Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

consrv.dll/ zero access viruses /win32:DNSchanger-VJ [Closed]

Started by ETFoster , Feb 29 2012 12:10 PM

  • This topic is locked This topic is locked

#31
ETFoster
Posted 08 March 2012 - 06:54 PM

ETFoster

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Avast says it is located at C:\Windows\SYSTEM32\consrv.dll and is infecting svchost.exe
  • 0

Advertisements

#32
Crag_Hack
Posted 08 March 2012 - 07:35 PM

Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
Hello ETFoster. Will we now run Combofix again to see if it can remove the remaining infection the second time around. Please do the following then give me an update as to the status of your computer. Most importantly if Avast still detects consrv.dll. Also make sure to reboot when Combofix is done.

Download and Install Combofix - you can temporarily connect to the Internet for this procedure

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
Also please make sure to take note of anything ComboFix says during the course of its run especially if related to your infection and report to me in your next post.

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks - if the update succeeds combofix will restart - if not it will continue with the current copy

    Posted Image

    Posted Image

    Posted Image
  • Answer yes to install the Recovery Console if it asks and yes to scan for malware afterwards if prompted

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
  • 0

#33
ETFoster
Posted 08 March 2012 - 11:33 PM

ETFoster

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Here is the combofix log. No avast notifications yet. A few performance issues remain such as program stalls that last for a second or so. Typically just firefox, but a few others hiccup sometimes.



ComboFix 12-03-04.02 - User 03/08/2012 23:13:32.3.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6069.4477 [GMT -6:00]
Running from: c:\users\User\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Emsisoft Anti-Malware *Disabled/Outdated* {0ADC9F7D-20C1-240F-01E2-43466EBA893A}
AV: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Emsisoft Anti-Malware *Disabled/Outdated* {B1BD7E99-06FB-2B81-3B52-7834153DC387}
SP: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\consrv.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-02-09 to 2012-03-09 )))))))))))))))))))))))))))))))
.
.
2012-03-09 05:22 . 2012-03-09 05:22 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-03-09 05:22 . 2012-03-09 05:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-09 02:23 . 2012-03-09 02:23 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-08 17:39 . 2012-03-08 17:39 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-08 17:38 . 2012-03-08 17:38 -------- d-----w- c:\windows\system32\Macromed
2012-03-05 05:46 . 2012-02-08 07:13 8643640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0F2CAD16-507A-48A6-B119-1A4E3ACBF790}\mpengine.dll
2012-03-04 03:48 . 2012-03-05 07:37 -------- d-----w- c:\program files (x86)\ERUNT
2012-03-03 15:22 . 2012-03-03 15:22 -------- d-----w- C:\_OTL
2012-02-28 00:57 . 2012-02-28 00:57 -------- d-----w- c:\program files\ATI Technologies
2012-02-28 00:56 . 2012-03-04 05:03 -------- d-----w- C:\AMD
2012-02-27 21:34 . 2012-03-04 05:06 -------- d-----w- c:\program files (x86)\Battlelog Web Plugins
2012-02-27 21:29 . 2012-02-27 21:43 -------- d-----w- c:\programdata\EA Logs
2012-02-27 20:20 . 2012-02-27 20:48 -------- d-----w- c:\users\User\AppData\Roaming\Origin
2012-02-27 20:20 . 2012-02-27 20:20 -------- d-----w- c:\users\User\AppData\Local\Origin
2012-02-27 20:18 . 2012-02-27 20:18 -------- d-----w- c:\program files (x86)\Origin Games
2012-02-27 20:14 . 2012-02-27 20:22 -------- d-----w- c:\program files (x86)\Origin
2012-02-23 04:56 . 2012-02-23 04:56 -------- d-----w- c:\program files (x86)\Remedy Entertainment
2012-02-21 00:08 . 2012-03-04 05:03 -------- d--h--w- c:\program files (x86)\Common Files\EAInstaller
2012-02-20 23:29 . 2012-02-20 23:29 -------- d-----w- c:\program files (x86)\Battlefield3
2012-02-16 20:09 . 2012-03-09 01:37 -------- d-----w- c:\program files (x86)\Steam
2012-02-15 16:21 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-15 16:21 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-02-15 16:21 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-02-15 16:21 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-02-15 16:21 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 16:21 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-15 16:21 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 16:21 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2012-02-11 00:55 . 2012-02-11 00:55 -------- d-----w- C:\found.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-27 21:10 . 2010-11-07 00:31 189248 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-02-27 21:10 . 2010-11-07 00:31 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2012-02-23 10:43 . 2011-03-06 05:51 45056 ----a-w- c:\windows\system32\acovcnt.exe
2012-01-29 11:10 . 2011-11-11 21:53 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-04 18:52 . 2012-01-04 18:52 279616 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-12-10 21:24 . 2011-11-10 23:27 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-05_19.57.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 05:10 . 2012-03-09 04:00 35670 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-10-01 12:00 . 2012-03-09 04:00 14558 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3616840139-1723339709-2196021708-1000_UserData.bin
- 2010-09-06 20:07 . 2012-03-05 19:57 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-06 20:07 . 2012-03-09 03:58 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-09-06 20:07 . 2012-03-09 03:58 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-09-06 20:07 . 2012-03-05 19:57 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-05 19:57 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-09 03:58 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-03-05 19:56 . 2012-03-05 19:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-09 02:41 . 2012-03-09 03:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-05 19:56 . 2012-03-05 19:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-09 02:41 . 2012-03-09 03:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-08 17:39 . 2012-03-08 17:39 250528 c:\windows\SysWOW64\Macromed\Flash\FlashUtil11g_Plugin.exe
- 2009-07-14 04:54 . 2012-03-05 19:56 409600 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-03-09 03:56 409600 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-10-01 11:30 . 2012-03-08 23:41 431664 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2012-02-18 19:07 639768 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-09 04:08 639768 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-09 04:08 111824 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-02-18 19:07 111824 c:\windows\system32\perfc009.dat
+ 2012-03-08 17:39 . 2012-03-08 17:39 465568 c:\windows\system32\Macromed\Flash\FlashUtil64_11_1_102_Plugin.exe
+ 2011-11-10 21:20 . 2012-03-09 02:40 636120 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-11-10 21:20 . 2012-03-05 19:55 636120 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-07-14 05:01 . 2012-03-09 02:40 486480 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-03-05 19:55 486480 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-18 03:21 . 2012-03-08 17:39 8527520 c:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
+ 2009-07-14 04:54 . 2012-03-09 03:56 3620864 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-05 19:56 3620864 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-05 19:56 8634368 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-09 03:56 8634368 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-12-20 19:30 . 2012-03-05 19:55 3191686 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3616840139-1723339709-2196021708-1000-12288.dat
+ 2010-12-20 19:30 . 2012-03-09 02:40 3191686 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3616840139-1723339709-2196021708-1000-12288.dat
+ 2012-03-08 17:39 . 2012-03-08 17:39 11350176 c:\windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files (x86)\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\Vuze_Remote\prxtbVuz2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files (x86)\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeBridge"="" [BU]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-12-17 98304]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2010-06-25 6806144]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2010-05-03 170624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"VolPanel"="c:\program files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe" [2008-12-29 237693]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"DeleteEngineAfterUpdate"="reg DELETE HKCU\Software\AppDataLow\Software\ConduitEngine" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\MRI_DISABLED
FancyStart daemon.lnk - c:\windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_C4A2FC3E3722966204FDD8.exe [2011-4-23 12862]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-6-24 9216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wireless Console 3]
2010-04-26 16:37 1597440 ----a-w- c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe
.
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2011-05-19 23208]
S1 a2injectiondriver;a2injectiondriver;c:\program files (x86)\Emsisoft Anti-Malware\a2dix64.sys [2011-11-02 41728]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files (x86)\Emsisoft Anti-Malware\a2util64.sys [2010-05-05 14720]
S2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files (x86)\Emsisoft Anti-Malware\a2service.exe [2011-12-09 2996272]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]
S3 a2acc;a2acc;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [2011-11-02 63880]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-19 16:04]
.
2012-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-19 16:04]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2010-05-03 324096]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RunDLLEntry"="c:\windows\system32\RunDLL32.exe" [2009-07-14 45568]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
aic78xx
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://mercury.hend...endrix.edu/OWA/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files (x86)\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files (x86)\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3m7wbqsg.default\
FF - prefs.js: browser.startup.homepage - hxxps://mercury.hendrix.edu/owa/auth/logon.aspx?replaceCurrent=1&reason=2&url=https%3a%2f%2fmercury.hendrix.edu%2fOWA%2f
FF - prefs.js: network.proxy.ftp - 207.36.231.28
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.http - 207.36.231.28
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - 207.36.231.28
FF - prefs.js: network.proxy.socks_port - 80
FF - prefs.js: network.proxy.ssl - 207.36.231.28
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-combofix - c:\combofix\CF4227.3XE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{21FA44EF-376D-4D53-9B0F-8A89D3229068}"=hex:51,66,7a,6c,4c,1d,38,12,81,47,e9,
25,5f,79,3d,08,e4,19,c9,c9,d6,7c,d4,7c
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"=hex:51,66,7a,6c,4c,1d,38,12,f0,31,07,
be,62,db,e7,0c,cc,e4,d4,72,ec,73,53,d8
"{30F9B915-B755-4826-820B-08FBA6BD249D}"=hex:51,66,7a,6c,4c,1d,38,12,7b,ba,ea,
34,67,f9,48,0d,fd,1d,4b,bb,a3,e3,60,89
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}"=hex:51,66,7a,6c,4c,1d,38,12,68,40,25,
2b,77,e4,db,02,e0,8b,7a,e8,bc,10,3a,e3
"{6EBF7485-159F-4BFF-A14F-B9E3AAC4465B}"=hex:51,66,7a,6c,4c,1d,38,12,eb,77,ac,
6a,ad,5b,91,0e,de,59,fa,a3,af,9a,02,4f
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,
aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}"=hex:51,66,7a,6c,4c,1d,38,12,ae,8e,49,
e5,24,cb,cf,07,fe,fc,9f,d4,e9,44,8b,04
"{F156768E-81EF-470C-9057-481BA8380DBA}"=hex:51,66,7a,6c,4c,1d,38,12,e0,75,45,
f5,dd,cf,62,02,ef,41,0b,5b,ad,66,49,ae
"{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"=hex:51,66,7a,6c,4c,1d,38,12,70,05,61,
f9,ec,d1,23,0d,da,9c,48,eb,44,0f,8e,cc
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:d8,c9,03,c8,f0,7e,cc,01
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-08 23:25:30
ComboFix-quarantined-files.txt 2012-03-09 05:25
ComboFix2.txt 2012-03-05 20:15
ComboFix3.txt 2011-12-10 23:11
.
Pre-Run: 193,470,570,496 bytes free
Post-Run: 193,178,525,696 bytes free
.
- - End Of File - - 41B89465C96FEB665BEAD74717EA3CEF
  • 0

#34
Crag_Hack
Posted 09 March 2012 - 12:20 AM

Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
Hello ETFoster. It looks like we might have succeeded this time around. Let's run another OTL scan and aswMBR to make sure things are clean. Also it looks like the proxy server settings are still present in Firefox. Are you sure you got rid of them? Please do the following:

Step 1

  • Run OTL
  • Click the Quick Scan button. Post the log it produces in your next reply.

Step 2

  • Double click the aswMBR.exe to run it
  • It will ask you if you want to download the latest Avast! virus definitions, answer no

    Posted Image
  • Click the Scan button to start scan

    Posted Image
  • On completion of the scan click Save log, save it to your desktop and post in your next reply

Things to see in your next log:
OTL quick scan log
aswMBR log
  • 0

#35
ETFoster
Posted 09 March 2012 - 11:47 AM

ETFoster

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Here are the logs, I thought I should tell you I am not using a proxy, firefox says there isn't one but on the OTL logs is shows some. I don't know what is going on with that, makes me kinda paranoid someone is watching what I do all the time.


OTL logfile created on: 3/9/2012 10:51:51 AM - Run 2
OTL by OldTimer - Version 3.2.35.1 Folder = C:\Users\User\Downloads
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.93 Gb Total Physical Memory | 3.79 Gb Available Physical Memory | 63.96% Memory free
11.85 Gb Paging File | 9.42 Gb Available in Paging File | 79.47% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 576.64 Gb Total Space | 180.12 Gb Free Space | 31.24% Space Free | Partition Type: NTFS

Computer Name: USER-PC | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/07 18:00:48 | 000,584,704 | ---- | M] (OldTimer Tools) -- C:\Users\User\Downloads\OTL.exe
PRC - [2012/02/27 15:23:07 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2012/02/27 15:10:33 | 000,189,248 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrB.exe
PRC - [2012/02/27 15:10:18 | 000,075,136 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/01/13 14:53:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/12/09 07:24:55 | 002,996,272 | ---- | M] (Emsi Software GmbH) -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
PRC - [2011/11/28 12:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/11/28 12:01:23 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2011/10/13 17:21:52 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
PRC - [2010/09/06 14:40:10 | 003,058,304 | ---- | M] (ASUS) -- C:\Windows\AsScrPro.exe
PRC - [2010/06/24 18:50:50 | 006,806,144 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
PRC - [2010/05/17 10:06:10 | 001,079,936 | ---- | M] (asus) -- C:\Program Files (x86)\ASUS\ControlDeck\ControlDeck.exe
PRC - [2010/05/03 15:45:50 | 000,182,912 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
PRC - [2010/05/03 15:41:46 | 000,170,624 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
PRC - [2010/03/06 04:04:24 | 000,310,224 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
PRC - [2009/12/15 11:39:38 | 000,096,896 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
PRC - [2009/11/02 15:21:26 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
PRC - [2009/09/30 20:34:22 | 002,314,240 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
PRC - [2009/09/30 20:33:08 | 000,262,144 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
PRC - [2009/07/31 09:38:24 | 000,305,720 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
PRC - [2009/06/19 11:29:42 | 000,105,016 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
PRC - [2009/06/19 11:29:26 | 002,488,888 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
PRC - [2009/06/15 18:30:42 | 000,084,536 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
PRC - [2008/12/29 17:32:54 | 000,237,693 | ---- | M] (Creative Technology Ltd) -- C:\Program Files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe
PRC - [2008/12/22 18:15:34 | 000,174,648 | ---- | M] (ASUS) -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe


========== Modules (No Company Name) ==========

MOD - [2012/03/08 11:39:26 | 008,527,520 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
MOD - [2012/02/27 15:23:07 | 001,911,768 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2012/02/23 22:16:06 | 001,051,136 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\cb5bd98ffa4c82327b0e4db02bb58d2d\System.Management.ni.dll
MOD - [2012/02/22 21:19:04 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\74fcc0f56435d0396f9524cd4293d3e5\PresentationFramework.Aero.ni.dll
MOD - [2012/02/22 21:18:26 | 014,339,072 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\02f7846cbc5c02a5dbf50fd34325eb61\PresentationFramework.ni.dll
MOD - [2012/02/22 21:18:11 | 012,433,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6c51e152e7404188914c9fa4d8503ff9\System.Windows.Forms.ni.dll
MOD - [2012/02/22 21:18:04 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\ab87129c2b603f218e4aa5300c9b1bdd\System.Drawing.ni.dll
MOD - [2012/02/22 21:18:01 | 012,234,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\f4b2424c1b32fbd11130482bb899b7ae\PresentationCore.ni.dll
MOD - [2012/02/22 21:17:49 | 003,347,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\47b9e7f070271ff50f988f75ea68fa3e\WindowsBase.ni.dll
MOD - [2012/02/22 21:17:40 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\9866d1f6178e1cde25642f1ac293ff8d\System.Xml.ni.dll
MOD - [2012/02/22 21:17:36 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\e620323cacb5b6bfd93fd28d263440e4\System.Configuration.ni.dll
MOD - [2012/02/22 21:17:33 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\faf4e8730ecbd07570111bb7c3b20565\System.ni.dll
MOD - [2012/01/22 15:59:56 | 000,071,680 | ---- | M] () -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3m7wbqsg.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\gecko10\WINNT_x86-msvc\SSSLauncher.dll
MOD - [2011/10/17 15:50:04 | 011,490,304 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll
MOD - [2010/08/09 23:01:06 | 000,067,872 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2010/02/23 14:14:22 | 000,071,680 | ---- | M] () -- C:\Program Files (x86)\ASUS\ControlDeck\Brightness.dll
MOD - [2010/02/23 14:14:10 | 000,050,688 | ---- | M] () -- C:\Program Files (x86)\ASUS\ControlDeck\P4GControl.dll
MOD - [2010/02/23 14:12:22 | 000,186,880 | ---- | M] () -- C:\Program Files (x86)\ASUS\ControlDeck\Resolution.dll
MOD - [2010/02/23 14:11:46 | 000,076,288 | ---- | M] () -- C:\Program Files (x86)\ASUS\ControlDeck\Volume.dll
MOD - [2009/11/02 15:23:36 | 000,013,096 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvcPS.dll
MOD - [2009/11/02 15:20:10 | 000,619,816 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Power2Go\CLMediaLibrary.dll
MOD - [2009/03/26 15:46:42 | 000,148,480 | ---- | M] () -- C:\Windows\SysWOW64\APOMngr.DLL
MOD - [2009/02/06 19:52:24 | 000,073,728 | ---- | M] () -- C:\Windows\SysWOW64\CmdRtr.DLL


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/11/28 12:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2010/06/07 16:39:40 | 000,911,872 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe -- (WiMAXAppSrv)
SRV:64bit: - [2010/06/07 16:34:20 | 000,408,576 | ---- | M] (Red Bend Ltd.) [Auto | Running] -- C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe -- (DMAgent)
SRV:64bit: - [2009/12/17 03:18:07 | 000,202,752 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009/12/07 17:16:34 | 000,379,520 | ---- | M] (ASUSTeK Computer Inc.) [Auto | Running] -- C:\Windows\SysNative\FBAgent.exe -- (AFBAgent)
SRV:64bit: - [2009/08/06 15:17:46 | 000,118,672 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\TurboBoost\TurboBoost.exe -- (TurboBoost)
SRV:64bit: - [2009/07/13 19:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/02/27 15:10:33 | 000,189,248 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrB.exe -- (PnkBstrB)
SRV - [2012/02/27 15:10:18 | 000,075,136 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/12/09 07:24:55 | 002,996,272 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe -- (a2AntiMalware)
SRV - [2011/10/21 15:23:42 | 000,196,176 | ---- | M] (Microsoft Corporation.) [Auto | Stopped] -- C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/10/13 17:21:52 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate)
SRV - [2011/03/16 10:42:06 | 000,407,336 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/10/01 09:01:45 | 003,066,528 | ---- | M] (Webroot Software, Inc. ) [Auto | Stopped] -- C:\Program Files (x86)\Webroot\Security\Current\Framework\WRConsumerService.exe -- (WRConsumerService)
SRV - [2010/09/22 12:41:50 | 003,872,776 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Stopped] -- C:\Program Files (x86)\Webroot\Security\current\plugins\antimalware\AEI.exe -- (WebrootSpySweeperService)
SRV - [2010/09/06 14:36:27 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe -- (Creative ALchemy AL6 Licensing Service)
SRV - [2010/09/06 14:36:23 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009/12/15 11:39:38 | 000,096,896 | ---- | M] (ASUS) [Auto | Running] -- C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe -- (ATKGFNEXSrv)
SRV - [2009/09/30 20:34:22 | 002,314,240 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS) Intel®
SRV - [2009/09/30 20:33:08 | 000,262,144 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS) Intel®
SRV - [2009/06/15 18:30:42 | 000,084,536 | ---- | M] (ASUS) [Auto | Running] -- C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe -- (ASLDRService)
SRV - [2009/06/10 15:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/01/04 12:52:22 | 000,279,616 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV:64bit: - [2011/12/10 15:24:08 | 000,023,152 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2011/11/28 11:54:06 | 000,591,192 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2011/11/28 11:53:58 | 000,304,472 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2011/11/28 11:52:22 | 000,042,328 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr.sys -- (aswRdr)
DRV:64bit: - [2011/11/28 11:52:20 | 000,058,712 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2011/11/28 11:52:11 | 000,066,904 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2011/11/28 11:51:53 | 000,024,408 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2011/03/11 00:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 00:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 07:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 05:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/10/03 04:01:00 | 000,314,016 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\atksgt.sys -- (atksgt)
DRV:64bit: - [2010/10/03 04:01:00 | 000,043,680 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\lirsgt.sys -- (lirsgt)
DRV:64bit: - [2010/06/23 20:05:31 | 007,689,216 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETw5s64.sys -- (NETw5s64) Intel®
DRV:64bit: - [2010/06/17 13:49:12 | 000,136,224 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\ssidrv.sys -- (ssidrv)
DRV:64bit: - [2010/06/17 13:49:10 | 000,055,360 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\ssfmonm.sys -- (ssfmonm)
DRV:64bit: - [2010/05/16 18:28:38 | 000,175,104 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\bpmp.sys -- (bpmp) Intel® Centrino®
DRV:64bit: - [2010/05/16 18:28:30 | 000,081,920 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\bpusb.sys -- (bpusb)
DRV:64bit: - [2010/05/16 18:28:28 | 000,071,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\bpenum.sys -- (bpenum)
DRV:64bit: - [2010/03/04 21:19:45 | 000,316,464 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2009/12/17 03:52:59 | 006,177,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2009/11/18 04:30:55 | 000,123,408 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV:64bit: - [2009/09/17 13:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64) Intel®
DRV:64bit: - [2009/08/06 15:24:13 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/08/06 15:17:34 | 000,013,784 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\TurboB.sys -- (TurboB)
DRV:64bit: - [2009/07/20 03:29:39 | 000,015,416 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\kbfiltr.sys -- (kbfiltr)
DRV:64bit: - [2009/07/13 19:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 19:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 19:47:48 | 000,023,104 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2009/07/13 19:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/19 20:09:57 | 001,394,688 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2009/06/10 14:35:57 | 000,056,832 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SiSG664.sys -- (SiSGbeLH)
DRV:64bit: - [2009/06/10 14:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 14:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 14:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 14:34:18 | 000,057,344 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C) NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20)
DRV:64bit: - [2009/06/10 14:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/06/05 04:16:29 | 001,806,400 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\snp2uvc.sys -- (SNP2UVC) USB2.0 PC Camera (SNP2UVC)
DRV:64bit: - [2009/05/18 12:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/05/13 10:07:20 | 000,015,928 | ---- | M] (ASUS) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ATK64AMD.sys -- (MTsensor)
DRV:64bit: - [2008/12/08 18:35:52 | 000,061,792 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2008/05/23 18:27:28 | 000,154,168 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
DRV - [2011/11/02 10:13:26 | 000,041,728 | ---- | M] (Emsi Software GmbH) [File_System | System | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys -- (a2injectiondriver)
DRV - [2011/11/02 10:13:12 | 000,063,880 | ---- | M] (Emsi Software GmbH) [File_System | On_Demand | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys -- (a2acc)
DRV - [2011/10/07 18:33:10 | 000,019,952 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner64.sys -- (RivaTuner64)
DRV - [2011/05/19 13:10:34 | 000,023,208 | ---- | M] (Emsi Software GmbH) [Kernel | System | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys -- (A2DDA)
DRV - [2011/03/18 10:08:56 | 000,029,592 | ---- | M] (Almico Software) [Kernel | Boot | Running] -- C:\Windows\SysWOW64\speedfan.sys -- (speedfan)
DRV - [2010/05/05 08:40:54 | 000,014,720 | ---- | M] (Emsi Software GmbH) [Kernel | System | Running] -- C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys -- (a2util)
DRV - [2009/07/13 19:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/02 18:36:14 | 000,015,416 | ---- | M] (ASUS) [Kernel | Auto | Running] -- C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys -- (ASMMAP64)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://mercury.hend...endrix.edu/OWA/
IE - HKCU\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "https://mercury.hend...ndrix.edu/OWA/"
FF - prefs.js..extensions.enabledItems: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}:4.0
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.6
FF - prefs.js..extensions.enabledItems: [email protected]:0.9
FF - prefs.js..extensions.enabledItems: [email protected]:1.2
FF - prefs.js..extensions.enabledItems: screencaptureelite@plugin:1.0.0.12
FF - prefs.js..extensions.enabledItems: {394DCBA4-1F92-4f8e-8EC9-8D2CB90CB69B}:1.1.4
FF - prefs.js..extensions.enabledItems: [email protected]:0.6.8
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {ba14329e-9550-4989-b3f2-9732e92d17cc}:2.7.2.0
FF - prefs.js..extensions.enabledItems: flvripper@harsha:1.9.9
FF - prefs.js..extensions.enabledItems: [email protected]:2.8
FF - prefs.js..extensions.enabledItems: [email protected]:1.2
FF - prefs.js..extensions.enabledItems: [email protected]:3.11.3.15590
FF - prefs.js..extensions.enabledItems: [email protected]:1.10.01
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..network.proxy.backup.ftp: "58.246.200.114"
FF - prefs.js..network.proxy.backup.ftp_port: 80
FF - prefs.js..network.proxy.backup.socks: "58.246.200.114"
FF - prefs.js..network.proxy.backup.socks_port: 80
FF - prefs.js..network.proxy.backup.ssl: "58.246.200.114"
FF - prefs.js..network.proxy.backup.ssl_port: 80
FF - prefs.js..network.proxy.ftp: "207.36.231.28"
FF - prefs.js..network.proxy.ftp_port: 80
FF - prefs.js..network.proxy.http: "207.36.231.28"
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "207.36.231.28"
FF - prefs.js..network.proxy.socks_port: 80
FF - prefs.js..network.proxy.ssl: "207.36.231.28"
FF - prefs.js..network.proxy.ssl_port: 80
FF - prefs.js..network.proxy.type: 0

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_1_102.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/11/30 18:25:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/03/03 23:06:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/11/11 10:36:42 | 000,000,000 | ---D | M]

[2010/12/03 19:52:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\mozilla\Extensions
[2010/12/03 19:52:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\mozilla\Extensions\[email protected]
[2012/03/03 23:04:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\3m7wbqsg.default\extensions
[2012/01/27 12:24:59 | 000,000,000 | ---D | M] (Screenshot Pimp) -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\3m7wbqsg.default\extensions\{056d0610-e44d-11df-bccf-0800200c9a66}
[2012/01/31 19:16:17 | 000,000,000 | ---D | M] (FireShot) -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\3m7wbqsg.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
[2012/01/30 10:17:10 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\3m7wbqsg.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2012/01/30 10:17:10 | 000,000,000 | ---D | M] (Bazzacuda Image Saver Plus) -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\3m7wbqsg.default\extensions\{FF2FA6A4-B3B1-11DD-B910-6C9A55D89593}
[2012/01/04 11:57:13 | 000,000,000 | ---D | M] (Screen Capture Elite) -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\3m7wbqsg.default\extensions\screencaptureelite@plugin
[2012/03/03 23:06:32 | 000,000,000 | ---D | M] (Download Youtube Videos +) -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\3m7wbqsg.default\extensions\[email protected]
[2012/02/15 18:03:18 | 000,002,418 | ---- | M] () -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3m7wbqsg.default\searchplugins\s-amazon-byskipity.xml
[2012/01/29 20:20:44 | 000,002,281 | ---- | M] () -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3m7wbqsg.default\searchplugins\s-amazon.xml
[2012/01/29 20:18:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/11/11 10:36:42 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
() (No name found) -- C:\USERS\USER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3M7WBQSG.DEFAULT\EXTENSIONS\{19503E42-CA3C-4C27-B1E2-9CDB2170EE34}.XPI
() (No name found) -- C:\USERS\USER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3M7WBQSG.DEFAULT\EXTENSIONS\{62B958B4-9962-4FC2-9983-01A9A42D6F2D}.XPI
() (No name found) -- C:\USERS\USER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3M7WBQSG.DEFAULT\EXTENSIONS\{C0C9A2C7-2E5C-4447-BC53-97718BC91E1B}.XPI
() (No name found) -- C:\USERS\USER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3M7WBQSG.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
() (No name found) -- C:\USERS\USER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3M7WBQSG.DEFAULT\EXTENSIONS\[email protected]
() (No name found) -- C:\USERS\USER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3M7WBQSG.DEFAULT\EXTENSIONS\[email protected]
() (No name found) -- C:\USERS\USER\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3M7WBQSG.DEFAULT\EXTENSIONS\[email protected]
[2012/02/27 15:23:08 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/02/02 20:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2012/02/27 15:23:04 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/02/27 15:23:04 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - Extension: avast! WebRep = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\6.0.1289_0\
CHR - Extension: Skype Click to Call = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8442_0\

O1 HOSTS File: ([2012/03/08 20:43:01 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2:64bit: - BHO: (Windows Live Family Safety Browser Helper Class) - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll (Microsoft Corporation)
O2 - BHO: (FGCatchUrl) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files (x86)\FlashGet\jccatch.dll (www.flashget.com)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (FlashGet GetFlash Class) - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files (x86)\FlashGet\getflash.dll (www.flashget.com)
O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Vuze Remote Toolbar) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files (x86)\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe (Alcor Micro Corp.)
O4:64bit: - HKLM..\Run: [RunDLLEntry] C:\Windows\SysNative\AmbRunE.DLL (Creative Technology Ltd.)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe (ASUS)
O4 - HKLM..\Run: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe (ASUS)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe (ASUS)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdReg] C:\Windows\UpdReg.EXE (Creative Technology Ltd.)
O4 - HKLM..\Run: [VolPanel] C:\Program Files (x86)\Creative\SB Audigy\Volume Panel\VolPanlu.exe (Creative Technology Ltd)
O4 - HKCU..\Run: [AdobeBridge] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8:64bit: - Extra context menu item: &Download All with FlashGet - C:\Program Files (x86)\FlashGet\JC_ALL.HTM ()
O8:64bit: - Extra context menu item: &Download with FlashGet - C:\Program Files (x86)\FlashGet\JC_LINK.HTM ()
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files (x86)\FlashGet\JC_ALL.HTM ()
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files (x86)\FlashGet\JC_LINK.HTM ()
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files (x86)\FlashGet\flashget.exe (FlashGet.com)
O9 - Extra 'Tools' menuitem : FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files (x86)\FlashGet\flashget.exe (FlashGet.com)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - mmswsock.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.14.1.1 10.14.1.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0C955B5C-3A61-4740-AAB6-F5A918D4C247}: DhcpNameServer = 10.14.1.1 10.14.1.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3EA7F630-95C0-4461-BBFD-0F5CB0221D31}: DhcpNameServer = 10.14.1.1 10.14.1.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D5FC1BD8-A104-4674-840C-0743DDB249FA}: DhcpNameServer = 10.14.1.1 10.14.1.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F0356013-A75E-4D49-8003-544CF90B3A9E}: DhcpNameServer = 10.14.1.1 10.14.1.2
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/08 23:25:33 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/03/08 11:38:55 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
[2012/03/07 17:08:24 | 004,730,880 | ---- | C] (AVAST Software) -- C:\Users\User\Desktop\aswMBR.exe
[2012/03/05 13:43:17 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/03/05 13:43:17 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/03/05 13:43:17 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/03/05 10:08:19 | 004,427,148 | R--- | C] (Swearware) -- C:\Users\User\Desktop\ComboFix.exe
[2012/03/03 21:48:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
[2012/03/03 09:22:55 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/02/27 21:49:42 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2012/02/27 21:20:38 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\Battlefield 3
[2012/02/27 18:57:36 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Technologies
[2012/02/27 18:56:26 | 000,000,000 | ---D | C] -- C:\AMD
[2012/02/27 15:34:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Battlelog Web Plugins
[2012/02/27 15:29:49 | 000,000,000 | ---D | C] -- C:\ProgramData\EA Logs
[2012/02/27 15:11:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Battlefield 3
[2012/02/27 14:20:11 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Origin
[2012/02/27 14:20:08 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\Origin
[2012/02/27 14:19:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Origin
[2012/02/27 14:18:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Origin Games
[2012/02/27 14:14:59 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Origin
[2012/02/27 12:37:44 | 000,000,000 | ---D | C] -- C:\Users\User\Desktop\Battlefield 3
[2012/02/22 23:19:45 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\Remedy
[2012/02/22 23:13:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Remedy Entertainment
[2012/02/22 22:56:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Remedy Entertainment
[2012/02/20 18:08:42 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\Common Files\EAInstaller
[2012/02/20 17:29:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Battlefield3
[2012/02/16 18:11:59 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
[2012/02/16 14:09:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam
[2012/02/16 14:09:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Steam
[2012/02/10 18:55:31 | 000,000,000 | ---D | C] -- C:\found.000
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/09 10:51:05 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/09 10:51:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/03/08 22:08:10 | 000,747,484 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/03/08 22:08:10 | 000,639,768 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/03/08 22:08:10 | 000,111,824 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/03/08 22:05:57 | 000,010,240 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/03/08 22:05:57 | 000,010,240 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/03/08 22:01:56 | 001,008,141 | ---- | M] () -- C:\Users\User\Desktop\rkill.exe
[2012/03/08 21:58:07 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/08 21:56:01 | 477,532,159 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/08 20:43:01 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/03/08 20:23:07 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_trash_log.cmd
[2012/03/08 17:14:01 | 000,838,070 | ---- | M] () -- C:\Users\User\Documents\20.pdf
[2012/03/08 17:13:42 | 000,792,418 | ---- | M] () -- C:\Users\User\Documents\19.pdf
[2012/03/08 17:13:31 | 000,610,745 | ---- | M] () -- C:\Users\User\Documents\18.pdf
[2012/03/08 17:12:27 | 000,748,028 | ---- | M] () -- C:\Users\User\Documents\Day13Poverty1.pdf
[2012/03/08 17:12:07 | 001,359,038 | ---- | M] () -- C:\Users\User\Documents\Day14Poverty1.pdf
[2012/03/08 17:11:19 | 000,811,285 | ---- | M] () -- C:\Users\User\Documents\Day15PovertyOnline.pdf
[2012/03/08 17:11:07 | 000,743,848 | ---- | M] () -- C:\Users\User\Documents\Day161Poverty.pdf
[2012/03/08 17:10:55 | 000,405,009 | ---- | M] () -- C:\Users\User\Documents\Day17Poverty.pdf
[2012/03/08 17:10:42 | 000,735,517 | ---- | M] () -- C:\Users\User\Documents\Lecture21.pdf
[2012/03/07 17:59:15 | 000,000,512 | ---- | M] () -- C:\Users\User\Desktop\MBR.dat
[2012/03/07 17:08:34 | 004,730,880 | ---- | M] (AVAST Software) -- C:\Users\User\Desktop\aswMBR.exe
[2012/03/05 17:28:13 | 000,462,406 | ---- | M] () -- C:\Users\User\Documents\Mini_Soul_Scope-190315.pdf
[2012/03/05 10:08:24 | 004,427,148 | R--- | M] (Swearware) -- C:\Users\User\Desktop\ComboFix.exe
[2012/03/04 23:19:12 | 000,049,842 | ---- | M] () -- C:\Users\User\Desktop\www.geekstogo.com screen capture 2012-3-4-23-19-11.png
[2012/03/04 21:03:45 | 000,007,598 | ---- | M] () -- C:\Users\User\AppData\Local\Resmon.ResmonCfg
[2012/03/04 16:12:27 | 001,454,552 | ---- | M] () -- C:\Users\User\Documents\resource curse in africa.pdf
[2012/03/04 16:10:43 | 000,197,602 | ---- | M] () -- C:\Users\User\Documents\neocolonialism and neoliberalism in south africa and zambia.pdf
[2012/03/04 16:05:59 | 000,030,523 | ---- | M] () -- C:\Users\User\Documents\projectcensored.org-19_American_Companies_Exploit_the_Congo.pdf
[2012/03/04 15:48:04 | 000,185,032 | ---- | M] () -- C:\Users\User\Documents\_data_Revista_No_70_ColombiaInternacional70-03-Analisis-Basedau_Wegenast.pdf
[2012/03/04 15:47:51 | 000,108,866 | ---- | M] () -- C:\Users\User\Documents\ENVIRONMENTAL INJUSTICE AND HUMAN RIGHTS ABUSE.pdf
[2012/03/04 15:47:07 | 000,112,622 | ---- | M] () -- C:\Users\User\Documents\impact of globilization on african continents.pdf
[2012/03/04 12:18:30 | 004,256,620 | ---- | M] () -- C:\Users\User\Documents\somalia.pdf
[2012/02/29 17:12:53 | 010,122,625 | ---- | M] () -- C:\Users\User\Documents\southern-exposure-catalog-2012-web.pdf
[2012/02/27 15:23:14 | 000,002,050 | ---- | M] () -- C:\Users\User\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/02/27 15:11:04 | 000,001,197 | ---- | M] () -- C:\Users\Public\Desktop\Battlefield 3.lnk
[2012/02/27 15:10:33 | 000,189,248 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2012/02/27 15:10:18 | 000,075,136 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2012/02/27 14:22:24 | 000,000,985 | ---- | M] () -- C:\Users\Public\Desktop\Origin.lnk
[2012/02/23 04:43:49 | 000,045,056 | ---- | M] () -- C:\Windows\SysNative\acovcnt.exe
[2012/02/22 23:13:10 | 000,002,157 | ---- | M] () -- C:\Users\Public\Desktop\Alan Wake.lnk
[2012/02/22 21:09:55 | 004,988,816 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/02/18 17:26:30 | 000,104,107 | ---- | M] () -- C:\Users\User\Documents\Grad_School_Guide_update_ 2008.pdf
[2012/02/16 22:35:53 | 000,000,132 | ---- | M] () -- C:\Users\User\AppData\Roaming\Adobe PNG Format CS5 Prefs
[2012/02/16 18:11:59 | 000,000,219 | ---- | M] () -- C:\Users\User\Desktop\Team Fortress 2.url
[2012/02/16 14:09:21 | 000,000,919 | ---- | M] () -- C:\Users\Public\Desktop\Steam.lnk
[2012/02/14 22:23:21 | 000,726,047 | ---- | M] () -- C:\Users\User\Documents\Day12Poverty1.pdf
[2012/02/09 16:06:09 | 000,959,385 | ---- | M] () -- C:\Users\User\Documents\Day7PovertyOnlineVersion.pdf
[2012/02/09 16:05:52 | 000,780,459 | ---- | M] () -- C:\Users\User\Documents\Day8PovertyOnline.pdf
[2012/02/09 16:05:16 | 000,893,329 | ---- | M] () -- C:\Users\User\Documents\DAY9POVERTY.pdf
[2012/02/09 16:04:32 | 001,202,523 | ---- | M] () -- C:\Users\User\Documents\DayFivePoverty2Online.pdf
[2012/02/09 16:04:20 | 000,459,285 | ---- | M] () -- C:\Users\User\Documents\DayFourPovertyOnline2.pdf
[2012/02/09 16:04:07 | 000,930,098 | ---- | M] () -- C:\Users\User\Documents\DayOnePovertyOnline.pdf
[2012/02/09 16:03:50 | 000,517,094 | ---- | M] () -- C:\Users\User\Documents\Day6PovertyOnline.pdf
[2012/02/09 16:03:33 | 000,645,983 | ---- | M] () -- C:\Users\User\Documents\DayThreePoverty1Online.pdf
[2012/02/09 16:03:15 | 000,497,362 | ---- | M] () -- C:\Users\User\Documents\DayTwoPovertyOnlineVersion.pdf
[2012/02/09 16:03:01 | 000,758,829 | ---- | M] () -- C:\Users\User\Documents\Day10Poverty-Exam1Overview.pdf
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/08 22:05:34 | 001,008,141 | ---- | C] () -- C:\Users\User\Desktop\rkill.exe
[2012/03/08 20:23:07 | 000,000,000 | -HS- | C] () -- C:\Windows\SysNative\dds_trash_log.cmd
[2012/03/08 17:14:00 | 000,838,070 | ---- | C] () -- C:\Users\User\Documents\20.pdf
[2012/03/08 17:13:42 | 000,792,418 | ---- | C] () -- C:\Users\User\Documents\19.pdf
[2012/03/08 17:13:31 | 000,610,745 | ---- | C] () -- C:\Users\User\Documents\18.pdf
[2012/03/08 17:12:27 | 000,748,028 | ---- | C] () -- C:\Users\User\Documents\Day13Poverty1.pdf
[2012/03/08 17:12:06 | 001,359,038 | ---- | C] () -- C:\Users\User\Documents\Day14Poverty1.pdf
[2012/03/08 17:11:19 | 000,811,285 | ---- | C] () -- C:\Users\User\Documents\Day15PovertyOnline.pdf
[2012/03/08 17:11:07 | 000,743,848 | ---- | C] () -- C:\Users\User\Documents\Day161Poverty.pdf
[2012/03/08 17:10:54 | 000,405,009 | ---- | C] () -- C:\Users\User\Documents\Day17Poverty.pdf
[2012/03/08 17:10:42 | 000,735,517 | ---- | C] () -- C:\Users\User\Documents\Lecture21.pdf
[2012/03/05 17:28:13 | 000,462,406 | ---- | C] () -- C:\Users\User\Documents\Mini_Soul_Scope-190315.pdf
[2012/03/05 13:43:17 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/03/05 13:43:17 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/03/05 13:43:17 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/03/05 13:43:17 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/03/05 13:43:17 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/03/04 23:19:12 | 000,049,842 | ---- | C] () -- C:\Users\User\Desktop\www.geekstogo.com screen capture 2012-3-4-23-19-11.png
[2012/03/04 16:12:27 | 001,454,552 | ---- | C] () -- C:\Users\User\Documents\resource curse in africa.pdf
[2012/03/04 16:10:43 | 000,197,602 | ---- | C] () -- C:\Users\User\Documents\neocolonialism and neoliberalism in south africa and zambia.pdf
[2012/03/04 16:05:48 | 000,030,523 | ---- | C] () -- C:\Users\User\Documents\projectcensored.org-19_American_Companies_Exploit_the_Congo.pdf
[2012/03/04 15:48:03 | 000,185,032 | ---- | C] () -- C:\Users\User\Documents\_data_Revista_No_70_ColombiaInternacional70-03-Analisis-Basedau_Wegenast.pdf
[2012/03/04 15:47:51 | 000,108,866 | ---- | C] () -- C:\Users\User\Documents\ENVIRONMENTAL INJUSTICE AND HUMAN RIGHTS ABUSE.pdf
[2012/03/04 15:47:07 | 000,112,622 | ---- | C] () -- C:\Users\User\Documents\impact of globilization on african continents.pdf
[2012/03/04 15:41:36 | 000,000,512 | ---- | C] () -- C:\Users\User\Desktop\MBR.dat
[2012/03/04 12:18:30 | 004,256,620 | ---- | C] () -- C:\Users\User\Documents\somalia.pdf
[2012/02/29 17:12:53 | 010,122,625 | ---- | C] () -- C:\Users\User\Documents\southern-exposure-catalog-2012-web.pdf
[2012/02/27 15:11:04 | 000,001,197 | ---- | C] () -- C:\Users\Public\Desktop\Battlefield 3.lnk
[2012/02/27 14:19:26 | 000,000,985 | ---- | C] () -- C:\Users\Public\Desktop\Origin.lnk
[2012/02/22 23:13:10 | 000,002,157 | ---- | C] () -- C:\Users\Public\Desktop\Alan Wake.lnk
[2012/02/18 17:26:30 | 000,104,107 | ---- | C] () -- C:\Users\User\Documents\Grad_School_Guide_update_ 2008.pdf
[2012/02/16 18:11:57 | 000,000,219 | ---- | C] () -- C:\Users\User\Desktop\Team Fortress 2.url
[2012/02/16 14:09:21 | 000,000,919 | ---- | C] () -- C:\Users\Public\Desktop\Steam.lnk
[2012/02/14 22:23:21 | 000,726,047 | ---- | C] () -- C:\Users\User\Documents\Day12Poverty1.pdf
[2012/02/09 16:06:08 | 000,959,385 | ---- | C] () -- C:\Users\User\Documents\Day7PovertyOnlineVersion.pdf
[2012/02/09 16:05:52 | 000,780,459 | ---- | C] () -- C:\Users\User\Documents\Day8PovertyOnline.pdf
[2012/02/09 16:05:16 | 000,893,329 | ---- | C] () -- C:\Users\User\Documents\DAY9POVERTY.pdf
[2012/02/09 16:04:32 | 001,202,523 | ---- | C] () -- C:\Users\User\Documents\DayFivePoverty2Online.pdf
[2012/02/09 16:04:20 | 000,459,285 | ---- | C] () -- C:\Users\User\Documents\DayFourPovertyOnline2.pdf
[2012/02/09 16:04:07 | 000,930,098 | ---- | C] () -- C:\Users\User\Documents\DayOnePovertyOnline.pdf
[2012/02/09 16:03:50 | 000,517,094 | ---- | C] () -- C:\Users\User\Documents\Day6PovertyOnline.pdf
[2012/02/09 16:03:33 | 000,645,983 | ---- | C] () -- C:\Users\User\Documents\DayThreePoverty1Online.pdf
[2012/02/09 16:03:14 | 000,497,362 | ---- | C] () -- C:\Users\User\Documents\DayTwoPovertyOnlineVersion.pdf
[2012/02/09 16:03:01 | 000,758,829 | ---- | C] () -- C:\Users\User\Documents\Day10Poverty-Exam1Overview.pdf
[2012/02/04 09:45:29 | 000,000,112 | ---- | C] () -- C:\ProgramData\p6N6d7.dat
[2012/01/20 19:22:52 | 000,005,632 | ---- | C] () -- C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/12/23 13:19:09 | 000,000,272 | ---- | C] () -- C:\Users\User\AppData\Roaming\.backup.dm
[2011/10/12 17:49:22 | 000,000,000 | ---- | C] () -- C:\Users\User\AppData\Local\{058E71F9-096C-4F24-86D8-07CBF60D2085}
[2011/09/20 17:49:58 | 000,000,395 | ---- | C] () -- C:\Windows\Sniffy.ini
[2011/09/05 20:33:58 | 000,007,598 | ---- | C] () -- C:\Users\User\AppData\Local\Resmon.ResmonCfg
[2011/05/11 16:44:42 | 000,000,000 | ---- | C] () -- C:\Users\User\AppData\Local\{2FD53952-2E4E-4235-AA61-1F91CD0FB239}
[2011/04/24 18:25:04 | 000,000,132 | ---- | C] () -- C:\Users\User\AppData\Roaming\Adobe PNG Format CS5 Prefs
[2011/04/09 17:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2010/12/09 22:21:45 | 000,743,534 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/11/06 18:31:53 | 000,189,248 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2010/11/06 18:31:45 | 000,075,136 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2010/11/06 18:31:44 | 002,434,856 | ---- | C] () -- C:\Windows\SysWow64\pbsvc_bc2.exe
[2010/11/03 18:02:24 | 000,196,828 | ---- | C] () -- C:\Windows\SysWow64\mlfcache.dat
[2010/10/03 03:17:44 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/10/02 08:12:08 | 000,000,070 | ---- | C] () -- C:\Windows\sbwin.ini
[2010/10/02 08:02:03 | 000,000,024 | ---- | C] () -- C:\Windows\ATKPF.ini
[2010/10/01 05:34:00 | 000,030,424 | ---- | C] () -- C:\Windows\SysWow64\wrLZMA.dll
[2010/09/06 14:36:30 | 000,148,480 | ---- | C] () -- C:\Windows\SysWow64\APOMngr.DLL
[2010/09/06 14:36:30 | 000,073,728 | ---- | C] () -- C:\Windows\SysWow64\CmdRtr.DLL
[2010/09/06 14:36:30 | 000,000,735 | ---- | C] () -- C:\Windows\FF05_Render_Spk_Hp.ini
[2010/09/06 14:36:30 | 000,000,508 | ---- | C] () -- C:\Windows\FF05_not_Spk_Hp.ini
[2010/09/06 14:28:29 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin

========== LOP Check ==========

[2011/08/09 22:54:12 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\.minecraft
[2012/03/07 19:56:42 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Azureus
[2012/03/07 19:56:43 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\DAEMON Tools Lite
[2010/12/13 13:41:31 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\FlashGet
[2011/10/01 13:17:41 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\FrostWire
[2012/02/27 14:48:19 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Origin
[2011/11/10 17:09:02 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\OtzPNcuDoF
[2011/11/11 10:35:45 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\PunkBuster
[2011/11/10 15:38:36 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\rCCCIrONP
[2011/11/10 15:38:36 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\rCCwIrOtx
[2011/11/11 10:35:45 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\RIFT
[2011/11/10 17:35:07 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\RoonnaHs7EL
[2011/06/23 20:35:38 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Rovio
[2012/01/04 16:05:25 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\runic games
[2011/01/05 23:58:09 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2011/12/23 13:19:49 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Systweak
[2010/12/03 21:46:19 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\The Creative Assembly
[2011/11/11 10:35:45 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Ubisoft
[2011/11/03 18:22:02 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Wing IDE 4
[2012/03/08 20:42:51 | 000,032,574 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >






aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-09 11:02:54
-----------------------------
11:02:54.053 OS Version: Windows x64 6.1.7601 Service Pack 1
11:02:54.053 Number of processors: 8 586 0x1E05
11:02:54.054 ComputerName: USER-PC UserName: User
11:02:56.789 Initialize success
11:02:57.025 AVAST engine defs: 12030900
11:03:00.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
11:03:00.739 Disk 0 Vendor: ST964032 0002 Size: 610480MB BusType: 3
11:03:00.758 Disk 0 MBR read successfully
11:03:00.764 Disk 0 MBR scan
11:03:00.771 Disk 0 Windows 7 default MBR code
11:03:00.779 Disk 0 Partition 1 00 1C Hidd FAT32 LBA MSDOS5.0 20002 MB offset 63
11:03:00.792 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 590476 MB offset 40965750
11:03:00.821 Disk 0 scanning C:\Windows\system32\drivers
11:03:13.539 Service scanning
11:03:37.836 Modules scanning
11:03:37.853 Disk 0 trace - called modules:
11:03:37.912 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
11:03:37.922 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80065ec790]
11:03:37.933 3 CLASSPNP.SYS[fffff88001bcd43f] -> nt!IofCallDriver -> [0xfffffa8006367b20]
11:03:37.943 5 ACPI.sys[fffff88000ec87a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800639d050]
11:03:39.433 AVAST engine scan C:\Windows
11:03:44.016 AVAST engine scan C:\Windows\system32
11:05:25.721 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
11:05:28.343 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
11:06:43.156 AVAST engine scan C:\Windows\system32\drivers
11:06:58.323 AVAST engine scan C:\Users\User
11:36:30.644 AVAST engine scan C:\ProgramData
11:41:17.447 Scan finished successfully
11:46:07.092 Disk 0 MBR has been saved successfully to "C:\Users\User\Desktop\MBR.dat"
11:46:07.101 The log file has been saved successfully to "C:\Users\User\Desktop\aswMBR4.txt"

Edited by ETFoster, 09 March 2012 - 11:59 AM.

  • 0

#36
Crag_Hack
Posted 10 March 2012 - 02:13 PM

Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
Hello ETFoster. Your OTL log looks pretty good and so does your aswMBR log. There are three random folders left to get rid of, if you don't mind I'm gonna nuke the Firefox proxy settings, and also we need to get rid of two infection remnants from the aswMBR log. Then we will do another aswMBR scan to be safe. After all this test out your computer for a while and let me know if you have any more symptoms.

Step 1

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

[2011/11/10 17:09:02 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\OtzPNcuDoF
[2011/11/10 15:38:36 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\rCCCIrONP
[2011/11/10 15:38:36 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\rCCwIrOtx

FF - prefs.js..network.proxy.backup.ftp: "58.246.200.114"
FF - prefs.js..network.proxy.backup.ftp_port: 80
FF - prefs.js..network.proxy.backup.socks: "58.246.200.114"
FF - prefs.js..network.proxy.backup.socks_port: 80
FF - prefs.js..network.proxy.backup.ssl: "58.246.200.114"
FF - prefs.js..network.proxy.backup.ssl_port: 80
FF - prefs.js..network.proxy.ftp: "207.36.231.28"
FF - prefs.js..network.proxy.ftp_port: 80
FF - prefs.js..network.proxy.http: "207.36.231.28"
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "207.36.231.28"
FF - prefs.js..network.proxy.socks_port: 80
FF - prefs.js..network.proxy.ssl: "207.36.231.28"
FF - prefs.js..network.proxy.ssl_port: 80
FF - prefs.js..network.proxy.type: 0

:Files
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

:Commands
[purity]
[resethosts]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Then post the produced log (it will be in C:\_OTL\MovedFiles with a filename beginning with the date)
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply as well.

Step 2

  • Download aswMBR.exe ( 1870KB ) to your desktop.
  • Double click the aswMBR.exe to run it
  • It will ask you if you want to download the latest Avast! virus definitions, answer no

    Posted Image
  • Click the Scan button to start scan

    Posted Image
  • On completion of the scan click Save log, save it to your desktop and post in your next reply

Things to see in your next post:
OTL fix log (it will be in C:\_OTL\MovedFiles with a filename beginning with the date)
OTL.txt
aswMBR log
  • 0

#37
ETFoster
Posted 11 March 2012 - 07:15 PM

ETFoster

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Here are the logs, computer is doing a lot better but still hangs up periodically, as in I see the loading cursor for a few seconds and then the program picks up where it left off. Svchost is still going crazy but I stop the process in task manager and it goes away for a while. Avast isn't detecting consrv.dll but when I ran the OTL fix it said it blocked a dropper from dropping a file. I was able to update my computer and update my graphics card, and things are doing good besides the periodic hangups. Thank you very much for getting me this cleaned up, I was at my wits end with the mess. It only took us two weeks haha.


========== OTL ==========
C:\Users\User\AppData\Roaming\OtzPNcuDoF folder moved successfully.
C:\Users\User\AppData\Roaming\rCCCIrONP folder moved successfully.
C:\Users\User\AppData\Roaming\rCCwIrOtx folder moved successfully.
Prefs.js: "58.246.200.114" removed from network.proxy.backup.ftp
Prefs.js: 80 removed from network.proxy.backup.ftp_port
Prefs.js: "58.246.200.114" removed from network.proxy.backup.socks
Prefs.js: 80 removed from network.proxy.backup.socks_port
Prefs.js: "58.246.200.114" removed from network.proxy.backup.ssl
Prefs.js: 80 removed from network.proxy.backup.ssl_port
Prefs.js: "207.36.231.28" removed from network.proxy.ftp
Prefs.js: 80 removed from network.proxy.ftp_port
Prefs.js: "207.36.231.28" removed from network.proxy.http
Prefs.js: 80 removed from network.proxy.http_port
Prefs.js: true removed from network.proxy.share_proxy_settings
Prefs.js: "207.36.231.28" removed from network.proxy.socks
Prefs.js: 80 removed from network.proxy.socks_port
Prefs.js: "207.36.231.28" removed from network.proxy.ssl
Prefs.js: 80 removed from network.proxy.ssl_port
Prefs.js: 0 removed from network.proxy.type
========== FILES ==========
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.35.1 log created on 03112012_184945





aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-11 18:55:07
-----------------------------
18:55:07.337 OS Version: Windows x64 6.1.7601 Service Pack 1
18:55:07.337 Number of processors: 8 586 0x1E05
18:55:07.337 ComputerName: USER-PC UserName: User
18:55:20.597 Initialize success
18:55:21.548 AVAST engine defs: 12031101
18:55:27.383 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:55:27.383 Disk 0 Vendor: ST964032 0002 Size: 610480MB BusType: 3
18:55:27.414 Disk 0 MBR read successfully
18:55:27.414 Disk 0 MBR scan
18:55:27.430 Disk 0 Windows 7 default MBR code
18:55:27.445 Disk 0 Partition 1 00 1C Hidd FAT32 LBA MSDOS5.0 20002 MB offset 63
18:55:27.445 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 590476 MB offset 40965750
18:55:27.461 Disk 0 scanning C:\Windows\system32\drivers
18:55:59.613 Service scanning
18:56:51.514 Modules scanning
18:56:51.514 Disk 0 trace - called modules:
18:56:51.529 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
18:56:51.545 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80065ce790]
18:56:52.060 3 CLASSPNP.SYS[fffff88001b7443f] -> nt!IofCallDriver -> [0xfffffa8006381e40]
18:56:52.060 5 ACPI.sys[fffff88000f0e7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8006384050]
18:56:54.493 AVAST engine scan C:\Windows
18:57:12.605 AVAST engine scan C:\Windows\system32
19:04:11.060 AVAST engine scan C:\Windows\system32\drivers
19:04:47.347 AVAST engine scan C:\Users\User
19:31:29.027 AVAST engine scan C:\ProgramData
19:35:46.969 Scan finished successfully
19:59:20.106 Disk 0 MBR has been saved successfully to "C:\Users\User\Desktop\MBR.dat"
19:59:20.113 The log file has been saved successfully to "C:\Users\User\Desktop\aswMBR.txt"
  • 0

#38
Crag_Hack
Posted 12 March 2012 - 11:38 PM

Crag_Hack

    Trusted Helper

  • Malware Removal
  • 1,839 posts
Hello ETFoster. We are approaching completion! :) I think the dropper detection was Avast catching OTL deleting a couple dropper files I instructed it to that aswMBR detected. I'd like to do one last OTL quick scan to make sure everything is clean. Then a defrag to see if that speeds up your computer at all. And then if you want we can use process explorer to determine which processes running under svchost are hogging all your resources. Please do the following:

Step 1

Open OTL again and click the Quick Scan button. Post the log it produces in your next reply as well.

Step 2

  • Download MyDefrag from here.
  • Run the downloaded program and follow the instructions to install on your computer
  • Check the Create scheduled tasks for automatic optimization option in the install if you want MyDefrag to automatically defrag at 5 am
  • Run MyDefrag from its start menu entry
  • Select the System Disk Monthly option in the Select a script section
  • Check the disk(s) you want to defrag (C: is probably your main disk)
  • Click the Run button
  • Let the program run unhindered until it finishes

Step 3

Download Process Explorer from here. Extract then run the procexp exe file. Agree to the agreement (rhetorical! :) ). Under the process list on the left look for svchost.exe entries. Under the tree view it will show you which processes are running under each svchost.exe process. It will also show you the CPU usage in the CPU column on the right. Try and find what exe files are running under the relevant svchost branch in which svchost is using all the resources. Let me know if you have any questions.

Things to see in your next post:
OTL quick scan log
Process Explorer info on naughty svchost process
  • 0

#39
NeonFx
Posted 17 March 2012 - 02:23 PM

NeonFx

    Malware Removal Dude

  • Expert
  • 3,798 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP