Advertisement
Advertisement
 Search | |
| |
18-Jul-2012, 09:16 AM
#1 | ||||||
 System32\service.exe infected | Help please!! I've seen this around the forums as a common problem but I wanted to do this one on one so I don't mess up my computer more than I already have. > .< Especially since I should "NOT RUN ComboFix unless requested to." As titles states my system32\service.exe file is infected. [image here] The problem started sometime around yesterday. I also do not know how to, er, generate a log. I also have another problem. I'm not sure what to call it but a problem with "doubleclick(.net/.com)" Hopefully I can solve this problem along with my first. My first being the most important. Many thanks, Trums  |
18-Jul-2012, 02:30 PM
#2 | |||||||
| Hi and welcome,
Please download aswMBR to your desktop.
 Click the image to enlarge it ----------
__________________ -Jeff- Proud graduate of WTT Classroom. -- Member of ASAP and UNITE. -- If I am working with you and not responded in 2 days, please PM me. |
18-Jul-2012, 11:36 PM
#3 | ||||||
| Thank you very much for your reply and I apologize for my late one. Here are the logs you requested. ~Trums Quote:
Quote:
Quote:
|
19-Jul-2012, 08:29 AM
#4 | |||||||
| Hi, No need to put your logs that are created in code/quote boxes.  ---------- **WARNING**Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identify theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again. Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection. If you would like to format and reinstall your Operating System please let me know and we can assist you with that. If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. ---------- Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator. ---------- If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run. To disable Malwarebytes
 Once complete continue with the instructions... ---------- Run OTL.exe
Download Combofix from the link below, and save it to your desktop. Link **Note: It is important that it is saved directly to your desktop** If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer. -------------------------------------------------------------------- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here -------------------------------------------------------------------- Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
In your next reply please post the logs made by OTL and ComboFix.
__________________ -Jeff- Proud graduate of WTT Classroom. -- Member of ASAP and UNITE. -- If I am working with you and not responded in 2 days, please PM me. |
19-Jul-2012, 09:22 AM
#5 | ||||||
| I'll remember that next time Here are OTL and ComboFix.OTL: All processes killed ========== SERVICES/DRIVERS ========== ========== FILES ========== C:\Windows\Installer\{c1d4325d-1fb2-7345-30c4-1b90493abfb3}\U folder moved successfully. C:\Windows\Installer\{c1d4325d-1fb2-7345-30c4-1b90493abfb3}\L folder moved successfully. C:\Windows\Installer\{c1d4325d-1fb2-7345-30c4-1b90493abfb3} folder moved successfully. ========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Chateau ->Temp folder emptied: 131447 bytes ->Temporary Internet Files folder emptied: 33170 bytes ->FireFox cache emptied: 7197055 bytes ->Flash cache emptied: 56478 bytes User: Default ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes ->Flash cache emptied: 56478 bytes User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 0 bytes ->Flash cache emptied: 0 bytes User: Guest ->Temp folder emptied: 50254 bytes ->Temporary Internet Files folder emptied: 742894 bytes ->Flash cache emptied: 41620 bytes User: Ming-Ti ->Temp folder emptied: 80155747 bytes ->Temporary Internet Files folder emptied: 69020134 bytes ->Java cache emptied: 6929606 bytes ->FireFox cache emptied: 9212968 bytes ->Google Chrome cache emptied: 383466136 bytes ->Flash cache emptied: 126531 bytes User: Public User: Steven %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 0 bytes %systemroot%\System32 .tmp files removed: 0 bytes %systemroot%\System32 (64bit) .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 4643302 bytes %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows \Temporary Internet Files folder emptied: 36028370 bytes RecycleBin emptied: 0 bytes Total Files Cleaned = 570.00 mb OTL by OldTimer - Version 3.2.54.0 log created on 07192012_053916 Files\Folders moved on Reboot... C:\Users\Ming-Ti\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully. File\Folder C:\Windows\temp\fla144.tmp not found! C:\Windows\temp\master33691 moved successfully. PendingFileRenameOperations files... File C:\Users\Ming-Ti\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found! File C:\Windows\temp\fla144.tmp not found! File C:\Windows\temp\master33691 not found! Registry entries deleted on Reboot... ---------- ComboFix: ComboFix 12-07-19.01 - Ming-Ti 07/19/2012 5:54.1.8 - x64 Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4087.2614 [GMT -7:00] Running from: c:\users\Ming-Ti\Desktop\ComboFix.exe AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0} SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . C:\install.exe c:\program files (x86)\Brand Affinity Technologies c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\ChromeInstaller.dll c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\ChromeInstaller.InstallState c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\fantapper_w3i20110531.crx c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\fantapper_w3i20110531.xpi c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\FantapperUpdateService.exe c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\FantapperUpdateService.InstallState c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\FirefoxInstaller.dll c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\FirefoxInstaller.InstallState c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\FT_Enabled.ico c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\FT_Plugin_Installer.jpg c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\IEInstaller.dll c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\OpenIE.dll c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\OpenIE.InstallState c:\program files (x86)\Brand Affinity Technologies\Fantapper Player\update.msi c:\program files (x86)\DealBulldog Toolbar c:\program files (x86)\DealBulldog Toolbar\affid.dat c:\program files (x86)\DealBulldog Toolbar\alert_plugin.dll c:\program files (x86)\DealBulldog Toolbar\basis.xml c:\program files (x86)\DealBulldog Toolbar\icons.bmp c:\program files (x86)\DealBulldog Toolbar\info.txt c:\program files (x86)\DealBulldog Toolbar\install.ico c:\program files (x86)\DealBulldog Toolbar\MacroParserPlugin.dll c:\program files (x86)\DealBulldog Toolbar\mbback.bmp c:\program files (x86)\DealBulldog Toolbar\mbbigopen.bmp c:\program files (x86)\DealBulldog Toolbar\mbclose.bmp c:\program files (x86)\DealBulldog Toolbar\mbfwd.bmp c:\program files (x86)\DealBulldog Toolbar\mbsep.bmp c:\program files (x86)\DealBulldog Toolbar\nav1c.bmp c:\program files (x86)\DealBulldog Toolbar\somoto.dll c:\program files (x86)\DealBulldog Toolbar\TbCommonUtils.dll c:\program files (x86)\DealBulldog Toolbar\tbcore3.dll c:\program files (x86)\DealBulldog Toolbar\tbcore3.inf c:\program files (x86)\DealBulldog Toolbar\tbhelper.dll c:\program files (x86)\DealBulldog Toolbar\TbHelper2.exe c:\program files (x86)\DealBulldog Toolbar\uninstall.exe c:\program files (x86)\DealBulldog Toolbar\UninstallToolbar.exe c:\program files (x86)\DealBulldog Toolbar\update.exe c:\program files (x86)\DealBulldog Toolbar\version.txt c:\program files (x86)\Shop to Win c:\program files (x86)\Shop to Win\InstallNotifier.exe c:\program files (x86)\Shop to Win\ShopToWin.exe c:\program files (x86)\Shop to Win\TestFeeds\DisableStatus.xml c:\program files (x86)\Shop to Win\TestFeeds\DisableStatusDirection.xml c:\program files (x86)\Shop to Win\TestFeeds\GenericPopup.xml c:\program files (x86)\Shop to Win\TestFeeds\MainStatus.xml c:\program files (x86)\Shop to Win\TestFeeds\ShoppingConfirmation.xml c:\program files (x86)\Shop to Win\unins000.dat c:\program files (x86)\Shop to Win\unins000.exe c:\program files (x86)\StartNow Toolbar c:\program files (x86)\StartNow Toolbar\ReactivateFF.exe c:\program files (x86)\StartNow Toolbar\ReactivateIE.exe c:\program files (x86)\StartNow Toolbar\Resources\images\engine_images.png c:\program files (x86)\StartNow Toolbar\Resources\images\engine_maps.png c:\program files (x86)\StartNow Toolbar\Resources\images\engine_news.png c:\program files (x86)\StartNow Toolbar\Resources\images\engine_videos.png c:\program files (x86)\StartNow Toolbar\Resources\images\engine_web.png c:\program files (x86)\StartNow Toolbar\Resources\images\icon_amazon.png c:\program files (x86)\StartNow Toolbar\Resources\images\icon_ebay.png c:\program files (x86)\StartNow Toolbar\Resources\images\icon_facebook.png c:\program files (x86)\StartNow Toolbar\Resources\images\icon_games.png c:\program files (x86)\StartNow Toolbar\Resources\images\icon_msn.png c:\program files (x86)\StartNow Toolbar\Resources\images\icon_shopping.png c:\program files (x86)\StartNow Toolbar\Resources\images\icon_travel.png c:\program files (x86)\StartNow Toolbar\Resources\images\icon_twitter.png c:\program files (x86)\StartNow Toolbar\Resources\images\startnow_logo.png c:\program files (x86)\StartNow Toolbar\Resources\installer.xml c:\program files (x86)\StartNow Toolbar\Resources\skin\chevron_button.png c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_hover.png c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_button_normal.png c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_background.png c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_left.png c:\program files (x86)\StartNow Toolbar\Resources\skin\searchbox_input_middle.png c:\program files (x86)\StartNow Toolbar\Resources\skin\separator.png c:\program files (x86)\StartNow Toolbar\Resources\skin\splitter.png c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png c:\program files (x86)\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png c:\program files (x86)\StartNow Toolbar\Resources\toolbar.xml c:\program files (x86)\StartNow Toolbar\Resources\update.xml c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe c:\program files (x86)\StartNow Toolbar\Toolbar32.dll c:\program files (x86)\StartNow Toolbar\ToolbarBroker.exe c:\program files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe c:\program files (x86)\StartNow Toolbar\uninstall.dat c:\program files (x86)\VooMuu c:\program files (x86)\VooMuu\bin\1.0.36.0\copyright.txt c:\program files (x86)\VooMuu\bin\1.0.36.0\VooMuuSA.exe c:\program files (x86)\VooMuu\bin\1.0.36.0\VooMuuSAHook.dll c:\program files (x86)\VooMuu\bin\1.0.36.0\VooMuuUninstaller.exe c:\programdata\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 c:\programdata\VooMuuSA c:\programdata\VooMuuSA\VooMuuSA.dat c:\programdata\VooMuuSA\VooMuuSA_kyf.dat c:\programdata\VooMuuSA\VooMuuSAau.dat c:\users\Ming-Ti\98da2a1f9690730917d54170cefd2439.jpg c:\users\Ming-Ti\AppData\Local\assembly\tmp c:\users\Ming-Ti\Documents\ShopToWin . Infected copy of c:\windows\system32\Services.exe was found and disinfected Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\ser vices.exe . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Service_MyWebSearchService -------\Service_FTSvc -------\Service_Updater Service for StartNow Toolbar -------\Service_FTSvc -------\Service_Updater Service for StartNow Toolbar . . ((((((((((((((((((((((((( Files Created from 2012-06-19 to 2012-07-19 ))))))))))))))))))))))))))))))) . . 2012-07-19 13:06 . 2012-07-19 13:06 -------- d-----w- c:\users\Guest\AppData\Local\temp 2012-07-19 13:06 . 2012-07-19 13:06 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-07-19 12:39 . 2012-07-19 12:39 -------- d-----w- C:\_OTL 2012-07-19 12:36 . 2012-07-19 12:36 -------- d-----w- c:\program files (x86)\ERUNT 2012-07-18 12:00 . 2012-07-18 12:00 -------- d-----w- c:\users\Guest\AppData\Roaming\AVG2012 2012-07-18 06:16 . 2012-07-18 06:16 -------- d-----w- c:\programdata\Malwarebytes 2012-07-18 06:16 . 2012-07-18 10:43 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware 2012-07-18 03:56 . 2012-07-18 12:01 -------- d-----w- c:\programdata\AVG2012 2012-07-17 15:35 . 2012-07-18 10:49 -------- d-sh--w- c:\windows\SysWow64\%APPDATA% 2012-07-17 15:22 . 2012-07-18 10:49 -------- d-----w- c:\program files (x86)\Anna 2012-07-17 13:03 . 2012-07-17 13:03 -------- d-----w- c:\program files (x86)\Common Files\DAZ 2012-07-17 12:58 . 2012-07-18 10:46 -------- d-----w- c:\programdata\DAZ 3D 2012-07-17 12:46 . 2012-07-18 10:46 -------- d-----w- c:\program files\DAZ 3D 2012-07-16 06:01 . 2012-07-18 10:49 -------- d-----w- c:\programdata\McAfee Security Scan 2012-07-16 06:00 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\McAfee Security Scan 2012-07-16 06:00 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Common Files\Java 2012-07-16 05:59 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Oracle 2012-07-16 05:59 . 2012-07-06 05:06 772544 ----a-w- c:\windows\SysWow64\npDeployJava1.dll 2012-07-16 05:56 . 2012-07-16 05:56 -------- d-----w- c:\programdata\McAfee 2012-07-16 01:40 . 2012-07-18 14:50 -------- d-----w- c:\program files (x86)\4game 2012-07-14 01:48 . 2012-07-18 10:45 -------- d-----w- c:\program files (x86)\Audition Online 2012-07-13 12:04 . 2012-07-14 01:03 -------- d-----w- c:\program files (x86)\1ClickDownload 2012-07-12 06:41 . 2012-07-18 14:47 -------- d-----w- c:\program files (x86)\medit 2012-07-09 20:23 . 2012-07-18 10:49 -------- d-----w- c:\users\Chateau 2012-07-07 02:58 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\NCsoft 2012-07-04 18:22 . 2012-07-18 10:46 -------- d-----w- c:\users\Steven 2012-07-04 03:36 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\beanfun! 2012-07-03 19:25 . 2012-07-19 13:05 -------- d-----w- c:\users\Ming-Ti 2012-07-03 18:52 . 2012-07-18 10:46 -------- d-----w- c:\windows\system32\%LocalAppData% 2012-07-03 18:30 . 2012-02-23 21:24 24408 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe 2012-07-03 17:47 . 2012-07-18 10:46 -------- d-----w- c:\program files\SmartPCFixer 2012-07-03 17:22 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Uniblue 2012-07-03 17:22 . 2012-07-03 17:22 -------- dc-h--w- c:\programdata\{6AD8E59C-250C-4201-B5BA-56ADEF76FF46} 2012-07-03 16:52 . 2012-07-18 10:46 -------- d-sh--w- c:\windows\system32\%APPDATA% 2012-07-02 18:52 . 2012-07-18 10:46 -------- d-----w- c:\programdata\AVG Secure Search 2012-07-02 18:52 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search 2012-07-02 18:51 . 2012-07-18 10:49 -------- d-----w- c:\program files (x86)\AVG Secure Search 2012-07-02 17:38 . 2012-07-02 19:11 -------- d-----w- C:\e012b0bfc282bb9dec1ac0c1cd7087bb 2012-07-02 17:37 . 2012-05-21 07:20 333216 ----a-w- c:\windows\SysWow64\MMInstaller.dll 2012-07-02 17:35 . 2012-07-18 10:46 -------- d-----w- c:\program files\Tencent 2012-07-02 17:34 . 2012-07-02 17:37 -------- d-----w- c:\programdata\Tencent 2012-07-02 17:34 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Common Files\Tencent 2012-07-02 17:34 . 2012-07-18 14:52 -------- d-----w- c:\program files (x86)\Tencent 2012-07-02 17:33 . 2012-07-02 18:53 18760 ----a-w- c:\windows\SysWow64\QQVistaHelper.dll 2012-06-25 15:09 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-25 15:09 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-25 15:09 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll 2012-06-25 15:09 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll 2012-06-25 15:08 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll 2012-06-25 15:08 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll 2012-06-25 15:08 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll 2012-06-25 15:08 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-25 15:08 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-07-12 16:09 . 2012-04-14 19:43 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-07-12 16:09 . 2011-12-02 03:01 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-07-06 05:06 . 2011-12-03 06:47 687544 ----a-w- c:\windows\SysWow64\deployJava1.dll 2012-07-01 18:26 . 2011-05-24 03:56 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microso ft.MediaCenter.Sports.UI.dll 2012-07-01 18:26 . 2011-11-30 03:56 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll 2012-07-01 18:26 . 2011-05-24 03:56 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll 2012-07-01 18:26 . 2011-05-24 03:56 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\Spotlight Resources.dll 2012-06-25 22:35 . 2010-03-18 16:15 770384 ----a-w- c:\windows\SysWow64\MSVCR100.dll 2012-06-25 22:35 . 2010-03-18 16:15 421200 ----a-w- c:\windows\SysWow64\MSVCP100.dll 2012-06-18 10:32 . 2012-06-18 10:32 1409 ----a-w- c:\windows\Fonts\fsex2p00_public.fot 2012-06-16 06:36 . 2011-11-30 03:57 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll 2012-06-16 06:36 . 2011-05-24 03:56 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup .dll 2012-06-16 06:35 . 2011-11-30 03:56 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll 2012-06-16 06:35 . 2011-11-30 03:56 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll 2012-05-18 02:47 . 2012-06-15 13:42 17807360 ----a-w- c:\windows\system32\mshtml.dll 2012-05-18 02:16 . 2012-06-15 13:42 10924032 ----a-w- c:\windows\system32\ieframe.dll 2012-05-18 02:06 . 2012-06-15 13:42 2311680 ----a-w- c:\windows\system32\jscript9.dll 2012-05-18 01:59 . 2012-06-15 13:42 1346048 ----a-w- c:\windows\system32\urlmon.dll 2012-05-18 01:59 . 2012-06-15 13:42 1392128 ----a-w- c:\windows\system32\wininet.dll 2012-05-18 01:58 . 2012-06-15 13:42 1494528 ----a-w- c:\windows\system32\inetcpl.cpl 2012-05-18 01:58 . 2012-06-15 13:42 237056 ----a-w- c:\windows\system32\url.dll 2012-05-18 01:56 . 2012-06-15 13:42 85504 ----a-w- c:\windows\system32\jsproxy.dll 2012-05-18 01:55 . 2012-06-15 13:42 173056 ----a-w- c:\windows\system32\ieUnatt.exe 2012-05-18 01:55 . 2012-06-15 13:42 818688 ----a-w- c:\windows\system32\jscript.dll 2012-05-18 01:54 . 2012-06-15 13:42 2144768 ----a-w- c:\windows\system32\iertutil.dll 2012-05-18 01:51 . 2012-06-15 13:42 96768 ----a-w- c:\windows\system32\mshtmled.dll 2012-05-18 01:51 . 2012-06-15 13:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb 2012-05-18 01:47 . 2012-06-15 13:42 248320 ----a-w- c:\windows\system32\ieui.dll 2012-05-17 22:45 . 2012-06-15 13:42 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll 2012-05-17 22:35 . 2012-06-15 13:42 1129472 ----a-w- c:\windows\SysWow64\wininet.dll 2012-05-17 22:35 . 2012-06-15 13:42 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl 2012-05-17 22:29 . 2012-06-15 13:42 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe 2012-05-17 22:24 . 2012-06-15 13:42 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb 2012-05-15 01:32 . 2012-06-15 09:38 3144192 ----a-w- c:\windows\system32\win32k.sys 2012-05-13 22:28 . 2011-12-28 22:56 121416 ----a-w- c:\windows\system32\drivers\MijXfilt.sys 2012-05-04 10:52 . 2012-06-15 09:38 5505392 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-05-04 10:08 . 2012-06-15 09:38 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe 2012-05-04 10:08 . 2012-06-15 09:38 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe 2012-05-03 02:54 . 2012-05-03 02:54 42392 ----a-w- c:\windows\SysWow64\xfcodec.dll 2012-05-03 02:54 . 2012-05-03 02:54 28056 ----a-w- c:\windows\system32\xfcodec64.dll 2012-05-02 05:32 . 2012-06-15 09:38 208896 ----a-w- c:\windows\system32\profsvc.dll 2012-04-28 03:50 . 2012-06-15 09:38 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-04-28 00:28 . 2012-04-28 01:12 258352 ----a-w- c:\windows\SysWow64\unicows.dll 2012-04-26 05:34 . 2012-06-15 09:38 76288 ----a-w- c:\windows\system32\rdpwsx.dll 2012-04-26 05:34 . 2012-06-15 09:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll 2012-04-26 05:28 . 2012-06-15 09:38 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe 2012-04-24 05:59 . 2012-06-15 09:37 1460224 ----a-w- c:\windows\system32\crypt32.dll 2012-04-24 05:59 . 2012-06-15 09:37 182272 ----a-w- c:\windows\system32\cryptsvc.dll 2012-04-24 05:59 . 2012-06-15 09:37 140288 ----a-w- c:\windows\system32\cryptnet.dll 2012-04-24 04:47 . 2012-06-15 09:37 139264 ----a-w- c:\windows\SysWow64\cryptsvc.dll 2012-04-24 04:47 . 2012-06-15 09:37 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll 2012-04-24 04:47 . 2012-06-15 09:37 1156608 ----a-w- c:\windows\SysWow64\crypt32.dll . . ------- Sigcheck ------- Note: Unsigned files aren't necessarily malware. . [7] 2010-11-20 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\SoftwareDistribution\Download\488053cdbca3231eeb2c2af7236d09ed\a md64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll [7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll [-] 2012-01-28 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll . [-] 2012-01-28 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll [7] 2010-11-20 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\SoftwareDistribution\Download\488053cdbca3231eeb2c2af7236d09ed\w ow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll [7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~2\Yahoo!\Companion\Installs\cpn0\yt.dll" [2011-10-06 2015544] . [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}] [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1] [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}] [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin] . [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}] 2009-11-25 19:47 297808 ----a-w- c:\windows\System32\mscoree.dll . [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{46F9BE77-3DD9-0ECB-98F9-1793D13B9886}] 2012-06-27 23:25 1404320 ----a-w- c:\program files\Tencent\SSPlus\SAddr.dll . [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{90b49673-5506-483e-b92b-ca0265bd9ca8}] 2011-05-09 08:49 176936 ----a-w- c:\program files (x86)\IMVU_Inc\prxtbIMVU.dll . [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}] 2012-07-02 18:52 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar] "{90b49673-5506-483e-b92b-ca0265bd9ca8}"= "c:\program files (x86)\IMVU_Inc\prxtbIMVU.dll" [2011-05-09 176936] "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-02 2074208] . [HKEY_CLASSES_ROOT\clsid\{90b49673-5506-483e-b92b-ca0265bd9ca8}] . [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}] [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1] [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj] . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-06-16 2736128] "Advanced SystemCare 5"="c:\program files (x86)\IObit\Advanced SystemCare 5\ASCTray.exe" [2012-03-07 574296] "QQIntl"="c:\program files (x86)\Tencent\QQIntl\Bin\QQ.exe" [2012-07-02 128416] "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-06-05 17344176] "Steam"="c:\program files (x86)\Steam\steam.exe" [2011-12-03 1242448] "uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-07-13 895376] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ru n] "QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-24 323640] "AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432] "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096] "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008] "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040] "BambooCore"="c:\program files (x86)\Bamboo Dock\BambooCore.exe" [2011-09-27 646232] "vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-02 1107552] "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296] . c:\users\Ming-Ti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912] MSPANotify - Shortcut.lnk - c:\users\Ming-Ti\Downloads\MSPANotify-0.4.1\MSPANotify.exe [2012-7-16 410112] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-2 255536] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf010 00.sys] @="Driver" . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-05 160944] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 250056] R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [x] R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x] R3 iscFlash;iscFlash;c:\users\Steven\AppData\Local\Temp\7zSB6F0.tmp\iscflashx6 4.sys [x] R3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv_x64.sys [2012-01-11 34304] R3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv_x64.sys [2012-02-22 28160] R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232] R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [2012-05-13 121416] R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x] R3 qkm;qkm;c:\koramgame\GDOnline\mqkwy64.sys [2012-02-04 48048] R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x] R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-10-24 291328] R3 sj;sj;c:\aeriagames\EdenEternal\sjcs64.sys [2011-12-09 47224] R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096] R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-03 51712] R3 usj;usj;c:\aeriagames\EdenEternal\avital\ussjcs64.sys [2012-07-06 89560] R3 vtany;vtany;c:\windows\vtany.sys [x] R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2011-09-09 13312] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-21 1255736] R3 X6va005;X6va005;c:\users\Steven\AppData\Local\Temp\0057DA7.tmp [x] R3 X6va006;X6va006;c:\users\Steven\AppData\Local\Temp\006F845.tmp [x] R3 X6va008;X6va008;c:\users\Ming-Ti\AppData\Local\Temp\008F846.tmp [x] R3 xsherlock;xsherlock;c:\windows\system32\xsherlock.xem [x] R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184] S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480] S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944] S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-03-04 55856] S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-02-22 289872] S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696] S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-03-19 383808] S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904] S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files (x86)\IObit\Advanced SystemCare 5\ASCService.exe [2012-03-15 913752] S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_ne utral_70dacb64382a61a7\AESTSr64.exe [2009-03-03 89600] S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-07-05 5160568] S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288] S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-14 30520] S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2011-09-09 6583160] S2 TBUpdate;Tencent Toolbar Update Service;c:\program files\Tencent\barupdate\TBUpdate.exe [2012-07-03 197536] S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-02-23 2886528] S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2011-09-09 528760] S2 UpdaterService;WhiteSmoke Updater Service;c:\programdata\UpdaterService\wsupdsvc.exe [2012-04-29 549744] S2 vToolbarUpdater11.2.0;vToolbarUpdater11.2.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [2012-07-02 935008] S2 WajamUpdater;WajamUpdater;c:\program files\Wajam\Updater\WajamUpdater.exe [2012-03-09 109064] S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496] S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776] S3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [2010-07-14 32880] S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408] S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2009-06-29 70656] S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-07-20 140712] S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2009-08-22 84512] S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920] . . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2010-06-16 20:38 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe . Contents of the 'Scheduled Tasks' folder . 2012-07-19 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 16:09] . 2012-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4068807989-813300523-3891819274-1004Core.job - c:\users\Ming-Ti\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-03 19:51] . 2012-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4068807989-813300523-3891819274-1004UA.job - c:\users\Ming-Ti\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-03 19:51] . 2012-07-16 c:\windows\Tasks\Norton Security Scan for Steven.job - c:\progra~2\NORTON~2\Engine\361~1.11\Nss.exe [2011-12-23 09:45] . 2012-07-19 c:\windows\Tasks\RegistryBooster.job - c:\program files (x86)\Uniblue\RegistryBooster\rbmonitor.exe [2012-07-03 18:56] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}] 2009-11-25 19:47 444752 ----a-w- c:\windows\System32\mscoree.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-03-24 487424] "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-29 16395880] "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208] "combofix"="c:\combofix\CF14418.3XE" [2009-07-14 344576] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "LoadAppInit_DLLs"=0x0 . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3007394 mStart Page = hxxp://search.my-tools-app.com/?babsrc=home&s=web&as=0&isid=9852 mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = <local> IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000 IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Steven\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk Trusted Zone: qq.com\cache.tv Trusted Zone: qq.com\qqlivecaption Trusted Zone: qq.com\qqlivehabit Trusted Zone: qq.com\qqlivesearch Trusted Zone: qq.com\video_1 TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11 TCP: Interfaces\{CB0B424B-A1EC-4E14-9608-4D23B7C425F2}: NameServer = 4.2.2.1 TCP: Interfaces\{CB0B424B-A1EC-4E14-9608-4D23B7C425F2}\46C696E6B6: NameServer = 4.2.2.1 Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll DPF: {12193C65-F0E1-4DD1-AD4E-DB73C6911011} - file:///D:/activeX/DCP.cab DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://sslpx-ccas01.edmc.edu/auth/taweb.cab DPF: {7191F0AC-D686-46A8-BFCC-EA61778C74DD} - file:///D:/activeX/aplugLiteDL.cab FF - ProfilePath - c:\users\Ming-Ti\AppData\Roaming\Mozilla\Firefox\Profiles\4fiohuq8.default\ FF - prefs.js: browser.search.selectedEngine - AVG Secure Search FF - prefs.js: browser.startup.homepage - hxxp://isearch.avg.com/?cid={D1E1E66B-09C0-42E2-9FAC-CAB67704104F}&mid=4d27b50357d247d68b6f1a671b6c1e32-ec7a1d4c2e9b3a9a0ad0219ec7c4e08c4f2893c9&lang=en&ds=yu012&pr=sa&d=2012-07-02 11:52&v=11.1.0.12&sap=hp . - - - - ORPHANS REMOVED - - - - . BHO-{127AD70F-B2B7-4f6a-ACD9-C7B1FE48C8C0} - (no file) Wow6432Node-HKCU-Run-PlayNC Launcher - (no file) Wow6432Node-HKCU-Run-Akamai NetSession Interface - c:\users\Ming-Ti\AppData\Local\Akamai\netsession_win.exe WebBrowser-{90B49673-5506-483E-B92B-CA0265BD9CA8} - (no file) HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe AddRemove-DealBulldog Toolbar - c:\program files (x86)\DealBulldog Toolbar\UninstallToolbar.exe AddRemove-StartNow Toolbar - c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe AddRemove-VooMuuSA - c:\program files (x86)\VooMuu\bin\1.0.36.0\VooMuuUninstaller.exe AddRemove-{92A196AE-9B4D-499C-94D4-18FA2061B3CE}_is1 - c:\program files (x86)\Shop To Win\unins000.exe . . . [HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc] "ImagePath"="c:\windows\system32\GameMon.des -service" . [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va005] "ImagePath"="\??\c:\users\Steven\AppData\Local\Temp\0057DA7.tmp" . [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va006] "ImagePath"="\??\c:\users\Steven\AppData\Local\Temp\006F845.tmp" . [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va008] "ImagePath"="\??\c:\users\Ming-Ti\AppData\Local\Temp\008F846.tmp" . [HKEY_LOCAL_MACHINE\system\ControlSet001\services\xsherlock] "ImagePath"="c:\windows\system32\xsherlock.xem" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_ 3_300_265_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX .exe" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\{47BF077C-44C6-42B1-8F88-ADE2585DD2ED}*] @=hex:21,08,4a,87,32,1f,cc,01 . [HKEY_LOCAL_MACHINE\software\Classes\{97A98033-9FA1-4E80-A339-59787B43CC89}*] @=hex:ed,b8,9e,87,32,1f,cc,01 . [HKEY_LOCAL_MACHINE\software\Classes\{A82EB336-567D-4F41-A63E-8113AD8B6903}*] @=hex:56,b0,46,84,32,1f,cc,01 . [HKEY_LOCAL_MACHINE\software\Classes\{C4B20040-7D5A-4558-9E19-B7DF94366F97}*] @=hex:22,6d,17,88,32,1f,cc,01 . [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\DbgagD\1*] "value"="?\05\02\1f\15\05\19?" . [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}] @Denied: (A) (Everyone) "Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}" . [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane\0] "Key"="ActionsPane" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd" . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Other Running Processes ------------------------ . c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe . ************************************************************************** . Completion time: 2012-07-19 06:16:55 - machine was rebooted ComboFix-quarantined-files.txt 2012-07-19 13:16 . Pre-Run: 80,174,125,056 bytes free Post-Run: 79,650,013,184 bytes free . - - End Of File - - 776E5CDADF44DC75D8E521E4A26A5F1A |
20-Jul-2012, 09:10 AM
#6 | |||||||
| Hi,
----------
__________________ -Jeff- Proud graduate of WTT Classroom. -- Member of ASAP and UNITE. -- If I am working with you and not responded in 2 days, please PM me. |
20-Jul-2012, 11:38 AM
#8 | |||||||
|
__________________ -Jeff- Proud graduate of WTT Classroom. -- Member of ASAP and UNITE. -- If I am working with you and not responded in 2 days, please PM me. |
21-Jul-2012, 10:06 PM
#10 | |||||||
| Hi, Please run Malwarebytes again and remove all the entries that are found and post the new log. -------------
---------- Download Security Check by screen317 from here or here.
In your next reply please post the logs made by Malwarebytes, ComboFix and Security Check. Also let me know how your system is running.
__________________ -Jeff- Proud graduate of WTT Classroom. -- Member of ASAP and UNITE. -- If I am working with you and not responded in 2 days, please PM me. |
22-Jul-2012, 07:39 AM
#11 | ||||||
| My computer's been running great since the first scan/fix! When I did the second one I didn't realize there were so many other problems. n n; Thanks for your help by the way.  ComboFix: ComboFix 12-07-21.01 - Ming-Ti 07/22/2012 4:09.3.8 - x64 Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4087.2447 [GMT -7:00] Running from: c:\users\Ming-Ti\Desktop\ComboFix.exe Command switches used :: c:\users\Ming-Ti\Desktop\CFScript.txt AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0} SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . FILE :: "c:\program files (x86)\WhiteSmokeTranslator\html\english\dictClientDic\index.html" "c:\program files (x86)\WhiteSmokeTranslator\WSRegistrationDictMode.exe" "c:\programdata\UpdaterService\wsupdsvc.exe" "c:\users\All Users\UpdaterService\wsupdsvc.exe" "c:\users\Ming-Ti\AppData\LocalLow\Toolbar4\{338B4DFE-2E2C-4338-9E41-E176D497299E}\UninstallToolbar.exe" "c:\users\Ming-Ti\Downloads\CheatEngine61.exe" "c:\users\Ming-Ti\Downloads\WhiteSmokeWriter8940_en.exe" . . ((((((((((((((((((((((((( Files Created from 2012-06-22 to 2012-07-22 ))))))))))))))))))))))))))))))) . . 2012-07-22 11:21 . 2012-07-22 11:21 -------- d-----w- c:\users\Guest\AppData\Local\temp 2012-07-22 11:21 . 2012-07-22 11:21 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-07-21 17:52 . 2012-07-21 17:52 -------- d-----w- c:\program files (x86)\SplitMediaLabs 2012-07-21 17:52 . 2012-07-21 17:52 -------- d-----w- c:\programdata\SplitMediaLabs 2012-07-21 04:12 . 2012-07-21 04:12 -------- d-----w- c:\program files (x86)\ESET 2012-07-21 03:56 . 2012-07-03 20:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-07-20 10:07 . 2012-06-12 03:02 3147264 ----a-w- c:\windows\system32\win32k.sys 2012-07-19 12:39 . 2012-07-19 12:39 -------- d-----w- C:\_OTL 2012-07-19 12:36 . 2012-07-19 12:36 -------- d-----w- c:\program files (x86)\ERUNT 2012-07-18 12:00 . 2012-07-18 12:00 -------- d-----w- c:\users\Guest\AppData\Roaming\AVG2012 2012-07-18 06:16 . 2012-07-18 06:16 -------- d-----w- c:\programdata\Malwarebytes 2012-07-18 06:16 . 2012-07-21 03:56 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware 2012-07-18 03:56 . 2012-07-18 12:01 -------- d-----w- c:\programdata\AVG2012 2012-07-17 15:35 . 2012-07-18 10:49 -------- d-sh--w- c:\windows\SysWow64\%APPDATA% 2012-07-17 15:22 . 2012-07-18 10:49 -------- d-----w- c:\program files (x86)\Anna 2012-07-17 13:03 . 2012-07-17 13:03 -------- d-----w- c:\program files (x86)\Common Files\DAZ 2012-07-17 12:58 . 2012-07-18 10:46 -------- d-----w- c:\programdata\DAZ 3D 2012-07-17 12:46 . 2012-07-18 10:46 -------- d-----w- c:\program files\DAZ 3D 2012-07-16 06:01 . 2012-07-18 10:49 -------- d-----w- c:\programdata\McAfee Security Scan 2012-07-16 06:00 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\McAfee Security Scan 2012-07-16 06:00 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Common Files\Java 2012-07-16 05:59 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Oracle 2012-07-16 05:59 . 2012-07-06 05:06 772544 ----a-w- c:\windows\SysWow64\npDeployJava1.dll 2012-07-16 05:56 . 2012-07-16 05:56 -------- d-----w- c:\programdata\McAfee 2012-07-16 01:40 . 2012-07-18 14:50 -------- d-----w- c:\program files (x86)\4game 2012-07-14 01:48 . 2012-07-18 10:45 -------- d-----w- c:\program files (x86)\Audition Online 2012-07-13 12:04 . 2012-07-14 01:03 -------- d-----w- c:\program files (x86)\1ClickDownload 2012-07-12 06:41 . 2012-07-18 14:47 -------- d-----w- c:\program files (x86)\medit 2012-07-09 20:23 . 2012-07-18 10:49 -------- d-----w- c:\users\Chateau 2012-07-07 02:58 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\NCsoft 2012-07-04 18:22 . 2012-07-18 10:46 -------- d-----w- c:\users\Steven 2012-07-04 03:36 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\beanfun! 2012-07-03 19:25 . 2012-07-19 13:05 -------- d-----w- c:\users\Ming-Ti 2012-07-03 18:52 . 2012-07-18 10:46 -------- d-----w- c:\windows\system32\%LocalAppData% 2012-07-03 18:30 . 2012-02-23 21:24 24408 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe 2012-07-03 17:47 . 2012-07-18 10:46 -------- d-----w- c:\program files\SmartPCFixer 2012-07-03 17:22 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Uniblue 2012-07-03 17:22 . 2012-07-03 17:22 -------- dc-h--w- c:\programdata\{6AD8E59C-250C-4201-B5BA-56ADEF76FF46} 2012-07-03 16:52 . 2012-07-18 10:46 -------- d-sh--w- c:\windows\system32\%APPDATA% 2012-07-02 18:52 . 2012-07-18 10:46 -------- d-----w- c:\programdata\AVG Secure Search 2012-07-02 18:52 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search 2012-07-02 18:51 . 2012-07-18 10:49 -------- d-----w- c:\program files (x86)\AVG Secure Search 2012-07-02 17:38 . 2012-07-02 19:11 -------- d-----w- C:\e012b0bfc282bb9dec1ac0c1cd7087bb 2012-07-02 17:37 . 2012-05-21 07:20 333216 ----a-w- c:\windows\SysWow64\MMInstaller.dll 2012-07-02 17:35 . 2012-07-18 10:46 -------- d-----w- c:\program files\Tencent 2012-07-02 17:34 . 2012-07-02 17:37 -------- d-----w- c:\programdata\Tencent 2012-07-02 17:34 . 2012-07-18 10:46 -------- d-----w- c:\program files (x86)\Common Files\Tencent 2012-07-02 17:34 . 2012-07-18 14:52 -------- d-----w- c:\program files (x86)\Tencent 2012-07-02 17:33 . 2012-07-02 18:53 18760 ----a-w- c:\windows\SysWow64\QQVistaHelper.dll 2012-06-25 15:09 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll 2012-06-25 15:09 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-25 15:09 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll 2012-06-25 15:09 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll 2012-06-25 15:08 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll 2012-06-25 15:08 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll 2012-06-25 15:08 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll 2012-06-25 15:08 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll 2012-06-25 15:08 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-07-12 16:09 . 2012-04-14 19:43 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2012-07-12 16:09 . 2011-12-02 03:01 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2012-07-06 05:06 . 2011-12-03 06:47 687544 ----a-w- c:\windows\SysWow64\deployJava1.dll 2012-07-01 18:26 . 2011-05-24 03:56 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microso ft.MediaCenter.Sports.UI.dll 2012-07-01 18:26 . 2011-11-30 03:56 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll 2012-07-01 18:26 . 2011-05-24 03:56 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll 2012-07-01 18:26 . 2011-05-24 03:56 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\Spotlight Resources.dll 2012-06-25 22:35 . 2010-03-18 16:15 770384 ----a-w- c:\windows\SysWow64\MSVCR100.dll 2012-06-25 22:35 . 2010-03-18 16:15 421200 ----a-w- c:\windows\SysWow64\MSVCP100.dll 2012-06-18 10:32 . 2012-06-18 10:32 1409 ----a-w- c:\windows\Fonts\fsex2p00_public.fot 2012-06-16 06:36 . 2011-11-30 03:57 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll 2012-06-16 06:36 . 2011-05-24 03:56 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup .dll 2012-06-16 06:35 . 2011-11-30 03:56 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll 2012-06-16 06:35 . 2011-11-30 03:56 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll 2012-05-13 22:28 . 2011-12-28 22:56 121416 ----a-w- c:\windows\system32\drivers\MijXfilt.sys 2012-05-04 10:52 . 2012-06-15 09:38 5505392 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-05-04 10:08 . 2012-06-15 09:38 3958128 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe 2012-05-04 10:08 . 2012-06-15 09:38 3902320 ----a-w- c:\windows\SysWow64\ntoskrnl.exe 2012-05-03 02:54 . 2012-05-03 02:54 42392 ----a-w- c:\windows\SysWow64\xfcodec.dll 2012-05-03 02:54 . 2012-05-03 02:54 28056 ----a-w- c:\windows\system32\xfcodec64.dll 2012-05-02 05:32 . 2012-06-15 09:38 208896 ----a-w- c:\windows\system32\profsvc.dll 2012-04-28 03:50 . 2012-06-15 09:38 204800 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-04-28 00:28 . 2012-04-28 01:12 258352 ----a-w- c:\windows\SysWow64\unicows.dll 2012-04-26 05:34 . 2012-06-15 09:38 76288 ----a-w- c:\windows\system32\rdpwsx.dll 2012-04-26 05:34 . 2012-06-15 09:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll 2012-04-26 05:28 . 2012-06-15 09:38 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe 2012-04-24 05:59 . 2012-06-15 09:37 1460224 ----a-w- c:\windows\system32\crypt32.dll 2012-04-24 05:59 . 2012-06-15 09:37 182272 ----a-w- c:\windows\system32\cryptsvc.dll 2012-04-24 05:59 . 2012-06-15 09:37 140288 ----a-w- c:\windows\system32\cryptnet.dll 2012-04-24 04:47 . 2012-06-15 09:37 139264 ----a-w- c:\windows\SysWow64\cryptsvc.dll 2012-04-24 04:47 . 2012-06-15 09:37 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll 2012-04-24 04:47 . 2012-06-15 09:37 1156608 ----a-w- c:\windows\SysWow64\crypt32.dll . . ------- Sigcheck ------- Note: Unsigned files aren't necessarily malware. . [7] 2010-11-20 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\SoftwareDistribution\Download\488053cdbca3231eeb2c2af7236d09ed\a md64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll [7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll [-] 2012-01-28 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll . ((((((((((((((((((((((((((((( SnapShot_2012-07-20_13.45.37 ))))))))))))))))))))))))))))))))))))))))) . + 2011-04-08 10:35 . 2012-07-22 10:44 65292 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin + 2009-07-14 05:10 . 2012-07-22 10:44 37296 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin + 2012-04-08 07:05 . 2012-07-22 10:41 54594 c:\windows\system32\config\systemprofile\AppData\Roaming\WTablet\Pen_Tablet .dat - 2012-04-08 07:05 . 2012-07-20 13:44 54594 c:\windows\system32\config\systemprofile\AppData\Roaming\WTablet\Pen_Tablet .dat - 2011-04-08 09:29 . 2012-07-20 10:47 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat + 2011-04-08 09:29 . 2012-07-22 10:48 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat - 2012-07-19 12:48 . 2012-07-20 10:47 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat + 2012-07-19 12:48 . 2012-07-22 10:48 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat + 2009-07-14 04:54 . 2012-07-22 10:48 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat - 2009-07-14 04:54 . 2012-07-20 10:47 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat + 2012-07-21 17:52 . 2012-07-21 17:52 14534 c:\windows\Installer\{15C49338-59E5-472E-94F7-D5AE15EE23C9}\SystemFolder_msiexec.exe + 2012-07-04 18:25 . 2012-07-22 10:44 6252 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4068807989-813300523-3891819274-1004_UserData.bin + 2012-07-22 10:40 . 2012-07-22 10:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat - 2012-07-20 13:44 . 2012-07-20 13:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat - 2012-07-20 13:44 . 2012-07-20 13:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat + 2012-07-22 10:40 . 2012-07-22 10:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat + 2012-07-21 17:52 . 2012-07-21 17:52 9662 c:\windows\Installer\{15C49338-59E5-472E-94F7-D5AE15EE23C9}\XSplit.Core.exe + 2009-07-14 04:54 . 2012-07-22 10:40 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat - 2009-07-14 04:54 . 2012-07-20 11:26 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat - 2009-07-14 05:01 . 2012-07-20 13:43 485976 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat + 2009-07-14 05:01 . 2012-07-21 20:26 485976 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat + 2012-06-02 01:13 . 2012-06-02 01:13 886272 c:\windows\Installer\30a6634.msi + 2012-07-22 10:42 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\7-22-2012\ERDNT.EXE + 2009-07-14 04:54 . 2012-07-22 10:40 2048000 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat - 2009-07-14 04:54 . 2012-07-20 11:26 2048000 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat + 2012-07-04 08:45 . 2012-07-21 20:26 5325852 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4068807989-813300523-3891819274-1004-12288.dat + 2012-07-22 10:42 . 2012-07-22 10:42 2527232 c:\windows\ERDNT\AutoBackup\7-22-2012\Users\00000002\UsrClass.dat + 2012-07-22 10:42 . 2012-07-22 10:42 2654208 c:\windows\ERDNT\AutoBackup\7-22-2012\Users\00000001\ntuser.dat - 2009-07-14 04:54 . 2012-07-20 11:26 11304960 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat + 2009-07-14 04:54 . 2012-07-22 10:40 11304960 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat - 2009-07-14 02:34 . 2012-07-20 10:26 10747904 c:\windows\system32\SMI\Store\Machine\schema.dat + 2009-07-14 02:34 . 2012-07-22 10:56 10747904 c:\windows\system32\SMI\Store\Machine\schema.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~2\Yahoo!\Companion\Installs\cpn0\yt.dll" [2011-10-06 2015544] . [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}] [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1] [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}] [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin] . [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}] 2009-11-25 19:47 297808 ----a-w- c:\windows\System32\mscoree.dll . [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{46F9BE77-3DD9-0ECB-98F9-1793D13B9886}] 2012-06-27 23:25 1404320 ----a-w- c:\program files\Tencent\SSPlus\SAddr.dll . [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}] 2012-07-02 18:52 2074208 ----a-w- c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar] "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll" [2012-07-02 2074208] . [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}] [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1] [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj] . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-06-16 2736128] "QQIntl"="c:\program files (x86)\Tencent\QQIntl\Bin\QQ.exe" [2012-07-02 128416] "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-06-05 17344176] "Steam"="c:\program files (x86)\Steam\steam.exe" [2011-12-03 1242448] "uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-07-13 895376] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ru n] "QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-24 323640] "AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432] "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096] "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008] "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040] "BambooCore"="c:\program files (x86)\Bamboo Dock\BambooCore.exe" [2011-09-27 646232] "vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-07-02 1107552] "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296] "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920] . c:\users\Ming-Ti\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912] MSPANotify - Shortcut.lnk - c:\users\Ming-Ti\Downloads\MSPANotify-0.4.1\MSPANotify.exe [2012-7-16 410112] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.1.121\SSScheduler.exe [2010-9-2 255536] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf010 00.sys] @="Driver" . R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-07-05 5160568] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-05 160944] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-12 250056] R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [x] R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x] R3 iscFlash;iscFlash;c:\users\Steven\AppData\Local\Temp\7zSB6F0.tmp\iscflashx6 4.sys [x] R3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv_x64.sys [2012-01-11 34304] R3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv_x64.sys [2012-02-22 28160] R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.1.121\McCHSvc.exe [2010-09-03 227232] R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys [2012-05-13 121416] R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x] R3 qkm;qkm;c:\koramgame\GDOnline\mqkwy64.sys [2012-02-04 48048] R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x] R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-10-24 291328] R3 sj;sj;c:\aeriagames\EdenEternal\sjcs64.sys [2011-12-09 47224] R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096] R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-03 51712] R3 usj;usj;c:\aeriagames\EdenEternal\avital\ussjcs64.sys [2012-07-06 89560] R3 vtany;vtany;c:\windows\vtany.sys [x] R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2011-09-09 13312] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-21 1255736] R3 X6va005;X6va005;c:\users\Steven\AppData\Local\Temp\0057DA7.tmp [x] R3 X6va006;X6va006;c:\users\Steven\AppData\Local\Temp\006F845.tmp [x] R3 X6va008;X6va008;c:\users\Ming-Ti\AppData\Local\Temp\008F846.tmp [x] R3 xsherlock;xsherlock;c:\windows\system32\xsherlock.xem [x] R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184] S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480] S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944] S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-03-04 55856] S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-02-22 289872] S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696] S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-03-19 383808] S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904] S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_ne utral_70dacb64382a61a7\AESTSr64.exe [2009-03-03 89600] S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288] S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-14 30520] S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944] S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2011-09-09 6583160] S2 TBUpdate;Tencent Toolbar Update Service;c:\program files\Tencent\barupdate\TBUpdate.exe [2012-07-03 197536] S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-02-23 2886528] S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2011-09-09 528760] S2 UpdaterService;WhiteSmoke Updater Service;c:\programdata\UpdaterService\wsupdsvc.exe [2012-04-29 549744] S2 vToolbarUpdater11.2.0;vToolbarUpdater11.2.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [2012-07-02 935008] S2 WajamUpdater;WajamUpdater;c:\program files\Wajam\Updater\WajamUpdater.exe [2012-03-09 109064] S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496] S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776] S3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [2010-07-14 32880] S3 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408] S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2009-06-29 70656] S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-07-20 140712] S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904] S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2009-08-22 84512] S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920] . . --- Other Services/Drivers In Memory --- . *NewlyCreated* - MBAMPROTECTOR . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2010-06-16 20:38 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe . Contents of the 'Scheduled Tasks' folder . 2012-07-22 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 16:09] . 2012-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4068807989-813300523-3891819274-1004Core.job - c:\users\Ming-Ti\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-03 19:51] . 2012-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4068807989-813300523-3891819274-1004UA.job - c:\users\Ming-Ti\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-03 19:51] . 2012-07-20 c:\windows\Tasks\Norton Security Scan for Steven.job - c:\progra~2\NORTON~2\Engine\361~1.11\Nss.exe [2011-12-23 09:45] . 2012-07-22 c:\windows\Tasks\RegistryBooster.job - c:\program files (x86)\Uniblue\RegistryBooster\rbmonitor.exe [2012-07-03 18:56] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}] 2009-11-25 19:47 444752 ----a-w- c:\windows\System32\mscoree.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-03-24 487424] "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU] "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-10-13 186904] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-29 16395880] "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208] . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = <local> IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000 IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Steven\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11 TCP: Interfaces\{CB0B424B-A1EC-4E14-9608-4D23B7C425F2}: NameServer = 4.2.2.1 TCP: Interfaces\{CB0B424B-A1EC-4E14-9608-4D23B7C425F2}\46C696E6B6: NameServer = 4.2.2.1 Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll DPF: {12193C65-F0E1-4DD1-AD4E-DB73C6911011} - file:///D:/activeX/DCP.cab DPF: {4D2D3A17-9B46-483C-A5F4-1DC471080009} - hxxps://sslpx-ccas01.edmc.edu/auth/taweb.cab DPF: {7191F0AC-D686-46A8-BFCC-EA61778C74DD} - file:///D:/activeX/aplugLiteDL.cab FF - ProfilePath - c:\users\Ming-Ti\AppData\Roaming\Mozilla\Firefox\Profiles\4fiohuq8.default\ FF - prefs.js: browser.search.selectedEngine - AVG Secure Search FF - prefs.js: browser.startup.homepage - hxxp://isearch.avg.com/?cid={D1E1E66B-09C0-42E2-9FAC-CAB67704104F}&mid=4d27b50357d247d68b6f1a671b6c1e32-ec7a1d4c2e9b3a9a0ad0219ec7c4e08c4f2893c9&lang=en&ds=yu012&pr=sa&d=2012-07-02 11:52&v=11.1.0.12&sap=hp . - - - - ORPHANS REMOVED - - - - . BHO-{127AD70F-B2B7-4f6a-ACD9-C7B1FE48C8C0} - (no file) . . . [HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc] "ImagePath"="c:\windows\system32\GameMon.des -service" . [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va005] "ImagePath"="\??\c:\users\Steven\AppData\Local\Temp\0057DA7.tmp" . [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va006] "ImagePath"="\??\c:\users\Steven\AppData\Local\Temp\006F845.tmp" . [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va008] "ImagePath"="\??\c:\users\Ming-Ti\AppData\Local\Temp\008F846.tmp" . [HKEY_LOCAL_MACHINE\system\ControlSet001\services\xsherlock] "ImagePath"="c:\windows\system32\xsherlock.xem" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-4068807989-813300523-3891819274-1004\Software\SecuROM\License information*] "datasecu"=hex:34,ba,59,bc,fe,c5,16,38,e7,50,e2,eb,4e,5b,05,28,4e,f3,5f,61, b2, 93,63,8b,db,e0,ba,e4,ae,f4,ee,df,af,12,79,23,db,7a,cc,12,db,41,bc,b4,c4,eb, \ "rkeysecu"=hex:3a,d6,8d,b9,70,08,bc,18,cb,d3,05,7d,1d,91,ec,a8 . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_ 3_300_265_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX .exe" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\software\Classes\{47BF077C-44C6-42B1-8F88-ADE2585DD2ED}*] @=hex:21,08,4a,87,32,1f,cc,01 . [HKEY_LOCAL_MACHINE\software\Classes\{97A98033-9FA1-4E80-A339-59787B43CC89}*] @=hex:ed,b8,9e,87,32,1f,cc,01 . [HKEY_LOCAL_MACHINE\software\Classes\{A82EB336-567D-4F41-A63E-8113AD8B6903}*] @=hex:56,b0,46,84,32,1f,cc,01 . [HKEY_LOCAL_MACHINE\software\Classes\{C4B20040-7D5A-4558-9E19-B7DF94366F97}*] @=hex:22,6d,17,88,32,1f,cc,01 . [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\DbgagD\1*] "value"="?\05\02\1f\15\05\19?" . [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}] @Denied: (A) (Everyone) "Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}" . [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane\0] "Key"="ActionsPane" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd" . [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2012-07-22 04:25:45 ComboFix-quarantined-files.txt 2012-07-22 11:25 ComboFix2.txt 2012-07-20 13:52 ComboFix3.txt 2012-07-19 13:16 . Pre-Run: 85,097,787,392 bytes free Post-Run: 84,810,027,008 bytes free . - - End Of File - - 04E70C137A1E247A40F5956D52D5C351 ------ SecurityCheck: Results of screen317's Security Check version 0.99.43 Windows 7 x64 (UAC is disabled!) Out of date service pack!! Internet Explorer 9 ``````````````Antivirus/Firewall Check:`````````````` Windows Firewall Enabled! AVG Anti-Virus Free Edition 2012 Antivirus up to date! (On Access scanning disabled!) `````````Anti-malware/Other Utilities Check:````````` Malwarebytes Anti-Malware version 1.62.0.1300 JavaFX 2.1.1 Java(TM) 6 Update 31 Java(TM) 7 Update 5 Mozilla Firefox (8.0.1) Google Chrome 20.0.1132.47 Google Chrome 20.0.1132.57 Google Chrome Plugins... ````````Process Check: objlist.exe by Laurent```````` Malwarebytes Anti-Malware mbamservice.exe Malwarebytes Anti-Malware mbamgui.exe AVG avgwdsvc.exe AVG avgtray.exe `````````````````System Health check````````````````` Total Fragmentation on Drive C: 3% ````````````````````End of Log`````````````````````` ------ Malwarebytes: Malwarebytes Anti-Malware (Trial) 1.62.0.1300 www.malwarebytes.org Database version: v2012.07.21.02 Windows 7 x64 NTFS Internet Explorer 9.0.8112.16421 Ming-Ti :: STEVENPC [administrator] Protection: Enabled 7/22/2012 4:31:33 AM mbam-log-2012-07-22 (04-35-15).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 249022 Time elapsed: 3 minute(s), 13 second(s) Memory Processes Detected: 2 C:\ProgramData\UpdaterService\wsupdsvc.exe (PUP.BundleInstaller.IB) -> 896 -> No action taken. C:\ProgramData\UpdaterService\wsupdsvc.exe (PUP.BundleInstaller.IB) -> 5208 -> No action taken. Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 12 HKLM\SYSTEM\CurrentControlSet\Services\UpdaterService (PUP.BundleInstaller.IB) -> No action taken. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhiteSmoke Updater Service (PUP.BundleInstaller.IB) -> No action taken. HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC} (PUP.MyWebSearch) -> No action taken. HKCR\Typelib\{B1A7C2CF-BF40-4597-8142-7615D74D0CC3} (Trojan.Agent) -> No action taken. HKCR\Interface\{3084BC3D-C0D6-4A28-A8A4-5857165886EE} (Trojan.Agent) -> No action taken. HKCR\CLSID\{29CF293A-1E7D-4069-9E11-E39698D0AF95} (Trojan.Agent) -> No action taken. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29CF293A-1E7D-4069-9E11-E39698D0AF95} (Trojan.Agent) -> No action taken. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{29CF293A-1E7D-4069-9E11-E39698D0AF95} (Trojan.Agent) -> No action taken. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{29CF293A-1E7D-4069-9E11-E39698D0AF95} (Trojan.Agent) -> No action taken. HKLM\SOFTWARE\VooMuu (Adware.HotBar.VM) -> No action taken. HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (PUP.MyWebSearch) -> No action taken. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VooMuuSA (Adware.HotBar.VM) -> No action taken. Registry Values Detected: 2 HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{29CF293A-1E7D-4069-9E11-E39698D0AF95} (Trojan.Agent) -> Data: SOSO工具栏 -> No action taken. HKLM\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources|f3PopularScreensavers (PUP.MyWebSearch) -> Data: C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCRCTR.DLL -> No action taken. Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 5 C:\ProgramData\UpdaterService\wsupdsvc.exe (PUP.BundleInstaller.IB) -> No action taken. C:\Program Files\Tencent\QQToolbar\IEBar.dll (Trojan.Agent) -> No action taken. C:\Users\Ming-Ti\Downloads\SoftonicDownloader_for_speaker.exe (PUP.ToolbarDownloader) -> No action taken. C:\Users\Ming-Ti\Downloads\SoftonicDownloader_for_sumotori-dreams.exe (PUP.ToolbarDownloader) -> No action taken. C:\Users\Ming-Ti\Downloads\WhiteSmokeWriter8940_en.exe (Trojan.Downloader) -> No action taken. (end) |
Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.
If you're not already familiar with forums, watch our Welcome Guide to get started.
| Tags |
| doubleclick, service.exe |
| |
| Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) | |
| Thread Tools | |
| |
