Strange Malware


#1
Matthew Davis

Hello, my first time here on GTG. Anyway, I am experiencing some strange system behavior that I think may be malware related. I noticed that my Task Manager was disabled, and re-enabled it through regedit, but afterwards I ran a Malwarebytes scan and a HijackThis log and had mixed results. A full Malwarebytes scan only picked up MyWebSearch, which I removed. HijackThis picked up an altered homepage for Windows Explorer, and an Unknown Owner for several system services. In the Task Manager the services that are in question have no entry for Group. Not N/A but a blank space. This seems weird to me; I think it might be a boot sector virus. Could you take a look at my OTL log and let me know if you see anything suspicious?

OTL logfile created on: 9/16/2011 11:45:37 PM - Run 2
OTL by OldTimer - Version 3.2.28.0 Folder = C:\Users\Matt\Downloads
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.75 Gb Total Physical Memory | 2.26 Gb Available Physical Memory | 60.36% Memory free
7.49 Gb Paging File | 5.76 Gb Available in Paging File | 76.93% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 241.00 Gb Total Space | 111.50 Gb Free Space | 46.27% Space Free | Partition Type: NTFS
Drive D: | 38.06 Gb Total Space | 37.97 Gb Free Space | 99.76% Space Free | Partition Type: NTFS

Computer Name: MATT-PC | User Name: Matt | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/16 14:14:43 | 000,581,632 | ---- | M] (OldTimer Tools) -- C:\Users\Matt\Downloads\OTL.exe
PRC - [2011/09/07 13:59:20 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2011/09/04 12:45:26 | 003,398,736 | ---- | M] (SAMSUNG Electronics) -- C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
PRC - [2011/08/12 10:21:23 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files (x86)\Steam\Steam.exe
PRC - [2011/05/26 14:14:52 | 000,477,080 | ---- | M] () -- C:\Users\Matt\AppData\Roaming\HP SimpleSave Application\StartHelper.exe
PRC - [2011/03/29 00:15:54 | 004,399,696 | ---- | M] (SEC) -- C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
PRC - [2011/02/24 21:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
PRC - [2011/01/04 09:06:42 | 007,060,560 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe
PRC - [2010/12/23 02:07:58 | 000,945,232 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
PRC - [2010/11/29 01:42:38 | 000,775,848 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe
PRC - [2010/11/10 01:03:52 | 000,136,488 | ---- | M] (CyberLink) -- C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
PRC - [2010/09/19 23:24:42 | 000,087,336 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe
PRC - [2010/08/26 21:52:12 | 002,782,064 | ---- | M] (Samsung Electronics) -- C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe
PRC - [2010/07/01 10:38:26 | 000,083,512 | ---- | M] (ArcSoft, Inc.) -- C:\Users\Matt\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe
PRC - [2009/11/02 01:21:26 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe


========== Modules (No Company Name) ==========

MOD - [2011/09/14 12:55:13 | 014,407,976 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\libcef.dll
MOD - [2011/09/14 12:55:12 | 000,914,216 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avcodec-52.dll
MOD - [2011/09/14 12:55:12 | 000,190,248 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\chromehtml.dll
MOD - [2011/09/14 12:55:12 | 000,155,432 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avformat-52.dll
MOD - [2011/09/14 12:55:12 | 000,091,432 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avutil-50.dll
MOD - [2011/09/07 13:59:18 | 001,846,232 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2011/08/12 10:20:00 | 006,277,280 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/05/26 14:14:52 | 000,477,080 | ---- | M] () -- C:\Users\Matt\AppData\Roaming\HP SimpleSave Application\StartHelper.exe
MOD - [2010/07/05 06:42:58 | 000,203,776 | ---- | M] () -- C:\Program Files (x86)\Samsung\Movie Color Enhancer\WinCRT.dll
MOD - [2010/05/07 10:22:18 | 001,636,864 | ---- | M] () -- C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\Resdll.dll
MOD - [2009/11/02 01:23:36 | 000,013,096 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvcPS.dll
MOD - [2009/11/02 01:20:10 | 000,619,816 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Power2Go\CLMediaLibrary.dll
MOD - [2006/08/11 23:48:40 | 000,049,152 | ---- | M] () -- C:\Program Files (x86)\Samsung\Easy Display Manager\HookDllPS2.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/04/27 17:21:18 | 000,288,272 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2011/04/27 17:21:18 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2011/02/27 15:48:30 | 000,203,776 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2010/09/22 05:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2010/08/09 15:04:12 | 000,166,704 | ---- | M] (Samsung Electronics CO., LTD.) [On_Demand | Stopped] -- C:\windows\SysNative\SUPDSvc.exe -- (Samsung UPD Service)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2011/03/16 10:42:06 | 000,407,336 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/03/01 08:23:36 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/02/24 21:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2010/07/01 10:38:26 | 000,083,512 | ---- | M] (ArcSoft, Inc.) [Auto | Running] -- C:\Users\Matt\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe -- (BackupService)
SRV - [2010/06/03 13:48:28 | 000,246,520 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WildGames\Game Console - WildGames\GameConsoleService.exe -- (GameConsoleService)
SRV - [2010/06/01 02:31:28 | 002,804,568 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe -- (NOBU)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/05/27 07:20:32 | 002,750,464 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2011/05/10 08:06:08 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2011/04/27 15:25:24 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/02/27 17:07:42 | 009,079,808 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/02/27 15:11:32 | 000,299,520 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011/01/27 01:35:26 | 000,425,064 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/01/15 12:21:04 | 000,036,352 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VClone.sys -- (VClone)
DRV:64bit: - [2010/12/16 18:58:14 | 000,040,816 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV:64bit: - [2010/12/16 16:06:46 | 000,047,232 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\usbfilter.sys -- (usbfilter)
DRV:64bit: - [2010/11/20 23:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 23:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 23:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/11/18 01:04:32 | 000,115,216 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2010/11/12 18:23:38 | 000,138,024 | ---- | M] (ELAN Microelectronics Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ETD.sys -- (ETD)
DRV:64bit: - [2010/11/12 10:16:00 | 000,037,504 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_xata.sys -- (amd_xata)
DRV:64bit: - [2010/11/12 10:15:58 | 000,077,952 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_sata.sys -- (amd_sata)
DRV:64bit: - [2010/11/10 01:04:14 | 000,031,088 | ---- | M] (CyberLink Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\clwvd.sys -- (clwvd)
DRV:64bit: - [2010/10/06 22:59:00 | 000,013,824 | ---- | M] (SAMSUNG ELECTRONICS) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\SABI.sys -- (SABI)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 20:35:32 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\serscan.sys -- (StillCam)
DRV:64bit: - [2009/06/10 16:37:05 | 006,108,416 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2011/05/19 11:03:32 | 000,015,144 | ---- | M] (Windows ® 2003 DDK 3790 provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\rtport.sys -- (rtport)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://samsung.msn.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://samsung.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D8 DF 8D 74 B3 95 CB 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Search-Results"
FF - prefs.js..browser.search.defaultenginename: "Search-Results"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/...4DF&PC=DCF4&q="
FF - prefs.js..browser.search.order.1: "Search-Results"
FF - prefs.js..browser.search.selectedEngine: "Search-Results"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {66E978CD-981F-47DF-AC42-E3CF417C1467}:0.4.3
FF - prefs.js..extensions.enabledItems: {89f8dde0-010a-11da-8cd6-0800200c9a66}:1.0.0.21
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.6
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.9.2
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.3
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: [email protected]:1.2.1
FF - prefs.js..extensions.enabledItems: {35379F86-8CCB-4724-AE33-4278DE266C70}:1.0.5
FF - prefs.js..extensions.enabledItems: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca}:1.2.5
FF - prefs.js..extensions.enabledItems: [email protected]:2.22.6
FF - prefs.js..extensions.enabledItems: {AE93811A-5C9A-4d34-8462-F7B864FC4696}:3.81
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: [email protected]:1.3.3
FF - prefs.js..extensions.enabledItems: {4a1a0a40-7d27-11dd-ad8b-0800200c9a66}:1.3.1
FF - prefs.js..keyword.URL: "http://www.google.co...ient&gfns=1&q="
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 8118
FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1"
FF - prefs.js..network.proxy.socks: "127.0.0.1"
FF - prefs.js..network.proxy.socks_port: 9050
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - prefs.js..network.proxy.ssl: "127.0.0.1"
FF - prefs.js..network.proxy.ssl_port: 8118
FF - prefs.js..network.proxy.type: 4

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Matt\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/09/07 13:59:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/09/07 14:06:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2011/08/19 11:57:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 6.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2011/06/30 12:40:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Matt\AppData\Roaming\Mozilla\Extensions
[2011/06/30 12:40:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Matt\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/09/13 02:12:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\p2q0ist5.default\extensions
[2011/08/25 01:42:52 | 000,000,000 | ---D | M] (Garmin Communicator) -- C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\p2q0ist5.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2011/06/30 12:39:36 | 000,000,000 | ---D | M] (MonoChrome) -- C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\p2q0ist5.default\extensions\{4a1a0a40-7d27-11dd-ad8b-0800200c9a66}
[2011/06/30 12:39:36 | 000,000,000 | ---D | M] (New Tab Homepage) -- C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\p2q0ist5.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
[2011/06/30 12:39:36 | 000,000,000 | ---D | M] (Yahoo! Mail Notifier) -- C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\p2q0ist5.default\extensions\{89f8dde0-010a-11da-8cd6-0800200c9a66}
[2011/06/30 12:39:37 | 000,000,000 | ---D | M] (Torbutton) -- C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\p2q0ist5.default\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
[2011/09/08 17:10:44 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\p2q0ist5.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2011/06/30 12:39:31 | 000,000,000 | ---D | M] ("FacebookBlocker") -- C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\p2q0ist5.default\extensions\[email protected]
[2011/09/10 10:59:59 | 000,000,000 | ---D | M] (FoxyProxy Standard) -- C:\Users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\p2q0ist5.default\extensions\[email protected]
[2011/06/28 12:50:17 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/06/28 12:50:17 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
() (No name found) -- C:\USERS\MATT\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\P2Q0IST5.DEFAULT\EXTENSIONS\{AE93811A-5C9A-4D34-8462-F7B864FC4696}.XPI
() (No name found) -- C:\USERS\MATT\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\P2Q0IST5.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
() (No name found) -- C:\USERS\MATT\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\P2Q0IST5.DEFAULT\EXTENSIONS\[email protected]
() (No name found) -- C:\USERS\MATT\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\P2Q0IST5.DEFAULT\EXTENSIONS\[email protected]
[2011/09/07 13:59:21 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3:64bit: - HKCU\..\Toolbar\WebBrowser - No CLSID value found.
O3: - HKCU\..\Toolbar\WebBrowser - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4:64bit: - HKLM..\Run: [ETDCtrl] C:\Program Files\Elantech\ETDCtrl.exe (ELAN Microelectronics Corp.)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - Startup: C:\Users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HP SimpleSave Monitor.lnk = C:\Users\Matt\AppData\Roaming\HP SimpleSave Application\StartHelper.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 1
O8:64bit: - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\windows\system32\GPhotos.scr/200 File not found
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\windows\SysWow64\GPhotos.scr (Google Inc.)
O9 - Extra Button: Samsung AnyWeb Print - {328ECD19-C167-40eb-A0C7-16FE7634105E} - C:\Program Files\Samsung AnyWeb Print\W2PBrowser.dll File not found
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{44FD186D-1BAF-4569-8BB1-F0C21BBA06DE}: DhcpNameServer = 24.224.95.205 24.224.127.143
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5941D309-FB7E-4C49-90AC-13ED27A44807}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) -C:\windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{2be0dff6-adea-11e0-b2aa-e811325ca25b}\Shell - "" = AutoRun
O33 - MountPoints2\{2be0dff6-adea-11e0-b2aa-e811325ca25b}\Shell\AutoRun\command - "" = F:\SETUP.EXE
O33 - MountPoints2\{2be0dff6-adea-11e0-b2aa-e811325ca25b}\Shell\configure\command - "" = F:\SETUP.EXE
O33 - MountPoints2\{2be0dff6-adea-11e0-b2aa-e811325ca25b}\Shell\install\command - "" = F:\SETUP.EXE
O33 - MountPoints2\{72a17bdf-d589-11e0-bc70-e811325ca25b}\Shell - "" = AutoRun
O33 - MountPoints2\{72a17bdf-d589-11e0-bc70-e811325ca25b}\Shell\AutoRun\command - "" = G:\HPLauncher.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/16 23:46:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Speccy
[2011/09/16 23:46:51 | 000,000,000 | ---D | C] -- C:\Program Files\Speccy
[2011/09/16 23:45:19 | 004,087,040 | ---- | C] (Piriform Ltd) -- C:\Users\Matt\Desktop\spsetup112.exe
[2011/09/16 12:25:06 | 000,000,000 | ---D | C] -- C:\Users\Matt\Desktop\backups
[2011/09/16 12:16:18 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Matt\Desktop\HijackThis.exe
[2011/09/16 12:14:43 | 001,404,208 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Matt\Desktop\TDSSKiller.exe
[2011/09/16 12:08:13 | 004,846,880 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Matt\Desktop\procexp.exe
[2011/09/16 03:04:26 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2011/09/14 09:59:41 | 000,000,000 | ---D | C] -- C:\Users\Matt\Desktop\role_and_qualities_of_the_mediator_the_peacemaker_approach_to_mediation(br)(electronic)
[2011/09/14 09:59:40 | 000,000,000 | ---D | C] -- C:\Users\Matt\Desktop\mediation_process_caucus_method(br)(electronic)
[2011/09/13 01:56:16 | 000,000,000 | ---D | C] -- C:\Users\Matt\AppData\Roaming\Abine
[2011/09/07 14:04:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe
[2011/09/05 03:36:20 | 000,000,000 | ---D | C] -- C:\Users\Matt\AppData\Roaming\Media Player Classic
[2011/09/04 01:55:31 | 000,000,000 | ---D | C] -- C:\ProgramData\HPSS
[2011/09/04 01:55:20 | 000,000,000 | ---D | C] -- C:\Users\Matt\AppData\Roaming\HPSS
[2011/09/04 01:50:24 | 000,000,000 | ---D | C] -- C:\Users\Matt\AppData\Roaming\ArcSoft
[2011/09/04 01:50:10 | 000,000,000 | ---D | C] -- C:\Users\Matt\AppData\Roaming\HP SimpleSave Application
[2011/08/31 12:55:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Respondus
[2011/08/31 12:55:46 | 001,410,704 | ---- | C] (FarPoint Technologies, Inc.) -- C:\windows\SysWow64\FPSPR70.ocx
[2011/08/31 12:55:46 | 000,729,161 | ---- | C] (FarPoint Technologies, Inc.) -- C:\windows\SysWow64\fpimage.dll
[2011/08/31 12:55:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Respondus LockDown Browser
[2011/08/28 14:26:22 | 000,000,000 | ---D | C] -- C:\Users\Matt\Desktop\Flash drive
[2011/08/26 16:58:51 | 000,000,000 | ---D | C] -- C:\Users\Matt\AppData\Roaming\.minecraft
[2011/08/26 02:32:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/08/26 02:31:48 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/08/26 02:31:47 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/08/26 02:31:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[2011/08/24 19:08:10 | 000,000,000 | ---D | C] -- C:\Users\Matt\Documents\A Game Of Thrones
[2011/08/24 18:42:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Jack Claw
[2011/08/24 18:39:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Jack Claw
[2011/08/24 18:26:04 | 000,000,000 | ---D | C] -- C:\Users\Matt\Desktop\Comics
[2011/08/22 22:18:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emulators
[2011/08/22 22:17:58 | 000,000,000 | ---D | C] -- C:\Users\Matt\Desktop\ZNES
[2011/08/22 22:15:53 | 000,000,000 | ---D | C] -- C:\Users\Matt\Desktop\Earthbound
[2011/08/18 14:19:26 | 000,000,000 | ---D | C] -- C:\Users\Matt\AppData\Roaming\Unity
[2011/08/18 14:17:57 | 000,000,000 | ---D | C] -- C:\Users\Matt\AppData\Local\Unity
[4 C:\Users\Matt\Documents\*.tmp files -> C:\Users\Matt\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/16 23:46:58 | 000,000,796 | ---- | M] () -- C:\Users\Public\Desktop\Speccy.lnk
[2011/09/16 23:46:26 | 004,087,040 | ---- | M] (Piriform Ltd) -- C:\Users\Matt\Desktop\spsetup112.exe
[2011/09/16 23:41:46 | 000,021,200 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/09/16 23:41:46 | 000,021,200 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/09/16 23:33:31 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2011/09/16 23:33:23 | 4022,468,608 | -HS- | M] () -- C:\hiberfil.sys
[2011/09/16 12:16:24 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Matt\Desktop\HijackThis.exe
[2011/09/16 12:14:10 | 001,388,161 | ---- | M] () -- C:\Users\Matt\Desktop\tdsskiller.zip
[2011/09/15 15:32:00 | 000,002,114 | ---- | M] () -- C:\Users\Public\Desktop\Samsung Support Center.lnk
[2011/09/14 18:37:34 | 000,735,882 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2011/09/14 18:37:34 | 000,630,420 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2011/09/14 18:37:34 | 000,109,466 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2011/09/13 15:56:28 | 001,404,208 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Matt\Desktop\TDSSKiller.exe
[2011/09/13 13:58:57 | 006,552,259 | ---- | M] () -- C:\Users\Matt\Desktop\CJUS3114_-_Mediation_Conflict_Resolution.zip
[2011/09/07 14:06:40 | 000,002,014 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/09/07 13:59:44 | 000,002,052 | ---- | M] () -- C:\Users\Matt\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/09/07 13:59:43 | 000,002,118 | ---- | M] () -- C:\Users\Matt\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
[2011/09/05 01:55:45 | 000,001,882 | ---- | M] () -- C:\Users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HP SimpleSave Monitor.lnk
[2011/08/31 17:00:50 | 000,025,416 | ---- | M] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
[2011/08/31 15:16:50 | 004,846,880 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Matt\Desktop\procexp.exe
[2011/08/31 12:55:52 | 000,001,951 | ---- | M] () -- C:\Users\Public\Desktop\LockDown Browser.lnk
[2011/08/31 12:54:26 | 004,129,888 | ---- | M] () -- C:\Users\Matt\Desktop\LockDownSFX.exe
[2011/08/29 11:52:07 | 000,001,310 | ---- | M] () -- C:\Users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2011/08/26 16:58:40 | 000,270,142 | ---- | M] () -- C:\Users\Matt\Desktop\Minecraft.exe
[2011/08/26 02:32:46 | 000,001,783 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/08/24 14:28:26 | 000,000,635 | ---- | M] () -- C:\Users\Matt\Desktop\zsnesw - Shortcut.lnk
[4 C:\Users\Matt\Documents\*.tmp files -> C:\Users\Matt\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/16 23:46:58 | 000,000,796 | ---- | C] () -- C:\Users\Public\Desktop\Speccy.lnk
[2011/09/16 12:13:34 | 001,388,161 | ---- | C] () -- C:\Users\Matt\Desktop\tdsskiller.zip
[2011/09/16 12:08:13 | 000,072,268 | ---- | C] () -- C:\Users\Matt\Desktop\procexp.chm
[2011/09/15 15:32:00 | 000,002,114 | ---- | C] () -- C:\Users\Public\Desktop\Samsung Support Center.lnk
[2011/09/13 13:58:04 | 006,552,259 | ---- | C] () -- C:\Users\Matt\Desktop\CJUS3114_-_Mediation_Conflict_Resolution.zip
[2011/09/07 14:04:52 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2011/09/07 14:04:52 | 000,002,014 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/09/04 01:55:40 | 000,001,882 | ---- | C] () -- C:\Users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HP SimpleSave Monitor.lnk
[2011/08/31 12:55:52 | 000,001,951 | ---- | C] () -- C:\Users\Public\Desktop\LockDown Browser.lnk
[2011/08/31 12:53:40 | 004,129,888 | ---- | C] () -- C:\Users\Matt\Desktop\LockDownSFX.exe
[2011/08/29 11:52:07 | 000,001,310 | ---- | C] () -- C:\Users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2011/08/26 16:58:38 | 000,270,142 | ---- | C] () -- C:\Users\Matt\Desktop\Minecraft.exe
[2011/08/26 02:32:46 | 000,001,783 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/08/24 14:28:26 | 000,000,635 | ---- | C] () -- C:\Users\Matt\Desktop\zsnesw - Shortcut.lnk
[2011/08/10 15:57:23 | 000,003,584 | ---- | C] () -- C:\Users\Matt\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/29 02:12:06 | 000,000,000 | ---- | C] () -- C:\windows\nsreg.dat
[2011/06/28 12:59:45 | 001,564,496 | ---- | C] () -- C:\windows\SysWow64\PerfStringBackup.INI
[2011/06/28 12:55:32 | 000,175,616 | ---- | C] () -- C:\windows\SysWow64\unrar.dll
[2011/06/28 12:55:31 | 000,000,038 | ---- | C] () -- C:\windows\avisplitter.ini
[2011/06/28 12:55:30 | 000,644,608 | ---- | C] () -- C:\windows\SysWow64\xvidcore.dll
[2011/06/28 12:55:30 | 000,243,200 | ---- | C] () -- C:\windows\SysWow64\xvidvfw.dll
[2011/06/28 12:55:30 | 000,073,216 | ---- | C] () -- C:\windows\SysWow64\ff_vfw.dll
[2011/05/02 15:02:02 | 000,258,864 | ---- | C] () -- C:\windows\SUPDRun.exe
[2011/05/02 14:59:57 | 000,003,143 | ---- | C] () -- C:\windows\SysWow64\atipblag.dat
[2011/04/30 00:59:35 | 000,307,200 | ---- | C] () -- C:\windows\SetDisplayResolution.exe
[2011/04/30 00:24:57 | 000,000,000 | ---- | C] () -- C:\windows\ativpsrm.bin
[2011/04/30 00:12:53 | 000,000,378 | ---- | C] () -- C:\windows\HotFixList.ini
[2011/04/30 00:05:58 | 000,142,128 | ---- | C] () -- C:\windows\wiainst64.exe
[2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- C:\windows\bootstat.dat
[2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- C:\windows\SysWow64\NOISE.DAT
[2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- C:\windows\SysWow64\dssec.dat
[2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- C:\windows\mib.bin
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:59:36 | 000,982,196 | ---- | C] () -- C:\windows\SysWow64\igkrng500.bin
[2009/07/13 17:59:36 | 000,139,824 | ---- | C] () -- C:\windows\SysWow64\igfcg500.bin
[2009/07/13 17:59:36 | 000,097,448 | ---- | C] () -- C:\windows\SysWow64\igfcg500m.bin
[2009/07/13 17:59:35 | 000,417,344 | ---- | C] () -- C:\windows\SysWow64\igcompkrng500.bin
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\windows\SysWow64\msjetoledb40.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\windows\SysWow64\mlang.dat

========== LOP Check ==========

[2011/08/26 17:00:06 | 000,000,000 | ---D | M] -- C:\Users\Matt\AppData\Roaming\.minecraft
[2011/09/13 02:00:46 | 000,000,000 | ---D | M] -- C:\Users\Matt\AppData\Roaming\Abine
[2011/07/20 08:40:27 | 000,000,000 | ---D | M] -- C:\Users\Matt\AppData\Roaming\GARMIN
[2011/06/30 12:40:19 | 000,000,000 | ---D | M] -- C:\Users\Matt\AppData\Roaming\Thunderbird
[2011/08/18 14:19:26 | 000,000,000 | ---D | M] -- C:\Users\Matt\AppData\Roaming\Unity
[2011/09/11 17:20:13 | 000,000,000 | ---D | M] -- C:\Users\Matt\AppData\Roaming\uTorrent
[2009/07/14 01:08:49 | 000,009,398 | ---- | M] () -- C:\windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

Edited by Matthew Davis, 16 September 2011 - 10:30 PM.


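The OTL listing above is the kind of raw material a helper reads line by line, and the first pass is always the same few questions: is it executable, does it carry a company name, where does it live, and is it hidden. As an added example (not OTL's code and not part of the original thread), the Python below parses OTL's `[timestamp | size | attrs | C/M] (company) -- path` lines and applies those heuristics. The extension list and path prefixes are assumptions made for the example, the sample lines are a constructed input copied from the listing above, and a hit is a reason to hash and check the file, not a verdict: hiberfil.sys trips the hidden/system rule by design.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input for this example: a handful of lines copied from the OTL listing
# posted above, one of each shape the format produces (directory, file with a
# company name, file with an empty company field, hidden/system file).
SAMPLE_OTL = r"""
[2011/08/31 12:55:46 | 001,410,704 | ---- | C] (FarPoint Technologies, Inc.) -- C:\windows\SysWow64\FPSPR70.ocx
[2011/08/31 12:55:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Respondus LockDown Browser
[2011/09/16 23:41:46 | 000,021,200 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/09/16 23:33:23 | 4022,468,608 | -HS- | M] () -- C:\hiberfil.sys
[2011/08/31 17:00:50 | 000,025,416 | ---- | M] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
[2011/08/26 16:58:38 | 000,270,142 | ---- | C] () -- C:\Users\Matt\Desktop\Minecraft.exe
[2011/05/02 15:02:02 | 000,258,864 | ---- | C] () -- C:\windows\SUPDRun.exe
[2011/09/16 23:46:58 | 000,000,796 | ---- | C] () -- C:\Users\Public\Desktop\Speccy.lnk
"""

# [timestamp | size | attrs | C/M] (company) -- path ; directory lines carry no (company)
OTL_LINE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([-A-Z]{4}) \| ([CM])\]"
    r"(?: \((.*)\))? -- (.*)$"
)

# Assumptions for triage: extensions Windows loads or executes directly, and the
# locations that separate "user can write here" from "inside the OS tree".
EXEC_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv", ".ax", ".com", ".pif"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
SYSTEM_DIR = "c:\\windows\\"


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str              # four characters from -, H (hidden), S (system), D (directory)
    mode: str               # C = created, M = modified (which OTL section the line came from)
    company: Optional[str]  # None for directories, "" when OTL printed "()"
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def ext(self) -> str:
        return ntpath.splitext(self.path)[1].lower()


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_otl_line(line: str) -> Optional[Entry]:
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    ts, size, attrs, mode, company, path = m.groups()
    return Entry(ts, int(size.replace(",", "")), attrs, mode, company, path)


def parse_otl(text: str) -> List[Entry]:
    return [e for e in (parse_otl_line(l) for l in text.splitlines()) if e]


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag executable files that deserve a hash/signature check. Heuristic only."""
    findings = []
    for e in entries:
        if e.is_dir or e.ext not in EXEC_EXT:
            continue
        reasons = []
        lower = e.path.lower()
        if e.company == "":
            reasons.append("no_company")        # no vendor string in the version resource
        if lower.startswith(USER_WRITABLE):
            reasons.append("user_writable")     # code living where a standard user can write
        if lower.startswith(SYSTEM_DIR) and e.company == "":
            reasons.append("system_dir")        # unlabelled binary inside the Windows tree
        if "H" in e.attrs or "S" in e.attrs:
            reasons.append("hidden_or_system")  # attributes that keep the file out of view
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_otl(SAMPLE_OTL)):
        print(f"{f.entry.mode} {f.entry.timestamp}  {f.entry.path}  <- {', '.join(f.reasons)}")
```

Run against the constructed lines it flags Minecraft.exe (no company, user-writable), SUPDRun.exe (no company, inside C:\windows) and hiberfil.sys (hidden/system), and passes FPSPR70.ocx and mbam.sys, which carry vendor names. Everything flagged goes to a hash lookup and signature check; the heuristic does not say a file is bad, only that nothing on the line vouches for it.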
#2
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Since you have foxyproxy I assume you have a reason for the proxy settings in FF:

FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 8118
FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1"
FF - prefs.js..network.proxy.socks: "127.0.0.1"
FF - prefs.js..network.proxy.socks_port: 9050
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - prefs.js..network.proxy.ssl: "127.0.0.1"
FF - prefs.js..network.proxy.ssl_port: 8118


If one of the following will not run, just skip to the next one, then go back and try the things that wouldn't run again after finishing the others.

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

Right-click on Malwarebytes' Anti-Malware and select Run As Administrator and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform Quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



ComboFix

:!: It must be saved to your desktop, do not run it from your browser:!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Right-click on ComboFix and select Run As Administrator to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Download aswMBR.exe ( 511KB ) to your desktop.
Double-click aswMBR.exe to run it.
Change the AV scan to None.
Uncheck "trace disk IO calls".
Click the "Scan" button to start the scan.
On completion of the scan (note whether the Fix button is enabled (not the FixMBR button) and tell me), click "Save log", save it to your desktop and post it in your next reply.

Ron

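The proxy prefs Ron quotes (HTTP and SSL to loopback port 8118, SOCKS to loopback port 9050, DNS resolved over the SOCKS proxy) match the default listen ports of Privoxy and Tor respectively, which is why a deliberately installed FoxyProxy/Tor chain is the benign reading; the same prefs pointing at a non-loopback host would mean the browser's traffic is being handed to another machine. Whether the entries are in force at all depends on network.proxy.type, which the quoted excerpt does not include. The Python below is an added example, not part of this thread or of any tool mentioned in it: it parses prefs.js `user_pref` lines and classifies the proxy configuration. The two sample prefs files are constructed for the example (the second uses the documentation address 203.0.113.5), and the port-to-program table is an association with default ports only, not proof of which process is listening.

```python
import json
import re
from typing import Any, Dict, List

# Constructed input: the proxy prefs quoted in the reply above, written the way they
# appear in a Firefox prefs.js, plus network.proxy.type = 1 (manual), which the reply
# does not show and is assumed here so that the manual settings are in force.
PREFS_LOCAL_CHAIN = '''
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8118);
user_pref("network.proxy.no_proxies_on", "127.0.0.1");
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 8118);
user_pref("network.proxy.type", 1);
'''

# Constructed contrast case: the shape a proxy hijack takes. 203.0.113.5 is a
# documentation-only address, not a real server.
PREFS_REMOTE = '''
user_pref("network.proxy.http", "203.0.113.5");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "203.0.113.5");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.type", 1);
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Meaning of network.proxy.type in Firefox.
PROXY_TYPE = {0: "direct", 1: "manual", 2: "pac", 4: "autodetect", 5: "system"}

# Default listen ports of two well-known local proxies (assumption: an association
# with the default port only; confirm the bound process with netstat -ano / tasklist).
KNOWN_LOCAL_PORTS = {8118: "Privoxy", 9050: "Tor SOCKS"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_prefs(text: str) -> Dict[str, Any]:
    """Parse user_pref("name", value); lines. Values are JS literals (strings,
    integers, booleans); JSON decoding covers every case seen here."""
    prefs: Dict[str, Any] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, raw = m.groups()
            try:
                prefs[name] = json.loads(raw)
            except ValueError:
                prefs[name] = raw  # keep the literal rather than lose the pref
    return prefs


def assess_proxy(prefs: Dict[str, Any]) -> Dict[str, Any]:
    """Decide whether the proxy prefs are in force and where traffic would go."""
    if "network.proxy.type" in prefs:
        ptype = PROXY_TYPE.get(prefs["network.proxy.type"], "unknown")
    else:
        ptype = "unset"  # browser default applies; manual entries below are dormant
    endpoints: List[Dict[str, Any]] = []
    for scheme in ("http", "ssl", "socks", "ftp"):
        host = prefs.get(f"network.proxy.{scheme}")
        if not host:
            continue
        port = prefs.get(f"network.proxy.{scheme}_port")
        endpoints.append({"scheme": scheme, "host": host, "port": port,
                          "loopback": host in LOOPBACK,
                          "known_as": KNOWN_LOCAL_PORTS.get(port)})
    if ptype == "pac":
        verdict = "pac"            # a PAC script decides per request; read the script itself
    elif ptype != "manual" or not endpoints:
        verdict = "inactive"       # entries present in the file but not applied
    elif any(not ep["loopback"] for ep in endpoints):
        verdict = "remote"         # traffic leaves the host for another machine
    elif all(ep["known_as"] for ep in endpoints):
        verdict = "local-known"    # looks like a Privoxy/Tor chain; verify the processes
    else:
        verdict = "local-unknown"  # something local is listening; identify it
    return {
        "type": ptype,
        "active": ptype == "manual" and bool(endpoints),
        "endpoints": endpoints,
        "remote_dns": bool(prefs.get("network.proxy.socks_remote_dns", False)),
        "pac_url": prefs.get("network.proxy.autoconfig_url"),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, text in (("local chain", PREFS_LOCAL_CHAIN), ("remote", PREFS_REMOTE)):
        r = assess_proxy(parse_prefs(text))
        print(label, r["verdict"], [(e["scheme"], e["host"], e["port"]) for e in r["endpoints"]])
```

The verdict is deliberately coarse: "local-known" still needs the listening processes confirmed on the host, because a malicious local proxy can bind 8118 as easily as Privoxy can, and "inactive" entries are worth noting as leftovers of whatever wrote them even though they route nothing.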
#3
Matthew Davis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Alright, FoxyProxy was installed by my brother, so I will remove that; I don't need it. All three scans have been run; however, during the Malwarebytes scan my antivirus, Microsoft Security Essentials, picked up something: "TrojanDownloader:Java/OpenConnection.OU". It was found at
containerfile:C:\Users\Matt\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\34a0e572-151151b2
file:C:\Users\Matt\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\34a0e572-151151b2->datas/wall$1.class
and I had it removed. Additionally, the service for my webcam was also on without me having activated it. This is slightly disconcerting.

Here are the other scans, though I think something went wrong with the MBR one.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7736

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

9/17/2011 11:02:38 PM
mbam-log-2011-09-17 (23-02-27).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 347233
Time elapsed: 1 hour(s), 1 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Matt\downloads\Isos\windows xp keygen+validation pack\wga-fix.exe (Hacktool.WGAFix) -> No action taken.
c:\Users\Matt\downloads\Isos\windows xp keygen+validation pack\windows xp keygen.exe (Malware.Tool) -> No action taken.



ComboFix 11-09-17.03 - Matt 09/17/2011 23:06:35.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3836.2460 [GMT -4:00]
Running from: c:\users\Matt\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files (x86)\Skype\Plugin Manager\SkypePM.exe
c:\users\Matt\Documents\~WRL0005.tmp
c:\users\Matt\Documents\~WRL2431.tmp
c:\users\Matt\Documents\~WRL3126.tmp
c:\users\Matt\Documents\~WRL3512.tmp
c:\windows\pl
c:\windows\pl\WLXPGSS.SCR.mui
.
.
((((((((((((((((((((((((( Files Created from 2011-08-18 to 2011-09-18 )))))))))))))))))))))))))))))))
.
.
2011-09-18 03:21 . 2011-09-18 03:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-18 02:35 . 2011-09-18 02:35 -------- d-----w- c:\users\Public\CyberLink
2011-09-18 02:35 . 2011-09-18 02:35 -------- d-----w- c:\users\Matt\AppData\Roaming\CyberLink
2011-09-18 02:35 . 2011-09-18 02:35 -------- d-----w- c:\users\Matt\AppData\Local\CyberLink
2011-09-17 07:25 . 2011-09-17 07:25 35712 ----a-w- c:\windows\SysWow64\drivers\BlackBox.sys
2011-09-17 03:47 . 2011-08-12 04:10 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7D31D1F8-83A0-4134-A3A8-BB0DFD26EA9A}\mpengine.dll
2011-09-17 03:46 . 2011-09-17 03:46 -------- d-----w- c:\program files\Speccy
2011-09-13 05:56 . 2011-09-13 06:00 -------- d-----w- c:\users\Matt\AppData\Roaming\Abine
2011-09-08 20:42 . 2011-06-28 17:19 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F7BF054E-6E9E-41DF-A5C7-D9FE0CBF710E}\gapaengine.dll
2011-09-07 18:04 . 2011-09-07 18:04 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2011-09-05 07:36 . 2011-09-05 07:36 -------- d-----w- c:\users\Matt\AppData\Roaming\Media Player Classic
2011-09-04 16:45 . 2011-09-04 16:45 103760 ----a-w- c:\windows\SysWow64\mfcm100d.dll
2011-09-04 16:45 . 2011-09-04 16:45 743760 ----a-w- c:\windows\SysWow64\msvcp100d.dll
2011-09-04 16:45 . 2011-09-04 16:45 7124304 ----a-w- c:\windows\SysWow64\mfc100ud.dll
2011-09-04 16:45 . 2011-09-04 16:45 7055696 ----a-w- c:\windows\SysWow64\mfc100d.dll
2011-09-04 16:45 . 2011-09-04 16:45 105296 ----a-w- c:\windows\SysWow64\mfcm100ud.dll
2011-09-04 05:55 . 2011-09-04 05:55 -------- d-----w- c:\programdata\HPSS
2011-09-04 05:55 . 2011-09-04 05:55 -------- d-----w- c:\users\Matt\AppData\Roaming\HPSS
2011-09-04 05:54 . 2001-09-05 08:18 225280 ----a-w- c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
2011-09-04 05:54 . 2001-09-05 08:14 176128 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2011-09-04 05:54 . 2001-09-05 08:13 32768 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2011-09-04 05:54 . 2001-09-05 08:18 77824 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2011-09-04 05:54 . 2003-04-16 22:26 614532 ----a-w- c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2011-09-04 05:50 . 2011-09-04 05:50 -------- d-----w- c:\users\Matt\AppData\Roaming\ArcSoft
2011-09-04 05:50 . 2011-09-04 05:55 -------- d-----w- c:\users\Matt\AppData\Roaming\HP SimpleSave Application
2011-08-31 16:55 . 2006-01-04 17:04 729161 ----a-w- c:\windows\SysWow64\fpimage.dll
2011-08-31 16:55 . 2006-01-04 17:04 1410704 ----a-w- c:\windows\SysWow64\FPSPR70.ocx
2011-08-31 16:55 . 2011-08-31 16:55 -------- d-----w- c:\program files (x86)\Respondus LockDown Browser
2011-08-26 20:58 . 2011-08-26 21:00 -------- d-----w- c:\users\Matt\AppData\Roaming\.minecraft
2011-08-26 06:31 . 2011-08-26 06:31 -------- d-----w- c:\program files\iPod
2011-08-26 06:31 . 2011-08-26 06:32 -------- d-----w- c:\program files\iTunes
2011-08-26 06:31 . 2011-08-26 06:32 -------- d-----w- c:\program files (x86)\iTunes
2011-08-24 22:43 . 2006-11-29 17:06 469264 ----a-w- c:\windows\system32\d3dx10.dll
2011-08-24 22:39 . 2011-08-24 22:42 -------- d-----w- c:\program files (x86)\Jack Claw
2011-08-24 03:10 . 2011-07-09 05:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-24 03:10 . 2011-07-09 04:29 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-31 21:00 . 2011-06-28 16:59 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-12 14:20 . 2011-06-28 16:44 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-12 04:10 . 2011-06-29 19:38 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-08-03 02:02 . 2011-08-03 02:02 255352 ----a-w- c:\windows\SysWow64\awrdscdc.ax
2011-07-22 05:42 . 2011-08-12 07:01 2303488 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 05:36 . 2011-08-12 07:01 1389056 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 05:32 . 2011-08-12 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-22 02:54 . 2011-08-12 07:01 1797632 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-07-22 02:48 . 2011-08-12 07:01 1126912 ----a-w- c:\windows\SysWow64\wininet.dll
2011-07-22 02:44 . 2011-08-12 07:01 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-07-16 05:41 . 2011-08-10 07:48 362496 ----a-w- c:\windows\system32\wow64win.dll
2011-07-16 05:41 . 2011-08-10 07:48 243200 ----a-w- c:\windows\system32\wow64.dll
2011-07-16 05:41 . 2011-08-10 07:48 13312 ----a-w- c:\windows\system32\wow64cpu.dll
2011-07-16 05:39 . 2011-08-10 07:48 16384 ----a-w- c:\windows\system32\ntvdm64.dll
2011-07-16 05:37 . 2011-08-10 07:48 421888 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 05:21 . 2011-08-10 07:48 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 05:21 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 04:29 . 2011-08-10 07:48 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2011-07-16 04:26 . 2011-08-10 07:48 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-07-16 04:25 . 2011-08-10 07:48 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2011-07-16 04:24 . 2011-08-10 07:48 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2011-07-16 04:24 . 2011-08-10 07:48 272384 ----a-w- c:\windows\SysWow64\KernelBase.dll
2011-07-16 04:15 . 2011-08-10 07:48 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 5120 ---ha-w- c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:15 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 07:48 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2011-07-16 02:21 . 2011-08-10 07:48 2048 ----a-w- c:\windows\SysWow64\user.exe
2011-07-16 02:17 . 2011-08-10 07:48 6144 ---ha-w- c:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17 . 2011-08-10 07:48 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17 . 2011-08-10 07:48 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17 . 2011-08-10 07:48 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-12 15:34 . 2011-07-12 15:34 96104 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:34 . 2011-07-12 15:34 85864 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:34 . 2011-07-12 15:34 61288 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:34 . 2011-07-12 15:34 212840 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-07-09 02:46 . 2011-08-10 07:48 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2011-07-01 14:05 . 2011-07-01 14:05 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-07-01 14:05 . 2011-07-01 14:05 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2011-07-01 14:05 . 2011-07-01 14:05 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2011-07-01 14:05 . 2011-07-01 14:05 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2011-07-01 14:05 . 2011-07-01 14:05 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-07-01 14:05 . 2011-07-01 14:05 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2011-07-01 14:05 . 2011-07-01 14:05 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2011-07-01 14:05 . 2011-07-01 14:05 367104 ----a-w- c:\windows\SysWow64\html.iec
2011-07-01 14:05 . 2011-07-01 14:05 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-07-01 14:05 . 2011-07-01 14:05 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-07-01 14:05 . 2011-07-01 14:05 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
HP SimpleSave Monitor.lnk - c:\users\Matt\AppData\Roaming\HP SimpleSave Application\StartHelper.exe [2011-9-4 477080]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 BackupService;BackupService;c:\users\Matt\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe [2010-07-01 83512]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 Samsung UPD Service;Samsung UPD Service;c:\windows\System32\SUPDSvc.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys [x]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 69074497
*NewlyCreated* - CPUZ135
*Deregistered* - 69074497
*Deregistered* - cpuz135
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-02-27 11780712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://samsung.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {{328ECD19-C167-40eb-A0C7-16FE7634105E} - {94BB0C4C-B957-479A-85E4-42F53B89F681} - c:\program files\Samsung AnyWeb Print\W2PBrowser.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\p2q0ist5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=DCF4DF&PC=DCF4&q=
FF - prefs.js: browser.search.selectedEngine - Search-Results
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 8118
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 8118
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-09-17 23:44:20
ComboFix-quarantined-files.txt 2011-09-18 03:44
.
Pre-Run: 119,780,847,616 bytes free
Post-Run: 119,743,283,200 bytes free
.
- - End Of File - - AD7A21907890561065A969EAB732E3B2


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-18 00:10:29
-----------------------------
00:10:29.653 OS Version: Windows x64 6.1.7601 Service Pack 1
00:10:29.653 Number of processors: 2 586 0x100
00:10:29.653 ComputerName: MATT-PC UserName: Matt
00:10:31.011 Initialze error C000010E - driver not loaded
00:10:36.876 AVAST engine defs: 11091701
00:10:44.895 Service scanning
00:10:45.441 Service MpNWMon C:\windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
00:10:46.174 Modules scanning
00:10:46.174 Disk 0 trace - called modules:
00:10:46.174
00:10:46.174 Scan finished successfully
00:10:53.958 The log file has been saved successfully to "C:\Users\Matt\Desktop\aswMBR.txt"


Edit: Ran it again, and this time it seems to have initialized.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-18 00:24:04
-----------------------------
00:24:04.104 OS Version: Windows x64 6.1.7601 Service Pack 1
00:24:04.104 Number of processors: 2 586 0x100
00:24:04.104 ComputerName: MATT-PC UserName: Matt
00:24:05.586 Initialize success
00:24:12.669 AVAST engine defs: 11091701
00:24:16.834 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
00:24:16.834 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 11
00:24:18.862 Disk 0 MBR read successfully
00:24:18.862 Disk 0 MBR scan
00:24:18.877 Disk 0 unknown MBR code
00:24:18.877 Service scanning
00:24:19.486 Service MpNWMon C:\windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
00:24:20.313 Modules scanning
00:24:20.313 Scan finished successfully
00:24:34.119 Disk 0 MBR has been saved successfully to "C:\Users\Matt\Desktop\MBR.dat"
00:24:34.119 The log file has been saved successfully to "C:\Users\Matt\Desktop\aswMBR.txt"

Edited by Matthew Davis, 17 September 2011 - 10:29 PM.


#4
RKinner
    Malware Expert
  • Expert
  • 24,625 posts
  • MVP
Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

Submit the file C:\Users\Matt\Desktop\MBR.dat to http://virustotal.com and let's see if they find anything wrong with it. If they don't say 0/43 or so, then copy the report and paste it into a reply.


Let's get rid of the proxy stuff and some deadwood:

Copy the text in the code box by highlighting and Ctrl + c


:processes
killallprocesses

:OTL
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 8118
FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1"
FF - prefs.js..network.proxy.socks: "127.0.0.1"
FF - prefs.js..network.proxy.socks_port: 9050
FF - prefs.js..network.proxy.socks_remote_dns: true
FF - prefs.js..network.proxy.ssl: "127.0.0.1"
FF - prefs.js..network.proxy.ssl_port: 8118
FF - prefs.js..network.proxy.type: 4
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.

     
:Commands
[RESETHOSTS]
[purity]
[Reboot]


Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl+V) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done.

Use IE and go to http://eset.com/onlinescan and click on ESET Online Scanner. Accept the terms, then press Start (if you get a warning from your browser, tell it you want to run it).

1. Check Scan Archives.
2. Push the Start button.
3. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
4. When the scan completes, push LIST OF THREATS FOUND.
5. Push EXPORT TO TEXT FILE, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
6. Push the BACK button.
7. Push Finish.
8. Once the scan is completed, you may close the window.
9. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log as a reply.

Ron

#5
Matthew Davis
    New Member
  • Topic Starter
  • Member
  • 7 posts
Cleared Java Cache, used JavaRa to delete old versions as well. Virus total found something, now I am doing the other steps.

Antivirus Version Last Update Result
AhnLab-V3 2011.09.17.00 2011.09.17 -
AntiVir 7.11.14.223 2011.09.16 -
Antiy-AVL 2.0.3.7 2011.09.18 -
Avast 4.8.1351.0 2011.09.17 -
Avast5 5.0.677.0 2011.09.17 -
AVG 10.0.0.1190 2011.09.17 -
BitDefender 7.2 2011.09.18 -
ByteHero 1.0.0.1 2011.09.13 -
CAT-QuickHeal 11.00 2011.09.16 -
ClamAV 0.97.0.0 2011.09.18 -
Commtouch 5.3.2.6 2011.09.17 -
Comodo 10153 2011.09.18 -
DrWeb 5.0.2.03300 2011.09.18 -
Emsisoft 5.1.0.11 2011.09.18 -
eSafe 7.0.17.0 2011.09.15 -
eTrust-Vet 36.1.8566 2011.09.17 -
F-Prot 4.6.2.117 2011.09.17 -
F-Secure 9.0.16440.0 2011.09.18 -
Fortinet 4.3.370.0 2011.09.18 -
GData 22 2011.09.18 -
Ikarus T3.1.1.107.0 2011.09.17 -
Jiangmin 13.0.900 2011.09.17 -
K7AntiVirus 9.113.5150 2011.09.17 -
Kaspersky 9.0.0.837 2011.09.18 -
McAfee 5.400.0.1158 2011.09.18 -
McAfee-GW-Edition 2010.1D 2011.09.17 -
Microsoft 1.7604 2011.09.18 -
NOD32 6472 2011.09.18 -
Norman 6.07.11 2011.09.17 -
nProtect 2011-09-17.01 2011.09.17 -
Panda 10.0.3.5 2011.09.17 -
PCTools 8.0.0.5 2011.09.18 -
Prevx 3.0 2011.09.18 -
Rising 23.75.04.02 2011.09.16 -
Sophos 4.69.0 2011.09.18 -
SUPERAntiSpyware 4.40.0.1006 2011.09.17 -
Symantec 20111.2.0.82 2011.09.18 -
TheHacker 6.7.0.1.298 2011.09.17 -
TrendMicro 9.500.0.1008 2011.09.18 -
TrendMicro-HouseCall 9.500.0.1008 2011.09.18 -
VBA32 3.12.16.4 2011.09.16 suspected of Unknown.BootVirus
VIPRE 10509 2011.09.18 -
ViRobot 2011.9.17.4674 2011.09.17 -
VirusBuster 14.0.218.0 2011.09.17 -
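The MBR.dat submitted to VirusTotal above is the same 512-byte sector that MBRCheck and aswMBR hash and parse before reporting "Unknown MBR code". As an added example (not a tool from this thread), the Python below walks through that triage on a constructed MBR whose partition offsets mirror the ones MBRCheck prints later in the thread; the hash-whitelist mechanism, the System Reserved entry and the boot code bytes are assumptions, not the poster's data.

```python
"""MBR triage in the style of MBRCheck/aswMBR: parse the 512-byte sector that
MBRCheck dumps as MBR.dat and decide whether the boot code is "known".
Added example for this thread; the MBR below is constructed, not the poster's."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOTSTRAP_LEN = 440            # bytes 0..439 hold the executable boot code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of every valid MBR


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def start_offset(self) -> int:
        """Byte offset on the physical disk, as MBRCheck reports it."""
        return self.start_lba * SECTOR


def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary partition entries; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, start, count = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        if ptype != 0:
            parts.append(Partition(i, status == 0x80, ptype, start, count))
    return parts


def triage_mbr(mbr: bytes, known_hashes=frozenset()) -> dict:
    """Return the bootstrap hash plus findings.  Assumption: like MBRCheck, the
    verdict "unknown MBR code" means the code hash is not in a whitelist of
    known-good boot codes; custom OEM recovery boot code yields that verdict too."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR image must be exactly 512 bytes")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    code_sha1 = hashlib.sha1(mbr[:BOOTSTRAP_LEN]).hexdigest().upper()
    known = code_sha1 in known_hashes
    if not known:
        findings.append("unknown MBR code (bootstrap hash not in whitelist)")
    parts = parse_partitions(mbr)
    if sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one partition flagged bootable")
    spans = sorted((p.start_lba, p.start_lba + p.sector_count, p.index) for p in parts)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return {"bootstrap_sha1": code_sha1, "known_code": known,
            "partitions": parts, "findings": findings}


def windbg_offset(nbytes: int) -> str:
    """Format a byte offset the way MBRCheck prints it, e.g. 0x00000000`06500000."""
    return f"0x{nbytes >> 32:08x}`{nbytes & 0xFFFFFFFF:08x}"


def build_sample_mbr(tamper: bool = False) -> bytes:
    """Constructed MBR whose partition starts mirror the offsets MBRCheck printed
    in the thread (C: at 0x06500000, D: at 0x3c46600000, 305245 MB disk).  The
    System Reserved entry and the boot code bytes are made up."""
    bootstrap = bytes((i * 7 + 3) & 0xFF for i in range(BOOTSTRAP_LEN))
    if tamper:  # simulate any modification of the boot code region
        bootstrap = bytes([bootstrap[0] ^ 0xFF]) + bootstrap[1:]
    disk_sig = b"\xde\xad\xbe\xef\x00\x00"   # NT disk signature + 2 reserved bytes
    c_start, d_start = 0x06500000 // SECTOR, 0x3C46600000 // SECTOR
    disk_sectors = 305245 * 1024 * 1024 // SECTOR

    def entry(bootable, ptype, start, count):
        return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, start, count)

    table = (entry(True, 0x07, 2048, c_start - 2048)               # System Reserved
             + entry(False, 0x07, c_start, d_start - c_start)      # C:
             + entry(False, 0x07, d_start, disk_sectors - d_start) # D:
             + bytes(16))                                          # unused slot
    return bootstrap + disk_sig + table + BOOT_SIGNATURE


if __name__ == "__main__":
    sample = build_sample_mbr()
    result = triage_mbr(sample)
    print("SHA1:", result["bootstrap_sha1"])
    for p in result["partitions"]:
        print(f"  part {p.index} type 0x{p.type_id:02x} at {windbg_offset(p.start_offset)}")
    print("findings:", result["findings"] or "none")
```

An "unknown" verdict only says the bootstrap hash is not whitelisted, so a second opinion on the dump, as this thread gets from VirusTotal, is the right follow-up before restoring standard boot code.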

#6
RKinner
    Malware Expert
  • Expert
  • 24,625 posts
  • MVP
When you get done with the other stuff:

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log MBRCheck(date).txt on your desktop. Copy and paste it into a reply.


1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.

Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application. Reboot. The disk check will run and will probably take an hour or more to finish.


Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator. Then type (with an Enter after each line).

sfc /scannow

(SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.)

sigverif

Press Start in the new window. This will check your drivers. If you just get a few when it finishes tell me what they are. If you get a lot just look for those with newish dates (since about the time the problem started.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Right-click VEW.exe and Run As Administrator.
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'.
2. Type 20 in the 1 to 20 box.
3. Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

Ron
(Bedtime for me)

#7
Matthew Davis
    New Member
  • Topic Starter
  • Member
  • 7 posts
Alright, got all of the log files here.

C:\Users\Matt\Downloads\Computer-Repair-Utility-Kit-V2.zip probably a variant of Win32/Agent.BLBJFEG trojan deleted - quarantined

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: SAMSUNG ELECTRONICS CO., LTD.
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: SAMSUNG ELECTRONICS CO., LTD.
System Product Name: RV415/RV515
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 191):

Processes (total 72):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000003c`46600000 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200BPVT-35ZEST0, Rev: 01.01A01

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: F5C09ACABD4A5370BDD907E8EDFE0C1DA0F9D3F5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit): 0Dumping \\.\PhysicalDisk0...
Enter filename to dump to: MBRdumpDumped successfully!

Enter the physical disk number to dump (0-99, -1 to exit): -1

Done!

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-09-18 11:05:21
# local_time=2011-09-18 07:05:21 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776574 100 94 11043698 67872756 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=185893
# found=1
# cleaned=1
# scan_time=14616
C:\Users\Matt\Downloads\Computer-Repair-Utility-Kit-V2.zip probably a variant of Win32/Agent.BLBJFEG trojan (deleted - quarantined) 00000000000000000000000000000000 C

========== PROCESSES ==========
All processes killed
========== OTL ==========
Prefs.js: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22 removed from extensions.enabledItems
Prefs.js: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24 removed from extensions.enabledItems
Prefs.js: "127.0.0.1" removed from network.proxy.http
Prefs.js: 8118 removed from network.proxy.http_port
Prefs.js: "127.0.0.1" removed from network.proxy.no_proxies_on
Prefs.js: "127.0.0.1" removed from network.proxy.socks
Prefs.js: 9050 removed from network.proxy.socks_port
Prefs.js: true removed from network.proxy.socks_remote_dns
Prefs.js: "127.0.0.1" removed from network.proxy.ssl
Prefs.js: 8118 removed from network.proxy.ssl_port
Prefs.js: 4 removed from network.proxy.type
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
========== COMMANDS ==========
C:\windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.28.0 log created on 09182011_022707

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Signature Verification Results
vclone.sys c:\windows\system32\drivers modified 1/15/2011 System file version 5.4.4.3

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 18/09/2011 1:27:10 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 18/09/2011 3:57:37 PM
Type: Error Category: 0
Event: 4199 Source: Tcpip
The system detected an address conflict for IP address 0.0.0.0 with the system having network hardware address 84-2B-2B-A4-C3-5B. Network operations on this system may be disrupted as a result.

Log: 'System' Date/Time: 18/09/2011 3:40:16 PM
Type: Error Category: 0
Event: 3002 Source: Microsoft Antimalware
Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 18/09/2011 2:16:24 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 18/09/2011 1:27:59 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 18/09/2011 3:40:56 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 18/09/2011 2:09:40 PM
Type: Error Category: 0
Event: 80 Source: SideBySide
Activation context generation failed for "C:\Program Files (x86)\ESET\ESET Online Scanner\ESETSmartInstaller.exe".Error in manifest or policy file "" on line . A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest. Component 2: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Log: 'Application' Date/Time: 18/09/2011 6:33:20 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program Steam.exe version 1.0.1065.11 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 10e4 Start Time: 01cc75cc627df549 Termination Time: 312 Application Path: C:\Program Files (x86)\Steam\Steam.exe Report Id: 157675a0-e1c0-11e0-af40-e811325ca25b

Log: 'Application' Date/Time: 18/09/2011 6:29:40 AM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 18/09/2011 6:09:56 AM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 18/09/2011 4:47:42 AM
Type: Error Category: 0
Event: 72 Source: SideBySide
Activation context generation failed for "c:\program files\microsoft security client\MSESysprep.dll".Error in manifest or policy file "c:\program files\microsoft security client\MSESysprep.dll" on line 10. The element imaging appears as a child of element urn:schemas-microsoft-com:asm.v1^assembly which is not supported by this version of Windows.

Log: 'Application' Date/Time: 17/09/2011 7:23:58 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Exception code: 0xc0000005 Fault offset: 0x000040cd Faulting process id: 0xc90 Faulting application start time: 0x01cc750ac2408a3f Faulting application path: C:\Users\Matt\Desktop\RootkitRevealer.exe Faulting module path: C:\Users\Matt\Desktop\RootkitRevealer.exe Report Id: 01d80c08-e0fe-11e0-ab2e-e811325ca25b

Log: 'Application' Date/Time: 17/09/2011 7:13:31 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Exception code: 0xc0000005 Fault offset: 0x000040cd Faulting process id: 0xad8 Faulting application start time: 0x01cc75094d638a47 Faulting application path: C:\Users\Matt\Desktop\RootkitRevealer.exe Faulting module path: C:\Users\Matt\Desktop\RootkitRevealer.exe Report Id: 8bd4b031-e0fc-11e0-ab2e-e811325ca25b

Log: 'Application' Date/Time: 17/09/2011 7:13:04 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Exception code: 0xc0000005 Fault offset: 0x000040cd Faulting process id: 0x12b0 Faulting application start time: 0x01cc75093d6426ef Faulting application path: C:\Users\Matt\Desktop\RootkitRevealer.exe Faulting module path: C:\Users\Matt\Desktop\RootkitRevealer.exe Report Id: 7be308ad-e0fc-11e0-ab2e-e811325ca25b

Log: 'Application' Date/Time: 17/09/2011 6:09:22 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: florbaladl.exe, version: 1.71.0.0, time stamp: 0x44e255aa Faulting module name: florbaladl.exe, version: 1.71.0.0, time stamp: 0x44e255aa Exception code: 0xc0000005 Fault offset: 0x000040cd Faulting process id: 0x1008 Faulting application start time: 0x01cc750056dab1b7 Faulting application path: C:\Users\Matt\Desktop\florbaladl.exe Faulting module path: C:\Users\Matt\Desktop\florbaladl.exe Report Id: 95f5fccf-e0f3-11e0-ab2e-e811325ca25b

Log: 'Application' Date/Time: 17/09/2011 6:03:52 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: florbaladl.exe, version: 1.71.0.0, time stamp: 0x44e255aa Faulting module name: florbaladl.exe, version: 1.71.0.0, time stamp: 0x44e255aa Exception code: 0xc0000005 Fault offset: 0x000040cd Faulting process id: 0xfbc Faulting application start time: 0x01cc74ff92c964c4 Faulting application path: C:\Users\Matt\Desktop\florbaladl.exe Faulting module path: C:\Users\Matt\Desktop\florbaladl.exe Report Id: d13bea43-e0f2-11e0-ab2e-e811325ca25b

Log: 'Application' Date/Time: 17/09/2011 6:03:30 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Exception code: 0xc0000005 Fault offset: 0x000040cd Faulting process id: 0xdfc Faulting application start time: 0x01cc74ff8545e02c Faulting application path: C:\Users\Matt\Desktop\RootkitRevealer.exe Faulting module path: C:\Users\Matt\Desktop\RootkitRevealer.exe Report Id: c3bcd28c-e0f2-11e0-ab2e-e811325ca25b

Log: 'Application' Date/Time: 17/09/2011 6:03:18 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Exception code: 0xc0000005 Fault offset: 0x000040cd Faulting process id: 0x940 Faulting application start time: 0x01cc74ff7e758b32 Faulting application path: C:\Users\Matt\Desktop\RootkitRevealer.exe Faulting module path: C:\Users\Matt\Desktop\RootkitRevealer.exe Report Id: bce10bb7-e0f2-11e0-ab2e-e811325ca25b

Log: 'Application' Date/Time: 17/09/2011 6:01:55 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Exception code: 0xc0000005 Fault offset: 0x000040cd Faulting process id: 0xff8 Faulting application start time: 0x01cc74ff4cf4b322 Faulting application path: C:\Users\Matt\Desktop\RootkitRevealer.exe Faulting module path: C:\Users\Matt\Desktop\RootkitRevealer.exe Report Id: 8b8129a3-e0f2-11e0-ab2e-e811325ca25b

Log: 'Application' Date/Time: 17/09/2011 6:01:45 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Exception code: 0xc0000005 Fault offset: 0x000040cd Faulting process id: 0x1028 Faulting application start time: 0x01cc74ff44d51cef Faulting application path: C:\Users\Matt\Desktop\RootkitRevealer.exe Faulting module path: C:\Users\Matt\Desktop\RootkitRevealer.exe Report Id: 859bad48-e0f2-11e0-ab2e-e811325ca25b

Log: 'Application' Date/Time: 17/09/2011 3:35:15 AM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 16/09/2011 4:37:38 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Log: 'Application' Date/Time: 16/09/2011 4:34:01 PM
Type: Error Category: 0
Event: 1015 Source: Microsoft-Windows-Wininit
A critical system process, C:\windows\system32\lsass.exe, failed with status code 1. The machine must now be restarted.

Log: 'Application' Date/Time: 16/09/2011 7:54:54 AM
Type: Error Category: 0
Event: 72 Source: SideBySide
Activation context generation failed for "c:\program files\microsoft security client\MSESysprep.dll".Error in manifest or policy file "c:\program files\microsoft security client\MSESysprep.dll" on line 10. The element imaging appears as a child of element urn:schemas-microsoft-com:asm.v1^assembly which is not supported by this version of Windows.

Log: 'Application' Date/Time: 16/09/2011 7:23:23 AM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 18/09/2011 6:07:26 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 30 user registry handles leaked from \Registry\User\S-1-5-21-2670036315-4148557095-3311392361-1000:
Process 1104 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 1104 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 1104 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 1104 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 1104 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\trust
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\trust
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 1104 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 1104 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 1104 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 1104 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 1104 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1104 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\Root
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\Root
Process 1104 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\My
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\My
Process 1104 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1104 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\CA
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\CA
Process 1104 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\Disallowed
Process 452 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\Disallowed


Log: 'Application' Date/Time: 18/09/2011 5:44:29 AM
Type: Warning Category: 0
Event: 10010 Source: Microsoft-Windows-RestartManager
Application 'C:\Windows\explorer.exe' (pid 2936) cannot be restarted - Application SID does not match Conductor SID..

Log: 'Application' Date/Time: 17/09/2011 3:32:58 AM
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 17/09/2011 3:32:58 AM
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 16/09/2011 4:36:07 PM
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 02/09/2011 5:31:13 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2670036315-4148557095-3311392361-1000_Classes:
Process 11152 (\Device\HarddiskVolume2\Program Files (x86)\VideoLAN\VLC\vlc.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000_CLASSES


Log: 'Application' Date/Time: 02/09/2011 5:31:13 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 3 user registry handles leaked from \Registry\User\S-1-5-21-2670036315-4148557095-3311392361-1000:
Process 11152 (\Device\HarddiskVolume2\Program Files (x86)\VideoLAN\VLC\vlc.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 11152 (\Device\HarddiskVolume2\Program Files (x86)\VideoLAN\VLC\vlc.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Control Panel\International
Process 11152 (\Device\HarddiskVolume2\Program Files (x86)\VideoLAN\VLC\vlc.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\Windows\CurrentVersion\Explorer


Log: 'Application' Date/Time: 12/08/2011 7:31:49 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2670036315-4148557095-3311392361-1000_Classes:
Process 3976 (\Device\HarddiskVolume2\Program Files (x86)\VideoLAN\VLC\vlc.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000_CLASSES


Log: 'Application' Date/Time: 12/08/2011 7:31:46 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 3 user registry handles leaked from \Registry\User\S-1-5-21-2670036315-4148557095-3311392361-1000:
Process 3976 (\Device\HarddiskVolume2\Program Files (x86)\VideoLAN\VLC\vlc.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 3976 (\Device\HarddiskVolume2\Program Files (x86)\VideoLAN\VLC\vlc.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Control Panel\International
Process 3976 (\Device\HarddiskVolume2\Program Files (x86)\VideoLAN\VLC\vlc.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\Windows\CurrentVersion\Explorer


Log: 'Application' Date/Time: 06/08/2011 11:56:44 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 15 user registry handles leaked from \Registry\User\S-1-5-21-2670036315-4148557095-3311392361-1000:
Process 2004 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 2004 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 2004 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 2004 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 2004 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\trust
Process 2004 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 2004 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 2004 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 2004 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 2004 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 2004 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\Root
Process 2004 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\My
Process 2004 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 2004 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\CA
Process 2004 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\Disallowed


Log: 'Application' Date/Time: 28/07/2011 6:10:50 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, OffProv12, has been registered in the Windows Management Instrumentation namespace Root\MSAPPS12 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 28/07/2011 6:10:50 AM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, OffProv12, has been registered in the Windows Management Instrumentation namespace Root\MSAPPS12 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Log: 'Application' Date/Time: 14/07/2011 7:21:53 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 6 user registry handles leaked from \Registry\User\S-1-5-21-2670036315-4148557095-3311392361-1000:
Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\Internet Explorer\Main
Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software
Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1088 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies


Log: 'Application' Date/Time: 02/07/2011 1:45:23 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 0 user registry handles leaked from \Registry\User\S-1-5-21-2670036315-4148557095-3311392361-1000:


Log: 'Application' Date/Time: 01/07/2011 4:23:34 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 15 user registry handles leaked from \Registry\User\S-1-5-21-2670036315-4148557095-3311392361-1000:
Process 2040 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 2040 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 2040 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 2040 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000
Process 2040 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\trust
Process 2040 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 2040 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 2040 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 2040 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Policies\Microsoft\SystemCertificates
Process 2040 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\TrustedPeople
Process 2040 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\Root
Process 2040 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\My
Process 2040 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 2040 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\CA
Process 2040 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000\Software\Microsoft\SystemCertificates\Disallowed


Log: 'Application' Date/Time: 30/06/2011 4:00:02 PM
Type: Warning Category: 1
Event: 1008 Source: Microsoft-Windows-Search
The Windows Search Service is starting up and attempting to remove the old search index {Reason: Application Requested}.


Log: 'Application' Date/Time: 29/06/2011 6:38:31 PM
Type: Warning Category: 1
Event: 1008 Source: Microsoft-Windows-Search
The Windows Search Service is starting up and attempting to remove the old search index {Reason: Indexer Settings Migration}.


Log: 'Application' Date/Time: 29/06/2011 5:51:53 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2670036315-4148557095-3311392361-1000:
Process 488 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2670036315-4148557095-3311392361-1000


Log: 'Application' Date/Time: 29/06/2011 3:16:51 AM
Type: Warning Category: 3
Event: 4879 Source: Microsoft-Windows-MSDTC Client 2
MSDTC encountered an error (HR=0x80000171) while attempting to establish a secure connection with system MATT-PC.

Log: 'Application' Date/Time: 29/06/2011 2:33:48 AM
Type: Warning Category: 1
Event: 1008 Source: Microsoft-Windows-Search
The Windows Search Service is starting up and attempting to remove the old search index {Reason: Indexer Settings Migration}.


I think that has got everything, let me know if anything is missing.
#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
The MBR is just a special version from Samsung. Nothing to worry about. I'm not seeing anything bad in the logs. Could you do a print screen shot of your task manager?
To do a print screen:
http://www.ehow.com/...windows-xp.html
Save it as .jpg and then attach it to your next post. You can also copy and paste your Hijackthis log with the unknown services.

Ron

#9 RKinner (Malware Expert, MVP)
MSSE is not working right.


Download and Save the free Avast installer.
http://www.avast.com...ivirus-download

Uninstall Microsoft Security Essentials

Reboot

Install Avast. (Register when it asks you - they will try to talk you in to buying the full product but the free version is what we want.)


Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?


You didn't clear all of the events. Do this step again:

Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application. Reboot.

Then run Vino's Event Viewer as before.

#10
Matthew Davis

Matthew Davis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:09:15 PM, on 9/18/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Users\Matt\AppData\Roaming\HP SimpleSave Application\StartHelper.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files (x86)\Samsung\Easy Display Manager\WifiManager.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
C:\Program Files (x86)\Samsung\Movie Color Enhancer\MovieColorEnhancer.exe
C:\Program Files (x86)\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files (x86)\Samsung\Samsung Update Plus\SUPBackground.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Matt\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://samsung.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (filesize 75200 bytes, MD5 203A74767EB81F96A5166B1933DB46D0)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (filesize 439168 bytes, MD5 6BF01E200063D7274F3AF06D226671F5)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (filesize 42272 bytes, MD5 E7D55E121FF1951CB86C7E0DC6A33877)
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s (filesize 89456 bytes, MD5 2A21FE60A9BC5247BD8C57409A2B97F8)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime (filesize 421888 bytes, MD5 73430E79D6DF4DE9055E2A7742B881D3)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" (filesize 421736 bytes, MD5 879D74337173A6D630D3D06184D354C1)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" (filesize 37296 bytes, MD5 826DDBBCA98F2E6CD1DFE33CEF33994C)
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" (filesize 937920 bytes, MD5 47C1DE0A890613FFCFF1D67648EEDF90)
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (filesize 1475584 bytes, MD5 E3BF29CED96790CDAAFA981FFDDF53A3)
O4 - Startup: HP SimpleSave Monitor.lnk = C:\Users\Matt\AppData\Roaming\HP SimpleSave Application\StartHelper.exe (filesize 477080 bytes, MD5 FB7680DC6B75024E74DC4876A184638C)
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (filesize 97680 bytes, MD5 32C26797AB646074A2BB562F9D10ADB5)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (filesize 188256 bytes, MD5 317F04A0FD73780557DD3D7FADDB169B)
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (filesize 188256 bytes, MD5 317F04A0FD73780557DD3D7FADDB169B)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (filesize 603040 bytes, MD5 79F7DB36E67B9E8365FA824AD96DF400)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll (filesize 603040 bytes, MD5 79F7DB36E67B9E8365FA824AD96DF400)
O9 - Extra button: Samsung AnyWeb Print - {328ECD19-C167-40eb-A0C7-16FE7634105E} - C:\Program Files\Samsung AnyWeb Print\W2PBrowser.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL (filesize 39464 bytes, MD5 AEF204E782BFA2C8448CB43A58960744)
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (filesize 2135336 bytes, MD5 028FF74DAFDC7BB45C956A5EC8926CEE)
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll (filesize 42864 bytes, MD5 DF07358FDA177F70DE329D627D838F95)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: BackupService - ArcSoft, Inc. - C:\Users\Matt\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exeC:\Users\Matt\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exeC:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\WildGames\Game Console - WildGames\GameConsoleService.exeC:\Program Files (x86)\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exeC:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeC:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Norton Online Backup (NOBU) - Symantec Corporation - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exeC:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exeC:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Samsung UPD Service - Unknown owner - C:\windows\System32\SUPDSvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exeC:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10746 bytes

Attached: Untitled.jpg

#11 RKinner (Malware Expert, MVP)
The unknown owner services in HJT are OK. The blank owners are the same on mine. So I think you are barking up the wrong tree there.

Ron
PS Going on a trip tomorrow. May not have Internet every night so replies may be delayed. Definitely back by Friday.
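As an added example (editor's code, not part of the thread and not HijackThis output), the script below parses the O1 (hosts) and O23 (service) lines from the log posted above and applies the triage a practitioner would. It collapses the doubled image path that HijackThis 2.0.4 prints on 64-bit Windows, treats "(file missing)" under System32 as the WoW64 redirection artifact it usually is (HijackThis is a 32-bit program and cannot see native System32 binaries that have no SysWOW64 copy), and instead flags what actually merits a look, such as a service whose image lives in a user-writable AppData folder or a hosts entry that maps a name other than localhost. The verdict strings and the rules behind them are the editor's own heuristics, not anything the tool reports.

```python
"""Triage the O1 (hosts) and O23 (service) lines of a HijackThis log.

Added example for this thread: editor's code, not HijackThis output and not
from the original posts. Sample lines are copied from the log posted above;
the verdict rules are the editor's own triage heuristics.
"""
import re

# Lines taken from the HijackThis 2.0.4 log above. Two quirks of that 32-bit
# tool on 64-bit Windows are visible: each service image path is printed twice
# back to back, and native System32 binaries with no SysWOW64 copy come back as
# "(file missing)" because WoW64 redirects the tool's file access. The hosts
# line carries the UTF-16 byte-order mark (rendered as two Latin-1 characters)
# of a hosts file that was saved as Unicode.
SAMPLE_LOG = "\n".join([
    "O1 - Hosts: \u00ff\u00fe127.0.0.1 localhost",
    "O1 - Hosts: ::1 localhost",
    r"O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)",
    r"O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe",
    r"O23 - Service: BackupService - ArcSoft, Inc. - C:\Users\Matt\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exeC:\Users\Matt\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe",
    r"O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\WildGames\Game Console - WildGames\GameConsoleService.exeC:\Program Files (x86)\WildGames\Game Console - WildGames\GameConsoleService.exe",
    r"O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)",
    r"O23 - Service: Samsung UPD Service - Unknown owner - C:\windows\System32\SUPDSvc.exe (file missing)",
])

HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<raw>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
ADDR_RE = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|[0-9a-f]*:[0-9a-f:]*)$", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|documents and settings)\\", re.I)
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)
LOOPBACK_NAMES = {"localhost"}


def undouble(path):
    """Collapse the doubled image path HijackThis 2.0.4 prints on x64."""
    half = len(path) // 2
    if len(path) % 2 == 0 and path[:half] == path[half:]:
        return path[:half]
    return path


def triage_hosts(raw):
    """Verdict for one O1 entry: flag BOM/junk prefixes and non-loopback names."""
    text = re.sub(r"^[^\x00-\x7f]+", "", raw)  # strip the rendered BOM
    has_bom = text != raw
    parts = text.split()
    if len(parts) < 2 or not ADDR_RE.match(parts[0]):
        return "REVIEW: unparsable hosts entry"
    addr, names = parts[0], parts[1:]
    foreign = [n for n in names if n.lower() not in LOOPBACK_NAMES]
    if foreign:
        return "REVIEW: hosts maps %s to %s" % (", ".join(foreign), addr)
    if has_bom:
        return "NOTE: hosts file saved as UTF-16 (BOM present); mapping itself is default"
    return "OK: default loopback mapping"


def parse_o23(line):
    """Split an O23 line into name, owner, (undoubled) path and missing flag."""
    m = O23_RE.match(line)
    if not m:
        return None
    return {
        "name": m["name"],
        "owner": m["owner"],
        "path": undouble(m["path"]),
        "missing": m["missing"] is not None,
    }


def triage_service(entry):
    """Verdict for one O23 entry. 'Unknown owner' alone is not an indicator;
    where the binary sits and whether it can be found matter more."""
    path, owner, missing = entry["path"], entry["owner"], entry["missing"]
    if USER_WRITABLE.match(path):
        return "REVIEW: service image lives in a user-writable profile directory"
    if missing and SYSTEM32.match(path):
        return "UNVERIFIED: 32-bit tool could not see System32 (WoW64 redirection); confirm with a 64-bit tool"
    if missing:
        return "REVIEW: service image not found"
    if owner == "Unknown owner":
        return "UNVERIFIED: no version info; check the file's Authenticode signature"
    return "OK: owner " + owner


def triage(log_text):
    """Return [(identifier, verdict)] for every O1/O23 line in the log."""
    results = []
    for line in log_text.splitlines():
        h = HOSTS_RE.match(line)
        if h:
            results.append((h["raw"], triage_hosts(h["raw"])))
            continue
        entry = parse_o23(line)
        if entry:
            results.append((entry["name"], triage_service(entry)))
    return results


if __name__ == "__main__":
    for ident, verdict in triage(SAMPLE_LOG):
        print("%-50s %s" % (ident[:50], verdict))
```

Run on the sample, every "Unknown owner ... (file missing)" System32 entry comes back UNVERIFIED rather than bad, which matches Ron's reading; the one entry the script singles out for review is the HP SimpleSave service running from the user's AppData folder, which is a legitimate installer habit but the kind of location a practitioner checks (signature, hash on VirusTotal) before moving on.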

#12 Matthew Davis (Topic Starter)
Well, I've got nothing, both of the log scans came up clear, as did the avast scan. I have no idea what it was that locked my task manager, presumably the Java exploit, but it looks like things are clear on my end. Thanks for the help, but it looks like I am in the clear, I guess.

#13 RKinner (Malware Expert, MVP)
Toggle System Restore Off and On to clear the old restore points:

http://forums.majorg...ead.php?t=31668

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.
then right click, Paste, then hit Enter.

OTL has a cleanup tab if you go there it will remove itself and its logs.

To hide hidden files again (OTL may do it for you):

Vista or Win7

# Open the Control Panel menu and click Folder Options.
# After the new window appears select the View tab.
# Remove the check in the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. Exception is MSN messenger which appears to be part of Windows.)


If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.


If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support, especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron

#14 Matthew Davis (Topic Starter)
Thank you for all the help. I believe that I found the problem. UNCC Moodle uses a program called Respondus Lock Down Browser. That program uses several registry changes to keep students from accessing any other resources on their computer except for the immediate browser window. If it's terminated improperly then those registry changes stay in place. I believe that is what caused the initial confusion related to my task manager being disabled. Anyway, everything is fixed now. I hope you can use this information in the future.

#15 RKinner (Malware Expert, MVP)
Thanks for the feedback.

Ron