Jump to content

Need Help with Virus:Win64/Alureon.gen!A


NSCodeRed
 Share

Recommended Posts

I've been fighting with this thing the past few days and I know that if I don't do something soon it is probably going to get worse but I don't feel like taking my laptop somewhere unless I have to so any help I can get on here would be awesome!

 

Anyway, I have an Asus G74 that has been clean just until a few days ago when Microsoft Security Essentials picked up Virus:Win64/Alureon.gen!A. It's recommendation was of course to use their windows defender offline but I can't get my laptop to boot from any of the multiple usb's or the cd I made, and I have doubts as to whether it would work or not either.

 

I'm sure it would help if I zipped some log files on here but I don't really have any idea what or from where lol (I'm hardware savvy but not when it comes to software or the inner workings of windows. So I guess I need some help with even the first steps...

Link to post
Share on other sites

  • Replies 71
  • Created
  • Last Reply

Top Posters In This Topic

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
 
Scan with DDS

Download DDS and save it to your desktop from here or here or
here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs

DDS.txt: save to your desktop then post its contents in your topic
Attach.txt: save to your desktop then attach it to your next reply
 
 
 
Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )

    [*]Leave everything else as it is. [*]Close all other running programs as well as your Browser. [*]Click the Scan button & wait for it to finish. [*]Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. [*]Save it where you can easily find it, such as your desktop. [*]Please post the content of the ark.txt here.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Link to post
Share on other sites

I can't seem to figure out how to post the DDS.txt to my topic but here is the text from Gmer with the attach.txt from DDS attached.

 

GMER 2.1.19163 - http://www.gmer.net

Rootkit scan 2013-11-11 10:04:18

Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD75 rev.01.0 698.64GB

Running: 7qlg5su8.exe; Driver: C:\Users\Nick\AppData\Local\Temp\pxldqpoc.sys

 

 

---- Devices - GMER 2.1 ----

Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 fffffa800c7315e8

 

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800c7315e8]<< fffffa800c7315e8

Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800a811790] fffffa800a811790

Trace 3 CLASSPNP.SYS[fffff88001b9943f] -> nt!IofCallDriver -> [0xfffffa800a23a520] fffffa800a23a520

Trace 5 ACPI.sys[fffff88000f127a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800a239050] fffffa800a239050

Trace \Driver\iaStor[0xfffffa800a728b40] -> IRP_MJ_CREATE -> 0xfffffa800c7315e8 fffffa800c7315e8

 

---- Threads - GMER 2.1 ----

Thread C:\Windows\SysWOW64\regsvr32.exe [7004:6388] 000000006e3d2f10

Thread C:\Windows\SysWOW64\regsvr32.exe [7004:7132] 000000006e3d2f10

Thread C:\Windows\SysWOW64\regsvr32.exe [7004:2428] 000000006e3d2f10

Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [10160:10196] 0000000003ac2f10

Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [10160:10152] 0000000003ac2f10

Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [608:4956] 00000000034a2f10

Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [608:5852] 00000000034a2f10

Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [608:8288] 00000000034a2f10

Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [608:9916] 00000000034a2f10

Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [608:9016] 00000000034a2f10

 

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485d6021838a

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68846d15

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68846d15@fca13e3af15d 0x25 0x2F 0x5C 0x8F ...

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68846d15@fca13e9e093f 0x9D 0x4E 0x37 0x29 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68846d15@c819f70d1d17 0x80 0xC7 0xF4 0x09 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68846d15@7c8ee4a06798 0x8C 0x3C 0x31 0xD5 ...

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485d6021838a (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68846d15 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68846d15@fca13e3af15d 0x25 0x2F 0x5C 0x8F ...

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68846d15@fca13e9e093f 0x9D 0x4E 0x37 0x29 ...

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68846d15@c819f70d1d17 0x80 0xC7 0xF4 0x09 ...

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68846d15@7c8ee4a06798 0x8C 0x3C 0x31 0xD5 ...

---- EOF - GMER 2.1 ----

attach.txt

Link to post
Share on other sites

Combofix

Combofix should only be run when adviced by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe



When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this.

Link to post
Share on other sites

ComboFix 13-11-10.02 - Nick 11/11/2013  10:35:48.1.8 - x64

 

Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.12265.9197 [GMT -5:00]

 

Running from: c:\users\Nick\Desktop\ComboFix.exe

 

AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}

 

SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

 

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

 

* Created a new restore point

 

.

 

.

 

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

 

.

 

.

 

c:\windows\AsPatch10430001.exe

 

.

 

.

 

(((((((((((((((((((((((((   Files Created from 2013-10-11 to 2013-11-11  )))))))))))))))))))))))))))))))

 

.

 

.

 

2013-11-11 15:42 . 2013-11-11 15:42 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

 

2013-11-11 15:42 . 2013-11-11 15:42 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

 

2013-11-11 15:42 . 2013-11-11 15:42 -------- d-----w- c:\users\Nick\AppData\Local\temp

 

2013-11-11 15:42 . 2013-11-11 15:42 -------- d-----w- c:\users\Default\AppData\Local\temp

 

2013-11-11 14:25 . 2013-11-11 14:25 75888 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B1AD25AF-4FF7-4C76-9EFB-3A079E0242F4}\offreg.dll

 

2013-11-11 14:25 . 2013-11-11 14:25 46768 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B1AD25AF-4FF7-4C76-9EFB-3A079E0242F4}\MpKsl36b90f39.sys

 

2013-11-11 04:58 . 2013-10-14 07:12 10280728 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B1AD25AF-4FF7-4C76-9EFB-3A079E0242F4}\mpengine.dll

 

2013-11-10 00:34 . 2013-10-14 07:12 10280728 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

 

2013-11-08 16:53 . 2013-11-08 17:06 -------- d-----w- c:\users\Nick\AppData\Local\Bgtion

 

2013-11-07 02:36 . 2013-10-18 06:58 965000 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{69F15E0A-4EC0-4FB0-8EF6-C33DB3315AFD}\gapaengine.dll

 

2013-10-31 11:05 . 2013-10-31 11:05 -------- d-----w- c:\users\Nick\AppData\Roaming\Guild Wars 2

 

.

 

.

 

.

 

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

.

 

2013-11-11 14:28 . 2012-03-29 06:45 376 ----a-w- c:\users\Nick\AppData\Roaming\sp_data.sys

 

2013-10-18 06:58 . 2012-06-13 15:45 965000 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll

 

2013-10-15 15:48 . 2012-03-29 05:01 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

 

2013-10-15 15:48 . 2012-02-17 21:58 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

 

2013-10-04 19:09 . 2011-08-24 03:54 45056 ----a-w- c:\windows\SysWow64\acovcnt.exe

 

2013-09-26 06:46 . 2012-02-18 06:47 80541720 ----a-w- c:\windows\system32\MRT.exe

 

2013-09-22 23:28 . 2013-10-10 00:07 1767936 ----a-w- c:\windows\SysWow64\wininet.dll

 

2013-09-22 23:27 . 2013-10-10 00:07 2876928 ----a-w- c:\windows\SysWow64\jscript9.dll

 

2013-09-22 23:27 . 2013-10-10 00:07 61440 ----a-w- c:\windows\SysWow64\iesetup.dll

 

2013-09-22 23:27 . 2013-10-10 00:07 109056 ----a-w- c:\windows\SysWow64\iesysprep.dll

 

2013-09-22 22:55 . 2013-10-10 00:07 51712 ----a-w- c:\windows\system32\ie4uinit.exe

 

2013-09-22 22:55 . 2013-10-10 00:07 2241024 ----a-w- c:\windows\system32\wininet.dll

 

2013-09-22 22:55 . 2013-10-10 00:07 1365504 ----a-w- c:\windows\system32\urlmon.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 603136 ----a-w- c:\windows\system32\msfeeds.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 19252224 ----a-w- c:\windows\system32\mshtml.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 855552 ----a-w- c:\windows\system32\jscript.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 3959296 ----a-w- c:\windows\system32\jscript9.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 53248 ----a-w- c:\windows\system32\jsproxy.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 526336 ----a-w- c:\windows\system32\ieui.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 67072 ----a-w- c:\windows\system32\iesetup.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 39936 ----a-w- c:\windows\system32\iernonce.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 2647552 ----a-w- c:\windows\system32\iertutil.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 136704 ----a-w- c:\windows\system32\iesysprep.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 15404544 ----a-w- c:\windows\system32\ieframe.dll

 

2013-09-21 03:38 . 2013-10-10 00:07 2706432 ----a-w- c:\windows\system32\mshtml.tlb

 

2013-09-21 03:30 . 2013-10-10 00:07 2706432 ----a-w- c:\windows\SysWow64\mshtml.tlb

 

2013-09-21 02:48 . 2013-10-10 00:07 89600 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe

 

2013-09-21 02:39 . 2013-10-10 00:07 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe

 

2013-09-14 01:10 . 2013-10-09 23:20 497152 ----a-w- c:\windows\system32\drivers\afd.sys

 

2013-09-08 02:30 . 2013-10-09 23:20 1903552 ----a-w- c:\windows\system32\drivers\tcpip.sys

 

2013-09-08 02:27 . 2013-10-09 23:20 327168 ----a-w- c:\windows\system32\mswsock.dll

 

2013-09-08 02:03 . 2013-10-09 23:20 231424 ----a-w- c:\windows\SysWow64\mswsock.dll

 

2013-09-04 12:12 . 2013-10-11 05:14 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 325120 ----a-w- c:\windows\system32\drivers\usbport.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 99840 ----a-w- c:\windows\system32\drivers\usbccgp.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 52736 ----a-w- c:\windows\system32\drivers\usbehci.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 7808 ----a-w- c:\windows\system32\drivers\usbd.sys

 

2013-08-29 02:17 . 2013-10-09 23:20 5549504 ----a-w- c:\windows\system32\ntoskrnl.exe

 

2013-08-29 02:16 . 2013-10-09 23:20 1732032 ----a-w- c:\windows\system32\ntdll.dll

 

2013-08-29 02:16 . 2013-10-09 23:20 243712 ----a-w- c:\windows\system32\wow64.dll

 

2013-08-29 02:16 . 2013-10-09 23:20 859648 ----a-w- c:\windows\system32\tdh.dll

 

2013-08-29 02:13 . 2013-10-09 23:20 878080 ----a-w- c:\windows\system32\advapi32.dll

 

2013-08-29 01:51 . 2013-10-09 23:20 3969472 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

 

2013-08-29 01:51 . 2013-10-09 23:20 3914176 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

 

2013-08-29 01:50 . 2013-10-09 23:20 5120 ----a-w- c:\windows\SysWow64\wow32.dll

 

2013-08-29 01:50 . 2013-10-09 23:20 1292192 ----a-w- c:\windows\SysWow64\ntdll.dll

 

2013-08-29 01:50 . 2013-10-09 23:20 619520 ----a-w- c:\windows\SysWow64\tdh.dll

 

2013-08-29 01:48 . 2013-10-09 23:20 640512 ----a-w- c:\windows\SysWow64\advapi32.dll

 

2013-08-29 01:48 . 2013-10-09 23:20 44032 ----a-w- c:\windows\apppatch\acwow64.dll

 

2013-08-29 00:49 . 2013-10-09 23:20 25600 ----a-w- c:\windows\SysWow64\setup16.exe

 

2013-08-29 00:49 . 2013-10-09 23:20 7680 ----a-w- c:\windows\SysWow64\instnm.exe

 

2013-08-29 00:49 . 2013-10-09 23:20 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll

 

2013-08-29 00:49 . 2013-10-09 23:20 2048 ----a-w- c:\windows\SysWow64\user.exe

 

2013-08-28 01:21 . 2013-10-09 23:20 3155968 ----a-w- c:\windows\system32\win32k.sys

 

2013-08-28 01:12 . 2013-10-09 23:20 461312 ----a-w- c:\windows\system32\scavengeui.dll

 

.

 

.

 

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

 

.

 

.

 

*Note* empty entries & legit default entries are not shown

 

REGEDIT4

 

.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

 

"SearchProtection"="c:\users\Nick\AppData\Roaming\Search Protection\SearchProtection.EXE" [2013-09-03 832360]

 

"EPLTarget\P0000000000000000"="c:\windows\system32\spool\DRIVERS\x64\3\E_IATILBE.EXE" [2013-01-24 297024]

 

"Bgtion Update"="c:\users\Nick\AppData\Local\Bgtion\pkcs11-helper-1.dll" [2013-11-08 795136]

 

.

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

 

"Nuance PDF Reader-reminder"="c:\program files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" [2008-11-03 328992]

 

"ASUSPRP"="c:\program files (x86)\ASUS\APRP\APRP.EXE" [2011-04-02 2018032]

 

"ASUSWebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSPanel.exe" [2011-02-23 731472]

 

"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2011-08-24 3058304]

 

"THX TruStudio NB Settings"="c:\program files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe" [2011-03-17 909312]

 

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

 

"VAWinAgent"="c:\expressgateutil\VAWinAgent.exe" [2011-04-08 45448]

 

"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2011-12-22 318080]

 

"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2011-10-24 174720]

 

"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]

 

"ACMON"="c:\program files (x86)\ASUS\Splendid\ACMON.exe" [2012-02-06 102568]

 

"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2012-02-02 2321072]

 

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

 

"FLxHCIm64"="c:\program files\Fresco Logic\Fresco Logic USB3.0 Host Controller\amd64_host\FLxHCIm.exe" [2012-07-19 48128]

 

"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2013-03-28 1058880]

 

.

 

c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

 

Intel® Turbo Boost Technology Monitor 2.0.lnk - c:\program files\Intel\TurboBoost\SignalIslandUi.exe [2010-11-29 204288]

 

.

 

c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

 

Intel® Turbo Boost Technology Monitor 2.0.lnk - c:\program files\Intel\TurboBoost\SignalIslandUi.exe [2010-11-29 204288]

 

.

 

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

 

AsusVibeLauncher.lnk - c:\program files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe /start [2011-4-1 548528]

 

.

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

 

"ConsentPromptBehaviorAdmin"= 0 (0x0)

 

"ConsentPromptBehaviorUser"= 3 (0x3)

 

"EnableLUA"= 0 (0x0)

 

"EnableUIADesktopToggle"= 0 (0x0)

 

"PromptOnSecureDesktop"= 0 (0x0)

 

.

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

 

@="Service"

 

.

 

R1 elzurman;elzurman;c:\windows\system32\drivers\elzurman.sys;c:\windows\SYSNATIVE\drivers\elzurman.sys [x]

 

R1 jrpkxolv;jrpkxolv;c:\windows\system32\drivers\jrpkxolv.sys;c:\windows\SYSNATIVE\drivers\jrpkxolv.sys [x]

 

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

 

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]

 

R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys;c:\windows\SYSNATIVE\Drivers\ssadadb.sys [x]

 

R3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_flt.sys [x]

 

R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys;c:\windows\SYSNATIVE\drivers\btath_a2dp.sys [x]

 

R3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_hcrp.sys [x]

 

R3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_lwflt.sys [x]

 

R3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_rcp.sys [x]

 

R3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x]

 

R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS;c:\windows\SYSNATIVE\drivers\BVRPMPR5a64.SYS [x]

 

R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [x]

 

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]

 

R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]

 

R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys;c:\windows\SYSNATIVE\drivers\EagleX64.sys [x]

 

R3 HawkesUpdater;Hawkes Unattended Updater;c:\program files (x86)\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe;c:\program files (x86)\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe [x]

 

R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]

 

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]

 

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]

 

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]

 

R3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUVStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUVStor.sys [x]

 

R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys;c:\windows\SYSNATIVE\DRIVERS\SiSG664.sys [x]

 

R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssadbus.sys [x]

 

R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdfl.sys [x]

 

R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdm.sys [x]

 

R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]

 

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

 

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]

 

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

 

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]

 

S1 ATKWMIACPIIO_;ATKWMIACPI Driver_;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [x]

 

S1 MpKsl36b90f39;MpKsl36b90f39;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B1AD25AF-4FF7-4C76-9EFB-3A079E0242F4}\MpKsl36b90f39.sys;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B1AD25AF-4FF7-4C76-9EFB-3A079E0242F4}\MpKsl36b90f39.sys [x]

 

S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [x]

 

S2 AsusUacSvc;Asus process privilege adjust service;c:\program files\Asus\Rotation Desktop for G Series\AsusUacSvc.exe;c:\program files\Asus\Rotation Desktop for G Series\AsusUacSvc.exe [x]

 

S2 Atheros Bt&Wlan Coex Agent;Atheros Bt&Wlan Coex Agent;c:\program files (x86)\Bluetooth Suite\Ath_CoexAgent.exe;c:\program files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [x]

 

S2 AtherosSvc;AtherosSvc;c:\program files (x86)\Bluetooth Suite\adminservice.exe;c:\program files (x86)\Bluetooth Suite\adminservice.exe [x]

 

S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]

 

S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [x]

 

S2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\EscSvc64.exe;c:\windows\SYSNATIVE\EscSvc64.exe [x]

 

S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]

 

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]

 

S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]

 

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]

 

S2 VideAceWindowsService;VideAceWindowsService;c:\expressgateutil\VAWinService.exe;c:\expressgateutil\VAWinService.exe [x]

 

S3 AiCharger;ASUS Charger Driver;c:\windows\system32\DRIVERS\AiCharger.sys;c:\windows\SYSNATIVE\DRIVERS\AiCharger.sys [x]

 

S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys;c:\windows\SYSNATIVE\DRIVERS\btath_bus.sys [x]

 

S3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;c:\windows\system32\DRIVERS\FLxHCIc.sys;c:\windows\SYSNATIVE\DRIVERS\FLxHCIc.sys [x]

 

S3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;c:\windows\system32\DRIVERS\FLxHCIh.sys;c:\windows\SYSNATIVE\DRIVERS\FLxHCIh.sys [x]

 

S3 fspad_win764;Finger Sensing Pad Driver for Windows 2000/XP/Vista/Win7_win764;c:\windows\system32\DRIVERS\fspad_win764.sys;c:\windows\SYSNATIVE\DRIVERS\fspad_win764.sys [x]

 

S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys;c:\windows\SYSNATIVE\drivers\MBfilt64.sys [x]

 

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]

 

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]

 

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]

 

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]

 

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]

 

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]

 

S3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]

 

.

 

.

 

--- Other Services/Drivers In Memory ---

 

.

 

*NewlyCreated* - MPKSL36B90F39

 

*NewlyCreated* - PXLDQPOC

 

*Deregistered* - pxldqpoc

 

.

 

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

 

2013-10-16 07:15 1185744 ----a-w- c:\program files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe

 

.

 

Contents of the 'Scheduled Tasks' folder

 

.

 

2013-11-11 c:\windows\Tasks\EPSON XP-310 Series Invitation {000F3676-290B-4C0B-BEB2-A06E917FD94D}.job

 

- c:\windows\system32\spool\DRIVERS\x64\3\E_ITSLBE.EXE [2013-10-04 05:20]

 

.

 

2013-11-11 c:\windows\Tasks\EPSON XP-310 Series Update {000F3676-290B-4C0B-BEB2-A06E917FD94D}.job

 

- c:\windows\system32\spool\DRIVERS\x64\3\E_ITSLBE.EXE [2013-10-04 05:20]

 

.

 

2013-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

 

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-15 21:54]

 

.

 

2013-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

 

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-15 21:54]

 

.

 

.

 

--------- X64 Entries -----------

 

.

 

.

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]

 

@="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"

 

[HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]

 

2010-09-02 08:41 220160 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSShellExt64.dll

 

.

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]

 

@="{64174815-8D98-4CE6-8646-4C039977D808}"

 

[HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]

 

2010-09-02 08:41 220160 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSShellExt64.dll

 

.

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

 

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-01-31 12446824]

 

"AtherosBtStack"="c:\program files (x86)\Bluetooth Suite\BtvStack.exe" [2011-03-13 617120]

 

"AthBtTray"="c:\program files (x86)\Bluetooth Suite\AthBtTray.exe" [2011-03-13 379552]

 

"IntelTBRunOnce"="wscript.exe" [2009-07-14 168960]

 

"THXCfg64"="c:\windows\system32\THXCfg64.dll" [2010-09-14 25600]

 

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 1356240]

 

.

 

------- Supplementary Scan -------

 

.

 

uLocal Page = c:\windows\system32\blank.htm

 

 

mLocal Page = c:\windows\SysWOW64\blank.htm

 

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

 

TCP: DhcpNameServer = 192.168.1.1

 

.

 

- - - - ORPHANS REMOVED - - - -

 

.

 

Toolbar-Locked - (no file)

 

HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start

 

Toolbar-Locked - (no file)

 

HKLM-Run-fspuip - c:\program files (x86)\FSP\fspuip.exe

 

HKLM-Run-Setwallpaper - c:\programdata\SetWallpaper.cmd

 

.

 

.

 

.

 

--------------------- LOCKED REGISTRY KEYS ---------------------

 

.

 

[HKEY_USERS\S-1-5-21-1909249093-874876743-655935046-1000\Software\SecuROM\License information*]

 

"datasecu"=hex:44,12,e0,d6,5a,52,4c,3c,1c,84,41,41,52,11,4d,df,3c,38,35,ca,1c,

 

   72,90,d0,9c,13,63,04,68,f8,f1,df,7a,cb,98,03,08,64,27,52,96,6e,e6,65,cc,4c,\

 

"rkeysecu"=hex:ac,c1,19,fa,90,50,f6,03,d2,b5,8b,39,8c,ad,6d,6d

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

 

@Denied: (A 2) (Everyone)

 

@="FlashBroker"

 

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

 

"Enabled"=dword:00000001

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

 

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

 

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

 

@Denied: (A 2) (Everyone)

 

@="IFlashBroker5"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

 

@="{00020424-0000-0000-C000-000000000046}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

 

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

"Version"="1.0"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

 

@Denied: (A 2) (Everyone)

 

@="FlashBroker"

 

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

 

"Enabled"=dword:00000001

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

 

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

 

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

 

@Denied: (A 2) (Everyone)

 

@="Shockwave Flash Object"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

 

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"

 

"ThreadingModel"="Apartment"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

 

@="0"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

 

@="ShockwaveFlash.ShockwaveFlash.11"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

 

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

 

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

 

@="1.0"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

 

@="ShockwaveFlash.ShockwaveFlash"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

 

@Denied: (A 2) (Everyone)

 

@="Macromedia Flash Factory Object"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

 

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"

 

"ThreadingModel"="Apartment"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

 

@="FlashFactory.FlashFactory.1"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

 

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

 

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

 

@="1.0"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

 

@="FlashFactory.FlashFactory"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

 

@Denied: (A 2) (Everyone)

 

@="IFlashBroker5"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

 

@="{00020424-0000-0000-C000-000000000046}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

 

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

"Version"="1.0"

 

.

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

 

@Denied: (A) (Users)

 

@Denied: (A) (Everyone)

 

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

 

"BlindDial"=dword:00000000

 

.

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

 

@Denied: (A) (Users)

 

@Denied: (A) (Everyone)

 

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

 

"BlindDial"=dword:00000000

 

.

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

 

@Denied: (A) (Users)

 

@Denied: (A) (Everyone)

 

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

 

"BlindDial"=dword:00000000

 

.

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

 

@Denied: (A) (Users)

 

@Denied: (A) (Everyone)

 

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

 

"BlindDial"=dword:00000000

 

.

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

 

@Denied: (Full) (Everyone)

 

.

 

Completion time: 2013-11-11  10:51:31

 

ComboFix-quarantined-files.txt  2013-11-11 15:51

 

.

 

Pre-Run: 118,543,765,504 bytes free

 

Post-Run: 120,662,986,752 bytes free

 

.

 

- - End Of File - - 0D420C39E08FE3FD4751DEEE62FD6B88

Link to post
Share on other sites

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

CFScript.txt

Link to post
Share on other sites

I got it to work, ComboFix said it had an update available but I ran it without updating. Partway though the process I got a notification saying "pev.3XE" has stopped working. After closing the window on that the process continued and then while it was preparing the logs my laptop restarted and presented me with an Asus application error to which I closed and continued to wait for the logs. ComboFix asked that I send a submission of my logs but I didn't, it did save the submission form. Here is what I got...

 

ComboFix 13-11-10.02 - Nick 11/12/2013  10:00:17.2.8 - x64

 

Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.12265.10252 [GMT -5:00]

 

Running from: c:\users\Nick\Desktop\ComboFix.exe

 

Command switches used :: c:\users\Nick\Desktop\CFScript.txt

 

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

 

* Created a new restore point

 

.

 

.

 

.

 

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

 

.

 

.

 

c:\users\Nick\AppData\Roaming\Search Protection

 

c:\users\Nick\AppData\Roaming\Search Protection\SearchProtection.exe

 

c:\users\Nick\AppData\Roaming\Search Protection\Uninstall.exe

 

c:\windows\assembly\GAC_32\Desktop.ini

 

c:\windows\assembly\GAC_64\Desktop.ini

 

.

 

.

 

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

 

.

 

.

 

-------\Service_elzurman

 

-------\Service_jrpkxolv

 

.

 

.

 

(((((((((((((((((((((((((   Files Created from 2013-10-12 to 2013-11-12  )))))))))))))))))))))))))))))))

 

.

 

.

 

2013-11-12 15:19 . 2013-11-12 15:19 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

 

2013-11-12 15:19 . 2013-11-12 15:19 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

 

2013-11-12 15:19 . 2013-11-12 15:19 -------- d-----w- c:\users\Default\AppData\Local\temp

 

2013-11-11 19:08 . 2013-10-14 07:12 10280728 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E3C1FFEF-567D-4384-890A-2CA52D550EA0}\mpengine.dll

 

2013-11-11 15:51 . 2013-11-12 15:21 -------- d-----w- c:\users\Nick\AppData\Local\temp

 

2013-11-10 00:34 . 2013-10-14 07:12 10280728 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

 

2013-11-08 16:53 . 2013-11-08 17:06 -------- d-----w- c:\users\Nick\AppData\Local\Bgtion

 

2013-11-07 02:36 . 2013-10-18 06:58 965000 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{69F15E0A-4EC0-4FB0-8EF6-C33DB3315AFD}\gapaengine.dll

 

2013-10-31 11:05 . 2013-10-31 11:05 -------- d-----w- c:\users\Nick\AppData\Roaming\Guild Wars 2

 

.

 

.

 

.

 

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

.

 

2013-11-12 14:43 . 2012-03-29 06:45 376 ----a-w- c:\users\Nick\AppData\Roaming\sp_data.sys

 

2013-10-18 06:58 . 2012-06-13 15:45 965000 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll

 

2013-10-15 15:48 . 2012-03-29 05:01 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

 

2013-10-15 15:48 . 2012-02-17 21:58 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

 

2013-10-04 19:09 . 2011-08-24 03:54 45056 ----a-w- c:\windows\SysWow64\acovcnt.exe

 

2013-09-26 06:46 . 2012-02-18 06:47 80541720 ----a-w- c:\windows\system32\MRT.exe

 

2013-09-22 23:28 . 2013-10-10 00:07 1767936 ----a-w- c:\windows\SysWow64\wininet.dll

 

2013-09-22 23:27 . 2013-10-10 00:07 2876928 ----a-w- c:\windows\SysWow64\jscript9.dll

 

2013-09-22 23:27 . 2013-10-10 00:07 61440 ----a-w- c:\windows\SysWow64\iesetup.dll

 

2013-09-22 23:27 . 2013-10-10 00:07 109056 ----a-w- c:\windows\SysWow64\iesysprep.dll

 

2013-09-22 22:55 . 2013-10-10 00:07 51712 ----a-w- c:\windows\system32\ie4uinit.exe

 

2013-09-22 22:55 . 2013-10-10 00:07 2241024 ----a-w- c:\windows\system32\wininet.dll

 

2013-09-22 22:55 . 2013-10-10 00:07 1365504 ----a-w- c:\windows\system32\urlmon.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 603136 ----a-w- c:\windows\system32\msfeeds.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 19252224 ----a-w- c:\windows\system32\mshtml.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 855552 ----a-w- c:\windows\system32\jscript.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 3959296 ----a-w- c:\windows\system32\jscript9.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 53248 ----a-w- c:\windows\system32\jsproxy.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 526336 ----a-w- c:\windows\system32\ieui.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 67072 ----a-w- c:\windows\system32\iesetup.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 39936 ----a-w- c:\windows\system32\iernonce.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 2647552 ----a-w- c:\windows\system32\iertutil.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 136704 ----a-w- c:\windows\system32\iesysprep.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 15404544 ----a-w- c:\windows\system32\ieframe.dll

 

2013-09-21 03:38 . 2013-10-10 00:07 2706432 ----a-w- c:\windows\system32\mshtml.tlb

 

2013-09-21 03:30 . 2013-10-10 00:07 2706432 ----a-w- c:\windows\SysWow64\mshtml.tlb

 

2013-09-21 02:48 . 2013-10-10 00:07 89600 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe

 

2013-09-21 02:39 . 2013-10-10 00:07 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe

 

2013-09-14 01:10 . 2013-10-09 23:20 497152 ----a-w- c:\windows\system32\drivers\afd.sys

 

2013-09-08 02:30 . 2013-10-09 23:20 1903552 ----a-w- c:\windows\system32\drivers\tcpip.sys

 

2013-09-08 02:27 . 2013-10-09 23:20 327168 ----a-w- c:\windows\system32\mswsock.dll

 

2013-09-08 02:03 . 2013-10-09 23:20 231424 ----a-w- c:\windows\SysWow64\mswsock.dll

 

2013-09-04 12:12 . 2013-10-11 05:14 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 325120 ----a-w- c:\windows\system32\drivers\usbport.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 99840 ----a-w- c:\windows\system32\drivers\usbccgp.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 52736 ----a-w- c:\windows\system32\drivers\usbehci.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 7808 ----a-w- c:\windows\system32\drivers\usbd.sys

 

2013-08-29 02:17 . 2013-10-09 23:20 5549504 ----a-w- c:\windows\system32\ntoskrnl.exe

 

2013-08-29 02:16 . 2013-10-09 23:20 1732032 ----a-w- c:\windows\system32\ntdll.dll

 

2013-08-29 02:16 . 2013-10-09 23:20 243712 ----a-w- c:\windows\system32\wow64.dll

 

2013-08-29 02:16 . 2013-10-09 23:20 859648 ----a-w- c:\windows\system32\tdh.dll

 

2013-08-29 02:13 . 2013-10-09 23:20 878080 ----a-w- c:\windows\system32\advapi32.dll

 

2013-08-29 01:51 . 2013-10-09 23:20 3969472 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

 

2013-08-29 01:51 . 2013-10-09 23:20 3914176 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

 

2013-08-29 01:50 . 2013-10-09 23:20 5120 ----a-w- c:\windows\SysWow64\wow32.dll

 

2013-08-29 01:50 . 2013-10-09 23:20 1292192 ----a-w- c:\windows\SysWow64\ntdll.dll

 

2013-08-29 01:50 . 2013-10-09 23:20 619520 ----a-w- c:\windows\SysWow64\tdh.dll

 

2013-08-29 01:48 . 2013-10-09 23:20 640512 ----a-w- c:\windows\SysWow64\advapi32.dll

 

2013-08-29 01:48 . 2013-10-09 23:20 44032 ----a-w- c:\windows\apppatch\acwow64.dll

 

2013-08-29 00:49 . 2013-10-09 23:20 25600 ----a-w- c:\windows\SysWow64\setup16.exe

 

2013-08-29 00:49 . 2013-10-09 23:20 7680 ----a-w- c:\windows\SysWow64\instnm.exe

 

2013-08-29 00:49 . 2013-10-09 23:20 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll

 

2013-08-29 00:49 . 2013-10-09 23:20 2048 ----a-w- c:\windows\SysWow64\user.exe

 

2013-08-28 01:21 . 2013-10-09 23:20 3155968 ----a-w- c:\windows\system32\win32k.sys

 

2013-08-28 01:12 . 2013-10-09 23:20 461312 ----a-w- c:\windows\system32\scavengeui.dll

 

.

 

.

 

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

 

.

 

.

 

*Note* empty entries & legit default entries are not shown

 

REGEDIT4

 

.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

 

"EPLTarget\P0000000000000000"="c:\windows\system32\spool\DRIVERS\x64\3\E_IATILBE.EXE" [2013-01-24 297024]

 

"Bgtion Update"="c:\users\Nick\AppData\Local\Bgtion\pkcs11-helper-1.dll" [2013-11-08 795136]

 

.

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

 

"Nuance PDF Reader-reminder"="c:\program files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" [2008-11-03 328992]

 

"ASUSPRP"="c:\program files (x86)\ASUS\APRP\APRP.EXE" [2011-04-02 2018032]

 

"ASUSWebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSPanel.exe" [2011-02-23 731472]

 

"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2011-08-24 3058304]

 

"THX TruStudio NB Settings"="c:\program files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe" [2011-03-17 909312]

 

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

 

"VAWinAgent"="c:\expressgateutil\VAWinAgent.exe" [2011-04-08 45448]

 

"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2011-12-22 318080]

 

"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2011-10-24 174720]

 

"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]

 

"ACMON"="c:\program files (x86)\ASUS\Splendid\ACMON.exe" [2012-02-06 102568]

 

"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2012-02-02 2321072]

 

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

 

"FLxHCIm64"="c:\program files\Fresco Logic\Fresco Logic USB3.0 Host Controller\amd64_host\FLxHCIm.exe" [2012-07-19 48128]

 

"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2013-03-28 1058880]

 

.

 

c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

 

Intel® Turbo Boost Technology Monitor 2.0.lnk - c:\program files\Intel\TurboBoost\SignalIslandUi.exe [2010-11-29 204288]

 

.

 

c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

 

Intel® Turbo Boost Technology Monitor 2.0.lnk - c:\program files\Intel\TurboBoost\SignalIslandUi.exe [2010-11-29 204288]

 

.

 

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

 

AsusVibeLauncher.lnk - c:\program files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe /start [2011-4-1 548528]

 

.

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

 

"ConsentPromptBehaviorAdmin"= 0 (0x0)

 

"ConsentPromptBehaviorUser"= 3 (0x3)

 

"EnableLUA"= 0 (0x0)

 

"EnableUIADesktopToggle"= 0 (0x0)

 

"PromptOnSecureDesktop"= 0 (0x0)

 

.

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

 

@="Service"

 

.

 

R1 hgqiglzk;hgqiglzk;c:\windows\system32\drivers\hgqiglzk.sys;c:\windows\SYSNATIVE\drivers\hgqiglzk.sys [x]

 

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

 

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]

 

R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys;c:\windows\SYSNATIVE\Drivers\ssadadb.sys [x]

 

R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS;c:\windows\SYSNATIVE\drivers\BVRPMPR5a64.SYS [x]

 

R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [x]

 

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]

 

R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]

 

R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys;c:\windows\SYSNATIVE\drivers\EagleX64.sys [x]

 

R3 HawkesUpdater;Hawkes Unattended Updater;c:\program files (x86)\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe;c:\program files (x86)\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe [x]

 

R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]

 

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]

 

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]

 

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]

 

R3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUVStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUVStor.sys [x]

 

R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys;c:\windows\SYSNATIVE\DRIVERS\SiSG664.sys [x]

 

R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssadbus.sys [x]

 

R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdfl.sys [x]

 

R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdm.sys [x]

 

R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]

 

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

 

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]

 

R3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]

 

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

 

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]

 

S1 ATKWMIACPIIO_;ATKWMIACPI Driver_;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [x]

 

S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [x]

 

S2 AsusUacSvc;Asus process privilege adjust service;c:\program files\Asus\Rotation Desktop for G Series\AsusUacSvc.exe;c:\program files\Asus\Rotation Desktop for G Series\AsusUacSvc.exe [x]

 

S2 Atheros Bt&Wlan Coex Agent;Atheros Bt&Wlan Coex Agent;c:\program files (x86)\Bluetooth Suite\Ath_CoexAgent.exe;c:\program files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [x]

 

S2 AtherosSvc;AtherosSvc;c:\program files (x86)\Bluetooth Suite\adminservice.exe;c:\program files (x86)\Bluetooth Suite\adminservice.exe [x]

 

S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]

 

S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [x]

 

S2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\EscSvc64.exe;c:\windows\SYSNATIVE\EscSvc64.exe [x]

 

S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]

 

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]

 

S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]

 

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]

 

S2 VideAceWindowsService;VideAceWindowsService;c:\expressgateutil\VAWinService.exe;c:\expressgateutil\VAWinService.exe [x]

 

S3 AiCharger;ASUS Charger Driver;c:\windows\system32\DRIVERS\AiCharger.sys;c:\windows\SYSNATIVE\DRIVERS\AiCharger.sys [x]

 

S3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_flt.sys [x]

 

S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys;c:\windows\SYSNATIVE\drivers\btath_a2dp.sys [x]

 

S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys;c:\windows\SYSNATIVE\DRIVERS\btath_bus.sys [x]

 

S3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_hcrp.sys [x]

 

S3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_lwflt.sys [x]

 

S3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_rcp.sys [x]

 

S3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x]

 

S3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;c:\windows\system32\DRIVERS\FLxHCIc.sys;c:\windows\SYSNATIVE\DRIVERS\FLxHCIc.sys [x]

 

S3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;c:\windows\system32\DRIVERS\FLxHCIh.sys;c:\windows\SYSNATIVE\DRIVERS\FLxHCIh.sys [x]

 

S3 fspad_win764;Finger Sensing Pad Driver for Windows 2000/XP/Vista/Win7_win764;c:\windows\system32\DRIVERS\fspad_win764.sys;c:\windows\SYSNATIVE\DRIVERS\fspad_win764.sys [x]

 

S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys;c:\windows\SYSNATIVE\drivers\MBfilt64.sys [x]

 

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]

 

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]

 

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]

 

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]

 

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]

 

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]

 

.

 

.

 

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

 

2013-10-16 07:15 1185744 ----a-w- c:\program files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe

 

.

 

Contents of the 'Scheduled Tasks' folder

 

.

 

2013-11-12 c:\windows\Tasks\EPSON XP-310 Series Invitation {000F3676-290B-4C0B-BEB2-A06E917FD94D}.job

 

- c:\windows\system32\spool\DRIVERS\x64\3\E_ITSLBE.EXE [2013-10-04 05:20]

 

.

 

2013-11-12 c:\windows\Tasks\EPSON XP-310 Series Update {000F3676-290B-4C0B-BEB2-A06E917FD94D}.job

 

- c:\windows\system32\spool\DRIVERS\x64\3\E_ITSLBE.EXE [2013-10-04 05:20]

 

.

 

2013-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

 

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-15 21:54]

 

.

 

2013-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

 

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-15 21:54]

 

.

 

.

 

--------- X64 Entries -----------

 

.

 

.

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]

 

@="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"

 

[HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]

 

2010-09-02 08:41 220160 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSShellExt64.dll

 

.

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]

 

@="{64174815-8D98-4CE6-8646-4C039977D808}"

 

[HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]

 

2010-09-02 08:41 220160 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSShellExt64.dll

 

.

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

 

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-01-31 12446824]

 

"AtherosBtStack"="c:\program files (x86)\Bluetooth Suite\BtvStack.exe" [2011-03-13 617120]

 

"AthBtTray"="c:\program files (x86)\Bluetooth Suite\AthBtTray.exe" [2011-03-13 379552]

 

"fspuip"="c:\program files (x86)\FSP\fspuip.exe" [bU]

 

"IntelTBRunOnce"="wscript.exe" [2009-07-14 168960]

 

"THXCfg64"="c:\windows\system32\THXCfg64.dll" [2010-09-14 25600]

 

"Setwallpaper"="c:\programdata\SetWallpaper.cmd" [bU]

 

.

 

------- Supplementary Scan -------

 

.

 

uLocal Page = c:\windows\system32\blank.htm

 

 

mLocal Page = c:\windows\SysWOW64\blank.htm

 

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

 

LSP: mswsock.dll

 

TCP: DhcpNameServer = 192.168.1.1

 

.

 

- - - - ORPHANS REMOVED - - - -

 

.

 

Toolbar-Locked - (no file)

 

HKLM-Run-MSC - c:\program files\Microsoft Security Client\mssecex.exe

 

AddRemove-Search Protection - c:\users\Nick\AppData\Roaming\Search Protection\uninstall.exe

 

.

 

.

 

.

 

--------------------- LOCKED REGISTRY KEYS ---------------------

 

.

 

[HKEY_USERS\S-1-5-21-1909249093-874876743-655935046-1000\Software\SecuROM\License information*]

 

"datasecu"=hex:44,12,e0,d6,5a,52,4c,3c,1c,84,41,41,52,11,4d,df,3c,38,35,ca,1c,

 

   72,90,d0,9c,13,63,04,68,f8,f1,df,7a,cb,98,03,08,64,27,52,96,6e,e6,65,cc,4c,\

 

"rkeysecu"=hex:ac,c1,19,fa,90,50,f6,03,d2,b5,8b,39,8c,ad,6d,6d

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

 

@Denied: (A 2) (Everyone)

 

@="FlashBroker"

 

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

 

"Enabled"=dword:00000001

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

 

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

 

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

 

@Denied: (A 2) (Everyone)

 

@="IFlashBroker5"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

 

@="{00020424-0000-0000-C000-000000000046}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

 

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

"Version"="1.0"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

 

@Denied: (A 2) (Everyone)

 

@="FlashBroker"

 

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

 

"Enabled"=dword:00000001

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

 

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

 

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

 

@Denied: (A 2) (Everyone)

 

@="Shockwave Flash Object"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

 

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"

 

"ThreadingModel"="Apartment"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

 

@="0"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

 

@="ShockwaveFlash.ShockwaveFlash.11"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

 

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

 

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

 

@="1.0"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

 

@="ShockwaveFlash.ShockwaveFlash"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

 

@Denied: (A 2) (Everyone)

 

@="Macromedia Flash Factory Object"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

 

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"

 

"ThreadingModel"="Apartment"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

 

@="FlashFactory.FlashFactory.1"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

 

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

 

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

 

@="1.0"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

 

@="FlashFactory.FlashFactory"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

 

@Denied: (A 2) (Everyone)

 

@="IFlashBroker5"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

 

@="{00020424-0000-0000-C000-000000000046}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

 

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

"Version"="1.0"

 

.

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

 

@Denied: (A) (Users)

 

@Denied: (A) (Everyone)

 

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

 

"BlindDial"=dword:00000000

 

.

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

 

@Denied: (A) (Users)

 

@Denied: (A) (Everyone)

 

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

 

"BlindDial"=dword:00000000

 

.

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

 

@Denied: (A) (Users)

 

@Denied: (A) (Everyone)

 

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

 

"BlindDial"=dword:00000000

 

.

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

 

@Denied: (A) (Users)

 

@Denied: (A) (Everyone)

 

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

 

"BlindDial"=dword:00000000

 

.

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

 

@Denied: (Full) (Everyone)

 

.

 

------------------------ Other Running Processes ------------------------

 

.

 

c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe

 

c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe

 

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

 

c:\windows\syswow64\dllhost.exe

 

c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe

 

c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe

 

c:\program files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe

 

c:\program files (x86)\ASUS\FaceLogon\sensorsrv.exe

 

c:\program files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe

 

c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe

 

c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe

 

c:\windows\SysWOW64\regsvr32.exe

 

c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

 

.

 

**************************************************************************

 

.

 

Completion time: 2013-11-12  10:26:54 - machine was rebooted

 

ComboFix-quarantined-files.txt  2013-11-12 15:26

 

ComboFix2.txt  2013-11-11 15:51

 

.

 

Pre-Run: 118,799,007,744 bytes free

 

Post-Run: 119,084,711,936 bytes free

 

.

 

- - End Of File - - CFE42F50934DEF8CE65ACE8DC04FD103

 

Link to post
Share on other sites

OK, I´ve got the file.

 

 

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

 

 

Full System Scan with Malwarebytes Antimalware
 

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

 

CFScript.txt

Link to post
Share on other sites

Here is the log from ComboFix

 

ComboFix 13-11-12.01 - Nick 11/13/2013  14:49:50.4.8 - x64

 

Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.12265.10404 [GMT -5:00]

 

Running from: c:\users\Nick\Desktop\ComboFix.exe

 

Command switches used :: c:\users\Nick\Desktop\CFScript.txt

 

AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}

 

SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

 

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

 

* Created a new restore point

 

.

 

FILE ::

 

"c:\windows\system32\drivers\hgqiglzk.sys"

 

"c:\windows\system32\drivers\hgqiglzk.sys"

 

.

 

.

 

(((((((((((((((((((((((((   Files Created from 2013-10-13 to 2013-11-13  )))))))))))))))))))))))))))))))

 

.

 

.

 

2013-11-13 19:56 . 2013-11-13 19:56 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

 

2013-11-13 19:56 . 2013-11-13 19:56 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

 

2013-11-13 19:56 . 2013-11-13 19:56 -------- d-----w- c:\users\Default\AppData\Local\temp

 

2013-11-13 19:40 . 2013-11-13 19:40 46768 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CF71AD65-1930-4BFD-8650-162D36210323}\MpKslfe149707.sys

 

2013-11-13 13:42 . 2013-11-13 13:42 46768 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CF71AD65-1930-4BFD-8650-162D36210323}\MpKslc95a29de.sys

 

2013-11-13 13:23 . 2013-11-13 19:40 75888 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CF71AD65-1930-4BFD-8650-162D36210323}\offreg.dll

 

2013-11-13 13:23 . 2013-11-13 13:23 46768 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CF71AD65-1930-4BFD-8650-162D36210323}\MpKsl89426992.sys

 

2013-11-13 12:24 . 2013-11-13 19:56 -------- d-----w- c:\users\Nick\AppData\Local\temp

 

2013-11-12 22:56 . 2013-10-14 07:12 10280728 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CF71AD65-1930-4BFD-8650-162D36210323}\mpengine.dll

 

2013-11-11 19:08 . 2013-10-14 07:12 10280728 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

 

2013-11-08 16:53 . 2013-11-08 17:06 -------- d-----w- c:\users\Nick\AppData\Local\Bgtion

 

2013-11-07 02:36 . 2013-10-18 06:58 965000 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{69F15E0A-4EC0-4FB0-8EF6-C33DB3315AFD}\gapaengine.dll

 

2013-10-31 11:05 . 2013-10-31 11:05 -------- d-----w- c:\users\Nick\AppData\Roaming\Guild Wars 2

 

.

 

.

 

.

 

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

.

 

2013-11-13 19:41 . 2012-03-29 06:45 376 ----a-w- c:\users\Nick\AppData\Roaming\sp_data.sys

 

2013-10-18 06:58 . 2012-06-13 15:45 965000 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll

 

2013-10-15 15:48 . 2012-02-17 21:58 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

 

2013-10-04 19:09 . 2011-08-24 03:54 45056 ----a-w- c:\windows\SysWow64\acovcnt.exe

 

2013-09-26 06:46 . 2012-02-18 06:47 80541720 ----a-w- c:\windows\system32\MRT.exe

 

2013-09-22 23:28 . 2013-10-10 00:07 1767936 ----a-w- c:\windows\SysWow64\wininet.dll

 

2013-09-22 23:27 . 2013-10-10 00:07 2876928 ----a-w- c:\windows\SysWow64\jscript9.dll

 

2013-09-22 23:27 . 2013-10-10 00:07 61440 ----a-w- c:\windows\SysWow64\iesetup.dll

 

2013-09-22 23:27 . 2013-10-10 00:07 109056 ----a-w- c:\windows\SysWow64\iesysprep.dll

 

2013-09-22 22:55 . 2013-10-10 00:07 51712 ----a-w- c:\windows\system32\ie4uinit.exe

 

2013-09-22 22:55 . 2013-10-10 00:07 2241024 ----a-w- c:\windows\system32\wininet.dll

 

2013-09-22 22:55 . 2013-10-10 00:07 1365504 ----a-w- c:\windows\system32\urlmon.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 603136 ----a-w- c:\windows\system32\msfeeds.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 19252224 ----a-w- c:\windows\system32\mshtml.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 855552 ----a-w- c:\windows\system32\jscript.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 3959296 ----a-w- c:\windows\system32\jscript9.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 53248 ----a-w- c:\windows\system32\jsproxy.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 526336 ----a-w- c:\windows\system32\ieui.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 67072 ----a-w- c:\windows\system32\iesetup.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 39936 ----a-w- c:\windows\system32\iernonce.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 2647552 ----a-w- c:\windows\system32\iertutil.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 136704 ----a-w- c:\windows\system32\iesysprep.dll

 

2013-09-22 22:54 . 2013-10-10 00:07 15404544 ----a-w- c:\windows\system32\ieframe.dll

 

2013-09-21 03:38 . 2013-10-10 00:07 2706432 ----a-w- c:\windows\system32\mshtml.tlb

 

2013-09-21 03:30 . 2013-10-10 00:07 2706432 ----a-w- c:\windows\SysWow64\mshtml.tlb

 

2013-09-21 02:48 . 2013-10-10 00:07 89600 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe

 

2013-09-21 02:39 . 2013-10-10 00:07 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe

 

2013-09-14 01:10 . 2013-10-09 23:20 497152 ----a-w- c:\windows\system32\drivers\afd.sys

 

2013-09-08 02:30 . 2013-10-09 23:20 1903552 ----a-w- c:\windows\system32\drivers\tcpip.sys

 

2013-09-08 02:27 . 2013-10-09 23:20 327168 ----a-w- c:\windows\system32\mswsock.dll

 

2013-09-08 02:03 . 2013-10-09 23:20 231424 ----a-w- c:\windows\SysWow64\mswsock.dll

 

2013-09-04 12:12 . 2013-10-11 05:14 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 325120 ----a-w- c:\windows\system32\drivers\usbport.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 99840 ----a-w- c:\windows\system32\drivers\usbccgp.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 52736 ----a-w- c:\windows\system32\drivers\usbehci.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys

 

2013-09-04 12:11 . 2013-10-11 05:14 7808 ----a-w- c:\windows\system32\drivers\usbd.sys

 

2013-08-29 02:17 . 2013-10-09 23:20 5549504 ----a-w- c:\windows\system32\ntoskrnl.exe

 

2013-08-29 02:16 . 2013-10-09 23:20 1732032 ----a-w- c:\windows\system32\ntdll.dll

 

2013-08-29 02:16 . 2013-10-09 23:20 243712 ----a-w- c:\windows\system32\wow64.dll

 

2013-08-29 02:16 . 2013-10-09 23:20 859648 ----a-w- c:\windows\system32\tdh.dll

 

2013-08-29 02:13 . 2013-10-09 23:20 878080 ----a-w- c:\windows\system32\advapi32.dll

 

2013-08-29 01:51 . 2013-10-09 23:20 3969472 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

 

2013-08-29 01:51 . 2013-10-09 23:20 3914176 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

 

2013-08-29 01:50 . 2013-10-09 23:20 5120 ----a-w- c:\windows\SysWow64\wow32.dll

 

2013-08-29 01:50 . 2013-10-09 23:20 1292192 ----a-w- c:\windows\SysWow64\ntdll.dll

 

2013-08-29 01:50 . 2013-10-09 23:20 619520 ----a-w- c:\windows\SysWow64\tdh.dll

 

2013-08-29 01:48 . 2013-10-09 23:20 640512 ----a-w- c:\windows\SysWow64\advapi32.dll

 

2013-08-29 01:48 . 2013-10-09 23:20 44032 ----a-w- c:\windows\apppatch\acwow64.dll

 

2013-08-29 00:49 . 2013-10-09 23:20 25600 ----a-w- c:\windows\SysWow64\setup16.exe

 

2013-08-29 00:49 . 2013-10-09 23:20 7680 ----a-w- c:\windows\SysWow64\instnm.exe

 

2013-08-29 00:49 . 2013-10-09 23:20 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll

 

2013-08-29 00:49 . 2013-10-09 23:20 2048 ----a-w- c:\windows\SysWow64\user.exe

 

2013-08-28 01:21 . 2013-10-09 23:20 3155968 ----a-w- c:\windows\system32\win32k.sys

 

2013-08-28 01:12 . 2013-10-09 23:20 461312 ----a-w- c:\windows\system32\scavengeui.dll

 

.

 

.

 

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

 

.

 

.

 

*Note* empty entries & legit default entries are not shown

 

REGEDIT4

 

.

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

 

"EPLTarget\P0000000000000000"="c:\windows\system32\spool\DRIVERS\x64\3\E_IATILBE.EXE" [2013-01-24 297024]

 

"Bgtion Update"="c:\users\Nick\AppData\Local\Bgtion\pkcs11-helper-1.dll" [2013-11-08 795136]

 

.

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

 

"Nuance PDF Reader-reminder"="c:\program files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" [2008-11-03 328992]

 

"ASUSPRP"="c:\program files (x86)\ASUS\APRP\APRP.EXE" [2011-04-02 2018032]

 

"ASUSWebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSPanel.exe" [2011-02-23 731472]

 

"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2011-08-24 3058304]

 

"THX TruStudio NB Settings"="c:\program files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe" [2011-03-17 909312]

 

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

 

"VAWinAgent"="c:\expressgateutil\VAWinAgent.exe" [2011-04-08 45448]

 

"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2011-12-22 318080]

 

"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2011-10-24 174720]

 

"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]

 

"ACMON"="c:\program files (x86)\ASUS\Splendid\ACMON.exe" [2012-02-06 102568]

 

"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2012-02-02 2321072]

 

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

 

"FLxHCIm64"="c:\program files\Fresco Logic\Fresco Logic USB3.0 Host Controller\amd64_host\FLxHCIm.exe" [2012-07-19 48128]

 

"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2013-03-28 1058880]

 

.

 

c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

 

Intel® Turbo Boost Technology Monitor 2.0.lnk - c:\program files\Intel\TurboBoost\SignalIslandUi.exe [2010-11-29 204288]

 

.

 

c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

 

Intel® Turbo Boost Technology Monitor 2.0.lnk - c:\program files\Intel\TurboBoost\SignalIslandUi.exe [2010-11-29 204288]

 

.

 

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

 

AsusVibeLauncher.lnk - c:\program files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe /start [2011-4-1 548528]

 

.

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

 

"ConsentPromptBehaviorAdmin"= 0 (0x0)

 

"ConsentPromptBehaviorUser"= 3 (0x3)

 

"EnableLUA"= 0 (0x0)

 

"EnableUIADesktopToggle"= 0 (0x0)

 

"PromptOnSecureDesktop"= 0 (0x0)

 

.

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

 

@="Service"

 

.

 

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

 

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]

 

R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys;c:\windows\SYSNATIVE\Drivers\ssadadb.sys [x]

 

R3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_flt.sys [x]

 

R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys;c:\windows\SYSNATIVE\drivers\btath_a2dp.sys [x]

 

R3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_hcrp.sys [x]

 

R3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_lwflt.sys [x]

 

R3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_rcp.sys [x]

 

R3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x]

 

R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS;c:\windows\SYSNATIVE\drivers\BVRPMPR5a64.SYS [x]

 

R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [x]

 

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]

 

R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]

 

R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys;c:\windows\SYSNATIVE\drivers\EagleX64.sys [x]

 

R3 HawkesUpdater;Hawkes Unattended Updater;c:\program files (x86)\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe;c:\program files (x86)\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe [x]

 

R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]

 

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]

 

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]

 

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]

 

R3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUVStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUVStor.sys [x]

 

R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys;c:\windows\SYSNATIVE\DRIVERS\SiSG664.sys [x]

 

R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssadbus.sys [x]

 

R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdfl.sys [x]

 

R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdm.sys [x]

 

R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]

 

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

 

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]

 

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

 

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]

 

S1 ATKWMIACPIIO_;ATKWMIACPI Driver_;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [x]

 

S1 MpKsl89426992;MpKsl89426992;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CF71AD65-1930-4BFD-8650-162D36210323}\MpKsl89426992.sys;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CF71AD65-1930-4BFD-8650-162D36210323}\MpKsl89426992.sys [x]

 

S1 MpKslc95a29de;MpKslc95a29de;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CF71AD65-1930-4BFD-8650-162D36210323}\MpKslc95a29de.sys;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CF71AD65-1930-4BFD-8650-162D36210323}\MpKslc95a29de.sys [x]

 

S1 MpKslfe149707;MpKslfe149707;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CF71AD65-1930-4BFD-8650-162D36210323}\MpKslfe149707.sys;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CF71AD65-1930-4BFD-8650-162D36210323}\MpKslfe149707.sys [x]

 

S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [x]

 

S2 AsusUacSvc;Asus process privilege adjust service;c:\program files\Asus\Rotation Desktop for G Series\AsusUacSvc.exe;c:\program files\Asus\Rotation Desktop for G Series\AsusUacSvc.exe [x]

 

S2 Atheros Bt&Wlan Coex Agent;Atheros Bt&Wlan Coex Agent;c:\program files (x86)\Bluetooth Suite\Ath_CoexAgent.exe;c:\program files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [x]

 

S2 AtherosSvc;AtherosSvc;c:\program files (x86)\Bluetooth Suite\adminservice.exe;c:\program files (x86)\Bluetooth Suite\adminservice.exe [x]

 

S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]

 

S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [x]

 

S2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\EscSvc64.exe;c:\windows\SYSNATIVE\EscSvc64.exe [x]

 

S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]

 

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]

 

S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]

 

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]

 

S2 VideAceWindowsService;VideAceWindowsService;c:\expressgateutil\VAWinService.exe;c:\expressgateutil\VAWinService.exe [x]

 

S3 AiCharger;ASUS Charger Driver;c:\windows\system32\DRIVERS\AiCharger.sys;c:\windows\SYSNATIVE\DRIVERS\AiCharger.sys [x]

 

S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys;c:\windows\SYSNATIVE\DRIVERS\btath_bus.sys [x]

 

S3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;c:\windows\system32\DRIVERS\FLxHCIc.sys;c:\windows\SYSNATIVE\DRIVERS\FLxHCIc.sys [x]

 

S3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;c:\windows\system32\DRIVERS\FLxHCIh.sys;c:\windows\SYSNATIVE\DRIVERS\FLxHCIh.sys [x]

 

S3 fspad_win764;Finger Sensing Pad Driver for Windows 2000/XP/Vista/Win7_win764;c:\windows\system32\DRIVERS\fspad_win764.sys;c:\windows\SYSNATIVE\DRIVERS\fspad_win764.sys [x]

 

S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys;c:\windows\SYSNATIVE\drivers\MBfilt64.sys [x]

 

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]

 

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]

 

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]

 

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]

 

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]

 

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]

 

S3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]

 

.

 

.

 

--- Other Services/Drivers In Memory ---

 

.

 

*NewlyCreated* - MPKSLFE149707

 

.

 

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

 

2013-10-16 07:15 1185744 ----a-w- c:\program files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe

 

.

 

Contents of the 'Scheduled Tasks' folder

 

.

 

2013-11-12 c:\windows\Tasks\EPSON XP-310 Series Invitation {000F3676-290B-4C0B-BEB2-A06E917FD94D}.job

 

- c:\windows\system32\spool\DRIVERS\x64\3\E_ITSLBE.EXE [2013-10-04 05:20]

 

.

 

2013-11-12 c:\windows\Tasks\EPSON XP-310 Series Update {000F3676-290B-4C0B-BEB2-A06E917FD94D}.job

 

- c:\windows\system32\spool\DRIVERS\x64\3\E_ITSLBE.EXE [2013-10-04 05:20]

 

.

 

2013-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

 

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-15 21:54]

 

.

 

2013-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

 

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-15 21:54]

 

.

 

.

 

--------- X64 Entries -----------

 

.

 

.

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]

 

@="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"

 

[HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]

 

2010-09-02 08:41 220160 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSShellExt64.dll

 

.

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]

 

@="{64174815-8D98-4CE6-8646-4C039977D808}"

 

[HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]

 

2010-09-02 08:41 220160 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSShellExt64.dll

 

.

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

 

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-01-31 12446824]

 

"AtherosBtStack"="c:\program files (x86)\Bluetooth Suite\BtvStack.exe" [2011-03-13 617120]

 

"AthBtTray"="c:\program files (x86)\Bluetooth Suite\AthBtTray.exe" [2011-03-13 379552]

 

"fspuip"="c:\program files (x86)\FSP\fspuip.exe" [bU]

 

"IntelTBRunOnce"="wscript.exe" [2009-07-14 168960]

 

"THXCfg64"="c:\windows\system32\THXCfg64.dll" [2010-09-14 25600]

 

"Setwallpaper"="c:\programdata\SetWallpaper.cmd" [bU]

 

"MSC"="c:\program files\Microsoft Security Client\mssecex.exe" [bU]

 

.

 

------- Supplementary Scan -------

 

.

 

uLocal Page = c:\windows\system32\blank.htm

 

 

mLocal Page = c:\windows\SysWOW64\blank.htm

 

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

 

TCP: DhcpNameServer = 192.168.1.1

 

.

 

- - - - ORPHANS REMOVED - - - -

 

.

 

Toolbar-Locked - (no file)

 

.

 

.

 

.

 

--------------------- LOCKED REGISTRY KEYS ---------------------

 

.

 

[HKEY_USERS\S-1-5-21-1909249093-874876743-655935046-1000\Software\SecuROM\License information*]

 

"datasecu"=hex:44,12,e0,d6,5a,52,4c,3c,1c,84,41,41,52,11,4d,df,3c,38,35,ca,1c,

 

   72,90,d0,9c,13,63,04,68,f8,f1,df,7a,cb,98,03,08,64,27,52,96,6e,e6,65,cc,4c,\

 

"rkeysecu"=hex:ac,c1,19,fa,90,50,f6,03,d2,b5,8b,39,8c,ad,6d,6d

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

 

@Denied: (A 2) (Everyone)

 

@="FlashBroker"

 

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

 

"Enabled"=dword:00000001

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

 

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

 

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

 

@Denied: (A 2) (Everyone)

 

@="IFlashBroker5"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

 

@="{00020424-0000-0000-C000-000000000046}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

 

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

"Version"="1.0"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

 

@Denied: (A 2) (Everyone)

 

@="FlashBroker"

 

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

 

"Enabled"=dword:00000001

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

 

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

 

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

 

@Denied: (A 2) (Everyone)

 

@="Shockwave Flash Object"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

 

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"

 

"ThreadingModel"="Apartment"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

 

@="0"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

 

@="ShockwaveFlash.ShockwaveFlash.11"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

 

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

 

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

 

@="1.0"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

 

@="ShockwaveFlash.ShockwaveFlash"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

 

@Denied: (A 2) (Everyone)

 

@="Macromedia Flash Factory Object"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

 

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"

 

"ThreadingModel"="Apartment"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

 

@="FlashFactory.FlashFactory.1"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

 

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

 

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

 

@="1.0"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

 

@="FlashFactory.FlashFactory"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

 

@Denied: (A 2) (Everyone)

 

@="IFlashBroker5"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

 

@="{00020424-0000-0000-C000-000000000046}"

 

.

 

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

 

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

 

"Version"="1.0"

 

.

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

 

@Denied: (A) (Users)

 

@Denied: (A) (Everyone)

 

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

 

"BlindDial"=dword:00000000

 

.

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

 

@Denied: (A) (Users)

 

@Denied: (A) (Everyone)

 

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

 

"BlindDial"=dword:00000000

 

.

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

 

@Denied: (A) (Users)

 

@Denied: (A) (Everyone)

 

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

 

"BlindDial"=dword:00000000

 

.

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

 

@Denied: (A) (Users)

 

@Denied: (A) (Everyone)

 

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

 

"BlindDial"=dword:00000000

 

.

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

 

@Denied: (Full) (Everyone)

 

.

 

Completion time: 2013-11-13  14:57:20

 

ComboFix-quarantined-files.txt  2013-11-13 19:57

 

ComboFix2.txt  2013-11-13 12:18

 

ComboFix3.txt  2013-11-12 15:26

 

ComboFix4.txt  2013-11-11 15:51

 

.

 

Pre-Run: 117,389,119,488 bytes free

 

Post-Run: 117,481,771,008 bytes free

 

.

 

- - End Of File - - 9DFE9A56B32C11D116D7EF3BF2945CC2

 

Link to post
Share on other sites

Malwarebytes Anti-Malware 1.75.0.1300

 

www.malwarebytes.org

 

 

Database version: v2013.11.13.08

 

 

Windows 7 Service Pack 1 x64 NTFS

 

Internet Explorer 10.0.9200.16721

 

Nick :: NICK-PC [administrator]

 

 

11/13/2013 3:02:32 PM

 

mbam-log-2013-11-13 (15-02-32).txt

 

 

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|Q:\|)

 

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

 

Scan options disabled: P2P

 

Objects scanned: 773125

 

Time elapsed: 1 hour(s), 8 minute(s), 1 second(s)

 

 

Memory Processes Detected: 0

 

(No malicious items detected)

 

 

Memory Modules Detected: 1

 

C:\Users\Nick\AppData\Local\Bgtion\pkcs11-helper-1.dll (VirTool.Vbcrypt) -> Delete on reboot.

 

 

Registry Keys Detected: 3

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E6B969FB-6D33-48d2-9061-8BBD4899EB08} (PUP.Optional.Iminent.A) -> No action taken.

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE (Rootkit.0Access.EM) -> Quarantined and deleted successfully.

 

HKCU\SOFTWARE\IMINENT (PUP.Optional.Iminent.A) -> Quarantined and deleted successfully.

 

 

Registry Values Detected: 1

 

HKCU\Software\Iminent|SearchEngineOptin (PUP.Optional.Iminent.A) -> Data: 0 -> Quarantined and deleted successfully.

 

 

Registry Data Items Detected: 0

 

(No malicious items detected)

 

 

Folders Detected: 0

 

(No malicious items detected)

 

 

Files Detected: 6

 

C:\Users\Nick\AppData\Local\Bgtion\pkcs11-helper-1.dll (VirTool.Vbcrypt) -> Delete on reboot.

 

c:\program files (x86)\google\desktop\install\{80aa28bd-953b-0d79-ac52-59b01480de54}\   \...\‮ﯹ๛\{80aa28bd-953b-0d79-ac52-59b01480de54}\googleupdate.exe (Rootkit.0Access.EM) -> Quarantined and deleted successfully.

 

C:\Qoobox\Quarantine\[156]-Submit_2013-11-12_10.00.01.zip (VirTool.Vbcrypt) -> Quarantined and deleted successfully.

 

C:\Qoobox\Quarantine\[156]-Submit_2013-11-13_07.04.41.zip (VirTool.Vbcrypt) -> Quarantined and deleted successfully.

 

C:\Qoobox\Quarantine\C\Windows\assembly\GAC_32\Desktop.ini.vir (Rootkit.0Access) -> Quarantined and deleted successfully.

 

C:\Users\Nick\AppData\Local\Google\Desktop\Install\{80aa28bd-953b-0d79-ac52-59b01480de54}\❤≸⋙\Ⱒ☠⍨\‮ﯹ๛\{80aa28bd-953b-0d79-ac52-59b01480de54}\GoogleUpdate.exe (Rootkit.0Access.EM) -> Quarantined and deleted successfully.

 

 

(end)

Link to post
Share on other sites

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology

[*]Click Scan[*]Wait for the scan to finish[*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.

Link to post
Share on other sites

Skip that.

 

 

Use the Windows Error Checking utility (Check Disk), with the options to fix file system errors and scan the disk surface for errors, attempt recovery of data and repair the disk:

  • Click the "Windows Orb" Start button, then click Computer.
  • Right-click on the drive that you wish to check > Properties > Tools tab
  • In the "Error checking" section, click on Check now.
  • Place a checkmark in both boxes > Start.
  • If the disk you have chosen is the Windows system disk:
  • A message will notify you that a restart is necessary ask "Do you want to check for hard disk errors the next time you start your computer?".
  • Click Schedule disk check > OK and close all windows.
  • Re-start the computer. The disk will be checked when the system boots.
  • This will take some time to run and at times may appear stalled but just let it run.
  • When the disk check is complete, the system will re-start automatically and load Windows.


A log of the disk check is recorded only if the scheduled re-start is used, and only for drives on the same HDD as the Operating System.
To open Event Viewer and view the log:

  • Click the "Windows Orb" Start button -> type "eventvwr" without the quotes -> press the key.
  • The Event Viewer window will open.
  • In the left pane, expand "Windows Logs" and then click on Application.
  • In the right pane, at the top, click on the column heading Source to sort the list alphabetically.
  • Look in the Source column for "Wininit", with an entry corresponding to the date and time of the disk check.
  • Click on that Wininit entry to select it.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.

Link to post
Share on other sites

Log Name:      Application

Source:        Microsoft-Windows-Wininit

Date:          11/14/2013 1:51:30 PM

Event ID:      1001

Task Category: None

Level:         Information

Keywords:      Classic

User:          N/A

Computer:      Nick-PC

Description:

 

Checking file system on C:

The type of the file system is NTFS.

Volume label is OS.

 

A disk check has been scheduled.

Windows will now check the disk.                        

CHKDSK is verifying files (stage 1 of 5)...

  403200 file records processed.                                        

 

File verification completed.

  524 large file records processed.                                  

  0 bad file records processed.                                    

  4 EA records processed.                                          

  60 reparse records processed.                                     

CHKDSK is verifying indexes (stage 2 of 5)...

  459790 index entries processed.                                       

 

Index verification completed.

  0 unindexed files scanned.                                       

  0 unindexed files recovered.                                     

CHKDSK is verifying security descriptors (stage 3 of 5)...

  403200 file SDs/SIDs processed.                                       

 

Cleaning up 806 unused index entries from index $SII of file 0x9.

Cleaning up 806 unused index entries from index $SDH of file 0x9.

Cleaning up 806 unused security descriptors.

Security descriptor verification completed.

  28296 data files processed.                                          

 

CHKDSK is verifying Usn Journal...

  37419488 USN bytes processed.                                           

Usn Journal verification completed.

CHKDSK is verifying file data (stage 4 of 5)...

  403184 files processed.                                               

File data verification completed.

CHKDSK is verifying free space (stage 5 of 5)...

  28081939 free clusters processed.                                       

Free space verification is complete.

CHKDSK discovered free space marked as allocated in the

master file table (MFT) bitmap.

CHKDSK discovered free space marked as allocated in the volume bitmap.

Windows has made corrections to the file system.

293028863 KB total disk space.

179979908 KB in 374209 files.

    204688 KB in 28297 indexes.

         4 KB in bad sectors.

    516503 KB in use by the system.

     65536 KB occupied by the log file.

112327760 KB available on disk.

      4096 bytes in each allocation unit.

  73257215 total allocation units on disk.

  28081940 allocation units available on disk.

Internal Info:

00 27 06 00 50 24 06 00 14 dc 0b 00 00 00 00 00  .'..P$..........

dc 05 00 00 3c 00 00 00 00 00 00 00 00 00 00 00  ....<...........

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

 

Windows has finished checking your disk.

Please wait while your computer restarts.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />

    <EventID Qualifiers="16384">1001</EventID>

    <Version>0</Version>

    <Level>4</Level>

    <Task>0</Task>

    <Opcode>0</Opcode>

    <Keywords>0x80000000000000</Keywords>

    <TimeCreated SystemTime="2013-11-14T18:51:30.000000000Z" />

    <EventRecordID>34526</EventRecordID>

    <Correlation />

    <Execution ProcessID="0" ThreadID="0" />

    <Channel>Application</Channel>

    <Computer>Nick-PC</Computer>

    <Security />

  </System>

  <EventData>

    <Data>

 

Checking file system on C:

The type of the file system is NTFS.

Volume label is OS.

 

A disk check has been scheduled.

Windows will now check the disk.                        

CHKDSK is verifying files (stage 1 of 5)...

  403200 file records processed.                                        

 

File verification completed.

  524 large file records processed.                                  

  0 bad file records processed.                                    

  4 EA records processed.                                          

  60 reparse records processed.                                     

CHKDSK is verifying indexes (stage 2 of 5)...

  459790 index entries processed.                                       

 

Index verification completed.

  0 unindexed files scanned.                                       

  0 unindexed files recovered.                                     

CHKDSK is verifying security descriptors (stage 3 of 5)...

  403200 file SDs/SIDs processed.                                       

 

Cleaning up 806 unused index entries from index $SII of file 0x9.

Cleaning up 806 unused index entries from index $SDH of file 0x9.

Cleaning up 806 unused security descriptors.

Security descriptor verification completed.

  28296 data files processed.                                          

 

CHKDSK is verifying Usn Journal...

  37419488 USN bytes processed.                                           

Usn Journal verification completed.

CHKDSK is verifying file data (stage 4 of 5)...

  403184 files processed.                                               

File data verification completed.

CHKDSK is verifying free space (stage 5 of 5)...

  28081939 free clusters processed.                                       

Free space verification is complete.

CHKDSK discovered free space marked as allocated in the

master file table (MFT) bitmap.

CHKDSK discovered free space marked as allocated in the volume bitmap.

Windows has made corrections to the file system.

293028863 KB total disk space.

179979908 KB in 374209 files.

    204688 KB in 28297 indexes.

         4 KB in bad sectors.

    516503 KB in use by the system.

     65536 KB occupied by the log file.

112327760 KB available on disk.

      4096 bytes in each allocation unit.

  73257215 total allocation units on disk.

  28081940 allocation units available on disk.

Internal Info:

00 27 06 00 50 24 06 00 14 dc 0b 00 00 00 00 00  .'..P$..........

dc 05 00 00 3c 00 00 00 00 00 00 00 00 00 00 00  ....<...........

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

 

Windows has finished checking your disk.

Please wait while your computer restarts.

</Data>

  </EventData>

</Event>

Link to post
Share on other sites

System File Check

For Windows XP:

  • Press the Windows- and the R-key simultanously.
  • Within the text box that jus opened, write cmd and hit Enter.


For Windows Vista/7:

  • Press the Windows key to open the start menu.
  • Don´t highlight anything, just write cmd.
  • The start menu will offer you an entry named cmd.
  • Right click it and select "run as administrator"




Within the opening window, write the following:

sfc /scannow
(See the blank within).


  • Hit enter. Your system will be checked for damaged system files.
  • Tell me the result of that scan in here (as the tool produces no log).

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.


Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.