
sppsvc malware


Philipp


Hi,

I'm new here and I found a file that acts like it is the "Software Protection" service in Windows 8.

In my service manager I have 2 services named "Software Protection": one links to C:\Windows\system32\sppsvc.exe <- real one

the other links to C:\Windows\sppsvc.exe <- malware; this file is only 10 KB.

I scanned it with various virus/malware scanners but none seem to find anything, including Malwarebytes.

I only found this out because I do a CRC check on Microsoft system and services files.

Did anyone hear of this virus/malware before, and if so, are there other files that I need to delete to get rid of it completely?


Hello Philipp, and welcome to the Malwarebytes forums.

If you check the Properties of the exe in \Windows\System32, it should show version 6.2.9200.16384 with a size of 4.65 MB.

Take the file in the Windows folder, zip it into a zip file, and attach the zip file to a reply here.

Then delete C:\Windows\sppsvc.exe <- (only the one in the Windows folder).

AFAIK, this has not been seen before. More than that, infection of a Windows 8 system is rare, if not unheard of.

Let's have you get a DDS log report, then copy and paste it into a new reply for review.

Download DDS and save it to your desktop from http://download.bleepingcomputer.com/sUBs/dds.com

or http://download.bleepingcomputer.com/sUBs/dds.scr or

http://www.infospyware.net/sUBs/dds

Disable any script blocker if your antivirus/antimalware has one.

Then right-click dds.scr and select Run as Administrator to run the tool.

DDS will run in a command prompt window and will take 3 to 4 minutes or so.

  • When done, DDS will open two (2) logs:
      • DDS.txt
      • Attach.txt
  • Save both reports to your desktop.

Please copy & paste the contents of the following logs in your next reply:
DDS.txt
Attach.txt

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Right-click SecurityCheck.exe and select Run as Administrator.
    Follow the on-screen instructions inside the black box.
  • A Notepad document called checkup.txt should open automatically; please copy & paste the contents of that document.

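Philipp found the rogue file with a CRC check and Maurice's reply relies on the size and version shown in the Properties dialog. The following is an added example, not code from the thread, from Malwarebytes or from the DDS tool, that does the same check the way a responder would: enumerate every service, resolve the binary each one actually runs, and verify the Authenticode signature and SHA-256 hash rather than the version resource. It assumes an elevated PowerShell 4.0 or later session (Get-FileHash needs 4.0; Windows 8 ships 3.0, so WMF 4 would have to be installed); the service names and paths it reports are whatever the machine has.

```powershell
# Added example (not from the original thread): audit service binaries by
# signature and hash instead of by the size/version in the Properties dialog.
# Assumes an elevated PowerShell 4.0+ prompt on Windows.

$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Get-ServiceBinaryPath {
    param([string]$ImagePath)
    # ImagePath may be quoted, may carry arguments ("svchost.exe -k netsvcs"),
    # and may use the \SystemRoot\ or \??\ prefixes seen in driver entries.
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if (-not [IO.Path]::IsPathRooted($p)) {
        $p = Join-Path (Join-Path $env:SystemRoot 'System32') $p
    }
    return $p
}

function Get-ServiceBinaryReport {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }
        $path = Get-ServiceBinaryPath $svc.PathName
        $info = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        $sig  = if ($info) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $hash = if ($info) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
        $dir  = if ($info) { $info.DirectoryName } else { Split-Path $path }
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            StartMode   = $svc.StartMode
            Path        = $path
            Exists      = [bool]$info
            SizeBytes   = if ($info) { $info.Length } else { $null }
            FileVersion = if ($info) { $info.VersionInfo.FileVersion } else { $null }
            Signature   = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256      = $hash
            # True when the binary is not in System32 or SysWOW64 (e.g. C:\Windows\sppsvc.exe).
            OutsideSys  = ($null -ne $dir) -and ($systemDirs -notcontains $dir.TrimEnd('\'))
        }
    }
}

$report = Get-ServiceBinaryReport

# 1. Two services sharing one display name is exactly the symptom in the thread;
#    the service Name (not DisplayName) tells them apart.
$report | Group-Object DisplayName | Where-Object Count -gt 1 |
    ForEach-Object { $_.Group } |
    Format-Table Name, DisplayName, Path, Signature -AutoSize

# 2. Anything not validly signed, or living outside System32/SysWOW64.
$report | Where-Object { $_.Signature -ne 'Valid' -or $_.OutsideSys } |
    Format-Table Name, Path, SizeBytes, FileVersion, Signature, Signer -AutoSize
```

The point of checking the signature is that the size, description and version number in the Details tab are just a resource section in the PE and can be copied from the genuine file by anyone; a valid Microsoft Authenticode signature over the file contents cannot. Two services with the same display name are distinguished by their service name, which is also what you pass to sc.exe or Stop-Service when removing the rogue one.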

Hey Maurice,

Sorry that I didn't reply sooner. I think the virus is already removed completely; it was a trojan for sure, because there were services started that would normally never start, like the telephony and some secured network services. I stopped them and set them to manual, and they didn't start up any more after reboot, so luckily there is nothing managing them.

I still have the virus because I wanted to open it with an editor to see if there are some lines in it I could recognise, and there are some redirections to files called "os2.exe" and "pmshell.exe".

I don't have an option here to post files yet; maybe it's because I have too few posts?

I can send the virus file of sppsvc; the Windows file that's in System32 is the original Windows version, with cert and CRC that are correct.

Strange thing though, the virus has all the correct info, even down to the version number in the Details tab of the file properties.

I'm doing a disk clone now from my old HDD to an SSD, so I can't run any scans at the moment, but I will run them when I'm finished cloning in about 5 hours.

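Philipp read the sample in a text editor and spotted references to "os2.exe" and "pmshell.exe". As an added example (not code from the thread or from any of the tools mentioned in it), the same triage done with a small strings extractor: it pulls printable ASCII and UTF-16LE runs out of a binary with their file offsets and then lists the file names the binary references. The quarantine path is a placeholder assumption; run it against a copy of the sample, and never execute the sample itself.

```powershell
# Added example (not from the original thread): extract strings from a PE
# sample and list referenced file names. $sample is a placeholder path.

function Get-BinaryStrings {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinLength = 6
    )
    $bytes = [IO.File]::ReadAllBytes($Path)
    # Latin-1 maps every byte to exactly one character, so match indexes are
    # byte offsets into the file (ASCII encoding would turn high bytes into '?').
    $text = [Text.Encoding]::GetEncoding(28591).GetString($bytes)

    $runs = New-Object System.Collections.Generic.List[object]

    # Runs of printable ASCII (0x20-0x7E).
    foreach ($m in [regex]::Matches($text, "[\x20-\x7E]{$MinLength,}")) {
        $runs.Add([pscustomobject]@{ Offset = $m.Index; Encoding = 'ASCII'; Value = $m.Value })
    }
    # UTF-16LE text in the ASCII range looks like "s\0p\0p\0s\0v\0c\0" on disk;
    # strip the interleaved NULs once matched.
    foreach ($m in [regex]::Matches($text, "(?:[\x20-\x7E]\x00){$MinLength,}")) {
        $runs.Add([pscustomobject]@{
            Offset = $m.Index; Encoding = 'UTF-16LE'; Value = ($m.Value -replace '\x00', '')
        })
    }
    $runs | Sort-Object Offset
}

function Get-ReferencedFileNames {
    param([Parameter(Mandatory)][string]$Path)
    # Bare names or paths ending in an executable/script extension.
    $pattern = '(?i)[\w\-\.\\:]*\w\.(exe|dll|sys|bat|cmd|vbs|ps1)\b'
    Get-BinaryStrings -Path $Path -MinLength 5 | ForEach-Object {
        $s = $_
        foreach ($m in [regex]::Matches($s.Value, $pattern)) {
            [pscustomobject]@{ Offset = $s.Offset; Encoding = $s.Encoding; File = $m.Value }
        }
    } | Sort-Object File -Unique
}

# Placeholder path (assumption): a copy of the suspect file, renamed so it
# cannot be launched by accident.
$sample = 'C:\quarantine\sppsvc.exe.bin'

Get-ReferencedFileNames -Path $sample | Format-Table -AutoSize

# Other strings worth a look: URLs, UNC paths, command lines, registry keys.
Get-BinaryStrings -Path $sample |
    Where-Object { $_.Value -match 'http|\\\\|cmd|reg|HKLM|HKCU' } |
    Format-Table -AutoSize
```

Checking both encodings matters on Windows: resource strings, registry paths and most Win32 API string arguments are stored as UTF-16LE, so an ASCII-only scan (or a plain text editor) will miss a good share of what a small dropper actually references.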

Hey Maurice,

Sorry for the delay, I've been a bit busy installing a new drive in my PC.

I've uploaded the files, but a lot has changed on my PC since, so I don't know if it is of any use.

Let me know if you need any further help. I'm finally finished with everything so I have some time :)

Moderator note: Please always copy all contents of log(s) and paste directly into the main body of the reply.

Do NOT use the attach option unless I ask you to.

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer:

Run by Philippe at 22:34:28 on 2012-12-20

Microsoft Windows 8 Pro 6.2.9200.0.1252.1.1033.18.4091.211 [GMT 1:00]

.

AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\dwm.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.2.9200.16455_none_624a7aa150f57306\TiWorker.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe

C:\Windows\system32\taskhostex.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Windows\explorer7\explorer.exe

C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\Program Files\AVAST Software\Avast\AvastUI.exe

C:\Windows\SysWOW64\ctfmon.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

D:\Noname\mIRC.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe

C:\Program Files (x86)\Trillian\trillian.exe

C:\Program Files\tixati\tixati.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Yamicsoft\Windows 8 Manager\Windows8Manager.exe

C:\Program Files\Yamicsoft\Windows 8 Manager\StartupManager.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_110.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uSearch Bar = hxxp://www.google.com/ie

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uWinlogon: Shell = C:\Windows\explorer7\explorer.exe

mWinlogon: Userinit = userinit.exe

mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

uPolicies-Explorer: TaskbarNoDragToolbar = dword:0

uPolicies-Explorer: TaskbarLockAll = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

mPolicies-System: EnableLUA = dword:0

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: SynchronousMachineGroupPolicy = dword:1

mPolicies-System: SynchronousUserGroupPolicy = dword:1

mPolicies-System: disablecad = dword:1

mPolicies-Windows\System: AllowBlockingAppsAtShutdown = dword:1

IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office15\EXCEL.EXE/3000

TCP: NameServer = 192.168.1.254 195.241.77.55 195.241.77.58

TCP: Interfaces\{C812BFDB-764E-4483-9674-E4CE2A30F753} : DHCPNameServer = 192.168.1.254 195.241.77.55 195.241.77.58

Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL

Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL

SSODL: WebCheck - <orphaned>

mASetup: {A6EADE66-0000-0000-484E-7E8A45000000} - "C:\Windows\SysWOW64\Rundll32.exe" "C:\Program Files (x86)\Adobe\Reader 11.0\Esl\AiodLite.dll",CreateReaderUserSettings

x64-mPolicies-System: PromptOnSecureDesktop = dword:0

x64-mPolicies-System: EnableLUA = dword:0

x64-mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

x64-mPolicies-System: SynchronousMachineGroupPolicy = dword:1

x64-mPolicies-System: SynchronousUserGroupPolicy = dword:1

x64-mPolicies-System: disablecad = dword:1

x64-Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL

x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Philippe\AppData\Roaming\Mozilla\Firefox\Profiles\xkta2gt0.default\

FF - prefs.js: browser.startup.homepage - hxxps://news.google.nl/

FF - plugin: C:\PROGRA~2\MICROS~2\Office15\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.124\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_110.dll

FF - ExtSQL: 2012-11-06 01:45; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\Philippe\AppData\Roaming\Mozilla\Firefox\Profiles\xkta2gt0.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

FF - ExtSQL: 2012-11-06 02:06; {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}; C:\Users\Philippe\AppData\Roaming\Mozilla\Firefox\Profiles\xkta2gt0.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}.xpi

FF - ExtSQL: 2012-11-06 02:06; {dc572301-7619-498c-a57d-39143191b318}; C:\Users\Philippe\AppData\Roaming\Mozilla\Firefox\Profiles\xkta2gt0.default\extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi

FF - ExtSQL: 2012-11-06 03:23; {0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}; C:\Users\Philippe\AppData\Roaming\Mozilla\Firefox\Profiles\xkta2gt0.default\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}.xpi

FF - ExtSQL: 2012-11-06 09:47; google@hitachi.com; C:\Users\Philippe\AppData\Roaming\Mozilla\Firefox\Profiles\xkta2gt0.default\extensions\google@hitachi.com.xpi

FF - ExtSQL: 2012-11-13 00:04; en-gb@flyingtophat.co.uk; C:\Users\Philippe\AppData\Roaming\Mozilla\Firefox\Profiles\xkta2gt0.default\extensions\en-gb@flyingtophat.co.uk

FF - ExtSQL: 2012-11-13 00:29; nl-NL@dictionaries.addons.mozilla.org; C:\Users\Philippe\AppData\Roaming\Mozilla\Firefox\Profiles\xkta2gt0.default\extensions\nl-NL@dictionaries.addons.mozilla.org

FF - ExtSQL: 2012-11-15 04:07; https-everywhere@eff.org; C:\Users\Philippe\AppData\Roaming\Mozilla\Firefox\Profiles\xkta2gt0.default\extensions\https-everywhere@eff.org

FF - ExtSQL: 2012-11-19 16:22; {DDC359D1-844A-42a7-9AA1-88A850A938A8}; C:\Users\Philippe\AppData\Roaming\Mozilla\Firefox\Profiles\xkta2gt0.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi

FF - ExtSQL: 2012-12-06 02:00; donottrackplus@abine.com; C:\Users\Philippe\AppData\Roaming\Mozilla\Firefox\Profiles\xkta2gt0.default\extensions\donottrackplus@abine.com

.

---- FIREFOX POLICIES ----

FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=b673939000000000000000215d2ca897&q=

FF - user.js: extensions.BabylonToolbar.id - b673939000000000000000215d2ca897

FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}

FF - user.js: extensions.BabylonToolbar.instlDay - 15689

FF - user.js: extensions.BabylonToolbar.vrsn - 1.8.4.9

FF - user.js: extensions.BabylonToolbar.vrsni - 1.8.4.9

FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.8.4.918:52:58

FF - user.js: extensions.BabylonToolbar.prtnrId - babylon

FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar

FF - user.js: extensions.BabylonToolbar.aflt - babsst

FF - user.js: extensions.BabylonToolbar_i.smplGrp - none

FF - user.js: extensions.BabylonToolbar.tlbrId - base

FF - user.js: extensions.BabylonToolbar.instlRef - sst

FF - user.js: extensions.BabylonToolbar.dfltLng - en

FF - user.js: extensions.BabylonToolbar_i.excTlbr - false

FF - user.js: extensions.BabylonToolbar.excTlbr - false

FF - user.js: extensions.BabylonToolbar.admin - false

FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=111511&tt=5012_4

FF - user.js: extensions.BabylonToolbar_i.babExt -

FF - user.js: extensions.BabylonToolbar_i.srcExt - ss

FF - user.js: extensions.BabylonToolbar.autoRvrt - false

FF - user.js: extensions.BabylonToolbar.rvrt - false

FF - user.js: extensions.BabylonToolbar_i.newTab - false

.

============= SERVICES / DRIVERS ===============

.

R0 FancyCcV;FancyCache Driver For Volume;C:\Windows\System32\Drivers\rxfcv.sys [2012-12-20 129984]

R1 aswKbd;aswKbd;C:\Windows\System32\Drivers\aswKbd.sys [2012-12-20 21136]

R1 aswSP;aswSP;C:\Windows\System32\Drivers\aswSP.sys [2012-12-20 370288]

R1 SABI;SAMSUNG Kernel Driver For Windows 7;C:\Windows\System32\Drivers\SABI.sys [2012-11-5 13824]

R2 aswFsBlk;aswFsBlk;C:\Windows\System32\Drivers\aswFsBlk.sys [2012-12-20 25232]

R2 aswMonFlt;aswMonFlt;C:\Windows\System32\Drivers\aswMonFlt.sys [2012-12-20 71600]

R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-12-20 44808]

R3 bcbtums;Bluetooth USB LD Filter;C:\Windows\System32\Drivers\bcbtums.sys [2012-12-18 169240]

R3 btwampfl;btwampfl Bluetooth filter driver;C:\Windows\System32\Drivers\btwampfl.sys [2012-12-18 161144]

R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\Drivers\btwl2cap.sys [2012-12-18 40248]

R3 yukonw8;NDIS6.3 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\Drivers\yk63x64.sys [2012-10-2 295792]

S1 aswSnx;aswSnx;C:\Windows\System32\Drivers\aswSnx.sys [2012-12-20 984144]

S3 BcmBtRSupport;Bluetooth Radio Control Service;C:\Windows\System32\BtwRSupportService.exe [2012-12-18 2227992]

S3 BthHFAud;Bluetooth Hands-Free;C:\Windows\System32\Drivers\BthHfAud.sys [2012-11-6 30720]

S3 BthHFSrv;Bluetooth Handsfree Service;C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [2012-11-6 29696]

S3 BthLEEnum;Bluetooth Low Energy Driver;C:\Windows\System32\Drivers\BthLEEnum.sys [2012-7-26 202752]

S3 DIRECTIO;DIRECTIO;C:\Program Files\PerformanceTest\DirectIo64.sys [2012-11-5 25704]

S3 GenericMount;Generic Mount Driver;C:\Windows\System32\Drivers\GenericMount.sys [2010-2-12 66608]

S3 NdisImPlatformMp;Microsoft Network Adapter Multiplexor Driver;C:\Windows\System32\Drivers\NdisImPlatform.sys [2012-7-26 126464]

S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE [2012-10-1 178824]

S3 RichVideo64;Cyberlink RichVideo64 Service(CRVS);C:\Program Files\CyberLink\Shared files\RichVideo64.exe [2012-11-23 390672]

S3 RT-USB;Ross-Tech USB driver;C:\Windows\System32\Drivers\RT-USB64.SYS [2010-6-16 70984]

S3 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2012-12-5 92632]

S3 vmbusr;Virtual Machine Bus Provider;C:\Windows\System32\Drivers\vmbusr.sys [2012-7-26 117248]

S3 WUDFWpdMtp;WUDFWpdMtp;C:\Windows\System32\Drivers\WUDFRd.sys [2012-7-26 198656]

.

=============== File Associations ===============

.

FileExt: .txt: textfile="C:\Program Files (x86)\Windows NT\Accessories\WORDPAD.EXE" "%1" [userChoice]

FileExt: .vbs: VBSFile="C:\Windows\System32\WScript.exe" "%1" %* [userChoice]

.

=============== Created Last 30 ================

.

2012-12-20 19:59:45 984144 ----a-w- C:\Windows\System32\drivers\aswSnx.sys

2012-12-20 19:59:45 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys

2012-12-20 19:59:45 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys

2012-12-20 19:59:45 21136 ----a-w- C:\Windows\System32\drivers\aswKbd.sys

2012-12-20 19:59:37 41224 ----a-w- C:\Windows\avastSS.scr

2012-12-20 19:35:13 46080 ----a-w- C:\Windows\System32\atmlib.dll

2012-12-20 19:35:13 362496 ----a-w- C:\Windows\System32\atmfd.dll

2012-12-20 19:35:13 35328 ----a-w- C:\Windows\SysWow64\atmlib.dll

2012-12-20 19:35:13 300032 ----a-w- C:\Windows\SysWow64\atmfd.dll

2012-12-20 18:44:10 21440 ----a-w- C:\Windows\System32\drivers\rxbsknl.sys

2012-12-20 18:44:10 129984 ----a-w- C:\Windows\System32\drivers\rxfcv.sys

2012-12-20 18:44:09 -------- d-----w- C:\Program Files\FancyCache For Volume (Beta)

2012-12-20 14:15:16 215144 ----a-r- C:\Windows\pw32a.dll

2012-12-20 13:30:51 -------- d-----w- C:\Users\Philippe\AppData\Roaming\Symantec

2012-12-20 13:30:51 -------- d-----w- C:\Users\Philippe\AppData\Local\Symantec_Corporation

2012-12-20 13:23:43 503808 ----a-w- C:\Windows\SysWow64\MSVCP71.DLL

2012-12-20 13:23:43 348160 ----a-w- C:\Windows\SysWow64\MSVCR71.DLL

2012-12-20 13:23:43 1060864 ----a-w- C:\Windows\SysWow64\MFC71.DLL

2012-12-20 13:23:41 -------- d-----w- C:\Program Files (x86)\Symantec

2012-12-20 13:20:10 34152 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys

2012-12-20 13:20:10 126312 ----a-w- C:\Windows\System32\GEARAspi64.dll

2012-12-20 13:20:10 107368 ----a-w- C:\Windows\SysWow64\GEARAspi.dll

2012-12-20 13:19:52 -------- d-----w- C:\ProgramData\Symantec

2012-12-20 13:19:52 -------- d-----w- C:\ProgramData\{1C6FDDD8-FC9E-4C12-9FA5-1AAD377097B3}

2012-12-20 13:11:16 -------- d-sh--w- C:\Windows\ftpcache

2012-12-20 13:06:56 -------- d-----w- C:\Program Files (x86)\Samsung SSD Magician

2012-12-20 08:54:00 -------- d-----w- C:\Users\Philippe\AppData\Roaming\tixati

2012-12-20 08:53:47 -------- d-----w- C:\Program Files\tixati

2012-12-20 06:48:30 -------- d-----w- C:\Users\Philippe\AppData\Roaming\deluge

2012-12-20 03:55:48 -------- d-----w- C:\Program Files\VideoLAN

2012-12-19 23:57:07 -------- d-----w- C:\Program Files\CCleaner

2012-12-19 23:27:58 -------- d-----w- C:\Users\Philippe\AppData\Local\Apps

2012-12-19 22:24:03 -------- d-----w- C:\Windows\explorer7

2012-12-19 00:30:59 -------- d-----w- C:\Program Files (x86)\Edxor

2012-12-18 17:11:27 -------- d-----w- C:\Program Files (x86)\TomTom HOME 2

2012-12-18 16:56:48 -------- d-----w- C:\Users\Philippe\AppData\Local\Broadcom

2012-12-18 16:56:45 161144 ----a-w- C:\Windows\System32\drivers\btwampfl.sys

2012-12-18 16:55:20 2231064 ----a-w- C:\Windows\System32\BcmBtRSupport.dll

2012-12-18 16:55:20 2227992 ----a-w- C:\Windows\System32\BtwRSupportService.exe

2012-12-18 16:55:17 40248 ----a-w- C:\Windows\System32\drivers\btwl2cap.sys

2012-12-18 16:55:17 226680 ----a-w- C:\Windows\System32\drivers\btwavdt.sys

2012-12-18 16:55:17 20856 ----a-w- C:\Windows\System32\drivers\btwrchid.sys

2012-12-18 16:55:17 186136 ----a-w- C:\Windows\System32\drivers\btwaudio.sys

2012-12-18 16:55:16 169240 ----a-w- C:\Windows\System32\drivers\bcbtums.sys

2012-12-18 16:54:52 -------- d-----w- C:\Program Files\WIDCOMM

2012-12-18 10:47:07 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard

2012-12-18 10:15:22 890880 ----a-w- C:\Windows\SysWow64\msctf.dll

2012-12-18 10:15:22 707584 ----a-w- C:\Windows\System32\AppXDeploymentExtensions.dll

2012-12-18 10:15:22 1131520 ----a-w- C:\Windows\System32\AppXDeploymentServer.dll

2012-12-18 10:15:22 1120768 ----a-w- C:\Windows\System32\msctf.dll

2012-12-18 10:13:59 98304 ----a-w- C:\Windows\System32\wudriver.dll

2012-12-18 09:05:17 -------- d-----w- C:\Users\Philippe\AppData\Roaming\Mp3tag

2012-12-18 09:02:35 -------- d-----w- C:\Program Files (x86)\Mp3tag

2012-12-18 07:22:05 -------- d-----w- C:\ProgramData\PRICache

2012-12-18 06:36:12 16114176 ----a-w- C:\Program Files\Common Files\Microsoft Shared\Microsoft Camera Codec Pack\MicrosoftRawCodec.dll

2012-12-18 06:36:11 15541248 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\Microsoft Camera Codec Pack\MicrosoftRawCodec.dll

2012-12-18 05:42:53 144384 ----a-w- C:\Windows\System32\tssdisai.dll

2012-12-18 05:37:51 778856 ----a-w- C:\Windows\SysWow64\PresentationNative_v0300.dll

2012-12-18 05:37:51 35400 ----a-w- C:\Windows\SysWow64\TsWpfWrp.exe

2012-12-18 05:37:50 102528 ----a-w- C:\Windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll

2012-12-18 05:37:48 35400 ----a-w- C:\Windows\System32\TsWpfWrp.exe

2012-12-18 05:37:48 124040 ----a-w- C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll

2012-12-18 05:37:48 1166440 ----a-w- C:\Windows\System32\PresentationNative_v0300.dll

2012-12-18 01:04:17 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-12-18 01:04:17 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-12-17 23:35:15 222451 ----a-w- C:\ProgramData\1355787274.bdinstall.bin

2012-12-17 22:50:02 457123 ----a-w- C:\ProgramData\1355784441.bdinstall.bin

2012-12-17 22:49:04 511328 ----a-w- C:\Windows\capicom.dll

2012-12-17 22:22:30 391467 ----a-w- C:\ProgramData\1355782599.bdinstall.bin

2012-12-17 22:14:15 54665 ----a-w- C:\ProgramData\1355782447.bdinstall.bin

2012-12-17 22:13:53 254879 ----a-w- C:\ProgramData\1355782403.bdinstall.bin

2012-12-17 21:33:28 625502 ----a-w- C:\ProgramData\1355779774.bdinstall.bin

2012-12-17 21:30:08 -------- d-----w- C:\Users\Philippe\AppData\Roaming\QuickScan

2012-12-17 19:51:29 -------- d-----w- C:\Users\Philippe\AppData\Roaming\Malwarebytes

2012-12-17 19:50:17 -------- d-----w- C:\ProgramData\Malwarebytes

2012-12-17 17:10:34 -------- d-----w- C:\ProgramData\AVAST Software

2012-12-17 17:10:34 -------- d-----w- C:\Program Files\AVAST Software

2012-12-17 00:11:18 -------- d--h--w- C:\ProgramData\Common Files

2012-12-15 17:52:46 -------- d-----w- C:\Program Files\Core Temp

2012-12-15 16:16:09 -------- d-----w- C:\Program Files (x86)\MyTomTom 3

2012-12-15 15:21:07 -------- d-----w- C:\ProgramData\FlashFXP

2012-12-15 15:21:04 -------- d-----w- C:\Program Files (x86)\FlashFXP 4

2012-12-15 14:22:32 -------- d-----w- C:\Users\Philippe\AppData\Roaming\TomTom

2012-12-15 14:22:32 -------- d-----w- C:\Users\Philippe\AppData\Local\TomTom

2012-12-15 13:56:27 -------- d-----w- C:\Users\Philippe\AppData\Local\Downloaded Installations

2012-12-13 19:06:30 -------- d-----w- C:\Windows\System32\ShellExt

2012-12-13 19:06:29 -------- d-----w- C:\Windows\SysWow64\ShellExt

2012-12-05 21:20:45 -------- d-----w- C:\Users\Philippe\AppData\Local\QuickPar

2012-12-05 20:05:26 -------- d-----w- C:\Program Files (x86)\QuickPar

2012-12-05 15:53:48 -------- d-----w- C:\Users\Philippe\AppData\Local\Alt.Binz

2012-12-05 15:53:46 -------- d-----w- C:\Program Files (x86)\Alt.Binz

2012-12-05 01:08:16 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll

2012-12-02 15:00:07 -------- d-----w- C:\Users\Philippe\AppData\Roaming\IrfanView

2012-12-02 15:00:07 -------- d-----w- C:\Program Files (x86)\IrfanView

2012-11-29 15:17:15 -------- d-----w- C:\Program Files (x86)\Elaborate Bytes

2012-11-29 14:01:56 -------- d-----w- C:\Windows\SSuite Office Installations

2012-11-26 14:26:26 1075712 ----a-w- C:\Windows\System32\drivers\WlanGZG.sys

2012-11-26 06:31:03 -------- d-----w- C:\Users\Philippe\AppData\Local\Plus500

2012-11-26 06:31:03 -------- d-----w- C:\Program Files (x86)\Plus500

2012-11-26 05:30:07 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server

2012-11-26 05:29:42 -------- d-----w- C:\Windows\PCHEALTH

2012-11-26 05:29:42 -------- d-----w- C:\Program Files\Microsoft SQL Server

2012-11-26 05:27:08 -------- d-----w- C:\Program Files\Microsoft Analysis Services

2012-11-26 05:27:08 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services

2012-11-26 05:26:57 -------- d-----w- C:\Users\Philippe\AppData\Local\Microsoft Help

2012-11-24 16:01:04 1721576 ----a-w- C:\Windows\System32\WdfCoInstaller01009.dll

2012-11-24 16:01:03 229176 ----a-w- C:\Windows\System32\SynTPAPI.dll

2012-11-24 16:01:03 177976 ----a-w- C:\Windows\System32\SynTPCo14.dll

2012-11-24 16:01:03 113976 ----a-w- C:\Windows\SysWow64\SynTPCOM.dll

2012-11-24 16:01:02 461624 ----a-w- C:\Windows\System32\drivers\SynTP.sys

2012-11-24 16:01:00 539960 ----a-w- C:\Windows\SysWow64\SynCOM.dll

2012-11-24 16:01:00 1048576 ----a-w- C:\Windows\System32\syndata.bin

2012-11-24 16:01:00 1048376 ----a-w- C:\Windows\System32\SynCOM.dll

2012-11-23 16:35:16 -------- d-----w- C:\ProgramData\install_clap

2012-11-23 16:04:49 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin7.dll

2012-11-23 16:04:49 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin6.dll

2012-11-23 16:04:49 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin5.dll

2012-11-23 16:04:49 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin4.dll

2012-11-23 16:04:49 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin3.dll

2012-11-23 16:04:49 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin2.dll

2012-11-23 16:04:49 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin.dll

2012-11-23 16:03:49 -------- d-----w- C:\Users\Philippe\AppData\Local\Apple

2012-11-23 15:44:23 -------- d-----w- C:\Users\Philippe\AppData\Roaming\NVIDIA

2012-11-22 00:26:33 -------- d-----w- C:\Users\Philippe\AppData\Local\CANON_INC

2012-11-22 00:25:14 -------- d-----w- C:\Program Files (x86)\Common Files\Canon_Inc_IC

2012-11-22 00:24:59 -------- d-----w- C:\ProgramData\Canon_Inc_IC

2012-11-22 00:21:35 -------- d-----w- C:\Program Files (x86)\Canon

2012-11-21 18:50:44 -------- d-----w- C:\Program Files (x86)\VAG-COM

.

==================== Find3M ====================

.

2012-11-29 23:06:06 80736 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-11-29 23:06:06 695648 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-11-28 04:21:17 44032 ----a-w- C:\Windows\SysWow64\UXInit.dll

2012-11-28 04:20:59 53760 ----a-w- C:\Windows\System32\UXInit.dll

2012-11-20 08:00:23 6971624 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-11-20 05:24:19 1164800 ----a-w- C:\Windows\SysWow64\Display.dll

2012-11-20 05:24:17 36352 ----a-w- C:\Windows\SysWow64\DevDispItemProvider.dll

2012-11-20 05:17:23 1184256 ----a-w- C:\Windows\System32\Display.dll

2012-11-20 05:17:20 49152 ----a-w- C:\Windows\System32\DevDispItemProvider.dll

2012-11-20 05:02:46 6656 ----a-w- C:\Windows\SysWow64\KBDKURD.DLL

2012-11-20 04:59:26 7168 ----a-w- C:\Windows\System32\KBDKURD.DLL

2012-11-20 04:56:27 27136 ----a-w- C:\Windows\System32\drivers\usbohci.sys

2012-11-20 04:56:11 83456 ----a-w- C:\Windows\System32\drivers\hidclass.sys

2012-11-20 04:54:31 39936 ----a-w- C:\Windows\System32\drivers\hidi2c.sys

2012-11-15 06:08:41 2706432 ----a-w- C:\Windows\System32\mshtml.tlb

2012-11-15 06:06:34 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-11-10 04:23:25 132608 ----a-w- C:\Windows\SysWow64\poqexec.exe

2012-11-10 04:23:18 148480 ----a-w- C:\Windows\System32\poqexec.exe

2012-11-10 04:22:40 122880 ----a-w- C:\Windows\System32\VmHostAI.dll

2012-11-10 04:22:14 126976 ----a-w- C:\Windows\System32\RDWebAI.dll

2012-11-10 04:20:20 135680 ----a-w- C:\Windows\System32\appserverai.dll

2012-11-09 04:49:51 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-11-09 04:03:48 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-11-08 04:25:36 523776 ----a-w- C:\Windows\SysWow64\WSShared.dll

2012-11-08 04:25:36 143872 ----a-w- C:\Windows\SysWow64\Windows.ApplicationModel.Store.dll

2012-11-08 04:25:36 124928 ----a-w- C:\Windows\SysWow64\Windows.ApplicationModel.Store.TestingFramework.dll

2012-11-08 04:25:35 1775104 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-11-08 04:24:27 2881536 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-11-08 04:24:22 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll

2012-11-08 04:24:22 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll

2012-11-08 04:24:19 75776 ----a-w- C:\Windows\SysWow64\fontsub.dll

2012-11-08 04:24:06 10752 ----a-w- C:\Windows\SysWow64\dciman32.dll

2012-11-08 04:22:21 641536 ----a-w- C:\Windows\System32\WSShared.dll

2012-11-08 04:22:20 198656 ----a-w- C:\Windows\System32\Windows.ApplicationModel.Store.dll

2012-11-08 04:22:20 163840 ----a-w- C:\Windows\System32\Windows.ApplicationModel.Store.TestingFramework.dll

2012-11-08 04:22:19 2246656 ----a-w- C:\Windows\System32\wininet.dll

2012-11-08 04:22:12 907776 ----a-w- C:\Windows\System32\uxtheme.dll

2012-11-08 04:21:00 3966464 ----a-w- C:\Windows\System32\jscript9.dll

2012-11-08 04:20:56 67072 ----a-w- C:\Windows\System32\iesetup.dll

2012-11-08 04:20:56 136704 ----a-w- C:\Windows\System32\iesysprep.dll

2012-11-08 04:20:50 96256 ----a-w- C:\Windows\System32\fontsub.dll

2012-11-08 04:20:37 14336 ----a-w- C:\Windows\System32\dciman32.dll

2012-11-08 04:02:16 3072 ----a-w- C:\Windows\System32\lpk.dll

2012-11-08 04:01:40 3072 ----a-w- C:\Windows\SysWow64\lpk.dll

2012-11-08 03:59:49 4056576 ----a-w- C:\Windows\System32\win32k.sys

2012-11-08 01:56:52 534528 ----a-w- C:\Windows\SysWow64\uxtheme.dll

2012-11-06 07:52:07 445160 ----a-w- C:\Windows\System32\drivers\USBHUB3.SYS

2012-11-06 07:52:04 277736 ----a-w- C:\Windows\System32\drivers\msiscsi.sys

2012-11-06 07:36:23 69864 ----a-w- C:\Windows\System32\drivers\pdc.sys

2012-11-06 07:36:14 96488 ----a-w- C:\Windows\System32\drivers\wfplwfs.sys

2012-11-06 07:35:34 194280 ----a-w- C:\Windows\System32\drivers\sdbus.sys

2012-11-06 07:35:31 124648 ----a-w- C:\Windows\System32\drivers\dumpsd.sys

2012-11-06 07:33:46 522640 ----a-w- C:\Windows\System32\AUDIOKSE.dll

2012-11-06 07:33:46 253512 ----a-w- C:\Windows\System32\audiodg.exe

2012-11-06 07:33:45 490064 ----a-w- C:\Windows\System32\AudioEng.dll

2012-11-06 07:33:45 447792 ----a-w- C:\Windows\System32\AudioSes.dll

2012-11-06 07:33:30 1566432 ----a-w- C:\Windows\System32\ole32.dll

2012-11-06 05:00:06 463768 ----a-w- C:\Windows\SysWow64\AUDIOKSE.dll

2012-11-06 05:00:06 427568 ----a-w- C:\Windows\SysWow64\AudioEng.dll

2012-11-06 05:00:06 324344 ----a-w- C:\Windows\SysWow64\AudioSes.dll

2012-11-06 04:48:27 1150160 ----a-w- C:\Windows\SysWow64\ole32.dll

2012-11-06 04:19:59 470016 ----a-w- C:\Windows\System32\wlanmsm.dll

2012-11-06 04:18:58 84992 ----a-w- C:\Windows\SysWow64\fdWCN.dll

2012-11-06 04:17:58 110080 ----a-w- C:\Windows\System32\dafWCN.dll

2012-11-06 04:17:44 718848 ----a-w- C:\Windows\System32\BFE.DLL

2012-11-06 04:17:43 2302464 ----a-w- C:\Windows\System32\authui.dll

2012-11-06 04:17:42 785920 ----a-w- C:\Windows\System32\audiosrv.dll

2012-11-06 04:17:41 169472 ----a-w- C:\Windows\System32\AudioEndpointBuilder.dll

2012-11-06 04:17:35 2146816 ----a-w- C:\Windows\System32\actxprxy.dll

2012-11-06 04:17:33 322560 ----a-w- C:\Windows\System32\aaclient.dll

2012-11-06 04:17:32 212992 ----a-w- C:\Windows\System32\bthprops.cpl

2012-11-06 04:00:44 99328 ----a-w- C:\Windows\System32\wushareduxresources.dll

2012-11-06 04:00:17 16384 ----a-w- C:\Windows\System32\iscsilog.dll

2012-11-06 03:58:53 9728 ----a-w- C:\Windows\System32\wlanhlp.dll

2012-11-06 03:56:35 9728 ----a-w- C:\Windows\SysWow64\wlanhlp.dll

2012-11-06 03:55:44 22528 ----a-w- C:\Windows\System32\drivers\fxppm.sys

2012-11-06 03:55:09 212992 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys

2012-11-06 03:55:02 90624 ----a-w- C:\Windows\System32\drivers\amdk8.sys

2012-11-06 03:55:02 89088 ----a-w- C:\Windows\System32\drivers\intelppm.sys

2012-11-06 03:55:02 88064 ----a-w- C:\Windows\System32\drivers\amdppm.sys

2012-11-06 03:55:02 87552 ----a-w- C:\Windows\System32\drivers\processr.sys

2012-11-06 03:54:40 74752 ----a-w- C:\Windows\System32\drivers\BTHUSB.SYS

2012-11-06 03:54:09 859136 ----a-w- C:\Windows\System32\drivers\http.sys

2012-11-06 03:53:56 51712 ----a-w- C:\Windows\System32\drivers\bthenum.sys

2012-11-06 03:53:44 560640 ----a-w- C:\Windows\System32\drivers\afd.sys

2012-11-06 03:53:12 1171968 ----a-w- C:\Windows\System32\drivers\bthport.sys

2012-11-06 03:52:49 366080 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys

2012-11-06 03:51:47 665600 ----a-w- C:\Windows\SysWow64\KernelBase.dll

2012-11-05 09:39:46 21712 ----a-w- C:\Windows\SysWow64\drivers\DrvAgent64.SYS

2012-11-03 05:26:59 132096 ----a-w- C:\Windows\System32\sysreset.exe

2012-11-03 05:26:40 34816 ----a-w- C:\Windows\System32\dpnsvr.exe

2012-11-03 05:26:12 32256 ----a-w- C:\Windows\SysWow64\dpnsvr.exe

2012-11-03 05:25:40 945152 ----a-w- C:\Windows\System32\resetengmig.dll

2012-11-03 05:25:40 375808 ----a-w- C:\Windows\SysWow64\ReAgent.dll

2012-11-03 05:25:40 1009664 ----a-w- C:\Windows\System32\reseteng.dll

2012-11-03 05:25:39 443392 ----a-w- C:\Windows\System32\ReAgent.dll

2012-11-03 05:24:34 8192 ----a-w- C:\Windows\SysWow64\dpnhupnp.dll

2012-11-03 05:24:34 8192 ----a-w- C:\Windows\SysWow64\dpnhpast.dll

2012-11-03 05:24:34 58880 ----a-w- C:\Windows\SysWow64\dpnathlp.dll

2012-11-03 05:24:34 375808 ----a-w- C:\Windows\SysWow64\dpnet.dll

.

============= FINISH: 22:34:37.04 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 8 Pro

Boot Device: \Device\HarddiskVolume1

Install Date: 11/5/2012 1:22:28

System Uptime: 12/20/2012 20:46:17 (2 hours ago)

.

Motherboard: SAMSUNG ELECTRONICS CO., LTD. | | R510/P510

Processor: Intel® Core2 Duo CPU P8400 @ 2.26GHz | U2E1 | 2267/mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 49 GiB total, 26.441 GiB free.

D: is FIXED (NTFS) - 189 GiB total, 107.331 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}

Description: USB Video Device

Device ID: USB\VID_0AC8&PID_C302&MI_00\6&3295EB3&0&0000

Manufacturer: Microsoft

Name: Vega USB 2.0 Camera.

PNP Device ID: USB\VID_0AC8&PID_C302&MI_00\6&3295EB3&0&0000

Service: usbvideo

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Adobe AIR

Adobe Flash Player 11 Plugin

Adobe Reader XI

AIDA64 Extreme Edition v2.70

Alt.Binz 0.39.4

AMIP (remove only)

Apple Application Support

Apple Software Update

avast! Pro Antivirus

BS.Player FREE

Canon Utilities Digital Photo Professional 1.0

Canon Utilities EOS Utility

CCleaner

Core Temp 1.0 RC4

CyberLink PowerDirector 11

Easy Display Manager

EDXOR

Ex7forW8

FancyCache For Volume (Beta) 0.8.0

FlashFXP v4.2

Google Earth

Google Update Helper

HashCheck Shell Extension (x86-32)

HashCheck Shell Extension (x86-64)

HD Tune Pro 5.00

ImgBurn

IrfanView (remove only)

Malwarebytes Anti-Malware version 1.65.1.1000

Microsoft .NET Compact Framework 3.5

Microsoft Access MUI (English) 2013

Microsoft Access Setup Metadata MUI (English) 2013

Microsoft DCF MUI (English) 2013

Microsoft Excel MUI (English) 2013

Microsoft Groove MUI (English) 2013

Microsoft InfoPath MUI (English) 2013

Microsoft Lync MUI (English) 2013

Microsoft Office 32-bit Components 2013

Microsoft Office OSM MUI (English) 2013

Microsoft Office OSM UX MUI (English) 2013

Microsoft Office Professional Plus 2013

Microsoft Office Proofing (English) 2013

Microsoft Office Proofing Tools 2013 - English

Microsoft Office Proofing Tools 2013 - Español

Microsoft Office Shared 32-bit MUI (English) 2013

Microsoft Office Shared MUI (English) 2013

Microsoft Office Shared Setup Metadata MUI (English) 2013

Microsoft OneNote MUI (English) 2013

Microsoft Outlook MUI (English) 2013

Microsoft PowerPoint MUI (English) 2013

Microsoft Publisher MUI (English) 2013

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable (x64)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft Word MUI (English) 2013

Mozilla Firefox 17.0.1 (x86 en-US)

Mozilla Maintenance Service

Mp3tag v2.53

MyTomTom 3.2.0.802

NVIDIA Control Panel 310.33

NVIDIA Graphics Driver 310.33

NVIDIA HD Audio Driver 1.3.18.0

NVIDIA Install Application

NVIDIA PhysX

NVIDIA PhysX System Software 9.12.0904

NVIDIA Update 1.11.3

NVIDIA Update Components

PerformanceTest v8.0

Picasa 3

Plus500

PowerDirector

QuickPar 0.9

QuickTime

Samsung SSD Magician

SoulSeek 157 NS 13e

Synaptics Pointing Device Driver

Tixati

TomTom HOME

TomTom HOME Visual Studio Merge Modules

Trillian

VirtualCloneDrive

Visual Studio 2010 x64 Redistributables

Visual Studio C++ 10.0 Runtime

VLC media player 2.0.5

WIDCOMM Bluetooth Software

Winamp

Windows 8 Manager

Windows Driver Package - Ross-Tech USB Driver Package (06/16/2010 2.06.02)

WinPcap 4.1.2

WinRAR 4.20 (64-bit)

.

==== Event Viewer Messages From Past Week ========

.

12/20/2012 20:46:31, Error: Service Control Manager [7001] - The Network Connectivity Assistant service depends on the IP Helper service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

12/20/2012 20:46:29, Error: Service Control Manager [7000] - The UAC File Virtualization service failed to start due to the following error: This driver has been blocked from loading

12/20/2012 19:59:17, Error: Service Control Manager [7031] - The avast! Antivirus service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

12/20/2012 18:59:13, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

12/20/2012 18:59:13, Error: Service Control Manager [7024] -

12/20/2012 15:29:44, Error: Service Control Manager [7001] - The COM+ System Application service depends on the System Event Notification Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

12/20/2012 15:29:44, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service COMSysApp with arguments "Unavailable" in order to run the server: {182C40F0-32E4-11D0-818B-00A0C9231C29}

12/20/2012 1:49:04, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service COMSysApp with arguments "Unavailable" in order to run the server: {ECABAFB9-7F19-11D2-978E-0000F8757E2A}

12/20/2012 1:48:35, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service COMSysApp with arguments "Unavailable" in order to run the server: {ECABAFBC-7F19-11D2-978E-0000F8757E2A}

12/19/2012 22:46:53, Error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

12/19/2012 22:13:06, Error: Service Control Manager [7031] - The Software Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

12/19/2012 21:08:42, Error: Service Control Manager [7001] - The Internet Connection Sharing (ICS) service depends on the Base Filtering Engine service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

12/19/2012 20:42:00, Error: Service Control Manager [7001] - The IKE and AuthIP IPsec Keying Modules service depends on the Base Filtering Engine service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

12/19/2012 20:37:51, Error: Service Control Manager [7038] - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: The user name or password is incorrect. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

12/19/2012 20:37:51, Error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

12/19/2012 17:50:46, Error: Microsoft-Windows-Kernel-Power [137] - The system firmware has changed the processor's memory type range registers (MTRRs) across a sleep state transition (S4). This can result in reduced resume performance.

12/18/2012 8:02:43, Error: Service Control Manager [7034] - The Stardock Start8 service terminated unexpectedly. It has done this 1 time(s).

12/18/2012 18:11:31, Error: Service Control Manager [7030] - The TomTomHOMEService service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

12/18/2012 12:07:29, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

12/18/2012 11:04:10, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64 based Systems (KB2769166).

12/18/2012 11:04:10, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Microsoft .NET Framework 3.5 on Windows 8 and Windows Server 2012 for x64-based Systems (KB2729462).

12/18/2012 11:04:09, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Update for Windows 8 for x64-based Systems (KB2779768).

.

==== End Of File ===========================

Edited by Maurice Naggar
Logs put In-line

Here is the checkup.txt. Maybe I should say I'm running Avast too, but I've reinstalled it a couple of times.

Results of screen317's Security Check version 0.99.56

x64 (UAC is disabled!)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Security Center service is not running! This report may not be accurate!

Windows Defender

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Adobe Flash Player 11.5.502.110

Adobe Reader XI

Mozilla Firefox (17.0.1)

````````Process Check: objlist.exe by Laurent````````

AVAST Software Avast AvastSvc.exe

AVAST Software Avast AvastUI.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: %

````````````````````End of Log``````````````````````

Edited by Maurice Naggar

Hello Philipp,

This needs to be done on the Desktop side of Windows 8 (as do almost all other steps). If you will recall, pressing the Windows key + D will get you to the DESKTOP.

Windows services

This will be a batch fix.

  • Press the Windows key + R on the keyboard to get the RUN option.
  • In the RUN box, type notepad and press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into NOTEPAD.
    @Echo off
    REM Must run from an elevated (Run as administrator) prompt: sc config / sc start need it.
    REM Stop Windows Update and BITS first so their start types can be changed cleanly.
    sc stop wuauserv
    sc stop bits
    REM Reset the start type of each core service. Note the space after "start=",
    REM which sc.exe requires. Values: auto, delayed-auto, manual.
    sc config dcomlaunch start= auto
    sc config nsi start= auto
    sc config dhcp start= auto
    sc config rpcss start= auto
    sc config winmgmt start= auto
    sc config wscsvc start= delayed-auto
    sc config bits start= delayed-auto
    sc config wuauserv start= manual
    sc config sdrsvc start= manual
    sc config vss start= manual
    sc config eventlog start= auto
    sc config bfe start= auto
    sc config eventsystem start= auto
    REM Start the ones needed right away (Security Center and Windows Update depend on them).
    REM Anything still stopped after the reboot will show up in the Services snap-in.
    sc start sdrsvc
    sc start vss
    sc start rpcss
    sc start eventsystem
    sc start bfe
    sc start bits
    sc start wuauserv
    REM Reboot after one second, then delete this batch file (%0 is its own path).
    shutdown -r -t 1
    del %0


  • Select File -> Save AS.
  • Press the Desktop button on the left side of the save dialog.
  • In the File name box, type in Fix.bat.
  • Press Save.
  • Close Notepad.
  • Right click Fix.bat on your desktop, and choose Run as administrator.
  • Press Yes if prompted by User Account Control.

This procedure will do its tasks and then it will Restart Windows.

Let me know after this is completed. There will be more to follow.

Edited by Maurice Naggar
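Because Fix.bat reboots the machine and then deletes itself, nothing records what it actually changed. The following PowerShell script is an added example, not Maurice's code and not part of the original post: on its first run it writes a baseline of every service's start mode, state, logon account and binary path to the Desktop; on its second run, after Fix.bat and the reboot, it lists every service whose configuration differs from that baseline. It assumes PowerShell 3 or later (the Windows 8 default) and an elevated prompt; the file names services-before.csv and services-after.csv are my choice.

```powershell
# Added example (not part of the original post). First run: write a baseline of
# every service's configuration. Second run, after Fix.bat and the reboot: show
# what changed. Requires PowerShell 3+ (Windows 8 default); run elevated.
$dir    = Join-Path $env:USERPROFILE 'Desktop'
$before = Join-Path $dir 'services-before.csv'   # file names are my choice
$after  = Join-Path $dir 'services-after.csv'
$fields = 'StartMode', 'State', 'StartName', 'PathName'

function Get-ServiceSnapshot {
    # StartMode/State are what Fix.bat changes; StartName and PathName catch a
    # service whose logon account or binary was swapped underneath it.
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, StartMode, State, StartName, PathName |
        Sort-Object Name
}

if (-not (Test-Path -LiteralPath $before)) {
    Get-ServiceSnapshot | Export-Csv -LiteralPath $before -NoTypeInformation
    Write-Output "Baseline written to $before. Run Fix.bat, reboot, then run this script again."
    return
}

Get-ServiceSnapshot | Export-Csv -LiteralPath $after -NoTypeInformation
$old = @(Import-Csv -LiteralPath $before)
$new = @(Import-Csv -LiteralPath $after)

$oldByName = @{}
foreach ($s in $old) { $oldByName[$s.Name] = $s }
$newNames = @{}
foreach ($s in $new) { $newNames[$s.Name] = $true }

$changes = @()
foreach ($s in $new) {
    $o = $oldByName[$s.Name]
    if (-not $o) {
        # A service that did not exist at baseline time deserves a close look.
        $changes += [pscustomobject]@{ Name = $s.Name; Field = '(new service)'; Before = ''; After = $s.PathName }
        continue
    }
    foreach ($f in $fields) {
        if ($o.$f -ne $s.$f) {
            $changes += [pscustomobject]@{ Name = $s.Name; Field = $f; Before = $o.$f; After = $s.$f }
        }
    }
}
foreach ($s in $old) {
    if (-not $newNames.ContainsKey($s.Name)) {
        $changes += [pscustomobject]@{ Name = $s.Name; Field = '(removed)'; Before = $s.PathName; After = '' }
    }
}

if ($changes.Count -eq 0) {
    Write-Output 'No service configuration changes between the two snapshots.'
} else {
    $changes | Sort-Object Name, Field | Format-Table -AutoSize
}
```

Expect the StartMode and State rows for the services named in Fix.bat. Anything else in the output, in particular a PathName or StartName change, a service that appears only in the second snapshot, or a service that went back to Disabled on its own after the reboot, is the kind of thing that put the second sppsvc.exe on the map in the first place and should be looked at before continuing.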

Hey, thanks for the file. I ran it and the services seem to start fine. There are 2 other things that I find peculiar and may relate to this trojan: in the Windows event logs it can't find the following sub-logs:

Microsoft-Windows-Security-SPP-UX/Analytic

Microsoft-Windows-Security-Vault/Performance

Microsoft-Windows-SendTo/Diagnostic

And the main security "error" I get in the event log is that the driver for the UAC is blocked from starting even though I disabled the UAC in the control panel; the driver shouldn't be blocked completely, I think.


I would strongly urge you to set User Account Control back on! You do have to have it on, as Windows 8 needs it.

Save and close any work documents, close any apps that you started.

Temporarily turn off (disable) your antivirus program

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Start your MalwareBytes' Anti-Malware (MBAM).

Click the Settings tab and then the General Settings sub-tab. Make sure all option lines have a checkmark.

Then click the Scanner Settings sub-tab in the second row of tabs. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

If prompted for a Restart, do that.

When done, click the Scanner tab.

Do a Full Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

When all done, Copy & paste the MBAM scan log into a new reply.

Tell me, How is the system ?

Re-enable your antivirus program.


I'm sorry, but I can't turn on any UAC settings. I'm not a desktop user and I'm testing custom scripts and batches for new drivers; I already have problems running them on a user account with admin privileges now, after I executed the batch file you gave me.

I disabled and removed the virus the minute it came on my system and saved the file in quarantine.

This whole topic was just to help Malwarebytes identify a new virus, not to strip my user accounts of admin privileges and expose my system's privacy and potential weaknesses to the world.


I fixed my admin privileges now; you can close the thread. Thanks for the effort though; I hope you have enough info to detect this malware in the future.

Maybe there can be a component in Malwarebytes that scans for system files and checks them by CRC; that way no malware can ever pretend to be a system file, even if it's not in the same location as the original system file.

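What Philipp's CRC check caught by hand, scripted, as an added example that is not part of the original thread and not Malwarebytes code: a PowerShell script that lists every service whose image has a namesake in System32 but lives somewhere else (the C:\Windows\sppsvc.exe versus C:\Windows\System32\sppsvc.exe pattern from the first post), plus any loose .exe/.dll/.sys directly under %SystemRoot% that shares a name with a System32 file, and compares size, SHA-256 and Authenticode signature against the System32 copy. It assumes PowerShell 3 or later and an elevated prompt; the function names are mine, and hashing is done with .NET directly because Get-FileHash only arrived in PowerShell 4.

```powershell
# Added example (not code from the thread). Finds files that borrow the name of a
# System32 binary but live elsewhere, the pattern seen with C:\Windows\sppsvc.exe,
# and compares them with the System32 copy. Requires PowerShell 3+; run elevated.
$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-Sha256Hex {
    # Plain .NET hashing so this also works on PowerShell 3, which lacks Get-FileHash.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Dispose(); $sha.Dispose() }
}

function Get-ServiceImagePath {
    # Win32_Service.PathName may be quoted and may carry arguments; keep only the image.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $image = if ($PathName -match '^"([^"]+)"') { $Matches[1] } else { ($PathName -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($image)
}

function Compare-WithSystem32 {
    # One report row for a suspect file and its System32 namesake.
    param([string]$Image, [string]$Origin)
    $canonical = Join-Path $sys32 (Split-Path -Leaf $Image)
    $sig = Get-AuthenticodeSignature -FilePath $Image
    [pscustomobject]@{
        Origin         = $Origin
        Image          = $Image
        SizeKB         = [math]::Round((Get-Item -LiteralPath $Image).Length / 1KB, 1)
        System32SizeKB = [math]::Round((Get-Item -LiteralPath $canonical).Length / 1KB, 1)
        SameHash       = (Get-Sha256Hex $Image) -eq (Get-Sha256Hex $canonical)
        SigStatus      = $sig.Status          # NotSigned may also mean catalog-signed; see note below
        Signer         = $sig.SignerCertificate.Subject
    }
}

$rows = @()

# 1. Services whose binary has a System32 namesake but is loaded from somewhere else.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $image = Get-ServiceImagePath $svc.PathName
    if (-not $image -or -not (Test-Path -LiteralPath $image)) { continue }
    $canonical = Join-Path $sys32 (Split-Path -Leaf $image)
    # -ne is case-insensitive, so system32 versus System32 is not a false hit.
    if ((Test-Path -LiteralPath $canonical) -and ($image -ne $canonical)) {
        $rows += Compare-WithSystem32 -Image $image -Origin "service $($svc.Name)"
    }
}

# 2. Loose executables directly under %SystemRoot% that share a name with a
#    System32 file. A few are legitimate (notepad.exe, write.exe), so the size,
#    hash and signature columns are what separate those from a 10 KB impostor.
foreach ($f in Get-ChildItem -LiteralPath $env:SystemRoot -File) {
    if ($f.Extension -notmatch '^\.(exe|dll|sys)$') { continue }
    if (Test-Path -LiteralPath (Join-Path $sys32 $f.Name)) {
        $rows += Compare-WithSystem32 -Image $f.FullName -Origin 'loose file'
    }
}

$rows | Sort-Object SameHash, SigStatus | Format-Table -AutoSize
```

Two caveats when reading the output. Many Windows binaries are catalog-signed rather than carrying an embedded signature, so older PowerShell reports them as NotSigned; a NotSigned status on the System32 copy is therefore not evidence of tampering by itself, while an unsigned, much smaller file with a different hash sitting one directory up is exactly the case from this thread. And this is a name-collision triage, not a full integrity baseline: the operating system's own catalog-based check of protected files is sfc /verifyonly, which is the closer match to the per-file CRC component Philipp asks for.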

This topic is now closed to further replies.