RJC

Everything posted by RJC

  1. STEP 1 RogueKiller

     RogueKiller V8.8.0 [Dec 27 2013] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.adlice.com/forum/
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://www.adlice.com

     Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
     Started in : Normal mode
     User : Wraithchilde [Admin rights]
     Mode : Scan -- Date : 01/06/2014 19:43:26
     | ARK || FAK || MBR |

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 4 ¤¤¤
     [HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
     [HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
     [HJ SECU][PUM] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
     [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Scheduled tasks : 0 ¤¤¤

     ¤¤¤ Startup Entries : 0 ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ Browser Addons : 0 ¤¤¤

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [NOT LOADED 0xc0000033] ¤¤¤

     ¤¤¤ External Hives: ¤¤¤

     ¤¤¤ Infection : ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> %SystemRoot%\System32\drivers\etc\hosts

     127.0.0.1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST3320620AS +++++
     --- User ---
     [MBR] d3ad061161be7bb8170b6b511eda71ee
     [bSP] 0865dbc3033a5b0d1557ae0b87d99f0b : Windows XP MBR Code
     Partition table:
     0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 300442 Mo
     2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 615401955 | Size: 4753 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     +++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) ST31500341AS +++++
     --- User ---
     [MBR] 164bf18ef624175da2f198bf9765a4e2
     [bSP] 84bed909411e513407b4f1e9ef90eb3b : Windows XP MBR Code
     Partition table:
     0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1430796 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[0]_S_01062014_194326.txt >>

     STEP 2 TDSSKiller

     I ran this prior to asking for help here, so I know this is clean.

     STEP 3 Malwarebytes Anti-Rootkit

     I currently have no way to back up my HDD including the boot sector, so I don't feel comfortable using this tool.

     STEP 4 HitmanPro

     HitmanPro 3.7.8.208
     www.hitmanpro.com

        Computer name . . . . : BOB
        Windows . . . . . . . : 5.1.3.2600.X86/2
        User name . . . . . . : BOB\Wraithchilde
        License . . . . . . . : Free

        Scan date . . . . . . : 2014-01-07 07:47:58
        Scan mode . . . . . . : Normal
        Scan duration . . . . : 12m 43s
        Disk access mode . . : Direct disk access (SRB)
        Cloud . . . . . . . . : Internet
        Reboot . . . . . . . : No

        Threats . . . . . . . : 0
        Traces . . . . . . . : 33

        Objects scanned . . . : 1,259,710
        Files scanned . . . . : 50,806
        Remnants scanned . . : 510,334 files / 698,570 keys

     Cookies _____________________________________________________________________

        C:\Documents and Settings\Wraithchilde\Cookies\03K2Q6DT.txt
        C:\Documents and Settings\Wraithchilde\Cookies\05250RMU.txt
        C:\Documents and Settings\Wraithchilde\Cookies\1KHLJUQ3.txt
        C:\Documents and Settings\Wraithchilde\Cookies\2WN3I5I8.txt
        C:\Documents and Settings\Wraithchilde\Cookies\44TYXD3I.txt
        C:\Documents and Settings\Wraithchilde\Cookies\4CZD9391.txt
        C:\Documents and Settings\Wraithchilde\Cookies\4ZTFYDHG.txt
        C:\Documents and Settings\Wraithchilde\Cookies\5KRSXK9A.txt
        C:\Documents and Settings\Wraithchilde\Cookies\5Q0WTL4X.txt
        C:\Documents and Settings\Wraithchilde\Cookies\5X526CV1.txt
        C:\Documents and Settings\Wraithchilde\Cookies\5Z7DUT4H.txt
        C:\Documents and Settings\Wraithchilde\Cookies\AZAF1891.txt
        C:\Documents and Settings\Wraithchilde\Cookies\BDRD7M8F.txt
        C:\Documents and Settings\Wraithchilde\Cookies\BJ3TSBG6.txt
        C:\Documents and Settings\Wraithchilde\Cookies\CDYQT0HI.txt
        C:\Documents and Settings\Wraithchilde\Cookies\DUEJSGCS.txt
        C:\Documents and Settings\Wraithchilde\Cookies\EAP0FR92.txt
        C:\Documents and Settings\Wraithchilde\Cookies\HHPTZ1K4.txt
        C:\Documents and Settings\Wraithchilde\Cookies\IYNMNSRP.txt
        C:\Documents and Settings\Wraithchilde\Cookies\KGLISOEU.txt
        C:\Documents and Settings\Wraithchilde\Cookies\LH2HHDUV.txt
        C:\Documents and Settings\Wraithchilde\Cookies\OYNEDPJK.txt
        C:\Documents and Settings\Wraithchilde\Cookies\QTNCNGOF.txt
        C:\Documents and Settings\Wraithchilde\Cookies\R2MKT8ID.txt
        C:\Documents and Settings\Wraithchilde\Cookies\S4VDJJAV.txt
        C:\Documents and Settings\Wraithchilde\Cookies\SQSDL46L.txt
        C:\Documents and Settings\Wraithchilde\Cookies\SWVUG0TP.txt
        C:\Documents and Settings\Wraithchilde\Cookies\TGDC4RBX.txt
        C:\Documents and Settings\Wraithchilde\Cookies\U2LOSX7Y.txt
        C:\Documents and Settings\Wraithchilde\Cookies\UJ3VYR93.txt
        C:\Documents and Settings\Wraithchilde\Cookies\XCQ2GSPC.txt
        C:\Documents and Settings\Wraithchilde\Cookies\XXD3UVK8.txt
        C:\Documents and Settings\Wraithchilde\Cookies\YPAEXAK3.txt

     STEP 5 Security Check by screen317

     Results of screen317's Security Check version 0.99.78
     Windows XP Service Pack 3 x86
     Internet Explorer 8
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Disabled!
     Microsoft Security Essentials
     McAfee Anti-Virus and Anti-Spyware
     Microsoft Security Essentials
     Antivirus up to date! (On Access scanning disabled!)
     `````````Anti-malware/Other Utilities Check:`````````
     Out of date HijackThis installed!
     Spybot - Search & Destroy
     Malwarebytes Anti-Malware version 1.75.0.1300
     HijackThis 2.0.2
     Java 7 Update 45
     ````````Process Check: objlist.exe by Laurent````````
     Microsoft Security Essentials msseces.exe
     Windows Defender MSMpEng.exe
     Malwarebytes Anti-Malware mbamservice.exe
     Malwarebytes Anti-Malware mbamgui.exe
     Microsoft Security Client Antimalware MsMpEng.exe
     MalwarebytesAnti-Malware mbamscheduler.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C:: 6%
     ````````````````````End of Log``````````````````````

     I'm pretty confident the PC is clean now, thanks to you.
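The RogueKiller report in the post above lists four "[PUM]" registry findings. RogueKiller marks them FOUND because the policy value exists, not because its data is harmful, so the question for a reviewer is which of the four actually restrict anything before letting the tool delete them. The script below is an added example, not RogueKiller's own code and not part of the post: it parses lines of that shape, reads the number in parentheses as the DWORD data stored in the value (an assumption about the report format), and looks each value name up against Microsoft's documented meaning for it. The first four sample lines are copied from the report; the fifth is constructed to show what an active restriction looks like.

```python
"""Decode the '[PUM]' registry findings in a RogueKiller report.

Added example, not part of the original post and not RogueKiller's own code.
It assumes the line layout seen in the report above and reads the number in
parentheses as the DWORD data stored in the value. What each value does comes
from Microsoft's documentation of these policy keys, not from the report.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^\[(?P<cat>[^\]]+)\]\[(?P<kind>[^\]]+)\]\s+"  # tags, e.g. [HJ POL][PUM]
    r"(?P<key>.+?)\s+:\s+"                           # abbreviated key path (may contain spaces)
    r"(?P<name>\S+)\s+\((?P<data>\d+)\)\s+->\s+"     # value name and its data
    r"(?P<status>\w+)$"                              # FOUND / REPLACED / ...
)

# value name -> (data that makes it restrictive, what that restriction is)
KNOWN = {
    "DisableTaskMgr": (1, "Task Manager is blocked by policy"),
    "DisableRegistryTools": (1, "Registry Editor is blocked by policy"),
    "UpdatesDisableNotify": (1, "Security Center will not warn that updates are off"),
    # CLSID of 'My Computer'; 1 under HideDesktopIcons\NewStartPanel hides the icon
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": (1, "'My Computer' icon hidden from the desktop"),
}


@dataclass
class Finding:
    key: str
    name: str
    data: int
    restrictive: bool
    note: str


def decode_line(line):
    """Parse one report line; return a Finding for [PUM] entries, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("kind") != "PUM":
        return None
    name, data = m.group("name"), int(m.group("data"))
    if name in KNOWN:
        active, meaning = KNOWN[name]
        restrictive = data == active
        note = meaning if restrictive else "present, but data is the non-restrictive default"
    else:
        # Unknown policy value: a non-zero DWORD is usually the 'enabled' state.
        restrictive = data != 0
        note = "unknown policy value; treat non-zero data as restrictive until checked"
    return Finding(m.group("key"), name, data, restrictive, note)


def triage(report_text):
    """Return all [PUM] findings from a report, restrictive ones first."""
    found = [f for f in map(decode_line, report_text.splitlines()) if f]
    return sorted(found, key=lambda f: not f.restrictive)


# The four registry lines from the RogueKiller report above, plus one
# constructed line (DisableTaskMgr set to 1) to show an active restriction.
SAMPLE = r"""
[HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SECU][PUM] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (1) -> FOUND
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        flag = "RESTRICTIVE" if f.restrictive else "benign     "
        print(f"{flag} {f.key} : {f.name} = {f.data}  {f.note}")
```

On the four real lines only UpdatesDisableNotify and the hidden "My Computer" icon come out as restrictive; DisableTaskMgr and DisableRegistryTools are present with data 0, which behaves the same as the value being absent. The Security Check output in the same post (Windows Firewall disabled, on-access scanning off, two antivirus products installed side by side) is configuration state that no scanner fixes and that this script does not look at.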
  2. Thanks again. Yes I meant it crashed during defrag. I won't finish these steps tonight. I will post some time tomorrow. I hope you have a good rest.
  3. Disk cleanup: After about 4 hours the PC crashed with "Unknown hard error". It rebooted ok. This is an old PC and the HD is a bit slow. I will get a Windows 8 PC in a few months (since XP will no longer be supported) so I'm not concerned much about the HD performance.

     msconfig: There is nothing I want to remove. Some things I do after reboot, like sync my tablet and back up, then I kill the processes manually.

     Process explorer: System idle process is at 99% now so there is nothing to show. The svchost problem seems to be gone.

     FRST: Merged the Wmi.reg and scanned. Here is the log.

     Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-01-2014
     Ran by Wraithchilde (administrator) on BOB on 06-01-2014 09:23:57
     Running from C:\Documents and Settings\Wraithchilde\Desktop
     Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
     Internet Explorer Version 8
     Boot Mode: Normal

     ==================== Processes (Whitelisted) ===================

     (Microsoft Corporation) C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
     (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     (Microsoft Corporation) C:\WINDOWS\ehome\ehtray.exe
     (Creative Technology Ltd.) C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
     (Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
     (VIA Technologies, Inc.) C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
     (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
     (CobianSoft, Luis Cobian) C:\Program Files\Cobian Backup 10\cbVSCService.exe
     (Creative Technology Ltd) C:\WINDOWS\system32\CTSVCCDA.EXE
     (Microsoft Corporation) C:\WINDOWS\ehome\ehrecvr.exe
     (Microsoft Corporation) C:\WINDOWS\ehome\ehSched.exe
     (Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
     (Apple Inc.) E:\Program Files\iTunes\iTunesHelper.exe
     () C:\Program Files\Dell\Media Experience\DMXLauncher.exe
     (Sonic Solutions) C:\WINDOWS\system32\DLA\DLACTRLW.EXE
     (McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
     (Creative Technology Ltd) C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe
     (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
     (Malwarebytes Corporation) E:\Program Files\MalwarebytesAnti-Malware\mbamscheduler.exe
     (Malwarebytes Corporation) E:\Program Files\MalwarebytesAnti-Malware\mbamservice.exe
     (McAfee, Inc.) C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
     (McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
     (Malwarebytes Corporation) E:\Program Files\MalwarebytesAnti-Malware\mbamgui.exe
     (McAfee, Inc.) C:\WINDOWS\system32\mfevtps.exe
     () C:\Program Files\Autodesk\3ds Max Design 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe
     (NVIDIA) C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
     (NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
     (VMware, Inc.) C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
     (McAfee, Inc.) C:\Program Files\McAfee\MSC\McAPExe.exe
     (Microsoft Corporation) C:\WINDOWS\ehome\mcrdsvc.exe
     (McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
     (McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
     (VMware, Inc.) C:\Program Files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe
     (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
     (Microsoft Corporation) C:\WINDOWS\ehome\ehmsas.exe

     ==================== Registry (Whitelisted) ==================

     HKLM\...\Run: [ehTray] - C:\WINDOWS\ehome\ehtray.exe [59392 2004-08-10] (Microsoft Corporation)
     HKLM\...\Run: [AudioDrvEmulator] - C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe [49152 2005-11-04] (Creative Technology Ltd.)
     HKLM\...\Run: [Cobian Backup 10] - C:\Program Files\Cobian Backup 10\Cobian.exe [421376 2010-04-21] (Luis Cobian, CobianSoft)
     HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [997408 2010-11-30] (Microsoft Corporation)
     HKLM\...\Run: [HDAudDeck] - C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe [33628160 2009-06-05] (VIA Technologies, Inc.)
     HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
     HKLM\...\Run: [NvMediaCenter] - RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
     HKLM\...\Run: [nwiz] - C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2586912 2013-06-21] ()
     HKLM\...\Run: [mcpltui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [516912 2013-09-24] (McAfee, Inc.)
     HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
     HKLM\...\Run: [iTunesHelper] - E:\Program Files\iTunes\iTunesHelper.exe [152392 2013-10-01] (Apple Inc.)
     HKLM\...\Run: [VolPanel] - C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe [122880 2005-10-14] (Creative Technology Ltd)
     HKLM\...\Run: [updReg] - C:\WINDOWS\Updreg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
     HKLM\...\Run: [DMXLauncher] - C:\Program Files\Dell\Media Experience\DMXLauncher.exe [94208 2005-10-05] ()
     HKLM\...\Run: [DLA] - C:\WINDOWS\system32\DLA\DLACTRLW.EXE [122940 2005-09-08] (Sonic Solutions)
     HKLM\...\Run: [CTDVDDET] - C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe [45056 2003-06-18] (Creative Technology Ltd)
     HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
     HKLM\...\Policies\Explorer: [NoCDBurning] 0
     HKLM\...\Policies\Explorer: [NoControlPanel] 0
     HKCU\...\Run: [NVIDIA nTune] - C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [81920 2007-04-04] (NVIDIA)
     HKCU\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-13] (Microsoft Corporation)
     Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
     ShortcutTarget: Adobe Gamma Loader.exe.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
     Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
     ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

     ==================== Internet (Whitelisted) ====================

     HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
     HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xC6E91084900DCB01
     HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
     HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
     BHO: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
     BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
     BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
     BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
     BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
     Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
     Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
     Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
     DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab
     DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
     DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
     DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
     DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5854/mcfscan.cab
     Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
     Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
     Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
     Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
     Tcpip\Parameters: [DhcpNameServer] 24.196.64.53 68.113.206.10 24.178.162.3

     ========================== Services (Whitelisted) =================

     R2 cbVSCService; C:\Program Files\Cobian Backup 10\cbVSCService.exe [67584 2010-04-21] (CobianSoft, Luis Cobian)
     R2 Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.exe [44032 1999-12-13] (Creative Technology Ltd)
     S2 DAZContentManagementService; E:\Program Files\DAZ 3D\Content Management Service\ContentManagementServer.exe [18432 2011-05-05] ()
     R2 HomeNetSvc; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
     R2 MBAMScheduler; E:\Program Files\MalwarebytesAnti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
     R2 MBAMService; E:\Program Files\MalwarebytesAnti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
     R2 McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [103112 2013-11-07] (McAfee, Inc.)
     R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [145088 2013-11-28] (McAfee, Inc.)
     R2 mcbootdelaystartsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
     R2 McMPFSvc; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
     R2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
     S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [471592 2013-08-02] (McAfee, Inc.)
     R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
     R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
     R2 McrdSvc; C:\WINDOWS\ehome\mcrdsvc.exe [99328 2005-08-05] (Microsoft Corporation)
     R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [643608 2013-11-26] (McAfee, Inc.)
     R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [169320 2013-11-04] (McAfee, Inc.)
     R2 mfevtp; C:\WINDOWS\system32\mfevtps.exe [172416 2013-11-04] (McAfee, Inc.)
     R2 mi-raysat_3dsmax2011_32; C:\Program Files\Autodesk\3ds Max Design 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe [86016 2010-03-10] ()
     R2 MSK80Service; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
     R2 MsMpSvc; C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [11736 2010-11-11] (Microsoft Corporation)
     R2 nTuneService; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [126976 2007-04-04] (NVIDIA)
     S3 usprserv; C:\Windows\System32\svchost.exe [14336 2008-04-13] (Microsoft Corporation)
     R2 wsnm; C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe [494192 2011-09-07] (VMware, Inc.)
     R2 wsnm_usbctrl; C:\Program Files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [797296 2011-09-07] (VMware, Inc.)
     R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"

     ==================== Drivers (Whitelisted) ====================

     S4 abp480n5; C:\Windows\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
     S3 apf003; C:\WINDOWS\system32\apf003.sys [13232 2013-04-09] ()
     R2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [271360 2007-07-28] ()
     R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [60920 2013-11-04] (McAfee, Inc.)
     S3 ctdvda2k; C:\Windows\System32\drivers\ctdvda2k.sys [340704 2005-07-13] (Creative Technology Ltd)
     R2 DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [25628 2005-09-08] (Sonic Solutions)
     R1 DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [5628 2005-08-25] (Sonic Solutions)
     R2 DLADResN; C:\Windows\System32\DLA\DLADResN.SYS [2496 2005-09-08] (Sonic Solutions)
     R2 DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [86524 2005-09-08] (Sonic Solutions)
     R2 DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [14684 2005-09-08] (Sonic Solutions)
     R2 DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [6364 2005-09-08] (Sonic Solutions)
     R1 DLARTL_N; C:\Windows\System32\Drivers\DLARTL_N.SYS [22684 2005-08-25] (Sonic Solutions)
     R2 DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [94332 2005-09-08] (Sonic Solutions)
     R2 DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [87036 2005-09-08] (Sonic Solutions)
     R2 DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [40544 2005-08-12] (Sonic Solutions)
     R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [239168 2012-01-21] (DT Soft Ltd)
     S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [147912 2013-09-23] (McAfee, Inc.)
     R2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [18048 2007-07-28] ()
     R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
     R2 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [133992 2013-11-04] (McAfee, Inc.)
     R2 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [236000 2013-11-04] (McAfee, Inc.)
     S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [65928 2013-11-04] (McAfee, Inc.)
     R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [365416 2013-11-04] (McAfee, Inc.)
     R2 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [572528 2013-11-04] (McAfee, Inc.)
     R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [319808 2013-11-26] (McAfee, Inc.)
     S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [80752 2013-11-26] (McAfee, Inc.)
     S3 mfendisk; C:\Windows\System32\DRIVERS\mfendisk.sys [85064 2013-11-04] (McAfee, Inc.)
     R3 mfendiskmp; C:\Windows\System32\DRIVERS\mfendisk.sys [85064 2013-11-04] (McAfee, Inc.)
     R1 mfetdi2k; C:\Windows\System32\drivers\mfetdi2k.sys [91736 2013-11-04] (McAfee, Inc.)
     R3 monfilt; C:\Windows\System32\drivers\monfilt.sys [1389056 2008-02-14] (Creative Technology Ltd.)
     R1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [165264 2010-10-24] (Microsoft Corporation)
     R0 nvatabus; C:\Windows\System32\DRIVERS\NVATABUS.SYS [105472 2010-04-18] (NVIDIA Corporation)
     S3 NVHDA; C:\Windows\System32\drivers\nvhda32.sys [124264 2013-02-18] (NVIDIA Corporation)
     R3 NVR0Dev; C:\WINDOWS\nvoclock.sys [6912 2007-04-04] (NVidia Corp.)
     R3 SCREAMINGBDRIVER; C:\Windows\System32\drivers\ScreamingBAudio.sys [23064 2008-11-22] (Screaming Bee LLC)
     R3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1374464 2009-06-02] (VIA Technologies, Inc.)
     R3 vmwvusb; C:\Windows\System32\Drivers\vmwvusb.sys [40048 2011-09-07] (VMware, Inc.)
     R3 WmBEnum; C:\Windows\System32\drivers\WmBEnum.sys [10144 2005-04-12] (Logitech Inc.)
     S3 WmFilter; C:\Windows\System32\drivers\WmFilter.sys [22240 2005-04-12] (Logitech Inc.)
     S3 WmVirHid; C:\Windows\System32\drivers\WmVirHid.sys [5600 2005-04-12] (Logitech Inc.)
     R3 WmXlCore; C:\Windows\System32\drivers\WmXlCore.sys [45504 2005-04-12] (Logitech Inc.)
     U2 mfewfpk;
     U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
     S3 XDva398; \??\C:\WINDOWS\system32\XDva398.sys [x]

     ==================== NetSvcs (Whitelisted) ===================

     NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)

     ==================== One Month Created Files and Folders ========

     2014-01-06 09:23 - 2014-01-06 09:23 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Desktop\FRST-OlderVersion
     2014-01-06 09:02 - 2014-01-06 09:03 - 140022632 _____ C:\Documents and Settings\Wraithchilde\My Documents\1-1-14-reg backup.reg
     2014-01-05 16:53 - 2014-01-05 16:53 - 00003274 _____ C:\Documents and Settings\Wraithchilde\Desktop\Wmi.reg
     2014-01-05 16:28 - 2014-01-05 16:28 - 00000623 _____ C:\Documents and Settings\All Users\Desktop\MyDefrag.lnk
     2014-01-05 14:47 - 2014-01-05 14:47 - 00002247 _____ C:\Documents and Settings\Wraithchilde\Desktop\FSS.txt
     2014-01-05 14:11 - 2014-01-05 14:11 - 00708597 _____ (Farbar) C:\Documents and Settings\Wraithchilde\Desktop\FSS.exe
     2014-01-05 13:14 - 2014-01-05 13:17 - 00002003 _____ C:\Documents and Settings\Wraithchilde\Desktop\Search.txt
     2014-01-05 13:05 - 2014-01-05 13:13 - 00023462 _____ C:\Documents and Settings\Wraithchilde\Desktop\Addition.txt
     2014-01-05 13:01 - 2014-01-06 09:24 - 00015758 _____ C:\Documents and Settings\Wraithchilde\Desktop\FRST.txt
     2014-01-05 12:59 - 2014-01-06 09:23 - 00000000 ____D C:\FRST
     2014-01-05 12:58 - 2014-01-06 09:23 - 01064805 _____ (Farbar) C:\Documents and Settings\Wraithchilde\Desktop\FRST.exe
     2014-01-05 10:55 - 2014-01-05 10:58 - 00012270 _____ C:\WINDOWS\KB2888505-IE8.log
     2014-01-05 08:20 - 2014-01-05 08:20 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Local Settings\Application Data\Sun
     2014-01-05 08:10 - 2014-01-05 08:10 - 00000000 ____D C:\Program Files\Common Files\Java
     2014-01-05 08:10 - 2014-01-05 08:09 - 00264616 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
     2014-01-05 08:10 - 2014-01-05 08:09 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
     2014-01-05 08:09 - 2014-01-05 08:09 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
     2014-01-05 08:09 - 2014-01-05 08:09 - 00174504 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
     2014-01-05 08:09 - 2014-01-05 08:09 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
     2014-01-05 08:09 - 2014-01-05 08:09 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Java
     2014-01-04 06:10 - 2014-01-06 09:19 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
     2014-01-03 06:08 - 2014-01-03 06:08 - 00000650 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
     2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\Malwarebytes
     2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
     2014-01-03 06:08 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
     2014-01-02 20:15 - 2014-01-02 20:15 - 00000000 ____D C:\Program Files\ESET
     2014-01-02 19:57 - 2014-01-05 11:17 - 00021817 _____ C:\Documents and Settings\Wraithchilde\Desktop\attach.txt
     2014-01-02 19:57 - 2014-01-05 11:17 - 00016066 _____ C:\Documents and Settings\Wraithchilde\Desktop\dds.txt
     2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
     2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\DEFAULT.tmp.LOG
     2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SYSTEM.tmp.LOG
     2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SOFTWARE.tmp.LOG
     2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
     2014-01-02 18:11 - 2011-06-26 00:45 - 00256000 _____ C:\WINDOWS\PEV.exe
     2014-01-02 18:11 - 2010-11-07 11:20 - 00208896 _____ C:\WINDOWS\MBR.exe
     2014-01-02 18:11 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
     2014-01-02 18:11 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
     2014-01-02 18:11 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
     2014-01-02 18:11 - 2000-08-30 18:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
     2014-01-02 18:11 - 2000-08-30 18:00 - 00098816 _____ C:\WINDOWS\sed.exe
     2014-01-02 18:11 - 2000-08-30 18:00 - 00080412 _____ C:\WINDOWS\grep.exe
     2014-01-02 18:11 - 2000-08-30 18:00 - 00068096 _____ C:\WINDOWS\zip.exe
     2014-01-02 18:09 - 2014-01-02 18:33 - 00000000 ____D C:\Qoobox
     2014-01-02 18:08 - 2014-01-02 18:30 - 00000000 ____D C:\WINDOWS\erdnt
     2014-01-01 15:22 - 2014-01-02 06:45 - 00065536 _____ C:\WINDOWS\system32\config\Cobian B.evt
     2013-12-28 07:36 - 2013-12-28 07:36 - 00000853 ____N C:\Documents and Settings\All Users\Desktop\Firestorm-Beta.lnk

     ==================== One Month Modified Files and Folders =======

     2014-01-06 09:24 - 2014-01-05 13:01 - 00015758 _____ C:\Documents and Settings\Wraithchilde\Desktop\FRST.txt
     2014-01-06 09:24 - 2005-08-16 03:40 - 01279946 _____ C:\WINDOWS\WindowsUpdate.log
     2014-01-06 09:23 - 2014-01-06 09:23 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Desktop\FRST-OlderVersion
     2014-01-06 09:23 - 2014-01-05 12:59 - 00000000 ____D C:\FRST
     2014-01-06 09:23 - 2014-01-05 12:58 - 01064805 _____ (Farbar) C:\Documents and Settings\Wraithchilde\Desktop\FRST.exe
     2014-01-06 09:19 - 2014-01-04 06:10 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
     2014-01-06 09:19 - 2013-08-26 17:29 - 00001611 _____ C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
     2014-01-06 09:19 - 2011-01-29 12:24 - 00000424 ____H C:\WINDOWS\Tasks\MP Scheduled Scan.job
     2014-01-06 09:18 - 2013-05-10 14:01 - 00007518 _____ C:\WINDOWS\system32\nvAppTimestamps
     2014-01-06 09:16 - 2005-08-16 03:38 - 00000000 ____D C:\WINDOWS\Registration
     2014-01-06 09:13 - 2005-08-16 03:35 - 00000159 _____ C:\WINDOWS\wiadebug.log
     2014-01-06 09:13 - 2005-08-16 03:35 - 00000048 _____ C:\WINDOWS\wiaservc.log
     2014-01-06 09:12 - 2005-08-16 03:49 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
     2014-01-06 09:11 - 2007-06-02 11:31 - 00000178 ___SH C:\Documents and Settings\Wraithchilde\ntuser.ini
     2014-01-06 09:11 - 2005-08-16 03:49 - 00032500 _____ C:\WINDOWS\SchedLgU.Txt
     2014-01-06 09:03 - 2014-01-06 09:02 - 140022632 _____ C:\Documents and Settings\Wraithchilde\My Documents\1-1-14-reg backup.reg
     2014-01-06 08:58 - 2007-06-07 19:43 - 00000000 ____D C:\Documents and Settings\Wraithchilde\My Documents\Misc
     2014-01-06 08:50 - 2012-03-29 04:20 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
     2014-01-06 08:11 - 2009-03-25 10:49 - 00000000 ____D C:\Documents and Settings\Wraithchilde\My Documents\TurboTax
     2014-01-06 08:07 - 2007-06-03 04:00 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\Adobe
     2014-01-06 07:17 - 2005-08-16 03:18 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl
     2014-01-06 03:16 - 2008-03-16 17:34 - 00000000 __SHD C:\WINDOWS\CSC
     2014-01-05 16:53 - 2014-01-05 16:53 - 00003274 _____ C:\Documents and Settings\Wraithchilde\Desktop\Wmi.reg
     2014-01-05 16:28 - 2014-01-05 16:28 - 00000623 _____ C:\Documents and Settings\All Users\Desktop\MyDefrag.lnk
     2014-01-05 15:27 - 2012-01-30 12:56 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Local Settings\Application Data\Firestorm
     2014-01-05 15:20 - 2013-07-11 09:46 - 01098252 _____ C:\WINDOWS\system32\nvdrsdb0.bin
     2014-01-05 15:20 - 2013-07-11 09:46 - 00000001 _____ C:\WINDOWS\system32\nvdrssel.bin
     2014-01-05 14:47 - 2014-01-05 14:47 - 00002247 _____ C:\Documents and Settings\Wraithchilde\Desktop\FSS.txt
     2014-01-05 14:41 - 2013-07-11 09:46 - 01098252 _____ C:\WINDOWS\system32\nvdrsdb1.bin
     2014-01-05 14:11 - 2014-01-05 14:11 - 00708597 _____ (Farbar) C:\Documents and Settings\Wraithchilde\Desktop\FSS.exe
     2014-01-05 13:29 - 2010-03-01 08:19 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
     2014-01-05 13:17 - 2014-01-05 13:14 - 00002003 _____ C:\Documents and Settings\Wraithchilde\Desktop\Search.txt
     2014-01-05 13:13 - 2014-01-05 13:05 - 00023462 _____ C:\Documents and Settings\Wraithchilde\Desktop\Addition.txt
     2014-01-05 11:17 - 2014-01-02 19:57 - 00021817 _____ C:\Documents and Settings\Wraithchilde\Desktop\attach.txt
     2014-01-05 11:17 - 2014-01-02 19:57 - 00016066 _____ C:\Documents and Settings\Wraithchilde\Desktop\dds.txt
     2014-01-05 11:07 - 2011-01-12 14:39 - 00000506 _____ C:\Documents and Settings\Wraithchilde\Desktop\Misc Notes.txt
     2014-01-05 10:58 - 2014-01-05 10:55 - 00012270 _____ C:\WINDOWS\KB2888505-IE8.log
     2014-01-05 10:58 - 2005-08-16 03:33 - 01408683 _____ C:\WINDOWS\iis6.log
     2014-01-05 10:58 - 2005-08-16 03:33 - 00563217 _____ C:\WINDOWS\tsoc.log
     2014-01-05 10:58 - 2005-08-16 03:33 - 00410176 _____ C:\WINDOWS\comsetup.log
     2014-01-05 10:58 - 2005-08-16 03:33 - 00249840 _____ C:\WINDOWS\ntdtcsetup.log
     2014-01-05 10:58 - 2005-08-16 03:33 - 00179312 _____ C:\WINDOWS\MedCtrOC.log
     2014-01-05 10:58 - 2005-08-16 03:33 - 00070146 _____ C:\WINDOWS\ehOCGen.log
     2014-01-05 10:58 - 2005-08-16 03:33 - 00067313 _____ C:\WINDOWS\ocmsn.log
     2014-01-05 10:58 - 2005-08-16 03:33 - 00060540 _____ C:\WINDOWS\tabletoc.log
     2014-01-05 10:58 - 2005-08-16 03:33 - 00001355 _____ C:\WINDOWS\imsins.log
     2014-01-05 10:57 - 2005-08-16 20:04 - 00244755 _____ C:\WINDOWS\updspapi.log
     2014-01-05 10:57 - 2005-08-16 03:33 - 01220207 _____ C:\WINDOWS\FaxSetup.log
     2014-01-05 10:57 - 2005-08-16 03:33 - 00606827 _____ C:\WINDOWS\ocgen.log
     2014-01-05 10:57 - 2005-08-16 03:33 - 00385812 _____ C:\WINDOWS\msmqinst.log
     2014-01-05 10:57 - 2005-08-16 03:33 - 00225716 _____ C:\WINDOWS\netfxocm.log
     2014-01-05 10:57 - 2005-08-16 03:33 - 00144724 _____ C:\WINDOWS\plusoc.log
     2014-01-05 10:57 - 2005-08-16 03:33 - 00061129 _____ C:\WINDOWS\msgsocm.log
     2014-01-05 10:56 - 2010-04-15 15:16 - 00000000 ____D C:\WINDOWS\ie8updates
     2014-01-05 08:20 - 2014-01-05 08:20 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Local Settings\Application Data\Sun
     2014-01-05 08:10 - 2014-01-05 08:10 - 00000000 ____D C:\Program Files\Common Files\Java
     2014-01-05 08:09 - 2014-01-05 08:10 - 00264616 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
     2014-01-05 08:09 - 2014-01-05 08:10 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
     2014-01-05 08:09 - 2014-01-05 08:09 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
     2014-01-05 08:09 - 2014-01-05 08:09 - 00174504 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
     2014-01-05 08:09 - 2014-01-05 08:09 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
     2014-01-05 08:09 - 2014-01-05 08:09 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Java
     2014-01-05 08:08 - 2007-05-16 07:33 - 00000000 ____D C:\Program Files\Java
     2014-01-05 08:00 - 2013-08-26 17:27 - 00000000 ____D C:\Program Files\McAfee
     2014-01-05 08:00 - 2013-08-26 17:20 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\McAfee
     2014-01-05 06:36 - 2010-05-01 13:57 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Adobe
     2014-01-05 06:36 - 2007-05-16 07:45 - 00000000 ____D C:\Program Files\Common Files\Adobe
     2014-01-05 06:36 - 2007-05-16 07:45 - 00000000 ____D C:\Program Files\Adobe
     2014-01-04 06:47 - 2009-04-11 06:23 - 00000000 ____D C:\Documents and Settings\Wraithchilde\My Documents\Second Life
     2014-01-04 06:19 - 2007-05-16 07:21 - 00000209 ___SH C:\boot.ini
     2014-01-04 06:19 - 2005-08-16 03:18 - 00000602 _____ C:\WINDOWS\win.ini
     2014-01-04 06:19 - 2005-08-16 03:18 - 00000227 _____ C:\WINDOWS\system.ini
     2014-01-04 05:53 - 2009-08-20 12:16 - 00000000 ____D C:\WINDOWS\pss
     2014-01-03 11:55 - 2012-01-22 04:18 - 00284373 _____ C:\WINDOWS\setupapi.log
     2014-01-03 07:45 - 2005-08-16 03:22 - 00000000 ____D C:\WINDOWS\Resources
     2014-01-03 06:08 - 2014-01-03 06:08 - 00000650 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
     2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\Malwarebytes
     2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
     2014-01-03 01:07 - 2005-08-16 03:49 - 00000000 __SHD C:\Documents and Settings\NetworkService
     2014-01-02 20:15 - 2014-01-02 20:15 - 00000000 ____D C:\Program Files\ESET
     2014-01-02 18:33 - 2014-01-02 18:09 - 00000000 ____D C:\Qoobox
     2014-01-02 18:30 - 2014-01-02 18:08 - 00000000 ____D C:\WINDOWS\erdnt
     2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
     2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\DEFAULT.tmp.LOG
     2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SYSTEM.tmp.LOG
     2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SOFTWARE.tmp.LOG
     2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
     2014-01-02 18:21 - 2013-06-07 09:08 - 41943040 _____ C:\WINDOWS\system32\config\SOFTWARE.bak
     2014-01-02 18:21 - 2007-05-16 14:19 - 14417920 _____ C:\WINDOWS\system32\config\SYSTEM.bak
     2014-01-02 18:21 - 2005-08-15 22:27 - 01048576 _____ C:\WINDOWS\system32\config\DEFAULT.bak
     2014-01-02 18:21 - 2005-08-15 22:27 - 00262144 _____ C:\WINDOWS\system32\config\SECURITY.bak
     2014-01-02 18:21 - 2005-08-15 22:27 - 00262144 _____ C:\WINDOWS\system32\config\SAM.bak
     2014-01-02 18:19 - 2007-06-02 11:31 - 00000000 ____D C:\Documents and Settings\Wraithchilde
     2014-01-02 18:01 - 2010-08-07 22:06 - 00011958 _____ C:\Documents and Settings\Wraithchilde\My Documents\hijackthis.log
     2014-01-02 15:00 - 2009-11-19 21:37 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\vlc
     2014-01-02 06:45 - 2014-01-01 15:22 - 00065536 _____ C:\WINDOWS\system32\config\Cobian B.evt
     2014-01-01 07:12 - 2005-08-16 03:22 - 00000000
____D C:\WINDOWS\repair 2013-12-28 07:36 - 2013-12-28 07:36 - 00000853 ____N C:\Documents and Settings\All Users\Desktop\Firestorm-Beta.lnk 2013-12-27 15:48 - 2013-08-26 17:20 - 00000000 ____D C:\Program Files\Common Files\McAfee 2013-12-20 06:42 - 2007-07-17 14:38 - 00000230 _____ C:\WINDOWS\CTWave32.ini 2013-12-20 06:37 - 2007-07-17 14:20 - 00000072 _____ C:\WINDOWS\sbwin.ini 2013-12-18 18:22 - 2005-08-16 03:33 - 00574102 _____ C:\WINDOWS\system32\PerfStringBackup.INI 2013-12-13 13:30 - 2007-06-03 07:21 - 00000000 ____D C:\Documents and Settings\Wraithchilde\My Documents\Projects Files to move or delete: ==================== C:\Documents and Settings\Wraithchilde\random.dat ==================== Bamital & volsnap Check ================= C:\Windows\explorer.exe => MD5 is legit C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\System32\rpcss.dll [2005-08-16 03:18] - [2009-02-09 04:56] - 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2 C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== End Of Log ============================ This is odd. I have no idea what this is or where it comes from. The file doesn't exist. S3 XDva398; \??\C:\WINDOWS\system32\XDva398.sys [x]
  4. Thank you. This might take a while. It will likely be tomorrow before I can complete this and post the results.
  5. A strange file with unicode characters for a name was created on the desktop. Not sure where that came from. CPU usage from System and svchost seems to have calmed down a bit. Still took a very long time to reboot. No blocked website message so far.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 04-01-2014
Ran by Wraithchilde at 2014-01-05 14:24:38 Run:1
Running from C:\Documents and Settings\Wraithchilde\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
S2 vmhnavixan; \??\C:\WINDOWS\system32\drivers\mmdzrgupcuxacl.sys [x]
C:\WINDOWS\system32\drivers\mmdzrgupcuxacl.sys
U3 mbr; \??\C:\DOCUME~1\WRAITH~1\LOCALS~1\Temp\mbr.sys [x]
2014-01-02 12:44 - 2014-01-02 12:44 - 00028672 _____ C:\WINDOWS\system32\gwbxgwx.ner
2014-01-02 12:34 - 2014-01-05 12:10 - 00000081 _____ C:\WINDOWS\system32\wbwd.vmy
2014-01-02 12:31 - 2014-01-02 12:44 - 00000102 _____ C:\WINDOWS\system32\ryer.xah
2014-01-02 12:31 - 2014-01-02 12:31 - 00000064 _____ C:\WINDOWS\system32\pecdt.jfe
2013-12-28 15:11 - 2013-12-28 15:11 - 00101213 ____S C:\WINDOWS\system32\pydray.bma
Replace: C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll C:\WINDOWS\system32\rpcss.dll
Replace: C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll C:\WINDOWS\system32\dllcache\rpcss.dll
end
*****************

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
catchme => Service deleted successfully.
vmhnavixan => Service deleted successfully.
"C:\WINDOWS\system32\drivers\mmdzrgupcuxacl.sys" => File/Directory not found.
mbr => Service deleted successfully.
C:\WINDOWS\system32\gwbxgwx.ner => Moved successfully.
C:\WINDOWS\system32\wbwd.vmy => Moved successfully.
C:\WINDOWS\system32\ryer.xah => Moved successfully.
C:\WINDOWS\system32\pecdt.jfe => Moved successfully.
Could not move "C:\WINDOWS\system32\pydray.bma" => Scheduled to move on reboot.
C:\WINDOWS\system32\rpcss.dll => Moved successfully.
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll copied successfully to C:\WINDOWS\system32\rpcss.dll
"C:\WINDOWS\system32\dllcache\rpcss.dll" => Could not move.
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll copied successfully to C:\WINDOWS\system32\dllcache\rpcss.dll

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-01-05 14:28:29)<=

C:\WINDOWS\system32\pydray.bma => Is moved successfully.

==== End of Fixlog ====

Farbar Service Scanner Version: 05-12-2013
Ran by Wraithchilde (administrator) on 05-01-2014 at 14:47:12
Running from "C:\Documents and Settings\Wraithchilde\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Other Services:
==============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) mfetdi2k(8) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****
  6. Thank you Georgi

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 04-01-2014
Ran by Wraithchilde (administrator) on BOB on 05-01-2014 13:11:54
Running from C:\Documents and Settings\Wraithchilde\Desktop
Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

ATTENTION: If processes are not listed WMI should be repaired.

==================== Processes (Whitelisted) ===================

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [ehTray] - C:\WINDOWS\ehome\ehtray.exe [59392 2004-08-10] (Microsoft Corporation)
HKLM\...\Run: [AudioDrvEmulator] - C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe [49152 2005-11-04] (Creative Technology Ltd.)
HKLM\...\Run: [Cobian Backup 10] - C:\Program Files\Cobian Backup 10\Cobian.exe [421376 2010-04-21] (Luis Cobian, CobianSoft)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [997408 2010-11-30] (Microsoft Corporation)
HKLM\...\Run: [HDAudDeck] - C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe [33628160 2009-06-05] (VIA Technologies, Inc.)
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] - RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [nwiz] - C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2586912 2013-06-21] ()
HKLM\...\Run: [mcpltui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [516912 2013-09-24] (McAfee, Inc.)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - E:\Program Files\iTunes\iTunesHelper.exe [152392 2013-10-01] (Apple Inc.)
HKLM\...\Run: [VolPanel] - C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe [122880 2005-10-14] (Creative Technology Ltd)
HKLM\...\Run: [updReg] - C:\WINDOWS\Updreg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM\...\Run: [DMXLauncher] - C:\Program Files\Dell\Media Experience\DMXLauncher.exe [94208 2005-10-05] ()
HKLM\...\Run: [DLA] - C:\WINDOWS\system32\DLA\DLACTRLW.EXE [122940 2005-09-08] (Sonic Solutions)
HKLM\...\Run: [CTDVDDET] - C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe [45056 2003-06-18] (Creative Technology Ltd)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKCU\...\Run: [NVIDIA nTune] - C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [81920 2007-04-04] (NVIDIA)
HKCU\...\Run: [MSMSGS] - C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-13] (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
ShortcutTarget: Adobe Gamma Loader.exe.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xC6E91084900DCB01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5854/mcfscan.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 24.196.64.53 68.113.206.10 24.178.162.3

========================== Services (Whitelisted) =================

R2 cbVSCService; C:\Program Files\Cobian Backup 10\cbVSCService.exe [67584 2010-04-21] (CobianSoft, Luis Cobian)
R2 Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.exe [44032 1999-12-13] (Creative Technology Ltd)
S2 DAZContentManagementService; E:\Program Files\DAZ 3D\Content Management Service\ContentManagementServer.exe [18432 2011-05-05] ()
R2 HomeNetSvc; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 MBAMScheduler; E:\Program Files\MalwarebytesAnti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; E:\Program Files\MalwarebytesAnti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [103112 2013-11-07] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [145088 2013-11-28] (McAfee, Inc.)
R2 mcbootdelaystartsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [471592 2013-08-02] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 McrdSvc; C:\WINDOWS\ehome\mcrdsvc.exe [99328 2005-08-05] (Microsoft Corporation)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [643608 2013-11-26] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [169320 2013-11-04] (McAfee, Inc.)
R2 mfevtp; C:\WINDOWS\system32\mfevtps.exe [172416 2013-11-04] (McAfee, Inc.)
R2 mi-raysat_3dsmax2011_32; C:\Program Files\Autodesk\3ds Max Design 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe [86016 2010-03-10] ()
R2 MSK80Service; C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe [281560 2013-07-30] (McAfee, Inc.)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [11736 2010-11-11] (Microsoft Corporation)
R2 nTuneService; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [126976 2007-04-04] (NVIDIA)
S3 usprserv; C:\Windows\System32\svchost.exe [14336 2008-04-13] (Microsoft Corporation)
R2 wsnm; C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe [494192 2011-09-07] (VMware, Inc.)
S2 wsnm_usbctrl; C:\Program Files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [797296 2011-09-07] (VMware, Inc.)
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"

==================== Drivers (Whitelisted) ====================

S4 abp480n5; C:\Windows\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
S3 apf003; C:\WINDOWS\system32\apf003.sys [13232 2013-04-09] ()
R2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [271360 2007-07-28] ()
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [60920 2013-11-04] (McAfee, Inc.)
S3 ctdvda2k; C:\Windows\System32\drivers\ctdvda2k.sys [340704 2005-07-13] (Creative Technology Ltd)
R2 DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [25628 2005-09-08] (Sonic Solutions)
R1 DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [5628 2005-08-25] (Sonic Solutions)
R2 DLADResN; C:\Windows\System32\DLA\DLADResN.SYS [2496 2005-09-08] (Sonic Solutions)
R2 DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [86524 2005-09-08] (Sonic Solutions)
R2 DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [14684 2005-09-08] (Sonic Solutions)
R2 DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [6364 2005-09-08] (Sonic Solutions)
R1 DLARTL_N; C:\Windows\System32\Drivers\DLARTL_N.SYS [22684 2005-08-25] (Sonic Solutions)
R2 DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [94332 2005-09-08] (Sonic Solutions)
R2 DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [87036 2005-09-08] (Sonic Solutions)
R2 DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [40544 2005-08-12] (Sonic Solutions)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [239168 2012-01-21] (DT Soft Ltd)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [147912 2013-09-23] (McAfee, Inc.)
R2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [18048 2007-07-28] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R2 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [133992 2013-11-04] (McAfee, Inc.)
R2 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [236000 2013-11-04] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [65928 2013-11-04] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [365416 2013-11-04] (McAfee, Inc.)
R2 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [572528 2013-11-04] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [319808 2013-11-26] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [80752 2013-11-26] (McAfee, Inc.)
S3 mfendisk; C:\Windows\System32\DRIVERS\mfendisk.sys [85064 2013-11-04] (McAfee, Inc.)
R3 mfendiskmp; C:\Windows\System32\DRIVERS\mfendisk.sys [85064 2013-11-04] (McAfee, Inc.)
R1 mfetdi2k; C:\Windows\System32\drivers\mfetdi2k.sys [91736 2013-11-04] (McAfee, Inc.)
R3 monfilt; C:\Windows\System32\drivers\monfilt.sys [1389056 2008-02-14] (Creative Technology Ltd.)
R1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [165264 2010-10-24] (Microsoft Corporation)
R0 nvatabus; C:\Windows\System32\DRIVERS\NVATABUS.SYS [105472 2010-04-18] (NVIDIA Corporation)
S3 NVHDA; C:\Windows\System32\drivers\nvhda32.sys [124264 2013-02-18] (NVIDIA Corporation)
R3 NVR0Dev; C:\WINDOWS\nvoclock.sys [6912 2007-04-04] (NVidia Corp.)
R3 SCREAMINGBDRIVER; C:\Windows\System32\drivers\ScreamingBAudio.sys [23064 2008-11-22] (Screaming Bee LLC)
R3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1374464 2009-06-02] (VIA Technologies, Inc.)
R3 vmwvusb; C:\Windows\System32\Drivers\vmwvusb.sys [40048 2011-09-07] (VMware, Inc.)
R3 WmBEnum; C:\Windows\System32\drivers\WmBEnum.sys [10144 2005-04-12] (Logitech Inc.)
S3 WmFilter; C:\Windows\System32\drivers\WmFilter.sys [22240 2005-04-12] (Logitech Inc.)
S3 WmVirHid; C:\Windows\System32\drivers\WmVirHid.sys [5600 2005-04-12] (Logitech Inc.)
R3 WmXlCore; C:\Windows\System32\drivers\WmXlCore.sys [45504 2005-04-12] (Logitech Inc.)
S3 catchme; \??\C:\ComboFix\catchme.sys [x]
U2 mfewfpk;
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S2 vmhnavixan; \??\C:\WINDOWS\system32\drivers\mmdzrgupcuxacl.sys [x]
S3 XDva398; \??\C:\WINDOWS\system32\XDva398.sys [x]
U3 mbr; \??\C:\DOCUME~1\WRAITH~1\LOCALS~1\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

2014-01-05 13:05 - 2014-01-05 13:07 - 00023462 _____ C:\Documents and Settings\Wraithchilde\Desktop\Addition.txt
2014-01-05 13:01 - 2014-01-05 13:12 - 00013595 _____ C:\Documents and Settings\Wraithchilde\Desktop\FRST.txt
2014-01-05 12:59 - 2014-01-05 12:59 - 00000000 ____D C:\FRST
2014-01-05 12:58 - 2014-01-05 12:58 - 01064761 _____ (Farbar) C:\Documents and Settings\Wraithchilde\Desktop\FRST.exe
2014-01-05 10:55 - 2014-01-05 10:58 - 00012270 _____ C:\WINDOWS\KB2888505-IE8.log
2014-01-05 08:20 - 2014-01-05 08:20 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Local Settings\Application Data\Sun
2014-01-05 08:10 - 2014-01-05 08:10 - 00000000 ____D C:\Program Files\Common Files\Java
2014-01-05 08:10 - 2014-01-05 08:09 - 00264616 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-01-05 08:10 - 2014-01-05 08:09 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-01-05 08:09 - 2014-01-05 08:09 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-01-05 08:09 - 2014-01-05 08:09 - 00174504 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-01-05 08:09 - 2014-01-05 08:09 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-01-05 08:09 - 2014-01-05 08:09 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-01-04 06:10 - 2014-01-05 11:09 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
2014-01-03 06:08 - 2014-01-03 06:08 - 00000650 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\Malwarebytes
2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-01-03 06:08 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-01-02 20:15 - 2014-01-02 20:15 - 00000000 ____D C:\Program Files\ESET
2014-01-02 19:57 - 2014-01-05 11:17 - 00021817 _____ C:\Documents and Settings\Wraithchilde\Desktop\attach.txt
2014-01-02 19:57 - 2014-01-05 11:17 - 00016066 _____ C:\Documents and Settings\Wraithchilde\Desktop\dds.txt
2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\DEFAULT.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SYSTEM.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SOFTWARE.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
2014-01-02 18:11 - 2011-06-26 00:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2014-01-02 18:11 - 2010-11-07 11:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2014-01-02 18:11 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00098816 _____ C:\WINDOWS\sed.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00080412 _____ C:\WINDOWS\grep.exe
2014-01-02 18:11 - 2000-08-30 18:00 - 00068096 _____ C:\WINDOWS\zip.exe
2014-01-02 18:09 - 2014-01-02 18:33 - 00000000 ____D C:\Qoobox
2014-01-02 18:08 - 2014-01-02 18:30 - 00000000 ____D C:\WINDOWS\erdnt
2014-01-02 12:44 - 2014-01-02 12:44 - 00028672 _____ C:\WINDOWS\system32\gwbxgwx.ner
2014-01-02 12:34 - 2014-01-05 12:10 - 00000081 _____ C:\WINDOWS\system32\wbwd.vmy
2014-01-02 12:31 - 2014-01-02 12:44 - 00000102 _____ C:\WINDOWS\system32\ryer.xah
2014-01-02 12:31 - 2014-01-02 12:31 - 00000064 _____ C:\WINDOWS\system32\pecdt.jfe
2014-01-01 15:22 - 2014-01-02 06:45 - 00065536 _____ C:\WINDOWS\system32\config\Cobian B.evt
2013-12-28 15:11 - 2013-12-28 15:11 - 00101213 ____S C:\WINDOWS\system32\pydray.bma
2013-12-28 07:36 - 2013-12-28 07:36 - 00000853 ____N C:\Documents and Settings\All Users\Desktop\Firestorm-Beta.lnk

==================== One Month Modified Files and Folders =======

2014-01-05 13:12 - 2014-01-05 13:01 - 00013595 _____ C:\Documents and Settings\Wraithchilde\Desktop\FRST.txt
2014-01-05 13:12 - 2013-05-10 14:01 - 00007252 _____ C:\WINDOWS\system32\nvAppTimestamps
2014-01-05 13:12 - 2010-03-01 08:19 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2014-01-05 13:07 - 2014-01-05 13:05 - 00023462 _____ C:\Documents and Settings\Wraithchilde\Desktop\Addition.txt
2014-01-05 12:59 - 2014-01-05 12:59 - 00000000 ____D C:\FRST
2014-01-05 12:58 - 2014-01-05 12:58 - 01064761 _____ (Farbar) C:\Documents and Settings\Wraithchilde\Desktop\FRST.exe
2014-01-05 12:57 - 2012-01-30 12:56 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Local Settings\Application Data\Firestorm
2014-01-05 12:50 - 2012-03-29 04:20 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-01-05 12:42 - 2013-07-11 09:46 - 01098252 _____ C:\WINDOWS\system32\nvdrsdb0.bin
2014-01-05 12:42 - 2013-07-11 09:46 - 00000001 _____ C:\WINDOWS\system32\nvdrssel.bin
2014-01-05 12:10 - 2014-01-02 12:34 - 00000081 _____ C:\WINDOWS\system32\wbwd.vmy
2014-01-05 11:17 - 2014-01-02 19:57 - 00021817 _____ C:\Documents and Settings\Wraithchilde\Desktop\attach.txt
2014-01-05 11:17 - 2014-01-02 19:57 - 00016066 _____ C:\Documents and Settings\Wraithchilde\Desktop\dds.txt
2014-01-05 11:09 - 2014-01-04 06:10 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
2014-01-05 11:09 - 2013-08-26 17:29 - 00001611 _____ C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
2014-01-05 11:07 - 2011-01-29 12:24 - 00000424 ____H C:\WINDOWS\Tasks\MP Scheduled Scan.job
2014-01-05 11:07 - 2011-01-12 14:39 - 00000506 _____ C:\Documents and Settings\Wraithchilde\Desktop\Misc Notes.txt
2014-01-05 11:05 - 2005-08-16 03:38 - 00000000 ____D C:\WINDOWS\Registration
2014-01-05 11:03 - 2005-08-16 03:40 - 01259446 _____ C:\WINDOWS\WindowsUpdate.log
2014-01-05 11:01 - 2005-08-16 03:35 - 00000159 _____ C:\WINDOWS\wiadebug.log
2014-01-05 11:01 - 2005-08-16 03:35 - 00000048 _____ C:\WINDOWS\wiaservc.log
2014-01-05 11:00 - 2005-08-16 03:49 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2014-01-05 10:58 - 2014-01-05 10:55 - 00012270 _____ C:\WINDOWS\KB2888505-IE8.log
2014-01-05 10:58 - 2007-06-02 11:31 - 00000178 ___SH C:\Documents and Settings\Wraithchilde\ntuser.ini
2014-01-05 10:58 - 2005-08-16 03:49 - 00032422 _____ C:\WINDOWS\SchedLgU.Txt
2014-01-05 10:58 - 2005-08-16 03:33 - 01408683 _____ C:\WINDOWS\iis6.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00563217 _____ C:\WINDOWS\tsoc.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00410176 _____ C:\WINDOWS\comsetup.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00249840 _____ C:\WINDOWS\ntdtcsetup.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00179312 _____ C:\WINDOWS\MedCtrOC.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00070146 _____ C:\WINDOWS\ehOCGen.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00067313 _____ C:\WINDOWS\ocmsn.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00060540 _____ C:\WINDOWS\tabletoc.log
2014-01-05 10:58 - 2005-08-16 03:33 - 00001355 _____ C:\WINDOWS\imsins.log
2014-01-05 10:57 - 2005-08-16 20:04 - 00244755 _____ C:\WINDOWS\updspapi.log
2014-01-05 10:57 - 2005-08-16 03:33 - 01220207 _____ C:\WINDOWS\FaxSetup.log
2014-01-05 10:57 - 2005-08-16 03:33 - 00606827 _____ C:\WINDOWS\ocgen.log
2014-01-05 10:57 - 2005-08-16 03:33 - 00385812 _____ C:\WINDOWS\msmqinst.log
2014-01-05 10:57 - 2005-08-16 03:33 - 00225716 _____ C:\WINDOWS\netfxocm.log
2014-01-05 10:57 - 2005-08-16 03:33 - 00144724 _____ C:\WINDOWS\plusoc.log
2014-01-05 10:57 - 2005-08-16 03:33 - 00061129 _____ C:\WINDOWS\msgsocm.log
2014-01-05 10:56 - 2010-04-15 15:16 - 00000000 ____D C:\WINDOWS\ie8updates
2014-01-05 10:49 - 2014-01-05 10:49 - 00003038 _____ C:\Documents and Settings\Wraithchilde\Desktop\fix_svchost.bat
2014-01-05 10:26 - 2013-07-11 09:46 - 01098252 _____ C:\WINDOWS\system32\nvdrsdb1.bin
2014-01-05 08:20 - 2014-01-05 08:20 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Local Settings\Application Data\Sun
2014-01-05 08:10 - 2014-01-05 08:10 - 00000000 ____D C:\Program Files\Common Files\Java
2014-01-05 08:09 - 2014-01-05 08:10 - 00264616 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-01-05 08:09 - 2014-01-05 08:10 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-01-05 08:09 - 2014-01-05 08:09 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-01-05 08:09 - 2014-01-05 08:09 - 00174504 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-01-05 08:09 - 2014-01-05 08:09 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-01-05 08:09 - 2014-01-05 08:09 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-01-05 08:08 - 2007-05-16 07:33 - 00000000 ____D C:\Program Files\Java
2014-01-05 08:00 - 2013-08-26 17:27 - 00000000 ____D C:\Program Files\McAfee
2014-01-05 08:00 - 2013-08-26 17:20 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\McAfee
2014-01-05 06:36 - 2010-05-01 13:57 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Adobe
2014-01-05 06:36 - 2007-05-16 07:45 - 00000000 ____D C:\Program Files\Common Files\Adobe
2014-01-05 06:36 - 2007-05-16 07:45 - 00000000 ____D C:\Program Files\Adobe
2014-01-04 06:47 - 2009-04-11 06:23 - 00000000 ____D C:\Documents and Settings\Wraithchilde\My Documents\Second Life
2014-01-04 06:19 - 2007-05-16 07:21 - 00000209 ___SH C:\boot.ini
2014-01-04 06:19 - 2005-08-16 03:18 - 00000602 _____ C:\WINDOWS\win.ini
2014-01-04 06:19 - 2005-08-16 03:18 - 00000227 _____ C:\WINDOWS\system.ini
2014-01-04 05:53 - 2009-08-20 12:16 - 00000000 ____D C:\WINDOWS\pss
2014-01-03 16:14 - 2007-06-07 19:43 - 00000000 ____D C:\Documents and Settings\Wraithchilde\My Documents\Misc
2014-01-03 11:55 - 2012-01-22 04:18 - 00284373 _____ C:\WINDOWS\setupapi.log
2014-01-03 07:45 - 2005-08-16 03:22 - 00000000 ____D C:\WINDOWS\Resources
2014-01-03 06:08 - 2014-01-03 06:08 - 00000650 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\Malwarebytes
2014-01-03 06:08 - 2014-01-03 06:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-01-03 01:07 - 2005-08-16 03:49 - 00000000 __SHD C:\Documents and Settings\NetworkService
2014-01-02 20:15 - 2014-01-02 20:15 - 00000000 ____D C:\Program Files\ESET
2014-01-02 19:03 - 2014-01-02 18:33 - 00020425 _____ C:\ComboFix1.txt
2014-01-02 18:33 - 2014-01-02 18:09 - 00000000 ____D C:\Qoobox
2014-01-02 18:30 - 2014-01-02 18:08 - 00000000 ____D C:\WINDOWS\erdnt
2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00008192 ____H C:\WINDOWS\system32\config\DEFAULT.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SYSTEM.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SOFTWARE.tmp.LOG
2014-01-02 18:21 - 2014-01-02 18:21 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
2014-01-02 18:21 - 2013-06-07 09:08 - 41943040 _____ C:\WINDOWS\system32\config\SOFTWARE.bak
2014-01-02 18:21 - 2007-05-16 14:19 - 14417920 _____ C:\WINDOWS\system32\config\SYSTEM.bak
2014-01-02 18:21 - 2005-08-15 22:27 - 01048576 _____ C:\WINDOWS\system32\config\DEFAULT.bak
2014-01-02 18:21 - 2005-08-15 22:27 - 00262144 _____ C:\WINDOWS\system32\config\SECURITY.bak
2014-01-02 18:21 - 2005-08-15 22:27 - 00262144 _____ C:\WINDOWS\system32\config\SAM.bak
2014-01-02 18:19 - 2007-06-02 11:31 - 00000000 ____D C:\Documents and Settings\Wraithchilde
2014-01-02 18:01 - 2010-08-07 22:06 - 00011958 _____ C:\Documents and Settings\Wraithchilde\My Documents\hijackthis.log
2014-01-02 17:12 - 2005-08-16 03:18 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl
2014-01-02 15:00 - 2009-11-19 21:37 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\vlc
2014-01-02 12:44 - 2014-01-02 12:44 - 00028672 _____ C:\WINDOWS\system32\gwbxgwx.ner
2014-01-02 12:44 - 2014-01-02 12:31 - 00000102 _____ C:\WINDOWS\system32\ryer.xah
2014-01-02 12:31 - 2014-01-02 12:31 - 00000064 _____ C:\WINDOWS\system32\pecdt.jfe
2014-01-02 06:45 - 2014-01-01 15:22 - 00065536 _____ C:\WINDOWS\system32\config\Cobian B.evt
2014-01-01 07:12 - 2005-08-16 03:22 - 00000000 ____D C:\WINDOWS\repair
2013-12-30 11:26 - 2007-06-03 04:00 - 00000000 ____D C:\Documents and Settings\Wraithchilde\Application Data\Adobe
2013-12-28 15:11 - 2013-12-28 15:11 - 00101213 ____S C:\WINDOWS\system32\pydray.bma
2013-12-28 07:36 - 2013-12-28 07:36 - 00000853 ____N C:\Documents and Settings\All Users\Desktop\Firestorm-Beta.lnk
2013-12-27 15:48 - 2013-08-26 17:20 - 00000000 ____D C:\Program Files\Common Files\McAfee
2013-12-23 12:26 - 2008-03-16 17:34 - 00000000 __SHD C:\WINDOWS\CSC
2013-12-20 06:42 - 2007-07-17 14:38 - 00000230 _____ C:\WINDOWS\CTWave32.ini
2013-12-20 06:37 - 2007-07-17 14:20 - 00000072 _____ C:\WINDOWS\sbwin.ini
2013-12-18 18:22 - 2005-08-16 03:33 - 00574102 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-12-13 13:30 - 2007-06-03 07:21 - 00000000 ____D C:\Documents and Settings\Wraithchilde\My Documents\Projects

Files to move or delete:
====================
C:\Documents and Settings\Wraithchilde\random.dat

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll [2005-08-16 03:18] - [2009-02-09 06:10] - 0401408 ____A (Microsoft Corporation) 53685605a29b5ad32463b903ed7bb136
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Addition.txt

Farbar Recovery Scan Tool (x86) Version: 04-01-2014
Ran by Wraithchilde at 2014-01-05 13:14:25
Running from C:\Documents and Settings\Wraithchilde\Desktop
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\WINDOWS\system32\rpcss.dll [2005-08-16 03:18] - [2009-02-09 06:10] - 0401408 ____A (Microsoft Corporation) 53685605a29b5ad32463b903ed7bb136
C:\WINDOWS\system32\dllcache\rpcss.dll [2005-08-16 03:18] - [2009-02-09 06:10] - 0401408 ____A (Microsoft Corporation) a58eae6c65b8a66e6cd49ed1308050bf
C:\WINDOWS\ServicePackFiles\i386\rpcss.dll [2009-05-01 21:55] - [2008-04-13 18:12] - 0399360 ____N (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509
C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll [2009-05-02 02:01] - [2008-04-13 18:12] - 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509
C:\WINDOWS\$NtUninstallKB902400$\rpcss.dll [2007-06-04 02:01] - [2005-04-28 13:31] - 0395776 ____C (Microsoft Corporation) c8061f289e000703e7672916b7fe1571
C:\WINDOWS\$NtUninstallKB894391$\rpcss.dll [2007-06-04 02:00] - [2004-08-10 04:00] - 0395776 ____C (Microsoft Corporation) 5c83a4408604f737717ab96371201680
C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll [2009-05-01
21:59] - [2005-07-25 22:39] - 0397824 ____C (Microsoft Corporation) ce94a2bd25e3e9f4d46a7373ff455c6d C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll [2009-05-02 00:31] - [2009-02-09 04:56] - 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2 C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\rpcss.dll [2005-07-25 22:20] - [2005-07-25 22:20] - 0398336 ____A (Microsoft Corporation) c369df215d352b6f3a0b8c3469aa34f8 C:\WINDOWS\$hf_mig$\KB894391\SP2QFE\rpcss.dll [2005-04-28 13:35] - [2005-04-28 13:35] - 0396288 ____A (Microsoft Corporation) da383fb39a6f1c445f3afc94b3eb1248 C:\i386\rpcss.dll [2007-06-04 14:51] - [2005-07-25 22:39] - 0397824 ____A (Microsoft Corporation) ce94a2bd25e3e9f4d46a7373ff455c6d === End Of Search ===
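The FRST search above lists every copy of rpcss.dll on the machine with its MD5. Two of the copies are worth a second look: the live file in system32 and the Windows File Protection reference copy in system32\dllcache carry the same size and the same created/modified timestamps but different hashes, and the "Bamital & volsnap Check" section printed a hash for rpcss.dll instead of "MD5 is legit". The script below is an added example for this thread (not part of FRST, and not the poster's code) that parses lines in FRST's search format and flags exactly that pattern: copies of one file with identical size and modification time whose contents differ. It is run on the four rpcss.dll lines copied from the log; the QFE build under $hf_mig$ has a different modification time and is correctly left alone. A flagged pair is a reason to compare the live file against a known-good copy from installation media or a clean machine, not proof of infection on its own.

```python
"""Flag copies of the same system file whose size and modification time match
but whose MD5 differs, from FRST "Search:" output.

Added example for this thread; not part of FRST and not the poster's code.
Assumes FRST's search line layout:
  <path> [created] - [modified] - <size> <attrs> (<company>) <md5>
On Windows XP, system32\\dllcache holds the Windows File Protection reference
copy, so the live system32 copy is expected to hash identically to it.
"""
import re
from collections import defaultdict
from itertools import combinations

LINE_RE = re.compile(
    r"^(?P<path>.+?) \[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9a-fA-F]{32})\s*$"
)

# Sample input: four rpcss.dll lines copied from the FRST search output posted
# in this thread (the remaining uninstall-folder copies are omitted).
SAMPLE_SEARCH = r"""
C:\WINDOWS\system32\rpcss.dll [2005-08-16 03:18] - [2009-02-09 06:10] - 0401408 ____A (Microsoft Corporation) 53685605a29b5ad32463b903ed7bb136
C:\WINDOWS\system32\dllcache\rpcss.dll [2005-08-16 03:18] - [2009-02-09 06:10] - 0401408 ____A (Microsoft Corporation) a58eae6c65b8a66e6cd49ed1308050bf
C:\WINDOWS\ServicePackFiles\i386\rpcss.dll [2009-05-01 21:55] - [2008-04-13 18:12] - 0399360 ____N (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll [2009-05-02 00:31] - [2009-02-09 04:56] - 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2
"""


def parse_search(text):
    """Return one dict per FRST search line; lines that do not match are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].lower()
        rec["name"] = rec["path"].rsplit("\\", 1)[-1].lower()
        records.append(rec)
    return records


def find_hash_conflicts(records):
    """Pairs of copies of the same file name with identical size and modification
    time but different MD5. Same metadata with different bytes is what an
    in-place patch of a binary looks like; a copy with a different modification
    time (e.g. the QFE branch of the same fix) is a different build and is not flagged."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["name"]].append(rec)
    conflicts = []
    for recs in by_name.values():
        for a, b in combinations(recs, 2):
            same_meta = (a["size"], a["modified"]) == (b["size"], b["modified"])
            if same_meta and a["md5"] != b["md5"]:
                conflicts.append((a["path"], b["path"]))
    return conflicts


def live_vs_dllcache(records):
    """Compare each live system32 file with its dllcache (WFP) copy.
    Returns {name: "match" | "MISMATCH" | "no dllcache copy"}."""
    copies = defaultdict(dict)
    for rec in records:
        parent = rec["path"].rsplit("\\", 1)[0].lower()
        if parent.endswith("\\system32"):
            copies[rec["name"]]["live"] = rec
        elif parent.endswith("\\system32\\dllcache"):
            copies[rec["name"]]["cache"] = rec
    verdicts = {}
    for name, c in copies.items():
        if "live" not in c:
            continue
        if "cache" not in c:
            verdicts[name] = "no dllcache copy"
        elif c["live"]["md5"] == c["cache"]["md5"]:
            verdicts[name] = "match"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts


if __name__ == "__main__":
    recs = parse_search(SAMPLE_SEARCH)
    for a, b in find_hash_conflicts(recs):
        print("same size and mtime, different MD5:\n  %s\n  %s" % (a, b))
    for name, verdict in live_vs_dllcache(recs).items():
        print("%s: live vs dllcache -> %s" % (name, verdict))
```

To run it against a full log, paste the whole "Search:" section into a file and pass its contents to parse_search; any file name that FRST searched for is grouped and compared the same way.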
  7. I can usually remove problems with a combination of tools but this one has me stumped. I think I should ask for some assistance.

On Jan 2, I got the message "DCOM Server Process Launcher Service terminated unexpectedly" and the PC rebooted. Since then I have set the action to restart the service instead of reboot so I could complete scans, etc. PC performance is very slow now. Takes forever to reboot.

I have done full scans with McAfee, Microsoft Security Essentials, ESET online scanner, Spybot S&D: all came up clean. I did a full scan with Malwarebytes: it deleted some registry entries that I believe were old. Since then the scans are clean.

I keep getting a blocked website message, outgoing, 66.45.56.109, even when no programs are running.

DDS logs. The Attach.txt was kind of big so I attached it.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.45.2
Run by Wraithchilde at 11:14:49 on 2014-01-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.2671 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\ehome\ehtray.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Cobian Backup 10\cbVSCService.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\Program Files\Cobian Backup 10\Cobian.exe C:\Program Files\Microsoft Security Client\msseces.exe C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe E:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\Java\jre7\bin\jqs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Cobian Backup 10\cbInterface.exe E:\Program Files\MalwarebytesAnti-Malware\mbamscheduler.exe E:\Program Files\MalwarebytesAnti-Malware\mbamservice.exe c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe E:\Program Files\MalwarebytesAnti-Malware\mbamgui.exe C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe C:\WINDOWS\system32\mfevtps.exe C:\Program Files\Autodesk\3ds Max Design 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\wdfmgr.exe C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe C:\Program Files\McAfee\MSC\McAPExe.exe C:\WINDOWS\ehome\mcrdsvc.exe C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dllhost.exe 
C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\svchost.exe -k DcomLaunch C:\WINDOWS\system32\svchost.exe -k rpcss C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k NetworkService C:\WINDOWS\system32\svchost.exe -k LocalService C:\WINDOWS\system32\svchost.exe -k LocalService C:\WINDOWS\system32\svchost.exe -k LocalService C:\WINDOWS\system32\svchost.exe -k imgsvc . ============== Pseudo HJT Report =============== . uStart Page = about:blank uProxyOverride = <local>;*.local BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\bae\BAE.dll BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background mRun: [ehTray] c:\windows\ehome\ehtray.exe mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll" mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [Cobian Backup 10] "c:\program files\cobian backup 10\Cobian.exe" mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" 
-hide -runkey mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1 mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet mRun: [mcpltui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe" mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe" mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r mRun: [updReg] c:\windows\UpdReg.EXE mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE" mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe uPolicies-Explorer: NoDriveAutoRun = dword:67108863 uPolicies-Explorer: NoDriveTypeAutoRun = dword:323 uPolicies-Explorer: NoDrives = dword:0 mPolicies-Explorer: NoDriveAutoRun = dword:67108863 mPolicies-Explorer: NoDriveTypeAutoRun = dword:323 mPolicies-Explorer: NoDrives = dword:0 mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1 mPolicies-Explorer: NoDriveAutoRun = dword:67108863 mPolicies-Explorer: NoDriveTypeAutoRun = dword:323 IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - 
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe Trusted Zone: soe.com Trusted Zone: sony.com TCP: NameServer = 24.196.64.53 68.113.206.10 24.178.162.3 TCP: Interfaces\{57B888B6-65B4-428C-A4E9-B64B0F66E308} : DHCPNameServer = 24.196.64.53 68.113.206.10 24.178.162.3 Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll Notify: igfxcui - igfxdev.dll LSA: Security Packages = kerberos msv1_0 schannel wdigest wsauth . ============= SERVICES / DRIVERS =============== . R?2 mcbootdelaystartsvc;McAfee Boot Delay Start Service;c:\program files\common files\mcafee\platform\mcsvchost\McSvHost.exe [2013-8-26 281560] R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-1-21 239168] R1 mfetdi2k;McAfee Inc. 
mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2013-4-3 91736] R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264] R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-1-28 67584] R2 HomeNetSvc;McAfee Home Network;c:\program files\common files\mcafee\platform\mcsvchost\McSvHost.exe [2013-8-26 281560] R2 MBAMScheduler;MBAMScheduler;e:\program files\malwarebytesanti-malware\mbamscheduler.exe [2014-1-3 418376] R2 MBAMService;MBAMService;e:\program files\malwarebytesanti-malware\mbamservice.exe [2014-1-3 701512] R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2013-8-26 103112] R2 McAPExe;McAfee AP Service;c:\program files\mcafee\msc\McAPExe.exe [2013-8-26 145088] R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\platform\mcsvchost\McSvHost.exe [2013-8-26 281560] R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\platform\mcsvchost\McSvHost.exe [2013-8-26 281560] R2 mcpltsvc;McAfee Platform Services;c:\program files\common files\mcafee\platform\mcsvchost\McSvHost.exe [2013-8-26 281560] R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\platform\mcsvchost\McSvHost.exe [2013-8-26 281560] R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328] R2 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2013-4-3 236000] R2 mfecore;McAfee Anti-Malware Core;c:\program files\common files\mcafee\amcore\mcshield.exe [2013-8-26 643608] R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2013-8-26 169320] R2 mfehidk;McAfee Inc. 
mfehidk;c:\windows\system32\drivers\mfehidk.sys [2012-12-26 572528] R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2013-8-26 172416] R2 mi-raysat_3dsmax2011_32;mental ray 3.8 Satellite for Autodesk 3ds Max Design 2011 32-bit 32-bit;c:\program files\autodesk\3ds max design 2011\mentalimages\satellite\raysat_3dsmax2011_32server.exe [2010-3-10 86016] R2 wsnm;VMware View Client;c:\program files\vmware\vmware view\client\bin\wsnm.exe [2011-9-7 494192] R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2013-4-3 60920] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-1-3 22856] R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2013-4-3 365416] R3 mfencbdc;McAfee Inc. mfencbdc;c:\windows\system32\drivers\mfencbdc.sys [2013-2-18 319808] R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2013-8-26 85064] R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2008-11-22 23064] R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-1-27 1374464] R3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\drivers\vmwvusb.sys [2012-6-25 40048] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 DAZContentManagementService;DAZ Content Management Service;e:\program files\daz 3d\content management service\ContentManagementServer.exe [2012-3-10 18432] S2 vmhnavixan;vmhnavixan;\??\c:\windows\system32\drivers\mmdzrgupcuxacl.sys --> c:\windows\system32\drivers\mmdzrgupcuxacl.sys [?] S2 wsnm_usbctrl;VMware View USB Control;c:\program files\vmware\vmware view\client\bin\wsnm_usbctrl.exe [2011-9-7 797296] S3 apf003;apf003;c:\windows\system32\apf003.sys [2013-4-9 13232] S3 HipShieldK;McAfee Inc. 
HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-11-19 147912] S3 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-8-23 13672] S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2013-4-3 65928] S3 mfencrk;McAfee Inc. mfencrk;c:\windows\system32\drivers\mfencrk.sys [2013-2-18 80752] S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2013-8-26 85064] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504] S3 XDva398;XDva398;\??\c:\windows\system32\xdva398.sys --> c:\windows\system32\XDva398.sys [?] . =============== File Associations =============== . ShellExec: DAZStudio.exe: open="e:\program files\daz 3d\DAZStudio4/DAZStudio.exe" "%1" . =============== Created Last 30 ================ . 2014-01-05 14:20:54 -------- d-----w- c:\documents and settings\wraithchilde\local settings\application data\Sun 2014-01-05 14:10:06 145408 ----a-w- c:\windows\system32\javacpl.cpl 2014-01-05 14:09:48 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll 2014-01-05 12:10:21 7760024 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{65de4406-9ff0-4c7b-8dac-eabd97619033}\mpengine.dll 2014-01-03 12:08:41 -------- d-----w- c:\documents and settings\wraithchilde\application data\Malwarebytes 2014-01-03 12:08:27 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes 2014-01-03 12:08:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys 2014-01-03 02:15:41 -------- d-----w- c:\program files\ESET 2014-01-03 00:11:18 98816 ----a-w- c:\windows\sed.exe 2014-01-03 00:11:18 256000 ----a-w- c:\windows\PEV.exe 2014-01-03 00:11:18 208896 ----a-w- c:\windows\MBR.exe . ==================== Find3M ==================== . 
2014-01-05 16:26:12 1098252 ----a-w- c:\windows\system32\nvdrsdb1.bin 2014-01-05 16:26:12 1 ----a-w- c:\windows\system32\nvdrssel.bin 2014-01-05 14:35:25 1098252 ----a-w- c:\windows\system32\nvdrsdb0.bin 2013-11-27 04:06:42 10152 ----a-w- c:\windows\system32\drivers\mfeclnrk.sys 2013-11-27 04:06:22 80752 ----a-w- c:\windows\system32\drivers\mfencrk.sys 2013-11-27 04:06:00 319808 ----a-w- c:\windows\system32\drivers\mfencbdc.sys 2013-11-19 10:21:30 230048 ------w- c:\windows\system32\MpSigStub.exe 2013-11-04 23:22:36 60920 ----a-w- c:\windows\system32\drivers\cfwids.sys 2013-11-04 23:16:54 172416 ----a-w- c:\windows\system32\mfevtps.exe 2013-11-04 23:16:14 91736 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys 2013-11-04 23:12:26 572528 ----a-w- c:\windows\system32\drivers\mfehidk.sys 2013-11-04 23:11:04 85064 ----a-w- c:\windows\system32\drivers\mfendisk.sys 2013-11-04 23:10:42 365416 ----a-w- c:\windows\system32\drivers\mfefirek.sys 2013-11-04 23:10:02 65928 ----a-w- c:\windows\system32\drivers\mfebopk.sys 2013-11-04 23:09:20 236000 ----a-w- c:\windows\system32\drivers\mfeavfk.sys 2013-11-04 23:08:22 133992 ----a-w- c:\windows\system32\drivers\mfeapfk.sys 2013-10-13 07:25:38 920064 ----a-w- c:\windows\system32\wininet.dll 2013-10-13 07:25:08 43520 ----a-w- c:\windows\system32\licmgr10.dll 2013-10-13 07:25:02 1469440 ----a-w- c:\windows\system32\inetcpl.cpl 2013-10-13 07:24:17 18944 ----a-w- c:\windows\system32\corpol.dll 2013-10-13 06:57:59 385024 ----a-w- c:\windows\system32\html.iec . ============= FINISH: 11:17:23.07 =============== attach.txt
  8. This message comes in a balloon showing the IP address. There is no other info and these events are not logged. Is it possible to show or log these events including what process (or whatever) attempted this connection? I believe this may be helpful in finding undetected malware. I'm getting quite a few of these messages when no programs are running (only background processes are running) so I have to suspect there is an issue that wasn't found.
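The question in post 8 is which process is behind the outbound attempts to 66.45.56.109 when the balloon gives only the address. Two commands that ship with Windows XP answer it without any extra tooling: netstat -ano lists every socket together with the PID that owns it (netstat -ano 2 repeats the listing every two seconds, which matters because a blocked SYN is gone within moments), and tasklist /svc maps a PID to its image name and, for an svchost.exe instance, to the services hosted inside it. The script below is an added example, not from the thread or from any tool mentioned in it; it joins those two outputs and reports the owner of every connection to a given remote IP. The two sample outputs embedded in it are constructed for the demonstration and do not come from the poster's machine; run with three arguments it reads saved copies of the real command output instead.

```python
"""Map outbound connections to a remote IP back to the owning PID, image name and
hosted services, from the output of `netstat -ano` and `tasklist /svc`.

Added example for this thread, not part of any tool mentioned in it.
Usage on saved output (both commands run on the affected machine):
    netstat -ano 2 > netstat.txt      (Ctrl-C after a few balloons)
    tasklist /svc > tasklist.txt
    python find_owner.py 66.45.56.109 netstat.txt tasklist.txt
Without arguments it runs on the constructed samples below.
"""
import re
import sys

# Constructed sample output, not captured from the poster's machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1043      66.45.56.109:80        SYN_SENT        1764
  TCP    192.168.1.10:1044      64.4.11.42:443         ESTABLISHED     2380
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1764
  UDP    0.0.0.0:445            *:*                                    4
"""

SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1764 Browser, CryptSvc, Dhcp
mcsacore.exe                  2380 McAfee SiteAdvisor Service
"""

# proto, local, foreign, optional state (UDP rows have none), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# image name, pid, comma-separated services or N/A; header/separator rows have no PID
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+(.+?)\s*$")


def parse_netstat(text):
    """One dict per socket row; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        rhost, _, rport = foreign.rpartition(":")
        conns.append({"proto": proto, "local": local, "remote": rhost,
                      "rport": rport, "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """{pid: {"image": name, "services": [..]}}; services is empty for N/A."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if not m:
            continue
        image, pid, services = m.groups()
        svc = [] if services.strip() == "N/A" else [s.strip() for s in services.split(",")]
        procs[int(pid)] = {"image": image.strip(), "services": svc}
    return procs


def owners_of(remote_ip, netstat_text, tasklist_text):
    """Every socket whose remote host is remote_ip, joined with its owning process.
    A PID missing from tasklist (process already exited) is reported as such
    rather than dropped, since short-lived processes are exactly the interesting ones."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        if c["remote"] != remote_ip:
            continue
        p = procs.get(c["pid"], {"image": "<pid not in tasklist>", "services": []})
        hits.append(dict(c, image=p["image"], services=p["services"]))
    return hits


if __name__ == "__main__":
    if len(sys.argv) == 4:
        ip = sys.argv[1]
        with open(sys.argv[2]) as f:
            ns = f.read()
        with open(sys.argv[3]) as f:
            tl = f.read()
    else:
        ip, ns, tl = "66.45.56.109", SAMPLE_NETSTAT, SAMPLE_TASKLIST
    for h in owners_of(ip, ns, tl):
        print("%s %s -> %s:%s %s  pid=%d %s  services=%s" % (
            h["proto"], h["local"], h["remote"], h["rport"], h["state"],
            h["pid"], h["image"], ", ".join(h["services"]) or "-"))
```

When the owner turns out to be svchost.exe, the services column is what narrows it down: the connection belongs to one of the services hosted in that instance, or to code loaded into it, so the next step is to look at that instance's loaded modules rather than at svchost.exe itself. On XP SP2 and later, netstat -b prints the executable and the DLLs that created each connection directly, at the cost of being much slower, which makes it a poor fit for catching a transient SYN but a good second pass once the PID is known.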