Solved: Java driveby possible infection

jazzysasquatch · 11-Jul-2012, 06:22 PM #1

I accidentally clicked on a java driveby link yesterday and didn't know that these existed, so yeah, a problem began. As soon as I realized what it was I shut off Java, uninstalled Java, and did a system restore to about a half hour earlier when my last system update was.

I thought I was safe but my computer has shut off my firewall, my audio driver stopped working for a few minutes, and I noticed that all my recent wordpad document icons have become the Yahoo.com icon.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:10:35 PM, on 7/11/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16446)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Razer\Naga\RazerNagaSysTray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\AIM\aim.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Users\Cinderwild\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Razer Naga Driver] C:\Program Files (x86)\Razer\Naga\RazerNagaSysTray.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKCU\..\Run: [WindowsDefender] C:\Users\Cinderwild\AppData\Roaming\windefender.exe
O4 - Startup: Dropbox.lnk = Cinderwild\AppData\Roaming\Dropbox\bin\Dropbox.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: *.clonewarsadventures.com
O15 - Trusted Zone: *.freerealms.com
O15 - Trusted Zone: *.soe.com
O15 - Trusted Zone: *.sony.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: BitComet Disk Boost Service (BITCOMET_HELPER_SERVICE) - www.BitComet.com - C:\Program Files\BitComet\tools\BitCometService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Hi-Rez Studios Authenticate and Update Service (HiPatchService) - Hi-Rez Studios - C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 12582 bytes

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Cinderwild at 18:14:18 on 2012-07-11
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8191.4850 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Razer\Naga\RazerNagaSysTray.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\AIM\aim.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Cinderwild\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Cinderwild\Desktop\HijackThis.exe
C:\Users\Cinderwild\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [WindowsDefender] C:\Users\Cinderwild\AppData\Roaming\windefender.exe
mRun: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Razer Naga Driver] C:\Program Files (x86)\Razer\Naga\RazerNagaSysTray.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
StartupFolder: C:\Users\CINDER~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startu p\Dropbox.lnk - C:\Users\Cinderwild\AppData\Roaming\Dropbox\bin\Dropbox.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll/206
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 74.128.17.114 74.128.19.102
TCP: Interfaces\{D1987474-5F1D-4ED3-88B1-30EE314227CA} : DhcpNameServer = 74.128.17.114 74.128.19.102
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: BitComet Helper: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll
BHO-X64: BitComet ClickCapture - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [Razer Naga Driver] C:\Program Files (x86)\Razer\Naga\RazerNagaSysTray.exe
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
IE-X64: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.5.4.11.dll/206
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Cinderwild\AppData\Roaming\Mozilla\Firefox\Profiles\vc457ufs.defau lt\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\BYOND\bin\npbyond.dll
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\id Software\QuakeLive\npquakezero.dll
FF - plugin: C:\Users\Cinderwild\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3. dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-6-29 8704]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-11-26 2253120]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-10-21 1153368]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-6-19 3048136]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\Windows\system32\DRIVERS\ManyCam_x64.sys --> C:\Windows\system32\DRIVERS\ManyCam_x64.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 RzSynapse;Razer Driver;C:\Windows\system32\DRIVERS\RzSynapse.sys --> C:\Windows\system32\DRIVERS\RzSynapse.sys [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-7 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-22 253600]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;C:\Windows\system32\Drivers\ssadadb.sys --> C:\Windows\system32\Drivers\ssadadb.sys [?]
S3 BITCOMET_HELPER_SERVICE;BitComet Disk Boost Service;C:\Program Files\BitComet\tools\BitCometService.exe -service --> C:\Program Files\BitComet\tools\BitCometService.exe -service [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-6-29 113120]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\system32\DRIVERS\ssadbus.sys --> C:\Windows\system32\DRIVERS\ssadbus.sys [?]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\system32\DRIVERS\ssadmdfl.sys --> C:\Windows\system32\DRIVERS\ssadmdfl.sys [?]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\system32\DRIVERS\ssadmdm.sys --> C:\Windows\system32\DRIVERS\ssadmdm.sys [?]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);C:\Windows\system32\DRIVERS\ssadserd.sys --> C:\Windows\system32\DRIVERS\ssadserd.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-07-11 08:01:17 232838 ----a-w- C:\Users\Cinderwild\AppData\Roaming\poclbm120327GeForce GTS 450gv1w256l4.bin
2012-07-10 09:41:59 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{9E99E73A-9BCD-4169-8EC7-12EEBDC99BE6}\offreg.dll
2012-07-10 09:41:12 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{9E99E73A-9BCD-4169-8EC7-12EEBDC99BE6}\mpengine.dll
2012-07-07 04:12:31 -------- d-----w- C:\Program Files (x86)\Microsoft Chart Controls
2012-07-05 16:26:04 -------- d-----w- C:\Users\Cinderwild\AppData\Local\{74B1A889-C315-455B-998B-084B6B9D8D71}
2012-07-05 16:25:53 -------- d-----w- C:\Users\Cinderwild\AppData\Local\{20935A00-2972-4B53-86EE-4C857D7353A8}
2012-07-05 16:25:53 -------- d-----w- C:\Users\Cinderwild\AppData\Local\{0539806E-76C5-4BD7-81C4-E12A80A80E24}
2012-07-05 05:48:18 -------- d-----w- C:\Users\Cinderwild\AppData\Roaming\BANDISOFT
2012-07-05 05:48:12 -------- d-----w- C:\Program Files (x86)\Bandicam
2012-07-05 05:48:11 -------- d-----w- C:\Program Files (x86)\BandiMPEG1
2012-07-05 03:00:06 -------- d-----w- C:\Users\Cinderwild\AppData\Roaming\fltk.org
2012-07-05 03:00:06 -------- d-----w- C:\ProgramData\fltk.org
2012-07-03 06:10:38 3130440 ----a-w- C:\Windows\SysWow64\pbsvc_blr.exe
2012-07-03 06:10:36 -------- d-----w- C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
2012-06-28 09:32:36 -------- d-----w- C:\Users\Cinderwild\AppData\Local\{09B1CD26-5D23-444B-AFC4-2C7988EFB890}
2012-06-28 09:32:12 -------- d-----w- C:\Users\Cinderwild\AppData\Local\{8E696E60-B332-41EF-844B-789B0D699F49}
2012-06-28 09:27:27 -------- d-----w- C:\Windows\en
2012-06-28 09:26:21 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-06-28 09:22:56 89944 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\99927e7c1cd550f0a\DSETUP.dll
2012-06-28 09:22:56 537432 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\99927e7c1cd550f0a\DXSETUP.exe
2012-06-28 09:22:56 1801048 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\99927e7c1cd550f0a\dsetup32.dll
2012-06-28 09:22:49 94040 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\95155acc1cd550f09\DSETUP.dll
2012-06-28 09:22:49 525656 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\95155acc1cd550f09\DXSETUP.exe
2012-06-28 09:22:49 1691480 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\95155acc1cd550f09\dsetup32.dll
2012-06-28 09:21:21 -------- d-----w- C:\Users\Cinderwild\AppData\Local\Windows Live
2012-06-28 09:21:20 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2012-06-28 07:02:59 -------- d-----w- C:\Fraps
2012-06-28 06:55:12 -------- d-----w- C:\Program Files (x86)\RichFLV
2012-06-28 05:13:44 -------- d-----w- C:\Users\Cinderwild\AppData\Local\SplitMediaLabs
2012-06-27 00:05:30 -------- d-----w- C:\Users\Cinderwild\AppData\Roaming\TS3Client
2012-06-24 07:19:25 356352 ----a-w- C:\Users\Cinderwild\AppData\Roaming\tTRCuA.exe
2012-06-24 07:19:21 356352 ----a-w- C:\Users\Cinderwild\BpSyhhSxqR.exe
2012-06-21 09:00:26 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-21 09:00:03 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-21 08:59:47 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-21 08:59:47 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-21 04:43:27 -------- d-----w- C:\Users\Cinderwild\AppData\Roaming\six-updater
2012-06-21 04:43:26 -------- d-----w- C:\Users\Cinderwild\AppData\Roaming\six-zsync
2012-06-21 04:42:35 -------- d-----w- C:\Program Files (x86)\SIX Projects
2012-06-21 04:39:21 -------- d-----w- C:\Users\Cinderwild\AppData\Local\ArmA 2 OA
2012-06-21 04:36:06 -------- d-----w- C:\Users\Cinderwild\AppData\Local\ArmA 2
2012-06-19 07:03:47 40960 ----a-r- C:\Users\Cinderwild\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2012-06-19 07:03:47 40960 ----a-r- C:\Users\Cinderwild\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2012-06-19 07:03:47 -------- d-----w- C:\Program Files (x86)\Project64 1.6
2012-06-16 14:34:48 -------- d-sh--w- C:\ProgramData\SecuROM
2012-06-14 03:34:12 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-06-14 03:34:12 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-06-14 03:34:12 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-06-14 03:34:06 209920 ----a-w- C:\Windows\System32\profsvc.dll
2012-06-14 03:34:03 3146752 ----a-w- C:\Windows\System32\win32k.sys
2012-06-14 03:34:00 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-06-14 03:33:59 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-06-14 03:33:59 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-06-14 03:33:54 1462272 ----a-w- C:\Windows\System32\crypt32.dll
2012-06-14 03:33:54 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-06-14 03:33:53 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-06-14 03:33:53 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-06-14 03:33:53 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-06-14 03:33:53 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-06-14 03:33:49 3216384 ----a-w- C:\Windows\System32\msi.dll
2012-06-14 03:33:49 2342400 ----a-w- C:\Windows\SysWow64\msi.dll
2012-06-14 03:33:48 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-06-14 03:33:48 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll
.
==================== Find3M ====================
.
2012-07-09 03:57:01 298016 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2012-07-09 03:57:01 298016 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2012-07-08 19:12:47 298016 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2012-07-03 06:21:51 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2012-06-04 04:04:37 466456 ----a-w- C:\Windows\System32\wrap_oal.dll
2012-06-04 04:04:37 444952 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2012-06-04 04:04:37 122904 ----a-w- C:\Windows\System32\OpenAL32.dll
2012-06-04 04:04:37 109080 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2012-05-30 06:17:46 71680 ----a-w- C:\Windows\System32\frapsv64.dll
2012-05-30 06:17:44 65536 ----a-w- C:\Windows\SysWow64\frapsvid.dll
2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-04-22 12:58:34 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-22 12:58:34 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
.
============= FINISH: 18:14:36.47 ===============

I am on a 64-bit system so I cannot run GMER.

jazzysasquatch · 02:36 AM

To add to my previous post, it seems like some basic functions (Like right-click > Screen Resolution) have been turned off. It shows an error message for explorer.exe.

When attempting to access Windows Firewall I am given the following error, " MMC cannot open the file C:\Windows\system32\WF.msc."

kevinf80 · 17-Jul-2012, 03:05 AM #3

Hello jazzysasquatch and welcome to TSG,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.

Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin. Go Here and follow the instructions specific for your operating system.

Please proceed as follows :-

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

Link 1
Link 2

Ensure that Combofix is saved directly to the Desktop <--- Very important
Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
Close any open browsers and any other programs you might have running
Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator)
Instructions for running Combofix available Here if required.
If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*

If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Kevin

jazzysasquatch · 17-Jul-2012, 04:27 AM #4

I failed to mention I am on a 64-bit version of Windows. That version of ComboFix won't run on my computer.

kevinf80 · 17-Jul-2012, 06:41 AM #5

Why ever not, I`ve just ran it on a 64 bit system here.... http://forums.techguy.org/virus-othe...ric_c-mmi.html worked absolutely fine????

jazzysasquatch · 03:01 PM

Alright I downloaded it from the second link and it worked.

As an aside, Microsoft Management Console seems to have been completely disabled. I can't access a lot of stuff like device manager, etc.

ComboFix 12-07-16.01 - Cinderwild 07/17/2012 12:01:46.1.3 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8191.5794 [GMT -4:00]
Running from: c:\users\Cinderwild\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\Cinderwild\AppData\Roaming\.#
c:\users\Cinderwild\AppData\Roaming\tTRCuA.exe
c:\users\Cinderwild\BpSyhhSxqR.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-17 to 2012-07-17 )))))))))))))))))))))))))))))))
.
.
2012-07-17 08:18 . 2012-07-17 08:18 -------- dc----w- c:\users\Cinderwild\AppData\Local\MigWiz
2012-07-17 07:39 . 2012-07-17 07:39 -------- d-----w- C:\temp
2012-07-17 07:08 . 2012-07-17 07:52 -------- d-----w- C:\inetpub
2012-07-17 06:17 . 2012-07-17 06:17 -------- d-----w- c:\program files (x86)\Rockstar Games
2012-07-15 00:22 . 2012-07-15 00:22 -------- d-----w- c:\users\Cinderwild\AppData\Roaming\Trine2
2012-07-11 08:01 . 2012-07-11 08:01 232838 ----a-w- c:\users\Cinderwild\AppData\Roaming\poclbm120327GeForce GTS 450gv1w256l4.bin
2012-07-10 09:41 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9E99E73A-9BCD-4169-8EC7-12EEBDC99BE6}\mpengine.dll
2012-07-07 04:12 . 2012-07-07 04:12 -------- d-----w- c:\program files (x86)\Microsoft Chart Controls
2012-07-05 05:48 . 2012-07-05 05:48 -------- d-----w- c:\users\Cinderwild\AppData\Roaming\BANDISOFT
2012-07-05 05:48 . 2012-07-05 05:48 -------- d-----w- c:\program files (x86)\Bandicam
2012-07-05 05:48 . 2012-07-05 05:48 -------- d-----w- c:\program files (x86)\BandiMPEG1
2012-07-05 03:00 . 2012-07-05 03:00 -------- d-----w- c:\users\Cinderwild\AppData\Roaming\fltk.org
2012-07-05 03:00 . 2012-07-05 03:00 -------- d-----w- c:\programdata\fltk.org
2012-07-03 06:10 . 2012-07-03 04:33 3130440 ----a-w- c:\windows\SysWow64\pbsvc_blr.exe
2012-07-03 06:10 . 2012-07-03 06:10 -------- d-----w- c:\windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
2012-06-29 15:17 . 2012-06-29 15:17 -------- d-----w- c:\users\Cinderwild\AppData\Local\Mozilla
2012-06-29 15:17 . 2012-06-29 15:17 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-06-28 09:27 . 2012-06-28 09:27 -------- d-----w- c:\windows\en
2012-06-28 09:26 . 2012-06-28 09:26 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2012-06-28 09:25 . 2012-06-28 09:26 -------- d-----w- c:\program files (x86)\Windows Live
2012-06-28 09:21 . 2012-07-05 16:26 -------- d-----w- c:\users\Cinderwild\AppData\Local\Windows Live
2012-06-28 09:21 . 2012-06-28 09:21 -------- d-----w- c:\program files (x86)\Common Files\Windows Live
2012-06-28 07:02 . 2012-06-28 07:04 -------- d-----w- C:\Fraps
2012-06-28 06:55 . 2012-06-28 06:55 -------- d-----w- c:\program files (x86)\RichFLV
2012-06-28 05:13 . 2012-06-28 05:13 -------- d-----w- c:\users\Cinderwild\AppData\Local\SplitMediaLabs
2012-06-27 00:05 . 2012-06-27 00:13 -------- d-----w- c:\users\Cinderwild\AppData\Roaming\TS3Client
2012-06-21 09:00 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 09:00 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 09:00 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 09:00 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 09:00 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 09:00 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 09:00 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 08:59 . 2012-06-02 19:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 08:59 . 2012-06-02 19:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-21 04:43 . 2012-06-21 10:17 -------- d-----w- c:\users\Cinderwild\AppData\Roaming\six-updater
2012-06-21 04:43 . 2012-06-21 04:43 -------- d-----w- c:\users\Cinderwild\AppData\Roaming\six-zsync
2012-06-21 04:42 . 2012-06-21 04:42 -------- d-----w- c:\program files (x86)\SIX Projects
2012-06-21 04:39 . 2012-06-27 04:51 -------- d-----w- c:\users\Cinderwild\AppData\Local\ArmA 2 OA
2012-06-21 04:36 . 2012-06-21 04:36 -------- d-----w- c:\users\Cinderwild\AppData\Local\ArmA 2
2012-06-19 07:03 . 2012-06-19 07:04 -------- d-----w- c:\program files (x86)\Project64 1.6
2012-06-19 07:03 . 2012-06-19 07:03 40960 ----a-r- c:\users\Cinderwild\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2012-06-19 07:03 . 2012-06-19 07:03 40960 ----a-r- c:\users\Cinderwild\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-17 16:07 . 2011-03-28 22:36 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-07-09 03:57 . 2012-01-29 17:30 298016 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2012-07-09 03:57 . 2012-01-29 17:29 298016 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-07-08 19:12 . 2012-01-29 17:29 298016 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2012-07-03 06:21 . 2012-01-29 17:29 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-06-04 04:04 . 2011-12-31 20:42 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2012-06-04 04:04 . 2011-12-31 20:42 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2012-06-04 04:04 . 2011-12-31 20:42 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2012-06-04 04:04 . 2011-12-31 20:42 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2012-06-01 11:56 . 2012-06-01 11:56 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
2012-05-30 06:17 . 2012-05-30 06:17 71680 ----a-w- c:\windows\system32\frapsv64.dll
2012-05-30 06:17 . 2012-05-30 06:17 65536 ----a-w- c:\windows\SysWow64\frapsvid.dll
2012-05-18 02:06 . 2012-06-14 07:00 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-05-18 01:59 . 2012-06-14 07:00 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-05-18 01:58 . 2012-06-14 07:00 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-18 01:55 . 2012-06-14 07:00 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-18 01:51 . 2012-06-14 07:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-17 22:45 . 2012-06-14 07:00 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-05-17 22:35 . 2012-06-14 07:00 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-05-17 22:35 . 2012-06-14 07:00 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-05-17 22:29 . 2012-06-14 07:00 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-05-17 22:24 . 2012-06-14 07:00 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-05-15 01:32 . 2012-06-14 03:34 3146752 ----a-w- c:\windows\system32\win32k.sys
2012-05-04 11:06 . 2012-06-14 03:34 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-14 03:33 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-14 03:33 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-01 05:40 . 2012-06-14 03:34 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 05:32 . 2012-06-14 03:33 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2012-04-28 03:55 . 2012-06-14 03:33 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 05:41 . 2012-06-14 03:34 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 05:41 . 2012-06-14 03:34 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 05:34 . 2012-06-14 03:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-24 05:37 . 2012-06-14 03:33 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2012-04-24 05:37 . 2012-06-14 03:33 140288 ----a-w- c:\windows\system32\cryptnet.dll
2012-04-24 05:37 . 2012-06-14 03:33 1462272 ----a-w- c:\windows\system32\crypt32.dll
2012-04-24 04:36 . 2012-06-14 03:33 1158656 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-04-24 04:36 . 2012-06-14 03:33 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2012-04-24 04:36 . 2012-06-14 03:33 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-04-22 12:58 . 2012-04-22 12:58 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-22 12:58 . 2011-10-19 23:41 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\ex plorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Cinderwild\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\ex plorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Cinderwild\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\ex plorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Cinderwild\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ru n]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2010-05-24 2439072]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Razer Naga Driver"="c:\program files (x86)\Razer\Naga\RazerNagaSysTray.exe" [2011-04-12 953232]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
.
c:\users\Cinderwild\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Cinderwild\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-07 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-22 253600]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [2011-05-13 36328]
R3 BITCOMET_HELPER_SERVICE;BitComet Disk Boost Service;c:\program files\BitComet\tools\BitCometService.exe [2010-12-28 1296728]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-14 113120]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2011-05-13 157672]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2011-05-13 16872]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2011-05-13 177640]
R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys [2011-05-13 146920]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-10-21 1255736]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files (x86)\Hi-Rez Studios\HiPatchService.exe [2012-07-12 8704]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-06-19 3048136]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam_x64.sys [2008-03-13 27136]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2011-07-07 174184]
S3 RzSynapse;Razer Driver;c:\windows\system32\DRIVERS\RzSynapse.sys [2011-03-31 126464]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-05-15 1327520]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-22 12:58]
.
2012-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-240952129-1750565755-1264736866-1000Core.job
- c:\users\Cinderwild\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-21 01:30]
.
2012-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-240952129-1750565755-1264736866-1000UA.job
- c:\users\Cinderwild\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-21 01:30]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Cinderwild\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Cinderwild\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Cinderwild\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Cinderwild\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-08-13 415752]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-08-13 4195848]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 74.128.17.114 74.128.19.102
FF - ProfilePath - c:\users\Cinderwild\AppData\Roaming\Mozilla\Firefox\Profiles\vc457ufs.defau lt\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-BattlEye for A2 - c:\program files (x86)\steam\steamapps\common\arma 2BattlEye\UnInstallBE.exe
AddRemove-BattlEye for OA - c:\program files (x86)\steam\steamapps\common\arma 2 operation arrowheadExpansion\BattlEye\UnInstallBE.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_blr.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-240952129-1750565755-1264736866-1000\Software\SecuROM\License information*]
"datasecu"=hex:fc,f3,71,83,a4,69,35,32,4e,b4,75,cc,c7,be,80,4f,25,50,92,a5, 3f,
fa,96,e3,59,e7,6f,83,65,48,96,a0,a9,80,28,43,8e,f2,e6,a1,7b,3d,f8,42,04,db, \
"rkeysecu"=hex:a1,3c,99,a6,08,78,d4,67,a3,44,d8,68,c2,c0,14,e1
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_ 2_202_228_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX .exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
.
**************************************************************************
.
Completion time: 2012-07-17 12:13:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-17 16:13
.
Pre-Run: 67,740,499,968 bytes free
Post-Run: 67,954,008,064 bytes free
.
- - End Of File - - 3C59E9B5ED58358D0711775E4EB166DE

kevinf80 · 17-Jul-2012, 03:57 PM #7

Run the following:

Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alernative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 2

Run ESET Online Scan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.

Check
Click the button.
Accept any security warnings from your browser.
Check
Leave the tick out of remove found threats
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the button.
Push

You can refer to this animation by neomage if needed.
Frequently asked questions available Here Please read them before running the scan.

Also be aware this scan can take several hours to complete depending on the size of your system.

ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

Post both logs in next reply, also give update on current issues/concerns

jazzysasquatch · 17-Jul-2012, 07:28 PM #8

ComboFix found nothing, log here for completion:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.17.13

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Cinderwild :: CINDERWILD-PC [administrator]

7/17/2012 4:32:16 PM
mbam-log-2012-07-17 (16-32-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235305
Time elapsed: 1 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESET

C:\Program Files (x86)\1ClickDownload\uninst.exe Win32/Adware.1ClickDownload application
C:\Qoobox\Quarantine\C\Users\Cinderwild\BpSyhhSxqR.exe.vir a variant of MSIL/Injector.AGL trojan
C:\Qoobox\Quarantine\C\Users\Cinderwild\AppData\Roaming\tTRCuA.exe.vir a variant of MSIL/Injector.AGL trojan
C:\Users\Cinderwild\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\28edf c14-4111f76e a variant of Win32/Injector.TTZ trojan

kevinf80 · 17-Jul-2012, 07:57 PM #9

Uninstall this program 1ClickDownload

Next,

Please download OTM by OldTimer.
Alternative Mirror 1
Alternative Mirror 2
Save it to your desktop.
Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator. Be aware all processes will stopped during run, also Desktop will disappear, this will be put back on completion....

Copy the text from the code box belowbelow to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
```
:Files
ipconfig /flushdns /c
C:\Program Files (x86)\1ClickDownload
:Commands
[Reset Hosts]
[EmptyTemp]
```
Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Post that log, let me know how your system is responding, also what issues or concerns remain....

Kevin

jazzysasquatch · 17-Jul-2012, 09:31 PM **#10**

All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Cinderwild\Desktop\cmd.bat deleted successfully.
C:\Users\Cinderwild\Desktop\cmd.txt deleted successfully.
C:\Program Files (x86)\1ClickDownload\Log folder moved successfully.
C:\Program Files (x86)\1ClickDownload folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Cinderwild
->Temp folder emptied: 89987 bytes
->Temporary Internet Files folder emptied: 146013492 bytes
->Java cache emptied: 13525035 bytes
->FireFox cache emptied: 66933185 bytes
->Google Chrome cache emptied: 660608501 bytes
->Flash cache emptied: 252687 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56475 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 557056 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 26207376 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\ Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deploy ment folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows \Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 2013 bytes

Total Files Cleaned = 872.00 mb

OTM by OldTimer - Version 3.1.21.0 log created on 07172012_212202

Files moved on Reboot...
C:\Users\Cinderwild\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...

kevinf80 · 18-Jul-2012, 03:27 AM **#11**

How is your system responding? do you have any remaining issues or concerns?

jazzysasquatch · 18-Jul-2012, 03:33 AM **#12**

Yes, my computer appears to be missing Microsoft Management Console, which has disallowed me from using a large number of system features. For example, I cannot access my firewall, device manager, or even Right-Click Computer > Properties to navigate my system specs.

I have also been attempting to install some new software (.NET Framework 3, uninstalling .NET Framework 4 in the process) in order to get a buggy video game to work, but the process will not finish and I think it may have something to do with this, although I'm unsure.

The exact error I receive from attempting to access my Firewall is:

MMC cannot open the file C:\Windows\system32\WF.msc

This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient access rights to the file.

I checked, the file is in the folder at that location.

kevinf80 · 18-Jul-2012, 04:00 AM **#13**

Run the following see if it makes any difference:

Close all windows, Select > start icon > all programs > accessories > Right click on "command prompt" > select > Run as administrator > ok any alerts > at the command prompt type or copy and paste sfc /scannow > then enter. Type exit when its finished and re-boot your PC.

The log will be here > C:\Windows\Logs\CBS\Cbs.log

jazzysasquatch · 18-Jul-2012, 04:21 PM **#14**

2012-07-18 08:09:36, Info CBS Starting TrustedInstaller initialization.
2012-07-18 08:09:36, Info CBS Loaded Servicing Stack v6.1.7601.17592 with Core: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17592_none_672ce6c3de2cb17f\cbscor e.dll
2012-07-18 08:09:37, Info CSI 00000001@2012/7/18:12:09:37.715 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7fef0d5f0ad @0x7fef1019849 @0x7fef0fe34e3 @0xff22e97c @0xff22d799 @0xff22db2f)
2012-07-18 08:09:37, Info CSI 00000002@2012/7/18:12:09:37.721 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7fef0d5f0ad @0x7fef1066816 @0x7fef1032aac @0x7fef0fe35b9 @0xff22e97c @0xff22d799)
2012-07-18 08:09:37, Info CSI 00000003@2012/7/18:12:09:37.722 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7fef0d5f0ad @0x7fef4258738 @0x7fef4258866 @0xff22e474 @0xff22d7de @0xff22db2f)
2012-07-18 08:09:37, Info CBS Ending TrustedInstaller initialization.
2012-07-18 08:09:37, Info CBS Starting the TrustedInstaller main loop.
2012-07-18 08:09:37, Info CBS TrustedInstaller service starts successfully.
2012-07-18 08:09:37, Info CBS SQM: Initializing online with Windows opt-in: True
2012-07-18 08:09:37, Info CBS SQM: Cleaning up report files older than 10 days.
2012-07-18 08:09:37, Info CBS SQM: Requesting upload of all unsent reports.
2012-07-18 08:09:37, Info CBS SQM: Queued 0 file(s) for upload with pattern: C:\Windows\servicing\sqm\*_std.sqm, flags: 0x2
2012-07-18 08:09:37, Info CBS SQM: Queued 0 file(s) for upload with pattern: C:\Windows\servicing\sqm\*_all.sqm, flags: 0x6
2012-07-18 08:09:37, Info CBS No startup processing required, TrustedInstaller service was not set as autostart, or else a reboot is still pending.
2012-07-18 08:09:37, Info CBS NonStart: Checking to ensure startup processing was not required.
2012-07-18 08:09:37, Info CSI 00000004 IAdvancedInstallerAwareStore_ResolvePendingTransactions (call 1) (flags = 00000004, progress = NULL, phase = 0, pdwDisposition = @0x122fcc0
2012-07-18 08:09:37, Info CSI 00000005 Creating NT transaction (seq 1), objectname [6]"(null)"
2012-07-18 08:09:37, Info CSI 00000006 Created NT transaction (seq 1) result 0x00000000, handle @0x200
2012-07-18 08:09:37, Info CSI 00000007@2012/7/18:12:09:37.835 CSI perf trace:
CSIPERF:TXCOMMIT;91439
2012-07-18 08:09:37, Info CBS NonStart: Success, startup processing not required as expected.
2012-07-18 08:09:37, Info CBS Startup processing thread terminated normally
2012-07-18 08:09:37, Info CBS Loading offline registry hive: SOFTWARE, into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/SOFTWARE' from path '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SO FTWARE'.
2012-07-18 08:09:37, Info CBS Loading offline registry hive: SYSTEM, into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/SYSTEM' from path '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SY STEM'.
2012-07-18 08:09:37, Info CBS Loading offline registry hive: SECURITY, into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/SECURITY' from path '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SE CURITY'.
2012-07-18 08:09:37, Info CBS Loading offline registry hive: SAM, into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/SAM' from path '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SA M'.
2012-07-18 08:09:37, Info CBS Loading offline registry hive: COMPONENTS, into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/COMPONENTS' from path '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\CO MPONENTS'.
2012-07-18 08:09:37, Info CBS Loading offline registry hive: DEFAULT, into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/DEFAULT' from path '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\DE FAULT'.
2012-07-18 08:09:37, Info CBS Loading offline registry hive: ntuser.dat, into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Users/default/ntuser.dat' from path '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\default\ntuser.dat'.
2012-07-18 08:09:38, Info CBS Loading offline registry hive: schema.dat, into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/system32/smi/store/Machine/schema.dat' from path '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\system32\smi\store \Machine\schema.dat'.
2012-07-18 08:09:38, Info CBS Offline image is: read-only
2012-07-18 08:09:38, Info CBS Disabling manifest caching, because the image is not writeable.
2012-07-18 08:09:38, Info CSI 00000008 CSI Store 4453472 (0x000000000043f460) initialized
2012-07-18 08:09:38, Info CBS Session: 3376_3058290 initialized by client SPP.
2012-07-18 08:09:42, Info CBS Archived backup log: C:\Windows\Logs\CBS\CbsPersist_20120718120936.cab.
2012-07-18 08:10:06, Info CBS Unloading offline registry hive: {bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/SOFTWARE
2012-07-18 08:10:06, Info CBS Unloading offline registry hive: {bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/SYSTEM
2012-07-18 08:10:06, Info CBS Unloading offline registry hive: {bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/SECURITY
2012-07-18 08:10:06, Info CBS Unloading offline registry hive: {bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/SAM
2012-07-18 08:10:06, Info CBS Unloading offline registry hive: {bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/COMPONENTS
2012-07-18 08:10:07, Info CBS Unloading offline registry hive: {bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/DEFAULT
2012-07-18 08:10:07, Info CBS Unloading offline registry hive: {bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Users/default/ntuser.dat
2012-07-18 08:10:07, Info CBS Unloading offline registry hive: {bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/system32/smi/store/Machine/schema.dat
2012-07-18 08:20:07, Info CBS Reboot mark refs incremented to: 1
2012-07-18 08:20:07, Info CBS Scavenge: Starts
2012-07-18 08:20:07, Info CSI 00000009 CSI Store 4315904 (0x000000000041db00) initialized
2012-07-18 08:20:07, Info CSI 0000000a@2012/7/18:12:20:07.463 CSI Transaction @0x41fc20 initialized for deployment engine {d16d444c-56d8-11d5-882d-0080c847b195} with flags 00000002 and client id [10]"TI6.0_0:0/"

2012-07-18 08:20:07, Info CBS Scavenge: Begin CSI Store
2012-07-18 08:20:07, Info CSI 0000000b Performing 1 operations; 1 are not lock/unlock and follow:
Scavenge (8): flags: 00000017
2012-07-18 08:20:07, Info CSI 0000000c Store coherency cookie matches last scavenge cookie, skipping scavenge.
2012-07-18 08:20:07, Info CSI 0000000d ICSITransaction::Commit calling IStorePendingTransaction::Apply - coldpatching=FALSE applyflags=7
2012-07-18 08:20:07, Info CSI 0000000e Creating NT transaction (seq 2), objectname [6]"(null)"
2012-07-18 08:20:07, Info CSI 0000000f Created NT transaction (seq 2) result 0x00000000, handle @0x240
2012-07-18 08:20:08, Info CSI 00000010@2012/7/18:12:20:08.095 CSI perf trace:
CSIPERF:TXCOMMIT;409340
2012-07-18 08:20:08, Info CBS Scavenge: Completed, disposition: 0X1
2012-07-18 08:20:08, Info CSI 00000011@2012/7/18:12:20:08.096 CSI Transaction @0x41fc20 destroyed
2012-07-18 08:20:08, Info CBS Reboot mark refs: 0
2012-07-18 08:20:08, Info CBS Idle processing thread terminated normally
2012-07-18 08:20:08, Info CBS Ending the TrustedInstaller main loop.
2012-07-18 08:20:08, Info CBS Starting TrustedInstaller finalization.
2012-07-18 08:20:08, Info CBS Ending TrustedInstaller finalization.

kevinf80 · 18-Jul-2012, 05:43 PM **#15**

Any improvement?

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Solved: Java driveby possible infection

Find the solution to your computer problem!

Find the solution to your
computer problem!