
Is it still infected?



Hello! Google Chrome is infected with the "Gala find" malware.

My attempts: used Malwarebytes Anti-Malware, Avast, SUPERAntiSpyware and Spybot Search & Destroy. Unfortunately I did not save the logs, but I do remember there was no detection of Gala find.

Gala find continues to redirect links and websites.

Next action: opened c:\windows\system32\drivers\etc\hosts

and deleted anything below the localhost line 127.0.0.1 (highlight the text and hit 'delete').

Used ComboFix in safe mode.

Gala find is not appearing. I wonder if it is still infected?

Thanks!

Update: It is still infected. A redirect to Gala did happen.

attach.txt

dds.txt

hijackthis.log

ComboFix.txt


mbam-log-2012-11-08 (20-45-40).txt

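The hosts-file cleanup described in the post above, done by hand, can be checked mechanically. The script below is an added example, not the poster's or any tool's own code: it parses a Windows hosts file and flags every active mapping that points a name somewhere other than loopback, or pins a non-default name to loopback, which is what a redirect hijack or an update-blocking entry looks like. The sample hosts content and the 203.0.113.7 address are constructed for the example.

```python
"""Audit a Windows hosts file for entries that could hijack name resolution.

Added example (not from the forum post). A clean Windows 7 hosts file has at
most `127.0.0.1 localhost` / `::1 localhost` as active lines, so anything else
deserves a look. SAMPLE_HOSTS below is constructed for this example.
"""
import ipaddress

# Names a clean hosts file is expected to map to loopback.
DEFAULT_NAMES = {"localhost"}


def parse_hosts(text):
    """Return (lineno, ip, [names]) for every active (uncommented) mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: nothing resolvable on it
        entries.append((lineno, parts[0], [n.lower() for n in parts[1:]]))
    return entries


def suspicious_entries(text):
    """Return (lineno, ip, names, reason) for every mapping worth reviewing.

    Two cases are flagged: a name sent to a real (non-loopback, non-unspecified)
    address, which is how a hosts-based redirect works, and a non-default name
    pinned to loopback, which is how security vendor or update domains get
    silently blackholed.
    """
    flagged = []
    for lineno, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((lineno, ip, names, "unparseable address"))
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            flagged.append((lineno, ip, names, "non-loopback redirect"))
        elif not set(names) <= DEFAULT_NAMES:
            flagged.append((lineno, ip, names,
                            "non-default name pinned to loopback"))
    return flagged


# Constructed sample: the stock header, the default localhost line, then two
# lines of the kind a redirector adds (documentation-range IP, made up here).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
203.0.113.7  www.google.com google.com   # constructed redirect example
127.0.0.1 www.malwarebytes.org           # constructed blackhole example
"""


def audit_file(path):
    """Audit a real hosts file on disk (e.g. the path the poster edited)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for lineno, ip, names, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} -> {', '.join(names)} ({reason})")
```

Run `audit_file(r"C:\Windows\System32\drivers\etc\hosts")` on the machine itself; an empty result means only the default localhost mappings are active, which is the state the poster was trying to restore by hand.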

Edit: I should not have attached files since it's still infected. Here are the logs:

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.08.03

Windows 7 x64 NTFS

Internet Explorer 9.0.8112.16421

[administrator]

11/8/2012 8:45:40 PM

mbam-log-2012-11-08 (20-45-40).txt

Scan type: Full scan (C:\|D:\|E:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 353990

Time elapsed: 52 minute(s), 22 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

-------------------

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 8:30:15 PM, on 11/8/2012

Platform: Windows 7 (WinNT 6.00.3504)

MSIE: Internet Explorer v9.00 (9.00.8112.16450)

Boot mode: Normal

Running processes:

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: (no name) - {d8fb4583-db9d-4c7b-85be-294c13a3e5c4} - (no file)

O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\DAEMON Tools Lite\DTLite.exe" -autorun

O4 - HKCU\..\Run: [uTorrent] "D:\uTorrent.exe" /MINIMIZED

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O20 - AppInit_DLLs: C:\PROGRA~2\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: GoogleDesktopManager - Google - C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)

O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe

O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--

End of file - 8128 bytes

-----------------------

ComboFix 12-11-08.01 - 11/08/2012 19:22:42.3.2 - x64 NETWORK

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3067.2327 [GMT 8:00]

Running from: c:\users\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((( Files Created from 2012-10-08 to 2012-11-08 )))))))))))))))))))))))))))))))

.

.

2012-11-07 01:35 . 2012-10-12 07:19 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1DCFC2F7-8654-425D-826B-4FB4FAE54AB6}\mpengine.dll

2012-11-05 05:56 . 2012-11-05 05:56 -------- d-----w- c:\users\AppData\Local\VirtualStore

2012-11-04 22:38 . 2012-10-30 22:50 285328 ----a-w- c:\windows\system32\aswBoot.exe

2012-11-04 22:37 . 2012-11-04 22:37 -------- d-----w- c:\program files\AVAST Software

2012-11-03 15:45 . 2012-11-03 15:45 -------- d-----w- C:\TDSSKiller_Quarantine

2012-10-23 11:58 . 2012-10-23 11:58 -------- d-----w- c:\users\Tracing

2012-10-23 09:18 . 2012-11-03 16:24 -------- d-----w- c:\users\fourclover

2012-10-17 10:50 . 2012-10-23 13:26 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-10-17 10:50 . 2012-10-23 13:26 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-10-17 08:40 . 2012-10-17 08:41 -------- d-----w- c:\program files (x86)\Calibre2

2012-10-13 20:45 . 2012-08-27 23:40 4204272 ----a-w- c:\windows\SysWow64\GameMon.des

2012-10-13 20:43 . 2005-01-04 09:43 4682 ----a-w- c:\windows\SysWow64\npptNT2.sys

2012-10-13 20:43 . 2003-07-20 18:17 5174 ----a-w- c:\windows\SysWow64\nppt9x.vxd

2012-10-13 20:43 . 2012-10-13 20:43 -------- d-----w- c:\program files\Common Files\INCA Shared

2012-10-10 16:32 . 2012-08-24 18:05 220160 ----a-w- c:\windows\system32\wintrust.dll

2012-10-10 16:32 . 2012-08-24 17:10 172544 ----a-w- c:\windows\SysWow64\wintrust.dll

2012-10-10 16:32 . 2012-09-14 19:23 2048 ----a-w- c:\windows\system32\tzres.dll

2012-10-10 16:32 . 2012-09-14 18:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-10-10 16:32 . 2012-08-11 00:53 714752 ----a-w- c:\windows\system32\kerberos.dll

2012-10-10 16:32 . 2012-08-10 23:54 541184 ----a-w- c:\windows\SysWow64\kerberos.dll

2012-10-10 16:32 . 2012-06-02 05:25 182272 ----a-w- c:\windows\system32\cryptsvc.dll

2012-10-10 16:32 . 2012-06-02 05:25 1462784 ----a-w- c:\windows\system32\crypt32.dll

2012-10-10 16:32 . 2012-06-02 05:25 140288 ----a-w- c:\windows\system32\cryptnet.dll

2012-10-10 16:32 . 2012-06-02 04:45 1157632 ----a-w- c:\windows\SysWow64\crypt32.dll

2012-10-10 16:32 . 2012-06-02 04:45 139264 ----a-w- c:\windows\SysWow64\cryptsvc.dll

2012-10-10 16:32 . 2012-06-02 04:45 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-10-10 17:58 . 2010-10-09 07:01 65309168 ----a-w- c:\windows\system32\MRT.exe

2012-09-29 11:54 . 2010-09-22 18:13 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-08-24 11:15 . 2012-09-22 19:00 17810944 ----a-w- c:\windows\system32\mshtml.dll

2012-08-24 10:39 . 2012-09-22 19:00 10925568 ----a-w- c:\windows\system32\ieframe.dll

2012-08-24 10:31 . 2012-09-22 19:00 2312704 ----a-w- c:\windows\system32\jscript9.dll

2012-08-24 10:22 . 2012-09-22 19:00 1346048 ----a-w- c:\windows\system32\urlmon.dll

2012-08-24 10:21 . 2012-09-22 19:00 1392128 ----a-w- c:\windows\system32\wininet.dll

2012-08-24 10:20 . 2012-09-22 19:00 1494528 ----a-w- c:\windows\system32\inetcpl.cpl

2012-08-24 10:18 . 2012-09-22 19:00 237056 ----a-w- c:\windows\system32\url.dll

2012-08-24 10:17 . 2012-09-22 19:00 85504 ----a-w- c:\windows\system32\jsproxy.dll

2012-08-24 10:14 . 2012-09-22 19:00 173056 ----a-w- c:\windows\system32\ieUnatt.exe

2012-08-24 10:14 . 2012-09-22 19:00 816640 ----a-w- c:\windows\system32\jscript.dll

2012-08-24 10:13 . 2012-09-22 19:00 599040 ----a-w- c:\windows\system32\vbscript.dll

2012-08-24 10:12 . 2012-09-22 19:00 2144768 ----a-w- c:\windows\system32\iertutil.dll

2012-08-24 10:11 . 2012-09-22 19:00 729088 ----a-w- c:\windows\system32\msfeeds.dll

2012-08-24 10:10 . 2012-09-22 19:00 96768 ----a-w- c:\windows\system32\mshtmled.dll

2012-08-24 10:09 . 2012-09-22 19:00 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-08-24 10:04 . 2012-09-22 19:00 248320 ----a-w- c:\windows\system32\ieui.dll

2012-08-24 06:59 . 2012-09-22 19:00 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll

2012-08-24 06:51 . 2012-09-22 19:00 1129472 ----a-w- c:\windows\SysWow64\wininet.dll

2012-08-24 06:51 . 2012-09-22 19:00 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2012-08-24 06:47 . 2012-09-22 19:00 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2012-08-24 06:47 . 2012-09-22 19:00 420864 ----a-w- c:\windows\SysWow64\vbscript.dll

2012-08-24 06:43 . 2012-09-22 19:00 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2012-08-21 05:01 . 2012-10-09 08:39 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2012-08-21 05:01 . 2011-04-04 11:35 125872 ----a-w- c:\windows\system32\GEARAspi64.dll

2012-08-21 05:01 . 2011-04-04 11:35 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll

2012-08-18 11:19 . 2012-10-10 16:35 44032 ----a-w- c:\windows\apppatch\acwow64.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DAEMON Tools Lite"="d:\daemon tools lite\DTLite.exe" [2010-04-01 357696]

"uTorrent"="D:\uTorrent.exe" [2012-05-11 880496]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

"AppInit_DLLs"=c:\progra~2\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

.

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [x]

R3 1394hub;1394 Enabled Hub;c:\windows\System32\svchost.exe [2009-07-14 27136]

R3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-12-03 716872]

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-13 54824]

R3 GGSAFERDriver;GGSAFER Driver;d:\garena plus\Room\safedrv.sys [x]

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]

R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-22 1255736]

R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk60x64.sys [2008-02-21 393728]

S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-08-29 2369960]

S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-28 395264]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-01 14:41]

.

2012-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-01 14:41]

.

2012-11-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-653543735-296090576-2018118724-1001Core.job

- c:\users\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-21 15:58]

.

2012-11-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-653543735-296090576-2018118724-1001UA.job

- c:\users\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-21 15:58]

.

.

--------- X64 Entries -----------

.

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{d8fb4583-db9d-4c7b-85be-294c13a3e5c4} - (no file)

AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe

AddRemove-{26604C7E-A313-4D12-867F-7C6E7820BE4C} - c:\program files (x86)\InstallShield Installation Information\{26604C7E-A313-4D12-867F-7C6E7820BE4C}\setup.exe

AddRemove-{A77255C4-AFCB-44A3-BF0F-2091A71FFD9E} - c:\program files (x86)\InstallShield Installation Information\{A77255C4-AFCB-44A3-BF0F-2091A71FFD9E}\setup.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-653543735-296090576-2018118724-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:2d,f3,11,22,f6,e3,3a,0c,a3,97,b4,83,a7,00,3b,3a,5f,87,82,a5,e1,ef,07,

49,0b,43,d7,66,9b,25,6e,01,20,4a,f6,bb,2f,ea,f0,59,4c,fb,c4,cc,c9,d5,c5,a6,\

"??"=hex:fb,8e,33,19,1a,6f,15,23,28,fd,86,c1,b8,4d,d3,5d

.

[HKEY_USERS\S-1-5-21-653543735-296090576-2018118724-1001\Software\SecuROM\License information*]

"datasecu"=hex:ab,cf,b2,2f,26,ec,b7,07,43,50,45,5b,0c,0a,16,56,b2,f7,aa,d5,17,

ad,e8,84,70,d2,7c,cf,5d,44,5f,83,c9,3e,52,46,d4,2f,2e,54,30,c1,87,a0,fb,9d,\

"rkeysecu"=hex:f5,fd,47,34,3f,18,4d,5d,54,6c,de,45,09,47,9e,52

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-11-08 19:32:01

ComboFix-quarantined-files.txt 2012-11-08 11:32

ComboFix2.txt 2012-11-08 11:09

.

Pre-Run: 20,710,404,096 bytes free

Post-Run: 20,646,273,024 bytes free

.

- - End Of File - - 65A134CFE2BD95507F4A172254A42E66

--------------------------------------

DS (Ver_2012-11-07.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16450

Run by at 20:38:06 on 2012-11-08

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3067.1476 [GMT 8:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\wuauclt.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe

C:\Users\ee\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\ee\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com.sg/

mURLSearchHooks: {d8fb4583-db9d-4c7b-85be-294c13a3e5c4} - <orphaned>

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

uRun: [DAEMON Tools Lite] "D:\DAEMON Tools Lite\DTLite.exe" -autorun

uRun: [uTorrent] "D:\uTorrent.exe" /MINIMIZED

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDrives = dword:0

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

TCP: Interfaces\{A96D1D90-4422-43A0-BE93-FA2498BC4D5B} : DHCPNameServer = 192.168.1.254

TCP: Interfaces\{A96D1D90-4422-43A0-BE93-FA2498BC4D5B}\3594E4744554C4D223435393 : DHCPNameServer = 192.168.1.254

TCP: Interfaces\{A96D1D90-4422-43A0-BE93-FA2498BC4D5B}\3594E4744554C4D273936303 : DHCPNameServer = 192.168.1.254

TCP: Interfaces\{A96D1D90-4422-43A0-BE93-FA2498BC4D5B}\7796275643732393 : DHCPNameServer = 192.168.1.1 192.168.1.1

SSODL: WebCheck - <orphaned>

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-SSODL: WebCheck - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2012-8-29 2369960]

R3 ATSwpWDF;AuthenTec TruePrint USB WBF WDF Driver;C:\Windows\System32\drivers\ATSwpWDF.sys [2009-12-3 716872]

R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-11 5434368]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-9-28 395264]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 btusbflt;Bluetooth USB Filter;C:\Windows\System32\drivers\btusbflt.sys [2010-4-14 54824]

S3 npggsvc;nProtect GameGuard Service;C:\Windows\System32\GameMon.des -service --> C:\Windows\System32\GameMon.des -service [?]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]

S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-9-22 1255736]

S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk60x64.sys [2008-2-21 393728]

.

=============== Created Last 30 ================

.

2012-11-08 11:55:10 -------- d-sh--w- C:\$RECYCLE.BIN

2012-11-08 10:57:00 98816 ----a-w- C:\Windows\sed.exe

2012-11-08 10:57:00 256000 ----a-w- C:\Windows\PEV.exe

2012-11-08 10:57:00 208896 ----a-w- C:\Windows\MBR.exe

2012-11-07 14:32:41 -------- d-----w- C:\Users\AppData\Local\{68FC57F7-D664-46E4-9063-74986ED17604}

2012-11-07 01:35:47 9291768 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{1DCFC2F7-8654-425D-826B-4FB4FAE54AB6}\mpengine.dll

2012-11-06 08:37:08 -------- d-----w- C:\Users\AppData\Local\{8A7424D3-6A4D-4EE0-983D-D5BABBB38E5A}

2012-11-05 12:19:56 -------- d-----w- C:\Users\AppData\Local\{5824996B-1129-4C2F-BD17-771C73B5B612}

2012-11-05 05:56:18 -------- d-----w- C:\Users\AppData\Local\VirtualStore

2012-11-04 22:37:23 -------- d-----w- C:\Program Files\AVAST Software

2012-11-03 15:45:46 -------- d-----w- C:\TDSSKiller_Quarantine

2012-10-23 11:58:50 -------- d-----w- C:\Users\ee\Tracing

2012-10-23 09:18:28 -------- d-----w- C:\Users\ee\fourclover

2012-10-17 10:50:35 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-10-17 10:50:35 696760 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-10-17 08:40:55 -------- d-----w- C:\Program Files (x86)\Calibre2

2012-10-13 20:45:30 4204272 ----a-w- C:\Windows\SysWow64\GameMon.des

2012-10-13 20:43:59 5174 ----a-w- C:\Windows\SysWow64\nppt9x.vxd

2012-10-13 20:43:59 4682 ----a-w- C:\Windows\SysWow64\npptNT2.sys

2012-10-13 20:43:01 -------- d-----w- C:\Program Files\Common Files\INCA Shared

2012-10-10 16:32:44 220160 ----a-w- C:\Windows\System32\wintrust.dll

2012-10-10 16:32:44 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll

2012-10-10 16:32:41 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-10-10 16:32:41 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-10-10 16:32:36 714752 ----a-w- C:\Windows\System32\kerberos.dll

2012-10-10 16:32:36 541184 ----a-w- C:\Windows\SysWow64\kerberos.dll

2012-10-10 16:32:34 182272 ----a-w- C:\Windows\System32\cryptsvc.dll

2012-10-10 16:32:34 1462784 ----a-w- C:\Windows\System32\crypt32.dll

2012-10-10 16:32:34 140288 ----a-w- C:\Windows\System32\cryptnet.dll

2012-10-10 16:32:34 1157632 ----a-w- C:\Windows\SysWow64\crypt32.dll

2012-10-10 16:32:33 139264 ----a-w- C:\Windows\SysWow64\cryptsvc.dll

2012-10-10 16:32:33 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll

.

==================== Find3M ====================

.

2012-09-29 11:54:26 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-08-31 18:02:20 1656688 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2012-08-30 18:11:29 5505904 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-08-30 17:18:33 3958128 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2012-08-30 17:18:33 3902832 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2012-08-24 10:31:32 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-08-24 10:21:18 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-08-24 10:20:11 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-08-24 10:14:45 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-08-24 10:13:29 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-08-24 10:09:42 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-08-24 06:59:17 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-08-24 06:51:27 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-08-24 06:51:02 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-08-24 06:47:26 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-08-24 06:47:12 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-08-24 06:43:58 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-08-21 05:01:20 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys

2012-08-21 05:01:20 125872 ----a-w- C:\Windows\System32\GEARAspi64.dll

2012-08-21 05:01:20 106928 ----a-w- C:\Windows\SysWow64\GEARAspi.dll

2012-08-18 15:43:05 362496 ----a-w- C:\Windows\System32\wow64win.dll

2012-08-18 15:43:05 243200 ----a-w- C:\Windows\System32\wow64.dll

2012-08-18 15:43:05 13312 ----a-w- C:\Windows\System32\wow64cpu.dll

2012-08-18 15:42:31 215040 ----a-w- C:\Windows\System32\winsrv.dll

2012-08-18 15:40:26 16384 ----a-w- C:\Windows\System32\ntvdm64.dll

2012-08-18 15:37:49 425984 ----a-w- C:\Windows\System32\KernelBase.dll

2012-08-18 15:34:13 338432 ----a-w- C:\Windows\System32\conhost.exe

2012-08-18 11:22:55 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2012-08-18 11:19:45 44032 ----a-w- C:\Windows\apppatch\acwow64.dll

2012-08-18 11:19:22 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2012-08-18 11:17:56 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2012-08-18 11:17:56 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll

2012-08-18 09:12:09 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2012-08-18 09:12:09 2048 ----a-w- C:\Windows\SysWow64\user.exe

2012-08-18 09:07:02 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2012-08-18 09:07:02 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2012-08-18 09:07:02 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2012-08-18 09:07:02 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

.

============= FINISH: 20:39:07.81 ===============


I am TheDarkKnight and will be assisting you. Please ask questions if anything is unclear. :)

Edit: should not have attached files since it's still infected. Here are the logs:

;)

***Your log shows you have the uTorrent client installed, which is a P2P (Peer-to-Peer) file sharing program.***

I highly recommend that you consider uninstalling this program. P2P programs represent a security threat to the information on your system as they allow others to access your system. Just look at the number of high profile compromises in the news as a result of P2P software:

Data about Obama's helicopter breached via P2P?

Leak of congressional ethics document prompts calls for cybersecurity probe

Walter Reed suffers peer-to-peer data breach

Update: Seattle man arrested for p-to-p ID theft

More listed here:

Data Security Threats And Breaches

You should read the link at the bottom of that page:

Why File Sharing Networks Are Dangerous (Dartmouth study, .pdf file)

In many cases P2P programs also represent a risk of infection from the program itself, as some have installed adware/spyware, or other programs without consent. Even if the program itself is clean, many P2P networks are riddled with malware, and it's often the newest, most difficult to-remove malware. There are many risks associated with P2P programs; none are worth the risks.

If you don't uninstall the P2P software, I will continue to help clean your system, but please realise that it's likely only a matter of time before you are infected again.

Also, please read our policy here regarding the use of P2P programs.

=====

Your logs appear clean.

Please run a free online scan with the ESET Online Scanner.

Note: You can use Internet Explorer or Mozilla Firefox for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
  • Click Scan.
    Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

=====

I would like to see the contents of the ESET log please and a description of any current issues in your computer.


Hello!

Thanks for the advice on P2P & sharing the information with me. I have removed the program.

Today find gala returned with a vengeance, directing Chrome sites to a sports ad and to a fake antivirus page. Mostly it just redirected to its find gala page.

Should I do another round of scans?

My laptop has no issues; it's been running smoothly for 4 years now!

Here is the ESET log:

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=77e67b4d5cf0dd44a2136bddcf1264e3

# end=stopped

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2012-11-11 08:05:56

# local_time=2012-11-12 04:05:56 (+0800, Malay Peninsula Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7600 NT

# compatibility_mode=768 16777215 100 0 0 0 0 0

# compatibility_mode=5893 16776573 100 94 89118 104288366 0 0

# compatibility_mode=8192 67108863 100 0 667 667 0 0

# scanned=169909

# found=1

# cleaned=0

# scan_time=5840

D:\DAEMON Tools Lite\DTLite4461-0327.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=77e67b4d5cf0dd44a2136bddcf1264e3

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2012-11-12 12:08:13

# local_time=2012-11-12 08:08:13 (+0800, Malay Peninsula Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7600 NT

# compatibility_mode=768 16777215 100 0 0 0 0 0

# compatibility_mode=5893 16776573 100 94 138264 104337512 0 0

# compatibility_mode=8192 67108863 100 0 49813 49813 0 0

# scanned=181947

# found=1

# cleaned=0

# scan_time=14430

D:\DAEMON Tools Lite\DTLite4461-0327.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
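
The two ESET logs above share one layout: a short downloader banner, a block of `# key=value` header lines, then one line per detection. The parser below is an added example (not ESET's code and not from the post) that reads that layout and pulls out what a helper checks first: whether the scan ran to completion (`end=finished` rather than `end=stopped`), whether removal stayed off as instructed (`remove_checked=false`), and which detections were reported but not cleaned. The sample log embedded in the code is constructed from the two scans above; it keeps one copy of the detection line with the tab separators a real ESET log contains and one with the spaces a forum paste collapses them to. The rule that a path ends at its file extension is an assumption that holds for plain file paths like the one here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample built from the two ESET scans pasted above, trimmed to the
# lines the parser needs. The first detection line uses the spaces a forum paste
# leaves behind; the second uses the tab separators a real ESET log contains.
SAMPLE_LOG = """\
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=stopped
# remove_checked=false
# unwanted_checked=true
# utc_time=2012-11-11 08:05:56
# scanned=169909
# found=1
# cleaned=0
D:\\DAEMON Tools Lite\\DTLite4461-0327.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2012-11-12 12:08:13
# scanned=181947
# found=1
# cleaned=0
D:\\DAEMON Tools Lite\\DTLite4461-0327.exe\tWin32/OpenCandy application (unable to clean)\t00000000000000000000000000000000\tI
"""

# Space-collapsed detection line: "<path> <threat text> <32 hex digits> <flag>"
TRAILER_RE = re.compile(r"^(?P<rest>.+?)\s+(?P<digest>[0-9a-fA-F]{32})\s+(?P<flag>[A-Z])$")
# Assumption: the path ends at its file extension and the threat text follows.
# Archive members ("x.zip » ZIP » y.exe") are not covered by this rule.
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]{1,4})\s+(?P<threat>.+)$")


@dataclass
class Detection:
    path: str
    threat: str
    digest: str  # 32 hex digits; all zeros in the logs above
    flag: str

    @property
    def unresolved(self) -> bool:
        # ESET appends "(unable to clean)" when it reported but did not remove an item
        return "unable to clean" in self.threat.lower()


@dataclass
class ScanReport:
    header: Dict[str, str] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)

    @property
    def completed(self) -> bool:
        # end=finished means the scan ran to the end; end=stopped means it was aborted
        return self.header.get("end") == "finished"

    def header_consistent(self) -> bool:
        # The found= counter should match the detection lines that were pasted
        return int(self.header.get("found", "0")) == len(self.detections)


def parse_detection(line: str) -> Detection:
    """Split one detection line, accepting tab-separated or space-collapsed input."""
    parts = line.split("\t")
    if len(parts) >= 4:
        return Detection(parts[0], parts[1], parts[2], parts[3])
    m = TRAILER_RE.match(line)
    pm = PATH_RE.match(m.group("rest")) if m else None
    if not m or not pm:
        raise ValueError(f"unrecognised detection line: {line!r}")
    return Detection(pm.group("path"), pm.group("threat"), m.group("digest"), m.group("flag"))


def parse_eset_log(text: str) -> List[ScanReport]:
    """One ScanReport per 'ESETSmartInstaller@...' banner in the pasted text."""
    reports: List[ScanReport] = []
    current: Optional[ScanReport] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "all ok":
            continue
        if line.startswith("ESETSmartInstaller@") or current is None:
            current = ScanReport()
            reports.append(current)
            if line.startswith("ESETSmartInstaller@"):
                continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            current.header[key.strip()] = value.strip()  # repeated keys keep the last value
        else:
            current.detections.append(parse_detection(line))
    return reports


def summarize(reports: List[ScanReport]) -> dict:
    """The figures a helper reads off first when reviewing a posted ESET log."""
    return {
        "scans": len(reports),
        "completed": sum(1 for r in reports if r.completed),
        "found": sum(len(r.detections) for r in reports),
        "unresolved": sorted({d.path for r in reports for d in r.detections if d.unresolved}),
        "remove_enabled": any(r.header.get("remove_checked") == "true" for r in reports),
    }


if __name__ == "__main__":
    result = parse_eset_log(SAMPLE_LOG)
    for n, report in enumerate(result, 1):
        state = "finished" if report.completed else "stopped early"
        print(f"scan {n}: {state}, {len(report.detections)} item(s), header consistent: {report.header_consistent()}")
    print(summarize(result))
```

Run against the two scans above, the summary shows one completed scan (the first has `end=stopped`), removal left disabled in both, and a single unresolved path: the OpenCandy item inside the DAEMON Tools Lite installer, which ESET marked `(unable to clean)` both times.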


Good morning horimiya,

Please download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:
    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

=====

Also, please download AdwCleaner by Xplode onto your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

=====

In your reply please post the contents of the following logs:

  • OTL.txt.
  • Extras.txt.
  • AdwCleaner[R1].txt.


Good evening TheDarkKnight,

A question: is there any private information in all these logs posted that I should be aware of?

Here are the OTL.txt, Extras.txt and AdwCleaner[R1].txt logs:

TL logfile created on: 11/13/2012 10:44:41 PM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\ee\Desktop

64bit- Professional (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 2.06 Gb Available Physical Memory | 68.66% Memory free

5.99 Gb Paging File | 4.50 Gb Available in Paging File | 75.07% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 60.00 Gb Total Space | 19.90 Gb Free Space | 33.17% Space Free | Partition Type: NTFS

Drive D: | 110.00 Gb Total Space | 78.88 Gb Free Space | 71.71% Space Free | Partition Type: NTFS

Drive E: | 128.08 Gb Total Space | 41.02 Gb Free Space | 32.03% Space Free | Partition Type: NTFS

Computer Name: EE-PC | User Name: ee | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/11/13 22:43:21 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\ee\Desktop\OTL.exe

PRC - [2012/10/25 09:05:36 | 000,529,744 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe

PRC - [2012/10/06 20:15:09 | 001,353,080 | ---- | M] (Valve Corporation) -- D:\steam\Steam.exe

PRC - [2011/10/15 16:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

========== Modules (No Company Name) ==========

MOD - [2012/11/01 06:15:05 | 000,460,312 | ---- | M] () -- C:\Users\ee\AppData\Local\Google\Chrome\Application\23.0.1271.64\ppgooglenaclpluginchrome.dll

MOD - [2012/11/01 06:15:02 | 004,007,448 | ---- | M] () -- C:\Users\ee\AppData\Local\Google\Chrome\Application\23.0.1271.64\pdf.dll

MOD - [2012/11/01 06:13:47 | 000,587,288 | ---- | M] () -- C:\Users\ee\AppData\Local\Google\Chrome\Application\23.0.1271.64\libglesv2.dll

MOD - [2012/11/01 06:13:46 | 000,123,928 | ---- | M] () -- C:\Users\ee\AppData\Local\Google\Chrome\Application\23.0.1271.64\libegl.dll

MOD - [2012/11/01 06:13:35 | 000,156,712 | ---- | M] () -- C:\Users\ee\AppData\Local\Google\Chrome\Application\23.0.1271.64\avutil-51.dll

MOD - [2012/11/01 06:13:34 | 000,274,984 | ---- | M] () -- C:\Users\ee\AppData\Local\Google\Chrome\Application\23.0.1271.64\avformat-54.dll

MOD - [2012/11/01 06:13:32 | 002,168,360 | ---- | M] () -- C:\Users\ee\AppData\Local\Google\Chrome\Application\23.0.1271.64\avcodec-54.dll

MOD - [2012/10/25 09:05:36 | 020,317,008 | ---- | M] () -- D:\steam\bin\libcef.dll

MOD - [2012/10/25 09:05:35 | 001,099,616 | ---- | M] () -- D:\steam\bin\avcodec-53.dll

MOD - [2012/10/25 09:05:35 | 000,902,480 | ---- | M] () -- D:\steam\bin\chromehtml.dll

MOD - [2012/10/25 09:05:35 | 000,190,816 | ---- | M] () -- D:\steam\bin\avformat-53.dll

MOD - [2012/10/25 09:05:35 | 000,123,232 | ---- | M] () -- D:\steam\bin\avutil-51.dll

========== Services (SafeList) ==========

SRV:64bit: - [2009/07/14 09:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV:64bit: - [2009/07/14 09:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)

SRV - [2012/10/25 09:05:36 | 000,529,744 | ---- | M] (Valve Corporation) [On_Demand | Running] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)

SRV - [2012/08/29 12:03:36 | 002,369,960 | ---- | M] (LogMeIn Inc.) [Auto | Running] -- C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)

SRV - [2012/08/28 07:40:00 | 004,204,272 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\SysWOW64\GameMon.des -- (npggsvc)

SRV - [2011/10/15 16:53:00 | 002,253,120 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe -- (nvUpdatusService)

SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)

SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)

SRV - [2009/06/11 05:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/11/11 01:41:13 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)

DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)

DRV:64bit: - [2012/07/09 13:42:54 | 000,052,736 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)

DRV:64bit: - [2012/03/01 14:54:38 | 000,022,896 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)

DRV:64bit: - [2011/07/08 07:21:28 | 000,174,184 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)

DRV:64bit: - [2011/03/11 14:22:41 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)

DRV:64bit: - [2011/03/11 14:22:40 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)

DRV:64bit: - [2010/04/14 01:01:44 | 000,054,824 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btusbflt.sys -- (btusbflt)

DRV:64bit: - [2009/12/03 16:48:32 | 000,716,872 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ATSwpWDF.sys -- (ATSwpWDF)

DRV:64bit: - [2009/09/28 09:22:00 | 000,395,264 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\yk62x64.sys -- (yukonw7)

DRV:64bit: - [2009/07/14 09:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)

DRV:64bit: - [2009/07/14 09:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)

DRV:64bit: - [2009/07/14 09:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)

DRV:64bit: - [2009/07/14 09:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)

DRV:64bit: - [2009/07/14 09:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\svchost.exe -- (1394hub)

DRV:64bit: - [2009/06/11 05:01:06 | 001,146,880 | ---- | M] (LSI Corp) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\agrsm64.sys -- (AgereSoftModem)

DRV:64bit: - [2009/06/11 04:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64)

DRV:64bit: - [2009/06/11 04:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)

DRV:64bit: - [2009/06/11 04:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)

DRV:64bit: - [2009/06/11 04:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)

DRV:64bit: - [2009/06/11 04:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)

DRV:64bit: - [2009/03/18 17:35:42 | 000,033,856 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\hamachi.sys -- (hamachi)

DRV:64bit: - [2008/02/21 17:55:00 | 000,393,728 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\yk60x64.sys -- (yukonx64)

DRV - [2009/07/14 09:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKLM\..\URLSearchHook: {d8fb4583-db9d-4c7b-85be-294c13a3e5c4} - No CLSID value found

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.sg/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CE EB 63 17 0C 5C CC 01 [binary data]

IE - HKCU\..\SearchScopes,DefaultScope = {BA2B6456-3147-46D6-8BEE-D95878968E92}

IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC

IE - HKCU\..\SearchScopes\{2B777B68-9A82-4DA6-800B-882955F1F07F}: "URL" = http://www.baidu.com/baidu?tn=dealio_dg&wd={searchTerms}

IE - HKCU\..\SearchScopes\{BA2B6456-3147-46D6-8BEE-D95878968E92}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}

IE - HKCU\..\SearchScopes\{E79D06E1-62C7-4091-80FF-1A7CAB6F4BB4}: "URL" = http://sg.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&type=937811&p={searchTerms}

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_4_402_287.dll File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.dll ()

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found

FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

========== Chrome ==========

CHR - homepage: http://www.google.com

CHR - default_search_provider: Google (Enabled)

CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}

CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter},

CHR - homepage: http://www.google.com

CHR - plugin: Shockwave Flash (Enabled) = C:\Users\ee\AppData\Local\Google\Chrome\Application\21.0.1180.75\PepperFlash\pepflashplayer.dll

CHR - plugin: Shockwave Flash (Enabled) = C:\Users\ee\AppData\Local\Google\Chrome\Application\23.0.1271.64\gcswf32.dll

CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer

CHR - plugin: Native Client (Enabled) = C:\Users\ee\AppData\Local\Google\Chrome\Application\23.0.1271.64\ppGoogleNaClPluginChrome.dll

CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\ee\AppData\Local\Google\Chrome\Application\23.0.1271.64\pdf.dll

CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll

CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll

CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll

CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll

CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll

CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll

CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll

CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll

CHR - plugin: Picasa (Enabled) = C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll

CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll

CHR - plugin: Java Platform SE 7 U5 (Enabled) = C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll

CHR - plugin: Java Deployment Toolkit 7.0.50.255 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll

CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll

CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll

CHR - Extension: Entanglement = C:\Users\ee\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.7.9_0\

CHR - Extension: Bookmark Sentry = C:\Users\ee\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdglbbcbmgnimogcmcdenggkpdmihlga\1.7.3_0\

CHR - Extension: Glow = C:\Users\ee\AppData\Local\Google\Chrome\User Data\Default\Extensions\bekmjjakgojplnhahcilegeiklenjbgb\1.0_0\

CHR - Extension: Turn Off the Lights = C:\Users\ee\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfbmjmiodbnnpllbbbfblcplfjjepjdn\2.1.0.16_0\

CHR - Extension: High Contrast = C:\Users\ee\AppData\Local\Google\Chrome\User Data\Default\Extensions\djcfdncoelnlbldjfhinnjlhdjlikmph\0.4_0\

CHR - Extension: Collusion for Chrome = C:\Users\ee\AppData\Local\Google\Chrome\User Data\Default\Extensions\ganlifbpkcplnldliibcbegplfmcfigp\1.10.4_0\

CHR - Extension: 3D Function Graphics = C:\Users\ee\AppData\Local\Google\Chrome\User Data\Default\Extensions\iobplelaajiidonodpenmapjhndgohhn\1.2_0\

CHR - Extension: Dropbox = C:\Users\ee\AppData\Local\Google\Chrome\User Data\Default\Extensions\ioekoebejdcmnlefjiknokhhafglcjdl\3.0.2_0\

CHR - Extension: Ghostery = C:\Users\ee\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij\4.0.0_0\

CHR - Extension: Flash Player = C:\Users\ee\AppData\Local\Google\Chrome\User Data\Default\Extensions\pcplidffijapllcadglkoenobogpgdlb\11_0\

CHR - Extension: Psykopaint = C:\Users\ee\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgjchkcfmigkkhedgjedmffdepgmpfil\0.0.0.10_0\

CHR - Extension: Psykopaint = C:\Users\ee\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgjchkcfmigkkhedgjedmffdepgmpfil\0.0.0.10_0\.bak

O1 HOSTS File: ([2012/11/03 23:43:04 | 000,000,797 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts

O3 - HKLM\..\Toolbar: (no name) - {d8fb4583-db9d-4c7b-85be-294c13a3e5c4} - No CLSID value found.

O4 - HKCU..\Run: [DAEMON Tools Lite] D:\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8:64bit: - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 File not found

O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\SysWow64\GPhotos.scr (Google Inc.)

O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A96D1D90-4422-43A0-BE93-FA2498BC4D5B}: DhcpNameServer = 192.168.1.254

O18:64bit: - Protocol\Handler\livecall - No CLSID value found

O18:64bit: - Protocol\Handler\ms-help - No CLSID value found

O18:64bit: - Protocol\Handler\msnim - No CLSID value found

O20 - AppInit_DLLs: (C:\PROGRA~2\Google\GOOGLE~1\GoogleDesktopNetwork3.dll) - C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)

O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)

O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

O32 - HKLM CDRom: AutoRun - 1

O34 - HKLM BootExecute: (autocheck autochk *)

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

Drivers32: VIDC.FFDS - D:\Combined Community Codec Pack\Filters\FFDShow\ff_vfw.dll ()

CREATERESTOREPOINT

Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/11/13 22:43:07 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\ee\Desktop\OTL.exe

[2012/11/13 21:07:38 | 000,000,000 | ---D | C] -- C:\Users\ee\AppData\Local\{FF66EE4E-B40F-44DF-B39D-68355298AD06}

[2012/11/12 22:50:28 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2012/11/12 19:32:04 | 000,000,000 | ---D | C] -- C:\Users\ee\AppData\Local\{8174B6C9-07B4-4ADD-A860-27EA8E392A3F}

[2012/11/12 02:17:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET

[2012/11/11 08:22:51 | 000,000,000 | ---D | C] -- C:\Users\ee\AppData\Local\{F4936680-C053-47F2-AEED-01BFCB4A8B7D}

[2012/11/11 02:11:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kalypso Media

[2012/11/11 01:42:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DAEMON Tools Lite

[2012/11/11 01:41:13 | 000,283,200 | ---- | C] (DT Soft Ltd) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys

[2012/11/10 10:58:22 | 000,000,000 | ---D | C] -- C:\Users\ee\AppData\Local\{4B597F43-E070-4E56-AF35-3A0659C6950B}

[2012/11/09 18:10:49 | 000,000,000 | ---D | C] -- C:\Users\ee\AppData\Local\{B232200F-D29D-450A-A4C5-943CC16B281C}

[2012/11/08 22:15:02 | 000,000,000 | ---D | C] -- C:\Users\ee\Desktop\logs

[2012/11/08 18:57:00 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2012/11/08 18:57:00 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2012/11/08 18:57:00 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2012/11/08 18:56:42 | 000,000,000 | ---D | C] -- C:\Qoobox

[2012/11/08 18:56:35 | 000,000,000 | R--D | C] -- C:\Users\ee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

[2012/11/08 18:56:23 | 000,000,000 | ---D | C] -- C:\Windows\erdnt

[2012/11/07 22:32:41 | 000,000,000 | ---D | C] -- C:\Users\ee\AppData\Local\{68FC57F7-D664-46E4-9063-74986ED17604}

[2012/11/06 16:37:08 | 000,000,000 | ---D | C] -- C:\Users\ee\AppData\Local\{8A7424D3-6A4D-4EE0-983D-D5BABBB38E5A}

[2012/11/05 20:19:56 | 000,000,000 | ---D | C] -- C:\Users\ee\AppData\Local\{5824996B-1129-4C2F-BD17-771C73B5B612}

[2012/11/05 13:56:18 | 000,000,000 | ---D | C] -- C:\Users\ee\AppData\Local\VirtualStore

[2012/11/05 06:38:45 | 000,285,328 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe

[2012/11/03 23:45:46 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine

[2012/10/24 01:31:41 | 000,000,000 | R--D | C] -- C:\Users\ee\Videos

[2012/10/23 21:23:31 | 000,000,000 | R--D | C] -- C:\Users\ee\Favorites

[2012/10/23 21:23:26 | 000,000,000 | R--D | C] -- C:\Users\ee\Searches

[2012/10/23 19:58:50 | 000,000,000 | ---D | C] -- C:\Users\ee\Tracing

[2012/10/23 18:12:35 | 000,000,000 | ---D | C] -- C:\Users\ee\Desktop

[2012/10/23 17:18:28 | 000,000,000 | ---D | C] -- C:\Users\ee\fourclover

[2012/10/17 18:50:35 | 000,696,760 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe

[2012/10/17 18:50:35 | 000,073,656 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

[2012/10/17 16:41:10 | 000,000,000 | ---D | C] -- C:\Users\ee\Documents\Calibre Library

[2012/10/17 16:40:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Calibre2

[2012/10/17 16:40:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre - E-book Management

[3 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/11/13 22:43:21 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\ee\Desktop\OTL.exe

[2012/11/13 22:22:00 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2012/11/13 22:01:00 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-653543735-296090576-2018118724-1001UA.job

[2012/11/13 17:22:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2012/11/13 12:01:00 | 000,000,844 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-653543735-296090576-2018118724-1001Core.job

[2012/11/13 07:30:22 | 000,020,720 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

[2012/11/13 07:30:22 | 000,020,720 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

[2012/11/13 07:27:28 | 000,779,306 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2012/11/13 07:27:28 | 000,660,546 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2012/11/13 07:27:28 | 000,121,442 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2012/11/13 07:22:52 | 2411,876,352 | -HS- | M] () -- C:\hiberfil.sys

[2012/11/11 01:41:13 | 000,283,200 | ---- | M] (DT Soft Ltd) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys

[2012/11/08 18:52:53 | 000,000,448 | ---- | M] () -- C:\Windows\SysNative\drivers\kgpcpy.cfg

[2012/11/05 09:39:19 | 000,037,070 | ---- | M] () -- C:\UPIFZ.jpg

[2012/11/05 06:38:45 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt

[2012/11/03 19:53:36 | 000,001,738 | ---- | M] () -- C:\Users\ee\AppData\Local\iwmvwspbz1m.crx

[2012/10/31 09:33:29 | 002,175,795 | ---- | M] () -- C:\Users\ee\ibdb3QC8lsFRNj.gif

[2012/10/31 09:15:18 | 000,035,308 | ---- | M] () -- C:\Users\ee\s2lVu.jpg

[2012/10/31 08:19:40 | 000,253,279 | ---- | M] () -- C:\Users\ee\tuzX2.jpg

[2012/10/31 07:36:56 | 000,075,265 | ---- | M] () -- C:\Users\ee\EVZKj.jpg

[2012/10/31 06:50:30 | 000,285,328 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe

[2012/10/23 21:26:54 | 000,696,760 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe

[2012/10/23 21:26:54 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

[2012/10/23 18:13:14 | 000,026,855 | ---- | M] () -- C:\2.JPG

[2012/10/23 18:12:55 | 000,064,747 | ---- | M] () -- C:\1.JPG

[3 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/11/08 18:57:00 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe

[2012/11/08 18:57:00 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe

[2012/11/08 18:57:00 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2012/11/08 18:57:00 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2012/11/08 18:57:00 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2012/11/08 18:44:07 | 000,000,448 | ---- | C] () -- C:\Windows\SysNative\drivers\kgpcpy.cfg

[2012/11/05 09:39:18 | 000,037,070 | ---- | C] () -- C:\UPIFZ.jpg

[2012/11/03 19:53:36 | 000,001,738 | ---- | C] () -- C:\Users\ee\AppData\Local\iwmvwspbz1m.crx

[2012/10/31 09:33:29 | 002,175,795 | ---- | C] () -- C:\Users\ee\ibdb3QC8lsFRNj.gif

[2012/10/31 09:15:18 | 000,035,308 | ---- | C] () -- C:\Users\ee\s2lVu.jpg

[2012/10/31 08:19:39 | 000,253,279 | ---- | C] () -- C:\Users\ee\tuzX2.jpg

[2012/10/31 07:36:55 | 000,075,265 | ---- | C] () -- C:\Users\ee\EVZKj.jpg

[2012/10/23 18:13:14 | 000,026,855 | ---- | C] () -- C:\2.JPG

[2012/10/23 18:12:55 | 000,064,747 | ---- | C] () -- C:\1.JPG

[2012/06/06 01:18:32 | 000,773,522 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI

[2011/12/23 12:58:54 | 000,000,419 | ---- | C] () -- C:\Windows\BRWMARK.INI

[2011/12/23 12:58:54 | 000,000,027 | ---- | C] () -- C:\Windows\BRPP2KA.INI

[2011/08/17 04:04:16 | 000,003,584 | ---- | C] () -- C:\Users\ee\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/12/14 13:44:14 | 000,000,030 | ---- | C] () -- C:\Users\ee\AppData\Local\wic.exe!

[2010/11/20 13:14:29 | 000,000,268 | ---- | C] () -- C:\Windows\game.ini

========== ZeroAccess Check ==========

[2009/07/14 12:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 13:30:56 | 014,165,504 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 12:46:56 | 012,868,608 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64

"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/14 09:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/07/14 09:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64

"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/14 09:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2012/10/23 18:12:55 | 000,064,747 | ---- | M] () -- C:\1.JPG

[2012/10/23 18:13:14 | 000,026,855 | ---- | M] () -- C:\2.JPG

[2009/07/14 09:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr

[2010/09/22 15:04:52 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK

[2012/11/12 22:43:06 | 000,021,816 | ---- | M] () -- C:\ComboFix.txt

[2010/10/06 16:50:00 | 000,203,836 | RHS- | M] () -- C:\grldr

[2012/11/13 07:22:52 | 2411,876,352 | -HS- | M] () -- C:\hiberfil.sys

[2012/11/13 07:22:55 | 3215,839,232 | -HS- | M] () -- C:\pagefile.sys

[2012/11/12 22:58:32 | 000,131,592 | ---- | M] () -- C:\TDSSKiller.2.8.15.0_12.11.2012_22.57.40_log.txt

[2012/11/05 09:39:19 | 000,037,070 | ---- | M] () -- C:\UPIFZ.jpg

[2010/10/06 16:50:01 | 000,000,000 | RHS- | M] () -- C:\winx.ld

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

========== Files - Unicode (All) ==========

[2012/07/13 18:27:18 | 007,679,639 | ---- | M] ()(C:\Users\ee\Documents\IU - 04. ?? ? (You & I).mp3) -- C:\Users\ee\Documents\IU - 04. 너랑 나 (You & I).mp3

[2012/07/13 18:27:05 | 007,679,639 | ---- | C] ()(C:\Users\ee\Documents\IU - 04. ?? ? (You & I).mp3) -- C:\Users\ee\Documents\IU - 04. 너랑 나 (You & I).mp3

< End of report >

-----------------------

OTL Extras logfile created on: 11/13/2012 10:44:41 PM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\ee\Desktop

64bit- Professional (Version = 6.1.7600) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.99 Gb Total Physical Memory | 2.06 Gb Available Physical Memory | 68.66% Memory free

5.99 Gb Paging File | 4.50 Gb Available in Paging File | 75.07% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 60.00 Gb Total Space | 19.90 Gb Free Space | 33.17% Space Free | Partition Type: NTFS

Drive D: | 110.00 Gb Total Space | 78.88 Gb Free Space | 71.71% Space Free | Partition Type: NTFS

Drive E: | 128.08 Gb Total Space | 41.02 Gb Free Space | 32.03% Space Free | Partition Type: NTFS

Computer Name: EE-PC | User Name: ee | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)

InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [bridge] -- D:\photoshop\ps\Adobe Bridge CS5.1\Bridge.exe "%L" (Adobe Systems, Inc.)

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [bridge] -- D:\photoshop\ps\Adobe Bridge CS5.1\Bridge.exe "%L" (Adobe Systems, Inc.)

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{01F7FB5C-3858-4861-B28B-226ADDC66860}" = lport=10243 | protocol=6 | dir=in | app=system |

"{09134F4B-005F-4466-96AD-F572F1C5710A}" = lport=8370 | protocol=6 | dir=in | name=league of legends launcher |

"{0DC6793B-7C21-45C4-94B8-5DFE7757EA89}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{167A249A-C73F-4979-9506-A78F7C875D29}" = rport=139 | protocol=6 | dir=out | app=system |

"{1C8EFDAB-4E59-44E8-AC26-19A725B246F3}" = rport=10243 | protocol=6 | dir=out | app=system |

"{1E3E5CCC-2807-44FE-810F-9DAB57A99F91}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{1E684C35-8E21-4DE1-AEE2-DCB2852445A5}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{230CAD33-32CB-44CE-B372-608DB048B364}" = lport=137 | protocol=17 | dir=in | app=system |

"{6D064941-3324-430C-88F2-94240B9584DF}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |

"{71848359-2BB8-4606-93C1-4780809E09B9}" = lport=138 | protocol=17 | dir=in | app=system |

"{8480A487-1D4C-4619-9FA2-C7FC43217872}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{903773D3-CA68-43C6-A7C1-053B3FBCD344}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{916B9DD1-A88B-4516-9126-C7D8D0D2BD01}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |

"{9D219D05-B9BD-443C-B09D-93B1E5512DE2}" = lport=8370 | protocol=17 | dir=in | name=league of legends launcher |

"{A266A19E-39A8-417C-9E9E-5ECB282F0E51}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

"{ACBF2270-5966-42D1-8316-CF69BD7F041B}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{B00D2503-3735-4755-89A8-330474456869}" = lport=6893 | protocol=17 | dir=in | name=league of legends launcher |

"{B3CBC02F-A10F-404F-9FE1-BAFBFD1605B6}" = lport=6893 | protocol=6 | dir=in | name=league of legends launcher |

"{C0F64B43-63E5-4AEB-84BA-D7C356D166B1}" = lport=445 | protocol=6 | dir=in | app=system |

"{C57259BF-C42C-45D2-8977-E77D187983FB}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |

"{D79B9B20-0E57-43E4-979D-900D04B59302}" = lport=2869 | protocol=6 | dir=in | app=system |

"{DE7EE85A-27B0-4885-A516-0CD4AD01AFCE}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

"{E81E8C67-A7BE-40DF-98DD-45108F7F0353}" = rport=445 | protocol=6 | dir=out | app=system |

"{EBDDDC86-BE5F-4EB2-8B3D-BBEE0733F5CA}" = rport=138 | protocol=17 | dir=out | app=system |

"{EC64BCA5-B915-451C-A1D5-75FEA6DFEA67}" = rport=137 | protocol=17 | dir=out | app=system |

"{F4FD3D8C-960B-4F0D-9BE1-FF7263E01317}" = lport=139 | protocol=6 | dir=in | app=system |

"{F75327B4-4357-4C9A-849A-9BA6B138FF2B}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{092A9CF8-8CB9-4CA7-A545-6C9AE01C5E6E}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe |

"{0B996DC9-B4BC-42B2-8FDE-310EAF9C71F0}" = protocol=6 | dir=in | app=d:\halite.exe |

"{0C271F8C-E4CD-4CE7-AEF7-FDA27EDEE846}" = protocol=6 | dir=out | app=system |

"{0F46C674-DB77-4F75-9675-130385E5D23A}" = protocol=6 | dir=in | app=d:\steam\steamapps\common\dota 2 beta\dota.exe |

"{1406342D-885F-4C29-B1F8-C98874C55ACB}" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\the battle for middle-earth ii\game.dat |

"{151A1846-B35D-49B9-AE07-09EA38608397}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |

"{165F2298-0216-4438-A0C0-3DB89DD42605}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

"{16EB4FFE-7CAB-4CA6-922F-8E887A41C8FE}" = protocol=17 | dir=in | app=d:\diablo 2 with lord of destruction (v1.13c) (direct play)\diablo ii\game.exe |

"{1A67FC89-32C5-427C-AAF7-345EF31DBBD9}" = protocol=17 | dir=in | app=d:\fm.exe |

"{1B780551-3054-4D65-A259-916B4B58875F}" = protocol=17 | dir=in | app=c:\program files (x86)\garena messenger\apps\lol\game\league of legends.exe |

"{1C184435-D473-4915-B01C-5FEAE4C8FB67}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |

"{1E7518AF-4799-4810-AE8E-75158025B689}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{1EEBCA22-73B4-47F4-996F-58DDD5794790}" = protocol=17 | dir=in | app=d:\halite.exe |

"{243D872C-371E-481D-8DD4-7C0EC8A17647}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |

"{29E87208-D818-4BDE-B11B-86C89E2A6211}" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\the battle for middle-earth ii\game.dat |

"{2CAB6C49-B0FE-450B-8FCC-19F1F29C87B9}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |

"{32BD1AA6-5AC7-4C99-98FA-B08C966DDD3A}" = protocol=6 | dir=in | app=d:\garena messenger\gamedata\apps\lol\air\lolclient.exe |

"{3812F908-2EE0-45D2-9AFF-410AC3EE1093}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |

"{3BBB832A-E1E7-4C25-BBB7-3C74BC5D397A}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe |

"{47387B14-AE4E-4657-AED7-EFC0A0838E0E}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{4DB7557B-88F6-46A2-842B-4CFDB8E00AF8}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstra.exe |

"{5000033F-1EB3-4CF8-8EFC-95CED26054F1}" = protocol=6 | dir=in | app=c:\program files (x86)\garena messenger\apps\lol\air\lolclient.exe |

"{554B6936-88FF-495C-B3E0-7029D623CE96}" = protocol=6 | dir=in | app=d:\dn\dragonnest.exe |

"{5716CB77-4615-4D24-9275-F86AA61241E8}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |

"{5EECDE6F-5B19-4E97-9696-D5B26D40389A}" = protocol=6 | dir=in | app=d:\fm.exe |

"{604DC840-2970-434A-A193-226DDE6F6559}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstra.exe |

"{61E7E45B-0453-4B94-A4C8-183CC8A807E1}" = protocol=6 | dir=in | app=d:\diablo 3\diablo iii beta\diablo iii.exe |

"{63EB0765-1C39-4ABC-BEF8-7E06595FF4EB}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |

"{6BAB9F6A-BB9B-4820-A2D2-2C5589EE10DF}" = protocol=6 | dir=in | app=d:\diablo 2 with lord of destruction (v1.13c) (direct play)\diablo ii\game.exe |

"{6D6DD07C-1584-425C-89C9-8E2BA3260F4A}" = protocol=17 | dir=in | app=d:\dn\dragonnest.exe |

"{6D9491D0-1CBE-4C74-BDC1-5E01A1DD00E3}" = protocol=17 | dir=in | app=d:\steam\steamapps\common\dota 2 beta\dota.exe |

"{6F067044-2343-4813-B3B8-9F760FBA2545}" = protocol=6 | dir=in | app=d:\dn\dragonnest.exe |

"{70357A08-1C28-4E11-88E0-73D95765D57C}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe |

"{70F3AF1E-41BC-412F-BE3E-7CA3BEFF15C5}" = protocol=17 | dir=in | app=d:\steam\steam.exe |

"{722EA1F6-CB33-429E-B7E2-0337DA37F612}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{767433B1-70B5-40E5-B016-298260E460C3}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{79216725-F253-4C9F-9B03-B953A0EB2F81}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{7A087BCB-3076-4E39-8746-59748449A043}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{7AAC63AE-D43D-48B9-B89E-854B0CBA1E1E}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |

"{7AEEFE8B-268F-4F4B-AA3D-816DCD38B4A8}" = protocol=6 | dir=in | app=d:\dragonnest.exe |

"{84272A52-E7B7-4D83-B6A3-7127831BD26B}" = protocol=17 | dir=in | app=d:\garena messenger\gamedata\apps\lol\air\lolclient.exe |

"{899327D7-215E-471B-BBA7-AE09B18A2C78}" = protocol=6 | dir=in | app=c:\programdata\battle.net\agent\agent.515\agent.exe |

"{92B98B69-FB5B-47FC-97C6-6F5A3E54C46D}" = protocol=17 | dir=in | app=c:\programdata\battle.net\agent\agent.515\agent.exe |

"{9529629A-BCDE-401B-9C87-CFE6861C5A94}" = protocol=17 | dir=in | app=d:\dragonnest.exe |

"{9A858604-D8C6-4211-9B86-A073E7588560}" = protocol=6 | dir=in | app=d:\steam\steam.exe |

"{9C494448-D958-48B2-8F84-0BB4C62002B3}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{9FAE2570-EFC4-42AD-89F6-8E3189A31461}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{A08FCB2A-9100-4B92-87F6-5B13B226C051}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |

"{A2BD39A3-40C8-4AAC-89ED-EA0B595B0FA0}" = protocol=17 | dir=in | app=d:\dn\dragonnest.exe |

"{A8C44987-0512-4DC7-834C-45F154628511}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{A947A19A-85AA-4434-A844-BC32C4A554E6}" = protocol=6 | dir=in | app=d:\dragonnest.exe |

"{AD45B360-50D8-4F2F-B154-62A8F5B941E0}" = protocol=17 | dir=in | app=c:\programdata\battle.net\agent\agent.868\agent.exe |

"{AEEF178C-717D-487B-9233-CADD1B08B18A}" = protocol=6 | dir=in | app=c:\programdata\battle.net\agent\agent.868\agent.exe |

"{B35905D6-90D7-4329-A866-01CC72B551E0}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe |

"{B8E5606A-C084-41C2-A239-F2E6138C0568}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe |

"{B96E51B8-931F-40CB-86C5-A1AD1B4A40D3}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{BDA31937-B83E-4A67-BF68-923B9087B8DA}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{BF0FA97C-E924-462A-88EA-C25D02328235}" = protocol=17 | dir=in | app=d:\garena messenger\gamedata\apps\lol\game\league of legends.exe |

"{C3570F68-0F3E-46F9-A6AA-97046761F309}" = protocol=17 | dir=in | app=d:\dragonnest.exe |

"{C700C6F4-7D77-4145-9EB0-4DD13DBA61E9}" = protocol=17 | dir=in | app=d:\diablo 3\diablo iii beta\diablo iii.exe |

"{CC829972-7FAE-43B2-91F9-0B9B98240B39}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{D655BA1F-EC05-4CB1-A91A-5731309FC0E8}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{D665B0A0-E14A-48CB-AA31-C57AF807087D}" = protocol=6 | dir=in | app=d:\garena messenger\gamedata\apps\lol\game\league of legends.exe |

"{D8CE0E0C-7C99-4E9D-9400-EFE50557F499}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe |

"{E4F8108A-F30B-4A4A-A6D2-4FA3736DC478}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

"{E60E6146-C0F5-42D6-85FB-094C5290E190}" = protocol=17 | dir=in | app=c:\program files (x86)\garena messenger\apps\lol\air\lolclient.exe |

"{F02859B6-BD20-42D8-A206-C431419C725B}" = protocol=6 | dir=in | app=c:\program files (x86)\garena messenger\apps\lol\game\league of legends.exe |

"TCP Query User{02450EAC-8C6D-4905-AB4A-8E382B862C41}D:\utorrent.exe" = protocol=6 | dir=in | app=d:\utorrent.exe |

"TCP Query User{050B1DD5-CEF7-4D65-A503-522B7A9FBD26}D:\diablo 2 with lord of destruction (v1.13c) (direct play)\diablo ii\game.exe" = protocol=6 | dir=in | app=d:\diablo 2 with lord of destruction (v1.13c) (direct play)\diablo ii\game.exe |

"TCP Query User{1229C332-EF25-4A6F-A41A-65BDFA03A011}D:\torchlight.ii-reloaded\torchlight ii\torchlight2.exe" = protocol=6 | dir=in | app=d:\torchlight.ii-reloaded\torchlight ii\torchlight2.exe |

"TCP Query User{12CCF92C-ECBE-4A4F-8489-4AF853DA95A9}D:\left 4 dead 2 v2.0.0.1 cracked\left4dead2.exe" = protocol=6 | dir=in | app=d:\left 4 dead 2 v2.0.0.1 cracked\left4dead2.exe |

"TCP Query User{1BD5FD3D-69CC-463D-BDEF-CE2FB9942C73}C:\program files (x86)\garena messenger\room\garena_room.exe" = protocol=6 | dir=in | app=c:\program files (x86)\garena messenger\room\garena_room.exe |

"TCP Query User{1E80794C-5C23-488B-957E-F86C5A87FDF6}D:\left 4 dead 2 v2.0.0.1 cracked\left4dead2.exe" = protocol=6 | dir=in | app=d:\left 4 dead 2 v2.0.0.1 cracked\left4dead2.exe |

"TCP Query User{23D36B1C-3098-4B20-B54D-936E5E0C8B88}E:\steam\steamapps\woahlzxh\team fortress 2\hl2.exe" = protocol=6 | dir=in | app=e:\steam\steamapps\woahlzxh\team fortress 2\hl2.exe |

"TCP Query User{37BD2B21-3581-4EEF-B680-E2CBFE200E82}D:\garena messenger\garenamessenger.exe" = protocol=6 | dir=in | app=d:\garena messenger\garenamessenger.exe |

"TCP Query User{38C73AB2-E18B-47F3-BF37-93E5A4D71369}D:\reckoning\kingdoms of amalur reckoning\reckoning.exe" = protocol=6 | dir=in | app=d:\reckoning\kingdoms of amalur reckoning\reckoning.exe |

"TCP Query User{3B5B4AB8-426F-482E-BDD9-611A99DB9BB2}D:\lolinstaller.exe" = protocol=6 | dir=in | app=d:\lolinstaller.exe |

"TCP Query User{3FEF3E1B-9483-4342-8FCA-0C23314D0585}C:\program files (x86)\steam\steamapps\woahlzxh\team fortress 2\hl2.exe" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\woahlzxh\team fortress 2\hl2.exe |

"TCP Query User{45FAB807-801B-4039-869D-D7E932B0DCBC}D:\omd2\orcs must die 2\build\release\orcsmustdie2.exe" = protocol=6 | dir=in | app=d:\omd2\orcs must die 2\build\release\orcsmustdie2.exe |

"TCP Query User{6F3D2C7A-F2C6-4A65-AE8D-B6A4A8FC78A3}D:\utorrent.exe" = protocol=6 | dir=in | app=d:\utorrent.exe |

"TCP Query User{73C98552-5F75-4C8B-BFA7-EBCFDB82B564}C:\program files (x86)\garena messenger\garenamessenger.exe" = protocol=6 | dir=in | app=c:\program files (x86)\garena messenger\garenamessenger.exe |

"TCP Query User{74AE4AD1-8922-4C02-A90A-9BC87119E1BB}D:\garena plus\room\garena_room.exe" = protocol=6 | dir=in | app=d:\garena plus\room\garena_room.exe |

"TCP Query User{85467F8E-E0C8-444E-A8B2-010A06B4F41B}D:\unmechanical\binaries\win32\udk.exe" = protocol=6 | dir=in | app=d:\unmechanical\binaries\win32\udk.exe |

"TCP Query User{857ACBFD-DF96-4BF1-835F-1BCD1EFCD265}E:\grimlauncher1.5\grim fandango launcher.exe" = protocol=6 | dir=in | app=e:\grimlauncher1.5\grim fandango launcher.exe |

"TCP Query User{B61208AE-3150-4DDA-9E9D-F42C4E46ECDF}D:\reckoning\kingdoms of amalur reckoning\reckoning.exe" = protocol=6 | dir=in | app=d:\reckoning\kingdoms of amalur reckoning\reckoning.exe |

"TCP Query User{C0DE5F5A-0FD8-4C00-BE4A-F907695CF668}D:\garena plus\room\garena_room.exe" = protocol=6 | dir=in | app=d:\garena plus\room\garena_room.exe |

"TCP Query User{C2BC08B3-D08A-4D61-8A3A-02D73598CED9}D:\sins of a solar empire\sins of a solar empire diplomacy ico\sins of a solar empire diplomacy.exe" = protocol=6 | dir=in | app=d:\sins of a solar empire\sins of a solar empire diplomacy ico\sins of a solar empire diplomacy.exe |

"TCP Query User{D08AF38E-630B-45B4-96D4-313DABDF4FFC}C:\users\ee\downloads\lolinstaller.exe" = protocol=6 | dir=in | app=c:\users\ee\downloads\lolinstaller.exe |

"TCP Query User{D998120A-5444-4FC5-94A5-EA155E25B64B}D:\fifa 12\fifa 12\game\fifa.exe" = protocol=6 | dir=in | app=d:\fifa 12\fifa 12\game\fifa.exe |

"TCP Query User{FB1BA204-9802-441B-AEA8-1BF1941266C2}D:\l4d2\left 4 dead 2\left4dead2.exe" = protocol=6 | dir=in | app=d:\l4d2\left 4 dead 2\left4dead2.exe |

"UDP Query User{0E6F4E38-E631-4823-A59A-27FA5510F30D}C:\program files (x86)\garena messenger\room\garena_room.exe" = protocol=17 | dir=in | app=c:\program files (x86)\garena messenger\room\garena_room.exe |

"UDP Query User{1696BE1E-DCD2-4B12-B7E5-0656CD2346E3}D:\garena messenger\garenamessenger.exe" = protocol=17 | dir=in | app=d:\garena messenger\garenamessenger.exe |

"UDP Query User{2233428D-B57F-4ED6-9470-3095B1AC6ECD}D:\garena plus\room\garena_room.exe" = protocol=17 | dir=in | app=d:\garena plus\room\garena_room.exe |

"UDP Query User{33708BB5-2286-48A9-8D9E-C41F70850907}E:\grimlauncher1.5\grim fandango launcher.exe" = protocol=17 | dir=in | app=e:\grimlauncher1.5\grim fandango launcher.exe |

"UDP Query User{3A501273-288A-42AC-A9ED-9757CA8E4D0A}D:\utorrent.exe" = protocol=17 | dir=in | app=d:\utorrent.exe |

"UDP Query User{50D38B3C-36B5-4A0E-AFA7-D37F806C36A8}D:\garena plus\room\garena_room.exe" = protocol=17 | dir=in | app=d:\garena plus\room\garena_room.exe |

"UDP Query User{5779F626-45B6-4E55-BAA6-EEB82F5C75EB}D:\lolinstaller.exe" = protocol=17 | dir=in | app=d:\lolinstaller.exe |

"UDP Query User{619E8489-7068-44C6-8AD1-C0510B9E1C5B}D:\left 4 dead 2 v2.0.0.1 cracked\left4dead2.exe" = protocol=17 | dir=in | app=d:\left 4 dead 2 v2.0.0.1 cracked\left4dead2.exe |

"UDP Query User{65A0798E-6C8B-4F8F-9627-EB13FDD825A7}D:\fifa 12\fifa 12\game\fifa.exe" = protocol=17 | dir=in | app=d:\fifa 12\fifa 12\game\fifa.exe |

"UDP Query User{6FC3D863-77B8-439A-A7EB-63BBBD7984CC}D:\l4d2\left 4 dead 2\left4dead2.exe" = protocol=17 | dir=in | app=d:\l4d2\left 4 dead 2\left4dead2.exe |

"UDP Query User{755DCDA5-205B-472D-BFB6-E6EB7EF640BB}C:\program files (x86)\steam\steamapps\woahlzxh\team fortress 2\hl2.exe" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\woahlzxh\team fortress 2\hl2.exe |

"UDP Query User{81CE298B-A7C3-4B07-BDCF-DBEBED691DF0}C:\users\ee\downloads\lolinstaller.exe" = protocol=17 | dir=in | app=c:\users\ee\downloads\lolinstaller.exe |

"UDP Query User{87241116-7143-4FA5-8ECC-818D299269C0}D:\reckoning\kingdoms of amalur reckoning\reckoning.exe" = protocol=17 | dir=in | app=d:\reckoning\kingdoms of amalur reckoning\reckoning.exe |

"UDP Query User{8D959418-C5C7-4197-BB79-4650AEEE3C85}D:\diablo 2 with lord of destruction (v1.13c) (direct play)\diablo ii\game.exe" = protocol=17 | dir=in | app=d:\diablo 2 with lord of destruction (v1.13c) (direct play)\diablo ii\game.exe |

"UDP Query User{98A4D880-35E8-4B16-9437-F9AA8E1C66CE}D:\torchlight.ii-reloaded\torchlight ii\torchlight2.exe" = protocol=17 | dir=in | app=d:\torchlight.ii-reloaded\torchlight ii\torchlight2.exe |

"UDP Query User{9D6275ED-0516-4093-9BED-639EB2B9A514}C:\program files (x86)\garena messenger\garenamessenger.exe" = protocol=17 | dir=in | app=c:\program files (x86)\garena messenger\garenamessenger.exe |

"UDP Query User{A3E11DD9-A658-449A-BB23-C8304AFE4D1E}D:\omd2\orcs must die 2\build\release\orcsmustdie2.exe" = protocol=17 | dir=in | app=d:\omd2\orcs must die 2\build\release\orcsmustdie2.exe |

"UDP Query User{B3128373-E183-4EAA-A787-58DDAFBEBDE4}D:\sins of a solar empire\sins of a solar empire diplomacy ico\sins of a solar empire diplomacy.exe" = protocol=17 | dir=in | app=d:\sins of a solar empire\sins of a solar empire diplomacy ico\sins of a solar empire diplomacy.exe |

"UDP Query User{B6374CB1-DF20-4988-A68F-C524B3A9A772}D:\reckoning\kingdoms of amalur reckoning\reckoning.exe" = protocol=17 | dir=in | app=d:\reckoning\kingdoms of amalur reckoning\reckoning.exe |

"UDP Query User{B9794620-473D-45DD-A990-DCC1801A1EB6}E:\steam\steamapps\woahlzxh\team fortress 2\hl2.exe" = protocol=17 | dir=in | app=e:\steam\steamapps\woahlzxh\team fortress 2\hl2.exe |

"UDP Query User{C9C30463-9D9A-4DF3-A6C0-8E99C7165D5F}D:\unmechanical\binaries\win32\udk.exe" = protocol=17 | dir=in | app=d:\unmechanical\binaries\win32\udk.exe |

"UDP Query User{E47A236B-3A62-41D6-9DDC-EBB918C67715}D:\left 4 dead 2 v2.0.0.1 cracked\left4dead2.exe" = protocol=17 | dir=in | app=d:\left 4 dead 2 v2.0.0.1 cracked\left4dead2.exe |

"UDP Query User{F1482B1B-6430-4D46-AE29-09120B2C9BC0}D:\utorrent.exe" = protocol=17 | dir=in | app=d:\utorrent.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{027E5FAB-1476-4C59-AAB4-32EF28520399}" = Windows Live Language Selector

"{1493B2AE-0261-47D2-B1AA-F4DAD0F6C48B}" = iTunes

"{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant

"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219

"{1E9FC118-651D-4934-97BE-E53CAE5C7D45}" = Microsoft_VC80_MFCLOC_x86_x64

"{23170F69-40C1-2702-0920-000001000000}" = 7-Zip 9.20 (x64 edition)

"{4569AD91-47F4-4D9E-8FC9-717EC32D7AE1}" = Microsoft_VC80_CRT_x86_x64

"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour

"{7446FE8D-C1F9-4D42-AAAE-5DBCE58605A6}" = Apple Mobile Device Support

"{8338783A-0968-3B85-AFC7-BAAE0A63DC50}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570

"{8557397C-A42D-486F-97B3-A2CBC2372593}" = Microsoft_VC90_ATL_x86_x64

"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended

"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007

"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007

"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

"{90BF0360-A1DB-4599-A643-95AB90A52C1E}" = Microsoft_VC90_MFCLOC_x86_x64

"{925D058B-564A-443A-B4B2-7E90C6432E55}" = Microsoft_VC80_ATL_x86_x64

"{92A3CA0D-55CD-4C5D-BA95-5C2600C20F26}" = Microsoft_VC90_CRT_x86_x64

"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting

"{A472B9E4-0AFF-4F7B-B25D-F64F8E928AAB}" = Microsoft_VC90_MFC_x86_x64

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 285.62

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 285.62

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 260.99

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.5.20

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA HD Audio Driver 1.2.24.0

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components

"{C8C1BAD5-54E6-4146-AD07-3A8AD36569C3}" = Microsoft_VC80_MFC_x86_x64

"{E6C44758-FF49-47D1-8182-65E3818ACE23}" = AuthenTec TrueSuite

"{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148

"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86

"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam

"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86

"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer

"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86

"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1

"{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}" = Microsoft XNA Framework Redistributable 3.1

"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YTD YouTube Downloader & Converter 3.6

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions

"{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1" = Media Player Classic - Home Cinema 1.5.3.3898

"{26604C7E-A313-4D12-867F-7C6E7820BE4C}" = JMicron JMB38X Flash Media Controller

"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger

"{3521BDBD-D453-5D9F-AA55-44B75D214629}" = Adobe Community Help

"{3C36247E-5879-401C-B423-EB5D663B02D9}" = FMRTE

"{45410935-B52C-468A-A836-0D1000018201}" = BulletStorm

"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR

"{4D53090A-CE35-42BD-B377-831000018301}" = Fable III

"{4D53090A-CE35-42BD-B377-831000018302}" = Fable III

"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack

"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM

"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86

"{63EC2120-1742-4625-AA47-C6A8AEC9C64C}" = Apple Application Support

"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update

"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform

"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT

"{90120000-001B-0000-0000-0000000FF1CE}" = Microsoft Office Word 2007

"{90120000-001B-0000-0000-0000000FF1CE}_WORD_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_WORD_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_WORD_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_WORD_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_WORD_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-002A-0000-1000-0000000FF1CE}_WORD_{664655D8-B9BB-455D-8A58-7EAF7B0B2862}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-002A-0409-1000-0000000FF1CE}_WORD_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_WORD_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_WORD_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0116-0409-1000-0000000FF1CE}_WORD_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{9158FF30-78D7-40EF-B83E-451AC5334640}" = Adobe Photoshop CS5.1

"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{A77255C4-AFCB-44A3-BF0F-2091A71FFD9E}" = Acer Crystal Eye Webcam 2.0.8

"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common

"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.1

"{AC76BA86-7AD7-5760-0000-900000000003}" = Japanese Fonts Support For Adobe Reader 9

"{B6D38690-755E-4F40-A35A-23F8BC2B86AC}" = Microsoft_VC90_MFCLOC_x86

"{B8ABD8C7-991E-4A70-B5A3-20C6FC680680}" = LogMeIn Hamachi

"{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}" = NVIDIA PhysX

"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime

"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform

"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86

"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common

"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform

"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86

"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10

"{E0AF5EFE-5971-4A54-A69F-D2D95E9E5363}" = Halite

"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger

"{ED8DE18A-421A-46CE-884B-E913EB16AB49}" = calibre

"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials

"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin

"Adobe Shockwave Player" = Adobe Shockwave Player 11.6

"CCleaner" = CCleaner

"CDisplayEx_is1" = CDisplayEx 1.8

"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help

"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2011-11-11

"DAEMON Tools Lite" = DAEMON Tools Lite

"ESET Online Scanner" = ESET Online Scanner v3

"foobar2000" = foobar2000 v1.1.10

"lavfilters_is1" = LAV Filters 0.42

"LogMeIn Hamachi" = LogMeIn Hamachi

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000

"Marvell Miniport Driver" = Marvell Miniport Driver

"Messenger Plus!" = Messenger Plus! 5

"Picasa 3" = Picasa 3

"Sine Mora_is1" = Sine Mora

"Steam App 570" = Dota 2

"Torchlight II © Runic Games_is1" = Torchlight II © Runic Games version 1

"WinLiveSuite" = Windows Live Essentials

"WORD" = Microsoft Office Word 2007

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]

Error - 11/5/2011 9:21:50 AM | Computer Name = ee-PC | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: Continuously busy for more than a second

Error - 11/5/2011 9:21:50 AM | Computer Name = ee-PC | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: m->NextScheduledEvent 12121

Error - 11/5/2011 9:21:50 AM | Computer Name = ee-PC | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: m->NextScheduledSPRetry 12121

Error - 11/5/2011 9:21:47 AM | Computer Name = ee-PC | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: Continuously busy for more than a second

Error - 11/5/2011 9:21:47 AM | Computer Name = ee-PC | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: m->NextScheduledEvent 13213

Error - 11/5/2011 9:21:47 AM | Computer Name = ee-PC | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: m->NextScheduledSPRetry 13213

Error - 11/5/2011 10:07:16 AM | Computer Name = ee-PC | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: Continuously busy for more than a second

Error - 11/5/2011 10:07:16 AM | Computer Name = ee-PC | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: m->NextScheduledEvent 2741670

Error - 11/5/2011 10:07:16 AM | Computer Name = ee-PC | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: m->NextScheduledSPRetry 2741670

Error - 11/5/2011 12:30:39 PM | Computer Name = ee-PC | Source = SideBySide | ID = 16842815

Description = Activation context generation failed for "d:\spybot - search & destroy\DelZip179.dll". Error in manifest or policy file "d:\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

[ System Events ]

Error - 11/12/2012 10:50:12 AM | Computer Name = ee-PC | Source = Service Control Manager | ID = 7000

Description = The sbapifs service failed to start due to the following error: %%2

Error - 11/12/2012 10:50:33 AM | Computer Name = ee-PC | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

SBRE

Error - 11/12/2012 10:51:42 AM | Computer Name = ee-PC | Source = Service Control Manager | ID = 7005

Description = The LoadUserProfile call failed with the following error: %%3

Error - 11/12/2012 1:48:27 PM | Computer Name = ee-PC | Source = EventLog | ID = 6008

Description = The previous system shutdown at 1:46:47 AM on ?11/?13/?2012 was unexpected.

Error - 11/12/2012 1:48:27 PM | Computer Name = ee-PC | Source = Service Control Manager | ID = 7000

Description = The sbapifs service failed to start due to the following error: %%2

Error - 11/12/2012 1:48:50 PM | Computer Name = ee-PC | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

SBRE

Error - 11/12/2012 1:49:59 PM | Computer Name = ee-PC | Source = Service Control Manager | ID = 7005

Description = The LoadUserProfile call failed with the following error: %%3

Error - 11/12/2012 7:22:59 PM | Computer Name = ee-PC | Source = Service Control Manager | ID = 7000

Description = The sbapifs service failed to start due to the following error: %%2

Error - 11/12/2012 7:23:16 PM | Computer Name = ee-PC | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

SBRE

Error - 11/12/2012 7:24:02 PM | Computer Name = ee-PC | Source = Service Control Manager | ID = 7005

Description = The LoadUserProfile call failed with the following error: %%3

< End of report >

--------------------------

# AdwCleaner v2.007 - Logfile created 11/13/2012 at 23:03:07

# Updated 06/11/2012 by Xplode

# Operating system : Windows 7 Professional (64 bits)

# User : ee - EE-PC

# Boot Mode : Normal

# Running from : C:\Users\ee\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

Folder Found : C:\Users\ee\AppData\LocalLow\Conduit

Folder Found : C:\Users\ee\AppData\LocalLow\MessengerPlusLive_TB

Folder Found : C:\Users\ee\AppData\LocalLow\PriceGong

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Conduit

Key Found : HKCU\Software\AppDataLow\Software\MessengerPlusLive_TB

Key Found : HKCU\Software\AppDataLow\Software\PriceGong

Key Found : HKCU\Software\AppDataLow\Toolbar

Key Found : HKLM\SOFTWARE\Classes\Prod.cap

Key Found : HKLM\Software\Conduit

Key Found : HKLM\Software\MessengerPlusLive_TB

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{54A1A003-0A7A-496B-9A27-2ABC4D044623}

Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{D8FB4583-DB9D-4C7B-85BE-294C13A3E5C4}]

Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D8FB4583-DB9D-4C7B-85BE-294C13A3E5C4}]

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v23.0.1271.64

File : C:\Users\ee\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1503 octets] - [13/11/2012 23:03:07]

########## EOF - C:\AdwCleaner[R1].txt - [1563 octets] ##########


Good afternoon horimiya,

A question: is there any private information in all these logs I posted that I should be aware of?

The logs will display the file paths for any files, and will also at times show your user's name. Other than that no private information will be shown.

=====

I see that you have the MessengerPlusToolbar installed. It has been known to exhibit suspicious behaviour and for this reason I recommend removing it. You can find more information here.

Please go to Start>Control Panel>Programs and Features>Programs and uninstall the following (if present):

  • MessengerPlusToolbar

Please restart your computer after this program removal.

=====

Next, please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :OTL
    IE - HKCU\..\SearchScopes\{2B777B68-9A82-4DA6-800B-882955F1F07F}: "URL" = http://www.baidu.com...d={searchTerms}
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
    O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
    [2012/11/08 18:52:53 | 000,000,448 | ---- | M] () -- C:\Windows\SysNative\drivers\kgpcpy.cfg
    [2012/11/03 19:53:36 | 000,001,738 | ---- | M] () -- C:\Users\ee\AppData\Local\iwmvwspbz1m.crx
    :Commands
    [EmptyTemp]
  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

=====

I notice some odd files in your logs. Do you recognise these:

C:\Users\ee\ibdb3QC8lsFRNj.gif

C:\Users\ee\s2lVu.jpg

C:\Users\ee\tuzX2.jpg

C:\Users\ee\EVZKj.jpg

=====

  • Finally, please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

=====

In your reply please provide the following:

  • OTL fix log.
  • AdwCleaner[s1].txt.
  • Info on those files.

Are the redirects still present?

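A read-only PowerShell audit of the persistence points this fix touches (IE search scopes, IE policy keys, ZoneMap trusted ranges, stray .crx files in AppData\Local, and the AppInit_DLLs value that the anti-rootkit prompt later in the thread mentions). This is an added example, not part of the thread and not OTL's own code; it assumes PowerShell 3.0 or later and the default profile layout, and it only reports, never deletes.

```powershell
# Read-only audit of the persistence points the OTL fix above touched.
# Added example, not from the thread or from OTL. Assumes PowerShell 3.0+
# and default profile paths; nothing here modifies the system.

function Get-RedirectArtifact {
    [CmdletBinding()]
    param()

    # 1. IE search scopes. The fix removed a HKCU SearchScopes entry whose URL
    #    pointed at baidu.com; list every scope so a foreign provider stands out.
    $scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    if (Test-Path $scopes) {
        $default = (Get-ItemProperty $scopes -ErrorAction SilentlyContinue).DefaultScope
        foreach ($k in Get-ChildItem $scopes) {
            $p = Get-ItemProperty $k.PSPath
            [pscustomobject]@{
                Check = 'IE SearchScope'
                Item  = $k.PSChildName + $(if ($k.PSChildName -eq $default) { ' (default)' })
                Value = $p.URL
            }
        }
    }

    # 2. IE policy keys. The fix deleted "control panel" and "restrictions"
    #    under both HKLM and HKCU Policies; on a home PC with no domain policy,
    #    any value here deserves a look.
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Restrictions', 'Control Panel') {
            $key = "${hive}:\Software\Policies\Microsoft\Internet Explorer\$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($v in (Get-ItemProperty $key).PSObject.Properties) {
                if ($v.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
                [pscustomobject]@{ Check = 'IE policy'; Item = "$key\$($v.Name)"; Value = $v.Value }
            }
        }
    }

    # 3. ZoneMap ranges. The fix removed Ranges\GD\http, a host range placed in
    #    zone 1 (Local intranet), which relaxes browser security for that host.
    $ranges = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges'
    if (Test-Path $ranges) {
        foreach ($k in Get-ChildItem $ranges) {
            $p = Get-ItemProperty $k.PSPath
            foreach ($proto in 'http', 'https', '*') {
                if ($null -ne $p.$proto) {
                    [pscustomobject]@{
                        Check = 'ZoneMap range'
                        Item  = "$($k.PSChildName) ${proto}://$($p.':Range')"
                        Value = "zone $($p.$proto)"
                    }
                }
            }
        }
    }

    # 4. Chrome extension packages (.crx) dropped directly into AppData\Local,
    #    where no installer places them; the fix moved one such file from there.
    foreach ($f in Get-ChildItem $env:LOCALAPPDATA -Filter *.crx -ErrorAction SilentlyContinue) {
        if ($f.PSIsContainer) { continue }
        [pscustomobject]@{ Check = 'Stray .crx'; Item = $f.FullName; Value = $f.LastWriteTime }
    }

    # 5. AppInit_DLLs, the value the MBAR prompt later in the thread refers to.
    #    Anything listed here is loaded into every process that links user32.dll,
    #    so on a clean home PC the value is normally empty.
    $ai = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
          'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($key in $ai) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty $key
        [pscustomobject]@{
            Check = 'AppInit_DLLs'
            Item  = $key
            Value = "'$($p.AppInit_DLLs)' LoadAppInit_DLLs=$($p.LoadAppInit_DLLs)"
        }
    }
}

Get-RedirectArtifact | Format-Table -AutoSize -Wrap
```

Run it before and after a fix to confirm the entries are gone; an unexpected search URL, a populated AppInit_DLLs value, or a Ranges entry you did not create is what to follow up on.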

Good afternoon TheDarkKnight,

While I was reading your instructions and advice, techno music started playing. No other browser was open; this was the only tab open. I was not running any music programs either. It was only after I closed this sole window that it stopped.

Tool bar removed.

Oh, those are cropped pictures from the Guardian newspaper website, and the GIF was from Reddit.

After opening a few tabs, there have been no redirects.

Here are the OTL fix and AdwCleaner logs:

All processes killed

========== OTL ==========

Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2B777B68-9A82-4DA6-800B-882955F1F07F}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B777B68-9A82-4DA6-800B-882955F1F07F}\ not found.

Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\restrictions\ deleted successfully.

Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\control panel\ deleted successfully.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http deleted successfully.

C:\Windows\SysNative\drivers\kgpcpy.cfg moved successfully.

C:\Users\ee\AppData\Local\iwmvwspbz1m.crx moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User

User: ee

->Temp folder emptied: 1797476 bytes

->Temporary Internet Files folder emptied: 35894465 bytes

->Java cache emptied: 54460 bytes

->Google Chrome cache emptied: 241774336 bytes

->Apple Safari cache emptied: 0 bytes

->Flash cache emptied: 2711 bytes

User: Public

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 602112 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 531263 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes

RecycleBin emptied: 1814312 bytes

Total Files Cleaned = 269.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 11142012_172130

Files\Folders moved on Reboot...

C:\Users\ee\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

---------------

# AdwCleaner v2.007 - Logfile created 11/14/2012 at 17:27:02

# Updated 06/11/2012 by Xplode

# Operating system : Windows 7 Professional (64 bits)

# User : ee - EE-PC

# Boot Mode : Normal

# Running from : C:\Users\ee\Desktop\logs\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v23.0.1271.64

File : C:\Users\ee\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1632 octets] - [13/11/2012 23:03:07]

AdwCleaner[R2].txt - [1697 octets] - [13/11/2012 23:08:09]

AdwCleaner[R3].txt - [1757 octets] - [13/11/2012 23:08:21]

AdwCleaner[s1].txt - [1843 octets] - [13/11/2012 23:13:15]

AdwCleaner[s2].txt - [875 octets] - [14/11/2012 17:27:02]

########## EOF - C:\AdwCleaner[s2].txt - [934 octets] ##########


Evening horimiya,

While I was reading your instructions and advice, techno music started playing. No other browser was open; this was the only tab open. I was not running any music programs either. It was only after I closed this sole window that it stopped.

Hmm that sounds a little fishy.

Please download Malwarebytes Anti-Rootkit here.

  • Unzip the contents to a folder on the Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe (right-click and select Run as administrator for Vista and Windows 7).
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Please post the two logs produced.

Please note: This tool is still in BETA mode, so please ensure you have backed up any important files.


Good evening TheDarkKnight,

When I ran the mbar.exe this message appeared: Registry value "AppInit_Dlls" has been found which may be caused by rootkit activity.

Note: press NO button if you're not sure. If the tool crashes or terminates unexpectedly during a system scan, restart the tool and press YES should this message appear again.

I clicked No and the scan ran smoothly. Here are the logs:

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED

CPU speed: 2.394000 GHz

Memory total: 3215839232, free: 1950830592

------------ Kernel report ------------

11/14/2012 20:26:44

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\DRIVERS\ACPI.sys

\SystemRoot\system32\DRIVERS\WMILIB.SYS

\SystemRoot\system32\DRIVERS\msisadrv.sys

\SystemRoot\system32\DRIVERS\vdrvroot.sys

\SystemRoot\system32\DRIVERS\pci.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\DRIVERS\compbatt.sys

\SystemRoot\system32\DRIVERS\BATTC.SYS

\SystemRoot\system32\DRIVERS\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\DRIVERS\atapi.sys

\SystemRoot\system32\DRIVERS\ataport.SYS

\SystemRoot\system32\DRIVERS\msahci.sys

\SystemRoot\system32\DRIVERS\PCIIDEX.SYS

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\DRIVERS\vmstorfl.sys

\SystemRoot\system32\DRIVERS\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\DRIVERS\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\dtsoftbus01.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\ws2ifsl.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\yk62x64.sys

\SystemRoot\system32\DRIVERS\netw5v64.sys

\SystemRoot\system32\DRIVERS\CmBatt.sys

\SystemRoot\system32\DRIVERS\i8042prt.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\wmiacpi.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\hamachi.sys

\SystemRoot\system32\DRIVERS\rdpbus.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\HdAudio.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\system32\DRIVERS\agrsm64.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\drivers\modem.sys

\SystemRoot\system32\drivers\nvhda64v.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_msahci.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\Drivers\ATSwpWDF.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\System32\Drivers\usbvideo.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

\Windows\System32\imagehlp.dll

\Windows\System32\user32.dll

\Windows\System32\imm32.dll

\Windows\System32\difxapi.dll

\Windows\System32\lpk.dll

\Windows\System32\sechost.dll

\Windows\System32\ws2_32.dll

\Windows\System32\msvcrt.dll

\Windows\System32\urlmon.dll

\Windows\System32\Wldap32.dll

\Windows\System32\shell32.dll

\Windows\System32\ole32.dll

\Windows\System32\comdlg32.dll

\Windows\System32\msctf.dll

\Windows\System32\kernel32.dll

\Windows\System32\nsi.dll

\Windows\System32\rpcrt4.dll

\Windows\System32\iertutil.dll

\Windows\System32\clbcatq.dll

\Windows\System32\shlwapi.dll

\Windows\System32\psapi.dll

\Windows\System32\oleaut32.dll

\Windows\System32\normaliz.dll

\Windows\System32\wininet.dll

\Windows\System32\advapi32.dll

\Windows\System32\usp10.dll

\Windows\System32\gdi32.dll

\Windows\System32\setupapi.dll

\Windows\System32\crypt32.dll

\Windows\System32\cfgmgr32.dll

\Windows\System32\devobj.dll

\Windows\System32\wintrust.dll

\Windows\System32\KernelBase.dll

\Windows\System32\comctl32.dll

\Windows\System32\msasn1.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa8003410170

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\

Lower Device Object: 0xfffffa8002f1d060

Lower Device Driver Name: \Driver\atapi\

Driver name found: atapi

DriverEntry returned 0x0

Function returned 0x0

Downloaded database version: v2012.11.14.02

Downloaded database version: v2012.11.12.01

=======================================

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.01.0.1009

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED

CPU speed: 2.394000 GHz

Memory total: 3215839232, free: 1987518464

------------ Kernel report ------------

11/14/2012 20:27:17

------------ Loaded modules -----------

\SystemRoot\system32\ntoskrnl.exe

\SystemRoot\system32\hal.dll

\SystemRoot\system32\kdcom.dll

\SystemRoot\system32\mcupdate_GenuineIntel.dll

\SystemRoot\system32\PSHED.dll

\SystemRoot\system32\CLFS.SYS

\SystemRoot\system32\CI.dll

\SystemRoot\system32\drivers\Wdf01000.sys

\SystemRoot\system32\drivers\WDFLDR.SYS

\SystemRoot\system32\DRIVERS\ACPI.sys

\SystemRoot\system32\DRIVERS\WMILIB.SYS

\SystemRoot\system32\DRIVERS\msisadrv.sys

\SystemRoot\system32\DRIVERS\vdrvroot.sys

\SystemRoot\system32\DRIVERS\pci.sys

\SystemRoot\System32\drivers\partmgr.sys

\SystemRoot\system32\DRIVERS\compbatt.sys

\SystemRoot\system32\DRIVERS\BATTC.SYS

\SystemRoot\system32\DRIVERS\volmgr.sys

\SystemRoot\System32\drivers\volmgrx.sys

\SystemRoot\System32\drivers\mountmgr.sys

\SystemRoot\system32\DRIVERS\atapi.sys

\SystemRoot\system32\DRIVERS\ataport.SYS

\SystemRoot\system32\DRIVERS\msahci.sys

\SystemRoot\system32\DRIVERS\PCIIDEX.SYS

\SystemRoot\system32\drivers\amdxata.sys

\SystemRoot\system32\drivers\fltmgr.sys

\SystemRoot\system32\drivers\fileinfo.sys

\SystemRoot\System32\Drivers\Ntfs.sys

\SystemRoot\System32\Drivers\msrpc.sys

\SystemRoot\System32\Drivers\ksecdd.sys

\SystemRoot\System32\Drivers\cng.sys

\SystemRoot\System32\drivers\pcw.sys

\SystemRoot\System32\Drivers\Fs_Rec.sys

\SystemRoot\system32\drivers\ndis.sys

\SystemRoot\system32\drivers\NETIO.SYS

\SystemRoot\System32\Drivers\ksecpkg.sys

\SystemRoot\System32\drivers\tcpip.sys

\SystemRoot\System32\drivers\fwpkclnt.sys

\SystemRoot\system32\DRIVERS\vmstorfl.sys

\SystemRoot\system32\DRIVERS\volsnap.sys

\SystemRoot\System32\Drivers\spldr.sys

\SystemRoot\System32\drivers\rdyboost.sys

\SystemRoot\System32\Drivers\mup.sys

\SystemRoot\System32\drivers\hwpolicy.sys

\SystemRoot\System32\DRIVERS\fvevol.sys

\SystemRoot\system32\DRIVERS\disk.sys

\SystemRoot\system32\DRIVERS\CLASSPNP.SYS

\SystemRoot\system32\DRIVERS\dtsoftbus01.sys

\SystemRoot\system32\DRIVERS\cdrom.sys

\SystemRoot\System32\Drivers\Null.SYS

\SystemRoot\System32\Drivers\Beep.SYS

\SystemRoot\System32\drivers\vga.sys

\SystemRoot\System32\drivers\VIDEOPRT.SYS

\SystemRoot\System32\drivers\watchdog.sys

\SystemRoot\System32\DRIVERS\RDPCDD.sys

\SystemRoot\system32\drivers\rdpencdd.sys

\SystemRoot\system32\drivers\rdprefmp.sys

\SystemRoot\System32\Drivers\Msfs.SYS

\SystemRoot\System32\Drivers\Npfs.SYS

\SystemRoot\system32\DRIVERS\tdx.sys

\SystemRoot\system32\DRIVERS\TDI.SYS

\SystemRoot\system32\drivers\afd.sys

\SystemRoot\System32\DRIVERS\netbt.sys

\SystemRoot\system32\drivers\ws2ifsl.sys

\SystemRoot\system32\DRIVERS\wfplwf.sys

\SystemRoot\system32\DRIVERS\pacer.sys

\SystemRoot\system32\DRIVERS\netbios.sys

\SystemRoot\system32\DRIVERS\wanarp.sys

\SystemRoot\system32\DRIVERS\termdd.sys

\SystemRoot\system32\DRIVERS\rdbss.sys

\SystemRoot\system32\drivers\nsiproxy.sys

\SystemRoot\system32\DRIVERS\mssmbios.sys

\SystemRoot\System32\drivers\discache.sys

\SystemRoot\system32\drivers\csc.sys

\SystemRoot\System32\Drivers\dfsc.sys

\SystemRoot\system32\DRIVERS\blbdrive.sys

\SystemRoot\system32\DRIVERS\tunnel.sys

\SystemRoot\system32\DRIVERS\nvlddmkm.sys

\SystemRoot\System32\drivers\dxgkrnl.sys

\SystemRoot\System32\drivers\dxgmms1.sys

\SystemRoot\system32\DRIVERS\usbuhci.sys

\SystemRoot\system32\DRIVERS\USBPORT.SYS

\SystemRoot\system32\DRIVERS\usbehci.sys

\SystemRoot\system32\DRIVERS\HDAudBus.sys

\SystemRoot\system32\DRIVERS\yk62x64.sys

\SystemRoot\system32\DRIVERS\netw5v64.sys

\SystemRoot\system32\DRIVERS\CmBatt.sys

\SystemRoot\system32\DRIVERS\i8042prt.sys

\SystemRoot\system32\DRIVERS\kbdclass.sys

\SystemRoot\system32\DRIVERS\mouclass.sys

\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

\SystemRoot\system32\DRIVERS\wmiacpi.sys

\SystemRoot\system32\DRIVERS\intelppm.sys

\SystemRoot\system32\DRIVERS\CompositeBus.sys

\SystemRoot\system32\DRIVERS\AgileVpn.sys

\SystemRoot\system32\DRIVERS\rasl2tp.sys

\SystemRoot\system32\DRIVERS\ndistapi.sys

\SystemRoot\system32\DRIVERS\ndiswan.sys

\SystemRoot\system32\DRIVERS\raspppoe.sys

\SystemRoot\system32\DRIVERS\raspptp.sys

\SystemRoot\system32\DRIVERS\rassstp.sys

\SystemRoot\system32\DRIVERS\hamachi.sys

\SystemRoot\system32\DRIVERS\rdpbus.sys

\SystemRoot\system32\DRIVERS\swenum.sys

\SystemRoot\system32\DRIVERS\ks.sys

\SystemRoot\system32\DRIVERS\umbus.sys

\SystemRoot\system32\DRIVERS\usbhub.sys

\SystemRoot\System32\Drivers\NDProxy.SYS

\SystemRoot\system32\drivers\HdAudio.sys

\SystemRoot\system32\drivers\portcls.sys

\SystemRoot\system32\drivers\drmk.sys

\SystemRoot\system32\drivers\ksthunk.sys

\SystemRoot\system32\DRIVERS\agrsm64.sys

\SystemRoot\system32\DRIVERS\USBD.SYS

\SystemRoot\system32\drivers\modem.sys

\SystemRoot\system32\drivers\nvhda64v.sys

\SystemRoot\System32\Drivers\crashdmp.sys

\SystemRoot\System32\Drivers\dump_dumpata.sys

\SystemRoot\System32\Drivers\dump_msahci.sys

\SystemRoot\System32\Drivers\dump_dumpfve.sys

\SystemRoot\System32\win32k.sys

\SystemRoot\System32\drivers\Dxapi.sys

\SystemRoot\System32\Drivers\ATSwpWDF.sys

\SystemRoot\system32\DRIVERS\usbccgp.sys

\SystemRoot\System32\Drivers\usbvideo.sys

\SystemRoot\system32\DRIVERS\hidusb.sys

\SystemRoot\system32\DRIVERS\HIDCLASS.SYS

\SystemRoot\system32\DRIVERS\HIDPARSE.SYS

\SystemRoot\system32\DRIVERS\mouhid.sys

\SystemRoot\system32\DRIVERS\kbdhid.sys

\SystemRoot\system32\DRIVERS\monitor.sys

\SystemRoot\System32\TSDDD.dll

\SystemRoot\System32\cdd.dll

\SystemRoot\System32\ATMFD.DLL

\SystemRoot\system32\drivers\luafv.sys

\SystemRoot\system32\drivers\WudfPf.sys

\SystemRoot\system32\DRIVERS\lltdio.sys

\SystemRoot\system32\DRIVERS\nwifi.sys

\SystemRoot\system32\DRIVERS\ndisuio.sys

\SystemRoot\system32\DRIVERS\rspndr.sys

\SystemRoot\system32\drivers\HTTP.sys

\SystemRoot\system32\DRIVERS\bowser.sys

\SystemRoot\System32\drivers\mpsdrv.sys

\SystemRoot\system32\DRIVERS\mrxsmb.sys

\SystemRoot\system32\DRIVERS\mrxsmb10.sys

\SystemRoot\system32\DRIVERS\mrxsmb20.sys

\SystemRoot\system32\drivers\peauth.sys

\SystemRoot\System32\Drivers\secdrv.SYS

\SystemRoot\System32\DRIVERS\srvnet.sys

\SystemRoot\System32\drivers\tcpipreg.sys

\SystemRoot\System32\DRIVERS\srv2.sys

\SystemRoot\System32\DRIVERS\srv.sys

\??\C:\Windows\system32\drivers\mbamchameleon.sys

\??\C:\Windows\system32\drivers\mbamswissarmy.sys

\Windows\System32\ntdll.dll

\Windows\System32\smss.exe

\Windows\System32\apisetschema.dll

\Windows\System32\autochk.exe

\Windows\System32\imagehlp.dll

\Windows\System32\user32.dll

\Windows\System32\imm32.dll

\Windows\System32\difxapi.dll

\Windows\System32\lpk.dll

\Windows\System32\sechost.dll

\Windows\System32\ws2_32.dll

\Windows\System32\msvcrt.dll

\Windows\System32\urlmon.dll

\Windows\System32\Wldap32.dll

\Windows\System32\shell32.dll

\Windows\System32\ole32.dll

\Windows\System32\comdlg32.dll

\Windows\System32\msctf.dll

\Windows\System32\kernel32.dll

\Windows\System32\nsi.dll

\Windows\System32\rpcrt4.dll

\Windows\System32\iertutil.dll

\Windows\System32\clbcatq.dll

\Windows\System32\shlwapi.dll

\Windows\System32\psapi.dll

\Windows\System32\oleaut32.dll

\Windows\System32\normaliz.dll

\Windows\System32\wininet.dll

\Windows\System32\advapi32.dll

\Windows\System32\usp10.dll

\Windows\System32\gdi32.dll

\Windows\System32\setupapi.dll

\Windows\System32\crypt32.dll

\Windows\System32\cfgmgr32.dll

\Windows\System32\devobj.dll

\Windows\System32\wintrust.dll

\Windows\System32\KernelBase.dll

\Windows\System32\comctl32.dll

\Windows\System32\msasn1.dll

----------- End -----------

<<<1>>>

Upper Device Name: \Device\Harddisk0\DR0

Upper Device Object: 0xfffffa8003410170

Upper Device Driver Name: \Driver\Disk\

Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\

Lower Device Object: 0xfffffa8002f1d060

Lower Device Driver Name: \Driver\atapi\

Device already Exists: 0xfffffa80037fb1f0

Initializing...

Done!

Scanning directory: C:\Windows\system32\drivers...

<<<2>>>

Device number: 0, partition: 1

Physical Sector Size: 512

Drive: 0, DevicePointer: 0xfffffa8003410170, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

--------- Disk Stack ------

DevicePointer: 0xfffffa8003411b90, DeviceName: Unknown, DriverName: \Driver\partmgr\

DevicePointer: 0xfffffa8003410170, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\

DevicePointer: 0xfffffa8002f1d060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\

------------ End ----------

Upper DeviceData: 0xfffff8a00a447f50, 0xfffffa8003410170, 0xfffffa8002d7d360

Lower DeviceData: 0xfffff8a0099c6050, 0xfffffa8002f1d060, 0xfffffa80037fb1f0

<<<3>>>

Volume: C:

File system type: NTFS

SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: ADB8E06B

Partition information:

Partition 0 type is Primary (0x7)

Partition is ACTIVE.

Partition starts at LBA: 63 Numsec = 125837082

Partition file system is NTFS

Partition is bootable

Partition 1 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 125837145 Numsec = 230693400

Partition 2 type is Primary (0x7)

Partition is NOT ACTIVE.

Partition starts at LBA: 356530545 Numsec = 268606800

Partition 3 type is Empty (0x0)

Partition is NOT ACTIVE.

Partition starts at LBA: 0 Numsec = 0

Disk Size: 320072933376 bytes

Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-625122448-625142448)...

Done!

Performing system, memory and registry scan...

Done!

Scan finished

=======================================

Malwarebytes Anti-Rootkit 1.1.0.1009

www.malwarebytes.org

Database version: v2012.11.14.02

Windows 7 x64 NTFS

Internet Explorer 9.0.8112.16421

ee :: EE-PC [administrator]

11/14/2012 8:37:21 PM

mbar-log-2012-11-14 (20-37-21).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: PUP | PUM | P2P

Objects scanned: 24701

Time elapsed: 9 minute(s), 44 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Hey horimiya,

MBAM didn't find anything.

Please download MBRCheck by a_d_13 to your Desktop from one of these locations:

http://ad13.geekstogo.com/MBRCheck.exe

http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

http://www.kernelmode.info/MBRCheck.exe

Close all opened programs/ windows and double-click on MBRCheck.exe.

It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".

Press the "Enter" key to close the MBRCheck window and post the contents of the log file.


Hello TheDarkKnight,

The MBRCheck log:

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows 7 Professional

Windows Information: (build 7600), 64-bit

Base Board Manufacturer: Acer

BIOS Manufacturer: Phoenix Technologies LTD

System Manufacturer: Acer

System Product Name: Aspire 5930

Logical Drives Mask: 0x0000007c

Kernel Drivers (total 191):

0x02C50000 \SystemRoot\system32\ntoskrnl.exe

0x02C07000 \SystemRoot\system32\hal.dll

0x00BCE000 \SystemRoot\system32\kdcom.dll

0x00C35000 \SystemRoot\system32\mcupdate_GenuineIntel.dll

0x00C79000 \SystemRoot\system32\PSHED.dll

0x00C8D000 \SystemRoot\system32\CLFS.SYS

0x00CEB000 \SystemRoot\system32\CI.dll

0x00E2A000 \SystemRoot\system32\drivers\Wdf01000.sys

0x00ECE000 \SystemRoot\system32\drivers\WDFLDR.SYS

0x00EDD000 \SystemRoot\system32\DRIVERS\ACPI.sys

0x00F34000 \SystemRoot\system32\DRIVERS\WMILIB.SYS

0x00F3D000 \SystemRoot\system32\DRIVERS\msisadrv.sys

0x00F47000 \SystemRoot\system32\DRIVERS\vdrvroot.sys

0x00F54000 \SystemRoot\system32\DRIVERS\pci.sys

0x00F87000 \SystemRoot\System32\drivers\partmgr.sys

0x00F9C000 \SystemRoot\system32\DRIVERS\compbatt.sys

0x00FA5000 \SystemRoot\system32\DRIVERS\BATTC.SYS

0x00FB1000 \SystemRoot\system32\DRIVERS\volmgr.sys

0x01028000 \SystemRoot\System32\drivers\volmgrx.sys

0x01084000 \SystemRoot\System32\drivers\mountmgr.sys

0x0109E000 \SystemRoot\system32\DRIVERS\atapi.sys

0x010A7000 \SystemRoot\system32\DRIVERS\ataport.SYS

0x010D1000 \SystemRoot\system32\DRIVERS\msahci.sys

0x010DC000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS

0x010EC000 \SystemRoot\system32\drivers\amdxata.sys

0x010F7000 \SystemRoot\system32\drivers\fltmgr.sys

0x01143000 \SystemRoot\system32\drivers\fileinfo.sys

0x01206000 \SystemRoot\System32\Drivers\Ntfs.sys

0x01157000 \SystemRoot\System32\Drivers\msrpc.sys

0x013A8000 \SystemRoot\System32\Drivers\ksecdd.sys

0x01444000 \SystemRoot\System32\Drivers\cng.sys

0x014B6000 \SystemRoot\System32\drivers\pcw.sys

0x014C7000 \SystemRoot\System32\Drivers\Fs_Rec.sys

0x014D1000 \SystemRoot\system32\drivers\ndis.sys

0x016EC000 \SystemRoot\system32\drivers\NETIO.SYS

0x0174C000 \SystemRoot\System32\Drivers\ksecpkg.sys

0x01800000 \SystemRoot\System32\drivers\tcpip.sys

0x01777000 \SystemRoot\System32\drivers\fwpkclnt.sys

0x017C1000 \SystemRoot\system32\DRIVERS\vmstorfl.sys

0x01600000 \SystemRoot\system32\DRIVERS\volsnap.sys

0x0164C000 \SystemRoot\System32\Drivers\spldr.sys

0x01654000 \SystemRoot\System32\drivers\rdyboost.sys

0x0168E000 \SystemRoot\System32\Drivers\mup.sys

0x016A0000 \SystemRoot\System32\drivers\hwpolicy.sys

0x016A9000 \SystemRoot\System32\DRIVERS\fvevol.sys

0x017D1000 \SystemRoot\system32\DRIVERS\disk.sys

0x015C3000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS

0x011B5000 \SystemRoot\system32\DRIVERS\dtsoftbus01.sys

0x01413000 \SystemRoot\system32\DRIVERS\cdrom.sys

0x016E3000 \SystemRoot\System32\Drivers\Null.SYS

0x0143D000 \SystemRoot\System32\Drivers\Beep.SYS

0x013C2000 \SystemRoot\System32\drivers\vga.sys

0x013D0000 \SystemRoot\System32\drivers\VIDEOPRT.SYS

0x01000000 \SystemRoot\System32\drivers\watchdog.sys

0x013F5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0x01010000 \SystemRoot\system32\drivers\rdpencdd.sys

0x01019000 \SystemRoot\system32\drivers\rdprefmp.sys

0x00FC6000 \SystemRoot\System32\Drivers\Msfs.SYS

0x00FD1000 \SystemRoot\System32\Drivers\Npfs.SYS

0x00FE2000 \SystemRoot\system32\DRIVERS\tdx.sys

0x00E00000 \SystemRoot\system32\DRIVERS\TDI.SYS

0x02C14000 \SystemRoot\system32\drivers\afd.sys

0x02C9D000 \SystemRoot\System32\DRIVERS\netbt.sys

0x02CE2000 \SystemRoot\system32\drivers\ws2ifsl.sys

0x02CED000 \SystemRoot\system32\DRIVERS\wfplwf.sys

0x02CF6000 \SystemRoot\system32\DRIVERS\pacer.sys

0x02D1C000 \SystemRoot\system32\DRIVERS\netbios.sys

0x02D2B000 \SystemRoot\system32\DRIVERS\wanarp.sys

0x02D46000 \SystemRoot\system32\DRIVERS\termdd.sys

0x02D5A000 \SystemRoot\system32\DRIVERS\rdbss.sys

0x02DAB000 \SystemRoot\system32\drivers\nsiproxy.sys

0x02DB7000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0x02DC2000 \SystemRoot\System32\drivers\discache.sys

0x066BA000 \SystemRoot\system32\drivers\csc.sys

0x0673D000 \SystemRoot\System32\Drivers\dfsc.sys

0x0675B000 \SystemRoot\system32\DRIVERS\blbdrive.sys

0x0676C000 \SystemRoot\system32\DRIVERS\tunnel.sys

0x0F090000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys

0x0FD07000 \SystemRoot\System32\drivers\dxgkrnl.sys

0x0F000000 \SystemRoot\System32\drivers\dxgmms1.sys

0x0F046000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0x06792000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0x0F053000 \SystemRoot\system32\DRIVERS\usbehci.sys

0x0F064000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0x06600000 \SystemRoot\system32\DRIVERS\yk62x64.sys

0x0689E000 \SystemRoot\system32\DRIVERS\netw5v64.sys

0x06DD9000 \SystemRoot\system32\DRIVERS\CmBatt.sys

0x06DDE000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0x06800000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0x0680F000 \SystemRoot\system32\DRIVERS\mouclass.sys

0x0681E000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

0x06825000 \SystemRoot\system32\DRIVERS\wmiacpi.sys

0x0682E000 \SystemRoot\system32\DRIVERS\intelppm.sys

0x06844000 \SystemRoot\system32\DRIVERS\CompositeBus.sys

0x06854000 \SystemRoot\system32\DRIVERS\AgileVpn.sys

0x0686A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0x0688E000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0x06665000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0x06694000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0x02DD1000 \SystemRoot\system32\DRIVERS\raspptp.sys

0x00E0D000 \SystemRoot\system32\DRIVERS\rassstp.sys

0x066AF000 \SystemRoot\system32\DRIVERS\hamachi.sys

0x067E8000 \SystemRoot\system32\DRIVERS\rdpbus.sys

0x0689A000 \SystemRoot\system32\DRIVERS\swenum.sys

0x00DAB000 \SystemRoot\system32\DRIVERS\ks.sys

0x02C00000 \SystemRoot\system32\DRIVERS\umbus.sys

0x07220000 \SystemRoot\system32\DRIVERS\usbhub.sys

0x0727A000 \SystemRoot\System32\Drivers\NDProxy.SYS

0x0728F000 \SystemRoot\system32\drivers\HdAudio.sys

0x072EB000 \SystemRoot\system32\drivers\portcls.sys

0x07328000 \SystemRoot\system32\drivers\drmk.sys

0x0734A000 \SystemRoot\system32\drivers\ksthunk.sys

0x0740A000 \SystemRoot\system32\DRIVERS\agrsm64.sys

0x0752C000 \SystemRoot\system32\DRIVERS\USBD.SYS

0x0752E000 \SystemRoot\system32\drivers\modem.sys

0x0753D000 \SystemRoot\system32\drivers\nvhda64v.sys

0x00040000 \SystemRoot\System32\win32k.sys

0x0756A000 \SystemRoot\System32\drivers\Dxapi.sys

0x07576000 \SystemRoot\System32\Drivers\crashdmp.sys

0x07584000 \SystemRoot\System32\Drivers\dump_dumpata.sys

0x07590000 \SystemRoot\System32\Drivers\dump_msahci.sys

0x0759B000 \SystemRoot\System32\Drivers\dump_dumpfve.sys

0x075AE000 \SystemRoot\system32\DRIVERS\hidusb.sys

0x075BC000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0x075D5000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0x075DE000 \SystemRoot\system32\DRIVERS\mouhid.sys

0x07350000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0x0736D000 \SystemRoot\System32\Drivers\usbvideo.sys

0x02ACB000 \SystemRoot\System32\Drivers\ATSwpWDF.sys

0x02B80000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0x02B8E000 \SystemRoot\system32\DRIVERS\monitor.sys

0x004F0000 \SystemRoot\System32\TSDDD.dll

0x007A0000 \SystemRoot\System32\cdd.dll

0x008D0000 \SystemRoot\System32\ATMFD.DLL

0x02B9C000 \SystemRoot\system32\drivers\luafv.sys

0x02BBF000 \SystemRoot\system32\drivers\WudfPf.sys

0x02BE0000 \SystemRoot\system32\DRIVERS\lltdio.sys

0x02A00000 \SystemRoot\system32\DRIVERS\nwifi.sys

0x02A53000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0x02A66000 \SystemRoot\system32\DRIVERS\rspndr.sys

0x054B0000 \SystemRoot\system32\drivers\HTTP.sys

0x05578000 \SystemRoot\system32\DRIVERS\bowser.sys

0x05596000 \SystemRoot\System32\drivers\mpsdrv.sys

0x055AE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0x05400000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys

0x0544E000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys

0x088F4000 \SystemRoot\system32\drivers\peauth.sys

0x0899A000 \SystemRoot\System32\Drivers\secdrv.SYS

0x089A5000 \SystemRoot\System32\DRIVERS\srvnet.sys

0x089D2000 \SystemRoot\System32\drivers\tcpipreg.sys

0x08800000 \SystemRoot\System32\DRIVERS\srv2.sys

0x08EB9000 \SystemRoot\System32\DRIVERS\srv.sys

0x76F20000 \Windows\System32\ntdll.dll

0x47A30000 \Windows\System32\smss.exe

0xFF240000 \Windows\System32\apisetschema.dll

0xFFA90000 \Windows\System32\autochk.exe

0xFF020000 \Windows\System32\ole32.dll

0xFEE40000 \Windows\System32\setupapi.dll

0x770F0000 \Windows\System32\normaliz.dll

0xFED70000 \Windows\System32\usp10.dll

0xFECD0000 \Windows\System32\comdlg32.dll


Hey TheDarkKnight,

Silly me, ugh.

The full log:

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows 7 Professional

Windows Information: (build 7600), 64-bit

Base Board Manufacturer: Acer

BIOS Manufacturer: Phoenix Technologies LTD

System Manufacturer: Acer

System Product Name: Aspire 5930

Logical Drives Mask: 0x0000007c

Kernel Drivers (total 191):

0x02C50000 \SystemRoot\system32\ntoskrnl.exe

0x02C07000 \SystemRoot\system32\hal.dll

0x00BCE000 \SystemRoot\system32\kdcom.dll

0x00C35000 \SystemRoot\system32\mcupdate_GenuineIntel.dll

0x00C79000 \SystemRoot\system32\PSHED.dll

0x00C8D000 \SystemRoot\system32\CLFS.SYS

0x00CEB000 \SystemRoot\system32\CI.dll

0x00E2A000 \SystemRoot\system32\drivers\Wdf01000.sys

0x00ECE000 \SystemRoot\system32\drivers\WDFLDR.SYS

0x00EDD000 \SystemRoot\system32\DRIVERS\ACPI.sys

0x00F34000 \SystemRoot\system32\DRIVERS\WMILIB.SYS

0x00F3D000 \SystemRoot\system32\DRIVERS\msisadrv.sys

0x00F47000 \SystemRoot\system32\DRIVERS\vdrvroot.sys

0x00F54000 \SystemRoot\system32\DRIVERS\pci.sys

0x00F87000 \SystemRoot\System32\drivers\partmgr.sys

0x00F9C000 \SystemRoot\system32\DRIVERS\compbatt.sys

0x00FA5000 \SystemRoot\system32\DRIVERS\BATTC.SYS

0x00FB1000 \SystemRoot\system32\DRIVERS\volmgr.sys

0x01028000 \SystemRoot\System32\drivers\volmgrx.sys

0x01084000 \SystemRoot\System32\drivers\mountmgr.sys

0x0109E000 \SystemRoot\system32\DRIVERS\atapi.sys

0x010A7000 \SystemRoot\system32\DRIVERS\ataport.SYS

0x010D1000 \SystemRoot\system32\DRIVERS\msahci.sys

0x010DC000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS

0x010EC000 \SystemRoot\system32\drivers\amdxata.sys

0x010F7000 \SystemRoot\system32\drivers\fltmgr.sys

0x01143000 \SystemRoot\system32\drivers\fileinfo.sys

0x01206000 \SystemRoot\System32\Drivers\Ntfs.sys

0x01157000 \SystemRoot\System32\Drivers\msrpc.sys

0x013A8000 \SystemRoot\System32\Drivers\ksecdd.sys

0x01444000 \SystemRoot\System32\Drivers\cng.sys

0x014B6000 \SystemRoot\System32\drivers\pcw.sys

0x014C7000 \SystemRoot\System32\Drivers\Fs_Rec.sys

0x014D1000 \SystemRoot\system32\drivers\ndis.sys

0x016EC000 \SystemRoot\system32\drivers\NETIO.SYS

0x0174C000 \SystemRoot\System32\Drivers\ksecpkg.sys

0x01800000 \SystemRoot\System32\drivers\tcpip.sys

0x01777000 \SystemRoot\System32\drivers\fwpkclnt.sys

0x017C1000 \SystemRoot\system32\DRIVERS\vmstorfl.sys

0x01600000 \SystemRoot\system32\DRIVERS\volsnap.sys

0x0164C000 \SystemRoot\System32\Drivers\spldr.sys

0x01654000 \SystemRoot\System32\drivers\rdyboost.sys

0x0168E000 \SystemRoot\System32\Drivers\mup.sys

0x016A0000 \SystemRoot\System32\drivers\hwpolicy.sys

0x016A9000 \SystemRoot\System32\DRIVERS\fvevol.sys

0x017D1000 \SystemRoot\system32\DRIVERS\disk.sys

0x015C3000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS

0x011B5000 \SystemRoot\system32\DRIVERS\dtsoftbus01.sys

0x01413000 \SystemRoot\system32\DRIVERS\cdrom.sys

0x016E3000 \SystemRoot\System32\Drivers\Null.SYS

0x0143D000 \SystemRoot\System32\Drivers\Beep.SYS

0x013C2000 \SystemRoot\System32\drivers\vga.sys

0x013D0000 \SystemRoot\System32\drivers\VIDEOPRT.SYS

0x01000000 \SystemRoot\System32\drivers\watchdog.sys

0x013F5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0x01010000 \SystemRoot\system32\drivers\rdpencdd.sys

0x01019000 \SystemRoot\system32\drivers\rdprefmp.sys

0x00FC6000 \SystemRoot\System32\Drivers\Msfs.SYS

0x00FD1000 \SystemRoot\System32\Drivers\Npfs.SYS

0x00FE2000 \SystemRoot\system32\DRIVERS\tdx.sys

0x00E00000 \SystemRoot\system32\DRIVERS\TDI.SYS

0x02C14000 \SystemRoot\system32\drivers\afd.sys

0x02C9D000 \SystemRoot\System32\DRIVERS\netbt.sys

0x02CE2000 \SystemRoot\system32\drivers\ws2ifsl.sys

0x02CED000 \SystemRoot\system32\DRIVERS\wfplwf.sys

0x02CF6000 \SystemRoot\system32\DRIVERS\pacer.sys

0x02D1C000 \SystemRoot\system32\DRIVERS\netbios.sys

0x02D2B000 \SystemRoot\system32\DRIVERS\wanarp.sys

0x02D46000 \SystemRoot\system32\DRIVERS\termdd.sys

0x02D5A000 \SystemRoot\system32\DRIVERS\rdbss.sys

0x02DAB000 \SystemRoot\system32\drivers\nsiproxy.sys

0x02DB7000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0x02DC2000 \SystemRoot\System32\drivers\discache.sys

0x066BA000 \SystemRoot\system32\drivers\csc.sys

0x0673D000 \SystemRoot\System32\Drivers\dfsc.sys

0x0675B000 \SystemRoot\system32\DRIVERS\blbdrive.sys

0x0676C000 \SystemRoot\system32\DRIVERS\tunnel.sys

0x0F090000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys

0x0FD07000 \SystemRoot\System32\drivers\dxgkrnl.sys

0x0F000000 \SystemRoot\System32\drivers\dxgmms1.sys

0x0F046000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0x06792000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0x0F053000 \SystemRoot\system32\DRIVERS\usbehci.sys

0x0F064000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0x06600000 \SystemRoot\system32\DRIVERS\yk62x64.sys

0x0689E000 \SystemRoot\system32\DRIVERS\netw5v64.sys

0x06DD9000 \SystemRoot\system32\DRIVERS\CmBatt.sys

0x06DDE000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0x06800000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0x0680F000 \SystemRoot\system32\DRIVERS\mouclass.sys

0x0681E000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys

0x06825000 \SystemRoot\system32\DRIVERS\wmiacpi.sys

0x0682E000 \SystemRoot\system32\DRIVERS\intelppm.sys

0x06844000 \SystemRoot\system32\DRIVERS\CompositeBus.sys

0x06854000 \SystemRoot\system32\DRIVERS\AgileVpn.sys

0x0686A000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0x0688E000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0x06665000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0x06694000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0x02DD1000 \SystemRoot\system32\DRIVERS\raspptp.sys

0x00E0D000 \SystemRoot\system32\DRIVERS\rassstp.sys

0x066AF000 \SystemRoot\system32\DRIVERS\hamachi.sys

0x067E8000 \SystemRoot\system32\DRIVERS\rdpbus.sys

0x0689A000 \SystemRoot\system32\DRIVERS\swenum.sys

0x00DAB000 \SystemRoot\system32\DRIVERS\ks.sys

0x02C00000 \SystemRoot\system32\DRIVERS\umbus.sys

0x07220000 \SystemRoot\system32\DRIVERS\usbhub.sys

0x0727A000 \SystemRoot\System32\Drivers\NDProxy.SYS

0x0728F000 \SystemRoot\system32\drivers\HdAudio.sys

0x072EB000 \SystemRoot\system32\drivers\portcls.sys

0x07328000 \SystemRoot\system32\drivers\drmk.sys

0x0734A000 \SystemRoot\system32\drivers\ksthunk.sys

0x0740A000 \SystemRoot\system32\DRIVERS\agrsm64.sys

0x0752C000 \SystemRoot\system32\DRIVERS\USBD.SYS

0x0752E000 \SystemRoot\system32\drivers\modem.sys

0x0753D000 \SystemRoot\system32\drivers\nvhda64v.sys

0x00040000 \SystemRoot\System32\win32k.sys

0x0756A000 \SystemRoot\System32\drivers\Dxapi.sys

0x07576000 \SystemRoot\System32\Drivers\crashdmp.sys

0x07584000 \SystemRoot\System32\Drivers\dump_dumpata.sys

0x07590000 \SystemRoot\System32\Drivers\dump_msahci.sys

0x0759B000 \SystemRoot\System32\Drivers\dump_dumpfve.sys

0x075AE000 \SystemRoot\system32\DRIVERS\hidusb.sys

0x075BC000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0x075D5000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0x075DE000 \SystemRoot\system32\DRIVERS\mouhid.sys

0x07350000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0x0736D000 \SystemRoot\System32\Drivers\usbvideo.sys

0x02ACB000 \SystemRoot\System32\Drivers\ATSwpWDF.sys

0x02B80000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0x02B8E000 \SystemRoot\system32\DRIVERS\monitor.sys

0x004F0000 \SystemRoot\System32\TSDDD.dll

0x007A0000 \SystemRoot\System32\cdd.dll

0x008D0000 \SystemRoot\System32\ATMFD.DLL

0x02B9C000 \SystemRoot\system32\drivers\luafv.sys

0x02BBF000 \SystemRoot\system32\drivers\WudfPf.sys

0x02BE0000 \SystemRoot\system32\DRIVERS\lltdio.sys

0x02A00000 \SystemRoot\system32\DRIVERS\nwifi.sys

0x02A53000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0x02A66000 \SystemRoot\system32\DRIVERS\rspndr.sys

0x054B0000 \SystemRoot\system32\drivers\HTTP.sys

0x05578000 \SystemRoot\system32\DRIVERS\bowser.sys

0x05596000 \SystemRoot\System32\drivers\mpsdrv.sys

0x055AE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0x05400000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys

0x0544E000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys

0x088F4000 \SystemRoot\system32\drivers\peauth.sys

0x0899A000 \SystemRoot\System32\Drivers\secdrv.SYS

0x089A5000 \SystemRoot\System32\DRIVERS\srvnet.sys

0x089D2000 \SystemRoot\System32\drivers\tcpipreg.sys

0x08800000 \SystemRoot\System32\DRIVERS\srv2.sys

0x08EB9000 \SystemRoot\System32\DRIVERS\srv.sys

0x76F20000 \Windows\System32\ntdll.dll

0x47A30000 \Windows\System32\smss.exe

0xFF240000 \Windows\System32\apisetschema.dll

0xFFA90000 \Windows\System32\autochk.exe

0xFF020000 \Windows\System32\ole32.dll

0xFEE40000 \Windows\System32\setupapi.dll

0x770F0000 \Windows\System32\normaliz.dll

0xFED70000 \Windows\System32\usp10.dll

0xFECD0000 \Windows\System32\comdlg32.dll

0x76E20000 \Windows\System32\user32.dll

0x770E0000 \Windows\System32\psapi.dll

0x76C10000 \Windows\System32\iertutil.dll

0xFEBC0000 \Windows\System32\msctf.dll

0xFEAE0000 \Windows\System32\advapi32.dll

0xFEA90000 \Windows\System32\ws2_32.dll

0xFEA70000 \Windows\System32\sechost.dll

0xFE990000 \Windows\System32\oleaut32.dll

0x76AB0000 \Windows\System32\wininet.dll

0x76990000 \Windows\System32\kernel32.dll

0xFE970000 \Windows\System32\imagehlp.dll

0xFE8D0000 \Windows\System32\clbcatq.dll

0xFE8C0000 \Windows\System32\nsi.dll

0xFE820000 \Windows\System32\msvcrt.dll

0xFE810000 \Windows\System32\lpk.dll

0xFE7E0000 \Windows\System32\imm32.dll

0xFE770000 \Windows\System32\gdi32.dll

0xFE6F0000 \Windows\System32\difxapi.dll

0xFE5C0000 \Windows\System32\rpcrt4.dll

0xFE540000 \Windows\System32\shlwapi.dll

0xFE4F0000 \Windows\System32\Wldap32.dll

0xFD760000 \Windows\System32\shell32.dll

0x76840000 \Windows\System32\urlmon.dll

0xFD6C0000 \Windows\System32\comctl32.dll

0xFD6A0000 \Windows\System32\devobj.dll

0xFD530000 \Windows\System32\crypt32.dll

0xFD4F0000 \Windows\System32\wintrust.dll

0xFD480000 \Windows\System32\KernelBase.dll

0xFD440000 \Windows\System32\cfgmgr32.dll

0xFD430000 \Windows\System32\msasn1.dll

Processes (total 61):

0 System Idle Process

4 System

256 C:\Windows\System32\smss.exe

360 csrss.exe

424 C:\Windows\System32\wininit.exe

440 csrss.exe

472 C:\Windows\System32\services.exe

488 C:\Windows\System32\lsass.exe

496 C:\Windows\System32\lsm.exe

612 C:\Windows\System32\svchost.exe

672 C:\Windows\System32\nvvsvc.exe

716 C:\Windows\System32\svchost.exe

784 C:\Windows\System32\svchost.exe

820 C:\Windows\System32\svchost.exe

864 C:\Windows\System32\svchost.exe

992 C:\Windows\System32\svchost.exe

288 C:\Windows\System32\winlogon.exe

912 C:\Windows\System32\svchost.exe

1208 C:\Windows\System32\spoolsv.exe

1228 C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

1240 C:\Windows\System32\nvvsvc.exe

1300 C:\Windows\System32\svchost.exe

1396 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

1568 C:\Windows\System32\taskhost.exe

1656 C:\Windows\System32\taskeng.exe

1688 C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

1696 C:\Windows\System32\dwm.exe

1724 C:\Windows\explorer.exe

1876 C:\Program Files\Bonjour\mDNSResponder.exe

1904 C:\Windows\System32\svchost.exe

1948 C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe

840 C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe

1356 C:\Windows\System32\svchost.exe

1276 C:\Windows\System32\svchost.exe

1796 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

2316 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE

2628 C:\Windows\System32\svchost.exe

2816 C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

2660 C:\Windows\System32\SearchIndexer.exe

1040 C:\Program Files\Windows Media Player\wmpnetwk.exe

1376 C:\Windows\System32\svchost.exe

3740 C:\Users\ee\AppData\Local\Google\Chrome\Application\chrome.exe

3976 C:\Users\ee\AppData\Local\Google\Chrome\Application\chrome.exe

3992 C:\Users\ee\AppData\Local\Google\Chrome\Application\chrome.exe

4012 C:\Users\ee\AppData\Local\Google\Chrome\Application\chrome.exe

4028 C:\Users\ee\AppData\Local\Google\Chrome\Application\chrome.exe

4040 C:\Users\ee\AppData\Local\Google\Chrome\Application\chrome.exe

3248 C:\Users\ee\AppData\Local\Google\Chrome\Application\chrome.exe

3428 C:\Windows\System32\taskhost.exe

3424 C:\Users\ee\AppData\Local\Google\Chrome\Application\chrome.exe

2020 C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

2540 C:\Users\ee\AppData\Local\Google\Chrome\Application\chrome.exe

1840 C:\Users\ee\AppData\Local\Google\Chrome\Application\chrome.exe

1444 WmiPrvSE.exe

2688 C:\Windows\System32\SearchProtocolHost.exe

3288 C:\Windows\System32\SearchFilterHost.exe

596 C:\Windows\System32\dllhost.exe

684 C:\Windows\System32\audiodg.exe

3732 C:\Users\ee\Desktop\MBRCheck.exe

3716 C:\Windows\System32\conhost.exe

3112 C:\Windows\System32\notepad.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000f`003eb200 (NTFS)

\\.\E: --> \\.\PhysicalDrive0 at offset 0x0000002a`8072e200 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200BEVT-22ZCT0, Rev: 11.01A11

Size Device Name MBR Status

--------------------------------------------

298 GB \\.\PhysicalDrive0 Windows 7 MBR code detected

SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79

Done!

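To show what the last few MBRCheck lines above are actually reporting, here is an added example (written for this page; it is not part of the thread and not MBRCheck's own code). It parses a raw 512-byte MBR sector, checks the 0x55AA boot signature, hashes the boot-code area and converts each partition entry into the same "at offset 0x........`........" notation the drive-letter lines use. The sector it builds is constructed: the three start sectors were chosen so the computed offsets match the C:, D: and E: lines in the log, while the partition sizes, boot-code bytes and disk signature are made up. Which byte range MBRCheck hashes is not stated anywhere in the thread, so hashing bytes 0..439 is an assumption of this example.

```python
# Added example (not part of the thread, and not MBRCheck's own code): parse a
# 512-byte MBR sector the way the MBRCheck log above reports it, i.e. validate
# the 0x55AA signature, hash the boot-code region, and turn each partition
# entry into the "at offset 0x........`........" byte offset shown per drive.
#
# The sector from build_sample_mbr() is CONSTRUCTED for this example. Its three
# entries use start sectors chosen so the offsets match the C:, D: and E: lines
# in the log; sizes, boot-code bytes and disk signature are made up. The exact
# byte range MBRCheck hashes is not stated in the thread, so hashing bytes
# 0..439 (the x86 boot-code area) is an assumption here.
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: boot code; 440..445: disk signature + pad
PART_TABLE_OFFSET = 446      # four 16-byte entries: bytes 446..509
PART_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int      # 0x07 = NTFS/exFAT/HPFS
    lba_start: int    # first sector, 512-byte LBA
    sectors: int

    @property
    def byte_offset(self) -> int:
        return self.lba_start * SECTOR_SIZE

    def offset_string(self) -> str:
        """Render like MBRCheck: high and low 32-bit halves split by a backtick."""
        hi, lo = divmod(self.byte_offset, 1 << 32)
        return f"0x{hi:08x}`{lo:08x}"


def parse_mbr(sector: bytes) -> Tuple[str, List[PartitionEntry]]:
    """Return (SHA1 of boot code, used partition entries); raise ValueError if invalid."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    boot_code_sha1 = hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()
    entries: List[PartitionEntry] = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, type_id, lba_start, sectors = struct.unpack(
            "<B3xB3xII", sector[off:off + PART_ENTRY_LEN])
        if type_id == 0:
            continue                       # empty slot
        if status not in (0x00, 0x80):     # anything else means a corrupt table
            raise ValueError(f"entry {i}: invalid status byte 0x{status:02x}")
        entries.append(PartitionEntry(i, status == 0x80, type_id, lba_start, sectors))
    return boot_code_sha1, entries


def is_valid_mbr(sector: bytes) -> bool:
    """True if the sector parses; False for a zeroed, overwritten or truncated MBR."""
    try:
        parse_mbr(sector)
        return True
    except ValueError:
        return False


def build_sample_mbr() -> bytes:
    """CONSTRUCTED sector: placeholder boot code plus three NTFS primary partitions."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])  # xor ax,ax; mov ss,ax; mov sp,7c00h
    boot_code += b"\x90" * (BOOT_CODE_LEN - len(boot_code))         # pad with NOPs
    disk_signature = b"\x12\x34\x56\x78" + b"\x00\x00"              # made-up NT disk signature

    def entry(bootable: bool, type_id: int, lba_start: int, sectors: int) -> bytes:
        return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x00" * 3,
                           type_id, b"\x00" * 3, lba_start, sectors)

    table = (entry(True,  0x07, 63,        125837082)    # C: -> 0x00000000`00007e00
             + entry(False, 0x07, 125837145, 230693400)  # D: -> 0x0000000f`003eb200
             + entry(False, 0x07, 356530545, 268611903)  # E: -> 0x0000002a`8072e200
             + b"\x00" * PART_ENTRY_LEN)                  # unused fourth slot
    sector = boot_code + disk_signature + table + MBR_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


if __name__ == "__main__":
    sha1, parts = parse_mbr(build_sample_mbr())
    print(f"boot code SHA1: {sha1}")
    for p in parts:
        flag = "*" if p.bootable else " "
        print(f"{flag} entry {p.index}: type 0x{p.type_id:02x} at offset "
              f"{p.offset_string()} ({p.sectors} sectors)")
```

The parser takes any 512-byte buffer, so sector 0 captured with dd or an imaging tool works as input; reading the live physical drive needs administrator rights and is deliberately left out. The useful signal is the boot-code hash: compared against a known-good value for the installed Windows version it is what tells a bootkit-patched MBR apart from the stock one, which is the check the "Windows 7 MBR code detected" line summarises. The SHA1 in the log cannot be reproduced from this constructed sector.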

Hello horimiya,

Well that log came back clean as well. Are you noticing any other weird things on your computer? Has the music played again?

Please download GMER from one of the following locations and save it to your Desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your Desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress).
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, firewall and any other security programs you had disabled.

-- If you encounter any problems, try running GMER in Safe Mode.

-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning.


Hello TheDarkKnight,

No, no other weird things thus far. The music has also stopped appearing :) and I have not gotten any redirects so far either.

Here is the log:

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-11-15 18:36:03

Windows 6.1.7600

Running: uk899jte.exe

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe1f53957

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe1f53957@7cc53745c4ed 0xE1 0x7D 0xF2 0xDD ...

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe1f53957 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe1f53957@7cc53745c4ed 0xE1 0x7D 0xF2 0xDD ...

Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\sins of a solar empire\Закат Солнечной Империи. Новая война\Uninstall\unins000.exe 1

---- EOF - GMER 1.0.15 ----


Hey horimiya,

Please do a scan with the Kaspersky Online Scanner.

To optimise scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

  • Click on the Accept button and install the components it needs.
  • Click on Full Scan.
  • The scan will take a while, so please be patient and let it run.
  • When the scan has completed, it will display a window with a list of the issues it has found.
  • Please click Details.
  • Under the categories that have found entries, please copy and paste their reports into your next reply.


Hello TheDarkKnight,

Here are the reports:

Malware (0)

Information about malware detected on the computer.

Vulnerabilities

  • C:\Program Files (x86)\Google\Picasa3\plugins\expwebsites\expwebsites.yti
  • C:\Program Files (x86)\QuickTime\QuickTimePlayer.exe
  • C:\Windows\system32\Macromed\Flash\NPSWF64_11_4_402_287.dll
  • C:\Windows\SysWOW64\Adobe\Shockwave 11\SwInit.exe
  • C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_287.d

Other issues

  • "Autorun from hard drives is allowed"
  • "Autorun from network drives is enabled"
  • "CD/DVD autorun is enabled"
  • "Removable media autorun is enabled"
  • "Microsoft Internet Explorer: clear history of typed URLs"
  • "Microsoft Internet Explorer - disable caching data received via protected channel"
  • "Microsoft Internet Explorer: disable sending error reports"
  • "Microsoft Internet Explorer: clear list of pop-up blocker exceptions"
  • "Microsoft Internet Explorer: enable cache autocleanup on browser closing"
  • "Windows Explorer: display of known file types extensions is disabled"
  • "Microsoft Internet Explorer: start page reset"


Hey horimiya,

Are there any current issues on your computer?

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


good morning TheDarkKnight,

Currently none, as far as I'm aware. No redirects or music playing thus far.

Here is the screen317 log:

Results of screen317's Security Check version 0.99.54

Windows 7 x64 (UAC is enabled)

Out of date service pack!!

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

CCleaner

JavaFX 2.1.1

Java version out of Date!

Adobe Flash Player 11.4.402.287

Adobe Reader 9 Adobe Reader out of Date!

Google Chrome 21.0.1180.83

Google Chrome 21.0.1180.89

Google Chrome 22.0.1229.79

Google Chrome 22.0.1229.92

Google Chrome 22.0.1229.94

Google Chrome 23.0.1271.64

````````Process Check: objlist.exe by Laurent````````

Kaspersky Lab Kaspersky Security Scan 2.0 kss.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 3%

````````````````````End of Log``````````````````````


Good evening horimiya,

Please do the following updates. Your Windows and Internet Explorer are out of date, and by updating to the latest Service Packs you will minimise the risk of future infections through these security patches and fixes.

Service Pack 1 (SP1) is an extremely important update for Vista and Windows 7 and will help reduce the chance of an infection through security patches. I strongly recommend you install this update.

Please open Internet Explorer and follow the instructions below to update Windows:

  • Go to this link: Windows Update
  • Download all the Critical updates, making sure you have selected SP1.
  • Once they have been installed, please revisit Windows Update and select any further Critical updates, making sure you have selected SP3 and Internet Explorer 8.

Note:

It will be necessary for you to restart the computer during the updates, and return to the Windows Update site several times before all critical updates are installed.

IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections.

=====

Your version of Java is out of date. It's important to remove older versions of Java since it does not do so automatically and older versions can leave you vulnerable.

Please follow the instructions below to update Java:

  • Please go to the below link and download the latest Windows 7 version:

http://www.java.com/...load/manual.jsp

  • Save it to your Desktop.
  • Please go to Start>Control Panel >Programs and Features>Programs.
  • Navigate to any versions of Java (J2SE Runtime Environment) you have installed. They will have the Java icon next to them.
  • Select Remove.
  • Please double-click the installer and follow the prompts to install the latest version once all the previous versions have been successfully removed.

Also, your version of Adobe Reader is out of date. It could have security vulnerabilities, so please follow these instructions to update it:

  • Please go to Start>All Programs>Adobe Reader.
  • Open Adobe Reader and navigate to Help>Check for Updates.
  • Please follow the prompts to install the latest version.

=====

In your reply please let me know how the updates go.


Good morning TheDarkKnight,

Turned on automatic Windows Update. SP1 was installed successfully, and after a few restarts for further updates all important installations are done. Also installed Microsoft Security Essentials.

Downloaded the latest Java first, because Java did not allow me to remove old versions unless the latest was installed. Removed the old versions thereafter.

Updated Adobe reader to the latest version as well.


Good afternoon horimiya,

A little housekeeping to uninstall ComboFix:

Please click Start>Run and copy/paste the following text, including the space between "ComboFix" and "/uninstall", into the Run box and click OK:

ComboFix /uninstall

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Right-click the Recycle Bin and please select Empty Recycle Bin.

==========

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :thumbup:

IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running the following program (there is a free version available):

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older kind of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.

Two useful programs for keeping your programs up-to-date are FileHippo and Secunia PSI. Running one of these regularly will help you obtain the latest program updates.

Please also read Tony Klein's excellent article: How did I get infected in the first place.

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.