Redirect of all search results


23 replies to this topic

#1 kennyf (New Member, 14 posts)

Posted 15 March 2012 - 09:18 AM

I seem to be lucky in as much as it only interrupts my search results. A direct typed address or a click on favorites is not affected. I get redirected to an address with IP addresses like 63.209.69.107 and then some bogus page. Have also seen the fake virus scanner but have clicked out in time, I guess. I use Microsoft Essentials. I have tried Malwarebytes to scan and it finds nothing. Also GMER shows no results. Thanks - Lucky but Frustrated.

#2 kennyf (New Member, 14 posts)

Posted 15 March 2012 - 09:45 AM

My Computer Info.

#3 screen317 (MBAM Sentinel, Moderators, 19,486 posts, New Haven, CT)

Posted 15 March 2012 - 03:23 PM

Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them unless otherwise indicated. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post DDS.txt directly in your reply.
Chris Fistonich
Research Team


#4 kennyf (New Member, 14 posts)

Posted 15 March 2012 - 04:32 PM

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.03.15.07
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Kenny :: KENNY-PC [administrator]
3/15/2012 4:21:14 PM
mbam-log-2012-03-15 (16-21-14).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 203847
Time elapsed: 2 minute(s), 30 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

Thank You For the help.




.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Kenny at 16:23:03 on 2012-03-15
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4091.2355 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\SeaPort.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingApp.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingBar.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingSurrogate.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingSurrogate.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingSurrogate.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingSurrogate.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cbsnews.com/?ocid=MIE8MSNB/
uWindow Title = Internet Explorer, optimized for Bing and MSN
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Groove Folder Synchronization: {0f802439-432b-1c45-7cd3-59de607400c2} - C:\Windows\SysWOW64\KBDDCAN.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {1f16312e-19de-5861-0ba2-71716c621717} - C:\Windows\SysWOW64\fdPProxy.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingExt.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingExt.dll"
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
StartupFolder: C:\Users\Kenny\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{037AEAC4-C825-4164-8D9F-487EA929E4E3} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{23186FDD-D6B1-418E-8FCD-806ABA5FA22A} : DhcpNameServer = 75.75.76.76 75.75.75.75
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Groove Folder Synchronization: {0F802439-432B-1C45-7CD3-59DE607400C2} - C:\Windows\SysWOW64\KBDDCAN.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Windows Live ID Sign-in Helper: {1F16312E-19DE-5861-0BA2-71716C621717} - C:\Windows\SysWOW64\fdPProxy.dll
BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingExt.dll
BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingExt.dll"
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB-X64: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\SeaPort.EXE [2012-1-21 240408]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 O2MDRDR;O2MDRDR;C:\Windows\system32\DRIVERS\o2mdx64.sys --> C:\Windows\system32\DRIVERS\o2mdx64.sys [?]
R3 O2SDRDR;O2SDRDR;C:\Windows\system32\DRIVERS\o2sdx64.sys --> C:\Windows\system32\DRIVERS\o2sdx64.sys [?]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BBSvc.EXE [2012-1-21 192792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 CAXHWAZL;CAXHWAZL;C:\Windows\system32\DRIVERS\CAXHWAZL.sys --> C:\Windows\system32\DRIVERS\CAXHWAZL.sys [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 mbamchameleon;mbamchameleon;\??\C:\Windows\system32\drivers\mbamchameleon.sys --> C:\Windows\system32\drivers\mbamchameleon.sys [?]
S3 netr7364;RT73 USB Extensible Wireless LAN Card Driver;C:\Windows\system32\DRIVERS\netr7364.sys --> C:\Windows\system32\DRIVERS\netr7364.sys [?]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-03-15 13:44:11 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{10E6BF4B-E7CE-42EF-B3DB-CAC972780868}\offreg.dll
2012-03-15 13:43:23 8643640 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{10E6BF4B-E7CE-42EF-B3DB-CAC972780868}\mpengine.dll
2012-03-15 02:51:50 -------- d-----w- C:\Program Files (x86)\UnHackMe
2012-03-15 02:39:22 -------- d-----w- C:\Program Files\Oracle
2012-03-15 02:38:51 750488 ----a-w- C:\Windows\System32\npdeployJava1.dll
2012-03-15 02:38:51 660368 ----a-w- C:\Windows\System32\deployJava1.dll
2012-03-14 22:23:52 98816 ----a-w- C:\Windows\sed.exe
2012-03-14 22:23:52 518144 ----a-w- C:\Windows\SWREG.exe
2012-03-14 22:23:52 256000 ----a-w- C:\Windows\PEV.exe
2012-03-14 22:23:52 208896 ----a-w- C:\Windows\MBR.exe
2012-03-14 22:23:50 -------- d-s---w- C:\ComboFix
2012-03-14 14:45:43 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2012-03-14 13:28:34 -------- d-----w- C:\Users\Kenny\AppData\Roaming\SUPERAntiSpyware.com
2012-03-14 13:27:57 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-03-14 13:27:57 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-03-14 10:52:53 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-14 10:52:52 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-14 10:52:52 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-14 09:32:11 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-03-14 09:32:11 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-03-14 09:32:11 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-03-14 09:29:31 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-14 09:29:31 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-03-14 09:29:31 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-03-14 09:29:30 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-14 09:29:30 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-03-14 09:29:29 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-14 09:29:26 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-12 20:46:15 29808 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2012-03-12 20:42:29 -------- d-----w- C:\Users\Kenny\AppData\Roaming\Malwarebytes
2012-03-12 20:42:21 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-12 20:42:21 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-12 19:44:09 -------- d-----w- C:\sh4ldr
2012-03-12 19:44:09 -------- d-----w- C:\Program Files\Enigma Software Group
2012-03-12 19:43:10 -------- d-----w- C:\Windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP
2012-03-12 12:23:51 -------- d-----w- C:\Users\Kenny\AppData\Local\Threat Expert
2012-03-12 12:07:34 -------- d-----w- C:\Program Files (x86)\PC Tools
2012-03-12 12:05:17 230952 ----a-w- C:\Windows\System32\drivers\PCTSD64.sys
2012-03-12 12:05:17 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2012-03-12 12:04:57 -------- d-----w- C:\ProgramData\PC Tools
2012-03-12 02:49:59 -------- d-----w- C:\Windows\Downloaded Installations
2012-03-11 23:07:42 8643640 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-11 22:33:43 -------- d-----w- C:\ProgramData\SpeedyPC Software
2012-03-11 22:04:33 39184 ----a-w- C:\Windows\System32\Partizan.exe
2012-03-11 21:55:36 2 --shatr- C:\Windows\winstart.bat
2012-03-11 19:33:04 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E3688C9F-6EBA-48AD-8376-27B33CC3ACB2}\gapaengine.dll
2012-03-11 19:32:00 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-03-11 19:31:58 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-03-11 18:24:27 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-03-11 04:29:48 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-03-11 04:09:38 -------- d-----w- C:\ProgramData\Malwarebytes
2012-03-10 18:17:16 889664 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-03-10 18:17:16 63296 ----a-w- C:\Windows\System32\nvshext.dll
2012-03-10 18:17:16 6074176 ----a-w- C:\Windows\System32\nvcpl.dll
2012-03-10 18:17:16 3089728 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-03-10 18:17:16 2561856 ----a-w- C:\Windows\System32\nvsvcr.dll
2012-03-10 18:17:16 118080 ----a-w- C:\Windows\System32\nvmctray.dll
2012-03-10 01:28:40 98 ---ha-w- C:\aaw7boot.cmd
2012-03-10 01:23:48 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{13BE0816-07C1-44AD-8B7A-734327D20984}\mpengine.dll
2012-03-09 14:11:03 -------- d-----w- C:\Windows\SysWow64\2055
2012-03-09 14:10:37 -------- d-----w- C:\Windows\SysWow64\2002
2012-03-08 03:52:35 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-03-08 03:37:58 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2012-03-05 03:29:54 -------- d-----w- C:\Users\Kenny\AppData\Roaming\Elephant Games
2012-03-05 03:27:25 -------- d-----w- C:\Program Files (x86)\Games
2012-02-26 17:38:42 72512 ----a-w- C:\Windows\System32\nvapo64v.dll
2012-02-26 17:38:42 1451840 ----a-w- C:\Windows\System32\nvhdagenco6420103.dll
2012-02-26 17:38:41 31040 ----a-w- C:\Windows\System32\nvhdap64.dll
2012-02-26 17:38:41 188224 ----a-w- C:\Windows\System32\drivers\nvhda64v.sys
2012-02-26 17:38:22 -------- d-----w- C:\Program Files\NVIDIA Corporation
2012-02-26 17:37:48 -------- d-----w- C:\NVIDIA
2012-02-24 12:07:10 86016 ----a-w- C:\Windows\unvise32qt.exe
2012-02-20 03:32:07 -------- d-----w- C:\ProgramData\Tages
2012-02-19 23:40:47 -------- d-----w- C:\Windows\en
2012-02-19 23:38:58 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-02-19 23:37:26 15712 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\6fd86fea1ccef5f01\MeshBetaRemover.exe
2012-02-19 23:11:49 -------- d-----w- C:\Program Files\CCleaner
2012-02-17 12:23:06 -------- d-----w- C:\Program Files (x86)\Guild Wars
2012-02-15 11:52:43 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
2012-02-15 11:52:43 634880 ----a-w- C:\Windows\System32\msvcrt.dll
2012-02-15 11:52:38 515584 ----a-w- C:\Windows\System32\timedate.cpl
2012-02-15 11:52:38 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-02-15 11:52:38 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
2012-02-15 11:52:38 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2012-02-15 11:52:37 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
.
==================== Find3M ====================
.
2012-03-15 03:36:22 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-23 15:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-03 12:00:14 164992 ----a-w- C:\Windows\SysWow64\drivers\athsgt.sys
2012-02-03 12:00:11 12544 ----a-w- C:\Windows\SysWow64\drivers\limsgt.sys
2011-12-31 23:19:13 466456 ----a-w- C:\Windows\System32\wrap_oal.dll
2011-12-31 23:19:13 444952 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2011-12-31 23:19:13 122904 ----a-w- C:\Windows\System32\OpenAL32.dll
2011-12-31 23:19:13 109080 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2011-12-28 15:10:42 279616 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
.
============= FINISH: 16:23:45.18 ===============
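
The DDS "Pseudo HJT Report" above is the part of this log a helper reads first: browser helper objects (BHOs), the UAC policy values under mPolicies-system, IE Trusted Zone entries and the DHCP-assigned resolvers. The script below is an added example (not from the original thread, and not a Malwarebytes or DDS tool) that parses those line types and flags what a defender would want to look at: UAC policy values that differ from the Windows 7 defaults (the log shows EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all at 0), BHO registrations whose DLL is missing, BHOs whose DLL lives under the Windows directory rather than an application folder (worth checking the file's publisher), Trusted Zone sites, and the resolvers in use. The sample input is a constructed excerpt made of lines copied from the log posted above; the regexes also accept the BHO-X64 and TCP: Interfaces\{...} variants that appear in the full log, which the sample does not include. The triage itself says nothing about whether an entry is malicious; that judgement stays with the analyst.

```python
import re

# Constructed sample input: lines copied from the DDS "Pseudo HJT Report"
# posted in this thread, so the parser runs offline against the real format.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.cbsnews.com/?ocid=MIE8MSNB/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Groove Folder Synchronization: {0f802439-432b-1c45-7cd3-59de607400c2} - C:\Windows\SysWOW64\KBDDCAN.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {1f16312e-19de-5861-0ba2-71716c621717} - C:\Windows\SysWOW64\fdPProxy.dll
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Trusted Zone: soe.com
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
"""

# Windows 7 defaults for the UAC policy values DDS prints, and what a
# non-default value of 0 means for each (documented behaviour of these
# HKLM\...\Policies\System registry values).
UAC_DEFAULTS = {
    "EnableLUA": (1, "UAC is switched off entirely"),
    "ConsentPromptBehaviorAdmin": (5, "administrators elevate silently, without any prompt"),
    "PromptOnSecureDesktop": (1, "elevation prompts are not isolated on the secure desktop"),
}

# One regex per DDS line type handled here. BHO lines may or may not carry a
# display name before the CLSID; the -X64 and Interfaces\{GUID} variants from
# the full log are accepted too.
BHO_RE = re.compile(r"^BHO(?:-X64)?: (?:(?P<name>[^{]*?): )?(?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)")
TRUSTED_RE = re.compile(r"^Trusted Zone: (?P<host>\S+)$")
DNS_RE = re.compile(r"^TCP: (?:Interfaces\\\{[^}]+\} : )?DhcpNameServer = (?P<servers>.+)$")


def triage_dds(text):
    """Return a list of (category, subject, note) findings for DDS-style lines.

    Categories: 'uac' (policy weaker than the Windows 7 default), 'bho-orphan'
    (registered BHO whose DLL is missing), 'bho-sysdir' (BHO DLL located under
    the Windows directory instead of an application folder), 'trusted-zone'
    (site IE treats as Trusted) and 'dns' (resolver handed out by DHCP).
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            key, val = m.group("key"), int(m.group("val"))
            if key in UAC_DEFAULTS and val != UAC_DEFAULTS[key][0]:
                default, meaning = UAC_DEFAULTS[key]
                findings.append(("uac", key, f"{key}={val} (default {default}): {meaning}"))
            continue
        m = BHO_RE.match(line)
        if m:
            clsid = m.group("clsid")
            path = m.group("path").strip().strip('"')
            name = m.group("name") or "(unnamed)"
            if path == "No File":
                findings.append(("bho-orphan", clsid, f"{name}: DLL missing, stale registration"))
            elif path.lower().startswith("c:\\windows\\"):
                findings.append(("bho-sysdir", clsid, f"{name} loads {path}; verify the file's publisher"))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            findings.append(("trusted-zone", m.group("host"), "site in IE Trusted Zone"))
            continue
        m = DNS_RE.match(line)
        if m:
            for server in m.group("servers").split():
                findings.append(("dns", server, "resolver handed out by DHCP; compare with the expected ISP/router"))
    return findings


def by_category(findings):
    """Group finding subjects by category for a quick summary."""
    grouped = {}
    for category, subject, _note in findings:
        grouped.setdefault(category, []).append(subject)
    return grouped


if __name__ == "__main__":
    for category, subject, note in triage_dds(SAMPLE_DDS):
        print(f"[{category:<12}] {subject}: {note}")
```

Run against the sample, the script reports three UAC values at 0 where the default is non-zero, one orphaned BHO, two BHOs loading from SysWOW64, one Trusted Zone site and two resolvers. Feed it the whole Pseudo HJT Report section of a DDS log to triage a real post.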

#5 kennyf (New Member, 14 posts)

Posted 16 March 2012 - 05:25 PM

I guess you can't help me since I had a problem with your damn paste clipboard.

#6 screen317 (MBAM Sentinel, Moderators, 19,486 posts, New Haven, CT)

Posted 17 March 2012 - 01:16 AM

I guess you can't help me since I had a problem with your damn paste clipboard.

What are you talking about? I can see your post fine. Please don't get angry.......



Please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


-screen317
Chris Fistonich
Research Team


#7 kennyf (New Member, 14 posts)

Posted 17 March 2012 - 09:59 AM

OK - here they are:

ComboFix 12-03-16.03 - Kenny 03/17/2012 9:45.4.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4091.2779 [GMT -5:00]
Running from: c:\users\Kenny\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-17 to 2012-03-17 )))))))))))))))))))))))))))))))
.
.
2012-03-17 14:49 . 2012-03-17 14:49 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-03-17 14:49 . 2012-03-17 14:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-16 23:58 . 2012-02-08 04:14 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BB3AC9A4-B31E-4A41-B545-21E2C9DC3A78}\mpengine.dll
2012-03-16 22:06 . 2012-03-16 22:07 -------- d-----w- c:\programdata\SecTaskMan
2012-03-16 22:02 . 2012-03-16 22:05 -------- dc-h--w- c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-03-16 22:01 . 2012-03-16 22:01 -------- d-----w- c:\users\Kenny\AppData\Local\PackageAware
2012-03-16 19:58 . 2012-03-16 19:58 -------- d-----w- c:\users\Kenny\AppData\Roaming\LucasArts
2012-03-16 16:23 . 2012-03-16 16:24 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-16 16:23 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-16 12:12 . 2012-03-16 12:12 -------- d-----w- c:\windows\SysWow64\3021
2012-03-15 02:39 . 2012-03-15 02:39 -------- d-----w- c:\program files\Oracle
2012-03-15 02:38 . 2012-01-10 18:28 750488 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-03-15 02:38 . 2012-01-10 18:28 660368 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-15 02:37 . 2012-03-15 02:38 -------- d-----w- c:\program files\Java
2012-03-14 10:52 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-14 10:52 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-14 10:52 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-14 09:32 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 09:32 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-14 09:32 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 09:29 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-14 09:29 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-14 09:29 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-14 09:29 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-14 09:29 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-14 09:29 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 09:29 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-12 20:42 . 2012-03-12 20:42 -------- d-----w- c:\users\Kenny\AppData\Roaming\Malwarebytes
2012-03-12 19:44 . 2012-03-12 19:44 -------- d-----w- c:\program files\Enigma Software Group
2012-03-12 19:43 . 2012-03-12 20:11 -------- d-----w- c:\windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP
2012-03-12 12:23 . 2012-03-12 12:23 -------- d-----w- c:\users\Kenny\AppData\Local\Threat Expert
2012-03-12 12:07 . 2012-03-12 12:07 -------- d-----w- c:\program files (x86)\PC Tools
2012-03-12 12:05 . 2012-03-12 20:24 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2012-03-12 12:05 . 2012-02-24 15:36 230952 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2012-03-12 12:04 . 2012-03-12 12:36 -------- d-----w- c:\programdata\PC Tools
2012-03-12 02:49 . 2012-03-12 02:49 -------- d-----w- c:\windows\Downloaded Installations
2012-03-11 23:07 . 2012-02-08 04:14 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-11 22:33 . 2012-03-11 22:43 -------- d-----w- c:\programdata\SpeedyPC Software
2012-03-11 22:04 . 2012-03-11 22:04 39184 ----a-w- c:\windows\system32\Partizan.exe
2012-03-11 21:55 . 2012-03-15 02:52 2 --shatr- c:\windows\winstart.bat
2012-03-11 19:33 . 2012-03-11 19:32 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E3688C9F-6EBA-48AD-8376-27B33CC3ACB2}\gapaengine.dll
2012-03-11 19:32 . 2012-03-11 19:32 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-03-11 19:31 . 2012-03-11 19:32 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-11 18:24 . 2012-03-11 18:24 -------- d-----w- c:\program files (x86)\Trend Micro
2012-03-11 04:29 . 2012-03-11 04:29 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-11 04:09 . 2012-03-11 04:09 -------- d-----w- c:\programdata\Malwarebytes
2012-03-10 18:17 . 2012-03-10 18:17 -------- d-----w- c:\programdata\NVIDIA
2012-03-10 18:17 . 2012-02-10 03:14 6074176 ----a-w- c:\windows\system32\nvcpl.dll
2012-03-10 18:17 . 2012-02-10 03:14 3089728 ----a-w- c:\windows\system32\nvsvc64.dll
2012-03-10 18:17 . 2012-02-10 03:07 2561856 ----a-w- c:\windows\system32\nvsvcr.dll
2012-03-10 18:17 . 2012-02-10 03:07 889664 ----a-w- c:\windows\system32\nvvsvc.exe
2012-03-10 18:17 . 2012-02-10 03:07 63296 ----a-w- c:\windows\system32\nvshext.dll
2012-03-10 18:17 . 2012-02-10 03:07 118080 ----a-w- c:\windows\system32\nvmctray.dll
2012-03-10 01:23 . 2012-03-01 19:21 8643640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{13BE0816-07C1-44AD-8B7A-734327D20984}\mpengine.dll
2012-03-09 14:11 . 2012-03-16 12:12 -------- d-----w- c:\windows\SysWow64\2055
2012-03-09 14:10 . 2012-03-09 14:10 -------- d-----w- c:\windows\SysWow64\2002
2012-03-08 03:37 . 2012-03-08 03:37 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-03-05 03:29 . 2012-03-05 03:29 -------- d-----w- c:\users\Kenny\AppData\Roaming\Elephant Games
2012-03-05 03:27 . 2012-03-09 17:34 -------- d-----w- c:\program files (x86)\Games
2012-02-26 17:38 . 2012-01-17 12:45 72512 ----a-w- c:\windows\system32\nvapo64v.dll
2012-02-26 17:38 . 2012-01-17 12:45 1451840 ----a-w- c:\windows\system32\nvhdagenco6420103.dll
2012-02-26 17:38 . 2012-01-17 12:46 31040 ----a-w- c:\windows\system32\nvhdap64.dll
2012-02-26 17:38 . 2012-01-17 12:45 188224 ----a-w- c:\windows\system32\drivers\nvhda64v.sys
2012-02-26 17:38 . 2012-03-10 18:17 -------- d-----w- c:\program files\NVIDIA Corporation
2012-02-26 17:37 . 2012-02-26 17:37 -------- d-----w- C:\NVIDIA
2012-02-24 12:07 . 1999-11-10 18:05 86016 ----a-w- c:\windows\unvise32qt.exe
2012-02-20 03:32 . 2012-02-20 03:32 -------- d-----w- c:\programdata\Tages
2012-02-19 23:40 . 2012-02-19 23:40 -------- d-----w- c:\windows\en
2012-02-19 23:38 . 2012-02-19 23:38 -------- d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2012-02-19 23:38 . 2012-03-10 23:40 -------- dc----w- c:\windows\system32\DRVSTORE
2012-02-19 23:37 . 2012-02-19 23:37 15712 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\6fd86fea1ccef5f01\MeshBetaRemover.exe
2012-02-19 23:25 . 2012-02-19 23:47 -------- d-----w- c:\program files\Windows Live
2012-02-19 23:11 . 2012-02-29 23:30 -------- d-----w- c:\program files\CCleaner
2012-02-19 23:09 . 2012-02-19 23:09 -------- d-----w- c:\program files\7-Zip
2012-02-17 12:23 . 2012-02-17 12:23 -------- d-----w- c:\program files (x86)\Guild Wars
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-15 03:36 . 2011-09-19 15:53 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-23 15:18 . 2011-09-19 16:00 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-03 12:00 . 2012-02-03 12:00 164992 ----a-w- c:\windows\SysWow64\drivers\athsgt.sys
2012-02-03 12:00 . 2012-02-03 12:00 12544 ----a-w- c:\windows\SysWow64\drivers\limsgt.sys
2012-01-04 10:44 . 2012-02-15 11:52 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-01-04 08:58 . 2012-02-15 11:52 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2011-12-31 23:19 . 2011-10-13 11:23 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-31 23:19 . 2011-10-13 11:23 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-12-31 23:19 . 2011-10-13 11:23 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2011-12-31 23:19 . 2011-10-13 11:23 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2011-12-30 06:26 . 2012-02-15 11:52 515584 ----a-w- c:\windows\system32\timedate.cpl
2011-12-30 05:27 . 2012-02-15 11:52 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2011-12-28 03:59 . 2012-02-15 11:52 498688 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{0F802439-432B-1C45-7CD3-59DE607400C2}]
2009-07-14 01:11 73728 ----a-w- c:\windows\SysWOW64\KBDDCAN.DLL
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{2E90012A-40C7-6932-71FF-6EB3583B4BEB}]
2011-06-11 07:58 73728 ----a-w- c:\windows\SysWOW64\mffc100enu.dll
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 1394hub;1394 Enabled Hub;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.352.0\SeaPort.exe [2012-01-21 240408]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 hexmagic;hexmagic;c:\windows\system32\drivers\hexmagic.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 netr7364;RT73 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.352.0\BBSvc.exe [2012-01-21 192792]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2mdx64.sys [x]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sdx64.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-16 c:\windows\Tasks\At1.job
- c:\windows\SysWOW64\reeg.exe [2009-07-13 01:14]
.
2012-03-16 c:\windows\Tasks\At2.job
- c:\windows\SysWOW64\taasklist.exe [2009-07-13 01:14]
.
.
--------- x86-64 -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.cbsnews.com/?ocid=MIE8MSNB/
mLocal Page = c:\windows\system32\blank.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3974904213-1714037821-1548854753-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (S-1-5-21-3974904213-1714037821-1548854753-1001)
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3974904213-1714037821-1548854753-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (S-1-5-21-3974904213-1714037821-1548854753-1001)
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-3974904213-1714037821-1548854753-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:de,c3,8d,0f,b5,ef,fe,33,23,9c,d6,63,2d,f7,42,f2,bb,d6,3b,49,9a,ed,77,
84,dd,84,45,e8,ac,28,db,3f,96,8f,50,06,e6,d5,85,5a,61,d1,19,7f,24,e6,53,2a,\
"??"=hex:1b,5c,00,6c,19,29,b6,60,a7,81,26,f9,6d,5e,cb,bb
.
[HKEY_USERS\S-1-5-21-3974904213-1714037821-1548854753-1001\Software\SecuROM\License information*]
"datasecu"=hex:30,d1,14,ac,0d,c6,af,15,6b,19,cf,47,74,9b,89,bf,19,50,34,0c,b4,
69,50,af,26,b1,00,c1,a4,17,00,89,ca,74,00,94,ce,ad,fb,7d,45,05,a0,6c,1f,f4,\
"rkeysecu"=hex:05,34,13,a2,22,06,63,9f,9d,7d,81,00,92,99,7c,60
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\09\05\17\0e\0b\06?"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-17 09:54:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-17 14:54
.
Pre-Run: 229,692,833,792 bytes free
Post-Run: 229,483,610,112 bytes free
.
- - End Of File - - B5DE878AB390CE3F35EA02A21708A856

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Kenny at 9:56:27 on 2012-03-17
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4091.2508 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BBSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Security Client\msseces.exe
c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\SeaPort.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingApp.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingBar.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingSurrogate.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingSurrogate.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingSurrogate.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingSurrogate.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cbsnews.com/?ocid=MIE8MSNB/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Groove Folder Synchronization: {0f802439-432b-1c45-7cd3-59de607400c2} - C:\Windows\SysWOW64\KBDDCAN.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Adobe PDF Link Helper: {2e90012a-40c7-6932-71ff-6eb3583b4beb} - C:\Windows\SysWow64\mffc100enu.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingExt.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingExt.dll"
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{037AEAC4-C825-4164-8D9F-487EA929E4E3} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{23186FDD-D6B1-418E-8FCD-806ABA5FA22A} : DhcpNameServer = 75.75.76.76 75.75.75.75
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Groove Folder Synchronization: {0F802439-432B-1C45-7CD3-59DE607400C2} - C:\Windows\SysWOW64\KBDDCAN.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Adobe PDF Link Helper: {2E90012A-40C7-6932-71FF-6EB3583B4BEB} - C:\Windows\SysWow64\mffc100enu.dll
BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingExt.dll
BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingExt.dll"
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BBSvc.EXE [2012-1-21 192792]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-3-16 652360]
R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\SeaPort.EXE [2012-1-21 240408]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 O2MDRDR;O2MDRDR;C:\Windows\system32\DRIVERS\o2mdx64.sys --> C:\Windows\system32\DRIVERS\o2mdx64.sys [?]
R3 O2SDRDR;O2SDRDR;C:\Windows\system32\DRIVERS\o2sdx64.sys --> C:\Windows\system32\DRIVERS\o2sdx64.sys [?]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 netr7364;RT73 USB Extensible Wireless LAN Card Driver;C:\Windows\system32\DRIVERS\netr7364.sys --> C:\Windows\system32\DRIVERS\netr7364.sys [?]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-03-17 14:50:33 -------- d-----w- C:\$RECYCLE.BIN
2012-03-16 23:58:40 8643640 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{BB3AC9A4-B31E-4A41-B545-21E2C9DC3A78}\mpengine.dll
2012-03-16 22:39:50 -------- d-----w- C:\Users\Kenny\AppData\Local\{08FC4607-8048-41AC-87AF-4AF33648EC89}
2012-03-16 22:39:28 -------- d-----w- C:\Users\Kenny\AppData\Local\{B693081E-7EEB-44C4-BF21-C7CEC08F0469}
2012-03-16 22:06:56 -------- d-----w- C:\ProgramData\SecTaskMan
2012-03-16 22:02:24 -------- dc-h--w- C:\ProgramData\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-03-16 22:01:53 -------- d-----w- C:\Users\Kenny\AppData\Local\PackageAware
2012-03-16 19:58:03 -------- d-----w- C:\Users\Kenny\AppData\Roaming\LucasArts
2012-03-16 16:23:56 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-16 16:23:56 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-16 12:12:10 -------- d-----w- C:\Windows\SysWow64\3021
2012-03-16 01:11:10 -------- d-----w- C:\Users\Kenny\AppData\Local\{51899782-9439-4CB4-BE42-4A32F56CEF43}
2012-03-16 01:11:01 -------- d-----w- C:\Users\Kenny\AppData\Local\{64E5471A-D587-4525-93E3-1C85D93B4F39}
2012-03-15 02:39:22 -------- d-----w- C:\Program Files\Oracle
2012-03-15 02:38:51 750488 ----a-w- C:\Windows\System32\npdeployJava1.dll
2012-03-15 02:38:51 660368 ----a-w- C:\Windows\System32\deployJava1.dll
2012-03-14 22:23:52 98816 ----a-w- C:\Windows\sed.exe
2012-03-14 22:23:52 518144 ----a-w- C:\Windows\SWREG.exe
2012-03-14 22:23:52 256000 ----a-w- C:\Windows\PEV.exe
2012-03-14 22:23:52 208896 ----a-w- C:\Windows\MBR.exe
2012-03-14 10:52:53 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-14 10:52:52 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-14 10:52:52 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-14 09:32:11 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-03-14 09:32:11 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-03-14 09:32:11 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-03-14 09:29:31 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-14 09:29:31 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-03-14 09:29:31 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-03-14 09:29:30 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-14 09:29:30 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-03-14 09:29:29 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-14 09:29:26 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-12 20:42:29 -------- d-----w- C:\Users\Kenny\AppData\Roaming\Malwarebytes
2012-03-12 19:44:09 -------- d-----w- C:\Program Files\Enigma Software Group
2012-03-12 19:43:10 -------- d-----w- C:\Windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP
2012-03-12 12:23:51 -------- d-----w- C:\Users\Kenny\AppData\Local\Threat Expert
2012-03-12 12:07:34 -------- d-----w- C:\Program Files (x86)\PC Tools
2012-03-12 12:05:17 230952 ----a-w- C:\Windows\System32\drivers\PCTSD64.sys
2012-03-12 12:05:17 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2012-03-12 12:04:57 -------- d-----w- C:\ProgramData\PC Tools
2012-03-12 02:49:59 -------- d-----w- C:\Windows\Downloaded Installations
2012-03-11 23:07:42 8643640 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-11 22:33:43 -------- d-----w- C:\ProgramData\SpeedyPC Software
2012-03-11 22:04:33 39184 ----a-w- C:\Windows\System32\Partizan.exe
2012-03-11 21:55:36 2 --shatr- C:\Windows\winstart.bat
2012-03-11 19:33:04 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E3688C9F-6EBA-48AD-8376-27B33CC3ACB2}\gapaengine.dll
2012-03-11 19:32:00 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-03-11 19:31:58 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-03-11 18:24:27 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-03-11 04:29:48 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-03-11 04:09:38 -------- d-----w- C:\ProgramData\Malwarebytes
2012-03-10 18:17:16 889664 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-03-10 18:17:16 63296 ----a-w- C:\Windows\System32\nvshext.dll
2012-03-10 18:17:16 6074176 ----a-w- C:\Windows\System32\nvcpl.dll
2012-03-10 18:17:16 3089728 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-03-10 18:17:16 2561856 ----a-w- C:\Windows\System32\nvsvcr.dll
2012-03-10 18:17:16 118080 ----a-w- C:\Windows\System32\nvmctray.dll
2012-03-10 01:23:48 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{13BE0816-07C1-44AD-8B7A-734327D20984}\mpengine.dll
2012-03-09 14:11:03 -------- d-----w- C:\Windows\SysWow64\2055
2012-03-09 14:10:37 -------- d-----w- C:\Windows\SysWow64\2002
2012-03-08 03:52:35 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-03-08 03:37:58 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2012-03-05 03:29:54 -------- d-----w- C:\Users\Kenny\AppData\Roaming\Elephant Games
2012-03-05 03:27:25 -------- d-----w- C:\Program Files (x86)\Games
2012-02-26 17:38:42 72512 ----a-w- C:\Windows\System32\nvapo64v.dll
2012-02-26 17:38:42 1451840 ----a-w- C:\Windows\System32\nvhdagenco6420103.dll
2012-02-26 17:38:41 31040 ----a-w- C:\Windows\System32\nvhdap64.dll
2012-02-26 17:38:41 188224 ----a-w- C:\Windows\System32\drivers\nvhda64v.sys
2012-02-26 17:38:22 -------- d-----w- C:\Program Files\NVIDIA Corporation
2012-02-26 17:37:48 -------- d-----w- C:\NVIDIA
2012-02-24 12:07:10 86016 ----a-w- C:\Windows\unvise32qt.exe
2012-02-20 03:32:07 -------- d-----w- C:\ProgramData\Tages
2012-02-19 23:40:47 -------- d-----w- C:\Windows\en
2012-02-19 23:38:58 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-02-19 23:37:26 15712 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\6fd86fea1ccef5f01\MeshBetaRemover.exe
2012-02-19 23:11:49 -------- d-----w- C:\Program Files\CCleaner
2012-02-17 12:23:06 -------- d-----w- C:\Program Files (x86)\Guild Wars
.
==================== Find3M ====================
.
2012-03-15 03:36:22 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-23 15:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-03 12:00:14 164992 ----a-w- C:\Windows\SysWow64\drivers\athsgt.sys
2012-02-03 12:00:11 12544 ----a-w- C:\Windows\SysWow64\drivers\limsgt.sys
2012-01-04 10:44:20 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-01-04 08:58:41 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2011-12-31 23:19:13 466456 ----a-w- C:\Windows\System32\wrap_oal.dll
2011-12-31 23:19:13 444952 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2011-12-31 23:19:13 122904 ----a-w- C:\Windows\System32\OpenAL32.dll
2011-12-31 23:19:13 109080 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2011-12-30 06:26:08 515584 ----a-w- C:\Windows\System32\timedate.cpl
2011-12-30 05:27:56 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2011-12-28 03:59:24 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
.
============= FINISH: 9:56:52.96 ===============

#8 screen317

screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 18 March 2012 - 07:22 PM

Please go to VirusTotal, and upload the following file(s) for analysis:
c:\windows\SysWOW64\taasklist.exe
c:\windows\SysWOW64\reeg.exe


Post the results in your reply.


Also zip up that file and attach it to your reply.
Chris Fistonich
Research Team


#9 kennyf

kennyf

    New Member

  • Members
  • 14 posts

Posted 18 March 2012 - 08:05 PM

Ok, here they are:

SHA256: b4e4d63453ea5fbae38f3a44a325935a2575b0feb1607bc606414611d02d9344
SHA1: 323ef205076a82caaace9a19cf48b5e223350450
MD5: 371d2fcf751d9c2e3608a5e1c7c88828
File size: 44.0 KB ( 45056 bytes )
File name: C:\Windows\SysWOW64\taasklist.exe
File type: Win32 EXE
Detection ratio: 0 / 43
Analysis date: 2012-03-19 00:59:05 UTC ( 0 minutes ago )

Antivirus              Result  Update
AhnLab-V3              -       20120318
AntiVir                -       20120318
Antiy-AVL              -       20120318
Avast                  -       20120317
AVG                    -       20120318
BitDefender            -       20120318
ByteHero               -       20120316
CAT-QuickHeal          -       20120318
ClamAV                 -       20120318
Commtouch              -       20120318
Comodo                 -       20120318
DrWeb                  -       20120319
Emsisoft               -       20120319
eSafe                  -       20120315
eTrust-Vet             -       20120316
F-Prot                 -       20120318
F-Secure               -       20120318
Fortinet               -       20120318
GData                  -       20120319
Ikarus                 -       20120318
Jiangmin               -       20120318
K7AntiVirus            -       20120316
Kaspersky              -       20120319
McAfee                 -       20120318
McAfee-GW-Edition      -       20120319
Microsoft              -       20120318
NOD32                  -       20120319
Norman                 -       20120318
nProtect               -       20120318
Panda                  -       20120318
PCTools                -       20120314
Prevx                  -       20120319
Rising                 -       20120316
Sophos                 -       20120318
SUPERAntiSpyware       -       20120317
Symantec               -       20120319
TheHacker              -       20120318
TrendMicro             -       20120318
TrendMicro-HouseCall   -       20120318
VBA32                  -       20120316
VIPRE                  -       20120318
ViRobot                -       20120318
VirusBuster            -       20120319

ssdeep
768:Cu+zWb2IHKZG8VF/ea0CL+3w02Z3DljL9GR1DT:j+LIeGkZexCL+3wXZ3TwDT
TrID
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)

ExifTool

MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
MachineType..............: Intel 386 or later, and compatibles
TimeStamp................: 2012:01:16 22:16:36+01:00
FileType.................: Win32 EXE
PEType...................: PE32
CodeSize.................: 28672
LinkerVersion............: 7.1
EntryPoint...............: 0x2a19
InitializedDataSize......: 16384
SubsystemVersion.........: 4.0
ImageVersion.............: 0.0
OSVersion................: 4.0
UninitializedDataSize....: 0

Portable Executable structural information

PE Sections...................:

Name    Virtual Address  Virtual Size  Raw Size  Entropy  MD5
.text   4096             28162         28672     6.57     ed27aeab3cd856e35f52e2a5f6f19dfd
.rdata  32768            6820          8192      4.36     6c31e8c3b3cdc5d14c9e1a8fd48be52b
.data   40960            4472          4096      1.54     edaa143f7fc53c8795b7839bcc912109

PE Imports....................:

ADVAPI32.dll
RegQueryValueExA, RegCloseKey, RegOpenKeyExA

KERNEL32.dll
LoadLibraryA, GetProcAddress, GetVersionExA, lstrlenA, GetLocalTime, FreeLibrary, RtlUnwind, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, HeapFree, TlsAlloc, SetLastError, GetCurrentThreadId, GetLastError, TlsFree, TlsSetValue, TlsGetValue, HeapAlloc, ExitProcess, TerminateProcess, GetCurrentProcess, WriteFile, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, HeapDestroy, HeapCreate, VirtualFree, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetACP, GetOEMCP, GetCPInfo, InterlockedExchange, VirtualQuery, InitializeCriticalSection, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW, HeapSize, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, VirtualProtect, GetSystemInfo
First seen by VirusTotal
2012-01-21 20:49:02 UTC ( 1 month, 3 weeks ago )
Last seen by VirusTotal
2012-03-19 00:59:05 UTC ( 1 minute ago )
File names (max. 25)
  • C:\Windows\SysWOW64\taasklist.exe
  • C:\Windows\SysWOW64\reeg.exe
  • C:\Windows\SysWOW64\taasklist.exe
  • C:\Windows\SysWOW64\reeg.exe
  • WBADMIIN.EXE
  • WBADMIIN.EXE
  • DRIVEERQUERY.EXE
  • SCC.EXE
  • 2
  • file-3603596_exe
  • vercllsid.exe
  • conntrol.exe.org
  • SCC.EXE
  • NETSSH.EXE
  • DBFD5B6800987013B05A00C7FD7438003C0341A7.exe
  • MRINFFO.EXE

SHA256: b4e4d63453ea5fbae38f3a44a325935a2575b0feb1607bc606414611d02d9344
SHA1: 323ef205076a82caaace9a19cf48b5e223350450
MD5: 371d2fcf751d9c2e3608a5e1c7c88828
File size: 44.0 KB ( 45056 bytes )
File name: C:\Windows\SysWOW64\reeg.exe
File type: Win32 EXE
Detection ratio: 0 / 43
Analysis date: 2012-03-19 01:03:23 UTC ( 0 minutes ago )

Antivirus              Result  Update
AhnLab-V3              -       20120318
AntiVir                -       20120318
Antiy-AVL              -       20120318
Avast                  -       20120317
AVG                    -       20120318
BitDefender            -       20120318
ByteHero               -       20120316
CAT-QuickHeal          -       20120318
ClamAV                 -       20120318
Commtouch              -       20120318
Comodo                 -       20120318
DrWeb                  -       20120319
Emsisoft               -       20120319
eSafe                  -       20120315
eTrust-Vet             -       20120316
F-Prot                 -       20120318
F-Secure               -       20120318
Fortinet               -       20120318
GData                  -       20120318
Ikarus                 -       20120318
Jiangmin               -       20120318
K7AntiVirus            -       20120316
Kaspersky              -       20120319
McAfee                 -       20120318
McAfee-GW-Edition      -       20120319
Microsoft              -       20120318
NOD32                  -       20120319
Norman                 -       20120318
nProtect               -       20120318
Panda                  -       20120318
PCTools                -       20120314
Prevx                  -       20120319
Rising                 -       20120316
Sophos                 -       20120319
SUPERAntiSpyware       -       20120317
Symantec               -       20120318
TheHacker              -       20120318
TrendMicro             -       20120318
TrendMicro-HouseCall   -       20120318
VBA32                  -       20120316
VIPRE                  -       20120318
ViRobot                -       20120318
VirusBuster            -       20120319

ssdeep
768:Cu+zWb2IHKZG8VF/ea0CL+3w02Z3DljL9GR1DT:j+LIeGkZexCL+3wXZ3TwDT
TrID
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)

ExifTool

MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
MachineType..............: Intel 386 or later, and compatibles
TimeStamp................: 2012:01:16 22:16:36+01:00
FileType.................: Win32 EXE
PEType...................: PE32
CodeSize.................: 28672
LinkerVersion............: 7.1
EntryPoint...............: 0x2a19
InitializedDataSize......: 16384
SubsystemVersion.........: 4.0
ImageVersion.............: 0.0
OSVersion................: 4.0
UninitializedDataSize....: 0

Portable Executable structural information

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 28162 28672 6.57 ed27aeab3cd856e35f52e2a5f6f19dfd
.rdata 32768 6820 8192 4.36 6c31e8c3b3cdc5d14c9e1a8fd48be52b
.data 40960 4472 4096 1.54 edaa143f7fc53c8795b7839bcc912109

PE Imports....................:

ADVAPI32.dll
RegQueryValueExA, RegCloseKey, RegOpenKeyExA

KERNEL32.dll
LoadLibraryA, GetProcAddress, GetVersionExA, lstrlenA, GetLocalTime, FreeLibrary, RtlUnwind, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, HeapFree, TlsAlloc, SetLastError, GetCurrentThreadId, GetLastError, TlsFree, TlsSetValue, TlsGetValue, HeapAlloc, ExitProcess, TerminateProcess, GetCurrentProcess, WriteFile, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, HeapDestroy, HeapCreate, VirtualFree, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetACP, GetOEMCP, GetCPInfo, InterlockedExchange, VirtualQuery, InitializeCriticalSection, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW, HeapSize, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, VirtualProtect, GetSystemInfo
First seen by VirusTotal
2012-01-21 20:49:02 UTC ( 1 month, 3 weeks ago )
Last seen by VirusTotal
2012-03-19 00:59:05 UTC ( 1 minute ago )
File names (max. 25)
  • C:\Windows\SysWOW64\taasklist.exe
  • C:\Windows\SysWOW64\reeg.exe
  • C:\Windows\SysWOW64\taasklist.exe
  • C:\Windows\SysWOW64\reeg.exe
  • WBADMIIN.EXE
  • WBADMIIN.EXE
  • DRIVEERQUERY.EXE
  • SCC.EXE
  • 2
  • file-3603596_exe
  • vercllsid.exe
  • conntrol.exe.org
  • SCC.EXE
  • NETSSH.EXE
  • DBFD5B6800987013B05A00C7FD7438003C0341A7.exe
  • MRINFFO.EXE


#10 screen317

screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 21 March 2012 - 06:31 PM

Hi,

My apologies for the delay.

Please go to VirusTotal, and upload the following file(s) for analysis:
c:\windows\SysWOW64\KBDDCAN.DLL
c:\windows\SysWOW64\mffc100enu.dll


Post the results in your reply.


Also zip up that file and attach it to your reply.


Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.


Next, please open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the box below into Notepad:

AtJob::

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new DDS log.


-screen317
Chris Fistonich
Research Team


#11 kennyf

kennyf

    New Member

  • Members
  • 14 posts

Posted 21 March 2012 - 07:54 PM

Ok


SHA256: 13b94170474d864e31e803cb3e7a1e75508d33f665ad8f02a5462258c78f7297
SHA1: 96ca07dd648892a6e3c120776bafda0c741ac018
MD5: 8b53a5bd8af3c7eecc424cf2489cdfd1
File size: 72.0 KB ( 73728 bytes )
File name: C:\Windows\SysWOW64\KBDDCAN.DLL
File type: Win32 DLL
Detection ratio: 0 / 43
Analysis date: 2012-03-22 00:19:06 UTC ( 1 minute ago )

Antivirus              Result  Update
AhnLab-V3              -       20120321
AntiVir                -       20120321
Antiy-AVL              -       20120321
Avast                  -       20120320
AVG                    -       20120321
BitDefender            -       20120321
ByteHero               -       20120319
CAT-QuickHeal          -       20120321
ClamAV                 -       20120321
Commtouch              -       20120321
Comodo                 -       20120321
DrWeb                  -       20120321
Emsisoft               -       20120321
eSafe                  -       20120321
eTrust-Vet             -       20120321
F-Prot                 -       20120321
F-Secure               -       20120322
Fortinet               -       20120321
GData                  -       20120321
Ikarus                 -       20120321
Jiangmin               -       20120321
K7AntiVirus            -       20120321
Kaspersky              -       20120322
McAfee                 -       20120322
McAfee-GW-Edition      -       20120321
Microsoft              -       20120321
NOD32                  -       20120321
Norman                 -       20120321
nProtect               -       20120321
Panda                  -       20120321
PCTools                -       20120319
Prevx                  -       20120322
Rising                 -       20120321
Sophos                 -       20120321
SUPERAntiSpyware       -       20120322
Symantec               -       20120321
TheHacker              -       20120321
TrendMicro             -       20120321
TrendMicro-HouseCall   -       20120321
VBA32                  -       20120321
VIPRE                  -       20120321
ViRobot                -       20120321
VirusBuster            -       20120321

ssdeep
1536:E+R6LhFN7lqbWj66P6nWq1rIrCoMDuOlAs:ECchX7kSY1MbOlAs
TrID
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)

ExifTool

MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
MachineType..............: Intel 386 or later, and compatibles
TimeStamp................: 2012:01:16 22:13:19+01:00
FileType.................: Win32 DLL
PEType...................: PE32
CodeSize.................: 45056
LinkerVersion............: 7.1
EntryPoint...............: 0x4dbe
InitializedDataSize......: 45056
SubsystemVersion.........: 4.0
ImageVersion.............: 0.0
OSVersion................: 4.0
UninitializedDataSize....: 0
Portable Executable structural information

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 43494 45056 6.53 8379b61e95bea7d3f8f5702f16d15b3e
.rdata 49152 8656 12288 3.78 7fd87dcef8fcaec13020316203125bc0
.data 61440 23544 4096 3.53 687000e84ee4980d9071468282697f72
.reloc 86016 5284 8192 3.44 fcf1ebd3503d524de80de8f990001739

PE Imports....................:

ADVAPI32.dll
RegQueryValueExA, RegCloseKey, RegOpenKeyExA

KERNEL32.dll
GetVersionExA, MapViewOfFile, CreateFileMappingA, UnmapViewOfFile, FlushFileBuffers, InterlockedDecrement, WideCharToMultiByte, MultiByteToWideChar, LoadLibraryA, GetTickCount, GetLastError, LocalFree, GetProcAddress, FreeLibrary, lstrlenA, GetSystemInfo, VirtualProtect, GetCurrentProcessId, QueryPerformanceCounter, RtlUnwind, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCommandLineA, HeapFree, HeapAlloc, RaiseException, TlsAlloc, SetLastError, TlsFree, TlsSetValue, TlsGetValue, GetModuleHandleA, HeapReAlloc, ExitProcess, TerminateProcess, GetCurrentProcess, HeapSize, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, UnhandledExceptionFilter, WriteFile, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, IsBadWritePtr, InterlockedExchange, VirtualQuery, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetACP, GetOEMCP, GetCPInfo, InitializeCriticalSection, GetLocaleInfoA, GetStringTypeA, GetStringTypeW, LCMapStringA, LCMapStringW

OLEAUT32.dll
-, -, -


PE Exports....................:

DllCanUnloadNow, DllGetClassObject
First seen by VirusTotal
2012-01-21 20:48:22 UTC ( 2 months ago )
Last seen by VirusTotal
2012-03-22 00:07:53 UTC ( 12 minutes ago )
File names (max. 25)
1. C:\Windows\SysWOW64\mffc100enu.dll
2. C:\Windows\SysWOW64\KBDDCAN.DLL
3. IMMAGEHLP.DLL
4. NVWRSSFR.DLL
5. MIIGISOL.DLL
6. MIIGISOL.DLL
7. HTTPAPPI.DLL
8. CLBCATEEX.DLL
9. IASS.DLL
10. APPHELLP.DLL
11. 3
12. CSCAPPI.DLL
13. CSCAPPI.DLL
14. CSCAPPI.DLL
15. cmicryptinsttall.dll
16. SQQLWID.DLL
17. PKU22U.DLL
18. mfc100ddeu.dll
19. MQUUTIL.DLL
20. DRRT.DLL
21. KBDUUSR.DLL
22. 29E144CA00A02C49207B013EC693C300A60A0C1D.dll
23. ACTTXPRXY.DLL

SHA256: 13b94170474d864e31e803cb3e7a1e75508d33f665ad8f02a5462258c78f7297
SHA1: 96ca07dd648892a6e3c120776bafda0c741ac018
MD5: 8b53a5bd8af3c7eecc424cf2489cdfd1
File size: 72.0 KB ( 73728 bytes )
File name: C:\Windows\SysWOW64\mffc100enu.dll
File type: Win32 DLL
Detection ratio: 0 / 43
Analysis date: 2012-03-22 00:22:02 UTC ( 1 minute ago )

Antivirus              Result  Update
AhnLab-V3              -       20120321
AntiVir                -       20120321
Antiy-AVL              -       20120321
Avast                  -       20120320
AVG                    -       20120321
BitDefender            -       20120321
ByteHero               -       20120319
CAT-QuickHeal          -       20120321
ClamAV                 -       20120321
Commtouch              -       20120321
Comodo                 -       20120321
DrWeb                  -       20120321
Emsisoft               -       20120321
eSafe                  -       20120321
eTrust-Vet             -       20120321
F-Prot                 -       20120321
F-Secure               -       20120322
Fortinet               -       20120321
GData                  -       20120321
Ikarus                 -       20120321
Jiangmin               -       20120321
K7AntiVirus            -       20120321
Kaspersky              -       20120322
McAfee                 -       20120322
McAfee-GW-Edition      -       20120321
Microsoft              -       20120321
NOD32                  -       20120321
Norman                 -       20120321
nProtect               -       20120321
Panda                  -       20120321
PCTools                -       20120319
Prevx                  -       20120322
Rising                 -       20120321
Sophos                 -       20120321
SUPERAntiSpyware       -       20120322
Symantec               -       20120321
TheHacker              -       20120321
TrendMicro             -       20120321
TrendMicro-HouseCall   -       20120321
VBA32                  -       20120321
VIPRE                  -       20120321
ViRobot                -       20120321
VirusBuster            -       20120321

ssdeep
1536:E+R6LhFN7lqbWj66P6nWq1rIrCoMDuOlAs:ECchX7kSY1MbOlAs
TrID
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)

ExifTool

MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
MachineType..............: Intel 386 or later, and compatibles
TimeStamp................: 2012:01:16 22:13:19+01:00
FileType.................: Win32 DLL
PEType...................: PE32
CodeSize.................: 45056
LinkerVersion............: 7.1
EntryPoint...............: 0x4dbe
InitializedDataSize......: 45056
SubsystemVersion.........: 4.0
ImageVersion.............: 0.0
OSVersion................: 4.0
UninitializedDataSize....: 0
Portable Executable structural information

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.text 4096 43494 45056 6.53 8379b61e95bea7d3f8f5702f16d15b3e
.rdata 49152 8656 12288 3.78 7fd87dcef8fcaec13020316203125bc0
.data 61440 23544 4096 3.53 687000e84ee4980d9071468282697f72
.reloc 86016 5284 8192 3.44 fcf1ebd3503d524de80de8f990001739

PE Imports....................:

ADVAPI32.dll
RegQueryValueExA, RegCloseKey, RegOpenKeyExA

KERNEL32.dll
GetVersionExA, MapViewOfFile, CreateFileMappingA, UnmapViewOfFile, FlushFileBuffers, InterlockedDecrement, WideCharToMultiByte, MultiByteToWideChar, LoadLibraryA, GetTickCount, GetLastError, LocalFree, GetProcAddress, FreeLibrary, lstrlenA, GetSystemInfo, VirtualProtect, GetCurrentProcessId, QueryPerformanceCounter, RtlUnwind, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCommandLineA, HeapFree, HeapAlloc, RaiseException, TlsAlloc, SetLastError, TlsFree, TlsSetValue, TlsGetValue, GetModuleHandleA, HeapReAlloc, ExitProcess, TerminateProcess, GetCurrentProcess, HeapSize, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, UnhandledExceptionFilter, WriteFile, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, IsBadWritePtr, InterlockedExchange, VirtualQuery, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetACP, GetOEMCP, GetCPInfo, InitializeCriticalSection, GetLocaleInfoA, GetStringTypeA, GetStringTypeW, LCMapStringA, LCMapStringW

OLEAUT32.dll
-, -, -


PE Exports....................:

DllCanUnloadNow, DllGetClassObject
First seen by VirusTotal
2012-01-21 20:48:22 UTC ( 2 months ago )
Last seen by VirusTotal
2012-03-22 00:07:53 UTC ( 12 minutes ago )
File names (max. 25)
1. C:\Windows\SysWOW64\mffc100enu.dll
2. C:\Windows\SysWOW64\KBDDCAN.DLL
3. IMMAGEHLP.DLL
4. NVWRSSFR.DLL
5. MIIGISOL.DLL
6. MIIGISOL.DLL
7. HTTPAPPI.DLL
8. CLBCATEEX.DLL
9. IASS.DLL
10. APPHELLP.DLL
11. 3
12. CSCAPPI.DLL
13. CSCAPPI.DLL
14. CSCAPPI.DLL
15. cmicryptinsttall.dll
16. SQQLWID.DLL
17. PKU22U.DLL
18. mfc100ddeu.dll
19. MQUUTIL.DLL
20. DRRT.DLL
21. KBDUUSR.DLL
22. 29E144CA00A02C49207B013EC693C300A60A0C1D.dll
23. ACTTXPRXY.DLL

[color="#000000"]ComboFix 12-03-21.02 - Kenny 03/21/2012 19:32:41.5.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4091.2795 [GMT -5:00]
Running from: c:\users\Kenny\Desktop\ComboFix.exe
Command switches used :: c:\users\Kenny\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Kenny\AppData\Roaming\Local
c:\users\Kenny\AppData\Roaming\Local\FalloutNV\Fallout.ini
c:\users\Kenny\AppData\Roaming\Local\FalloutNV\FalloutPrefs.ini
c:\users\Kenny\AppData\Roaming\Local\FalloutNV\NVDLCList.txt
c:\users\Kenny\AppData\Roaming\Local\FalloutNV\plugins.txt
c:\users\Kenny\AppData\Roaming\Local\FalloutNV\RendererInfo.txt
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
.
.
((((((((((((((((((((((((( Files Created from 2012-02-22 to 2012-03-22 )))))))))))))))))))))))))))))))
.
.
2012-03-22 00:37 . 2012-03-22 00:37 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-03-22 00:37 . 2012-03-22 00:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-21 21:07 . 2012-03-14 03:27 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5A915995-60EE-434B-9FE2-166526F59D79}\mpengine.dll
2012-03-21 20:52 . 2009-07-14 01:14 45056 ----a-w- c:\windows\SysWow64\taasklist.exe
2012-03-21 20:52 . 2009-07-14 01:14 45056 ----a-w- c:\windows\SysWow64\reeg.exe
2012-03-21 20:11 . 2012-03-21 20:11 -------- d-----w- c:\windows\CheckSur
2012-03-21 11:20 . 2012-03-21 13:35 -------- d-----w- c:\programdata\Lavasoft
2012-03-19 20:05 . 2012-03-19 20:30 -------- d-----w- c:\users\Kenny\AppData\Roaming\DAEMON Tools Lite
2012-03-19 20:05 . 2012-03-19 20:05 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-03-19 19:53 . 2012-03-19 19:53 -------- d-----w- c:\programdata\NVIDIA
2012-03-19 19:53 . 2012-02-29 20:59 63296 ----a-w- c:\windows\system32\nvshext.dll
2012-03-19 19:53 . 2012-02-29 21:00 3089728 ----a-w- c:\windows\system32\nvsvc64.dll
2012-03-19 19:53 . 2012-02-29 21:00 6074176 ----a-w- c:\windows\system32\nvcpl.dll
2012-03-19 19:53 . 2012-02-29 20:59 889664 ----a-w- c:\windows\system32\nvvsvc.exe
2012-03-19 19:53 . 2012-02-29 20:59 2561856 ----a-w- c:\windows\system32\nvsvcr.dll
2012-03-19 19:53 . 2012-02-29 20:59 118080 ----a-w- c:\windows\system32\nvmctray.dll
2012-03-19 19:52 . 2012-03-19 19:52 -------- d-----w- c:\programdata\NVIDIA Corporation
2012-03-16 22:06 . 2012-03-16 22:07 -------- d-----w- c:\programdata\SecTaskMan
2012-03-16 16:23 . 2012-03-16 16:24 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-16 16:23 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-16 12:12 . 2012-03-16 12:12 -------- d-----w- c:\windows\SysWow64\3021
2012-03-15 02:39 . 2012-03-19 14:26 -------- d-----w- c:\program files\Oracle
2012-03-15 02:38 . 2012-01-10 18:28 750488 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-03-15 02:38 . 2012-01-10 18:28 660368 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-15 02:37 . 2012-03-15 02:38 -------- d-----w- c:\program files\Java
2012-03-14 10:52 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-14 10:52 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-14 10:52 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-14 09:32 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 09:32 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-14 09:32 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 09:29 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-14 09:29 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-14 09:29 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-14 09:29 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-14 09:29 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-14 09:29 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 09:29 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-12 20:42 . 2012-03-12 20:42 -------- d-----w- c:\users\Kenny\AppData\Roaming\Malwarebytes
2012-03-12 19:44 . 2012-03-12 19:44 -------- d-----w- c:\program files\Enigma Software Group
2012-03-12 19:43 . 2012-03-12 20:11 -------- d-----w- c:\windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP
2012-03-12 12:07 . 2012-03-12 12:07 -------- d-----w- c:\program files (x86)\PC Tools
2012-03-12 12:05 . 2012-03-12 20:24 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2012-03-12 12:05 . 2012-02-24 15:36 230952 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2012-03-12 12:04 . 2012-03-12 12:36 -------- d-----w- c:\programdata\PC Tools
2012-03-12 02:49 . 2012-03-12 02:49 -------- d-----w- c:\windows\Downloaded Installations
2012-03-11 23:07 . 2012-03-14 03:27 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-11 22:04 . 2012-03-11 22:04 39184 ----a-w- c:\windows\system32\Partizan.exe
2012-03-11 21:55 . 2012-03-15 02:52 2 --shatr- c:\windows\winstart.bat
2012-03-11 19:33 . 2012-03-11 19:32 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E3688C9F-6EBA-48AD-8376-27B33CC3ACB2}\gapaengine.dll
2012-03-11 19:32 . 2012-03-11 19:32 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-03-11 19:31 . 2012-03-11 19:32 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-11 18:24 . 2012-03-11 18:24 -------- d-----w- c:\program files (x86)\Trend Micro
2012-03-11 04:29 . 2012-03-11 04:29 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-11 04:09 . 2012-03-11 04:09 -------- d-----w- c:\programdata\Malwarebytes
2012-03-10 01:23 . 2012-03-01 19:21 8643640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{13BE0816-07C1-44AD-8B7A-734327D20984}\mpengine.dll
2012-03-09 14:11 . 2012-03-16 12:12 -------- d-----w- c:\windows\SysWow64\2055
2012-03-09 14:10 . 2012-03-09 14:10 -------- d-----w- c:\windows\SysWow64\2002
2012-03-08 03:37 . 2012-03-08 03:37 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-03-05 03:27 . 2012-03-09 17:34 -------- d-----w- c:\program files (x86)\Games
2012-02-26 17:38 . 2012-01-17 12:45 72512 ----a-w- c:\windows\system32\nvapo64v.dll
2012-02-26 17:38 . 2012-01-17 12:45 1451840 ----a-w- c:\windows\system32\nvhdagenco6420103.dll
2012-02-26 17:38 . 2012-01-17 12:46 31040 ----a-w- c:\windows\system32\nvhdap64.dll
2012-02-26 17:38 . 2012-01-17 12:45 188224 ----a-w- c:\windows\system32\drivers\nvhda64v.sys
2012-02-26 17:38 . 2012-03-19 19:53 -------- d-----w- c:\program files\NVIDIA Corporation
2012-02-26 17:37 . 2012-03-19 19:53 -------- d-----w- C:\NVIDIA
2012-02-24 12:07 . 1999-11-10 18:05 86016 ----a-w- c:\windows\unvise32qt.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-15 03:36 . 2011-09-19 15:53 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-23 15:18 . 2011-09-19 16:00 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-03 12:00 . 2012-02-03 12:00 164992 ----a-w- c:\windows\SysWow64\drivers\athsgt.sys
2012-02-03 12:00 . 2012-02-03 12:00 12544 ----a-w- c:\windows\SysWow64\drivers\limsgt.sys
2012-01-04 10:44 . 2012-02-15 11:52 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-01-04 08:58 . 2012-02-15 11:52 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2011-12-31 23:19 . 2011-10-13 11:23 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-31 23:19 . 2011-10-13 11:23 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-12-31 23:19 . 2011-10-13 11:23 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2011-12-31 23:19 . 2011-10-13 11:23 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2011-12-30 06:26 . 2012-02-15 11:52 515584 ----a-w- c:\windows\system32\timedate.cpl
2011-12-30 05:27 . 2012-02-15 11:52 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2011-12-28 03:59 . 2012-02-15 11:52 498688 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-17_14.50.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-03-10 18:16 . 2012-02-10 04:13 61248 c:\windows\SysWOW64\OpenCL.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 61248 c:\windows\SysWOW64\OpenCL.dll
+ 2009-07-14 04:54 . 2012-03-22 00:16 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-03-17 14:35 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-03-22 00:16 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-17 14:35 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-22 00:16 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-17 14:35 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-09-19 16:05 . 2012-03-21 20:56 43584 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-22 00:19 45812 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-09-19 15:51 . 2012-03-22 00:19 12714 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3974904213-1714037821-1548854753-1001_UserData.bin
- 2012-03-10 18:16 . 2012-02-10 04:13 68928 c:\windows\system32\OpenCL.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 68928 c:\windows\system32\OpenCL.dll
+ 2009-07-14 05:30 . 2012-03-19 20:29 86016 c:\windows\system32\DriverStore\infpub.dat
- 2009-07-14 05:30 . 2012-03-15 22:08 86016 c:\windows\system32\DriverStore\infpub.dat
- 2012-03-10 18:16 . 2012-01-17 12:46 31040 c:\windows\system32\DriverStore\FileRepository\nvhda.inf_amd64_neutral_6c95c0b9e91efef4\nvhdap64.dll
+ 2012-03-19 19:51 . 2012-01-17 12:46 31040 c:\windows\system32\DriverStore\FileRepository\nvhda.inf_amd64_neutral_6c95c0b9e91efef4\nvhdap64.dll
+ 2012-03-19 19:51 . 2012-01-17 12:45 72512 c:\windows\system32\DriverStore\FileRepository\nvhda.inf_amd64_neutral_6c95c0b9e91efef4\nvapo64v.dll
- 2012-03-10 18:16 . 2012-01-17 12:45 72512 c:\windows\system32\DriverStore\FileRepository\nvhda.inf_amd64_neutral_6c95c0b9e91efef4\nvapo64v.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 68928 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\OpenCL64.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 61248 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\OpenCL.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 28992 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvpciflt.sys
- 2011-09-19 15:24 . 2012-03-17 14:47 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-09-19 15:24 . 2012-03-21 23:58 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-09-19 15:24 . 2012-03-21 23:58 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-09-19 15:24 . 2012-03-17 14:47 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-21 23:58 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-17 14:47 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-03-18 23:17 . 2012-03-18 23:17 35328 c:\windows\Steam\steamapps\common\csi hard evidence\support\DirectX\DSETUP.dll
+ 2012-03-18 23:12 . 2012-03-18 23:12 41984 c:\windows\Steam\steamapps\common\csi hard evidence\support\DirectX\cfgmgr32.dll
- 2011-05-05 12:16 . 2012-03-16 13:57 71464 c:\windows\Steam\GameOverlayUI.exe
+ 2011-05-05 12:16 . 2012-03-21 15:07 71464 c:\windows\Steam\GameOverlayUI.exe
- 2011-05-05 12:16 . 2012-03-16 13:57 86824 c:\windows\Steam\bin\x64launcher.exe
+ 2011-05-05 12:16 . 2012-03-21 15:07 86824 c:\windows\Steam\bin\x64launcher.exe
- 2009-07-14 04:46 . 2012-03-14 12:17 94368 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 04:46 . 2012-03-22 00:21 94368 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2012-03-20 14:08 . 2012-03-20 14:08 28160 c:\windows\Installer\b414a9.msi
+ 2012-03-16 12:12 . 2012-03-19 01:08 7086 c:\windows\SysWOW64\3021\inf3021.dat
+ 2012-03-19 19:51 . 2012-03-01 00:02 4096 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvdetx.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 4096 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvdet.dll
+ 2012-03-22 00:38 . 2012-03-22 00:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-17 14:50 . 2012-03-17 14:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-17 14:50 . 2012-03-17 14:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-22 00:38 . 2012-03-22 00:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-03-17 14:39 662446 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-22 00:20 662446 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-03-17 14:39 122242 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-03-22 00:20 122242 c:\windows\system32\perfc009.dat
+ 2012-03-15 02:38 . 2012-03-15 02:38 264584 c:\windows\system32\javaws.exe
- 2012-03-17 14:49 . 2012-03-17 14:50 318448 c:\windows\system32\FNTCACHE.DAT
+ 2012-03-22 00:15 . 2012-03-22 00:15 318448 c:\windows\system32\FNTCACHE.DAT
+ 2009-07-14 05:30 . 2012-03-19 20:29 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2012-03-15 22:08 143360 c:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 05:30 . 2012-03-19 20:29 143360 c:\windows\system32\DriverStore\infstor.dat
- 2009-07-14 05:30 . 2012-03-15 22:08 143360 c:\windows\system32\DriverStore\infstor.dat
- 2012-03-10 18:16 . 2012-01-17 12:45 188224 c:\windows\system32\DriverStore\FileRepository\nvhda.inf_amd64_neutral_6c95c0b9e91efef4\nvhda64v.sys
+ 2012-03-19 19:51 . 2012-01-17 12:45 188224 c:\windows\system32\DriverStore\FileRepository\nvhda.inf_amd64_neutral_6c95c0b9e91efef4\nvhda64v.sys
+ 2012-03-19 19:51 . 2012-01-17 12:45 156480 c:\windows\system32\DriverStore\FileRepository\nvhda.inf_amd64_neutral_6c95c0b9e91efef4\nvhda64.sys
- 2012-03-10 18:16 . 2012-01-17 12:45 156480 c:\windows\system32\DriverStore\FileRepository\nvhda.inf_amd64_neutral_6c95c0b9e91efef4\nvhda64.sys
+ 2012-03-19 19:51 . 2012-03-01 00:02 962368 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvumdshimx.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 812352 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvumdshim.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 249152 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvkflt.sys
+ 2012-03-19 19:51 . 2012-03-01 00:02 260416 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvinitx.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 215360 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvinit.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 202752 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvdxgiwrapx.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 182080 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvdxgiwrap.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 325888 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvdrsdb.bin
+ 2012-03-19 19:51 . 2012-03-01 00:02 301376 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvdecodemft32.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 364352 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvdecodemft.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 261120 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\Nvd3d9wrapx.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 236352 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\Nvd3d9wrap.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 224064 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\dbInstaller.exe
+ 2009-07-14 05:12 . 2012-03-21 11:26 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 05:12 . 2012-03-17 14:47 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2011-05-05 12:16 . 2012-03-16 13:57 284456 c:\windows\Steam\WriteMiniDump.exe
+ 2011-05-05 12:16 . 2012-03-21 15:07 284456 c:\windows\Steam\WriteMiniDump.exe
+ 2011-05-05 12:16 . 2012-03-21 15:07 721192 c:\windows\Steam\vstdlib_s64.dll
- 2011-05-05 12:16 . 2012-03-16 13:57 721192 c:\windows\Steam\vstdlib_s64.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 444200 c:\windows\Steam\vstdlib_s.dll
- 2011-05-05 12:16 . 2012-03-16 13:57 444200 c:\windows\Steam\vstdlib_s.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 347944 c:\windows\Steam\tier0_s64.dll
- 2011-05-05 12:16 . 2012-03-16 13:57 347944 c:\windows\Steam\tier0_s64.dll
- 2011-05-05 12:16 . 2012-03-16 13:57 272168 c:\windows\Steam\tier0_s.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 272168 c:\windows\Steam\tier0_s.dll
- 2011-05-05 12:16 . 2012-03-16 13:57 210728 c:\windows\Steam\steamerrorreporter.exe
+ 2011-05-05 12:16 . 2012-03-21 15:07 210728 c:\windows\Steam\steamerrorreporter.exe
+ 2012-03-18 23:21 . 2012-03-18 23:21 163840 c:\windows\Steam\steamapps\common\csi hard evidence\um.dll
+ 2012-03-18 23:07 . 2012-03-18 23:07 341264 c:\windows\Steam\steamapps\common\csi hard evidence\support\DirectX\setupapi.dll
+ 2012-03-18 23:07 . 2012-03-18 23:07 140288 c:\windows\Steam\steamapps\common\csi hard evidence\support\DirectX\dxsetup.exe
+ 2012-03-18 23:17 . 2012-03-18 23:17 962560 c:\windows\Steam\steamapps\common\csi hard evidence\Register\RegistrationReminder.exe
+ 2012-03-18 23:15 . 2012-03-18 23:15 193024 c:\windows\Steam\steamapps\common\csi hard evidence\binkw32.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 780584 c:\windows\Steam\GameOverlayRenderer64.dll
- 2011-05-05 12:16 . 2012-03-16 13:57 780584 c:\windows\Steam\GameOverlayRenderer64.dll
- 2011-05-05 12:16 . 2012-03-16 13:57 595752 c:\windows\Steam\GameOverlayRenderer.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 595752 c:\windows\Steam\GameOverlayRenderer.dll
- 2011-05-05 12:16 . 2012-03-16 13:57 122864 c:\windows\Steam\CSERHelper.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 122864 c:\windows\Steam\CSERHelper.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 321320 c:\windows\Steam\crashhandler.dll
- 2011-05-05 12:16 . 2012-03-16 13:57 321320 c:\windows\Steam\crashhandler.dll
- 2011-06-09 12:55 . 2012-03-16 13:57 669480 c:\windows\Steam\bin\vgui2_s.dll
+ 2011-06-09 12:55 . 2012-03-21 15:07 669480 c:\windows\Steam\bin\vgui2_s.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 198440 c:\windows\Steam\bin\vaudio_speex.dll
- 2011-05-05 12:16 . 2012-03-16 13:57 198440 c:\windows\Steam\bin\vaudio_speex.dll
- 2011-03-16 15:42 . 2012-03-16 13:57 489256 c:\windows\Steam\bin\SteamService.exe
+ 2011-03-16 15:42 . 2012-03-21 15:07 489256 c:\windows\Steam\bin\SteamService.exe
- 2011-05-05 12:16 . 2012-03-16 13:57 179808 c:\windows\Steam\bin\nattypeprobe.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 179808 c:\windows\Steam\bin\nattypeprobe.dll
- 2011-06-09 12:55 . 2012-03-16 13:57 454952 c:\windows\Steam\bin\mss32.dll
+ 2011-06-09 12:55 . 2012-03-21 15:07 454952 c:\windows\Steam\bin\mss32.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 173864 c:\windows\Steam\bin\FileSystem_Steam.dll
- 2011-05-05 12:16 . 2012-03-16 13:57 173864 c:\windows\Steam\bin\FileSystem_Steam.dll
- 2011-06-09 12:55 . 2012-03-16 13:57 907048 c:\windows\Steam\bin\chromehtml.dll
+ 2011-06-09 12:55 . 2012-03-21 15:07 907048 c:\windows\Steam\bin\chromehtml.dll
- 2012-03-16 13:57 . 2012-03-16 13:57 123192 c:\windows\Steam\bin\avutil-51.dll
+ 2012-03-16 13:57 . 2012-03-21 15:07 123192 c:\windows\Steam\bin\avutil-51.dll
+ 2012-03-16 13:57 . 2012-03-21 15:07 190776 c:\windows\Steam\bin\avformat-53.dll
- 2012-03-16 13:57 . 2012-03-16 13:57 190776 c:\windows\Steam\bin\avformat-53.dll
+ 2012-03-16 13:57 . 2012-03-21 15:07 123192 c:\windows\Steam\avutil-51.dll
- 2012-03-16 13:57 . 2012-03-16 13:57 123192 c:\windows\Steam\avutil-51.dll
- 2009-07-14 05:01 . 2012-03-17 14:49 291168 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-22 00:37 291168 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-03-19 19:51 . 2012-03-01 00:02 7713088 c:\windows\SysWOW64\nvwgf2um.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 7713088 c:\windows\SysWOW64\nvwgf2um.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 2517312 c:\windows\SysWOW64\nvcuvid.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 2517312 c:\windows\SysWOW64\nvcuvid.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 2437440 c:\windows\SysWOW64\nvcuvenc.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 2437440 c:\windows\SysWOW64\nvcuvenc.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 5892928 c:\windows\SysWOW64\nvcuda.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 5892928 c:\windows\SysWOW64\nvcuda.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 2301248 c:\windows\SysWOW64\nvapi.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 2301248 c:\windows\SysWOW64\nvapi.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 9717568 c:\windows\system32\nvwgf2umx.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 9717568 c:\windows\system32\nvwgf2umx.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 1466176 c:\windows\system32\nvgenco64.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 1466176 c:\windows\system32\nvgenco64.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 1737536 c:\windows\system32\nvdispco64.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 1737536 c:\windows\system32\nvdispco64.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 2672448 c:\windows\system32\nvcuvid.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 2672448 c:\windows\system32\nvcuvid.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 2872640 c:\windows\system32\nvcuvenc.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 2872640 c:\windows\system32\nvcuvenc.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 8008000 c:\windows\system32\nvcuda.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 8008000 c:\windows\system32\nvcuda.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 2660160 c:\windows\system32\nvapi64.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 2660160 c:\windows\system32\nvapi64.dll
+ 2012-03-19 19:51 . 2012-01-17 12:45 1451840 c:\windows\system32\DriverStore\FileRepository\nvhda.inf_amd64_neutral_6c95c0b9e91efef4\nvgenco64.dll
- 2012-03-10 18:16 . 2012-01-17 12:45 1451840 c:\windows\system32\DriverStore\FileRepository\nvhda.inf_amd64_neutral_6c95c0b9e91efef4\nvgenco64.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 9717568 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvwgf2umx.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 7713088 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvwgf2um.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 1466176 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvgenco64.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 1737536 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvdispco64.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 2517312 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvcuvid32.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 2672448 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvcuvid.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 2872640 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvcuvenc64.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 2437440 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvcuvenc.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 5892928 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvcuda32.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 8008000 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvcuda.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 2660160 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvapi64.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 2301248 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvapi.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 3970856 c:\windows\Steam\SteamUI.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 8972072 c:\windows\Steam\steamclient64.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 6616872 c:\windows\Steam\steamclient.dll
- 2011-05-05 12:16 . 2012-03-16 13:57 6616872 c:\windows\Steam\steamclient.dll
+ 2012-03-18 23:11 . 2012-03-18 23:11 1901056 c:\windows\Steam\steamapps\common\csi hard evidence\support\DirectX\dsetup32.dll
+ 2012-03-18 23:17 . 2012-03-18 23:17 1060864 c:\windows\Steam\steamapps\common\csi hard evidence\mfc71.dll
+ 2012-03-18 23:09 . 2012-03-18 23:09 6422528 c:\windows\Steam\steamapps\common\csi hard evidence\CSI4.exe
- 2011-05-05 12:16 . 2012-03-16 13:57 2975056 c:\windows\Steam\Steam.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 2975056 c:\windows\Steam\Steam.dll
- 2011-05-05 12:16 . 2012-03-16 13:57 1039192 c:\windows\Steam\dbghelp.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 1039192 c:\windows\Steam\dbghelp.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 1910568 c:\windows\Steam\bin\SteamService.dll
- 2011-05-05 12:16 . 2012-03-16 13:57 1910568 c:\windows\Steam\bin\SteamService.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 1726248 c:\windows\Steam\bin\ServerBrowser.dll
- 2012-03-16 13:57 . 2012-03-16 13:57 9955112 c:\windows\Steam\bin\icudt.dll
+ 2012-03-16 13:57 . 2012-03-21 15:07 9955112 c:\windows\Steam\bin\icudt.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 2381608 c:\windows\Steam\bin\gameoverlayui.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 2316072 c:\windows\Steam\bin\friendsUI.dll
- 2012-03-16 13:57 . 2012-03-16 13:57 1099576 c:\windows\Steam\bin\avcodec-53.dll
+ 2012-03-16 13:57 . 2012-03-21 15:07 1099576 c:\windows\Steam\bin\avcodec-53.dll
+ 2009-07-14 04:45 . 2012-03-21 20:54 7149876 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2012-03-14 11:04 7149876 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2012-03-19 19:51 . 2012-03-01 00:02 19444544 c:\windows\SysWOW64\nvoglv32.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 15009600 c:\windows\SysWOW64\nvd3dum.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 15009600 c:\windows\SysWOW64\nvd3dum.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 17543488 c:\windows\SysWOW64\nvcompiler.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 17543488 c:\windows\SysWOW64\nvcompiler.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 25543488 c:\windows\system32\nvoglv64.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 17642816 c:\windows\system32\nvd3dumx.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 17642816 c:\windows\system32\nvd3dumx.dll
- 2012-03-10 18:16 . 2012-02-10 04:13 25222976 c:\windows\system32\nvcompiler.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 25222976 c:\windows\system32\nvcompiler.dll
+ 2011-09-19 16:48 . 2012-03-04 22:19 56297240 c:\windows\system32\MRT.exe
- 2011-09-19 16:48 . 2012-03-14 10:51 56297240 c:\windows\system32\MRT.exe
+ 2012-03-19 19:51 . 2012-03-01 00:02 25543488 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvoglv64.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 19444544 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvoglv32.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 13626688 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvlddmkm.sys
+ 2012-03-19 19:51 . 2012-03-01 00:02 17642816 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvd3dumx.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 15009600 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvd3dum.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 71582120 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\NvCplSetupInt.exe
+ 2012-03-19 19:51 . 2012-03-01 00:02 17543488 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvcompiler32.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 25222976 c:\windows\system32\DriverStore\FileRepository\nvac.inf_amd64_neutral_31d474b9f08813c8\nvcompiler.dll
+ 2012-03-19 19:51 . 2012-03-01 00:02 13626688 c:\windows\system32\drivers\nvlddmkm.sys
- 2011-05-05 12:16 . 2012-03-16 13:57 20297512 c:\windows\Steam\bin\libcef.dll
+ 2011-05-05 12:16 . 2012-03-21 15:07 20297512 c:\windows\Steam\bin\libcef.dll
+ 2011-09-19 17:13 . 2012-03-22 00:37 47435500 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3974904213-1714037821-1548854753-1001-12288.dat
+ 2012-03-19 11:28 . 2012-03-19 11:28 45882196 c:\windows\Installer\223121.msi
+ 2012-02-13 16:57 . 2012-02-13 16:57 30412800 c:\windows\Installer\1efdd16.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{0F802439-432B-1C45-7CD3-59DE607400C2}]
2009-07-14 01:11 73728 ----a-w- c:\windows\SysWOW64\KBDDCAN.DLL
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{2E90012A-40C7-6932-71FF-6EB3583B4BEB}]
2011-06-11 07:58 73728 ----a-w- c:\windows\SysWOW64\mffc100enu.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
R3 1394hub;1394 Enabled Hub;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.352.0\SeaPort.exe [2012-01-21 240408]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 hexmagic;hexmagic;c:\windows\system32\drivers\hexmagic.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 netr7364;RT73 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.352.0\BBSvc.exe [2012-01-21 192792]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2mdx64.sys [x]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sdx64.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.cbsnews.com/?ocid=MIE8MSNB/
mLocal Page = c:\windows\system32\blank.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}\bm_installer.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3974904213-1714037821-1548854753-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (S-1-5-21-3974904213-1714037821-1548854753-1001)
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3974904213-1714037821-1548854753-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (S-1-5-21-3974904213-1714037821-1548854753-1001)
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-3974904213-1714037821-1548854753-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:de,c3,8d,0f,b5,ef,fe,33,23,9c,d6,63,2d,f7,42,f2,bb,d6,3b,49,9a,ed,77,
84,dd,84,45,e8,ac,28,db,3f,96,8f,50,06,e6,d5,85,5a,61,d1,19,7f,24,e6,53,2a,\
"??"=hex:1b,5c,00,6c,19,29,b6,60,a7,81,26,f9,6d,5e,cb,bb
.
[HKEY_USERS\S-1-5-21-3974904213-1714037821-1548854753-1001\Software\SecuROM\License information*]
"datasecu"=hex:30,d1,14,ac,0d,c6,af,15,6b,19,cf,47,74,9b,89,bf,19,50,34,0c,b4,
69,50,af,26,b1,00,c1,a4,17,00,89,ca,74,00,94,ce,ad,fb,7d,45,05,a0,6c,1f,f4,\
"rkeysecu"=hex:05,34,13,a2,22,06,63,9f,9d,7d,81,00,92,99,7c,60
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\09\05\17\0e\0b\06?"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-21 19:42:43 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-22 00:42
ComboFix2.txt 2012-03-17 14:54
.
Pre-Run: 240,714,702,848 bytes free
Post-Run: 240,691,445,760 bytes free
.
- - End Of File - - FE17843393DB8C9ED450CB30F0929F20[/color]

#12 kennyf

kennyf

    New Member

  • Members
  • 14 posts

Posted 21 March 2012 - 07:54 PM

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Kenny at 19:43:38 on 2012-03-21
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4091.2864 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BBSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cbsnews.com/?ocid=MIE8MSNB/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Groove Folder Synchronization: {0f802439-432b-1c45-7cd3-59de607400c2} - C:\Windows\SysWOW64\KBDDCAN.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Adobe PDF Link Helper: {2e90012a-40c7-6932-71ff-6eb3583b4beb} - C:\Windows\SysWow64\mffc100enu.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingExt.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingExt.dll"
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{037AEAC4-C825-4164-8D9F-487EA929E4E3} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{23186FDD-D6B1-418E-8FCD-806ABA5FA22A} : DhcpNameServer = 75.75.76.76 75.75.75.75
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Groove Folder Synchronization: {0F802439-432B-1C45-7CD3-59DE607400C2} - C:\Windows\SysWOW64\KBDDCAN.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Adobe PDF Link Helper: {2E90012A-40C7-6932-71FF-6EB3583B4BEB} - C:\Windows\SysWow64\mffc100enu.dll
BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingExt.dll
BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BingExt.dll"
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\BBSvc.EXE [2012-1-21 192792]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-3-16 652360]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 O2MDRDR;O2MDRDR;C:\Windows\system32\DRIVERS\o2mdx64.sys --> C:\Windows\system32\DRIVERS\o2mdx64.sys [?]
R3 O2SDRDR;O2SDRDR;C:\Windows\system32\DRIVERS\o2sdx64.sys --> C:\Windows\system32\DRIVERS\o2sdx64.sys [?]
R3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
R3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
R3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
S3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.352.0\SeaPort.EXE [2012-1-21 240408]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 netr7364;RT73 USB Extensible Wireless LAN Card Driver;C:\Windows\system32\DRIVERS\netr7364.sys --> C:\Windows\system32\DRIVERS\netr7364.sys [?]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-03-22 00:38:59 -------- d-----w- C:\$RECYCLE.BIN
2012-03-22 00:31:10 98816 ----a-w- C:\Windows\sed.exe
2012-03-22 00:31:10 518144 ----a-w- C:\Windows\SWREG.exe
2012-03-22 00:31:10 256000 ----a-w- C:\Windows\PEV.exe
2012-03-22 00:31:10 208896 ----a-w- C:\Windows\MBR.exe
2012-03-21 21:07:50 8669240 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5A915995-60EE-434B-9FE2-166526F59D79}\mpengine.dll
2012-03-21 20:52:34 45056 ----a-w- C:\Windows\SysWow64\taasklist.exe
2012-03-21 20:52:16 45056 ----a-w- C:\Windows\SysWow64\reeg.exe
2012-03-21 20:11:11 -------- d-----w- C:\Windows\CheckSur
2012-03-19 20:05:38 -------- d-----w- C:\Users\Kenny\AppData\Roaming\DAEMON Tools Lite
2012-03-19 20:05:36 -------- d-----w- C:\ProgramData\DAEMON Tools Lite
2012-03-19 19:53:16 63296 ----a-w- C:\Windows\System32\nvshext.dll
2012-03-19 19:53:15 889664 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-03-19 19:53:15 6074176 ----a-w- C:\Windows\System32\nvcpl.dll
2012-03-19 19:53:15 3089728 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-03-19 19:53:15 2561856 ----a-w- C:\Windows\System32\nvsvcr.dll
2012-03-19 19:53:15 118080 ----a-w- C:\Windows\System32\nvmctray.dll
2012-03-19 19:52:37 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2012-03-16 22:06:56 -------- d-----w- C:\ProgramData\SecTaskMan
2012-03-16 16:23:56 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-16 16:23:56 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-16 12:12:10 -------- d-----w- C:\Windows\SysWow64\3021
2012-03-15 02:39:22 -------- d-----w- C:\Program Files\Oracle
2012-03-15 02:38:51 750488 ----a-w- C:\Windows\System32\npdeployJava1.dll
2012-03-15 02:38:51 660368 ----a-w- C:\Windows\System32\deployJava1.dll
2012-03-14 10:52:53 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-14 10:52:52 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-14 10:52:52 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-14 09:32:11 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-03-14 09:32:11 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-03-14 09:32:11 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-03-14 09:29:31 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-14 09:29:31 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-03-14 09:29:31 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-03-14 09:29:30 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-14 09:29:30 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-03-14 09:29:29 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-14 09:29:26 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-12 20:42:29 -------- d-----w- C:\Users\Kenny\AppData\Roaming\Malwarebytes
2012-03-12 19:44:09 -------- d-----w- C:\Program Files\Enigma Software Group
2012-03-12 19:43:10 -------- d-----w- C:\Windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP
2012-03-12 12:07:34 -------- d-----w- C:\Program Files (x86)\PC Tools
2012-03-12 12:05:17 230952 ----a-w- C:\Windows\System32\drivers\PCTSD64.sys
2012-03-12 12:05:17 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2012-03-12 12:04:57 -------- d-----w- C:\ProgramData\PC Tools
2012-03-12 02:49:59 -------- d-----w- C:\Windows\Downloaded Installations
2012-03-11 23:07:42 8669240 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-11 22:04:33 39184 ----a-w- C:\Windows\System32\Partizan.exe
2012-03-11 21:55:36 2 --shatr- C:\Windows\winstart.bat
2012-03-11 19:33:04 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E3688C9F-6EBA-48AD-8376-27B33CC3ACB2}\gapaengine.dll
2012-03-11 19:32:00 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-03-11 19:31:58 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-03-11 18:24:27 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-03-11 04:29:48 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-03-11 04:09:38 -------- d-----w- C:\ProgramData\Malwarebytes
2012-03-10 01:23:48 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{13BE0816-07C1-44AD-8B7A-734327D20984}\mpengine.dll
2012-03-09 14:11:03 -------- d-----w- C:\Windows\SysWow64\2055
2012-03-09 14:10:37 -------- d-----w- C:\Windows\SysWow64\2002
2012-03-08 03:52:35 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-03-08 03:37:58 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2012-03-05 03:27:25 -------- d-----w- C:\Program Files (x86)\Games
2012-02-26 17:38:42 72512 ----a-w- C:\Windows\System32\nvapo64v.dll
2012-02-26 17:38:42 1451840 ----a-w- C:\Windows\System32\nvhdagenco6420103.dll
2012-02-26 17:38:41 31040 ----a-w- C:\Windows\System32\nvhdap64.dll
2012-02-26 17:38:41 188224 ----a-w- C:\Windows\System32\drivers\nvhda64v.sys
2012-02-26 17:38:22 -------- d-----w- C:\Program Files\NVIDIA Corporation
2012-02-26 17:37:48 -------- d-----w- C:\NVIDIA
2012-02-24 12:07:10 86016 ----a-w- C:\Windows\unvise32qt.exe
.
==================== Find3M ====================
.
2012-03-15 03:36:22 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-23 15:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-03 12:00:14 164992 ----a-w- C:\Windows\SysWow64\drivers\athsgt.sys
2012-02-03 12:00:11 12544 ----a-w- C:\Windows\SysWow64\drivers\limsgt.sys
2012-01-04 10:44:20 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-01-04 08:58:41 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2011-12-31 23:19:13 466456 ----a-w- C:\Windows\System32\wrap_oal.dll
2011-12-31 23:19:13 444952 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2011-12-31 23:19:13 122904 ----a-w- C:\Windows\System32\OpenAL32.dll
2011-12-31 23:19:13 109080 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2011-12-30 06:26:08 515584 ----a-w- C:\Windows\System32\timedate.cpl
2011-12-30 05:27:56 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2011-12-28 03:59:24 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
.
============= FINISH: 19:43:57.72 ===============

#13 screen317

screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 22 March 2012 - 02:15 AM

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.


Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=107346
Collect::
c:\windows\SysWOW64\KBDDCAN.DLL
c:\windows\SysWOW64\mffc100enu.dll
c:\windows\SysWOW64\taasklist.exe
c:\windows\SysWOW64\reeg.exe
Registry::
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{0F802439-432B-1C45-7CD3-59DE607400C2}]
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{2E90012A-40C7-6932-71FF-6EB3583B4BEB}]

Save this as CFScript.txt


[Image: dragging CFScript.txt onto ComboFix.exe]


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Chris Fistonich
Research Team

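
The CFScript above targets two browser helper objects that carry legitimate display names ("Groove Folder Synchronization", a second "Adobe PDF Link Helper") but load DLLs dropped straight into SysWOW64, plus two executables whose names are one letter away from the real tasklist.exe and reg.exe. The following triage script is an added example (not part of DDS, ComboFix or the forum's own tooling) that reads DDS-style "BHO-X64" and "Created Last 30" lines and flags exactly those patterns. The sample lines are copied from the DDS log earlier in this thread; the KNOWN_TOOLS list is a constructed set of Windows binary names to compare against.

```python
"""Triage helper for DDS-style logs: flags browser helper objects (BHOs) and
freshly created executables that match the cloaking patterns seen in this
thread. Added example, not part of DDS, ComboFix or Malwarebytes' tooling."""
import re
from collections import defaultdict

# Constructed sample: BHO and "Created Last 30" lines copied from the DDS log
# posted earlier in this thread (the four files ComboFix later deleted are in it).
DDS_SAMPLE = r"""
BHO-X64: Groove Folder Synchronization: {0F802439-432B-1C45-7CD3-59DE607400C2} - C:\Windows\SysWOW64\KBDDCAN.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Adobe PDF Link Helper: {2E90012A-40C7-6932-71FF-6EB3583B4BEB} - C:\Windows\SysWow64\mffc100enu.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
2012-03-21 20:52:34 45056 ----a-w- C:\Windows\SysWow64\taasklist.exe
2012-03-21 20:52:16 45056 ----a-w- C:\Windows\SysWow64\reeg.exe
2012-03-19 19:53:15 889664 ----a-w- C:\Windows\System32\nvvsvc.exe
"""

BHO_RE = re.compile(r"^BHO(?:-X64)?: (?P<name>.+?): (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
BHO_ORPHAN_RE = re.compile(r"^BHO(?:-X64)?: (?P<name>.+?) - No File$")
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?:\d+|-+) [-a-z]+ (?P<path>.+)$")

# Regular software installs BHOs under Program Files; a BHO DLL dropped directly
# into a Windows system directory is the pattern seen in this thread.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Constructed list of genuine Windows tool names that droppers like to imitate.
KNOWN_TOOLS = {"tasklist.exe", "reg.exe", "taskkill.exe", "svchost.exe",
               "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter-off imitations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def triage(log_text):
    """Return a list of (severity, reason, detail) findings for DDS log text."""
    findings = []
    by_name = defaultdict(list)  # display name -> [(clsid, path), ...]
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            name, clsid = m.group("name"), m.group("clsid")
            path = m.group("path").strip().strip('"')
            by_name[name].append((clsid, path))
            if in_system_dir(path):
                findings.append(("high", "BHO loaded from a Windows system directory",
                                 f"{name} -> {path}"))
            continue
        m = BHO_ORPHAN_RE.match(line)
        if m:
            findings.append(("low", "orphaned BHO entry (no file)", m.group("name")))
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m.group("path").strip()
            base = path.rsplit("\\", 1)[-1].lower()
            if in_system_dir(path) and base.endswith(".exe") and base not in KNOWN_TOOLS:
                near = sorted(t for t in KNOWN_TOOLS if edit_distance(base, t) == 1)
                if near:
                    findings.append(("high", f"new executable named like {near[0]}", path))
    # The same display name registered under two CLSIDs: one of them is a clone.
    for name, entries in by_name.items():
        if len({clsid for clsid, _ in entries}) > 1:
            findings.append(("high", "same BHO display name registered under two CLSIDs",
                             f"{name}: {', '.join(c for c, _ in entries)}"))
    return findings


if __name__ == "__main__":
    for severity, reason, detail in triage(DDS_SAMPLE):
        print(f"[{severity}] {reason}: {detail}")
```

Run against the sample it reports the two SysWOW64 BHO DLLs, the duplicated "Adobe PDF Link Helper" name, taasklist.exe and reeg.exe as high, and the AcroIEHelperStub orphan as low, while leaving the genuine Adobe and Windows Live entries and nvvsvc.exe alone. The heuristics are deliberately narrow (system-directory BHOs, cloned display names, edit distance of exactly 1 from a known tool name) so that they surface what a helper would want to look at first without replacing the scanners the thread already uses.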

#14 kennyf

kennyf

    New Member

  • Members
  • 14 posts

Posted 22 March 2012 - 10:59 AM

Files were submitted and received.


ComboFix 12-03-22.01 - Kenny 03/22/2012 10:33:04.6.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4091.2911 [GMT -5:00]
Running from: c:\users\Kenny\Desktop\ComboFix.exe
Command switches used :: c:\users\Kenny\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWOW64\KBDDCAN.DLL
c:\windows\SysWOW64\mffc100enu.dll
c:\windows\SysWOW64\reeg.exe
c:\windows\SysWOW64\taasklist.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-02-22 to 2012-03-22 )))))))))))))))))))))))))))))))
.
.
2012-03-22 15:36 . 2012-03-22 15:36 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-03-22 15:36 . 2012-03-22 15:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-21 21:07 . 2012-03-14 03:27 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5A915995-60EE-434B-9FE2-166526F59D79}\mpengine.dll
2012-03-21 20:11 . 2012-03-21 20:11 -------- d-----w- c:\windows\CheckSur
2012-03-21 11:20 . 2012-03-21 13:35 -------- d-----w- c:\programdata\Lavasoft
2012-03-19 19:53 . 2012-03-19 19:53 -------- d-----w- c:\programdata\NVIDIA
2012-03-19 19:53 . 2012-02-29 20:59 63296 ----a-w- c:\windows\system32\nvshext.dll
2012-03-19 19:53 . 2012-02-29 21:00 3089728 ----a-w- c:\windows\system32\nvsvc64.dll
2012-03-19 19:53 . 2012-02-29 21:00 6074176 ----a-w- c:\windows\system32\nvcpl.dll
2012-03-19 19:53 . 2012-02-29 20:59 889664 ----a-w- c:\windows\system32\nvvsvc.exe
2012-03-19 19:53 . 2012-02-29 20:59 2561856 ----a-w- c:\windows\system32\nvsvcr.dll
2012-03-19 19:53 . 2012-02-29 20:59 118080 ----a-w- c:\windows\system32\nvmctray.dll
2012-03-19 19:52 . 2012-03-19 19:52 -------- d-----w- c:\programdata\NVIDIA Corporation
2012-03-16 22:06 . 2012-03-16 22:07 -------- d-----w- c:\programdata\SecTaskMan
2012-03-16 16:23 . 2012-03-16 16:24 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-16 16:23 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-16 12:12 . 2012-03-16 12:12 -------- d-----w- c:\windows\SysWow64\3021
2012-03-15 02:39 . 2012-03-19 14:26 -------- d-----w- c:\program files\Oracle
2012-03-15 02:38 . 2012-01-10 18:28 750488 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-03-15 02:38 . 2012-01-10 18:28 660368 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-15 02:37 . 2012-03-15 02:38 -------- d-----w- c:\program files\Java
2012-03-14 10:52 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-14 10:52 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-14 10:52 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-14 09:32 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 09:32 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-14 09:32 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 09:29 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-14 09:29 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-14 09:29 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-14 09:29 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-14 09:29 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-14 09:29 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 09:29 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-12 20:42 . 2012-03-12 20:42 -------- d-----w- c:\users\Kenny\AppData\Roaming\Malwarebytes
2012-03-12 19:44 . 2012-03-12 19:44 -------- d-----w- c:\program files\Enigma Software Group
2012-03-12 19:43 . 2012-03-12 20:11 -------- d-----w- c:\windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP
2012-03-12 12:07 . 2012-03-12 12:07 -------- d-----w- c:\program files (x86)\PC Tools
2012-03-12 12:05 . 2012-03-12 20:24 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2012-03-12 12:05 . 2012-02-24 15:36 230952 ----a-w- c:\windows\system32\drivers\PCTSD64.sys
2012-03-12 12:04 . 2012-03-12 12:36 -------- d-----w- c:\programdata\PC Tools
2012-03-12 02:49 . 2012-03-12 02:49 -------- d-----w- c:\windows\Downloaded Installations
2012-03-11 23:07 . 2012-03-14 03:27 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-11 22:04 . 2012-03-11 22:04 39184 ----a-w- c:\windows\system32\Partizan.exe
2012-03-11 21:55 . 2012-03-15 02:52 2 --shatr- c:\windows\winstart.bat
2012-03-11 19:33 . 2012-03-11 19:32 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E3688C9F-6EBA-48AD-8376-27B33CC3ACB2}\gapaengine.dll
2012-03-11 19:32 . 2012-03-11 19:32 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-03-11 19:31 . 2012-03-11 19:32 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-11 18:24 . 2012-03-11 18:24 -------- d-----w- c:\program files (x86)\Trend Micro
2012-03-11 04:29 . 2012-03-11 04:29 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-11 04:09 . 2012-03-11 04:09 -------- d-----w- c:\programdata\Malwarebytes
2012-03-10 01:23 . 2012-03-01 19:21 8643640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{13BE0816-07C1-44AD-8B7A-734327D20984}\mpengine.dll
2012-03-09 14:11 . 2012-03-16 12:12 -------- d-----w- c:\windows\SysWow64\2055
2012-03-09 14:10 . 2012-03-09 14:10 -------- d-----w- c:\windows\SysWow64\2002
2012-03-08 03:37 . 2012-03-08 03:37 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-03-05 03:27 . 2012-03-09 17:34 -------- d-----w- c:\program files (x86)\Games
2012-02-26 17:38 . 2012-01-17 12:45 72512 ----a-w- c:\windows\system32\nvapo64v.dll
2012-02-26 17:38 . 2012-01-17 12:45 1451840 ----a-w- c:\windows\system32\nvhdagenco6420103.dll
2012-02-26 17:38 . 2012-01-17 12:46 31040 ----a-w- c:\windows\system32\nvhdap64.dll
2012-02-26 17:38 . 2012-01-17 12:45 188224 ----a-w- c:\windows\system32\drivers\nvhda64v.sys
2012-02-26 17:38 . 2012-03-19 19:53 -------- d-----w- c:\program files\NVIDIA Corporation
2012-02-26 17:37 . 2012-03-19 19:53 -------- d-----w- C:\NVIDIA
2012-02-24 12:07 . 1999-11-10 18:05 86016 ----a-w- c:\windows\unvise32qt.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-15 03:36 . 2011-09-19 15:53 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-23 15:18 . 2011-09-19 16:00 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-03 12:00 . 2012-02-03 12:00 164992 ----a-w- c:\windows\SysWow64\drivers\athsgt.sys
2012-02-03 12:00 . 2012-02-03 12:00 12544 ----a-w- c:\windows\SysWow64\drivers\limsgt.sys
2012-01-04 10:44 . 2012-02-15 11:52 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-01-04 08:58 . 2012-02-15 11:52 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2011-12-31 23:19 . 2011-10-13 11:23 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-31 23:19 . 2011-10-13 11:23 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-12-31 23:19 . 2011-10-13 11:23 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2011-12-31 23:19 . 2011-10-13 11:23 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2011-12-30 06:26 . 2012-02-15 11:52 515584 ----a-w- c:\windows\system32\timedate.cpl
2011-12-30 05:27 . 2012-02-15 11:52 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2011-12-28 03:59 . 2012-02-15 11:52 498688 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((( SnapShot_2012-03-22_00.39.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-03-22 00:16 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-03-22 00:38 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-03-22 00:16 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-22 00:38 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-22 00:16 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-22 00:38 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-09-19 16:05 . 2012-03-22 14:43 43742 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-22 14:43 45844 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-09-19 15:51 . 2012-03-22 14:43 12814 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3974904213-1714037821-1548854753-1001_UserData.bin
+ 2011-09-19 15:24 . 2012-03-22 12:39 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-09-19 15:24 . 2012-03-21 23:58 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-09-19 15:24 . 2012-03-22 12:39 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-09-19 15:24 . 2012-03-21 23:58 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-22 12:39 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-21 23:58 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-03-22 15:37 . 2012-03-22 15:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-22 00:38 . 2012-03-22 00:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-22 15:37 . 2012-03-22 15:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-03-22 00:38 . 2012-03-22 00:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-03-22 00:20 662446 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-22 14:46 662446 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-22 14:46 122242 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-03-22 00:20 122242 c:\windows\system32\perfc009.dat
+ 2012-03-22 12:26 . 2012-03-22 12:26 318448 c:\windows\system32\FNTCACHE.DAT
- 2012-03-22 00:15 . 2012-03-22 00:15 318448 c:\windows\system32\FNTCACHE.DAT
- 2009-07-14 05:12 . 2012-03-21 11:26 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:12 . 2012-03-22 03:56 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:01 . 2012-03-22 15:36 291168 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-03-22 00:37 291168 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-09-19 17:13 . 2012-03-22 15:36 47443522 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3974904213-1714037821-1548854753-1001-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 1394hub;1394 Enabled Hub;c:\windows\System32\svchost.exe [2009-07-14 27136]
R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.352.0\SeaPort.exe [2012-01-21 240408]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 hexmagic;hexmagic;c:\windows\system32\drivers\hexmagic.sys [x]
R3 netr7364;RT73 USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.352.0\BBSvc.exe [2012-01-21 192792]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2mdx64.sys [x]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sdx64.sys [x]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.cbsnews.com/?ocid=MIE8MSNB/
mLocal Page = c:\windows\system32\blank.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3974904213-1714037821-1548854753-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (S-1-5-21-3974904213-1714037821-1548854753-1001)
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3974904213-1714037821-1548854753-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (S-1-5-21-3974904213-1714037821-1548854753-1001)
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-3974904213-1714037821-1548854753-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:de,c3,8d,0f,b5,ef,fe,33,23,9c,d6,63,2d,f7,42,f2,bb,d6,3b,49,9a,ed,77,
84,dd,84,45,e8,ac,28,db,3f,96,8f,50,06,e6,d5,85,5a,61,d1,19,7f,24,e6,53,2a,\
"??"=hex:1b,5c,00,6c,19,29,b6,60,a7,81,26,f9,6d,5e,cb,bb
.
[HKEY_USERS\S-1-5-21-3974904213-1714037821-1548854753-1001\Software\SecuROM\License information*]
"datasecu"=hex:30,d1,14,ac,0d,c6,af,15,6b,19,cf,47,74,9b,89,bf,19,50,34,0c,b4,
69,50,af,26,b1,00,c1,a4,17,00,89,ca,74,00,94,ce,ad,fb,7d,45,05,a0,6c,1f,f4,\
"rkeysecu"=hex:05,34,13,a2,22,06,63,9f,9d,7d,81,00,92,99,7c,60
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\09\05\17\0e\0b\06?"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-22 10:41:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-22 15:41
ComboFix2.txt 2012-03-22 00:42
ComboFix3.txt 2012-03-17 14:54
.
Pre-Run: 243,452,563,456 bytes free
Post-Run: 243,409,743,872 bytes free
.
- - End Of File - - 4EB3F626379BE2C9516A52711E0A786B

#15 kennyf

kennyf

    New Member

  • Members
  • 14 posts

Posted 22 March 2012 - 04:39 PM

Problem with Redirect seems to be corrected. No problems yet.

#16 screen317

screen317

    MBAM Sentinel

  • Moderators
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 23 March 2012 - 01:51 AM

Great!

Run TFC by OldTimer to clear temporary files:
  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

Next, please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Next, download my Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317
Chris Fistonich
Research Team

#17 kennyf

kennyf

    New Member

  • Members
  • Pip
  • 14 posts

Posted 23 March 2012 - 07:33 AM

Thanks a lot for your help and putting up with my impatience.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=dc6c3ad59a89ee4ea946c8c501bbdd3a
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-03-23 12:28:14
# local_time=2012-03-23 07:28:14 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776574 100 94 95128 84044380 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=121621
# found=0
# cleaned=0
# scan_time=4764


Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Reader X (10.1.2)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````

#18 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 24 March 2012 - 08:44 PM

Looks like the SecurityCheck log was cut off. Could you please post it in its entirety?
Chris Fistonich
Research Team

#19 kennyf

kennyf

    New Member

  • Members
  • Pip
  • 14 posts

Posted 24 March 2012 - 08:58 PM

Results of screen317's Security Check version 0.99.32
Windows 7 x64 (UAC is disabled!)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Reader X (10.1.2)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````

#20 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 29 March 2012 - 06:52 PM

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

Reboot. Let me know how things are running now. :)
Chris Fistonich
Research Team