Poorsoul

Everything posted by Poorsoul

  1. Noticeable difference once you got MBAR running: no more popups on reboot, I can d/l with Firefox now, and it looks like I might have permissions restored as well. Thanks! Here are some log files:

     ---------------------------------------
     Malwarebytes Anti-Rootkit BETA 1.07.0.1009
     © Malwarebytes Corporation 2011-2012
     OS version: 6.1.7600 Windows 7 x64
     Account is Administrative
     Internet Explorer version: 8.0.7600.16385
     File system is: NTFS
     Disk drives: C:\ DRIVE_FIXED
     CPU speed: 3.013000 GHz
     Memory total: 4292923392, free: 2510106624
     Downloaded database version: v2014.02.22.01
     Downloaded database version: v2014.02.20.01
     =======================================
     Initializing...
     ------------ Kernel report ------------
          02/21/2014 21:40:20
     ------------ Loaded modules -----------
     \SystemRoot\system32\ntoskrnl.exe
     \SystemRoot\system32\hal.dll
     \SystemRoot\system32\kdcom.dll
     \SystemRoot\system32\mcupdate_AuthenticAMD.dll
     \SystemRoot\system32\PSHED.dll
     \SystemRoot\system32\CLFS.SYS
     \SystemRoot\system32\CI.dll
     \SystemRoot\system32\drivers\Wdf01000.sys
     \SystemRoot\system32\drivers\WDFLDR.SYS
     \SystemRoot\System32\Drivers\spoa.sys
     \SystemRoot\System32\Drivers\WMILIB.SYS
     \SystemRoot\System32\Drivers\SCSIPORT.SYS
     \SystemRoot\system32\DRIVERS\ACPI.sys
     \SystemRoot\system32\DRIVERS\msisadrv.sys
     \SystemRoot\system32\DRIVERS\vdrvroot.sys
     \SystemRoot\system32\DRIVERS\pci.sys
     \SystemRoot\System32\drivers\partmgr.sys
     \SystemRoot\system32\DRIVERS\volmgr.sys
     \SystemRoot\System32\drivers\volmgrx.sys
     \SystemRoot\system32\DRIVERS\pciide.sys
     \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
     \SystemRoot\System32\drivers\mountmgr.sys
     \SystemRoot\system32\DRIVERS\atapi.sys
     \SystemRoot\system32\DRIVERS\ataport.SYS
     \SystemRoot\system32\DRIVERS\amdxata.sys
     \SystemRoot\system32\drivers\fltmgr.sys
     \SystemRoot\system32\drivers\fileinfo.sys
     \SystemRoot\System32\Drivers\Ntfs.sys
     \SystemRoot\System32\Drivers\msrpc.sys
     \SystemRoot\System32\Drivers\ksecdd.sys
     \SystemRoot\System32\Drivers\cng.sys
     \SystemRoot\System32\drivers\pcw.sys
     \SystemRoot\System32\Drivers\Fs_Rec.sys
     \SystemRoot\system32\drivers\ndis.sys
     \SystemRoot\system32\drivers\NETIO.SYS
     \SystemRoot\System32\Drivers\ksecpkg.sys
     \SystemRoot\System32\drivers\tcpip.sys
     \SystemRoot\System32\drivers\fwpkclnt.sys
     \SystemRoot\system32\DRIVERS\volsnap.sys
     \SystemRoot\System32\Drivers\spldr.sys
     \SystemRoot\System32\drivers\rdyboost.sys
     \SystemRoot\System32\Drivers\mup.sys
     \SystemRoot\System32\drivers\hwpolicy.sys
     \SystemRoot\System32\DRIVERS\fvevol.sys
     \SystemRoot\system32\DRIVERS\disk.sys
     \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
     \SystemRoot\system32\DRIVERS\cdrom.sys
     \SystemRoot\System32\Drivers\Null.SYS
     \SystemRoot\System32\Drivers\Beep.SYS
     \SystemRoot\System32\drivers\vga.sys
     \SystemRoot\System32\drivers\VIDEOPRT.SYS
     \SystemRoot\System32\drivers\watchdog.sys
     \SystemRoot\System32\DRIVERS\RDPCDD.sys
     \SystemRoot\system32\drivers\rdpencdd.sys
     \SystemRoot\system32\drivers\rdprefmp.sys
     \SystemRoot\System32\Drivers\Msfs.SYS
     \SystemRoot\System32\Drivers\Npfs.SYS
     \SystemRoot\system32\DRIVERS\tdx.sys
     \SystemRoot\system32\DRIVERS\TDI.SYS
     \SystemRoot\System32\DRIVERS\netbt.sys
     \SystemRoot\system32\drivers\afd.sys
     \SystemRoot\system32\drivers\ws2ifsl.sys
     \SystemRoot\system32\DRIVERS\wfplwf.sys
     \SystemRoot\system32\DRIVERS\pacer.sys
     \SystemRoot\system32\DRIVERS\netbios.sys
     \SystemRoot\system32\DRIVERS\serial.sys
     \SystemRoot\system32\DRIVERS\wanarp.sys
     \SystemRoot\system32\DRIVERS\termdd.sys
     \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
     \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
     \SystemRoot\system32\DRIVERS\rdbss.sys
     \SystemRoot\system32\drivers\nsiproxy.sys
     \SystemRoot\system32\DRIVERS\mssmbios.sys
     \SystemRoot\System32\drivers\discache.sys
     \SystemRoot\System32\Drivers\dfsc.sys
     \SystemRoot\system32\DRIVERS\blbdrive.sys
     \SystemRoot\system32\DRIVERS\tunnel.sys
     \SystemRoot\system32\DRIVERS\amdppm.sys
     \SystemRoot\system32\DRIVERS\nvlddmkm.sys
     \SystemRoot\System32\drivers\dxgkrnl.sys
     \SystemRoot\System32\drivers\dxgmms1.sys
     \SystemRoot\system32\DRIVERS\HDAudBus.sys
     \SystemRoot\system32\DRIVERS\Rt64win7.sys
     \SystemRoot\system32\DRIVERS\usbohci.sys
     \SystemRoot\system32\DRIVERS\USBPORT.SYS
     \SystemRoot\system32\DRIVERS\usbehci.sys
     \SystemRoot\system32\DRIVERS\parport.sys
     \SystemRoot\system32\DRIVERS\ASACPI.sys
     \SystemRoot\system32\DRIVERS\i8042prt.sys
     \SystemRoot\system32\DRIVERS\kbdclass.sys
     \SystemRoot\system32\DRIVERS\serenum.sys
     \SystemRoot\System32\Drivers\a3y6iww9.SYS
     \SystemRoot\system32\DRIVERS\wmiacpi.sys
     \SystemRoot\system32\DRIVERS\CompositeBus.sys
     \SystemRoot\system32\DRIVERS\AgileVpn.sys
     \SystemRoot\system32\DRIVERS\rasl2tp.sys
     \SystemRoot\system32\DRIVERS\ndistapi.sys
     \SystemRoot\system32\DRIVERS\ndiswan.sys
     \SystemRoot\system32\DRIVERS\raspppoe.sys
     \SystemRoot\system32\DRIVERS\raspptp.sys
     \SystemRoot\system32\DRIVERS\rassstp.sys
     \SystemRoot\system32\DRIVERS\mouclass.sys
     \SystemRoot\system32\DRIVERS\swenum.sys
     \SystemRoot\system32\DRIVERS\ks.sys
     \SystemRoot\system32\DRIVERS\umbus.sys
     \SystemRoot\system32\DRIVERS\usbhub.sys
     \SystemRoot\System32\Drivers\NDProxy.SYS
     \SystemRoot\system32\drivers\nvhda64v.sys
     \SystemRoot\system32\drivers\portcls.sys
     \SystemRoot\system32\drivers\drmk.sys
     \SystemRoot\system32\drivers\ksthunk.sys
     \SystemRoot\system32\drivers\HdAudio.sys
     \SystemRoot\System32\win32k.sys
     \SystemRoot\System32\drivers\Dxapi.sys
     \SystemRoot\System32\Drivers\crashdmp.sys
     \SystemRoot\System32\Drivers\dump_dumpata.sys
     \SystemRoot\System32\Drivers\dump_atapi.sys
     \SystemRoot\System32\Drivers\dump_dumpfve.sys
     \SystemRoot\system32\DRIVERS\monitor.sys
     \SystemRoot\System32\TSDDD.dll
     \SystemRoot\system32\DRIVERS\usbccgp.sys
     \SystemRoot\system32\DRIVERS\USBD.SYS
     \SystemRoot\system32\drivers\usbaudio.sys
     \SystemRoot\System32\cdd.dll
     \SystemRoot\system32\DRIVERS\hidusb.sys
     \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
     \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
     \SystemRoot\system32\DRIVERS\mouhid.sys
     \SystemRoot\system32\drivers\luafv.sys
     \SystemRoot\system32\drivers\WudfPf.sys
     \SystemRoot\system32\DRIVERS\lltdio.sys
     \SystemRoot\system32\DRIVERS\rspndr.sys
     \SystemRoot\system32\drivers\HTTP.sys
     \SystemRoot\System32\DRIVERS\srvnet.sys
     \SystemRoot\system32\DRIVERS\bowser.sys
     \SystemRoot\system32\DRIVERS\mrxsmb.sys
     \SystemRoot\system32\DRIVERS\mrxsmb10.sys
     \SystemRoot\system32\DRIVERS\mrxsmb20.sys
     \SystemRoot\System32\DRIVERS\srv2.sys
     \SystemRoot\System32\DRIVERS\srv.sys
     \SystemRoot\system32\DRIVERS\atksgt.sys
     \SystemRoot\system32\DRIVERS\lirsgt.sys
     \SystemRoot\system32\drivers\peauth.sys
     \SystemRoot\System32\Drivers\secdrv.SYS
     \SystemRoot\System32\drivers\tcpipreg.sys
     \SystemRoot\system32\DRIVERS\asyncmac.sys
     \??\C:\Windows\system32\drivers\mbamchameleon.sys
     \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
     \Windows\System32\ntdll.dll
     \Windows\System32\smss.exe
     \Windows\System32\apisetschema.dll
     \Windows\System32\autochk.exe
     \Windows\System32\shell32.dll
     \Windows\System32\imm32.dll
     \Windows\System32\msctf.dll
     \Windows\System32\lpk.dll
     \Windows\System32\urlmon.dll
     \Windows\System32\Wldap32.dll
     \Windows\System32\nsi.dll
     \Windows\System32\clbcatq.dll
     \Windows\System32\user32.dll
     \Windows\System32\psapi.dll
     \Windows\System32\setupapi.dll
     \Windows\System32\gdi32.dll
     \Windows\System32\shlwapi.dll
     \Windows\System32\oleaut32.dll
     \Windows\System32\iertutil.dll
     \Windows\System32\difxapi.dll
     \Windows\System32\rpcrt4.dll
     \Windows\System32\ole32.dll
     \Windows\System32\ws2_32.dll
     \Windows\System32\kernel32.dll
     \Windows\System32\msvcrt.dll
     \Windows\System32\wininet.dll
     \Windows\System32\imagehlp.dll
     \Windows\System32\advapi32.dll
     \Windows\System32\usp10.dll
     \Windows\System32\normaliz.dll
     \Windows\System32\comdlg32.dll
     \Windows\System32\sechost.dll
     \Windows\System32\cfgmgr32.dll
     \Windows\System32\KernelBase.dll
     \Windows\System32\wintrust.dll
     \Windows\System32\devobj.dll
     \Windows\System32\comctl32.dll
     \Windows\System32\crypt32.dll
     \Windows\System32\msasn1.dll
     \Windows\SysWOW64\normaliz.dll
     ----------- End -----------
     Done!
     <<<1>>>
     Upper Device Name: \Device\Harddisk0\DR0
     Upper Device Object: 0xfffffa8004acb060
     Upper Device Driver Name: \Driver\Disk\
     Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
     Lower Device Object: 0xfffffa800484f060
     Lower Device Driver Name: \Driver\atapi\
     IRP handler 0 of \Driver\atapi points to an unknown module
     Unhooking enabled.
     <<<1>>>
     Upper Device Name: \Device\Harddisk0\DR0
     Upper Device Object: 0xfffffa8004acb060
     Upper Device Driver Name: \Driver\Disk\
     Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
     Lower Device Object: 0xfffffa800484f060
     Lower Device Driver Name: \Driver\atapi\
     Driver name found: atapi
     Initialization returned 0x0
     Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
     Load Function returned 0x0
     <<<2>>>
     Physical Sector Size: 512
     Drive: 0, DevicePointer: 0xfffffa8004acb060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
     --------- Disk Stack ------
     DevicePointer: 0xfffffa8004acbb90, DeviceName: Unknown, DriverName: \Driver\partmgr\
     DevicePointer: 0xfffffa8004acb060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
     DevicePointer: 0xfffffa800484d520, DeviceName: Unknown, DriverName: \Driver\ACPI\
     DevicePointer: 0xfffffa800484f060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
     ------------ End ----------
     Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
     Upper DeviceData: 0xfffff8a009e504e0, 0xfffffa8004acb060, 0xfffffa8005057790
     Lower DeviceData: 0xfffff8a003a07300, 0xfffffa800484f060, 0xfffffa8004db8430
     <<<3>>>
     Volume: C:
     File system type: NTFS
     SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
     <<<2>>>
     <<<3>>>
     Volume: C:
     File system type: NTFS
     SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
     Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
     <<<2>>>
     <<<3>>>
     Volume: C:
     File system type: NTFS
     SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
     File user open failed: C:\WINDOWS\SYSTEM32\drivers\sptd.sys (0x00000020)
     Done!
     Drive 0
     Scanning MBR on drive 0...
     Inspecting partition table:
     MBR Signature: 55AA
     Disk Signature: D2A1CA1E
     Partition information:
         Partition 0 type is Primary (0x7)
         Partition is ACTIVE.
         Partition starts at LBA: 2048  Numsec = 204800
         Partition file system is NTFS
         Partition is bootable
         Partition 1 type is Primary (0x7)
         Partition is NOT ACTIVE.
         Partition starts at LBA: 206848  Numsec = 976564224
         Partition 2 type is Empty (0x0)
         Partition is NOT ACTIVE.
         Partition starts at LBA: 0  Numsec = 0
         Partition 3 type is Empty (0x0)
         Partition is NOT ACTIVE.
         Partition starts at LBA: 0  Numsec = 0
     Disk Size: 500107862016 bytes
     Sector size: 512 bytes
     Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
     Done!
     Infected: C:\ProgramData\737923934.exe --> [Trojan.Agent]
     Infected: C:\Users\Dook\AppData\Local\Temp\phatk121016.cl --> [Trojan.BitcoinMiner]
     Infected: C:\Users\Dook\AppData\Local\Temp\scrypt130511.cl --> [Trojan.BitcoinMiner]
     Infected: C:\Users\Dook\AppData\Local\Temp\diablo130302.cl --> [Trojan.BitcoinMiner]
     Infected: C:\Users\Dook\AppData\Local\Temp\poclbm130302.cl --> [Trojan.BitcoinMiner]
     Infected: C:\Users\Dook\AppData\Local\Temp\diakgcn121016.cl --> [Trojan.BitcoinMiner]
     Infected: C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.ini.url --> [Trojan.Agent]
     Infected: HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|Load --> [Trojan.Agent]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avcenter.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avguard.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ccuac.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ComboFix.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\hijackthis.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\keyscrambler.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbam.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MpCmdRun.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCui.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\msseces.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\spybotsd.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERAntiSpyware.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\wireshark.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\zlclient.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE|Debugger --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BDAGENT.EXE|Debugger --> [security.Hijack]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EGUI.EXE|Debugger --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avcenter.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avguard.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ccuac.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ComboFix.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\hijackthis.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\keyscrambler.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\mbam.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MpCmdRun.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCui.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\msseces.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\spybotsd.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERAntiSpyware.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\wireshark.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\zlclient.exe --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE|Debugger --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVP.EXE --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BDAGENT.EXE|Debugger --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EGUI.EXE|Debugger --> [security.Hijack]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Windows Configuration --> [Trojan.Agent]
     Infected: C:\{$5812-5333-4513-5757-7153$} --> [Trojan.Agent.BCM]
     Infected: C:\{$5812-5333-4513-5757-7153$}\737923934 --> [Trojan.Agent.BCM]
     Infected: C:\{$5812-5333-4513-5757-7153$}\nacl64.exe --> [Trojan.Agent.BCM]
     Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NACL64.EXE --> [Trojan.Agent.BCM]
     Infected: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NACL64.EXE --> [Trojan.Agent.BCM]
     Infected: HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|Load --> [Trojan.Agent.BCM]
     Infected: C:\{$5812-5333-4513-5757-7153$}\nacl64.exe --> [Trojan.Agent.BCM]
     Scan finished
     Creating System Restore point...
     Cleaning up...
     Removal scheduling successful. System shutdown needed.
     System shutdown occurred
     =======================================
     ---------------------------------------
     Malwarebytes Anti-Rootkit BETA 1.07.0.1009
     © Malwarebytes Corporation 2011-2012
     OS version: 6.1.7600 Windows 7 x64
     Account is Administrative
     Internet Explorer version: 8.0.7600.16385
     File system is: NTFS
     Disk drives: C:\ DRIVE_FIXED
     CPU speed: 3.013000 GHz
     Memory total: 4292923392, free: 2946220032
     =======================================
     Initializing...
     ------------ Kernel report ------------
          02/21/2014 22:09:31
     ------------ Loaded modules -----------
     \SystemRoot\system32\ntoskrnl.exe
     \SystemRoot\system32\hal.dll
     \SystemRoot\system32\kdcom.dll
     \SystemRoot\system32\mcupdate_AuthenticAMD.dll
     \SystemRoot\system32\PSHED.dll
     \SystemRoot\system32\CLFS.SYS
     \SystemRoot\system32\CI.dll
     \SystemRoot\system32\drivers\CLASSPNP.SYS
     \SystemRoot\System32\drivers\imofugc.sys
     \SystemRoot\system32\drivers\Wdf01000.sys
     \SystemRoot\system32\drivers\WDFLDR.SYS
     \SystemRoot\System32\Drivers\spkw.sys
     \SystemRoot\System32\Drivers\WMILIB.SYS
     \SystemRoot\System32\Drivers\SCSIPORT.SYS
     \SystemRoot\system32\DRIVERS\ACPI.sys
     \SystemRoot\system32\DRIVERS\msisadrv.sys
     \SystemRoot\system32\DRIVERS\vdrvroot.sys
     \SystemRoot\system32\DRIVERS\pci.sys
     \SystemRoot\System32\drivers\partmgr.sys
     \SystemRoot\system32\DRIVERS\volmgr.sys
     \SystemRoot\System32\drivers\volmgrx.sys
     \SystemRoot\system32\DRIVERS\pciide.sys
     \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
     \SystemRoot\System32\drivers\mountmgr.sys
     \SystemRoot\system32\DRIVERS\atapi.sys
     \SystemRoot\system32\DRIVERS\ataport.SYS
     \SystemRoot\system32\DRIVERS\amdxata.sys
     \SystemRoot\system32\drivers\fltmgr.sys
     \SystemRoot\system32\drivers\fileinfo.sys
     \SystemRoot\System32\Drivers\Ntfs.sys
     \SystemRoot\System32\Drivers\msrpc.sys
     \SystemRoot\System32\Drivers\ksecdd.sys
     \SystemRoot\System32\Drivers\cng.sys
     \SystemRoot\System32\drivers\pcw.sys
     \SystemRoot\System32\Drivers\Fs_Rec.sys
     \SystemRoot\system32\drivers\ndis.sys
     \SystemRoot\system32\drivers\NETIO.SYS
     \SystemRoot\System32\Drivers\ksecpkg.sys
     \SystemRoot\System32\drivers\tcpip.sys
     \SystemRoot\System32\drivers\fwpkclnt.sys
     \SystemRoot\system32\DRIVERS\volsnap.sys
     \SystemRoot\System32\Drivers\spldr.sys
     \SystemRoot\System32\drivers\rdyboost.sys
     \SystemRoot\System32\Drivers\mup.sys
     \SystemRoot\System32\drivers\hwpolicy.sys
     \SystemRoot\System32\DRIVERS\fvevol.sys
     \SystemRoot\system32\DRIVERS\disk.sys
     \SystemRoot\system32\DRIVERS\cdrom.sys
     \SystemRoot\System32\Drivers\Null.SYS
     \SystemRoot\System32\Drivers\Beep.SYS
     \SystemRoot\System32\drivers\vga.sys
     \SystemRoot\System32\drivers\VIDEOPRT.SYS
     \SystemRoot\System32\drivers\watchdog.sys
     \SystemRoot\System32\DRIVERS\RDPCDD.sys
     \SystemRoot\system32\drivers\rdpencdd.sys
     \SystemRoot\system32\drivers\rdprefmp.sys
     \SystemRoot\System32\Drivers\Msfs.SYS
     \SystemRoot\System32\Drivers\Npfs.SYS
     \SystemRoot\system32\DRIVERS\tdx.sys
     \SystemRoot\system32\DRIVERS\TDI.SYS
     \SystemRoot\System32\DRIVERS\netbt.sys
     \SystemRoot\system32\drivers\afd.sys
     \SystemRoot\system32\drivers\ws2ifsl.sys
     \SystemRoot\system32\DRIVERS\wfplwf.sys
     \SystemRoot\system32\DRIVERS\pacer.sys
     \SystemRoot\system32\DRIVERS\netbios.sys
     \SystemRoot\system32\DRIVERS\serial.sys
     \SystemRoot\system32\DRIVERS\wanarp.sys
     \SystemRoot\system32\DRIVERS\termdd.sys
     \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
     \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
     \SystemRoot\system32\DRIVERS\rdbss.sys
     \SystemRoot\system32\drivers\nsiproxy.sys
     \SystemRoot\system32\DRIVERS\mssmbios.sys
     \SystemRoot\System32\drivers\discache.sys
     \SystemRoot\System32\Drivers\dfsc.sys
     \SystemRoot\system32\DRIVERS\blbdrive.sys
     \SystemRoot\system32\DRIVERS\tunnel.sys
     \SystemRoot\system32\DRIVERS\amdppm.sys
     \SystemRoot\system32\DRIVERS\nvlddmkm.sys
     \SystemRoot\System32\drivers\dxgkrnl.sys
     \SystemRoot\System32\drivers\dxgmms1.sys
     \SystemRoot\system32\DRIVERS\HDAudBus.sys
     \SystemRoot\system32\DRIVERS\Rt64win7.sys
     \SystemRoot\system32\DRIVERS\usbohci.sys
     \SystemRoot\system32\DRIVERS\USBPORT.SYS
     \SystemRoot\system32\DRIVERS\usbehci.sys
     \SystemRoot\system32\DRIVERS\parport.sys
     \SystemRoot\system32\DRIVERS\ASACPI.sys
     \SystemRoot\system32\DRIVERS\i8042prt.sys
     \SystemRoot\system32\DRIVERS\kbdclass.sys
     \SystemRoot\system32\DRIVERS\serenum.sys
     \SystemRoot\System32\Drivers\akpvt71p.SYS
     \SystemRoot\system32\DRIVERS\wmiacpi.sys
     \SystemRoot\system32\DRIVERS\CompositeBus.sys
     \SystemRoot\system32\DRIVERS\AgileVpn.sys
     \SystemRoot\system32\DRIVERS\rasl2tp.sys
     \SystemRoot\system32\DRIVERS\ndistapi.sys
     \SystemRoot\system32\DRIVERS\ndiswan.sys
     \SystemRoot\system32\DRIVERS\raspppoe.sys
     \SystemRoot\system32\DRIVERS\raspptp.sys
     \SystemRoot\system32\DRIVERS\rassstp.sys
     \SystemRoot\system32\DRIVERS\mouclass.sys
     \SystemRoot\system32\DRIVERS\swenum.sys
     \SystemRoot\system32\DRIVERS\ks.sys
     \SystemRoot\system32\DRIVERS\umbus.sys
     \SystemRoot\system32\DRIVERS\usbhub.sys
     \SystemRoot\System32\Drivers\NDProxy.SYS
     \SystemRoot\system32\drivers\nvhda64v.sys
     \SystemRoot\system32\drivers\portcls.sys
     \SystemRoot\system32\drivers\drmk.sys
     \SystemRoot\system32\drivers\ksthunk.sys
     \SystemRoot\system32\drivers\HdAudio.sys
     \SystemRoot\System32\win32k.sys
     \SystemRoot\System32\drivers\Dxapi.sys
     \SystemRoot\System32\Drivers\crashdmp.sys
     \SystemRoot\System32\Drivers\dump_dumpata.sys
     \SystemRoot\System32\Drivers\dump_atapi.sys
     \SystemRoot\System32\Drivers\dump_dumpfve.sys
     \SystemRoot\system32\DRIVERS\monitor.sys
     \SystemRoot\System32\TSDDD.dll
     \SystemRoot\system32\DRIVERS\usbccgp.sys
     \SystemRoot\system32\DRIVERS\USBD.SYS
     \SystemRoot\system32\drivers\usbaudio.sys
     \SystemRoot\system32\DRIVERS\hidusb.sys
     \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
     \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
     \SystemRoot\system32\DRIVERS\mouhid.sys
     \SystemRoot\System32\cdd.dll
     \SystemRoot\system32\drivers\luafv.sys
     \SystemRoot\system32\drivers\WudfPf.sys
     \SystemRoot\system32\DRIVERS\lltdio.sys
     \SystemRoot\system32\DRIVERS\rspndr.sys
     \SystemRoot\system32\drivers\HTTP.sys
     \SystemRoot\System32\DRIVERS\srvnet.sys
     \SystemRoot\system32\DRIVERS\bowser.sys
     \SystemRoot\system32\DRIVERS\mrxsmb.sys
     \SystemRoot\system32\DRIVERS\mrxsmb10.sys
     \SystemRoot\system32\DRIVERS\mrxsmb20.sys
     \SystemRoot\System32\DRIVERS\srv2.sys
     \SystemRoot\System32\DRIVERS\srv.sys
     \SystemRoot\system32\DRIVERS\atksgt.sys
     \SystemRoot\system32\DRIVERS\lirsgt.sys
     \SystemRoot\system32\drivers\peauth.sys
     \SystemRoot\System32\Drivers\secdrv.SYS
     \SystemRoot\System32\drivers\tcpipreg.sys
     \SystemRoot\system32\DRIVERS\asyncmac.sys
     \??\C:\Windows\system32\drivers\mbamchameleon.sys
     \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
     \Windows\System32\ntdll.dll
     \Windows\System32\smss.exe
     \Windows\System32\apisetschema.dll
     \Windows\System32\autochk.exe
     \Windows\System32\setupapi.dll
     \Windows\System32\ole32.dll
     \Windows\System32\gdi32.dll
     \Windows\System32\iertutil.dll
     \Windows\System32\msctf.dll
     \Windows\System32\clbcatq.dll
     \Windows\System32\imm32.dll
     \Windows\System32\nsi.dll
     \Windows\System32\urlmon.dll
     \Windows\System32\psapi.dll
     \Windows\System32\user32.dll
     \Windows\System32\normaliz.dll
     \Windows\System32\wininet.dll
     \Windows\System32\advapi32.dll
     \Windows\System32\rpcrt4.dll
     \Windows\System32\sechost.dll
     \Windows\System32\shlwapi.dll
     \Windows\System32\lpk.dll
     \Windows\System32\imagehlp.dll
     \Windows\System32\kernel32.dll
     \Windows\System32\usp10.dll
     \Windows\System32\shell32.dll
     \Windows\System32\difxapi.dll
     \Windows\System32\msvcrt.dll
     \Windows\System32\Wldap32.dll
     \Windows\System32\oleaut32.dll
     \Windows\System32\comdlg32.dll
     \Windows\System32\ws2_32.dll
     \Windows\System32\crypt32.dll
     \Windows\System32\cfgmgr32.dll
     \Windows\System32\KernelBase.dll
     \Windows\System32\comctl32.dll
     \Windows\System32\wintrust.dll
     \Windows\System32\devobj.dll
     \Windows\System32\msasn1.dll
     \Windows\SysWOW64\normaliz.dll
     ----------- End -----------
     Done!
     <<<1>>>
     Upper Device Name: \Device\Harddisk0\DR0
     Upper Device Object: 0xfffffa8004abe060
     Upper Device Driver Name: \Driver\Disk\
     Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
     Lower Device Object: 0xfffffa8004841060
     Lower Device Driver Name: \Driver\atapi\
     IRP handler 0 of \Driver\atapi points to an unknown module
     Unhooking enabled.
     <<<1>>>
     Upper Device Name: \Device\Harddisk0\DR0
     Upper Device Object: 0xfffffa8004abe060
     Upper Device Driver Name: \Driver\Disk\
     Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
     Lower Device Object: 0xfffffa8004841060
     Lower Device Driver Name: \Driver\atapi\
     Driver name found: atapi
     Initialization returned 0x0
     Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
     Load Function returned 0x0
     <<<2>>>
     Physical Sector Size: 512
     Drive: 0, DevicePointer: 0xfffffa8004abe060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
     --------- Disk Stack ------
     DevicePointer: 0xfffffa80049468c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
     DevicePointer: 0xfffffa8004abe060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
     DevicePointer: 0xfffffa8004858520, DeviceName: Unknown, DriverName: \Driver\ACPI\
     DevicePointer: 0xfffffa8004841060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
     ------------ End ----------
     Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
     Upper DeviceData: 0xfffff8a00bd27590, 0xfffffa8004abe060, 0xfffffa80045d0790
     Lower DeviceData: 0xfffff8a00bce57f0, 0xfffffa8004841060, 0xfffffa800452de40
     <<<3>>>
     Volume: C:
     File system type: NTFS
     SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
     <<<2>>>
     <<<3>>>
     Volume: C:
     File system type: NTFS
     SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
     Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
     <<<2>>>
     <<<3>>>
     Volume: C:
     File system type: NTFS
     SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
     File user open failed: C:\WINDOWS\SYSTEM32\drivers\sptd.sys (0x00000020)
     Done!
     Drive 0
     Scanning MBR on drive 0...
     Inspecting partition table:
     MBR Signature: 55AA
     Disk Signature: D2A1CA1E
     Partition information:
         Partition 0 type is Primary (0x7)
         Partition is ACTIVE.
         Partition starts at LBA: 2048  Numsec = 204800
         Partition file system is NTFS
         Partition is bootable
         Partition 1 type is Primary (0x7)
         Partition is NOT ACTIVE.
         Partition starts at LBA: 206848  Numsec = 976564224
         Partition 2 type is Empty (0x0)
         Partition is NOT ACTIVE.
         Partition starts at LBA: 0  Numsec = 0
         Partition 3 type is Empty (0x0)
         Partition is NOT ACTIVE.
         Partition starts at LBA: 0  Numsec = 0
     Disk Size: 500107862016 bytes
     Sector size: 512 bytes
     Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
     Done!
     Infected: C:\Users\Dook\AppData\Local\Temp\svchost.exe --> [Trojan.BitCoinMiner]
     Infected: C:\Users\Dook\AppData\Local\Temp\phatk121016.cl --> [Trojan.BitcoinMiner]
     Infected: C:\Users\Dook\AppData\Local\Temp\scrypt130511.cl --> [Trojan.BitcoinMiner]
     Infected: C:\Users\Dook\AppData\Local\Temp\diablo130302.cl --> [Trojan.BitcoinMiner]
     Infected: C:\Users\Dook\AppData\Local\Temp\poclbm130302.cl --> [Trojan.BitcoinMiner]
     Infected: C:\Users\Dook\AppData\Local\Temp\diakgcn121016.cl --> [Trojan.BitcoinMiner]
     Scan finished
     Creating System Restore point...
     Cleaning up...
     Removal scheduling successful. System shutdown needed.
     System shutdown occurred
     =======================================
     Removal queue found; removal started
     Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
     Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
     Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
     Removal finished

     RKreport did not generate an "RKreport(2).txt" file, but here is a file it generated:

     RogueKiller V8.8.8 _x64_ [Feb 19 2014] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://forum.adlice.com
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://www.adlice.com
     Operating System : Windows 7 (6.1.7600 ) 64 bits version
     Started in : Normal mode
     User : Dook [Admin rights]
     Mode : Scan -- Date : 02/21/2014 22:29:07
     | ARK || FAK || MBR |
     ¤¤¤ Bad processes : 0 ¤¤¤
     ¤¤¤ Registry Entries : 0 ¤¤¤
     ¤¤¤ Scheduled tasks : 0 ¤¤¤
     ¤¤¤ Startup Entries : 0 ¤¤¤
     ¤¤¤ Web browsers : 0 ¤¤¤
     ¤¤¤ Browser Addons : 0 ¤¤¤
     ¤¤¤ Particular Files / Folders: ¤¤¤
     ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
     ¤¤¤ External Hives: ¤¤¤
     ¤¤¤ Infection : ¤¤¤
     ¤¤¤ HOSTS File: ¤¤¤
     --> %SystemRoot%\System32\drivers\etc\hosts
     127.0.0.1 localhost
     ¤¤¤ MBR Check: ¤¤¤
     +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HDS721050CLA362 ATA Device +++++
     --- User ---
     [MBR] 79afe5bcbfc5f257e57928f6acf34914
     [bSP] 1f84320b928eeee4fd2e6532c395516f : Windows 7/8 MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
     1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!
     Finished : << RKreport[0]_S_02212014_222907.txt >>
     RKreport[0]_D_02212014_220541.txt;RKreport[0]_S_02212014_220257.txt
  2. The system is still infected. I can tell because a process called nacl64.exe is running during a normal Windows session (although it still doesn't run in safe mode, there are still symptoms showing, none as clear as this one though).
  3. Initially ComboFix would not run at all, not even in safe mode. I got the following error when I attempted to execute the file (even as administrator): "Windows cannot find 'c:\users\dook\desktop\combofix.exe' Make sure you typed the name correctly and try again." I then changed the name of combofix.exe to 1combofix.exe, and it launched and generated a log file. I will reboot and see how things are and then come back; I just didn't want to lose this log file somehow.

     ComboFix log:

     ------------------------------
     ComboFix 14-02-20.01 - Dook 02/21/2014 16:21:37.3.4 - x64 NETWORK
     Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4094.3410 [GMT -5:00]
     Running from: c:\users\Dook\Desktop\1ComboFix.exe
     SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
      * Created a new restore point
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     C:\install.exe
     c:\programdata\737923934.exe
     c:\temp\svchost.exe
     c:\users\Dook\AppData\Local\Temp\_uninstall\_uninstall1168
     c:\users\Dook\AppData\Local\Temp\{66031825-925D-4D02-B668-6AB0FF28F704}\setup.isn
     c:\users\Dook\AppData\Local\Temp\2eahvb1p.tl2\Menu_Select11.wav
     c:\users\Dook\AppData\Local\Temp\a5iqfonu.uv3\Menu_Select03.wav
     c:\users\Dook\AppData\Local\Temp\acro_rd_dir\Cookies\index.dat
     c:\users\Dook\AppData\Local\Temp\acro_rd_dir\fla6B97.tmp
     c:\users\Dook\AppData\Local\Temp\acro_rd_dir\fla73EE.tmp
     c:\users\Dook\AppData\Local\Temp\acro_rd_dir\fla7866.tmp
     c:\users\Dook\AppData\Local\Temp\acro_rd_dir\fla8C07.tmp
     c:\users\Dook\AppData\Local\Temp\acro_rd_dir\flaF002.tmp
     c:\users\Dook\AppData\Local\Temp\acro_rd_dir\History\History.IE5\desktop.ini
     c:\users\Dook\AppData\Local\Temp\acro_rd_dir\History\History.IE5\index.dat
     c:\users\Dook\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\5ZNCVVK2\desktop.ini
     c:\users\Dook\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\9UJ2HIS7\desktop.ini
c:\users\Dook\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\desktop.ini c:\users\Dook\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\index.dat c:\users\Dook\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\VT7NPY2J\desktop.ini c:\users\Dook\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5\W83NXTXS\desktop.ini c:\users\Dook\AppData\Local\Temp\be29e7f1-71ae-4703-50cb-1d52be512f51\twapi-be29e7f1-71ae-4703-50cb-1d52be512f51.dll c:\users\Dook\AppData\Local\Temp\Cookies\index.dat c:\users\Dook\AppData\Local\Temp\DXREDIST\Apr2005_d3dx9_25_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Apr2005_d3dx9_25_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Apr2006_d3dx9_30_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Apr2006_d3dx9_30_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Apr2006_MDX1_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Apr2006_MDX1_x86_Archive.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Apr2006_XACT_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Apr2006_XACT_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Apr2006_xinput_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Apr2006_xinput_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\APR2007_d3dx10_33_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\APR2007_d3dx10_33_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\APR2007_d3dx9_33_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\APR2007_d3dx9_33_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\APR2007_XACT_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\APR2007_XACT_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\APR2007_xinput_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\APR2007_xinput_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Aug2005_d3dx9_27_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Aug2005_d3dx9_27_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\AUG2006_XACT_x64.cab 
c:\users\Dook\AppData\Local\Temp\DXREDIST\AUG2006_XACT_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\AUG2006_xinput_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\AUG2006_xinput_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\AUG2007_d3dx10_35_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\AUG2007_d3dx10_35_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\AUG2007_d3dx9_35_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\AUG2007_d3dx9_35_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\AUG2007_XACT_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\AUG2007_XACT_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\BDANT.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\BDAXP.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Coupon.xps c:\users\Dook\AppData\Local\Temp\DXREDIST\Dec2005_d3dx9_28_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Dec2005_d3dx9_28_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\DEC2006_d3dx10_00_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\DEC2006_d3dx10_00_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\DEC2006_d3dx9_32_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\DEC2006_d3dx9_32_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\DEC2006_XACT_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\DEC2006_XACT_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\DSETUP.dll c:\users\Dook\AppData\Local\Temp\DXREDIST\dsetup32.dll c:\users\Dook\AppData\Local\Temp\DXREDIST\dxdllreg_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\dxnt.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\DXSETUP.exe c:\users\Dook\AppData\Local\Temp\DXREDIST\dxupdate.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Feb2005_d3dx9_24_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Feb2005_d3dx9_24_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Feb2006_d3dx9_29_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Feb2006_d3dx9_29_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Feb2006_XACT_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Feb2006_XACT_x86.cab 
c:\users\Dook\AppData\Local\Temp\DXREDIST\FEB2007_XACT_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\FEB2007_XACT_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Jun2005_d3dx9_26_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Jun2005_d3dx9_26_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\JUN2006_XACT_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\JUN2006_XACT_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\JUN2007_d3dx10_34_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\JUN2007_d3dx10_34_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\JUN2007_d3dx9_34_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\JUN2007_d3dx9_34_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\JUN2007_XACT_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\JUN2007_XACT_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Jun2008_d3dx10_38_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Jun2008_d3dx10_38_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Jun2008_d3dx9_38_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Jun2008_d3dx9_38_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Jun2008_X3DAudio_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Jun2008_X3DAudio_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Jun2008_XACT_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Jun2008_XACT_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Jun2008_XAudio_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Jun2008_XAudio_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Mar2008_d3dx10_37_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Mar2008_d3dx10_37_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Mar2008_d3dx9_37_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Mar2008_d3dx9_37_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Mar2008_X3DAudio_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Mar2008_X3DAudio_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Mar2008_XACT_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Mar2008_XACT_x86.cab 
c:\users\Dook\AppData\Local\Temp\DXREDIST\Mar2008_XAudio_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Mar2008_XAudio_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\NOV2007_d3dx10_36_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\NOV2007_d3dx10_36_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\NOV2007_d3dx9_36_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\NOV2007_d3dx9_36_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\NOV2007_X3DAudio_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\NOV2007_X3DAudio_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\NOV2007_XACT_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\NOV2007_XACT_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Oct2005_xinput_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\Oct2005_xinput_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\OCT2006_d3dx9_31_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\OCT2006_d3dx9_31_x86.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\OCT2006_XACT_x64.cab c:\users\Dook\AppData\Local\Temp\DXREDIST\OCT2006_XACT_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Binaries\InstallData\eula.rtf c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Binaries\UnSetup.exe c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\AMD\amdcpusetup.exe c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\Binaries\InstallData\eula.rtf c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\Binaries\UnSetup.exe c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\APR2007_xinput_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\APR2007_xinput_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\DSETUP.dll 
c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\dsetup32.dll c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\dxdllreg_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\DXSETUP.exe c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\dxupdate.cab c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\Feb2010_X3DAudio_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\Feb2010_X3DAudio_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\Jun2010_D3DCompiler_43_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\Jun2010_D3DCompiler_43_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\Jun2010_d3dx11_43_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\Jun2010_d3dx11_43_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\Jun2010_d3dx9_43_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\Jun2010_d3dx9_43_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\Jun2010_XAudio_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\DXRedistCutdown\Jun2010_XAudio_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\vcredist_x64_vs2010sp1.exe c:\users\Dook\AppData\Local\Temp\Epic-0540425a-ad2d-4e0a-833a-bd95cb819025\Redist\vcredist_x86_vs2010sp1.exe 
c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Binaries\InstallData\eula.rtf c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Binaries\UnSetup.exe c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\AMD\amdcpusetup.exe c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\Binaries\InstallData\eula.rtf c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\Binaries\UnSetup.exe c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\APR2007_xinput_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\APR2007_xinput_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\DSETUP.dll c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\dsetup32.dll c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\dxdllreg_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\DXSETUP.exe c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\dxupdate.cab c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\Feb2010_X3DAudio_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\Feb2010_X3DAudio_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\Jun2010_D3DCompiler_43_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\Jun2010_D3DCompiler_43_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\Jun2010_d3dx11_43_x64.cab 
c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\Jun2010_d3dx11_43_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\Jun2010_d3dx9_43_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\Jun2010_d3dx9_43_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\Jun2010_XAudio_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\DXRedistCutdown\Jun2010_XAudio_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\vcredist_x64_vs2010sp1.exe c:\users\Dook\AppData\Local\Temp\Epic-06cf5ecc-82df-4106-b304-8b44f8515bda\Redist\vcredist_x86_vs2010sp1.exe c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Binaries\InstallData\eula.rtf c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Binaries\UnSetup.exe c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\AMD\amdcpusetup.exe c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\Binaries\InstallData\eula.rtf c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\Binaries\UnSetup.exe c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\APR2007_xinput_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\APR2007_xinput_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\DSETUP.dll c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\dsetup32.dll c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\dxdllreg_x86.cab 
c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\DXSETUP.exe c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\dxupdate.cab c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\Feb2010_X3DAudio_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\Feb2010_X3DAudio_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\Jun2010_D3DCompiler_43_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\Jun2010_D3DCompiler_43_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\Jun2010_d3dx11_43_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\Jun2010_d3dx11_43_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\Jun2010_d3dx9_43_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\Jun2010_d3dx9_43_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\Jun2010_XAudio_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\DXRedistCutdown\Jun2010_XAudio_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\vcredist_x64_vs2010sp1.exe c:\users\Dook\AppData\Local\Temp\Epic-2dca062f-82df-48e1-986e-139f794f5ea8\Redist\vcredist_x86_vs2010sp1.exe c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Binaries\InstallData\eula.rtf c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Binaries\UnSetup.exe c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\AMD\amdcpusetup.exe 
c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\Binaries\InstallData\eula.rtf c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\Binaries\UnSetup.exe c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\APR2007_xinput_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\APR2007_xinput_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\DSETUP.dll c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\dsetup32.dll c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\dxdllreg_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\DXSETUP.exe c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\dxupdate.cab c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\Feb2010_X3DAudio_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\Feb2010_X3DAudio_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\Jun2010_D3DCompiler_43_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\Jun2010_D3DCompiler_43_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\Jun2010_d3dx11_43_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\Jun2010_d3dx11_43_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\Jun2010_d3dx9_43_x64.cab 
c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\Jun2010_d3dx9_43_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\Jun2010_XAudio_x64.cab c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\DXRedistCutdown\Jun2010_XAudio_x86.cab c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\vcredist_x64_vs2010sp1.exe c:\users\Dook\AppData\Local\Temp\Epic-448af87d-84b3-4a95-b17b-213f6018bf36\Redist\vcredist_x86_vs2010sp1.exe c:\users\Dook\AppData\Local\Temp\foido0n3.qdj\Menu_Select03.wav c:\users\Dook\AppData\Local\Temp\G4WL\dotnetfx3.exe c:\users\Dook\AppData\Local\Temp\G4WL\dotnetfx3_x64.exe c:\users\Dook\AppData\Local\Temp\G4WL\msiexec.exe c:\users\Dook\AppData\Local\Temp\G4WL\vcredist_x86.exe c:\users\Dook\AppData\Local\Temp\G4WL\XLiveRedist01.02.0241.00.msi c:\users\Dook\AppData\Local\Temp\History\History.IE5\desktop.ini c:\users\Dook\AppData\Local\Temp\History\History.IE5\index.dat c:\users\Dook\AppData\Local\Temp\i1ruykcp.hzh\Menu_Select03.wav c:\users\Dook\AppData\Local\Temp\is-0A355.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-0A355.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-0A355.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-0FSDA.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-0FSDA.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-0FSDA.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-0K59K.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-0K59K.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-0K59K.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-10U1N.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-10U1N.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-10U1N.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-18CO4.tmp\_isetup\_setup64.tmp 
c:\users\Dook\AppData\Local\Temp\is-18CO4.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-18CO4.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-1I329.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-1I329.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-1I329.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-27FA1.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-27FA1.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-27FA1.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-4KEFH.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-4KEFH.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-4KEFH.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-4NGAQ.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-4NGAQ.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-4NGAQ.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-4V0GO.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-4V0GO.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-4V0GO.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-6EQUJ.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-6EQUJ.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-6EQUJ.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-6N0NP.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-6N0NP.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-6N0NP.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-73829.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-73829.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-73829.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-778HJ.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-778HJ.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-778HJ.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-7RNOJ.tmp\_isetup\_setup64.tmp 
c:\users\Dook\AppData\Local\Temp\is-7RNOJ.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-7RNOJ.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-7U2EU.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-7U2EU.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-7U2EU.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-7VHBG.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-7VHBG.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-7VHBG.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-8E9U7.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-8E9U7.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-8E9U7.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-9PBD9.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-9PBD9.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-9PBD9.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-9Q167.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-9Q167.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-9Q167.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-B2TJU.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-B2TJU.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-B2TJU.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-DG0D5.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-DG0D5.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-DG0D5.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-DPHD0.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-DPHD0.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-DPHD0.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-EQOGK.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-EQOGK.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-EQOGK.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-FH8EU.tmp\_isetup\_setup64.tmp 
c:\users\Dook\AppData\Local\Temp\is-FH8EU.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-FH8EU.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-GVNDU.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-GVNDU.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-GVNDU.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-JSILQ.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-JSILQ.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-JSILQ.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-KKHKH.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-KKHKH.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-KKHKH.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-LAOK4.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-LAOK4.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-LAOK4.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-LLIGF.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-LLIGF.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-LLIGF.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-LRSAS.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-LRSAS.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-LRSAS.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-LTHBL.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-LTHBL.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-LTHBL.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-N771U.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-N771U.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-N771U.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-N9UBV.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-N9UBV.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-N9UBV.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-NIE2P.tmp\_isetup\_setup64.tmp 
c:\users\Dook\AppData\Local\Temp\is-NIE2P.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-NIE2P.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-PT6QV.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-PT6QV.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-PT6QV.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-RKOUP.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-RKOUP.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-RKOUP.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-S0IFS.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-S0IFS.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-S0IFS.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-S651D.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-S651D.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-S651D.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-S96MM.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-S96MM.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-S96MM.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-TBPV3.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-TBPV3.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-TBPV3.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-U96MK.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-U96MK.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-U96MK.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\is-UEA4M.tmp\_isetup\_setup64.tmp c:\users\Dook\AppData\Local\Temp\is-UEA4M.tmp\_isetup\_shfoldr.dll c:\users\Dook\AppData\Local\Temp\is-UEA4M.tmp\bassmusic.dll c:\users\Dook\AppData\Local\Temp\jghrf2uq.yfw\Menu_Select11.wav c:\users\Dook\AppData\Local\Temp\jrt\APPID_clsid.dat c:\users\Dook\AppData\Local\Temp\jrt\APPID_files.dat c:\users\Dook\AppData\Local\Temp\jrt\APPPATHS.dat c:\users\Dook\AppData\Local\Temp\jrt\APPROVEDEXTENSIONS_clsid.dat 
c:\users\Dook\AppData\Local\Temp\jrt\ask.bat c:\users\Dook\AppData\Local\Temp\jrt\askCLSID.dat c:\users\Dook\AppData\Local\Temp\jrt\askregkey_x64.dat c:\users\Dook\AppData\Local\Temp\jrt\askregkey_x86.dat c:\users\Dook\AppData\Local\Temp\jrt\askregvalue_x64.dat c:\users\Dook\AppData\Local\Temp\jrt\askregvalue_x86.dat c:\users\Dook\AppData\Local\Temp\jrt\askservices.dat c:\users\Dook\AppData\Local\Temp\jrt\badAPPINIT.dat c:\users\Dook\AppData\Local\Temp\jrt\badFOLDERS.cfg c:\users\Dook\AppData\Local\Temp\jrt\badFOLDERScom.cfg c:\users\Dook\AppData\Local\Temp\jrt\badFOLDERSstart.cfg c:\users\Dook\AppData\Local\Temp\jrt\badLNK.cfg c:\users\Dook\AppData\Local\Temp\jrt\badvalues.cfg c:\users\Dook\AppData\Local\Temp\jrt\BHO_clsid.dat c:\users\Dook\AppData\Local\Temp\jrt\BHO_name.dat c:\users\Dook\AppData\Local\Temp\jrt\browsermngr_keys.cfg c:\users\Dook\AppData\Local\Temp\jrt\browsermngr_values.cfg c:\users\Dook\AppData\Local\Temp\jrt\CHOICE.DAT c:\users\Dook\AppData\Local\Temp\jrt\CHR_extensions.cfg c:\users\Dook\AppData\Local\Temp\jrt\chrome.bat c:\users\Dook\AppData\Local\Temp\jrt\CHRregkey_x64.cfg c:\users\Dook\AppData\Local\Temp\jrt\CHRregkey_x86.cfg c:\users\Dook\AppData\Local\Temp\jrt\CLSID_clsid.dat c:\users\Dook\AppData\Local\Temp\jrt\currentmd5.txt c:\users\Dook\AppData\Local\Temp\jrt\CUT.DAT c:\users\Dook\AppData\Local\Temp\jrt\defaultscope.cfg c:\users\Dook\AppData\Local\Temp\jrt\delfolders.bat c:\users\Dook\AppData\Local\Temp\jrt\delorphans.bat c:\users\Dook\AppData\Local\Temp\jrt\ELEVATIONPOLICY_clsid.dat c:\users\Dook\AppData\Local\Temp\jrt\erunt\ERDNT.E_E c:\users\Dook\AppData\Local\Temp\jrt\erunt\ERDNTDOS.LOC c:\users\Dook\AppData\Local\Temp\jrt\erunt\ERDNTWIN.LOC c:\users\Dook\AppData\Local\Temp\jrt\erunt\ERUNT.EXE.manifest c:\users\Dook\AppData\Local\Temp\jrt\erunt\ERUNT.LOC c:\users\Dook\AppData\Local\Temp\jrt\erunt\README.TXT c:\users\Dook\AppData\Local\Temp\jrt\ev_clear.bat c:\users\Dook\AppData\Local\Temp\jrt\EXT.dat 
c:\users\Dook\AppData\Local\Temp\jrt\FFbrowsermngr.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFextensions.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFpluginREG.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFplugins.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFprefs.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFregkey_x64.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFregkey_x86.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFwhtlist.cfg
c:\users\Dook\AppData\Local\Temp\jrt\FFXML.dat
c:\users\Dook\AppData\Local\Temp\jrt\FFXPI.dat
c:\users\Dook\AppData\Local\Temp\jrt\firefox.bat
c:\users\Dook\AppData\Local\Temp\jrt\FWCLSID.dat
c:\users\Dook\AppData\Local\Temp\jrt\IEwhtlst.cfg
c:\users\Dook\AppData\Local\Temp\jrt\IFEO.dat
c:\users\Dook\AppData\Local\Temp\jrt\INTERFACE_clsid.dat
c:\users\Dook\AppData\Local\Temp\jrt\MENUEXT.dat
c:\users\Dook\AppData\Local\Temp\jrt\misc.bat
c:\users\Dook\AppData\Local\Temp\jrt\modules.dat
c:\users\Dook\AppData\Local\Temp\jrt\moduleservices.dat
c:\users\Dook\AppData\Local\Temp\jrt\newmd5.txt
c:\users\Dook\AppData\Local\Temp\jrt\NIRCMD.DAT
c:\users\Dook\AppData\Local\Temp\jrt\NOTIFY.dat
c:\users\Dook\AppData\Local\Temp\jrt\PREAPPROVED_clsid.dat
c:\users\Dook\AppData\Local\Temp\jrt\PRODUCTS.dat
c:\users\Dook\AppData\Local\Temp\jrt\REGhcr.cfg
c:\users\Dook\AppData\Local\Temp\jrt\REGhkcu_and_hklm_allow.cfg
c:\users\Dook\AppData\Local\Temp\jrt\REGhkcu_and_hklm_software.cfg
c:\users\Dook\AppData\Local\Temp\jrt\REGhkcu_software_appdatalow.cfg
c:\users\Dook\AppData\Local\Temp\jrt\REGhkcu_software_microsoft.cfg
c:\users\Dook\AppData\Local\Temp\jrt\REGhklm_software_classes.cfg
c:\users\Dook\AppData\Local\Temp\jrt\REGISTRYUSERSID.cfg
c:\users\Dook\AppData\Local\Temp\jrt\runvalues_x64.cfg
c:\users\Dook\AppData\Local\Temp\jrt\runvalues_x86.cfg
c:\users\Dook\AppData\Local\Temp\jrt\S1518COMPONENTS.dat
c:\users\Dook\AppData\Local\Temp\jrt\SED.DAT
c:\users\Dook\AppData\Local\Temp\jrt\sednewline.txt
c:\users\Dook\AppData\Local\Temp\jrt\services.dat
c:\users\Dook\AppData\Local\Temp\jrt\serviceseventlog.cfg
c:\users\Dook\AppData\Local\Temp\jrt\SETTINGS_clsid.dat
c:\users\Dook\AppData\Local\Temp\jrt\SHORTCUT.DAT
c:\users\Dook\AppData\Local\Temp\jrt\STATS_clsid.dat
c:\users\Dook\AppData\Local\Temp\jrt\temp\null.txt
c:\users\Dook\AppData\Local\Temp\jrt\TRACING.dat
c:\users\Dook\AppData\Local\Temp\jrt\TYPELIB_clsid.dat
c:\users\Dook\AppData\Local\Temp\jrt\UNINSTALL.dat
c:\users\Dook\AppData\Local\Temp\jrt\UpgradeCodes.dat
c:\users\Dook\AppData\Local\Temp\jrt\WGET.DAT
c:\users\Dook\AppData\Local\Temp\jrt\WOW6432NODE.dat
c:\users\Dook\AppData\Local\Temp\pk52pezg.wuf\Menu_Select11.wav
c:\users\Dook\AppData\Local\Temp\SUPERSetup\languages.txt
c:\users\Dook\AppData\Local\Temp\SUPERSetup\setup.db3
c:\users\Dook\AppData\Local\Temp\SUPERSetup\setup.dll
c:\users\Dook\AppData\Local\Temp\Temporary Internet Files\Content.IE5\772GECJO\desktop.ini
c:\users\Dook\AppData\Local\Temp\Temporary Internet Files\Content.IE5\9B32K8FB\desktop.ini
c:\users\Dook\AppData\Local\Temp\Temporary Internet Files\Content.IE5\BJUZKIIV\desktop.ini
c:\users\Dook\AppData\Local\Temp\Temporary Internet Files\Content.IE5\desktop.ini
c:\users\Dook\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
c:\users\Dook\AppData\Local\Temp\Temporary Internet Files\Content.IE5\KRFKNLOU\desktop.ini
c:\users\Dook\AppData\Local\Temp\wrd-107c-12f0-28e7ca6c.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-107c-12f0-28e7ca6c.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-107c-12f0-28e7ca6c.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-107c-12f0-28e7ca6c.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-107c-12f0-28e7ca6c.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-107c-12f0-28e7ca6c.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-132c-dfc-2dd6b4d6.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-132c-dfc-2dd6b4d6.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-132c-dfc-2dd6b4d6.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-132c-dfc-2dd6b4d6.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-132c-dfc-2dd6b4d6.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-132c-dfc-2dd6b4d6.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-13b0-12d4-3da21e3d.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-13b0-12d4-3da21e3d.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-13b0-12d4-3da21e3d.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-13b0-12d4-3da21e3d.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-13b0-12d4-3da21e3d.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-13b0-12d4-3da21e3d.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-190-137c-2113e38f.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-190-137c-2113e38f.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-190-137c-2113e38f.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-190-137c-2113e38f.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-190-137c-2113e38f.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-190-137c-2113e38f.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-1b0-d1c-1633dcee.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-1b0-d1c-1633dcee.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-1b0-d1c-1633dcee.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-1b0-d1c-1633dcee.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-1b0-d1c-1633dcee.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-1b0-d1c-1633dcee.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-22f4-28d0-659838c2.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-22f4-28d0-659838c2.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-22f4-28d0-659838c2.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-22f4-28d0-659838c2.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-22f4-28d0-659838c2.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-22f4-28d0-659838c2.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-2e8-668-cc1c40.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-2e8-668-cc1c40.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-2e8-668-cc1c40.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-2e8-668-cc1c40.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-2e8-668-cc1c40.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-2e8-668-cc1c40.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-438-1160-27bc453a.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-438-1160-27bc453a.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-438-1160-27bc453a.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-438-1160-27bc453a.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-438-1160-27bc453a.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-438-1160-27bc453a.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-464-f7c-274a9749.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-464-f7c-274a9749.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-464-f7c-274a9749.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-464-f7c-274a9749.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-464-f7c-274a9749.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-464-f7c-274a9749.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-51c-9f8-2a2d2.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-51c-9f8-2a2d2.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-51c-9f8-2a2d2.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-51c-9f8-2a2d2.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-51c-9f8-2a2d2.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-51c-9f8-2a2d2.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-51c-9f8-2a2d2.~lk\4.mdd
c:\users\Dook\AppData\Local\Temp\wrd-cc8-dd4-bbfb9fa.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-cc8-dd4-bbfb9fa.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-cc8-dd4-bbfb9fa.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-cc8-dd4-bbfb9fa.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-cc8-dd4-bbfb9fa.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-cc8-dd4-bbfb9fa.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\wrd-fa8-1b50-29f78be2.~lk\~swd1.dat
c:\users\Dook\AppData\Local\Temp\wrd-fa8-1b50-29f78be2.~lk\~swd1.swf
c:\users\Dook\AppData\Local\Temp\wrd-fa8-1b50-29f78be2.~lk\0.mdd
c:\users\Dook\AppData\Local\Temp\wrd-fa8-1b50-29f78be2.~lk\1.mdd
c:\users\Dook\AppData\Local\Temp\wrd-fa8-1b50-29f78be2.~lk\2.mdd
c:\users\Dook\AppData\Local\Temp\wrd-fa8-1b50-29f78be2.~lk\3.mdd
c:\users\Dook\AppData\Local\Temp\z3izla2e.o5q\Menu_Select11.wav
c:\users\Dook\AppData\Roaming\AB4D2F.dat
c:\users\Dook\AppData\Roaming\log.txt
.
.
((((((((((((((((((((((((( Files Created from 2014-01-21 to 2014-02-21 )))))))))))))))))))))))))))))))
.
.
2014-02-21 21:29 . 2014-02-21 21:29 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-02-21 21:29 . 2014-02-21 21:29 -------- d-----w- c:\users\hedev\AppData\Local\temp
2014-02-21 21:29 . 2014-02-21 21:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-02-21 18:19 . 2014-02-21 18:24 -------- d-----w- C:\AdwCleaner
2014-02-21 14:33 . 2014-02-21 17:28 -------- d-----w- C:\FRST
2014-02-21 12:55 . 2014-02-21 12:55 421704 ----a-w- c:\windows\system32\drivers\pxzsvitd.sys
2014-02-21 12:54 . 2014-02-21 12:54 421704 ----a-w- c:\windows\system32\drivers\alskvflw.sys
2014-02-21 12:52 . 2014-02-21 12:52 421704 ----a-w- c:\windows\system32\drivers\lrkxzijc.sys
2014-02-21 12:52 . 2014-02-21 12:52 181064 ----a-w- c:\windows\PSEXESVC.EXE
2014-02-21 12:41 . 2014-02-21 12:41 421704 ----a-w- c:\windows\system32\drivers\ggkphcrz.sys
2014-02-21 12:32 . 2014-02-21 12:32 421704 ----a-w- c:\windows\system32\drivers\zmavmbuo.sys
2014-02-21 11:48 . 2014-02-21 11:48 -------- d-----w- c:\users\Dook\AppData\Roaming\SUPERAntiSpyware.com
2014-02-21 11:48 . 2014-02-21 17:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2014-02-21 11:48 . 2014-02-21 11:48 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2014-02-21 01:58 . 2014-02-21 01:59 -------- d-----w- c:\users\Dook\AppData\Roaming\QuickScan
2014-02-21 01:08 . 2014-02-21 01:08 943777 ----a-w- c:\windows\SysWow64\scrypt130511GeForce GTX 460glg2tc1472w64l4.bin
2014-02-21 01:04 . 2014-02-21 01:04 -------- d-----w- c:\users\Dook\AppData\Local\Microsoft Corporation
2014-02-21 01:04 . 2014-02-21 01:04 -------- d-----w- c:\programdata\Microsoft Corporation
2014-02-21 00:29 . 2014-02-21 00:29 -------- d-s---w- c:\windows\SysWow64\Microsoft
2014-02-20 11:42 . 2014-02-20 11:42 -------- d-----w- c:\users\Dook\AppData\Roaming\Basilisk Games
2014-02-20 11:13 . 2014-02-21 11:42 -------- d-----w- C:\{$5812-5333-4513-5757-7153$}
2014-02-04 01:43 . 2014-02-04 01:43 -------- d-----w- c:\users\Dook\AppData\Local\Octodad Dadliest Catch
2014-02-04 01:43 . 2014-02-04 01:43 -------- d-----w- c:\programdata\CODEX
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2014-01-06 6563608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe"="c:\users\Dook\AppData\Roaming\Microsoft\Windows\Recent.vbe" [2013-01-20 15550]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Windows Configuration"="c:\{$5812-5333-4513-5757-7153$}\nacl64.exe" [2014-02-19 1199104]
.
c:\users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
msconfig.ini.url [2014-2-20 54]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer9"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys;c:\windows\SYSNATIVE\Drivers\sptd.sys [x]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
R3 PSEXESVC;PsExec;c:\windows\PSEXESVC.EXE;c:\windows\PSEXESVC.EXE [x]
R3 SNL320XP;SONIX MULTIMEDIA USB DEVICE DRIVER;c:\windows\system32\DRIVERS\9kdUSB64.sys;c:\windows\SYSNATIVE\DRIVERS\9kdUSB64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://ixquick.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-35300461.sys
SafeBoot-47847442.sys
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
AddRemove-GOGPACKPAPERSPLEASE_is1 - c:\games\Papers
AddRemove-UnityWebPlayer - c:\users\Dook\AppData\Local\Unity\WebPlayer\Uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2980796359-892880252-2195086714-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:7d,cf,5b,34,ec,48,56,42,4e,88,81,b0,58,70,a2,9c,53,42,fb,dd,c7,30,71,
   2b,c2,8e,5d,7b,e5,2c,20,76,49,a3,73,c8,75,c3,43,87,85,a3,71,31,ca,c2,89,09,\
"??"=hex:e2,bf,e6,2a,68,02,e7,0c,52,ce,22,c1,42,12,59,53
.
[HKEY_USERS\S-1-5-21-2980796359-892880252-2195086714-1000\Software\SecuROM\License information*]
"datasecu"=hex:3c,a9,11,c3,79,9f,72,00,7d,67,71,ff,bc,ee,af,78,a2,74,45,58,80,
   1a,0e,82,c7,b5,b9,b9,1e,c7,28,41,16,66,87,aa,ca,e5,71,03,93,5c,e5,b9,af,0d,\
"rkeysecu"=hex:20,5c,10,af,cd,f4,aa,f1,13,38,db,b1,20,73,47,4f
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-02-21 16:31:43
ComboFix-quarantined-files.txt 2014-02-21 21:31
.
Pre-Run: 6,396,448,768 bytes free
Post-Run: 7,458,119,680 bytes free
.
- - End Of File - - E784641523815399F56707B12A31C67A A36C5E4F47E84449FF07ED3517B43A31
4. There is no improvement. I am running all of these in safe mode still. Outside of safe mode, those processes keep coming back and I still cannot even run lots of things, including Malwarebytes, unfortunately. JRT.exe will not run for some reason; it gives a "7-zip internal error code 105". I can manually extract the files but I do not know which program to run and don't want to experiment. Here is the ADW cleaner log:

--------------------------------------

# AdwCleaner v3.019 - Report created 21/02/2014 at 13:24:55
# Updated 17/02/2014 by Xplode
# Operating System : Windows 7 Home Premium (64 bits)
# Username : Dook - DOOK-PC
# Running from : C:\Users\Dook\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Trymedia
Folder Deleted : C:\ProgramData\AlawarEntertainment
Folder Deleted : C:\ProgramData\AlawarWrapper
Folder Deleted : C:\Users\Dook\AppData\Local\Conduit
Folder Deleted : C:\Users\Dook\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Dook\AppData\Roaming\AlawarEntertainment
Folder Deleted : C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\Extensions\{51114877-d928-5d13-4e22-53a228937a5c}

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\14919ea49a8f3b4aa3cf1058d9a64cec
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2737658
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Adobe Updater]
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Trymedia Systems

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.7600.16800

-\\ Mozilla Firefox v19.0.2 (en-US)

[ File : C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\prefs.js ]

-\\ Google Chrome v

[ File : C:\Users\Dook\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [2820 octets] - [21/02/2014 13:19:12]
AdwCleaner[s0].txt - [2624 octets] - [21/02/2014 13:24:55]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2684 octets] ##########
5. Here you go:

FIXLOG.txt
__________

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 20-02-2014
Ran by Dook at 2014-02-21 11:04:42 Run:1
Running from C:\Users\Dook\Desktop
Boot Mode: Safe Mode (with Networking)
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-2980796359-892880252-2195086714-1000\...\CurrentVersion\Windows: [Load] C:\{$5812-5333-4513-5757-7153$}\nacl64.exe <===== ATTENTION
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 02 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
C:\Windows\Installer\{2bc322fd-374a-335c-86c0-be0568af8c80}
C:\Windows\Installer\{2bc322fd-374a-335c-86c0-be0568af8c80}\@
C:\ProgramData\737923934.exe
C:\Users\Dook\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Dook\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Dook\AppData\Local\Temp\libusb-1.0.dll
C:\Users\Dook\AppData\Local\Temp\setup.exe
C:\Users\Dook\AppData\Local\Temp\ShellLink.dll
C:\Users\Dook\AppData\Local\Temp\steam1r.exe
C:\Users\Dook\AppData\Local\Temp\swt-win32-3448.dll
C:\Users\Dook\AppData\Local\Temp\ubi3B87.tmp.exe
C:\Users\Dook\AppData\Local\Temp\ubi5A4E.tmp.exe
C:\Users\Dook\AppData\Local\Temp\Uninstall.exe
*****************

HKU\S-1-5-21-2980796359-892880252-2195086714-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => Value was restored successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5 entry 000000000003\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000002\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll
C:\Windows\Installer\{2bc322fd-374a-335c-86c0-be0568af8c80} => Moved successfully.
"C:\Windows\Installer\{2bc322fd-374a-335c-86c0-be0568af8c80}\@" => File/Directory not found.
C:\ProgramData\737923934.exe => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\libusb-1.0.dll => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\setup.exe => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\ShellLink.dll => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\steam1r.exe => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\swt-win32-3448.dll => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\ubi3B87.tmp.exe => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\ubi5A4E.tmp.exe => Moved successfully.
C:\Users\Dook\AppData\Local\Temp\Uninstall.exe => Moved successfully.

==== End of Fixlog ====
6. First of all, thank you very much for your time; I honestly appreciate it. I am still in safe mode with networking. I hope it is ok for me to follow these instructions while logged in this way.

FRST.txt log :

-------------------------

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 20-02-2014
Ran by Dook (administrator) on DOOK-PC on 21-02-2014 09:33:54
Running from C:\Users\Dook\Desktop
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Safe Mode (with Networking)

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

HKLM-x32\...\Run: [amd_dc_opt] - C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-11-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [35736 2010-11-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe] - C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Recent.vbe [15550 2013-01-20] ()
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [Windows Configuration] - C:\{$5812-5333-4513-5757-7153$}\nacl64.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
HKLM-x32\...\RunOnce: [1] - C:\Temp\mbam-chameleon.exe /r /p [218184 2012-08-15] ()
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-2980796359-892880252-2195086714-1000\...\Run: [Adobe Updater] - C:\Program Files (x86)\Adobe\Updater.exe [735232 2013-05-17] ()
HKU\S-1-5-21-2980796359-892880252-2195086714-1000\...\Run: [sUPERAntiSpyware] - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6563608 2014-01-06] (SUPERAntiSpyware)
HKU\S-1-5-21-2980796359-892880252-2195086714-1000\...\CurrentVersion\Windows: [Load] C:\{$5812-5333-4513-5757-7153$}\nacl64.exe <===== ATTENTION
IFEO\avcenter.exe: [Debugger] euaie.exe
IFEO\avguard.exe: [Debugger] euaie.exe
IFEO\avp.exe: [Debugger] euaie.exe
IFEO\bdagent.exe: [Debugger] euaie.exe
IFEO\ccuac.exe: [Debugger] euaie.exe
IFEO\ComboFix.exe: [Debugger] euaie.exe
IFEO\egui.exe: [Debugger] euaie.exe
IFEO\hijackthis.exe: [Debugger] euaie.exe
IFEO\keyscrambler.exe: [Debugger] euaie.exe
IFEO\MpCmdRun.exe: [Debugger] euaie.exe
IFEO\MSASCui.exe: [Debugger] euaie.exe
IFEO\MsMpEng.exe: [Debugger] euaie.exe
IFEO\msseces.exe: [Debugger] euaie.exe
IFEO\spybotsd.exe: [Debugger] euaie.exe
IFEO\SUPERAntiSpyware.exe: [Debugger] euaie.exe
IFEO\wireshark.exe: [Debugger] euaie.exe
IFEO\zlclient.exe: [Debugger] euaie.exe
Startup: C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.ini.url ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://ixquick.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xD655AE1080FECB01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM {615A1925-0E5B-4767-A65E-3165AEAC32A3} http://quickscan.bitdefender.com/qsax/qsax64.cab
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 04 %SystemRoot%\System32\nwprovau.dll File Not found ()
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog9 11 mswsock.dll File Not found ()
Winsock: Catalog9 12 mswsock.dll File Not found ()
Winsock: Catalog9 13 mswsock.dll File Not found ()
Winsock: Catalog9 14 mswsock.dll File Not found ()
Winsock: Catalog9 15 mswsock.dll File Not found ()
Winsock: Catalog9 16 mswsock.dll File Not found ()
Winsock: Catalog9 17 mswsock.dll File Not found ()
Winsock: Catalog9 18 mswsock.dll File Not found ()
Winsock: Catalog9 19 mswsock.dll File Not found ()
Winsock: Catalog9 25 mswsock.dll File Not found ()
Winsock: Catalog9 26 mswsock.dll File Not found ()
Winsock: Catalog9 27 mswsock.dll File Not found ()
Winsock: Catalog9 28 mswsock.dll File Not found ()
Winsock: Catalog9 29 mswsock.dll File Not found ()
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 02 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found ()
Winsock: Catalog9-x64 02 mswsock.dll File Not found ()
Winsock: Catalog9-x64 03 mswsock.dll File Not found ()
Winsock: Catalog9-x64 04 mswsock.dll File Not found ()
Winsock: Catalog9-x64 05 mswsock.dll File Not found ()
Winsock: Catalog9-x64 06 mswsock.dll File Not found ()
Winsock: Catalog9-x64 07 mswsock.dll File Not found ()
Winsock: Catalog9-x64 08 mswsock.dll File Not found ()
Winsock: Catalog9-x64 09 mswsock.dll File Not found ()
Winsock: Catalog9-x64 10 mswsock.dll File Not found ()
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default
FF Homepage: https://www.ixquick.com/
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_8_800_94.dll ()
FF Plugin: @java.com/DTPlugin,version=10.5.0 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.5.0 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin-x32: @videolan.org/vlc,version=1.1.5 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Dook\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin HKCU: pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\answers.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\creativecommons.xml
FF Extension: baNdit - C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\Extensions\{51114877-d928-5d13-4e22-53a228937a5c} [2011-02-27]
FF Extension: Ghostery - C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\Extensions\firefox@ghostery.com.xpi [2013-08-02]
FF Extension: NoScript - C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2011-04-01]
FF Extension: Adblock Plus - C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2011-03-26]
FF Extension: BetterPrivacy - C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\Extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2011-08-20]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [pmcmflmkceipgecmhoddphflfndnfbbe] - C:\Users\Dook\AppData\Local\Temp\tbch.crx []

==================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [144152 2013-10-10] (SUPERAntiSpyware.com)
S3 PSEXESVC; C:\Windows\PSEXESVC.EXE [181064 2014-02-21] (Sysinternals)

==================== Drivers (Whitelisted) ====================

S2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [314016 2010-12-05] ()
S2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [43680 2010-12-05] ()
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-15] ()
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SNL320XP; C:\Windows\System32\DRIVERS\9kdUSB64.sys [30720 2007-07-03] (Sonix Technology Co., Ltd.)
S0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-12-12] (Duplex Secure Ltd.)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-02-21 09:33 - 2014-02-21 09:34 - 00011561 _____ () C:\Users\Dook\Desktop\FRST.txt
2014-02-21 09:33 - 2014-02-21 09:33 - 02153984 _____ (Farbar) C:\Users\Dook\Desktop\FRST64.exe
2014-02-21 09:33 - 2014-02-21 09:33 - 00000000 ____D () C:\FRST
2014-02-21 09:32 - 2014-02-21 09:32 - 00000000 _____ () C:\Users\Dook\Desktop\VIRUS.txt
2014-02-21 08:05 - 2014-02-21 08:40 - 00022495 _____ () C:\Users\Dook\Desktop\attach.txt
2014-02-21 08:05 - 2014-02-21 08:05 - 00007966 _____ () C:\Users\Dook\Desktop\dds.txt
2014-02-21 08:03 - 2014-02-21 08:03 - 00688992 ____R (Swearware) C:\Users\Dook\Desktop\dds.scr
2014-02-21 07:56 - 2014-02-21 07:56 - 04697744 _____ (AVAST Software) C:\Users\Dook\Desktop\avast_free_antivirus_setup_online.exe
2014-02-21 07:55 - 2014-02-21 07:55 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\pxzsvitd.sys
2014-02-21 07:54 - 2014-02-21 07:54 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\alskvflw.sys
2014-02-21 07:52 - 2014-02-21 07:52 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\lrkxzijc.sys
2014-02-21 07:52 - 2014-02-21 07:52 - 00181064 _____ (Sysinternals) C:\Windows\PSEXESVC.EXE
2014-02-21 07:41 - 2014-02-21 07:41 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\ggkphcrz.sys
2014-02-21 07:32 - 2014-02-21 07:32 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\zmavmbuo.sys
2014-02-21 06:48 - 2014-02-21 07:01 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-02-21 06:48 - 2014-02-21 06:48 - 00001808 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2014-02-21
06:48 - 2014-02-21 06:48 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\SUPERAntiSpyware.com 2014-02-21 06:48 - 2014-02-21 06:48 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com 2014-02-20 21:32 - 2014-02-20 21:32 - 00080456 _____ (Malwarebytes Corporation) C:\Users\Dook\Desktop\mbam- clean-1.60.2.0003.exe 2014-02-20 21:25 - 2014-02-20 21:28 - 00000794 _____ () C:\Users\Dook\Desktop\unhide.txt 2014-02-20 21:25 - 2014-02-20 21:25 - 00398752 _____ (Bleeping Computer, LLC) C:\Users\Dook\Desktop\unhide.exe 2014-02-20 21:17 - 2014-02-20 21:17 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Dook\Desktop\mbam- setup-1.75.0.1300.exe 2014-02-20 20:58 - 2014-02-20 20:59 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\QuickScan 2014-02-20 20:08 - 2014-02-20 20:08 - 00943777 _____ () C:\Windows\SysWOW64\scrypt130511GeForce GTX 460glg2tc1472w64l4.bin 2014-02-20 20:07 - 2014-02-20 20:07 - 00001443 _____ () C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk 2014-02-20 20:07 - 2014-02-20 20:07 - 00001409 _____ () C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk 2014-02-20 20:04 - 2014-02-20 20:04 - 00000000 ____D () C:\Users\Dook\AppData\Local\Microsoft Corporation 2014-02-20 20:04 - 2014-02-20 20:04 - 00000000 ____D () C:\ProgramData\Microsoft Corporation 2014-02-20 19:54 - 2014-02-20 20:27 - 90578216 _____ (AVAST Software) C:\Users\Dook\Downloads \avast_free_antivirus_setup.exe 2014-02-20 06:42 - 2014-02-20 06:42 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\Basilisk Games 2014-02-20 06:13 - 2014-02-21 06:42 - 00000000 ___HD () C:\{$5812-5333-4513-5757-7153$} 2014-02-20 05:57 - 2014-02-20 06:11 - 00000000 ____D () C:\Users\Dook\Downloads\Eschalon.Book.III 2014-02-19 13:58 - 2014-02-19 13:58 - 01199104 __RSH ( ) C:\ProgramData\737923934.exe 2014-02-19 04:36 - 2014-02-19 04:36 - 00001164 _____ () C:\Users\Dook\Desktop\Banished.exe - Shortcut.lnk 2014-02-18 11:21 - 
2014-02-18 11:21 - 00000000 ____D () C:\Users\Dook\Documents\Banished 2014-02-18 10:45 - 2014-02-18 10:45 - 00000000 ____D () C:\Users\Dook\Downloads\Banished 2014-02-14 13:15 - 2014-02-14 13:15 - 00002039 _____ () C:\Users\Public\Desktop\Ultima 4 - Quest of the Avatar.lnk 2014-02-14 13:00 - 2014-02-14 13:02 - 26824360 _____ (GOG.com ) C:\Users\Dook\Downloads \setup_ultima4_2.0.0.19.exe 2014-02-14 11:22 - 2014-02-14 11:22 - 00001911 _____ () C:\Users\Public\Desktop\Magic Carpet 2.lnk 2014-02-14 10:51 - 2014-02-14 11:00 - 00000000 ____D () C:\Users\Dook\Downloads\Magic Carpet 2 GOG 2014-02-13 07:53 - 2014-02-13 08:04 - 09004360 _____ (Perfect World Entertainment) C:\Users\Dook\Downloads \ArcInstall_v20140121a.exe 2014-02-13 07:41 - 2014-02-13 07:41 - 00000222 _____ () C:\Users\Dook\Desktop\Neverwinter.url 2014-02-10 04:27 - 2014-02-10 04:42 - 00000000 ____D () C:\Users\Dook\Documents\Horizon Game 2014-02-10 03:16 - 2014-02-10 03:16 - 00001543 _____ () C:\Users\Public\Desktop\Horizon.lnk 2014-02-09 07:48 - 2014-02-09 12:03 - 00000000 ____D () C:\Users\Dook\Downloads\Horizon 2014-02-03 20:43 - 2014-02-03 20:43 - 00000000 ____D () C:\Users\Dook\AppData\Local\Octodad Dadliest Catch 2014-02-03 20:43 - 2014-02-03 20:43 - 00000000 ____D () C:\ProgramData\CODEX 2014-02-03 20:39 - 2014-02-03 20:39 - 00000870 _____ () C:\Users\Dook\Desktop\Octodad Dadliest Catch.lnk 2014-01-31 13:57 - 2014-01-31 13:57 - 00000222 _____ () C:\Users\Dook\Desktop\Viscera Cleanup Detail Santa's Rampage.url 2014-01-29 22:06 - 2014-01-29 22:06 - 00001825 _____ () C:\Users\Dook\Desktop\Viscera Cleanup Detail - Alpha.lnk 2014-01-29 22:06 - 2014-01-29 22:06 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VisceraCleanupDetail-Alpha 2014-01-28 21:01 - 2014-01-29 00:53 - 1215219712 _____ () C:\Users\Dook\Downloads\rld-bragea1.iso 2014-01-25 15:38 - 2014-01-25 15:38 - 00000000 _____ () C:\Users\Dook\Desktop\New Text Document (3).txt 2014-01-24 15:13 - 2014-01-27 
12:37 - 00000000 ____D () C:\Users\Dook\Documents\MightAndMagicXLegacy 2014-01-24 15:06 - 2014-01-24 15:06 - 00000731 _____ () C:\Users\Public\Desktop\Might and Magic X Legacy.lnk 2014-01-24 14:38 - 2014-01-24 14:38 - 00001588 _____ () C:\Users\Dook\Desktop\Eador-Mechanics.doc - Shortcut.lnk 2014-01-24 14:37 - 2014-01-24 14:37 - 00001565 _____ () C:\Users\Dook\Desktop\MTG.lnk 2014-01-23 20:56 - 2014-01-23 20:56 - 00000946 _____ () C:\Users\Dook\Desktop\Zeno Clash 2.lnk ==================== One Month Modified Files and Folders ======= 2014-02-21 09:34 - 2014-02-21 09:33 - 00011561 _____ () C:\Users\Dook\Desktop\FRST.txt 2014-02-21 09:33 - 2014-02-21 09:33 - 02153984 _____ (Farbar) C:\Users\Dook\Desktop\FRST64.exe 2014-02-21 09:33 - 2014-02-21 09:33 - 00000000 ____D () C:\FRST 2014-02-21 09:32 - 2014-02-21 09:32 - 00000000 _____ () C:\Users\Dook\Desktop\VIRUS.txt 2014-02-21 08:40 - 2014-02-21 08:05 - 00022495 _____ () C:\Users\Dook\Desktop\attach.txt 2014-02-21 08:05 - 2014-02-21 08:05 - 00007966 _____ () C:\Users\Dook\Desktop\dds.txt 2014-02-21 08:03 - 2014-02-21 08:03 - 00688992 ____R (Swearware) C:\Users\Dook\Desktop\dds.scr 2014-02-21 07:57 - 2009-07-14 00:13 - 00791944 _____ () C:\Windows\system32\PerfStringBackup.INI 2014-02-21 07:56 - 2014-02-21 07:56 - 04697744 _____ (AVAST Software) C:\Users\Dook\Desktop \avast_free_antivirus_setup_online.exe 2014-02-21 07:55 - 2014-02-21 07:55 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\pxzsvitd.sys 2014-02-21 07:54 - 2014-02-21 07:54 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\alskvflw.sys 2014-02-21 07:52 - 2014-02-21 07:52 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\lrkxzijc.sys 2014-02-21 07:52 - 2014-02-21 07:52 - 00181064 _____ (Sysinternals) C:\Windows\PSEXESVC.EXE 2014-02-21 07:50 - 2010-12-05 16:52 - 01066982 _____ () C:\Windows\WindowsUpdate.log 2014-02-21 07:50 - 2009-07-13 23:45 - 00015008 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012- 
9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-02-21 07:50 - 2009-07-13 23:45 - 00015008 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012- 9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-02-21 07:46 - 2013-07-14 00:00 - 00004037 _____ () C:\Windows\setupact.log 2014-02-21 07:46 - 2010-12-05 00:59 - 00000000 ____D () C:\ProgramData\NVIDIA 2014-02-21 07:41 - 2014-02-21 07:41 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\ggkphcrz.sys 2014-02-21 07:36 - 2013-03-12 13:57 - 00000000 ____D () C:\Program Files\AVAST Software 2014-02-21 07:36 - 2012-05-16 20:25 - 00000000 _____ () C:\Windows\SysWOW64\config.nt 2014-02-21 07:32 - 2014-02-21 07:32 - 00421704 _____ (AVAST Software) C:\Windows\system32\Drivers\zmavmbuo.sys 2014-02-21 07:01 - 2014-02-21 06:48 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware 2014-02-21 06:48 - 2014-02-21 06:48 - 00001808 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk 2014-02-21 06:48 - 2014-02-21 06:48 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\SUPERAntiSpyware.com 2014-02-21 06:48 - 2014-02-21 06:48 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com 2014-02-21 06:45 - 2012-06-14 11:20 - 00000000 ____D () C:\Users\Dook\AppData\Local\CrashDumps 2014-02-21 06:42 - 2014-02-20 06:13 - 00000000 ___HD () C:\{$5812-5333-4513-5757-7153$} 2014-02-21 06:39 - 2013-03-12 13:27 - 00000000 ____D () C:\TDSSKiller_Quarantine 2014-02-20 21:32 - 2014-02-20 21:32 - 00080456 _____ (Malwarebytes Corporation) C:\Users\Dook\Desktop\mbam- clean-1.60.2.0003.exe 2014-02-20 21:28 - 2014-02-20 21:25 - 00000794 _____ () C:\Users\Dook\Desktop\unhide.txt 2014-02-20 21:25 - 2014-02-20 21:25 - 00398752 _____ (Bleeping Computer, LLC) C:\Users\Dook\Desktop\unhide.exe 2014-02-20 21:17 - 2014-02-20 21:17 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\Dook\Desktop\mbam- setup-1.75.0.1300.exe 2014-02-20 21:15 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF 2014-02-20 20:59 - 
2014-02-20 20:58 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\QuickScan 2014-02-20 20:27 - 2014-02-20 19:54 - 90578216 _____ (AVAST Software) C:\Users\Dook\Downloads \avast_free_antivirus_setup.exe 2014-02-20 20:08 - 2014-02-20 20:08 - 00943777 _____ () C:\Windows\SysWOW64\scrypt130511GeForce GTX 460glg2tc1472w64l4.bin 2014-02-20 20:07 - 2014-02-20 20:07 - 00001443 _____ () C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk 2014-02-20 20:07 - 2014-02-20 20:07 - 00001409 _____ () C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk 2014-02-20 20:07 - 2010-12-05 16:44 - 00000000 ____D () C:\Windows\Panther 2014-02-20 20:04 - 2014-02-20 20:04 - 00000000 ____D () C:\Users\Dook\AppData\Local\Microsoft Corporation 2014-02-20 20:04 - 2014-02-20 20:04 - 00000000 ____D () C:\ProgramData\Microsoft Corporation 2014-02-20 19:31 - 2013-03-12 13:18 - 00017634 _____ () C:\Windows\PFRO.log 2014-02-20 10:55 - 2010-12-05 12:47 - 00000000 ____D () C:\Program Files (x86)\Steam 2014-02-20 09:19 - 2010-12-06 20:59 - 00003918 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization- {C71DB46F-2FB1-4F78-A79A-B9FCEBD9CAB7} 2014-02-20 06:42 - 2014-02-20 06:42 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\Basilisk Games 2014-02-20 06:14 - 2012-08-05 01:20 - 00000000 ____D () C:\Games 2014-02-20 06:13 - 2010-12-05 00:49 - 00000000 ___RD () C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 2014-02-20 06:11 - 2014-02-20 05:57 - 00000000 ____D () C:\Users\Dook\Downloads\Eschalon.Book.III 2014-02-19 13:58 - 2014-02-19 13:58 - 01199104 __RSH ( ) C:\ProgramData\737923934.exe 2014-02-19 04:36 - 2014-02-19 04:36 - 00001164 _____ () C:\Users\Dook\Desktop\Banished.exe - Shortcut.lnk 2014-02-18 11:21 - 2014-02-18 11:21 - 00000000 ____D () C:\Users\Dook\Documents\Banished 2014-02-18 10:45 - 2014-02-18 10:45 - 00000000 ____D () C:\Users\Dook\Downloads\Banished 2014-02-14 13:15 - 
2014-02-14 13:15 - 00002039 _____ () C:\Users\Public\Desktop\Ultima 4 - Quest of the Avatar.lnk 2014-02-14 13:02 - 2014-02-14 13:00 - 26824360 _____ (GOG.com ) C:\Users\Dook\Downloads \setup_ultima4_2.0.0.19.exe 2014-02-14 11:22 - 2014-02-14 11:22 - 00001911 _____ () C:\Users\Public\Desktop\Magic Carpet 2.lnk 2014-02-14 11:04 - 2011-01-12 09:26 - 00009159 _____ () C:\Users\Dook\Desktop\New Text Document.txt 2014-02-14 11:00 - 2014-02-14 10:51 - 00000000 ____D () C:\Users\Dook\Downloads\Magic Carpet 2 GOG 2014-02-13 13:16 - 2013-06-19 18:36 - 00141538 _____ () C:\Windows\DirectX.log 2014-02-13 08:04 - 2014-02-13 07:53 - 09004360 _____ (Perfect World Entertainment) C:\Users\Dook\Downloads \ArcInstall_v20140121a.exe 2014-02-13 07:41 - 2014-02-13 07:41 - 00000222 _____ () C:\Users\Dook\Desktop\Neverwinter.url 2014-02-10 04:42 - 2014-02-10 04:27 - 00000000 ____D () C:\Users\Dook\Documents\Horizon Game 2014-02-10 03:16 - 2014-02-10 03:16 - 00001543 _____ () C:\Users\Public\Desktop\Horizon.lnk 2014-02-09 12:03 - 2014-02-09 07:48 - 00000000 ____D () C:\Users\Dook\Downloads\Horizon 2014-02-03 20:43 - 2014-02-03 20:43 - 00000000 ____D () C:\Users\Dook\AppData\Local\Octodad Dadliest Catch 2014-02-03 20:43 - 2014-02-03 20:43 - 00000000 ____D () C:\ProgramData\CODEX 2014-02-03 20:39 - 2014-02-03 20:39 - 00000870 _____ () C:\Users\Dook\Desktop\Octodad Dadliest Catch.lnk 2014-02-03 10:34 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT 2014-01-31 13:57 - 2014-01-31 13:57 - 00000222 _____ () C:\Users\Dook\Desktop\Viscera Cleanup Detail Santa's Rampage.url 2014-01-29 22:06 - 2014-01-29 22:06 - 00001825 _____ () C:\Users\Dook\Desktop\Viscera Cleanup Detail - Alpha.lnk 2014-01-29 22:06 - 2014-01-29 22:06 - 00000000 ____D () C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VisceraCleanupDetail-Alpha 2014-01-29 00:53 - 2014-01-28 21:01 - 1215219712 _____ () C:\Users\Dook\Downloads\rld-bragea1.iso 2014-01-27 20:00 - 2014-01-09 20:52 - 00001803 _____ () 
C:\Users\Dook\Desktop\VCD Santa's Rampage.lnk 2014-01-27 19:59 - 2014-01-10 12:09 - 00002049 _____ () C:\Users\Public\Desktop\VCD Shadow Warrior.lnk 2014-01-27 12:37 - 2014-01-24 15:13 - 00000000 ____D () C:\Users\Dook\Documents\MightAndMagicXLegacy 2014-01-25 15:38 - 2014-01-25 15:38 - 00000000 _____ () C:\Users\Dook\Desktop\New Text Document (3).txt 2014-01-24 15:14 - 2013-10-22 17:53 - 00000000 ____D () C:\ProgramData\Orbit 2014-01-24 15:06 - 2014-01-24 15:06 - 00000731 _____ () C:\Users\Public\Desktop\Might and Magic X Legacy.lnk 2014-01-24 14:47 - 2012-03-09 05:47 - 00000000 ____D () C:\Users\Dook\Downloads\Comics 2014-01-24 14:38 - 2014-01-24 14:38 - 00001588 _____ () C:\Users\Dook\Desktop\Eador-Mechanics.doc - Shortcut.lnk 2014-01-24 14:37 - 2014-01-24 14:37 - 00001565 _____ () C:\Users\Dook\Desktop\MTG.lnk 2014-01-23 20:56 - 2014-01-23 20:56 - 00000946 _____ () C:\Users\Dook\Desktop\Zeno Clash 2.lnk ZeroAccess: C:\Windows\Installer\{2bc322fd-374a-335c-86c0-be0568af8c80} C:\Windows\Installer\{2bc322fd-374a-335c-86c0-be0568af8c80}\@ Files to move or delete: ==================== C:\ProgramData\737923934.exe Some content of TEMP: ==================== C:\Users\Dook\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe C:\Users\Dook\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe C:\Users\Dook\AppData\Local\Temp\libusb-1.0.dll C:\Users\Dook\AppData\Local\Temp\setup.exe C:\Users\Dook\AppData\Local\Temp\ShellLink.dll C:\Users\Dook\AppData\Local\Temp\steam1r.exe C:\Users\Dook\AppData\Local\Temp\swt-win32-3448.dll C:\Users\Dook\AppData\Local\Temp\ubi3B87.tmp.exe C:\Users\Dook\AppData\Local\Temp\ubi5A4E.tmp.exe C:\Users\Dook\AppData\Local\Temp\Uninstall.exe ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit 
C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\rpcss.dll => MD5 is legit C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit LastRegBack: 2014-02-18 00:45 ==================== End Of Log ============================ ADDITION.txt log ------------------------------ Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-02-2014 Ran by Dook at 2014-02-21 09:34:25 Running from C:\Users\Dook\Desktop Boot Mode: Safe Mode (with Networking) ========================================================== ==================== Security Center ======================== AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} ==================== Installed Programs ====================== "How To Survive" (x32 Version: 1.0.0.0 - ) "XCOM - Enemy Within" (x32 Version: 1.0.0.926 - ) 12 Labours of Hercules (x32 Version: 1.1) 7-Zip 9.20 (x64 edition) (Version: 9.20.00.0 - Igor Pavlov) Adobe AIR (x32 Version: 2.5.1.17730 - Adobe Systems Inc.) Adobe AIR (x32 Version: 2.5.1.17730 - Adobe Systems Inc.) Hidden Adobe Flash Player 11 ActiveX 64-bit (Version: 11.2.202.235 - Adobe Systems Incorporated) Adobe Flash Player 11 Plugin (x32 Version: 11.8.800.94 - Adobe Systems Incorporated) Adobe Reader X (x32 Version: 10.0.0 - Adobe Systems Incorporated) Age of Mythology - The Titans Expansion (x32 Version: - ) Age of Mythology (x32 Version: - ) Age of Wonders (x32 Version: - ) Age of Wonders II (x32 Version: - ) Alarm Clock v1.0 (x32 Version: - Moore Design Lmt.) 
All My Gods (x32 Version: 1.0) Anomaly 2 © 11 bit studios version 1 (x32 Version: 1 - ) ASUS nVidia Driver (x32 Version: 1.00.0000 - ASUSTek) Hidden Avernum (x32 Version: 1.0.1 - Spiderweb Software) AviSynth 2.5 (x32 Version: - ) AVStoDVD 2.6.0 (x32 Version: 2.6.0 - MrC) Baldur's Gate II: Enhanced Edition (x32 Version: 1 - ) Batman Arkham Origins version 1.0.3 (x32 Version: 1.0.3 - Joker_RETURNS, WB. Entertainment) Batman.Arkham Origins + 1 DLC (x32 Version: Batman.Arkham Origins + 1 DLC (25.10.2013)) Battle for Wesnoth 1.8.5 (x32 Version: 1.8.5 - ) Bully Scholarship Edition (x32 Version: 1.00.0200 - Rockstar Games) Bully Scholarship Edition (x32 Version: 1.00.0200 - Rockstar Games) Hidden CCleaner (Version: 3.26 - Piriform) Circle of Eight Modpack version 7.6.0 NC (x32 Version: 7.6.0 NC - Circle of Eight) ComicRack v0.9.149 (Version: v0.9.149 - cYo Soft) Dead Space™ 2 (x32 Version: 1.0.941.0 - Electronic Arts) Deadfall Adventures (x32 Version: 1 - ) DEMISE (x32 Version: - ) DROD: Journey to Rooted Hold 2.0.12 (x32 Version: 2.0.12 - Caravel Games) Droid Assault / by NSIS (x32 Version: - Puppy Games) Dual-Core Optimizer (x32 Version: 1.1.4.0169 - AMD) Duke Nukem Forever (x32 Version: - ) Dungeons & Dragons Online ®: Eberron Unlimited ™ v01.13.00.802 (x32 Version: 01.13.00.8029 - Atari, Inc.) 
Eador - Masters of The Broken World (x32 Version: - ) Fable III (x32 Version: 1.0.0001.131 - Microsoft Game Studios) Hidden Fallout 3 (HKCU Version: 1.00.0000 - Bethesda Softworks) Fallout: New Vegas (x32 Version: - Bethesda Softworks) Far Cry 2 with Fortunes Pack (x32 Version: - GOG.com) ffdshow v1.2.4422 [2012-04-09] (x32 Version: 1.2.4422.0 - ) Fieldrunners 2 1.0 (x32 Version: 1.0 - Cat-A-Cat) Flashback (x32 Version: 1 - ) Folk Tale (x32 Version: - ) From Dust (x32 Version: 1.0.0 - Ubisoft) FTL version 1.01 (x32 Version: 1.01 - Subset Games) Glare (x32 Version: 1 - ) Grand Theft Auto IV (x32 Version: 1.00.0000 - Rockstar Games) Grand Theft Auto: Episodes from Liberty City (x32 Version: 1.0.0002.135 - Rockstar Games Inc.) Hidden Grand Theft Auto: Episodes from Liberty City (x32 Version: 1.0.0003.135 - Rockstar Games Inc.) Hidden Grand Theft Auto: Episodes From Liberty City (x32 Version: 1.1.0.0 - Rockstar Games) Grimm (x32 Version: - Spicyhorse Games) Haali Media Splitter (x32 Version: - ) Hellgate: London (Version: 1.10.180.3416 - Flagship Studios) Horizon (x32 Version: - Iceberg Interactive) Hydrophobia Prophecy (x32 Version: 1.0.0.1 - VEBMAX) I Am Alive (x32 Version: 1.00.0 - Ubisoft) I Am Alive (x32 Version: 1.00.0 - Ubisoft) Hidden ImgBurn (x32 Version: 2.5.7.0 - LIGHTNING UK!) Java 7 Update 25 (x32 Version: 7.0.250 - Oracle) Java Auto Updater (x32 Version: 2.1.9.5 - Sun Microsystems, Inc.) Hidden Java 7 Update 5 (64-bit) (Version: 7.0.50 - Oracle) Kingdoms of Amalur Reckoning (x32 Version: - ) King's Bounty. The Legend (Remove Only) (Version: 1.0.0.0 - Atari) King's Bounty. 
The Legend (Remove Only) (x32 Version: 1.0.0.0 - Atari) Legend of Grimrock (x32 Version: - GOG.com) Magic Carpet 2 (x32 Version: 2.0.0.6 - GOG.com) Magic The Gathering - Duels of the Planeswalkers 2013 (x32 Version: - ) Majesty 2 Collection (x32 Version: - Paradox Interactive) Mark of the Ninja Special Edition (x32 Version: - ) Master Of Magic (x32 Version: - GOG.com) MediaInfo (x32 Version: - MediaInfo.SourceForge.net) Microsoft .NET Framework 1.1 (x32 Version: - ) Microsoft .NET Framework 1.1 (x32 Version: 1.1.4322 - Microsoft) Hidden Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Hidden Microsoft Application Compatibility Toolkit 5.6 (x32 Version: 5.6.7324.0 - Microsoft Corporation) Microsoft Games for Windows - LIVE (x32 Version: 3.1.186.0 - Microsoft Corporation) Microsoft Games for Windows - LIVE Redistributable (x32 Version: 3.1.99.0 - Microsoft Corporation) Microsoft Reader (x32 Version: - ) Microsoft Silverlight (x32 Version: 4.1.10329.0 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.56336 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (Version: 9.0.21022 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (x32 Version: 9.0.21022 - Microsoft Corporation) Microsoft 
Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (x32 Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (x32 Version: 12.0.21005.1 - Microsoft Corporation) Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (Version: 12.0.21005 - Microsoft Corporation) Hidden Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (Version: 12.0.21005 - Microsoft Corporation) Hidden Microsoft XNA Framework Redistributable 3.1 (x32 Version: 3.1.10527.0 - Microsoft Corporation) Microsoft XNA Framework Redistributable 4.0 (x32 Version: 4.0.20823.0 - Microsoft Corporation) Might and Magic X Legacy (x32 Version: 1 - ) Mozilla Firefox 19.0.2 (x86 en-US) (x32 Version: 19.0.2 - Mozilla) Mozilla Maintenance Service (x32 Version: 19.0.2 - Mozilla) MSXML4 Parser (x32 Version: 1.0.0 - Microsoft Game Studios) My Game Long Name (Version: - Epic Games, Inc.) 
Neverwinter (x32 Version: - Cryptic Studios) Newsbin Pro (Version: 6.21 - DJI Interprises, LLC) Northern Tale 2 1.0 (x32 Version: 1.0 - Cat-A-Cat) NVIDIA 3D Vision Driver 296.10 (Version: 296.10 - NVIDIA Corporation) NVIDIA Control Panel 296.10 (Version: 296.10 - NVIDIA Corporation) Hidden NVIDIA Graphics Driver 296.10 (Version: 296.10 - NVIDIA Corporation) NVIDIA HD Audio Driver 1.3.12.0 (Version: 1.3.12.0 - NVIDIA Corporation) NVIDIA Install Application (Version: 2.1002.62.312 - NVIDIA Corporation) Hidden NVIDIA PhysX (x32 Version: 9.13.0725 - NVIDIA Corporation) NVIDIA Stereoscopic 3D Driver (x32 Version: 7.17.12.9610 - NVIDIA Corporation) Hidden Octodad Dadliest Catch (x32 Version: ) OpenAL (x32 Version: - ) OpenOffice.org 3.3 (x32 Version: 3.3.9567 - OpenOffice.org) Pando Media Booster (x32 Version: 2.3.5.1 - Pando Networks Inc.) Panzer Corps (x32 Version: 1.00 - Slitherine) Panzer Corps version 1.0 (x32 Version: 1.0 - ) Papers, Please (x32 Version: 2.0.0.4 - GOG.com) Plants vs. Zombies (x32 Version: - PopCap Games) Pool of Radiance: RoMD (x32 Version: - ) Populous - The Beginning (x32 Version: - GOG.com) POR (Version: - ) QuickPar 0.9 (x32 Version: 0.9 - Peter B. Clements) Rage (x32 Version: ) Realtek Ethernet Controller Driver For Windows 7 (x32 Version: 7.17.304.2010 - Realtek) Rise of Venice (x32 Version: 1 - ) Risen 2: Dark Waters (x32 Version: 1.0.1210.0 ) Rockstar Games Social Club (x32 Version: 1.00.0000 - Rockstar Games) Rogue Legacy version 0.0.0.9 (x32 Version: 0.0.0.9 ) Sacrifice (x32 Version: - ) Saints Row IV Update 5 Incl. 
DLC (x32 Version: 1 - ) Sanctum 2 © CoffeeStainStudios version 1 (x32 Version: 1 - ) Shadow Warrior (x32 Version: - Devolver Digital) Shadowrun Returns (x32 Version: - Harebrained Holdings) SmartGlobe Deluxe V3.12 (x32 Version: - Oregon Scientific) Solar 2 version 1.01 (x32 Version: 1.01 - ) Stanza (x32 Version: - ) StarTopia (x32 Version: - GOG.com) State of Decay - Breakdown (x32 Version: - ) Steam (x32 Version: 1.0.0.0 - Valve Corporation) Stonekeep (x32 Version: 2.0.0.10 - GOG.com) SUPERAntiSpyware (Version: 5.7.1018 - SUPERAntiSpyware.com) Temple of Elemental Evil (x32 Version: 1.00.000 - ) Tetrobot and Co (x32 Version: -) The Cave 1.1.0 (x32 Version: 1.1.0 - Double Fine Productions) Titan Attacks (x32 Version: 2.00.6 - Puppy Games) Torchlight II © Runic Games version 1 (x32 Version: 1 - ) Ubisoft Game Launcher (x32 Version: 1.0.0.0 - UBISOFT) Ultima 4 - Quest of the Avatar (x32 Version: 2.0.0.19 - GOG.com) Ultratron / by NSIS (x32 Version: - Puppy Games) Unity Web Player (HKCU Version: - Unity Technologies ApS) Unreal Development Kit: 2012-07 (Version: - Epic Games, Inc.) Uplay (x32 Version: 3.0 - Ubisoft) Viscera Cleanup Detail - ALPHA (Version: - RuneStorm) Viscera Cleanup Detail: Santas Rampage Viscera Cleanup Detail: Santa's Rampage (x32 Version: - RuneStorm) Visual C++ 2008 x86 Runtime - (v9.0.30729) (x32 Version: 9.0.30729 - Microsoft Corporation) Hidden Visual C++ 2008 x86 Runtime - v9.0.30729.01 (x32 Version: 9.0.30729.01 - Microsoft Corporation) Visual Studio 2008 x64 Redistributables (x32 Version: 10.0.0.2 - AVG Technologies) VLC media player 1.1.5 (x32 Version: 1.1.5 - VideoLAN) Warlock - Master of the Arcane © Paradox Interactive version 1 (x32 Version: 1 - ) Weird Worlds: Return To Infinite Space v1.30 (x32 Version: - Digital Eel) WinRAR archiver (x32 Version: - ) Zeno Clash 2 (x32 Version: ) Zip Motion Block Video codec (Remove Only) (Version: - DOSBox Team) ==================== Restore Points ========================= 21-02-2014 00:28:24 avast! 
Free Antivirus Setup 21-02-2014 01:05:13 Windows Modules Installer 21-02-2014 01:29:56 avast! antivirus system restore point 21-02-2014 01:36:29 avast! antivirus system restore point 21-02-2014 01:48:45 avast! antivirus system restore point 21-02-2014 02:36:31 Restore Operation ==================== Hosts content: ========================== 2009-07-13 21:34 - 2013-03-03 05:56 - 00582353 ____A C:\Windows\system32\Drivers\etc\hosts 127.0.0.1 localhost 127.0.0.1 fr.a2dfp.net 127.0.0.1 m.fr.a2dfp.net 127.0.0.1 ad.a8.net 127.0.0.1 asy.a8ww.net 127.0.0.1 abcstats.com 127.0.0.1 a.abv.bg 127.0.0.1 adserver.abv.bg 127.0.0.1 adv.abv.bg 127.0.0.1 bimg.abv.bg 127.0.0.1 ca.abv.bg 127.0.0.1 www2.a-counter.kiev.ua 127.0.0.1 track.acclaimnetwork.com 127.0.0.1 accuserveadsystem.com 127.0.0.1 www.accuserveadsystem.com 127.0.0.1 achmedia.com 127.0.0.1 aconti.net 127.0.0.1 secure.aconti.net 127.0.0.1 www.aconti.net #[Dialer.Aconti] 127.0.0.1 csh.actiondesk.com 127.0.0.1 www.activemeter.com #[Tracking.Cookie] 127.0.0.1 ads.activepower.net 127.0.0.1 stat.active24stats.nl #[Tracking.Cookie] 127.0.0.1 cms.ad2click.nl 127.0.0.1 ad2games.com 127.0.0.1 ads.ad2games.com 127.0.0.1 content.ad20.net 127.0.0.1 core.ad20.net 127.0.0.1 banner.ad.nu There are 1000 more lines. ==================== Scheduled Tasks (whitelisted) ============= Task: {2C764E98-B467-4AE0-A38D-A59CAB0510AF} - System32\Tasks\{C2B1A140-2659-4618-95FD-1397C5D1BE3D} => D: \INSTALL.EXE Task: {6A36FA60-0603-45B8-9F2F-DBB5C1EE51B0} - System32\Tasks\{A7AC37F8-598E-4867-B2D8-2AD3276E56BB} => C: \Games\Anachronox\anox.exe Task: {75AAAB47-6D9C-4E2E-A511-1F629D4FA482} - System32\Tasks\avast! 
Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe Task: {833CA20C-E7A0-4DC3-9555-DE08E51FFF1E} - System32\Tasks\{D668E880-AFB8-4AE1-91A1-BE9638C0F326} => C: \Games\kotor\launcher.exe Task: {DBEC5176-8ACF-4B9D-945C-CAE6524B68E5} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner \CCleaner.exe [2012-12-19] (Piriform Ltd) Task: {FFF2FFCC-182F-4475-885A-A132BCE0EC6B} - System32\Tasks\{1E476B08-8197-4055-B66B-21A97D7FA4FA} => D: \INSTALL.EXE ==================== Loaded Modules (whitelisted) ============= 2011-03-22 20:50 - 2013-03-12 13:22 - 03069848 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll 2012-02-29 12:26 - 2012-02-29 12:26 - 00360768 _____ () C:\Program Files (x86)\NVIDIA Corporation\3D Vision \Nv3DVStreaming.dll ==================== Alternate Data Streams (whitelisted) ========= AlternateDataStreams: C:\ProgramData:gs5sys AlternateDataStreams: C:\Users\All Users:gs5sys AlternateDataStreams: C:\Users\Dook:gs5sys AlternateDataStreams: C:\ProgramData\Application Data:gs5sys AlternateDataStreams: C:\ProgramData\TEMP:38849DE5 AlternateDataStreams: C:\ProgramData\Templates:gs5sys AlternateDataStreams: C:\Users\Dook\Application Data:gs5sys AlternateDataStreams: C:\Users\Dook\Cookies:gs5sys AlternateDataStreams: C:\Users\Dook\Local Settings:gs5sys AlternateDataStreams: C:\Users\Dook\Templates:gs5sys AlternateDataStreams: C:\Users\Dook\AppData\Local:gs5sys AlternateDataStreams: C:\Users\Dook\AppData\Roaming:gs5sys AlternateDataStreams: C:\Users\Dook\AppData\Local\Application Data:gs5sys AlternateDataStreams: C:\Users\Dook\AppData\Local\History:gs5sys AlternateDataStreams: C:\Users\Dook\Documents\desktop.ini:gs5sys AlternateDataStreams: C:\Users\Public\Documents\desktop.ini:gs5sys ==================== Safe Mode (whitelisted) =================== HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\35300461.sys => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\47847442.sys => ""="Driver" 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\35300461.sys => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\47847442.sys => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMR250 => ""="Service" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2" ==================== Disabled items from MSCONFIG ============== ==================== Faulty Device Manager Devices ============= Name: Security Processor Loader Driver Description: Security Processor Loader Driver Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1} Manufacturer: Service: spldr Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24) Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed. Devices stay in this state if they have been prepared for removal. After you remove the device, this error disappears.Remove the device, and this error should be resolved. Name: sptd Description: sptd Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1} Manufacturer: Service: sptd Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24) Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed. Devices stay in this state if they have been prepared for removal. After you remove the device, this error disappears.Remove the device, and this error should be resolved. 
==================== Event log errors: =========================

Application errors:
==================
Error: (02/21/2014 06:42:06 AM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 1.75.0.1, time stamp: 0x511f8eb2
Faulting module name: OLEAUT32.dll, version: 6.1.7600.16872, time stamp: 0x4e5873c1
Exception code: 0xc0000005
Fault offset: 0x0001604c
Faulting process id: 0xd6c
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (02/21/2014 05:49:43 AM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 1.75.0.1, time stamp: 0x511f8eb2
Faulting module name: OLEAUT32.dll, version: 6.1.7600.16872, time stamp: 0x4e5873c1
Exception code: 0xc0000005
Fault offset: 0x0001604c
Faulting process id: 0xdc8
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (02/21/2014 05:48:11 AM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 1.75.0.1, time stamp: 0x511f8eb2
Faulting module name: OLEAUT32.dll, version: 6.1.7600.16872, time stamp: 0x4e5873c1
Exception code: 0xc0000005
Fault offset: 0x0001604c
Faulting process id: 0xc60
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (02/21/2014 05:46:55 AM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 1.75.0.1, time stamp: 0x511f8eb2
Faulting module name: OLEAUT32.dll, version: 6.1.7600.16872, time stamp: 0x4e5873c1
Exception code: 0xc0000005
Fault offset: 0x0001604c
Faulting process id: 0xec8
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (02/21/2014 05:46:18 AM) (Source: Application Error) (User: )
Description: Faulting application name: mbam.exe, version: 1.75.0.1, time stamp: 0x511f8eb2
Faulting module name: OLEAUT32.dll, version: 6.1.7600.16872, time stamp: 0x4e5873c1
Exception code: 0xc0000005
Fault offset: 0x0001604c
Faulting process id: 0xd74
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3

Error: (02/21/2014 05:40:24 AM) (Source: System Restore) (User: )
Description: The restore point selected was damaged or deleted during the restore (Scheduled Checkpoint).

Error: (02/20/2014 09:36:20 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service has failed to create the new search index. Internal error <4, 0x8004117f, Failed to add project: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects>.

Error: (02/20/2014 09:36:20 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service cannot open the Jet property store.
Details: 0x%08x (0x8004117f - The content index server cannot update or access information because of a database error. Stop and restart the search service. If the problem persists, reset and recrawl the content index. In some cases it may be necessary to delete and recreate the content index. (HRESULT : 0x8004117f))

Error: (02/20/2014 09:36:20 PM) (Source: ESENT) (User: )
Description: Windows (1452) Windows: Unable to create a new logfile because the database cannot write to the log drive. The drive may be read-only, out of disk space, misconfigured, or corrupted. Error -1032.

Error: (02/20/2014 09:36:20 PM) (Source: ESENT) (User: )
Description: Windows (1452) Windows: An attempt to move the file "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log" to "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log" failed with system error 5 (0x00000005): "Access is denied. ". The move file operation will fail with error -1032 (0xfffffbf8).

System errors:
=============
Error: (02/21/2014 09:32:18 AM) (Source: DCOM) (User: )
Description: 1084NVSvc{DCAB0989-1301-4319-BE5F-ADE89F88581C}

Error: (02/21/2014 07:53:57 AM) (Source: DCOM) (User: )
Description: 1068fdPHost{D3DCB472-7261-43CE-924B-0704BD730D5F}

Error: (02/21/2014 07:53:57 AM) (Source: DCOM) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (02/21/2014 07:53:41 AM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (02/21/2014 07:53:41 AM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (02/21/2014 07:53:35 AM) (Source: DCOM) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (02/21/2014 07:53:29 AM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (02/21/2014 07:53:24 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load: discache SASDIFSV SASKUTIL spldr sptd Wanarpv6

Error: (02/21/2014 07:53:24 AM) (Source: Service Control Manager) (User: )
Description: The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

Error: (02/21/2014 07:53:24 AM) (Source: Service Control Manager) (User: )
Description: The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

Microsoft Office Sessions:
=========================
Error: (02/21/2014 06:42:06 AM) (Source: Application Error)(User: )
Description: mbam.exe1.75.0.1511f8eb2OLEAUT32.dll6.1.7600.168724e5873c1c00000050001604cd6c01cf2ef9f0ae4cb1C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exeC:\Windows\syswow64\OLEAUT32.dll2fe5abb2-9aed-11e3-9835-485b39977c51

Error: (02/21/2014 05:49:43 AM) (Source: Application Error)(User: )
Description: mbam.exe1.75.0.1511f8eb2OLEAUT32.dll6.1.7600.168724e5873c1c00000050001604cdc801cf2ef2a00bcafeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exeC:\Windows\syswow64\OLEAUT32.dllde687bb3-9ae5-11e3-a38c-485b39977c51

Error: (02/21/2014 05:48:11 AM) (Source: Application Error)(User: )
Description: mbam.exe1.75.0.1511f8eb2OLEAUT32.dll6.1.7600.168724e5873c1c00000050001604cc6001cf2ef26946ada5C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exeC:\Windows\syswow64\OLEAUT32.dlla7ace3db-9ae5-11e3-a38c-485b39977c51

Error: (02/21/2014 05:46:55 AM) (Source: Application Error)(User: )
Description: mbam.exe1.75.0.1511f8eb2OLEAUT32.dll6.1.7600.168724e5873c1c00000050001604cec801cf2ef23c05645aC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exeC:\Windows\syswow64\OLEAUT32.dll7a588f8d-9ae5-11e3-a38c-485b39977c51

Error: (02/21/2014 05:46:18 AM) (Source: Application Error)(User: )
Description: mbam.exe1.75.0.1511f8eb2OLEAUT32.dll6.1.7600.168724e5873c1c00000050001604cd7401cf2ef22530ddc7C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exeC:\Windows\syswow64\OLEAUT32.dll644e5df1-9ae5-11e3-a38c-485b39977c51

Error: (02/21/2014 05:40:24 AM) (Source: System Restore)(User: )
Description: Scheduled Checkpoint

Error: (02/20/2014 09:36:20 PM) (Source: Windows Search Service)(User: )
Description: 40x8004117fFailed to add project: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects

Error: (02/20/2014 09:36:20 PM) (Source: Windows Search Service)(User: )
Description: Details: 0x%08x (0x8004117f - The content index server cannot update or access information because of a database error. Stop and restart the search service. If the problem persists, reset and recrawl the content index. In some cases it may be necessary to delete and recreate the content index. (HRESULT : 0x8004117f))

Error: (02/20/2014 09:36:20 PM) (Source: ESENT)(User: )
Description: Windows1452Windows: -1032

Error: (02/20/2014 09:36:20 PM) (Source: ESENT)(User: )
Description: Windows1452Windows: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.logC:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log-1032 (0xfffffbf8)5 (0x00000005)Access is denied.

CodeIntegrity Errors:
===================================
Date: 2012-05-17 18:42:44.756
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\sega\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-05-17 18:42:44.726
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\sega\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-05-17 18:42:44.706
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\sega\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-05-17 18:42:44.686
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\sega\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-05-17 17:13:14.234
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\sega\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-05-17 17:13:14.219
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\sega\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Percentage of memory in use: 24%
Total physical RAM: 4094.05 MB
Available physical RAM: 3081.54 MB
Total Pagefile: 10220.27 MB
Available Pagefile: 9288.04 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.66 GB) (Free:5.79 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: D2A1CA1E)
Partition: GPT Partition Type.

==================== End Of Log ============================
  7. Hello, My PC has managed to become infected with a very troublesome virus. Malwarebytes will not run at all. I get permission denied errors when I try to run it and even chameleon doesn't work (even when I get malwarebytes to start it crashes before running.) Exactly when this started occurring, firefox started hanging upon any attempt to download. I followed a walkthrough for common fixes for that issue and was unable to resolve it. I mention this because it might be a related symptom that could help you. In safe mode with networking malwarebytes gives "runtime error 13 type mismatch". I looked this error up and found people referencing a fix involving changing my region/language settings via control panel. I am not sure how, but only my date and time show up under my control panel so I cannot try that fix. Could this also be related to this infection? I was unable to get superantispyware to run in normal mode, but it ran in safe mode and found 1 infection and cleaned it up. I then rebooted into normal windows and the same problems persist, now including superantispyware getting killed upon bootup. I am sorry to beg for help, but I am unable to fix this alone and would appreciate any assistance anyone can offer. Please let me know of anything else I can add to help you help me. Here are the dds.txt and attach.txt

DDS.txt
--------------------------------------------------------------------

DDS (Ver_2012-11-20.01) - NTFS_AMD64 NETWORK
Internet Explorer: 8.0.7600.16800 BrowserJavaVersion: 10.25.2
Run by Dook at 8:03:34 on 2014-02-21
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4094.3258 [GMT -5:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\helppane.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uWindows: Load = C:\{$5812-5333-4513-5757-7153$}\nacl64.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Adobe Updater] C:\Program Files (x86)\Adobe\Updater.exe
uRun: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe] C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Recent.vbe
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Windows Configuration] C:\{$5812-5333-4513-5757-7153$}\nacl64.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
StartupFolder: C:\Users\Dook\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.ini.url
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{1D659983-B13C-4FF5-B4E2-90E1048147AE} : DHCPNameServer = 192.168.1.1
IFEO: avcenter.exe - euaie.exe
IFEO: avguard.exe - euaie.exe
IFEO: avp.exe - euaie.exe
IFEO: bdagent.exe - euaie.exe
IFEO: ccuac.exe - euaie.exe
x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-IFEO: avcenter.exe - euaie.exe
x64-IFEO: avguard.exe - euaie.exe
x64-IFEO: avp.exe - euaie.exe
x64-IFEO: bdagent.exe - euaie.exe
x64-IFEO: ccuac.exe - euaie.exe
.
Note: multiple IFEO entries found. Please refer to Attach.txt
Hosts: 127.0.0.1 ads.mcafee.com
Hosts: 127.0.0.1 analytics.microsoft.com
Hosts: 127.0.0.1 metrics.bitdefender.com
Hosts: 127.0.0.1 metrics.mcafee.com
Hosts: 127.0.0.1 om.symantec.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Dook\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Users\Dook\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2013-10-10 144152]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-12-5 346144]
S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
S1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-2-29 382272]
S3 mbamchameleon;mbamchameleon;C:\Windows\System32\drivers\mbamchameleon.sys [2014-2-21 36680]
S3 SNL320XP;SONIX MULTIMEDIA USB DEVICE DRIVER;C:\Windows\System32\drivers\9kdUSB64.sys [2011-1-5 30720]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-12-5 1255736]
SUnknown alskvflw;alskvflw; [x]
SUnknown chtzttgh;chtzttgh; [x]
SUnknown pxzsvitd;pxzsvitd; [x]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=C:\Windows\System32\NOTEPAD.EXE %1 [userChoice]
.
=============== Created Last 30 ================
.
2014-02-21 12:55:12 421704 ----a-w- C:\Windows\System32\drivers\pxzsvitd.sys
2014-02-21 12:54:15 421704 ----a-w- C:\Windows\System32\drivers\alskvflw.sys
2014-02-21 12:52:25 421704 ----a-w- C:\Windows\System32\drivers\lrkxzijc.sys
2014-02-21 12:41:24 421704 ----a-w- C:\Windows\System32\drivers\ggkphcrz.sys
2014-02-21 12:32:01 421704 ----a-w- C:\Windows\System32\drivers\zmavmbuo.sys
2014-02-21 11:48:57 -------- d-----w- C:\Users\Dook\AppData\Roaming\SUPERAntiSpyware.com
2014-02-21 11:48:27 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2014-02-21 11:48:27 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2014-02-21 11:41:46 36680 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-02-21 01:58:28 -------- d-----w- C:\Users\Dook\AppData\Roaming\QuickScan
2014-02-21 01:08:12 943777 ----a-w- C:\Windows\SysWow64\scrypt130511GeForce GTX 460glg2tc1472w64l4.bin
2014-02-21 01:04:03 -------- d-----w- C:\Users\Dook\AppData\Local\Microsoft Corporation
2014-02-21 00:29:10 -------- d-s---w- C:\Windows\SysWow64\Microsoft
2014-02-20 11:42:59 -------- d-----w- C:\Users\Dook\AppData\Roaming\Basilisk Games
2014-02-20 11:13:44 -------- d--h--w- C:\{$5812-5333-4513-5757-7153$}
2014-02-19 18:58:25 1199104 --sha-r- C:\ProgramData\737923934.exe
2014-02-04 01:43:09 -------- d-----w- C:\Users\Dook\AppData\Local\Octodad Dadliest Catch
2014-02-04 01:43:09 -------- d-----w- C:\ProgramData\CODEX
.
==================== Find3M ====================
.
.
============= FINISH: 8:05:20.22 ===============

attach.txt
-------------------------------

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/5/2010 12:49:05 AM
System Uptime: 2/21/2014 7:53:01 AM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | M4A88T-M
Processor: AMD Athlon II X4 640 Processor | AM3 | 3013/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 5.884 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Security Processor Loader Driver
Device ID: ROOT\LEGACY_SPLDR\0000
Manufacturer:
Name: Security Processor Loader Driver
PNP Device ID: ROOT\LEGACY_SPLDR\0000
Service: spldr
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: sptd
Device ID: ROOT\LEGACY_SPTD\0000
Manufacturer:
Name: sptd
PNP Device ID: ROOT\LEGACY_SPTD\0000
Service: sptd
.
==== System Restore Points ===================
.
RP419: 2/20/2014 7:28:24 PM - avast! Free Antivirus Setup
RP420: 2/20/2014 8:05:13 PM - Windows Modules Installer
RP421: 2/20/2014 8:29:56 PM - avast! antivirus system restore point
RP422: 2/20/2014 8:36:29 PM - avast! antivirus system restore point
RP423: 2/20/2014 8:48:45 PM - avast! antivirus system restore point
RP424: 2/20/2014 9:36:31 PM - Restore Operation
.
==== Image File Execution Options =============
.
IFEO: avcenter.exe - euaie.exe
IFEO: avguard.exe - euaie.exe
IFEO: avp.exe - euaie.exe
IFEO: bdagent.exe - euaie.exe
IFEO: ccuac.exe - euaie.exe
IFEO: ComboFix.exe - euaie.exe
IFEO: egui.exe - euaie.exe
IFEO: hijackthis.exe - euaie.exe
IFEO: keyscrambler.exe - euaie.exe
IFEO: mbam.exe - euaie.exe
IFEO: MpCmdRun.exe - euaie.exe
IFEO: MSASCui.exe - euaie.exe
IFEO: MsMpEng.exe - euaie.exe
IFEO: msseces.exe - euaie.exe
IFEO: spybotsd.exe - euaie.exe
IFEO: SUPERAntiSpyware.exe - euaie.exe
IFEO: wireshark.exe - euaie.exe
IFEO: zlclient.exe - euaie.exe
x64-IFEO: avcenter.exe - euaie.exe
x64-IFEO: avguard.exe - euaie.exe
x64-IFEO: avp.exe - euaie.exe
x64-IFEO: bdagent.exe - euaie.exe
x64-IFEO: ccuac.exe - euaie.exe
x64-IFEO: ComboFix.exe - euaie.exe
x64-IFEO: egui.exe - euaie.exe
x64-IFEO: hijackthis.exe - euaie.exe
x64-IFEO: keyscrambler.exe - euaie.exe
x64-IFEO: mbam.exe - euaie.exe
x64-IFEO: MpCmdRun.exe - euaie.exe
x64-IFEO: MSASCui.exe - euaie.exe
x64-IFEO: MsMpEng.exe - euaie.exe
x64-IFEO: msseces.exe - euaie.exe
x64-IFEO: spybotsd.exe - euaie.exe
x64-IFEO: SUPERAntiSpyware.exe - euaie.exe
x64-IFEO: wireshark.exe - euaie.exe
x64-IFEO: zlclient.exe - euaie.exe
.
==== Hosts File Hijack ======================
.
Hosts: 127.0.0.1 ads.mcafee.com
Hosts: 127.0.0.1 analytics.microsoft.com
Hosts: 127.0.0.1 metrics.bitdefender.com
Hosts: 127.0.0.1 metrics.mcafee.com
Hosts: 127.0.0.1 om.symantec.com
Hosts: 127.0.0.1 ads.bleepingcomputer.com
Hosts: 127.0.0.1 wdcs.trendmicro.com
.
==== Installed Programs ======================
.
"How To Survive"
"XCOM - Enemy Within"
12 Labours of Hercules
7-Zip 9.20 (x64 edition)
Adobe AIR
Adobe Flash Player 11 ActiveX 64-bit
Adobe Flash Player 11 Plugin
Adobe Reader X
Age of Mythology
Age of Mythology - The Titans Expansion
Age of Wonders
Age of Wonders II
Alarm Clock v1.0
All My Gods
Anomaly 2 © 11 bit studios version 1
ASUS nVidia Driver
Avernum
AviSynth 2.5
AVStoDVD 2.6.0
Baldur's Gate II: Enhanced Edition
Batman Arkham Origins version 1.0.3
Batman.Arkham Origins + 1 DLC
Battle for Wesnoth 1.8.5
BitTorrent
Bully Scholarship Edition
CCleaner
Circle of Eight Modpack version 7.6.0 NC
ComicRack v0.9.149
Dead Space™ 2
Deadfall Adventures
DEMISE
DROD: Journey to Rooted Hold 2.0.12
Droid Assault / by NSIS
Dual-Core Optimizer
Duke Nukem Forever
Dungeons & Dragons Online ®: Eberron Unlimited ™ v01.13.00.802
Eador - Masters of The Broken World
Fable III
Fallout 3
Fallout: New Vegas
Far Cry 2 with Fortunes Pack
ffdshow v1.2.4422 [2012-04-09]
Fieldrunners 2 1.0
Flashback
Folk Tale
From Dust
FTL version 1.01
Glare
Grand Theft Auto IV
Grand Theft Auto: Episodes from Liberty City
Grimm
Haali Media Splitter
Hellgate: London
Horizon
Hydrophobia Prophecy
I Am Alive
ImgBurn
Java 7 Update 25
Java Auto Updater
Java 7 Update 5 (64-bit)
King's Bounty. The Legend (Remove Only)
Kingdoms of Amalur Reckoning
Legend of Grimrock
Magic Carpet 2
Magic The Gathering - Duels of the Planeswalkers 2013
Majesty 2 Collection
Mark of the Ninja Special Edition
Master Of Magic
MediaInfo
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Compatibility Toolkit 5.6
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Reader
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
Might and Magic X Legacy
Mozilla Firefox 19.0.2 (x86 en-US)
Mozilla Maintenance Service
MSXML4 Parser
My Game Long Name
Neverwinter
Newsbin Pro
Northern Tale 2 1.0
NVIDIA 3D Vision Driver 296.10
NVIDIA Control Panel 296.10
NVIDIA Graphics Driver 296.10
NVIDIA HD Audio Driver 1.3.12.0
NVIDIA Install Application
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
Octodad Dadliest Catch
OpenAL
OpenOffice.org 3.3
Pando Media Booster
Panzer Corps
Panzer Corps version 1.0
Papers, Please
Plants vs. Zombies
Pool of Radiance: RoMD
Populous - The Beginning
POR
QuickPar 0.9
Rage
Realtek Ethernet Controller Driver For Windows 7
Rise of Venice
Risen 2: Dark Waters
Rockstar Games Social Club
Rogue Legacy version 0.0.0.9
Sacrifice
Saints Row IV Update 5 Incl. DLC
Sanctum 2 © CoffeeStainStudios version 1
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Shadow Warrior
Shadowrun Returns
SmartGlobe Deluxe V3.12
Solar 2 version 1.01
Stanza
StarTopia
State of Decay - Breakdown
Steam
Stonekeep
SUPERAntiSpyware
Temple of Elemental Evil
Tetrobot and Co
The Cave 1.1.0
Titan Attacks
Torchlight II © Runic Games version 1
Ubisoft Game Launcher
Ultima 4 - Quest of the Avatar
Ultratron / by NSIS
Unity Web Player
Unreal Development Kit: 2012-07
Uplay
Viscera Cleanup Detail - ALPHA
Viscera Cleanup Detail: Santa's Rampage
Viscera Cleanup Detail: Santas Rampage
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual Studio 2008 x64 Redistributables
VLC media player 1.1.5
Warlock - Master of the Arcane © Paradox Interactive version 1
Weird Worlds: Return To Infinite Space v1.30
WinRAR archiver
Zeno Clash 2
Zip Motion Block Video codec (Remove Only)
.
==== Event Viewer Messages From Past Week ========
.
2/21/2014 7:53:57 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
2/21/2014 7:53:57 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
2/21/2014 7:53:41 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
2/21/2014 7:53:41 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
2/21/2014 7:53:35 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/21/2014 7:53:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
2/21/2014 7:53:24 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache SASDIFSV SASKUTIL spldr sptd Wanarpv6
2/21/2014 7:53:24 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
2/21/2014 7:53:24 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
2/21/2014 7:53:24 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
2/21/2014 7:53:05 AM, Error: sptd [4] - Driver detected an internal error in its data structures for .
2/21/2014 7:47:08 AM, Error: Service Control Manager [7031] - The SAS Core Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
2/21/2014 7:46:49 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
2/21/2014 7:39:22 AM, Error: Service Control Manager [7023] - The Server service terminated with the following error: The service has not been started.
2/21/2014 7:39:22 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: A system shutdown is in progress.
2/21/2014 7:39:21 AM, Error: Microsoft-Windows-Directory-Services-SAM [12291] - SAM failed to start the TCP/IP or SPX/IPX listening thread
2/21/2014 7:00:12 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswRdr aswRvrt aswSnx aswSP aswVmm discache SASDIFSV SASKUTIL spldr sptd Wanarpv6
2/21/2014 6:55:30 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswRdr aswRvrt aswSnx aswSP aswVmm
2/21/2014 6:55:28 AM, Error: Service Control Manager [7001] - The avast! Antivirus service depends on the aswMonFlt service which failed to start because of the following error: The system cannot find the file specified.
2/21/2014 6:55:26 AM, Error: Service Control Manager [7000] - The aswMonFlt service failed to start due to the following error: The system cannot find the file specified.
2/21/2014 6:47:43 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswRdr aswRvrt aswSnx aswSP aswVmm discache spldr sptd Wanarpv6
2/21/2014 6:25:32 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
2/21/2014 5:41:06 AM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: 490@01010004
2/20/2014 9:39:10 PM, Error: Service Control Manager [7022] - The Windows Search service hung on starting.
2/20/2014 9:36:20 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 3 time(s).
2/20/2014 9:36:20 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-2147217025.
2/20/2014 9:35:37 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
2/20/2014 9:34:55 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
2/20/2014 9:33:20 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 15 time(s).
2/20/2014 9:32:23 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 14 time(s).
2/20/2014 9:32:23 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473536.
2/20/2014 9:29:23 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 13 time(s).
2/20/2014 9:29:15 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 12 time(s).
2/20/2014 9:26:34 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 11 time(s).
2/20/2014 9:25:29 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 10 time(s).
2/20/2014 9:19:10 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 9 time(s).
2/20/2014 9:18:49 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 8 time(s).
2/20/2014 9:18:34 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 7 time(s).
2/20/2014 9:17:07 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 6 time(s).
2/20/2014 9:12:11 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 5 time(s).
2/20/2014 9:10:56 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 4 time(s).
2/20/2014 8:49:53 PM, Error: Service Control Manager [7000] - The avast! VM Monitor service failed to start due to the following error: The system cannot find the file specified.
2/20/2014 8:49:53 PM, Error: Service Control Manager [7000] - The aswSnx service failed to start due to the following error: The system cannot find the file specified.
2/20/2014 8:49:53 PM, Error: Service Control Manager [7000] - The aswRdr service failed to start due to the following error: The system cannot find the file specified.
2/20/2014 8:45:26 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
2/20/2014 8:45:00 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service NVSvc with arguments "" in order to run the server: {DCAB0989-1301-4319-BE5F-ADE89F88581C}
2/20/2014 8:44:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
2/20/2014 8:44:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
2/20/2014 8:44:08 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswRvrt aswSnx aswSP aswVmm DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx Wanarpv6 WfpLwf ws2ifsl
2/20/2014 8:44:08 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
2/20/2014 8:44:08 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
2/20/2014 8:44:08 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
2/20/2014 8:44:08 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start. 2/20/2014 8:44:08 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start. 2/20/2014 8:44:08 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning. 2/20/2014 8:44:08 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start. 2/20/2014 8:44:08 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning. 2/20/2014 8:44:08 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning. 2/20/2014 8:42:03 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 21 time(s). 2/20/2014 8:37:00 PM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Type with the following error: Access is denied. 2/20/2014 8:36:57 PM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for ServiceSidType with the following error: Access is denied. 
2/20/2014 8:36:56 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 20 time(s). 2/20/2014 8:36:33 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 19 time(s). 2/20/2014 8:36:17 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 18 time(s). 2/20/2014 8:36:02 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 17 time(s). 2/20/2014 8:35:48 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 16 time(s). 2/20/2014 8:05:53 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 31 time(s). 2/20/2014 8:05:47 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 30 time(s). 2/20/2014 8:04:01 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 29 time(s). 2/20/2014 8:03:46 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 28 time(s). 2/20/2014 8:03:30 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 27 time(s). 2/20/2014 8:02:58 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 26 time(s). 2/20/2014 8:02:56 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 25 time(s). 2/20/2014 8:02:43 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 24 time(s). 2/20/2014 8:00:49 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. 
It has done this 23 time(s). 2/20/2014 8:00:27 PM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 22 time(s). 2/20/2014 7:34:09 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: An instance of the service is already running. 2/20/2014 7:32:11 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535. 2/19/2014 2:15:51 AM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit. . ==== End Of File ===========================
  8. Very helpful and prompt to respond. God Bless.

  9. The computer seems to be running fine, nothing unusual that I have noticed. Thanks again for all of your help. Here is the MBAM log:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.05.18.07
Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
XXXX:: XXXX-PC [administrator]
5/18/2012 2:42:14 PM
mbam-log-2012-05-18 (14-42-14).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205646
Time elapsed: 2 minute(s),
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
  10. Here it is. http://virusscan.jotti.org/en/scanresult/8f886da5680ce3e36ca27d1b43947fc7d095a0fa
  11. That site has been down all morning. I will keep trying throughout the day to check the file.
  12. Upon further scanning, c:\windows\assembly\GAC_32\Desktop.ini and c:\windows\assembly\GAC_64\Desktop.ini no longer show up as infected. Still no ping.exe being generated and no pop-ups. I will check back in the morning to see if perhaps you see something amiss, which I am hopeful that you don't, heh. Thank you very much for your help again.
  13. Ok, here is the log from combofix:
ComboFix 12-05-17.05 - XXXX 05/17/2012 18:35:15.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4094.2985 [GMT -4:00]
Running from: c:\users\XXXX\Desktop\sega.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
.
---- Previous Run -------
.
C:\install.exe
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-04-17 to 2012-05-17 )))))))))))))))))))))))))))))))
.
.
2012-05-17 22:43 . 2012-05-17 22:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-17 18:33 . 2012-05-17 18:33 -------- d-----w- C:\_OTL
2012-05-17 02:22 . 2012-05-17 12:42 -------- d-----w- c:\users\XXXX\AppData\Local\NPE
2012-05-17 02:22 . 2012-05-17 02:22 -------- d-----w- c:\programdata\Norton
2012-05-17 01:44 . 2012-03-06 23:01 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-05-17 01:44 . 2012-03-06 23:04 337240 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-05-17 01:44 . 2012-03-06 23:02 53080 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-05-17 01:44 . 2012-03-06 23:01 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-05-17 01:43 . 2012-03-06 23:04 819032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-05-17 01:43 . 2012-03-06 23:01 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-05-17 01:43 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-05-17 01:43 . 2012-03-06 23:15 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-05-17 01:25 . 2012-03-06 23:15 258520 ----a-w- c:\windows\system32\aswBoot.exe
2012-05-17 01:24 . 2012-05-17 01:43 -------- d-----w- c:\programdata\AVAST Software
2012-05-17 01:24 . 2012-05-17 01:43 -------- d-----w- c:\program files\AVAST Software
2012-05-17 00:53 . 2012-03-01 06:54 22896 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-05-17 00:53 . 2012-03-01 06:45 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-05-17 00:53 . 2012-03-01 06:40 80896 ----a-w- c:\windows\system32\imagehlp.dll
2012-05-17 00:53 . 2012-03-01 05:49 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-05-17 00:53 . 2012-03-01 05:45 158720 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-05-17 00:53 . 2012-03-01 06:35 5120 ----a-w- c:\windows\system32\wmi.dll
2012-05-17 00:53 . 2012-03-01 05:40 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-05-17 00:49 . 2010-11-02 05:17 1169408 ----a-w- c:\windows\system32\taskschd.dll
2012-05-17 00:49 . 2010-11-02 05:16 1114624 ----a-w- c:\windows\system32\schedsvc.dll
2012-05-17 00:49 . 2010-11-02 05:10 464384 ----a-w- c:\windows\system32\taskeng.exe
2012-05-17 00:49 . 2010-11-02 05:18 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
2012-05-17 00:49 . 2010-11-02 05:17 473600 ----a-w- c:\windows\system32\taskcomp.dll
2012-05-17 00:49 . 2010-11-02 05:10 285696 ----a-w- c:\windows\system32\schtasks.exe
2012-05-17 00:49 . 2010-11-02 04:40 496128 ----a-w- c:\windows\SysWow64\taskschd.dll
2012-05-17 00:49 . 2010-11-02 04:40 305152 ----a-w- c:\windows\SysWow64\taskcomp.dll
2012-05-17 00:49 . 2010-11-02 04:34 192000 ----a-w- c:\windows\SysWow64\taskeng.exe
2012-05-17 00:49 . 2010-11-02 04:34 179712 ----a-w- c:\windows\SysWow64\schtasks.exe
2012-05-17 00:46 . 2012-02-15 06:27 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-05-17 00:45 . 2011-03-03 06:14 30208 ----a-w- c:\windows\system32\dnscacheugc.exe
2012-05-17 00:41 . 2011-10-15 06:25 723456 ----a-w- c:\windows\system32\EncDec.dll
2012-05-17 00:41 . 2011-10-15 05:48 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2012-05-17 00:41 . 2011-11-19 15:07 77312 ----a-w- c:\windows\system32\packager.dll
2012-05-17 00:41 . 2011-11-19 14:06 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-05-16 21:40 . 2012-05-16 21:40 -------- d-----w- c:\users\XXXX\AppData\Roaming\Malwarebytes
2012-05-16 21:40 . 2012-05-16 23:16 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-16 21:40 . 2012-05-16 21:40 -------- d-----w- c:\programdata\Malwarebytes
2012-05-16 21:40 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-16 18:23 . 2012-05-16 18:23 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-16 13:54 . 2012-05-16 13:54 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-05-09 14:29 . 2012-05-09 14:29 -------- d-----w- c:\program files (x86)\Warlock - Master of the Arcane
2012-05-06 11:40 . 2012-05-06 11:40 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-05-06 11:40 . 2012-05-06 11:40 157352 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-06 11:40 . 2012-05-06 11:40 129976 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe
2012-04-29 18:44 . 2012-04-29 18:44 -------- d-----w- c:\program files (x86)\DROD - Journey to Rooted Hold
2012-04-25 15:12 . 2012-04-25 15:20 -------- d-----w- c:\users\XXXX\AppData\Local\BoH
2012-04-22 03:36 . 2012-02-29 21:00 3089728 ----a-w- c:\windows\system32\nvsvc64.dll
2012-04-22 03:36 . 2012-02-29 21:00 6074176 ----a-w- c:\windows\system32\nvcpl.dll
2012-04-22 03:36 . 2012-02-29 20:59 889664 ----a-w- c:\windows\system32\nvvsvc.exe
2012-04-22 03:36 . 2012-02-29 20:59 63296 ----a-w- c:\windows\system32\nvshext.dll
2012-04-22 03:36 . 2012-02-29 20:59 118080 ----a-w- c:\windows\system32\nvmctray.dll
2012-04-22 03:36 . 2012-02-29 20:59 2515790 ----a-w- c:\windows\system32\nvcoproc.bin
2012-04-22 00:08 . 2012-04-22 00:09 -------- d-----w- c:\programdata\Battle.net
2012-04-21 00:22 . 2012-04-21 00:22 -------- d--h--w- c:\programdata\Common Files
2012-04-21 00:22 . 2012-04-21 00:22 -------- d-----w- c:\users\XXXX\AppData\Roaming\AVG2012
2012-04-21 00:21 . 2012-04-21 01:15 -------- d-----w- c:\programdata\AVG2012
2012-04-21 00:21 . 2012-04-21 00:21 -------- d-----w- c:\program files (x86)\AVG
2012-04-21 00:12 . 2012-04-21 01:14 -------- d-----w- c:\programdata\MFAData
2012-04-19 11:25 . 2012-04-19 11:25 -------- d-----w- c:\program files (x86)\Strategy First
2012-04-18 23:57 . 2012-04-18 23:57 -------- d-----w- c:\programdata\Trymedia
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-16 18:23 . 2012-02-08 11:54 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-29 17:26 . 2012-02-29 17:26 416064 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2012-02-23 14:18 . 2010-12-05 07:08 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 24ACB7E5BE595468E3B9AA488B9B4FCB . 328704 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[-] 2009-07-14 . 50BEA589F7D7958BDD2528A8F69D05CC . 329216 . . [6.1.7600.16385] .. c:\windows\system32\services.exe
.
((((((((((((((((((((((((((((( SnapShot@2012-05-17_22.23.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-05 06:03 . 2012-05-17 22:45 27320 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-05-17 22:45 27774 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-12-05 05:56 . 2012-05-17 22:45 11866 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2980796359-892880252-2195086714-1000_UserData.bin
+ 2012-05-17 22:43 . 2012-05-17 22:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-05-17 21:14 . 2012-05-17 21:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-05-17 21:14 . 2012-05-17 21:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-05-17 22:43 . 2012-05-17 22:43 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2012-05-17 22:44 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-05-17 21:14 327680 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 02:36 . 2012-05-17 22:33 668836 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-05-17 21:21 668836 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-05-17 22:33 125022 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-05-17 21:21 125022 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:01 . 2012-05-17 22:43 302884 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-05-17 16:05 302884 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:54 . 2012-05-17 21:14 3538944 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-05-17 22:44 3538944 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-05-17 21:14 2424832 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-05-17 22:44 2424832 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 44544]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\XXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer9"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-16 257696]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-05-06 129976]
R3 SNL320XP;SONIX MULTIMEDIA USB DEVICE DRIVER;c:\windows\system32\DRIVERS\9kdUSB64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-02-29 382272]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-16 18:23]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 135408 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
LSP: mswsock.dll
TCP: DhcpNameServer = 205.152.37.23 205.152.144.23
FF - ProfilePath - c:\users\XXXX\AppData\Roaming\Mozilla\Firefox\Profiles\uetpaw7r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ixquick.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{f999a48b-1950-4d81-9971-79018f807b4b} - (no file)
AddRemove-Colossus - c:\windows\system32\javaws.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2980796359-892880252-2195086714-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:7d,cf,5b,34,ec,48,56,42,4e,88,81,b0,58,70,a2,9c,53,42,fb,dd,c7,30,71,
   2b,c2,8e,5d,7b,e5,2c,20,76,49,a3,73,c8,75,c3,43,87,85,a3,71,31,ca,c2,89,09,\
"??"=hex:e2,bf,e6,2a,68,02,e7,0c,52,ce,22,c1,42,12,59,53
.
[HKEY_USERS\S-1-5-21-2980796359-892880252-2195086714-1000\Software\SecuROM\License information*]
"datasecu"=hex:3c,a9,11,c3,79,9f,72,00,7d,67,71,ff,bc,ee,af,78,a2,74,45,58,80,
   1a,0e,82,c7,b5,b9,b9,1e,c7,28,41,16,66,87,aa,ca,e5,71,03,93,5c,e5,b9,af,0d,\
"rkeysecu"=hex:20,5c,10,af,cd,f4,aa,f1,13,38,db,b1,20,73,47,4f
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2012-05-17 18:50:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-17 22:50
.
Pre-Run: 37,393,956,864 bytes free
Post-Run: 37,351,129,088 bytes free
.
- - End Of File - - 44FE77373CC2B4E43723BDA38AD69C95
  14. I was eventually able to delete c:\windows\installer\{2bc322fd-374a-335c-86c0-be0568af8c80} and everything in it. ping.exe is no longer being launched and no more tabs are being opened in my browser. I just launched combofix and it ran this time.
  15. Combofix will not run; it looks like it created and installed to a directory named 32788R22FWJFW. Do you know if I can try clicking an executable in that directory safely?
  16. 2 subdirectories, "L" and "U", and a system file named "@", 2 kb in size. In L there are 3 files, all 1 kb in size: 1afb2d56, 201d3dde, and 00000004.@; in U there are 6 files, including the one often blocked by avast, 00000008.@ (228 kb).
  17. Also, I don't know if this helps but when avast was running before we started it was blocking requests from c:\windows\installer\{2bc322fd-374a-335c-86c0-be0568af8c80} and its sub-directories.
  18. RogueKiller V7.4.4 [05/08/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Safe mode with network support
User: XXXX [Admin rights]
Mode: Scan -- Date: 05/17/2012 15:05:42
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 5 ¤¤¤
[SUSP PATH] HKLM\[...]\Wow6432Node\RunOnce : OTL ("C:\Users\XXXX\Desktop\OTL.com") -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: Hitachi HDS721050CLA362 ATA Device +++++
--- User ---
[MBR] 79afe5bcbfc5f257e57928f6acf34914
[BSP] 1f84320b928eeee4fd2e6532c395516f : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
  19. Here is the log file. I tried to run combofix again, but it will not run.
All processes killed
========== FILES ==========
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
File\Folder [EMPTYJAVA] not found.
File\Folder [emptytemp] not found.
OTL by OldTimer - Version 3.2.43.0 log created on 05172012_145802
  20. Combofix still will not run. I am clueless, but should we have changed C:\Windows\assembly\GAC_64\Desktop.ini as well?
  21. Here is the log file.
All processes killed
========== FILES ==========
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
========== COMMANDS ==========
[EMPTYJAVA]
User: All Users
User: Default
User: Default User
User: XXXX
->Java cache emptied: 63508046 bytes
User: Public
Total Java Files Cleaned = 61.00 mb
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56502 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: XXXX
->Temp folder emptied: 1002409701 bytes
->Temporary Internet Files folder emptied: 81202502 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 135859734 bytes
->Flash cache emptied: 7711 bytes
User: Public
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 802816 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 84912038 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 1,245.00 mb
OTL by OldTimer - Version 3.2.43.0 log created on 05172012_143347
  22. Here it is again.

      aswMBR version 0.9.9.1665 Copyright (c) 2011 AVAST Software
      Run date: 2012-05-17 13:09:58
      -----------------------------
      13:09:58.163 OS Version: Windows x64 6.1.7600
      13:09:58.163 Number of processors: 4 586 0x503
      13:09:58.164 ComputerName: XXXX-PC UserName: XXXX
      13:10:01.735 Initialize success
      13:10:01.947 AVAST engine defs: 12051700
      13:10:10.002 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
      13:10:10.005 Disk 0 Vendor: Hitachi_HDS721050CLA362 JP2OA3MA Size: 476940MB BusType: 3
      13:10:10.028 Disk 0 MBR read successfully
      13:10:10.030 Disk 0 MBR scan
      13:10:10.033 Disk 0 Windows 7 default MBR code
      13:10:10.041 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
      13:10:10.059 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
      13:10:10.138 Disk 0 scanning C:\Windows\system32\drivers
      13:10:36.150 Service scanning
      13:11:59.713 Modules scanning
      13:11:59.713 Disk 0 trace - called modules:
      13:11:59.721 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
      13:11:59.722 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80049d9060]
      13:11:59.722 3 CLASSPNP.SYS[fffff880015a643f] -> nt!IofCallDriver -> [0xfffffa8004760520]
      13:11:59.722 5 ACPI.sys[fffff8800100b781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800475d060]
      13:12:02.759 AVAST engine scan C:\Windows
      13:12:36.540 AVAST engine scan C:\Windows\system32
      13:14:54.554 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
      13:14:57.326 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
      13:16:23.389 AVAST engine scan C:\Windows\system32\drivers
      13:16:34.768 AVAST engine scan C:\Users\XXXX
      13:58:53.287 AVAST engine scan C:\ProgramData
      14:01:58.532 Scan finished successfully
      14:08:26.333 Disk 0 MBR has been saved successfully to "C:\Users\XXXX\Desktop\MBR.dat"
      14:08:26.338 The log file has been saved successfully to "C:\Users\XXXX\Desktop\aswMBR.txt"
  23. Oh wait, it's still running. Sorry about that.
  24. Here it is.

      aswMBR version 0.9.9.1665 Copyright (c) 2011 AVAST Software
      Run date: 2012-05-17 12:44:05
      -----------------------------
      12:44:05.669 OS Version: Windows x64 6.1.7600
      12:44:05.669 Number of processors: 4 586 0x503
      12:44:05.670 ComputerName: XXXX-PC UserName: XXXX
      12:44:09.006 Initialize success
      12:44:10.356 AVAST engine defs: 12051700
      12:45:10.350 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
      12:45:10.352 Disk 0 Vendor: Hitachi_HDS721050CLA362 JP2OA3MA Size: 476940MB BusType: 3
      12:45:10.360 Disk 0 MBR read successfully
      12:45:10.362 Disk 0 MBR scan
      12:45:10.676 Disk 0 Windows 7 default MBR code
      12:45:10.699 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
      12:45:11.008 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
      12:45:11.385 Disk 0 scanning C:\Windows\system32\drivers
      12:45:23.437 Service scanning
      12:45:41.241 Modules scanning
      12:45:41.248 Disk 0 trace - called modules:
      12:45:41.258 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
      12:45:41.277 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80049d9060]
      12:45:41.282 3 CLASSPNP.SYS[fffff880015a643f] -> nt!IofCallDriver -> [0xfffffa8004760520]
      12:45:41.287 5 ACPI.sys[fffff8800100b781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800475d060]
      12:45:43.551 AVAST engine scan C:\Windows
      12:45:46.355 AVAST engine scan C:\Windows\system32
      12:46:56.965 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
      12:46:58.771 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
      12:48:10.924 AVAST engine scan C:\Windows\system32\drivers
      12:48:32.783 AVAST engine scan C:\Users\XXXX
      12:54:56.637 Disk 0 MBR has been saved successfully to "C:\Users\XXXX\Documents\MBR.dat"
      12:54:56.642 The log file has been saved successfully to "C:\Users\XXXX\Documents\aswMBR.txt"
      12:55:50.193 Disk 0 MBR has been saved successfully to "C:\Users\XXXX\Desktop\MBR.dat"
      12:55:50.226 The log file has been saved successfully to "C:\Users\XXXX\Desktop\aswMBR.txt"
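The logs in posts 18, 19, 22 and 24 point at the same set of indicators: RogueKiller flags the UAC policy values EnableLUA and ConsentPromptBehaviorAdmin both set to 0 (UAC switched off), and aswMBR labels C:\Windows\assembly\GAC_32\Desktop.ini and C:\Windows\assembly\GAC_64\Desktop.ini as Win32:Sirefef-PL, the files OTL then moved. The script below is an added example, not part of the thread and not code from RogueKiller, aswMBR or OTL; it re-checks those same indicators read-only on a live host so the cleanup can be confirmed after a reboot. It assumes Windows PowerShell 3.0 or newer, that the key RogueKiller abbreviates as HKLM\[...]\System is the standard HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and that it runs elevated (the raw disk read needs that). The MBR hash it prints is over the first 440 bytes of sector 0 and is only meant for before/after comparison on the same machine; it is not computed the same way as RogueKiller's [MBR] value.

```powershell
# Added triage script (not from the forum thread or from any of the tools logged above).
# Re-checks on a live host what the posted logs flagged. Read-only: it reports, it does not clean.
# Requires Windows PowerShell 3.0+ and an elevated prompt.

$findings = @()

# --- 1. UAC policy values (RogueKiller's "[HJ] HKLM\[...]\System" lines) ----
# Assumption: the abbreviated key is the standard Policies\System key.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin') {
    $value = $null
    if ($uac) { $value = $uac.$name }
    if ($null -eq $value) {
        $status = 'MISSING'; $detail = "$name not present under $policyKey"
    } elseif ($value -eq 0) {
        $status = 'DISABLED'; $detail = "$name = $value (RogueKiller reported this as [HJ])"
    } else {
        $status = 'OK'; $detail = "$name = $value"
    }
    $findings += [pscustomobject]@{ Check = "UAC $name"; Status = $status; Detail = $detail }
}

# --- 2. Desktop.ini inside the GAC directories (aswMBR: Win32:Sirefef-PL) ---
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$assembly = Join-Path $env:SystemRoot 'assembly'
foreach ($sub in 'GAC_32', 'GAC_64') {
    $path = Join-Path (Join-Path $assembly $sub) 'Desktop.ini'
    # -Force so hidden/system attributes do not hide the file from us
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($null -eq $file) {
        $findings += [pscustomobject]@{ Check = "$sub\Desktop.ini"; Status = 'OK'; Detail = 'absent' }
    } else {
        # Hash with .NET directly so this also works where Get-FileHash is unavailable.
        $bytes = [System.IO.File]::ReadAllBytes($path)
        $hash = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        $findings += [pscustomobject]@{
            Check  = "$sub\Desktop.ini"
            Status = 'PRESENT'
            Detail = "size=$($file.Length) attrs=$($file.Attributes) sha256=$hash"
        }
    }
}

# --- 3. MBR code area, for before/after comparison only -----------------------
# Reads sector 0 of PhysicalDrive0 and hashes bytes 0..439 (the code area that
# precedes the disk signature and partition table). Needs elevation.
try {
    $stream = New-Object System.IO.FileStream(
        '\\.\PhysicalDrive0',
        [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::ReadWrite)
    $sector = New-Object byte[] 512
    [void]$stream.Read($sector, 0, 512)
    $stream.Dispose()
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $codeHash = ($md5.ComputeHash([byte[]]$sector[0..439]) | ForEach-Object { $_.ToString('x2') }) -join ''
    $bootSig = ('{0:x2}{1:x2}' -f $sector[510], $sector[511])   # expect 55aa
    $findings += [pscustomobject]@{ Check = 'MBR code (bytes 0-439)'; Status = 'READ'; Detail = "md5=$codeHash bootsig=$bootSig" }
} catch {
    $findings += [pscustomobject]@{ Check = 'MBR code (bytes 0-439)'; Status = 'ERROR'; Detail = $_.Exception.Message }
}

$findings | Format-Table -AutoSize
```

Run it once before cleanup and once after the reboot and compare the two tables: the UAC rows should move from DISABLED to OK (EnableLUA is 1 and ConsentPromptBehaviorAdmin is non-zero on a default Windows 7 install), both GAC rows should read "absent", and the MBR hash should be unchanged between runs, as both aswMBR logs already report default Windows 7 MBR code. Note that a kernel-mode rootkit can lie to a script running on the infected system, which is why the thread also relies on scans from Safe Mode and on tools with their own disk access.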
  25. Ok, it is running. It appears as though this one might take a while, but I am still here and monitoring this thread. Thank you very much for your help, I really do appreciate your time and effort.