/09/03 16:57:00 | 000,105,984 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cmnsusbser.sys -- (cmnsusbser)
DRV - [2010/08/30 10:48:00 | 000,080,064 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Tosrfhid.sys -- (Tosrfhid)
DRV - [2010/06/18 16:44:00 | 000,015,160 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2010/05/25 14:59:24 | 000,121,576 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadmdm.sys -- (ssadmdm)
DRV - [2010/05/25 14:59:24 | 000,098,152 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadserd.sys -- (ssadserd)
DRV - [2010/05/25 14:59:24 | 000,096,488 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadbus.sys -- (ssadbus)
DRV - [2010/05/25 14:59:24 | 000,030,312 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadadb.sys -- (androidusb)
DRV - [2010/05/25 14:59:24 | 000,012,776 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ssadmdfl.sys -- (ssadmdfl)
DRV - [2010/04/27 09:25:20 | 000,132,424 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdm.sys -- (sscdmdm)
DRV - [2010/04/27 09:25:20 | 000,104,648 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdbus.sys -- (sscdbus)
DRV - [2010/04/27 09:25:20 | 000,014,920 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sscdmdfl.sys -- (sscdmdfl)
DRV - [2010/04/26 11:48:00 | 000,053,760 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TosRfSnd.sys -- (TosRfSnd)
DRV - [2009/07/24 11:31:00 | 000,021,608 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfnds.sys -- (tosrfnds)
DRV - [2009/07/14 15:28:42 | 000,023,512 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TVALZ_O.SYS -- (TVALZ)
DRV - [2009/07/14 06:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/06/17 11:59:00 | 000,046,984 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tosporte.sys -- (tosporte)
DRV - [2009/03/30 03:09:28 | 000,239,336 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\System32\drivers\RsFx0103.sys -- (RsFx0103)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,DefaultNetworkProfile = 13857291
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = ja-JP
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B8 F8 E2 B6 CB 35 CE 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 88.85.106.146:8080
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledAddons: eliteproxyswitcher%40my-proxy.com:1.2.0.2
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:21.0
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKCU\Software\MozillaPlugins\@fancyguo.com/FancyGame,version=1.0.0.1: C:\Users\TOSHIBA\AppData\Local\Fancy\npfancygame.dll File not found
FF - HKCU\Software\MozillaPlugins\@leeuu.com/npgboxruner;version=: C:\Users\TOSHIBA\AppData\Roaming\gbox\npgboxruner.dll File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\TOSHIBA\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\TOSHIBA\AppData\Local\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2013/02/12 18:27:22 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins
 
[2012/09/13 14:44:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\TOSHIBA\AppData\Roaming\mozilla\Extensions
[2013/05/09 07:05:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\TOSHIBA\AppData\Roaming\mozilla\Firefox\Profiles\ftrsxzjy.default\extensions
[2012/12/18 05:31:26 | 000,000,000 | ---D | M] (Free Download Manager plugin) -- C:\Users\TOSHIBA\AppData\Roaming\mozilla\Firefox\Profiles\ftrsxzjy.default\extensions\fdm_ffext@freedownloadmanager.org
[2012/10/15 11:18:50 | 000,016,275 | ---- | M] () (No name found) -- C:\Users\TOSHIBA\AppData\Roaming\mozilla\firefox\profiles\ftrsxzjy.default\extensions\eliteproxyswitcher@my-proxy.com.xpi
[2013/05/09 07:05:02 | 000,870,680 | ---- | M] () (No name found) -- C:\Users\TOSHIBA\AppData\Roaming\mozilla\firefox\profiles\ftrsxzjy.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2013/05/30 08:04:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/05/26 11:37:03 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/05/26 11:37:03 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter},
CHR - homepage: about:blank
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\TOSHIBA\AppData\Local\Google\Chrome\Application\27.0.1453.94\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\TOSHIBA\AppData\Local\Google\Chrome\Application\27.0.1453.94\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\TOSHIBA\AppData\Local\Google\Chrome\Application\27.0.1453.94\pdf.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Users\TOSHIBA\AppData\Local\Google\Chrome\User Data\Default\Extensions\hokdglbhghcebcopdbanieangmcamaak\1.0_0\np-mswmp.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Free Download Manager Click Catcher Plug-In for Netscape, Opera, Mozilla (Enabled) = C:\Users\TOSHIBA\AppData\Local\Google\Chrome\Application\plugins\npfdm.dll
CHR - plugin: Garena Talk Plugin (Enabled) = C:\Program Files\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll
CHR - plugin: Java™ Platform SE 7 U7 (Enabled) = C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - plugin: fancy3d (Enabled) = C:\Users\TOSHIBA\AppData\Local\Fancy\npfancygame.dll
CHR - plugin: Google Update (Enabled) = C:\Users\TOSHIBA\AppData\Local\Google\Update\1.3.21.135\npGoogleUpdate3.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll
CHR - plugin: Java Deployment Toolkit 7.0.70.11 (Enabled) = C:\Windows\system32\npDeployJava1.dll
CHR - Extension: YouTube = C:\Users\TOSHIBA\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Firebug Lite for Google Chrome™ = C:\Users\TOSHIBA\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmagokdooijbeehmkpknfglimnifench\1.4.0.11967_0\
CHR - Extension: Adblock Plus = C:\Users\TOSHIBA\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.4.1_0\
CHR - Extension: Google Search = C:\Users\TOSHIBA\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: HV Random Encounter Notification = C:\Users\TOSHIBA\AppData\Local\Google\Chrome\User Data\Default\Extensions\gadcmjbmoaljdkkhmepghnmbnbgiinlg\1.2.0_0\
CHR - Extension: Windows Media Player Extension for HTML5 = C:\Users\TOSHIBA\AppData\Local\Google\Chrome\User Data\Default\Extensions\hokdglbhghcebcopdbanieangmcamaak\1.0_0\
CHR - Extension: Stealthy = C:\Users\TOSHIBA\AppData\Local\Google\Chrome\User Data\Default\Extensions\ieaebnkibonmpbhdaanjkmedikadnoje\3.0.1_0\
CHR - Extension: Google Mail Checker = C:\Users\TOSHIBA\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff\4.4.0_0\
CHR - Extension: Late Night = C:\Users\TOSHIBA\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgbdhkpacgdhfabeceekiafonfkipohm\1.0_0\
CHR - Extension: Gmail = C:\Users\TOSHIBA\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2013/05/29 10:17:13 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin File not found
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [SMΔRT-Protection] C:\Program Files\Smadav\SMΔRTP.exe (Smadsoft)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O15 - HKCU\..Trusted Domains: aeriagames.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: aeriagames.com ([]https in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8DB0A920-20CD-4501-A4A8-7FDB6114898F}: DhcpNameServer = 10.232.0.4 202.134.0.155
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F5BCC7C1-B7FD-42E9-B5A0-6323B9852F86}: NameServer = 8.8.8.8 8.8.4.4
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/11 04:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/06/11 04:42:20 | 000,000,024 | ---- | M] () - J:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/05/31 10:09:25 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\TOSHIBA\Desktop\OTL.exe
[2013/05/31 09:42:40 | 000,688,992 | R--- | C] (Swearware) -- C:\Users\TOSHIBA\Desktop\dds.com
[2013/05/31 09:05:45 | 001,797,248 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\TOSHIBA\Desktop\rkill.exe
[2013/05/31 08:46:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2013/05/31 08:44:19 | 000,000,000 | ---D | C] -- C:\Users\TOSHIBA\Desktop\mbar
[2013/05/31 08:23:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/05/31 08:23:15 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2013/05/31 08:23:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/05/31 08:21:19 | 000,760,723 | ---- | C] (Farbar) -- C:\Users\TOSHIBA\Desktop\MiniToolBox.exe
[2013/05/31 08:19:54 | 000,354,297 | ---- | C] (Farbar) -- C:\Users\TOSHIBA\Desktop\FSS.exe
[2013/05/31 03:56:11 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/05/31 03:53:31 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/05/31 03:41:46 | 000,000,000 | ---D | C] -- C:\ComboFix
[2013/05/30 21:52:25 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/05/30 21:52:25 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/05/30 21:52:25 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/05/30 21:52:14 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/05/30 21:50:41 | 005,074,935 | R--- | C] (Swearware) -- C:\Users\TOSHIBA\Desktop\ComboFix.exe
[2013/05/30 10:09:38 | 000,000,000 | ---D | C] -- C:\Users\TOSHIBA\AppData\Roaming\Gensokyo.org
[2013/05/30 10:09:34 | 000,000,000 | ---D | C] -- C:\Users\TOSHIBA\AppData\Roaming\ShanghaiAlice
[2013/05/30 08:07:27 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2013/05/30 08:05:47 | 000,263,584 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2013/05/30 08:05:34 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2013/05/30 08:05:34 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2013/05/30 08:05:34 | 000,094,112 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2013/05/30 08:05:18 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2013/05/29 21:31:41 | 000,000,000 | ---D | C] -- C:\ProgramData\RAT Scanner
[2013/05/29 12:15:24 | 000,000,000 | ---D | C] -- C:\[Smad-Cage]
[2013/05/29 11:00:57 | 000,000,000 | ---D | C] -- C:\Users\TOSHIBA\AppData\Roaming\Malwarebytes
[2013/05/29 11:00:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013/05/29 10:02:21 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/05/27 15:42:07 | 000,000,000 | ---D | C] -- C:\Users\TOSHIBA\AppData\Roaming\Dragona
[2013/05/27 15:25:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mobius Indonesia
[2013/05/27 15:25:17 | 000,000,000 | ---D | C] -- C:\Program Files\Mobius Indonesia
[2013/05/27 15:25:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dragona Online
[2013/05/26 11:36:28 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/05/23 12:31:24 | 000,000,000 | ---D | C] -- C:\Users\TOSHIBA\AppData\Local\Temporary Projects
[2013/05/21 13:30:36 | 000,000,000 | ---D | C] -- C:\Users\TOSHIBA\AppData\Local\Diagnostics
[2013/05/20 16:27:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BlueStacks
[2013/05/20 16:27:30 | 000,000,000 | ---D | C] -- C:\Program Files\BlueStacks
[2013/05/20 16:26:34 | 000,000,000 | ---D | C] -- C:\ProgramData\BlueStacksSetup
[2013/05/20 16:26:32 | 000,000,000 | ---D | C] -- C:\ProgramData\BlueStacks
[2013/05/15 15:57:44 | 002,706,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/05/15 15:57:43 | 002,877,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/05/15 15:57:42 | 000,391,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/05/15 15:57:42 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2013/05/15 15:57:42 | 000,039,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/05/15 15:57:41 | 000,493,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/05/15 15:57:41 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2013/05/15 15:57:41 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2013/05/15 15:57:41 | 000,042,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2013/05/15 15:57:41 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2013/05/15 15:37:13 | 000,218,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\dxgmms1.sys
[2013/05/15 15:37:12 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wwanprotdim.dll
[2013/05/15 15:36:46 | 001,796,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\authui.dll
[2013/05/15 15:36:46 | 000,101,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\consent.exe
[2013/05/15 15:36:28 | 002,347,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2013/05/07 10:53:55 | 000,000,000 | ---D | C] -- C:\Program Files\JDownloader
[2013/05/01 13:15:44 | 000,000,000 | ---D | C] -- C:\Program Files\Snail Games USA
[2013/05/01 10:45:55 | 000,000,000 | ---D | C] -- C:\Users\TOSHIBA\AppData\Roaming\com.shirogames.evoland
[2013/05/01 10:41:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon Utilities
[2013/05/01 10:40:51 | 000,000,000 | -H-D | C] -- C:\ProgramData\CanonBJ
[2013/05/01 10:40:17 | 000,000,000 | -H-D | C] -- C:\Windows\System32\CanonIJ Uninstaller Information
[2013/05/01 10:40:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MP250 series
[2013/05/01 10:40:08 | 000,303,104 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNC250L.dll
[2013/05/01 10:40:08 | 000,110,592 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNC250I.dll
[2013/05/01 10:40:07 | 001,310,720 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNC250C.dll
[2013/05/01 10:40:07 | 000,106,496 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNC250U.dll
[2013/05/01 10:40:07 | 000,015,872 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNHMCA.dll
[2013/05/01 10:39:27 | 000,272,384 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNMLM9W.DLL
[2013/05/01 10:39:17 | 000,178,176 | ---- | C] (CANON INC.) -- C:\Windows\System32\CNMIU9W.DLL
[2013/05/01 10:39:17 | 000,090,112 | ---- | C] (Canon Inc.) -- C:\Windows\System32\CNC250O.dll
[2013/05/01 10:39:08 | 000,000,000 | -H-D | C] -- C:\Program Files\CanonBJ
[2013/05/01 10:38:13 | 000,000,000 | ---D | C] -- C:\Program Files\Canon
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/05/31 10:09:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\TOSHIBA\Desktop\OTL.exe
[2013/05/31 09:40:46 | 000,688,992 | R--- | M] (Swearware) -- C:\Users\TOSHIBA\Desktop\dds.com
[2013/05/31 09:23:00 | 000,273,922 | ---- | M] () -- C:\Users\TOSHIBA\Desktop\n0836.mp4_thumbs_[2013.05.31_09.22.53].jpg
[2013/05/31 09:16:01 | 000,000,708 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-897761353-3930260701-24219697-1000UA1ce4a9e558acb36.job
[2013/05/31 09:14:58 | 000,643,361 | ---- | M] () -- C:\Users\TOSHIBA\Desktop\29321700_002.jpg
[2013/05/31 08:39:13 | 001,797,248 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\TOSHIBA\Desktop\rkill.exe
[2013/05/31 08:16:52 | 000,760,723 | ---- | M] (Farbar) -- C:\Users\TOSHIBA\Desktop\MiniToolBox.exe
[2013/05/31 08:16:18 | 000,354,297 | ---- | M] (Farbar) -- C:\Users\TOSHIBA\Desktop\FSS.exe
[2013/05/31 04:28:53 | 000,000,656 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-897761353-3930260701-24219697-1000Core.job
[2013/05/31 03:39:14 | 005,074,935 | R--- | M] (Swearware) -- C:\Users\TOSHIBA\Desktop\ComboFix.exe
[2013/05/31 03:06:16 | 000,890,839 | ---- | M] () -- C:\Users\TOSHIBA\Desktop\SecurityCheck.exe
[2013/05/31 03:00:56 | 000,719,776 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/05/31 03:00:56 | 000,146,738 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/05/30 15:35:36 | 000,017,520 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/05/30 15:35:36 | 000,017,520 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/05/30 15:26:49 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/05/30 15:26:45 | 1506,779,136 | -HS- | M] () -- C:\hiberfil.sys
[2013/05/30 08:05:30 | 000,094,112 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2013/05/30 08:05:23 | 000,263,584 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2013/05/30 08:05:23 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2013/05/30 08:05:23 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2013/05/30 08:05:21 | 000,866,720 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\npDeployJava1.dll
[2013/05/30 08:05:21 | 000,788,896 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\deployJava1.dll
[2013/05/29 18:52:09 | 000,316,349 | ---- | M] () -- C:\Users\TOSHIBA\Desktop\error2.jpg
[2013/05/29 18:51:35 | 000,330,749 | ---- | M] () -- C:\Users\TOSHIBA\Desktop\error.jpg
[2013/05/29 12:14:33 | 000,406,216 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/05/29 11:02:01 | 000,002,052 | ---- | M] () -- C:\Windows\epplauncher.mif
[2013/05/29 10:17:13 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2013/05/16 17:31:44 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/05/16 17:31:44 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/05/02 02:06:08 | 000,238,872 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2013/05/01 10:24:59 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/05/31 09:22:56 | 000,273,922 | ---- | C] () -- C:\Users\TOSHIBA\Desktop\n0836.mp4_thumbs_[2013.05.31_09.22.53].jpg
[2013/05/31 09:14:56 | 000,643,361 | ---- | C] () -- C:\Users\TOSHIBA\Desktop\29321700_002.jpg
[2013/05/31 03:06:55 | 000,890,839 | ---- | C] () -- C:\Users\TOSHIBA\Desktop\SecurityCheck.exe
[2013/05/30 21:52:25 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/05/30 21:52:25 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/05/30 21:52:25 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/05/30 21:52:25 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/05/30 21:52:25 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/05/29 18:52:09 | 000,316,349 | ---- | C] () -- C:\Users\TOSHIBA\Desktop\error2.jpg
[2013/05/29 18:51:34 | 000,330,749 | ---- | C] () -- C:\Users\TOSHIBA\Desktop\error.jpg
[2013/05/29 11:02:01 | 000,002,052 | ---- | C] () -- C:\Windows\epplauncher.mif
[2013/05/07 10:55:05 | 000,001,949 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JDownloader.lnk
[2013/05/07 10:55:05 | 000,001,893 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JDownloader Uninstaller.lnk
[2013/05/07 10:55:05 | 000,001,872 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\JDownloader Update.lnk
[2013/05/07 04:11:54 | 000,000,708 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-897761353-3930260701-24219697-1000UA1ce4a9e558acb36.job
[2013/05/01 10:40:08 | 000,012,288 | ---- | C] () -- C:\Windows\System32\CNC173AD.TBL
[2013/05/01 10:24:59 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2013/03/30 04:15:11 | 000,016,304 | ---- | C] () -- C:\Windows\System32\apl003.sys
[2013/03/30 04:15:11 | 000,013,232 | ---- | C] () -- C:\Windows\System32\apf003.sys
[2013/03/07 15:36:26 | 000,045,270 | ---- | C] () -- C:\Users\TOSHIBA\AppData\Roaming\room_v3.dat
[2012/12/28 11:00:43 | 000,293,889 | ---- | C] () -- C:\Windows\System32\drivers\RTAIODAT.DAT
[2012/09/21 21:19:57 | 000,007,605 | ---- | C] () -- C:\Users\TOSHIBA\AppData\Local\resmon.resmoncfg
[2012/09/14 12:49:31 | 000,135,168 | ---- | C] () -- C:\Windows\System32\ChgService.exe
[2012/09/13 14:25:38 | 000,178,688 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2011/06/10 06:34:52 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
 
========== ZeroAccess Check ==========
 
[2009/07/14 11:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/02/27 11:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/21 04:29:20 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/14 08:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
< End of report >


#8 myrti
  • Malware Study Hall Admin
  • 33,768 posts

Posted 08 June 2013 - 03:26 AM

Hi agrias,

I have a couple more questions:
Does the recreated user account have the same name, or has the name changed?
Do you have more than one operating system installed on the machine? What is on partition J:?
Please also post the ComboFix log they asked you to run.

Then please do the following:
  • Open Notepad and copy/paste the code box below into a new text file.

    @echo off
    rem List every local account, then the details of the suspicious one, into a log on the Desktop
    net user>"%userprofile%\desktop\log.txt"
    net user uanapxpywzrd>>"%userprofile%\desktop\log.txt"
    rem Open the log so its contents can be copied into the reply
    start notepad "%userprofile%\desktop\log.txt"
  • Save the file as query.bat by choosing save as *All Files, and save it to your Desktop.
  • Locate "query.bat" and double-click on it to run.
  • It will open a text file; please copy its content into your next reply.
Please also run a scan with aswMBR:
  • Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
regards
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

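The query.bat above only lists the accounts. The PowerShell script below is an added example, not myrti's code and not part of the original thread, that takes the same check one step further from a defender's side: it enumerates local accounts, flags any that are not on a known-good list, and for each unexpected account looks up the Security-log event 4720 ("a user account was created") so the logon session that created it can be traced. The `$Expected` list is an assumption constructed from the `net user` output posted later in this thread and must be adjusted for the machine being examined; `Get-UnexpectedLocalAccounts` and `Get-AccountCreationEvents` are names chosen for this example.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt:
# reading the Security log needs administrator rights.
# Assumption: these are the accounts the owner recognises, taken from the
# "net user" output posted in this thread. Adjust the list per machine.
$Expected = @('Administrator', 'Guest', 'John', 'TOSHIBA')

function Get-UnexpectedLocalAccounts {
    param([string[]]$Known)
    # Win32_UserAccount is available on Windows 7's PowerShell 2.0;
    # LocalAccount='True' keeps domain accounts out of the comparison.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" |
        Where-Object { $Known -notcontains $_.Name } |
        Select-Object Name, SID, Disabled, PasswordRequired, PasswordChangeable, PasswordExpires
}

function Get-AccountCreationEvents {
    param([string]$AccountName)
    try {
        # Event 4720 is logged when a local account is created (needs
        # "User Account Management" success auditing to be enabled).
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction Stop
    } catch {
        Write-Warning "Could not read 4720 events from the Security log (not elevated, or none recorded): $_"
        return
    }
    foreach ($e in $events) {
        # Read the EventData fields by name from the event XML instead of
        # relying on positional indexes into $e.Properties.
        [xml]$x = $e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['TargetUserName'] -eq $AccountName) {
            New-Object PSObject -Property @{
                Created   = $e.TimeCreated
                Account   = $d['TargetUserName']
                CreatedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                LogonId   = $d['SubjectLogonId']
            }
        }
    }
}

$suspects = @(Get-UnexpectedLocalAccounts -Known $Expected)
if ($suspects.Count -eq 0) {
    "No unexpected local accounts."
} else {
    foreach ($s in $suspects) {
        "Unexpected local account: $($s.Name) (SID $($s.SID), disabled=$($s.Disabled), password expires=$($s.PasswordExpires))"
        Get-AccountCreationEvents -AccountName $s.Name |
            Format-Table Created, Account, CreatedBy, LogonId -AutoSize
    }
}
```

Whether 4720 events are being recorded at all can be checked beforehand with `auditpol /get /subcategory:"User Account Management"`. The `CreatedBy` and `LogonId` columns are the useful part: a creator of `NT AUTHORITY\SYSTEM` with logon ID `0x3e7` means the account was created from a service, driver or scheduled task rather than by an interactive user, which is what one would expect for an account that keeps coming back after being deleted, and the logon ID can then be matched against 4624 logon events and the service or task list from the logs above.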


#9 agrias7
  • Topic Starter
  • Members
  • 40 posts

Posted 08 June 2013 - 05:37 AM

- the username is always the same: "uanapxpywzrd"

- no, it's an external HDD; before, it was my old laptop's HDD

 

ComboFix 13-05-30.02 - TOSHIBA 2013/05/31   3:42.6.2 - x86
Microsoft Windows 7 Starter   6.1.7601.1.932.81.1033.18.1916.879 [GMT 7:00]
Running from: c:\users\TOSHIBA\Desktop\ComboFix.exe
AV: ESET Smart Security 6.0 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Disabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 6.0 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-28 to 2013-05-30  )))))))))))))))))))))))))))))))
.
.
2013-05-30 20:51 . 2013-05-30 20:51 -------- d-----w- c:\users\John\AppData\Local\temp
2013-05-30 20:51 . 2013-05-30 20:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-30 03:09 . 2013-05-30 03:09 -------- d-----w- c:\users\TOSHIBA\AppData\Roaming\Gensokyo.org
2013-05-30 03:09 . 2013-05-30 03:09 -------- d-----w- c:\users\TOSHIBA\AppData\Roaming\ShanghaiAlice
2013-05-30 03:05 . 2013-05-30 03:05 -------- d--h--w- c:\windows\msdownld.tmp
2013-05-30 01:07 . 2013-05-30 01:07 -------- d-----w- c:\program files\Common Files\Java
2013-05-30 01:05 . 2013-05-30 01:05 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-30 01:05 . 2013-05-30 01:05 -------- d-----w- c:\program files\Java
2013-05-29 14:31 . 2013-05-29 14:31 -------- d-----w- c:\programdata\RAT Scanner
2013-05-29 05:15 . 2013-05-29 05:15 -------- d-----w- C:\[Smad-Cage]
2013-05-29 04:00 . 2013-05-29 04:00 -------- d-----w- c:\users\TOSHIBA\AppData\Roaming\Malwarebytes
2013-05-29 04:00 . 2013-05-29 04:00 -------- d-----w- c:\programdata\Malwarebytes
2013-05-28 14:34 . 2013-05-13 06:19 7016152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{439E50F8-6202-49B3-A298-60C1CB858FB4}\mpengine.dll
2013-05-27 08:42 . 2013-05-27 10:07 -------- d-----w- c:\users\TOSHIBA\AppData\Roaming\Dragona
2013-05-27 08:25 . 2013-05-27 08:25 -------- d-----w- c:\program files\Mobius Indonesia
2013-05-23 05:31 . 2013-05-23 05:43 -------- d-----w- c:\users\TOSHIBA\AppData\Local\Temporary Projects
2013-05-21 06:30 . 2013-05-21 06:30 -------- d-----w- c:\users\TOSHIBA\AppData\Local\Diagnostics
2013-05-20 09:27 . 2013-05-20 09:27 -------- d-----w- c:\program files\BlueStacks
2013-05-20 09:26 . 2013-05-20 09:27 -------- d-----w- c:\programdata\BlueStacks
2013-05-15 08:37 . 2013-04-10 05:18 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-05-15 08:37 . 2013-04-10 05:18 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-05-15 08:37 . 2013-03-19 04:53 186368 ----a-w- c:\windows\system32\wwansvc.dll
2013-05-15 08:37 . 2013-03-19 03:33 40960 ----a-w- c:\windows\system32\wwanprotdim.dll
2013-05-15 08:36 . 2013-02-27 05:05 101720 ----a-w- c:\windows\system32\consent.exe
2013-05-15 08:36 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\system32\authui.dll
2013-05-15 08:36 . 2013-02-27 04:49 47104 ----a-w- c:\windows\system32\appinfo.dll
2013-05-15 08:36 . 2013-04-10 03:14 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-05-07 03:53 . 2013-05-25 04:47 -------- d-----w- c:\program files\JDownloader
2013-05-01 06:15 . 2013-05-01 06:15 -------- d-----w- c:\program files\Snail Games USA
2013-05-01 03:45 . 2013-05-01 03:45 -------- d-----w- c:\users\TOSHIBA\AppData\Roaming\com.shirogames.evoland
2013-05-01 03:40 . 2013-05-01 03:40 -------- d--h--w- c:\programdata\CanonBJ
2013-05-01 03:40 . 2010-02-03 22:00 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPP9W.DLL
2013-05-01 03:40 . 2010-02-03 22:00 27648 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPD9W.DLL
2013-05-01 03:40 . 2013-05-01 03:40 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2013-05-01 03:40 . 2009-04-03 08:59 110592 ----a-w- c:\windows\system32\CNC250I.dll
2013-05-01 03:40 . 2009-03-11 04:34 303104 ----a-w- c:\windows\system32\CNC250L.dll
2013-05-01 03:40 . 2009-04-03 09:00 1310720 ----a-w- c:\windows\system32\CNC250C.dll
2013-05-01 03:40 . 2009-04-03 08:57 106496 ----a-w- c:\windows\system32\CNC250U.dll
2013-05-01 03:40 . 2008-08-25 11:02 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2013-05-01 03:39 . 2010-02-03 22:00 272384 ----a-w- c:\windows\system32\CNMLM9W.DLL
2013-05-01 03:39 . 2009-03-18 09:09 178176 ----a-w- c:\windows\system32\CNMIU9W.DLL
2013-05-01 03:39 . 2009-02-04 13:17 90112 ----a-w- c:\windows\system32\CNC250O.dll
2013-05-01 03:38 . 2013-05-01 03:41 -------- d-----w- c:\program files\Canon
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-30 01:05 . 2012-09-19 14:55 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-05-30 01:05 . 2012-09-19 14:55 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-05-16 10:31 . 2012-09-26 16:32 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-16 10:31 . 2012-09-26 16:32 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-01 19:06 . 2012-09-15 15:15 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-13 04:45 . 2013-05-15 08:36 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-15 08:36 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45 . 2013-04-24 12:30 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-01 16:53 . 2013-01-18 05:19 2549088 ----a-w- c:\programdata\Microsoft\VisualStudio\11.0\1033\ResourceCache.dll
2013-03-29 21:15 . 2013-03-29 21:15 16304 ------w- c:\windows\system32\apl003.sys
2013-03-29 21:15 . 2013-03-29 21:15 13232 ------w- c:\windows\system32\apf003.sys
2013-03-19 05:04 . 2013-04-10 22:03 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-19 05:04 . 2013-04-10 22:03 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-19 04:48 . 2013-04-10 22:03 38912 ----a-w- c:\windows\system32\csrsrv.dll
2013-03-19 02:49 . 2013-04-10 22:03 69632 ----a-w- c:\windows\system32\smss.exe
2013-03-14 04:06 . 2013-03-14 04:06 745472 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-03-14 04:06 . 2013-03-14 04:06 185344 ----a-w- c:\windows\system32\elshyph.dll
2013-03-14 04:06 . 2013-03-14 04:06 158720 ----a-w- c:\windows\system32\msls31.dll
2013-03-14 04:06 . 2013-03-14 04:06 523264 ----a-w- c:\windows\system32\vbscript.dll
2013-03-14 04:06 . 2013-03-14 04:06 150528 ----a-w- c:\windows\system32\iexpress.exe
2013-03-14 04:06 . 2013-03-14 04:06 138752 ----a-w- c:\windows\system32\wextract.exe
2013-03-14 04:06 . 2013-03-14 04:06 137216 ----a-w- c:\windows\system32\ieUnatt.exe
2013-03-14 04:06 . 2013-03-14 04:06 38400 ----a-w- c:\windows\system32\imgutil.dll
2013-03-14 04:06 . 2013-03-14 04:06 12800 ----a-w- c:\windows\system32\mshta.exe
2013-03-14 04:06 . 2013-03-14 04:06 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-03-14 04:06 . 2013-03-14 04:06 73728 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-03-14 04:06 . 2013-03-14 04:06 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-03-14 04:06 . 2013-03-14 04:06 61952 ----a-w- c:\windows\system32\tdc.ocx
2013-03-14 04:06 . 2013-03-14 04:06 361984 ----a-w- c:\windows\system32\html.iec
2013-03-14 04:06 . 2013-03-14 04:06 719360 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-03-14 04:06 . 2013-03-14 04:06 23040 ----a-w- c:\windows\system32\licmgr10.dll
2013-03-14 04:06 . 2013-03-14 04:06 1441280 ----a-w- c:\windows\system32\inetcpl.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMΔRT-Protection"="c:\program files\Smadav\SMΔRTP.exe" [2013-05-11 1568768]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2012-11-06 3673728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-17 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-17 175640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-17 167960]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2011-03-02 521640]
"TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2010-12-15 844152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2012-06-11 10996368]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2012-12-21 5074384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\users\TOSHIBA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2011-3-2 2745760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^TOSHIBA^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Rainmeter.lnk]
path=c:\users\TOSHIBA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rainmeter.lnk
backup=c:\windows\pss\Rainmeter.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlueStacks Agent]
2013-05-13 06:21 601928 ----a-w- c:\program files\BlueStacks\HD-Agent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-10-19 02:12 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Connectify]
2012-10-25 18:34 4010856 ----a-w- c:\program files\Connectify\Connectify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GarenaPlus]
2013-05-09 04:38 9829680 ----a-w- c:\program files\Garena Plus\GarenaMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-09-19 13:30 116648 ----atw- c:\users\TOSHIBA\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ITSecMng]
2009-07-22 06:40 83336 ----a-w- c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 03:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
.
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [x]
R3 apf003;apf003;c:\windows\system32\apf003.sys [x]
R3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
R3 Connectify;Connectify;c:\program files\Connectify\ConnectifyService.exe [x]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena Plus\Room\safedrv.sys [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys [x]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\DRIVERS\taphss6.sys [x]
R3 Te.Service;Te.Service;c:\program files\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys [x]
R3 XDva400;XDva400;c:\windows\system32\XDva400.sys [x]
R3 ztemtusbser;PROLiNK PCM100 Legacy Serial Communication;c:\windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [x]
R4 BstHdAndroidSvc;BlueStacks Android Service;c:\program files\BlueStacks\HD-Service.exe BstHdAndroidSvc Android [x]
R4 BstHdLogRotatorSvc;BlueStacks Log Rotator Service;c:\program files\BlueStacks\HD-LogRotatorService.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [x]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [x]
S1 cnnctfy2;Connectify LightWeight Filter;c:\windows\system32\DRIVERS\cnnctfy2.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [x]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [x]
S2 Apache2.4;Apache2.4;e:\xampp\apache\bin\httpd.exe [x]
S2 BstHdDrv;BlueStacks Hypervisor;c:\program files\BlueStacks\HD-Hypervisor-x86.sys [x]
S2 Change Modem Device Service;Change Modem Device Service;c:\windows\System32\ChgService.exe [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [x]
S2 persdwmsrv;Personalization Panel DWM controller;c:\program files\winaero.com\Personalization Panel DWM Controller\persdwmsrv.exe [x]
S3 BtFilter;Bluetooth LowerFilter Class Filter Driver;c:\windows\system32\DRIVERS\btfilter.sys [x]
S3 cmnsusbser;Prolink PCM100 EVDO Modem USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\cmnsusbser.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
S3 XDva401;XDva401;c:\windows\system32\XDva401.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc
GPSvcGroup REG_MULTI_SZ   GPSvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-897761353-3930260701-24219697-1000Core.job
- c:\users\TOSHIBA\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-19 13:30]
.
2013-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-897761353-3930260701-24219697-1000UA1ce4a9e558acb36.job
- c:\users\TOSHIBA\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-19 13:30]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 88.85.106.146:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: aeriagames.com
FF - ProfilePath - c:\users\TOSHIBA\AppData\Roaming\Mozilla\Firefox\Profiles\ftrsxzjy.default\
FF - prefs.js: network.proxy.http - 89.33.1.125
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.ssl - 89.33.1.125
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 1
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.EXE'(1748)
c:\program files\7-Zip\7-zip.dll
c:\windows\system32\igfxrJPN.lrc
c:\program files\Smadav\SmadExtc.dll
c:\program files\Toshiba\Bluetooth Toshiba Stack\sys\TosBtShell.dll
c:\program files\TextPad 5\System\shellext32.dll
c:\program files\Notepad++\NppShell_01.dll
c:\users\TOSHIBA\AppData\Local\Temp\catchme.dll
.
Completion time: 2013-05-31  03:53:29
ComboFix-quarantined-files.txt  2013-05-30 20:53
ComboFix2.txt  2013-05-30 15:05
.
Pre-Run: 16,343,019,520 bytes free
Post-Run: 16,281,145,344 bytes free
.
- - End Of File - - 20C73AFCCB88113A90E0D95E2E154CA7
 
 
User accounts for \\RAPHAELLA
 
-------------------------------------------------------------------------------
Administrator            Guest                    John                     
TOSHIBA                  uanapxpywzrd             
The command completed successfully.
 
User name                    uanapxpywzrd
Full Name                    uanapxpywzrd
Comment                      
User's comment               
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
 
Password last set            2013/06/07 12:54:34
Password expires             Never
Password changeable          2013/06/07 12:54:34
Password required            Yes
User may change password     No
 
Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   Never
 
Logon hours allowed          All
 
Local Group Memberships      *Users                
Global Group memberships     *None                 
The command completed successfully.
 
aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-08 17:34:38
-----------------------------
17:34:38.418    OS Version: Windows 6.1.7601 Service Pack 1
17:34:38.418    Number of processors: 2 586 0x170A
17:34:38.421    ComputerName: RAPHAELLA  UserName: TOSHIBA
17:34:40.641    Initialize success
17:34:53.484    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
17:34:53.487    Disk 0 Vendor: TOSHIBA_MK3275GSX GT001M Size: 305245MB BusType: 11
17:34:53.603    Disk 0 MBR read successfully
17:34:53.610    Disk 0 MBR scan
17:34:53.616    Disk 0 Windows 7 default MBR code
17:34:53.634    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
17:34:53.656    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       104899 MB offset 206848
17:34:53.680    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       100122 MB offset 215040000
17:34:53.702    Disk 0 Partition 4 00     07    HPFS/NTFS NTFS       100122 MB offset 420089856
17:34:53.714    Disk 0 scanning sectors +625139712
17:34:53.890    Disk 0 scanning C:\Windows\system32\drivers
17:35:02.212    Service scanning
17:35:34.173    Modules scanning
17:35:54.915    Disk 0 trace - called modules:
17:35:54.928    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys 
17:35:54.929    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85dab030]
17:35:54.929    3 CLASSPNP.SYS[88dae59e] -> nt!IofCallDriver -> [0x85cd7020]
17:35:54.929    5 ACPI.sys[888d53d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x84f4d908]
17:35:54.929    Scan finished successfully
17:36:40.852    Disk 0 MBR has been saved successfully to "C:\Users\TOSHIBA\Desktop\MBR.dat"
17:36:40.884    The log file has been saved successfully to "C:\Users\TOSHIBA\Desktop\aswMBR.txt"


#10 myrti (Malware Study Hall Admin)

Posted 08 June 2013 - 05:54 AM

Hi,

Well, there is some good news there: a) the account does not have administrator rights; b) it seems nobody ever used the account to log on to your PC. That being said, it is still a very odd thing to happen.

Did you grant anybody remote access to your account? Had ESET logged into your PC when troubleshooting (or possibly also prior to that)?

Can you go to C:\users and check if there's a folder called uanapxpywzrd?
regards
myrti

Edited by myrti, 08 June 2013 - 05:55 AM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 agrias7 (Topic Starter)

Posted 08 June 2013 - 06:47 AM

No, I never gave remote access to anyone.

I believe ESET can't and never did log in to my laptop.

There is no folder named uanapxpywzrd in C:\users.


Edited by agrias7, 08 June 2013 - 06:58 AM.


#12 myrti (Malware Study Hall Admin)

Posted 09 June 2013 - 05:09 AM

Hi,

OK. The lack of the folder also means that it was never fully initialised.


Please download Profiles by noahdfear.
  • Save it to your desktop.
  • Double-click profiles.exe and post its log when you reply.
Have you installed any new programs recently? How did you delete the account?

regards
myrti



#13 agrias7 (Topic Starter)

Posted 09 June 2013 - 05:23 AM

I haven't installed any programs since last week.
I deleted it from Control Panel.
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\system32\config\systemprofile
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
    ProfileImagePath    REG_EXPAND_SZ    C:\Windows\ServiceProfiles\LocalService
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath    REG_EXPAND_SZ    C:\Windows\ServiceProfiles\NetworkService
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-897761353-3930260701-24219697-1000
    ProfileImagePath    REG_EXPAND_SZ    C:\Users\TOSHIBA
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-897761353-3930260701-24219697-1006
    ProfileImagePath    REG_EXPAND_SZ    C:\Users\John
 
    SystemRoot    REG_SZ    C:\Windows


#14 myrti (Malware Study Hall Admin)

Posted 09 June 2013 - 10:31 AM

Hi,

OK, let's try deleting it again, please:

Go to start, then all programs followed by Accessories, right-click Command Prompt, and then click Run as administrator.

This will open an elevated command prompt.

Into that window please type:

net user uanapxpywzrd /delete and hit enter.
The empty spaces are important, please copy the line as is.

Post back the line that is displayed afterwards.

Then log out and check if the account appears on the login page. And if it doesn't, please reboot and let me know if it comes back.

regards
myrti



#15 agrias7 (Topic Starter)

Posted 09 June 2013 - 02:31 PM

It still comes back :(


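When `net user uanapxpywzrd /delete` succeeds and the account is back after a reboot, something on the machine is recreating it, and the next step is to find out what. The PowerShell below is an added triage script; it is not from this thread and not part of ComboFix, aswMBR, ESET or the Profiles tool mentioned above. It assumes an elevated PowerShell prompt on Windows 7 (PowerShell 2.0) or later, and takes the account name as a parameter, with the name from this thread used only as the default. It lists every local account with its SID and ProfileList entry (the comparison done by hand in the posts above), reports which local groups the suspect account belongs to, pulls Security-log events 4720/4722/4732 for the account so that SubjectUserName and SubjectLogonId show which session created it (these events are only recorded if account-management auditing is enabled), and dumps the Run keys and scheduled tasks where a routine that recreates an account usually lives.

```powershell
# Added triage script for a local account that keeps reappearing.
# Not from the thread or from any tool named in it. Assumes an elevated
# PowerShell prompt (Windows 7 / PowerShell 2.0 or later). The account
# name is a parameter; the default is just the name from this thread.
param([string]$Suspect = 'uanapxpywzrd')

# 1. Every local account with its SID and ProfileList entry. An account that
#    exists in the SAM but has no ProfileList key has never completed a logon.
$profileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$accounts = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' | ForEach-Object {
    $profile = Get-ItemProperty -Path (Join-Path $profileKey $_.SID) -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Name        = $_.Name
        SID         = $_.SID
        Disabled    = $_.Disabled
        ProfilePath = $(if ($profile) { $profile.ProfileImagePath } else { '<no profile>' })
    }
}
$accounts | Format-Table Name, SID, Disabled, ProfilePath -AutoSize
$suspectSid = ($accounts | Where-Object { $_.Name -eq $Suspect } | Select-Object -First 1).SID

# 2. Local group memberships of the suspect account, via ADSI (Windows 7 has
#    no Get-LocalGroupMember cmdlet).
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$computer.Children | Where-Object { $_.SchemaClassName -eq 'Group' } | ForEach-Object {
    $group   = $_
    $members = @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    if ($members -contains $Suspect) { "$Suspect is a member of local group '$($group.Name)'" }
}

# 3. Who created it? 4720 = user account created, 4722 = account enabled,
#    4732 = member added to a security-enabled local group. SubjectUserName
#    and SubjectLogonId identify the session that did it. These events exist
#    only if 'Audit User Account Management' / 'Audit Security Group
#    Management' success auditing is enabled.
$filter = @{ LogName = 'Security'; Id = 4720, 4722, 4732 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # 4720/4722 carry the account in TargetUserName; 4732 carries it in MemberSid.
    if ($data['TargetUserName'] -eq $Suspect -or ($suspectSid -and $data['MemberSid'] -eq $suspectSid)) {
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Target  = $data['TargetUserName']
            Subject = $data['SubjectUserName']
            LogonId = $data['SubjectLogonId']
        }
    }
} | Format-Table Time, EventId, Target, Subject, LogonId -AutoSize

# 4. Usual homes for whatever recreates the account after deletion:
#    Run/RunOnce keys and scheduled tasks. Review anything unfamiliar by hand.
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' | ForEach-Object {
    "--- $_"
    Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue |
        Select-Object -Property * -ExcludeProperty PS* | Format-List
}
schtasks /query /fo LIST /v | Select-String 'TaskName|Task To Run|Run As User'
```

Run it right after the account reappears. If a 4720 event is present, its SubjectLogonId can be matched against the 4624 logon event with the same Logon ID to tell whether the account was created from an interactive session, a service running as SYSTEM, or a network logon; if no 4720 event exists at all, turn on success auditing for User Account Management, delete the account once more, and wait for it to come back.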
