svchost.exe Virus [Solved]
#1
Posted 08 October 2012 - 01:14 AM
It seems to be possibly "rooting" onto other programs. Before I did the whole reset to my computer it "rooted" onto the program Steam (for games) and I had to remove that... now I believe it's getting hold of my NetGear wireless adapter. It keeps spreading (from what it seems) and will not go away at all. I can follow all instructions, provide more info if needed and everything. Someone please help me!
#2
Posted 08 October 2012 - 01:49 AM
Welcome to Geekstogo.
svchost.exe is a system file, essential to the running of your computer. Having said that, there are some infections out there that masquerade as svchost.exe, which are bad and which we need to do something about.
Have you been to the preparation section?
You need to go there before you come here.
If you read that thread you will learn how to download OTL and run the scans needed to help us assess your computer's problem.
If your machine is in such a condition that you can't do this tell me.
Otherwise go to the link below.
http://www.geekstogo...-Log-t2852.html
Regards
emeraldnzl
#3
Posted 08 October 2012 - 03:28 PM
OTL logfile created on: 10/8/2012 5:22:46 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Austin\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
3.80 Gb Total Physical Memory | 2.56 Gb Available Physical Memory | 67.25% Memory free
7.60 Gb Paging File | 6.19 Gb Available in Paging File | 81.40% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 270.69 Gb Total Space | 242.75 Gb Free Space | 89.68% Space Free | Partition Type: NTFS
Drive D: | 27.20 Gb Total Space | 1.16 Gb Free Space | 4.25% Space Free | Partition Type: NTFS
Computer Name: AUSTIN-PC | User Name: Austin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2012/10/08 17:22:11 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Austin\Desktop\OTL.exe
PRC - [2012/09/07 17:04:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/09/07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/09/07 17:04:44 | 000,766,536 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/08/21 05:12:25 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2012/08/09 23:43:02 | 000,316,840 | ---- | M] (Razer USA Ltd) -- C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
PRC - [2011/05/27 16:23:00 | 001,300,264 | ---- | M] (Synaptics, Inc.) -- C:\Program Files (x86)\Synaptics\Scrybe\Service\ScrybeUpdater.exe
PRC - [2010/08/27 09:32:50 | 004,577,760 | ---- | M] () -- C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe
========== Modules (No Company Name) ==========
MOD - [2012/10/07 15:02:24 | 001,159,168 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\6a6f4be744ed5bc5273cbcf0fcf303e3\System.Management.ni.dll
MOD - [2012/10/07 15:00:52 | 001,011,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Dura#\f3989d3e9cb8904e4edf23ede5adb6c1\System.Runtime.DurableInstancing.ni.dll
MOD - [2012/10/07 15:00:52 | 000,142,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\4d2a51c03b27e615ff9f1c430f2014ba\SMDiagnostics.ni.dll
MOD - [2012/10/07 15:00:51 | 002,625,024 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Seri#\e9f8a45b1063d6c6a62718c88a5623d1\System.Runtime.Serialization.ni.dll
MOD - [2012/10/07 15:00:50 | 000,391,680 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\8eca92a64c232f34b5b559625b022369\System.Xml.Linq.ni.dll
MOD - [2012/10/07 15:00:32 | 001,776,640 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\035910922f160d304fb834aae41f45a6\System.Xaml.ni.dll
MOD - [2012/10/07 13:26:49 | 013,006,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\17e020ae92d7fab33bcc1c98b25019d0\System.Windows.Forms.ni.dll
MOD - [2012/10/07 13:26:41 | 001,651,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\dd57bc19f5807c6dbe8f88d4a23277f6\System.Drawing.ni.dll
MOD - [2012/10/07 13:22:00 | 017,629,184 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\7f91eecda3ff7ce478146b6458580c98\PresentationFramework.ni.dll
MOD - [2012/10/07 13:22:00 | 000,450,048 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\3555f5f74c56fa92c0ab7a635af91bfa\PresentationFramework.Aero.ni.dll
MOD - [2012/10/07 13:21:48 | 011,057,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\3963e9ce8d44f50e8367e92a8e3e42e6\PresentationCore.ni.dll
MOD - [2012/10/07 13:21:40 | 003,779,072 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\d17606e813f01376bd0def23726ecc62\WindowsBase.ni.dll
MOD - [2012/10/07 13:21:36 | 005,571,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\e997d0200c25f7db6bd32313d50b729d\System.Xml.ni.dll
MOD - [2012/10/07 13:21:32 | 000,973,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ac18c2dcd06bd2a0589bac94ccae5716\System.Configuration.ni.dll
MOD - [2012/10/07 13:21:30 | 007,025,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\713647b987b140a17e3c4ffe4c721f85\System.Core.ni.dll
MOD - [2012/10/07 13:21:24 | 009,000,960 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\964da027ebca3b263a05cadb8eaa20a3\System.ni.dll
MOD - [2012/10/07 13:21:20 | 014,415,872 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\246f1a5abb686b9dcdf22d3505b08cea\mscorlib.ni.dll
MOD - [2010/08/27 09:32:50 | 004,577,760 | ---- | M] () -- C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe
MOD - [2010/07/08 11:24:42 | 000,258,048 | ---- | M] () -- C:\Program Files (x86)\NETGEAR\WNDA3100v2\WifiSvcLib.dll
========== Services (SafeList) ==========
SRV:64bit: - [2012/08/21 05:12:25 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2010/09/09 18:26:44 | 000,203,264 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/09/07 17:04:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/09/07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2011/05/27 16:23:00 | 001,300,264 | ---- | M] (Synaptics, Inc.) [Auto | Running] -- C:\Program Files (x86)\Synaptics\Scrybe\Service\ScrybeUpdater.exe -- (ScrybeUpdater)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
========== Driver Services (SafeList) ==========
DRV:64bit: - [2012/10/07 13:16:36 | 001,310,720 | ---- | M] (C-Media Electronics Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CM10864.sys -- (USBPNPA)
DRV:64bit: - [2012/09/07 17:04:46 | 000,025,928 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2012/08/21 05:13:13 | 000,969,200 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2012/08/21 05:13:13 | 000,359,464 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2012/08/21 05:13:13 | 000,059,728 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2012/08/21 05:13:12 | 000,071,600 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2012/08/21 05:13:12 | 000,054,072 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr)
DRV:64bit: - [2012/08/21 05:13:11 | 000,025,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2012/08/17 03:01:28 | 000,025,600 | ---- | M] (Razer USA Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rzdaendpt.sys -- (rzdaendpt)
DRV:64bit: - [2012/08/17 03:01:26 | 000,022,528 | ---- | M] (Razer USA Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rzvkeyboard.sys -- (rzvkeyboard)
DRV:64bit: - [2012/08/17 03:01:22 | 000,110,592 | ---- | M] (Razer USA Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rzudd.sys -- (rzudd)
DRV:64bit: - [2011/03/31 19:32:00 | 001,424,944 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2010/09/09 18:45:34 | 007,767,552 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2010/09/09 17:52:50 | 000,279,040 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2010/07/28 18:10:40 | 010,610,400 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdpmd64.sys -- (intelkmd)
DRV:64bit: - [2010/02/03 11:20:32 | 000,047,632 | ---- | M] (CACE Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\npf.sys -- (NPF)
DRV:64bit: - [2009/11/06 08:40:26 | 000,838,136 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\bcmwlhigh664.sys -- (BCMH43XX)
DRV:64bit: - [2009/09/17 19:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64)
DRV:64bit: - [2009/07/13 21:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 21:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 21:47:48 | 000,023,104 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 16:35:42 | 000,187,392 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2007/01/19 18:24:24 | 000,025,312 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\SCMNdisP.sys -- (SCMNdisP)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = AD B3 F7 BA AD A4 CD 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@raidcall.en/RCplugin: C:\Users\Austin\AppData\Roaming\raidcall\plugins\nprcplugin.dll (Raidcall)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Austin\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O4:64bit: - HKLM..\Run: [Cm108Sound] C:\Windows\Syswow64\cm108.dll (C-Media Corporation)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Razer Synapse] C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe (Razer USA Ltd)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{02E1940E-D548-441B-A48A-811F2551CB41}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A5C1DD3B-AB74-4EFF-B83E-7AB395E18404}: DhcpNameServer = 192.168.1.1
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
========== Files/Folders - Created Within 30 Days ==========
[2012/10/08 17:22:11 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Austin\Desktop\OTL.exe
[2012/10/08 02:58:47 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Austin\Desktop\tdsskiller.exe
[2012/10/08 02:49:47 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/10/07 23:01:02 | 000,359,464 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2012/10/07 23:01:02 | 000,025,232 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2012/10/07 23:01:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2012/10/07 23:01:00 | 000,969,200 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2012/10/07 23:01:00 | 000,059,728 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2012/10/07 23:01:00 | 000,054,072 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2012/10/07 23:00:59 | 000,285,328 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2012/10/07 23:00:59 | 000,071,600 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2012/10/07 23:00:53 | 000,227,648 | ---- | C] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2012/10/07 23:00:53 | 000,041,224 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2012/10/07 23:00:44 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2012/10/07 23:00:44 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012/10/07 22:52:29 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2012/10/07 22:46:03 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Roaming\Malwarebytes
[2012/10/07 22:45:55 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/10/07 22:45:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/10/07 22:45:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/10/07 22:45:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/10/07 20:51:44 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Roaming\LolClient
[2012/10/07 18:40:43 | 000,000,000 | ---D | C] -- C:\Riot Games
[2012/10/07 18:40:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Riot Games
[2012/10/07 16:11:54 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2012/10/07 15:35:24 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Roaming\Synaptics
[2012/10/07 15:32:42 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Roaming\Unity
[2012/10/07 15:22:40 | 000,000,000 | ---D | C] -- C:\Program Files\Synaptics
[2012/10/07 15:21:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Synaptics
[2012/10/07 15:21:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Synaptics
[2012/10/07 15:21:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Scrybe
[2012/10/07 15:21:47 | 001,424,944 | ---- | C] (Synaptics Incorporated) -- C:\Windows\SysNative\drivers\SynTP.sys
[2012/10/07 15:21:47 | 000,411,432 | ---- | C] (Synaptics Incorporated) -- C:\Windows\SysNative\SynCOM.dll
[2012/10/07 15:21:47 | 000,274,728 | ---- | C] (Synaptics Incorporated) -- C:\Windows\SysNative\SynCtrl.dll
[2012/10/07 15:21:47 | 000,225,576 | ---- | C] (Synaptics Incorporated) -- C:\Windows\SysNative\SynTPAPI.dll
[2012/10/07 15:21:47 | 000,218,408 | ---- | C] (Synaptics Incorporated) -- C:\Windows\SysWow64\SynCtrl.dll
[2012/10/07 15:21:47 | 000,173,352 | ---- | C] (Synaptics Incorporated) -- C:\Windows\SysWow64\SynCOM.dll
[2012/10/07 15:21:47 | 000,148,264 | ---- | C] (Synaptics Incorporated) -- C:\Windows\SysNative\SynTPCo9.dll
[2012/10/07 15:14:10 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Local\Unity
[2012/10/07 15:14:00 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Local\Apps
[2012/10/07 15:13:59 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Local\Deployment
[2012/10/07 15:12:49 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2012/10/07 15:12:18 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2012/10/07 14:12:33 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Roaming\Macromedia
[2012/10/07 14:12:32 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Roaming\Adobe
[2012/10/07 14:12:28 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Macromed
[2012/10/07 14:12:26 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
[2012/10/07 14:10:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe
[2012/10/07 13:49:27 | 000,000,000 | ---D | C] -- C:\League of legends
[2012/10/07 13:48:29 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Local\PMB Files
[2012/10/07 13:48:28 | 000,000,000 | ---D | C] -- C:\ProgramData\PMB Files
[2012/10/07 13:47:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Pando Networks
[2012/10/07 13:39:43 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Roaming\raidcall
[2012/10/07 13:39:42 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RaidCall
[2012/10/07 13:39:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RaidCall
[2012/10/07 13:39:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\RaidCall
[2012/10/07 13:24:04 | 000,000,000 | ---D | C] -- C:\Users\Austin\Desktop\Ewokese
[2012/10/07 13:19:17 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Local\Razer
[2012/10/07 13:19:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Razer
[2012/10/07 13:19:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Razer
[2012/10/07 13:19:17 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Razer
[2012/10/07 13:17:15 | 008,757,248 | ---- | C] (C-Media Corporation) -- C:\Windows\SysWow64\CM108.dll
[2012/10/07 13:17:15 | 000,200,704 | ---- | C] (C-Media) -- C:\Windows\SysWow64\cmpa108.dll
[2012/10/07 13:15:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft.NET
[2012/10/07 12:23:55 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2012/10/07 12:23:53 | 000,281,104 | ---- | C] (CACE Technologies, Inc.) -- C:\Windows\SysWow64\wpcap.dll
[2012/10/07 12:23:53 | 000,096,784 | ---- | C] (CACE Technologies, Inc.) -- C:\Windows\SysWow64\Packet.dll
[2012/10/07 12:23:53 | 000,047,632 | ---- | C] (CACE Technologies, Inc.) -- C:\Windows\SysNative\drivers\npf.sys
[2012/10/07 12:23:53 | 000,025,312 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- C:\Windows\SysNative\drivers\SCMNdisP.sys
[2012/10/07 12:23:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NETGEAR WNDA3100v2 Smart Wizard
[2012/10/07 12:23:52 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\InstallShield Installation Information
[2012/10/07 12:23:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NETGEAR
[2012/10/07 12:23:37 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Roaming\InstallShield
[2012/10/07 12:18:19 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2012/10/07 12:17:31 | 000,000,000 | R--D | C] -- C:\Users\Austin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2012/10/07 12:17:31 | 000,000,000 | R--D | C] -- C:\Users\Austin\Searches
[2012/10/07 12:17:31 | 000,000,000 | R--D | C] -- C:\Users\Austin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2012/10/07 12:17:31 | 000,000,000 | -H-D | C] -- C:\Users\Austin\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2012/10/07 12:17:23 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Roaming\Identities
[2012/10/07 12:17:21 | 000,000,000 | R--D | C] -- C:\Users\Austin\Contacts
[2012/10/07 12:17:19 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Local\VirtualStore
[2012/10/07 12:17:12 | 000,000,000 | --SD | C] -- C:\Users\Austin\AppData\Roaming\Microsoft
[2012/10/07 12:17:12 | 000,000,000 | R--D | C] -- C:\Users\Austin\Videos
[2012/10/07 12:17:12 | 000,000,000 | R--D | C] -- C:\Users\Austin\Saved Games
[2012/10/07 12:17:12 | 000,000,000 | R--D | C] -- C:\Users\Austin\Pictures
[2012/10/07 12:17:12 | 000,000,000 | R--D | C] -- C:\Users\Austin\Music
[2012/10/07 12:17:12 | 000,000,000 | R--D | C] -- C:\Users\Austin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2012/10/07 12:17:12 | 000,000,000 | R--D | C] -- C:\Users\Austin\Links
[2012/10/07 12:17:12 | 000,000,000 | R--D | C] -- C:\Users\Austin\Favorites
[2012/10/07 12:17:12 | 000,000,000 | R--D | C] -- C:\Users\Austin\Downloads
[2012/10/07 12:17:12 | 000,000,000 | R--D | C] -- C:\Users\Austin\Documents
[2012/10/07 12:17:12 | 000,000,000 | R--D | C] -- C:\Users\Austin\Desktop
[2012/10/07 12:17:12 | 000,000,000 | R--D | C] -- C:\Users\Austin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\AppData\Local\Temporary Internet Files
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\Templates
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\Start Menu
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\SendTo
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\Recent
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\PrintHood
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\NetHood
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\Documents\My Videos
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\Documents\My Pictures
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\Documents\My Music
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\My Documents
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\Local Settings
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\AppData\Local\History
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\Cookies
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\Application Data
[2012/10/07 12:17:12 | 000,000,000 | -HSD | C] -- C:\Users\Austin\AppData\Local\Application Data
[2012/10/07 12:17:12 | 000,000,000 | -H-D | C] -- C:\Users\Austin\AppData
[2012/10/07 12:17:12 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Local\Temp
[2012/10/07 12:17:12 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Local\Microsoft
[2012/10/07 12:17:12 | 000,000,000 | ---D | C] -- C:\Users\Austin\AppData\Roaming\Media Center Programs
[2012/10/07 12:17:04 | 000,000,000 | -HSD | C] -- C:\Recovery
========== Files - Modified Within 30 Days ==========
[2012/10/08 17:22:11 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Austin\Desktop\OTL.exe
[2012/10/08 17:19:37 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/10/08 17:19:27 | 3062,059,008 | -HS- | M] () -- C:\hiberfil.sys
[2012/10/08 02:59:23 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Austin\Desktop\tdsskiller.exe
[2012/10/08 02:41:02 | 000,014,608 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/10/08 02:41:02 | 000,014,608 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/10/08 02:38:13 | 000,778,150 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/10/08 02:38:13 | 000,659,818 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/10/08 02:38:13 | 000,120,714 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/10/08 00:46:44 | 000,000,699 | ---- | M] () -- C:\Windows\Cm108.ini.imi
[2012/10/08 00:42:57 | 000,000,338 | ---- | M] () -- C:\Windows\Cm108.ini.cfl
[2012/10/08 00:42:56 | 000,000,133 | ---- | M] () -- C:\Windows\System\Dlap.pfx
[2012/10/08 00:42:53 | 000,000,152 | ---- | M] () -- C:\Windows\System\Cm108.ini
[2012/10/07 23:01:02 | 000,001,922 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2012/10/07 23:00:59 | 000,000,350 | -H-- | M] () -- C:\Windows\tasks\avast! Emergency Update.job
[2012/10/07 23:00:59 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2012/10/07 22:48:35 | 000,000,033 | ---- | M] () -- C:\Users\Austin\AppData\Roaming\mbam.context.scan
[2012/10/07 22:45:56 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/07 18:42:36 | 000,001,720 | ---- | M] () -- C:\Users\Public\Desktop\Play League of Legends.lnk
[2012/10/07 15:22:44 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_SynTP_01009.Wdf
[2012/10/07 15:14:45 | 000,041,962 | ---- | M] () -- C:\Windows\SysWow64\license.rtf
[2012/10/07 15:14:45 | 000,041,962 | ---- | M] () -- C:\Windows\SysNative\license.rtf
[2012/10/07 13:39:42 | 000,001,007 | ---- | M] () -- C:\Users\Austin\Desktop\RaidCall.lnk
[2012/10/07 13:28:22 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_rzudd_01009.Wdf
[2012/10/07 13:27:39 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_rzdaendpt_01009.Wdf
[2012/10/07 13:23:07 | 000,291,368 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/10/07 13:16:46 | 000,772,430 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/10/07 13:16:37 | 000,001,353 | ---- | M] () -- C:\Windows\cm108.ini
[2012/10/07 13:16:36 | 008,757,248 | ---- | M] (C-Media Corporation) -- C:\Windows\SysWow64\CM108.dll
[2012/10/07 13:16:36 | 001,310,720 | ---- | M] (C-Media Electronics Inc) -- C:\Windows\SysNative\drivers\CM10864.sys
[2012/10/07 13:16:36 | 000,389,120 | ---- | M] () -- C:\Windows\SysNative\CM108.cpl
[2012/10/07 13:16:36 | 000,315,392 | ---- | M] (C-Media Electronics Inc.) -- C:\Windows\System\fltr108.dll
[2012/10/07 13:16:36 | 000,200,704 | ---- | M] (C-Media) -- C:\Windows\SysWow64\cmpa108.dll
[2012/10/07 13:16:36 | 000,143,360 | ---- | M] () -- C:\Windows\Vmix108.dll
[2012/10/07 13:16:35 | 000,804,352 | ---- | M] () -- C:\Windows\SysNative\Cmeau108.exe
[2012/10/07 13:16:35 | 000,359,424 | ---- | M] () -- C:\Windows\SysNative\CmiInstallResAll64.dll
[2012/10/07 13:16:35 | 000,002,029 | ---- | M] () -- C:\Windows\Cm108.ini.cfg
[2012/10/07 13:03:49 | 000,001,437 | ---- | M] () -- C:\Users\Austin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/10/07 13:03:00 | 000,000,000 | ---- | M] () -- C:\Windows\ativpsrm.bin
[2012/10/07 12:58:06 | 000,072,822 | ---- | M] () -- C:\Windows\SysWow64\ieuinit.inf
[2012/10/07 12:58:06 | 000,072,822 | ---- | M] () -- C:\Windows\SysNative\ieuinit.inf
[2012/10/07 12:24:46 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_bcmwlhigh664_01009.Wdf
[2012/10/07 12:23:53 | 000,000,946 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WNDA3100v2 Smart Wizard.lnk
========== Files Created - No Company Name ==========
[2012/10/07 23:01:02 | 000,001,922 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2012/10/07 23:00:59 | 000,000,350 | -H-- | C] () -- C:\Windows\tasks\avast! Emergency Update.job
[2012/10/07 23:00:59 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
[2012/10/07 22:48:35 | 000,000,033 | ---- | C] () -- C:\Users\Austin\AppData\Roaming\mbam.context.scan
[2012/10/07 22:45:56 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/10/07 18:42:36 | 000,001,720 | ---- | C] () -- C:\Users\Public\Desktop\Play League of Legends.lnk
[2012/10/07 15:22:44 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_SynTP_01009.Wdf
[2012/10/07 15:21:47 | 000,066,856 | ---- | C] () -- C:\Windows\SysWow64\SynTPEnhPS.dll
[2012/10/07 15:14:40 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2012/10/07 15:14:37 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2012/10/07 15:12:18 | 3062,059,008 | -HS- | C] () -- C:\hiberfil.sys
[2012/10/07 13:39:42 | 000,001,007 | ---- | C] () -- C:\Users\Austin\Desktop\RaidCall.lnk
[2012/10/07 13:28:22 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_rzudd_01009.Wdf
[2012/10/07 13:27:39 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_rzdaendpt_01009.Wdf
[2012/10/07 13:17:16 | 000,389,120 | ---- | C] () -- C:\Windows\SysNative\CM108.cpl
[2012/10/07 13:17:16 | 000,143,360 | ---- | C] () -- C:\Windows\Vmix108.dll
[2012/10/07 13:17:15 | 000,804,352 | ---- | C] () -- C:\Windows\SysNative\Cmeau108.exe
[2012/10/07 13:17:15 | 000,000,338 | ---- | C] () -- C:\Windows\Cm108.ini.cfl
[2012/10/07 13:17:15 | 000,000,133 | ---- | C] () -- C:\Windows\System\Dlap.pfx
[2012/10/07 13:17:01 | 000,359,424 | ---- | C] () -- C:\Windows\SysNative\CmiInstallResAll64.dll
[2012/10/07 13:17:01 | 000,002,029 | ---- | C] () -- C:\Windows\Cm108.ini.cfg
[2012/10/07 13:17:01 | 000,000,699 | ---- | C] () -- C:\Windows\Cm108.ini.imi
[2012/10/07 13:17:01 | 000,000,152 | ---- | C] () -- C:\Windows\System\Cm108.ini
[2012/10/07 13:17:00 | 000,001,353 | ---- | C] () -- C:\Windows\cm108.ini
[2012/10/07 13:16:45 | 000,772,430 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/10/07 13:03:49 | 000,001,437 | ---- | C] () -- C:\Users\Austin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/10/07 13:03:00 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2012/10/07 12:58:06 | 000,072,822 | ---- | C] () -- C:\Windows\SysWow64\ieuinit.inf
[2012/10/07 12:58:06 | 000,072,822 | ---- | C] () -- C:\Windows\SysNative\ieuinit.inf
[2012/10/07 12:24:46 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_bcmwlhigh664_01009.Wdf
[2012/10/07 12:23:53 | 000,053,299 | ---- | C] () -- C:\Windows\SysWow64\pthreadVC.dll
[2012/10/07 12:23:53 | 000,000,946 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WNDA3100v2 Smart Wizard.lnk
[2012/10/07 12:17:37 | 000,001,409 | ---- | C] () -- C:\Users\Austin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
[2012/10/07 12:17:33 | 000,001,443 | ---- | C] () -- C:\Users\Austin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2012/10/07 12:17:12 | 000,000,290 | ---- | C] () -- C:\Users\Austin\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2012/10/07 12:17:12 | 000,000,272 | ---- | C] () -- C:\Users\Austin\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
========== ZeroAccess Check ==========
[2009/07/14 00:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2009/07/13 21:41:54 | 014,161,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2009/07/13 21:16:14 | 012,866,560 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 21:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/07/13 21:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 21:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
========== LOP Check ==========
[2012/10/07 20:51:44 | 000,000,000 | ---D | M] -- C:\Users\Austin\AppData\Roaming\LolClient
[2012/10/07 13:39:43 | 000,000,000 | ---D | M] -- C:\Users\Austin\AppData\Roaming\raidcall
[2012/10/07 15:35:24 | 000,000,000 | ---D | M] -- C:\Users\Austin\AppData\Roaming\Synaptics
[2012/10/07 15:32:42 | 000,000,000 | ---D | M] -- C:\Users\Austin\AppData\Roaming\Unity
========== Purity Check ==========
< End of report >
#4
Posted 08 October 2012 - 04:06 PM
There should have been an Extras.txt generated at the same time as the OTL.txt. Would have been saved in the same place. Please post it when you return.
Now
Nothing too much leaping out at me there.
I see you used TDSSKiller. What reason led you to use that one?
Turning to the multiple running of svchost.exe, see this link. It explains about svchost and why you often see multiple instances of it running.
Next
- Please go to VirSCAN.org FREE on-line scan service
- Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:
- C:\Windows\SysNative\drivers\npf.sys
- Click on the Upload button
- Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
- Paste the contents of the Clipboard in your next reply.
Step 2
Please run OTL.exe
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O4 - HKLM..\Run: [] File not found
:Files
ipconfig /flushdns /c
:Commands
[ResetHosts]
[emptyflash]
[emptyjava]
[CreateRestorePoint]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- It will produce a log for you on reboot, please post that log in your next reply. The log is saved in the same location as OTL.
- Extras.txt
- Virscan report
- OTL fix.txt
- and tell me about TDSSKiller
#5
Posted 08 October 2012 - 04:50 PM
Hello AustinJG,
Well, the virusscan.org thing did not seem to work; it could not find the file. And when OTL got finished it only left otl.int and did not leave an OTL.fix, but I'll post both of those anyway (there are 2 OTL.ints). I was reading a similar post like this and someone used TDSSKiller and there was an exact file that was the same as the one he had, and he was told to delete it, and so did I. I forget the name of the file though, but it only found 1 file at the time... I thought that would fix it but I was wrong, but anyway here's what I was able to get out of all of those steps...
OTL Extras logfile created on: 10/8/2012 5:22:46 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Austin\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
3.80 Gb Total Physical Memory | 2.56 Gb Available Physical Memory | 67.25% Memory free
7.60 Gb Paging File | 6.19 Gb Available in Paging File | 81.40% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 270.69 Gb Total Space | 242.75 Gb Free Space | 89.68% Space Free | Partition Type: NTFS
Drive D: | 27.20 Gb Total Space | 1.16 Gb Free Space | 4.25% Space Free | Partition Type: NTFS
Computer Name: AUSTIN-PC | User Name: Austin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
========== Shell Spawning ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
========== Authorized Applications List ==========
========== Vista Active Open Ports Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
========== Vista Active Application Exception List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{8C0DA038-0AA3-44A4-B721-778570566D97}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{98ECC7C8-42D5-4BD4-9F77-BCDD5416D8D8}" = dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{9E9DA4E6-796A-482A-8F44-91F3FDB8D7BA}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{D1DD082E-C095-43EF-8422-B952B4545DEB}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{D348B560-7EC2-4459-ADCF-6BB43C26CDF6}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
========== HKEY_LOCAL_MACHINE Uninstall List ==========
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"C-Media CM108 Like Sound Driver" = USB PnP Sound Device
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"SynTPDeinstKey" = Synaptics Pointing Device Driver
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0D78BEE2-F8FF-4498-AF1A-3FF81CED8AC6}" = Razer Synapse 2.0
"{147DFAD8-34C3-4DE1-9FCA-ACEFDE9EF810}" = Synaptics Gesture Suite featuring SYNAPTICS | Scrybe
"{3C7839E7-21F4-49E0-B4D5-AC8ED818CCB0}" = NETGEAR WNDA3100v2 wireless USB 2.0 adapter
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"avast" = avast! Free Antivirus
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.0.1400
"RaidCall" = RaidCall
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"UnityWebPlayer" = Unity Web Player
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 10/8/2012 2:58:47 AM | Computer Name = Austin-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\AVAST Software\Avast\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.
Error - 10/8/2012 2:58:47 AM | Computer Name = Austin-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\AVAST Software\Avast\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.
Error - 10/8/2012 3:20:04 AM | Computer Name = Austin-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\AVAST Software\Avast\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.
Error - 10/8/2012 3:37:50 AM | Computer Name = Austin-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\AVAST Software\Avast\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.
Error - 10/8/2012 5:19:45 PM | Computer Name = Austin-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\AVAST Software\Avast\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.
Error - 10/8/2012 5:20:15 PM | Computer Name = Austin-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\AVAST Software\Avast\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.
Error - 10/8/2012 5:20:24 PM | Computer Name = Austin-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\AVAST Software\Avast\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.
Error - 10/8/2012 5:22:09 PM | Computer Name = Austin-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\AVAST Software\Avast\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.
Error - 10/8/2012 5:22:09 PM | Computer Name = Austin-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\AVAST Software\Avast\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.
Error - 10/8/2012 5:22:09 PM | Computer Name = Austin-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\AVAST Software\Avast\AvastUI.exe".
Dependent
Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"
could not be found. Please use sxstrace.exe for detailed diagnosis.
[ System Events ]
Error - 10/8/2012 1:08:51 AM | Computer Name = Austin-PC | Source = Service Control Manager | ID = 7031
Description = The Windows Search service terminated unexpectedly. It has done this
2 time(s). The following corrective action will be taken in 30000 milliseconds:
Restart the service.
Error - 10/8/2012 1:09:21 AM | Computer Name = Austin-PC | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Search service, but
this action failed with the following error: %%1056
Error - 10/8/2012 1:14:02 AM | Computer Name = Austin-PC | Source = Service Control Manager | ID = 7034
Description = The Windows Search service terminated unexpectedly. It has done this
3 time(s).
Error - 10/8/2012 1:14:20 AM | Computer Name = Austin-PC | Source = Service Control Manager | ID = 7031
Description = The Microsoft .NET Framework NGEN v4.0.30319_X64 service terminated
unexpectedly. It has done this 2 time(s). The following corrective action will
be taken in 300000 milliseconds: Restart the service.
Error - 10/8/2012 2:30:19 AM | Computer Name = Austin-PC | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10003
Description = WLAN Extensibility Module has stopped unexpectedly. Module Path: C:\Windows\System32\bcmihvsrv64.dll
Error - 10/8/2012 2:30:20 AM | Computer Name = Austin-PC | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10003
Description = WLAN Extensibility Module has stopped unexpectedly. Module Path: C:\Windows\System32\bcmihvsrv64.dll
Error - 10/8/2012 2:30:20 AM | Computer Name = Austin-PC | Source = Microsoft-Windows-WLAN-AutoConfig | ID = 10003
Description = WLAN Extensibility Module has stopped unexpectedly. Module Path: C:\Windows\System32\bcmihvsrv64.dll
Error - 10/8/2012 2:31:32 AM | Computer Name = Austin-PC | Source = Service Control Manager | ID = 7000
Description = The WSWNDA3100 service failed to start due to the following error:
%%2
Error - 10/8/2012 2:33:54 AM | Computer Name = Austin-PC | Source = Service Control Manager | ID = 7000
Description = The WSWNDA3100 service failed to start due to the following error:
%%2
Error - 10/8/2012 5:20:00 PM | Computer Name = Austin-PC | Source = Service Control Manager | ID = 7000
Description = The WSWNDA3100 service failed to start due to the following error:
%%2
< End of report >
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183
#6
Posted 08 October 2012 - 05:17 PM
did not leave an OTL.fix
Should be in a notepad where you save OTL.
If the log doesn't appear where you saved OTL when you downloaded it then a copy of the OTL fix log is saved in a text file at
C:\_OTL\MovedFiles
Well the virusscan.org thing did not seem to work
Maybe the forum software got in the way; try copying and pasting the file path from the quote box below into the panel in VirScan:
C:\Windows\SysNative\drivers\npf.sys
See how you go.
When you return then please post
- OTL log from the fix
- VirScan results
#7
Posted 08 October 2012 - 05:30 PM
Well, the VirScan still won't work for me ("can't find file"), although I found the file, but it won't upload for some reason. But I found the OTL notepad:
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Austin\Desktop\cmd.bat deleted successfully.
C:\Users\Austin\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYFLASH]
User: All Users
User: Austin
->Flash cache emptied: 4744 bytes
User: Default
User: Default User
User: Public
Total Flash Files Cleaned = 0.00 mb
[EMPTYJAVA]
User: All Users
User: Austin
User: Default
User: Default User
User: Public
Total Java Files Cleaned = 0.00 mb
Restore point Set: OTL Restore Point
OTL by OldTimer - Version 3.2.69.0 log created on 10082012_184339
#8
Posted 08 October 2012 - 05:37 PM
Well the virscan still won't work for me
No problem, let's try another site and a different file but from the same program.
Please go to Virus Total
Click on the button Choose File
Copy/paste this file and path into the white box beside File Name in the window that pops up:
C:\Windows\SysWow64\Packet.dll
Press Scan it - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
Also when you come back please tell me as much as you can about the svchost problem. Is it just that you are seeing it running multiple times or is it being flagged to you somehow?
#9
Posted 08 October 2012 - 05:52 PM
It was seen multiple times and, before I did the reset to factory thing, it was being flagged by Avast, but I don't have Avast working anymore, and it would freeze up my computer at times and then it would restart it multiple times. It wouldn't let some programs run either... um, my brother tried fixing it (with little knowledge of the virus/svchost); he went in with a CD before Windows started (used Ubuntu or whatever it's called) to delete the svchost and replaced it with one from my other computer because File Assassin/malware/Avast could not detect it or delete it. We spent 1-2 days trying to remove it but we couldn't, so we ended up doing the reset to factory thing and that still didn't remove it. We made a partition to keep a folder of mine with notepads of important information I wanted to keep, but that was about it; maybe it "rooted" onto the partition and got back onto the computer after the whole reset?? I'm very unsure, but anyway here's the VirusTotal scan... it said it detected 0/42 or something
Antivirus | Result | Update
nProtect | - | 20120816
CAT-QuickHeal | - | 20120814
McAfee | - | 20120817
K7AntiVirus | - | 20120816
TheHacker | - | 20120816
VirusBuster | - | 20120816
F-Prot | - | 20120817
Symantec | - | 20120817
Norman | - | 20120816
TotalDefense | - | 20120816
TrendMicro-HouseCall | - | 20120817
Avast | - | 20120816
eSafe | - | 20120816
ClamAV | - | 20120817
Kaspersky | - | 20120816
BitDefender | - | 20120817
ViRobot | - | 20120816
Emsisoft | - | 20120817
Comodo | - | 20120817
F-Secure | - | 20120817
DrWeb | - | 20120817
VIPRE | - | 20120816
AntiVir | - | 20120816
TrendMicro | - | 20120817
McAfee-GW-Edition | - | 20120816
Sophos | - | 20120817
Jiangmin | - | 20120816
Antiy-AVL | - | 20120816
Microsoft | - | 20120817
SUPERAntiSpyware | - | 20120816
AhnLab-V3 | - | 20120816
GData | - | 20120817
Commtouch | - | 20120817
ByteHero | - | 20120814
VBA32 | - | 20120814
PCTools | - | 20120813
ESET-NOD32 | - | 20120816
Rising | - | 20120815
Ikarus | - | 20120816
Fortinet | - | 20120816
AVG | - | 20120817
Panda | - | 20120816
Edited by AustinJG, 08 October 2012 - 05:54 PM.
#10
Posted 08 October 2012 - 06:29 PM
It was seen multiple times and, before I did the reset to factory thing, it was being flagged by Avast, but I don't have Avast working anymore, and it would freeze up my computer at times and then it would restart it multiple times. It wouldn't let some programs run either... um, my brother tried fixing it (with little knowledge of the virus/svchost); he went in with a CD before Windows started (used Ubuntu or whatever it's called) to delete the svchost and replaced it with one from my other computer because File Assassin/malware/Avast could not detect it or delete it. We spent 1-2 days trying to remove it but we couldn't, so we ended up doing the reset to factory thing and that still didn't remove it. We made a partition to keep a folder of mine with notepads of important information I wanted to keep, but that was about it; maybe it "rooted" onto the partition and got back onto the computer after the whole reset??
That is helpful, thank you.
We will see if there is a rootkit there. If it is a partition one, then it is difficult to find and wouldn't show up in the normal scans.
Now
Download aswMBR.exe ( 4.5mb ) to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply
Next
Please download and run ListParts by Farbar (for 32-bit system)
Please download and run ListParts64 by Farbar (for 64-bit system)
Click on Scan button.
Scan result will open in Notepad.
Post the log (Result.txt) in your next reply.
When you return please post
- aswMBR log
- Result.txt
#11
Posted 08 October 2012 - 06:49 PM
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-08 20:44:01
-----------------------------
20:44:01.726 OS Version: Windows x64 6.1.7600
20:44:01.726 Number of processors: 4 586 0x2505
20:44:01.728 ComputerName: AUSTIN-PC UserName: Austin
20:44:02.480 Initialize success
20:44:02.600 AVAST engine defs: 12100801
20:44:09.659 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:44:09.661 Disk 0 Vendor: WDC_WD3200BEKT-75PVMT0 01.01A01 Size: 305245MB BusType: 11
20:44:09.679 Disk 0 MBR read successfully
20:44:09.681 Disk 0 MBR scan
20:44:09.684 Disk 0 Windows 7 default MBR code
20:44:09.687 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:44:09.697 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 277191 MB offset 206848
20:44:09.725 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 27849 MB offset 567894016
20:44:09.731 Disk 0 scanning C:\Windows\system32\drivers
20:44:13.004 Service scanning
20:44:23.750 Modules scanning
20:44:23.757 Disk 0 trace - called modules:
20:44:23.767 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
20:44:24.097 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800526d060]
20:44:24.102 3 CLASSPNP.SYS[fffff8800188d43f] -> nt!IofCallDriver -> [0xfffffa8004fb73f0]
20:44:24.106 5 ACPI.sys[fffff88000f3c781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004fe1060]
20:44:24.707 AVAST engine scan C:\Windows
20:44:26.291 AVAST engine scan C:\Windows\system32
20:45:17.338 AVAST engine scan C:\Windows\system32\drivers
20:45:21.053 AVAST engine scan C:\Users\Austin
20:47:13.222 AVAST engine scan C:\ProgramData
20:47:20.778 Scan finished successfully
20:47:33.753 Disk 0 MBR has been saved successfully to "C:\Users\Austin\Desktop\MBR.dat"
20:47:33.758 The log file has been saved successfully to "C:\Users\Austin\Desktop\aswMBR.txt"
ListParts by Farbar Version: 02-10-2012
Ran by Austin (administrator) on 08-10-2012 at 20:48:18
Windows 7 (X64)
Running From: C:\Users\Austin\Desktop
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 32%
Total physical RAM: 3893.61 MB
Available physical RAM: 2647.3 MB
Total Pagefile: 7785.37 MB
Available Pagefile: 6330.75 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:270.69 GB) (Free:242.6 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:27.2 GB) (Free:1.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 103 MB
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 270 GB 101 MB
Partition 3 Primary 27 GB 270 GB
======================================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 System Rese NTFS Partition 100 MB Healthy System (partition with boot components)
======================================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 270 GB Healthy Boot
======================================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D RECOVERY NTFS Partition 27 GB Healthy
======================================================================================================
****** End Of Log ******
#12
Posted 08 October 2012 - 07:02 PM
Well I am not seeing anything there.
Let's do this:
Please run the following scan for me.
Open OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
/md5start
svchost.exe
/md5stop
- Click the None button at the top.
- Click the Run Scan button.
- Post the log it produces in your next reply.
#13
Posted 08 October 2012 - 07:06 PM
OTL logfile created on: 10/8/2012 9:05:19 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Austin\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
3.80 Gb Total Physical Memory | 2.63 Gb Available Physical Memory | 69.16% Memory free
7.60 Gb Paging File | 6.21 Gb Available in Paging File | 81.67% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 270.69 Gb Total Space | 242.55 Gb Free Space | 89.60% Space Free | Partition Type: NTFS
Drive D: | 27.20 Gb Total Space | 1.16 Gb Free Space | 4.25% Space Free | Partition Type: NTFS
Computer Name: AUSTIN-PC | User Name: Austin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days
========== Custom Scans ==========
< MD5 for: SVCHOST.EXE >
[2012/09/07 17:04:42 | 000,218,696 | ---- | M] () MD5=4E0D8C9F83B7FD82393F7D8CCC27E7AE -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\SysWOW64\svchost.exe
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
[2009/07/13 21:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\SysNative\svchost.exe
[2009/07/13 21:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe
< End of report >
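An added triage helper, not from this thread, from OTL or from Geekstogo: it parses the "< MD5 for: ... >" section of an OTL custom-scan report like the one above and lists the svchost.exe copies that deserve a manual look, meaning anything outside the Windows directory, anything without a Microsoft company name, or anything whose hash differs from the copies in System32/SysWOW64. The first four sample lines are taken from the report above; the last line, its all-zero hash and the EXAMPLE user name are constructed placeholders.

```python
import re

# Constructed sample: the first four lines are copied from the OTL report in this
# thread; the last is made up (placeholder hash and user name) to show a copy
# planted outside the Windows directory.
SAMPLE_REPORT = r"""
< MD5 for: SVCHOST.EXE >
[2012/09/07 17:04:42 | 000,218,696 | ---- | M] () MD5=4E0D8C9F83B7FD82393F7D8CCC27E7AE -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\SysWOW64\svchost.exe
[2009/07/13 21:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\SysNative\svchost.exe
[2009/07/13 21:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe
[2012/10/01 03:12:07 | 000,031,744 | ---- | M] () MD5=00000000000000000000000000000000 -- C:\Users\EXAMPLE\AppData\Roaming\svchost.exe
< End of report >
"""

# One OTL entry line: [mtime | size | attrs | M] (Company) MD5=hash -- path
LINE_RE = re.compile(
    r"^\[(?P<mtime>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)
# Where the genuine copies live on Windows 7 x64 (SysNative is the real System32 as seen by a 32-bit tool such as OTL)
REFERENCE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\sysnative\\", "c:\\windows\\syswow64\\")

def parse_md5_report(text):
    """Return one dict per entry line; header and footer lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"].replace(",", ""))
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries

def triage(entries):
    """Map each path to the reasons it deserves a manual look; an empty list means it looks normal."""
    # The reference hashes come from this machine's own System32/SysWOW64 copies.
    reference = {e["md5"] for e in entries if e["path"].lower().startswith(REFERENCE_DIRS)}
    verdicts = {}
    for e in entries:
        reasons = []
        if not e["path"].lower().startswith("c:\\windows\\"):
            reasons.append("outside the Windows directory")
        if e["company"] != "Microsoft Corporation":
            reasons.append("no Microsoft company name in the version info")
        if e["md5"] not in reference:
            reasons.append("hash does not match the System32/SysWOW64 copies")
        verdicts[e["path"]] = reasons
    return verdicts
```

A flag is a prompt to look, not a verdict: the Malwarebytes Chameleon copy from the report above is flagged on location and missing version info alone.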
#14
Posted 08 October 2012 - 07:48 PM
Hello again AustinJG,
Question: Did the svchost problem become noticeable to you after you installed Malwarebytes? Tell me when you come back.
For now
Please run a free online scan with the ESET Online Scanner
Vista / Win7 users: Right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.
Note: This scan works with Internet Explorer or Mozilla Firefox.
If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
- Click the green ESET Online Scanner box
- Tick the box next to YES, I accept the Terms of Use, then click on: Start
- You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.
- Make sure that the option Scan archives is checked.
- Now click on Advanced Settings and select the following:
- Scan for potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
- Click on Start
- The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
- When completed the Online Scan will begin automatically. The scan may take several hours.
- Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
- When completed select Uninstall application on close; make sure you copy the logfile first!
- Then click on: Finish
- Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
- Copy and paste that log as a reply to this topic.
#15
Posted 08 October 2012 - 08:36 PM
C:\TDSSKiller_Quarantine\08.10.2012_02.48.48\tdlfs0000\tsk0000.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.10.2012_02.48.48\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.10.2012_02.48.48\tdlfs0001\tsk0000.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.10.2012_02.48.48\tdlfs0001\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.10.2012_02.48.48\tdlfs0002\tsk0000.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.10.2012_02.48.48\tdlfs0002\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.10.2012_02.59.24\tdlfs0000\tsk0000.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\08.10.2012_02.59.24\tdlfs0000\tsk0001.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
Oh, and I noticed the "threats" and my computer restarting without me telling it to, along with my mouse being "turned off" and all that stuff, when I had Avast working before I did the factory reset. Avast was saying there were 2 threats or something; over and over again it would pop up on my screen. Malwarebytes did not notice anything and the scans on both Malwarebytes and Avast did not notice anything, although Avast knew something was trying to attack me and tried blocking it I suppose, but nothing seemed to work.
Edited by AustinJG, 08 October 2012 - 08:45 PM.