
Registered · 17 Posts · Discussion Starter · #1
Uhm, well, I downloaded something thinking it was from my friend and it was some stupid RuneScape thing. Well, I suspect it's this file, but I may be wrong because it doesn't open anything, and it won't let me delete it; it says... You require permission from TrustedInstaller to make changes to this folder. There are several of them, and the ones I suspect have the virus are called Twunk_32 and Twunk_12... So my anti-virus picks it up and I remove it, but whenever I restart my computer the anti-virus pops up again, so yeah, idk how to remove it. I can use TeamViewer for any of you (only mods or admins though) so you can manually help me, so yeah, please help.
 

Premium Member · 29,790 Posts
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

We don't do TeamViewer.

We want all our members to perform the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post/attach the logs in your next reply.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

------------------------------------------------------
 

Registered · 17 Posts · Discussion Starter · #3
Ok, I have done everything before the DDS thing... When I run it, it says "what do you want to open pev something with", and, well, I clicked something, and now every time I run it, it says some file was damaged or deleted in a temp file or something, idk... So I was assuming I should open it up in Notepad, but I clicked my WinRAR, so yeah, that's what screwed it up. So I've tried to redownload and there's no option to open it with something else, if you understand what I'm saying lol...
 

Premium Member · 29,790 Posts
Delete all copies of dds from your desktop. Are you saving dds to your desktop?

Download dds from here or here and save it to your desktop.

Run dds again. If you get an error message, stop and let me know the options available.
 

Registered · 17 Posts · Discussion Starter · #6
Yes, I'm saving it to the desktop, and once it runs a little it stops and then says this: C:\Users\Nevan\AppData\Local\Temp\E77.tmp\PEV.DAT The archive is either in unknown format or damaged...
 

Premium Member · 29,790 Posts
Are there any options available? Continue, ignore, etc.
 

Premium Member · 29,790 Posts
See if RSIT will run:
  • Download RSIT by random/random and Save it to your Desktop.
  • Double-click RSIT.exe to run the tool.
  • Click Continue at the disclaimer screen.
  • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
  • Please copy/paste the contents of log.txt and info.txt in your next reply.
------------------------------------------------------
 

Premium Member · 29,790 Posts
Still with us, Nmky? Any trouble with those last instructions?
 

Registered · 17 Posts · Discussion Starter · #12
log.txt:
Logfile of random's system information tool 1.08 (written by random/random)
Run by Josh at 2011-04-22 11:00:51
Microsoft Windows 7 Home Premium
System drive C: has 886 GB (93%) free of 954 GB
Total RAM: 3071 MB (69% free)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:01:08 AM, on 4/22/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16766)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Program Files\Logitech\G930\G930.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Nevan\AppData\Local\Apps\2.0\OCVHKJ3G.9MC\YZZ4P7OZ.T37\curs..tion_eee711038731a406_0004.0000_efb506202a7c3b08\CurseClient.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Nevan\Desktop\RSIT.exe
C:\Program Files\trend micro\Josh.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 67.215.252.163:9939->United States
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O4 - HKLM\..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [Logitech G930] C:\Program Files\Logitech\G930\G930.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Logitech Download Assistant] C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [OpenDNS Updater] "C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe -update activex
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2984364502-1858729684-3063578369-1003\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Nevan')
O4 - S-1-5-21-2984364502-1858729684-3063578369-1003 Startup: CurseClientStartup.ccip (User 'Nevan')
O4 - S-1-5-21-2984364502-1858729684-3063578369-1003 User Startup: CurseClientStartup.ccip (User 'Nevan')
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} (Device Detection) - http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2FAB80-13DA-4803-B665-B1584A5AD25B}: NameServer = 8.8.8.8,8.8.8.0
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F2FAB80-13DA-4803-B665-B1584A5AD25B}: NameServer = 8.8.8.8,8.8.8.0
O17 - HKLM\System\CS2\Services\Tcpip\..\{4F2FAB80-13DA-4803-B665-B1584A5AD25B}: NameServer = 8.8.8.8,8.8.8.0
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
--
End of file - 8734 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-01-30 62376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21 439168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457}]
Search Toolbar - C:\Program Files\Search Toolbar\SearchToolbar.dll [2010-04-08 271024]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2011-01-14 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{9D425283-D487-4337-BAB6-AB8354A81457} - Search Toolbar - C:\Program Files\Search Toolbar\SearchToolbar.dll [2010-04-08 271024]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LWS"=C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe [2010-05-07 165208]
"RtHDVCpl"=C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [2010-12-28 7600672]
"Skytel"=C:\Program Files\Realtek\Audio\HDA\Skytel.exe [2010-12-28 1833504]
"MSC"=c:\Program Files\Microsoft Security Client\msseces.exe [2010-11-30 997408]
"NVRaidService"=C:\Windows\system32\nvraidservice.exe [2009-06-30 163872]
"Logitech G930"=C:\Program Files\Logitech\G930\G930.exe [2010-11-02 1516888]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-11-29 421888]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-12-13 421160]
"Logitech Download Assistant"=C:\Windows\System32\LogiLDA.dll [2010-11-03 1246544]
"EvtMgr6"=C:\Program Files\Logitech\SetPointP\SetPoint.exe [2010-06-25 1311312]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-05-14 248552]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe [2011-01-30 35736]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-11-10 932288]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OpenDNS Updater"=C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe [2010-06-16 839680]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2010-11-10 4240760]
"Steam"=C:\Program Files\Steam\Steam.exe [2010-12-30 1242448]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2011-01-26 15026056]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"=C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe [2010-12-27 233936]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jomantha]
C:\Program Files\n52te\n52teHid.exe [2008-06-13 159744]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [2009-10-26 1458176]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Josh^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
C:\PROGRA~1\Logitech\Ereg\eReg.exe [2009-11-16 517384]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Josh^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech blank Product Registration.lnk]
C:\PROGRA~1\Logitech\G930\eReg.exe [2009-11-16 517384]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll [2010-05-06 64592]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"LogonHoursAction"=2
"DontDisplayLogonHoursWarnings"=1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=5
"ConsentPromptBehaviorUser"=3
"EnableUIADesktopToggle"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
======File associations======
.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*
======List of files/folders created in the last 2 months======
2011-04-22 11:00:51 ----D---- C:\rsit
2011-04-22 11:00:51 ----D---- C:\Program Files\trend micro
2011-04-15 18:25:14 ----D---- C:\Windows\New folder
2011-04-15 17:44:53 ----D---- C:\Windows\pss
2011-04-15 15:46:46 ----A---- C:\Windows\system32\drivers\srv2.sys
2011-04-15 15:46:45 ----A---- C:\Windows\system32\drivers\srvnet.sys
2011-04-15 15:46:45 ----A---- C:\Windows\system32\drivers\srv.sys
2011-04-15 15:46:44 ----A---- C:\Windows\system32\vbscript.dll
2011-04-15 15:46:44 ----A---- C:\Windows\system32\jscript.dll
2011-04-15 15:46:43 ----A---- C:\Windows\system32\dnsrslvr.dll
2011-04-15 15:46:43 ----A---- C:\Windows\system32\dnscacheugc.exe
2011-04-15 15:46:43 ----A---- C:\Windows\system32\dnsapi.dll
2011-04-15 15:46:42 ----A---- C:\Windows\system32\atmlib.dll
2011-04-15 15:46:42 ----A---- C:\Windows\system32\atmfd.dll
2011-04-15 15:46:40 ----A---- C:\Windows\system32\mshtml.dll
2011-04-15 15:46:39 ----A---- C:\Windows\system32\ieframe.dll
2011-04-15 15:46:38 ----A---- C:\Windows\system32\urlmon.dll
2011-04-15 15:46:36 ----A---- C:\Windows\system32\wininet.dll
2011-04-15 15:46:36 ----A---- C:\Windows\system32\iedkcs32.dll
2011-04-15 15:46:35 ----A---- C:\Windows\system32\mstime.dll
2011-04-15 15:46:35 ----A---- C:\Windows\system32\mshtmled.dll
2011-04-15 15:46:35 ----A---- C:\Windows\system32\msfeedsbs.dll
2011-04-15 15:46:35 ----A---- C:\Windows\system32\msfeeds.dll
2011-04-15 15:46:35 ----A---- C:\Windows\system32\licmgr10.dll
2011-04-15 15:46:35 ----A---- C:\Windows\system32\ieui.dll
2011-04-15 15:46:35 ----A---- C:\Windows\system32\iertutil.dll
2011-04-15 15:46:35 ----A---- C:\Windows\system32\iepeers.dll
2011-04-15 15:46:34 ----A---- C:\Windows\system32\msfeedssync.exe
2011-04-15 15:46:34 ----A---- C:\Windows\system32\jsproxy.dll
2011-04-15 15:46:25 ----A---- C:\Windows\system32\win32k.sys
2011-04-15 15:46:24 ----A---- C:\Windows\system32\FXSCOVER.exe
2011-04-15 15:46:23 ----A---- C:\Windows\system32\XpsGdiConverter.dll
2011-04-15 15:46:22 ----A---- C:\Windows\system32\mfc42.dll
2011-04-15 15:46:22 ----A---- C:\Windows\system32\inetcomm.dll
2011-04-15 15:46:21 ----A---- C:\Windows\system32\mfc42u.dll
2011-04-15 15:46:20 ----A---- C:\Windows\system32\drivers\mrxsmb20.sys
2011-04-15 15:46:20 ----A---- C:\Windows\system32\drivers\mrxsmb10.sys
2011-04-15 15:46:20 ----A---- C:\Windows\system32\drivers\mrxsmb.sys
2011-04-15 15:46:20 ----A---- C:\Windows\system32\drivers\bowser.sys
2011-03-28 05:45:57 ----D---- C:\Windows\system32\QuickTime
2011-03-28 05:45:40 ----D---- C:\Program Files\Common Files\TechSmith Shared
2011-03-28 05:45:39 ----D---- C:\Program Files\TechSmith
2011-03-25 10:51:30 ----D---- C:\Windows\Prefetch
2011-03-25 02:31:47 ----D---- C:\ProgramData\NCH Software
2011-03-21 12:41:15 ----D---- C:\Windows\TEMP
2011-03-14 23:01:16 ----A---- C:\Windows\system32\frapsvid.dll
2011-03-09 18:16:38 ----A---- C:\Windows\system32\FntCache.dll
2011-03-09 18:16:38 ----A---- C:\Windows\system32\DWrite.dll
2011-03-09 18:16:38 ----A---- C:\Windows\system32\d2d1.dll
2011-03-09 18:16:37 ----A---- C:\Windows\system32\CPFilters.dll
2011-03-09 18:16:36 ----A---- C:\Windows\system32\sbe.dll
2011-03-09 18:16:36 ----A---- C:\Windows\system32\EncDec.dll
2011-03-09 18:16:35 ----A---- C:\Windows\system32\mstscax.dll
2011-03-09 18:16:34 ----A---- C:\Windows\system32\mstsc.exe
2011-03-07 01:18:27 ----D---- C:\Users\Josh\AppData\Roaming\Mouse Recorder Pro
2011-03-07 00:28:35 ----D---- C:\ProgramData\TEMP
2011-03-07 00:04:09 ----D---- C:\Users\Josh\AppData\Roaming\RobotSoft
2011-03-06 23:51:54 ----D---- C:\Program Files\Nemex
2011-03-06 23:08:46 ----A---- C:\Windows\system32\PCProxyOff.ini
2011-03-06 23:08:40 ----A---- C:\Windows\system32\SpOrder.dll
2011-03-06 23:08:38 ----A---- C:\Windows\system32\VistaInfo32.dll
2011-03-02 22:39:43 ----RASH---- C:\MSDOS.SYS
2011-03-02 22:39:43 ----RASH---- C:\IO.SYS
2011-03-02 22:38:25 ----D---- C:\Users\Josh\AppData\Roaming\Apple Computer
2011-02-27 03:38:56 ----D---- C:\Users\Josh\AppData\Roaming\WinRAR
2011-02-23 04:00:26 ----A---- C:\Windows\system32\wcncsvc.dll
======List of files/folders modified in the last 2 months======
2011-04-22 11:00:51 ----RD---- C:\Program Files
2011-04-22 10:59:24 ----D---- C:\ProgramData\NVIDIA
2011-04-22 10:59:23 ----D---- C:\Windows\system32\logishrd
2011-04-19 21:55:33 ----D---- C:\Windows\system32\config
2011-04-19 16:03:18 ----D---- C:\Windows\System32
2011-04-19 16:03:18 ----D---- C:\Windows\inf
2011-04-19 16:03:18 ----A---- C:\Windows\system32\PerfStringBackup.INI
2011-04-18 21:36:09 ----SHD---- C:\System Volume Information
2011-04-17 11:15:50 ----HD---- C:\ProgramData
2011-04-15 19:02:07 ----RSD---- C:\Windows\assembly
2011-04-15 19:02:07 ----D---- C:\Windows\Microsoft.NET
2011-04-15 18:25:26 ----D---- C:\Windows
2011-04-15 18:08:26 ----D---- C:\Windows\winsxs
2011-04-15 18:07:08 ----D---- C:\Windows\system32\migration
2011-04-15 18:07:08 ----D---- C:\Windows\system32\drivers
2011-04-15 18:07:08 ----D---- C:\Program Files\Internet Explorer
2011-04-15 18:05:51 ----D---- C:\Windows\system32\catroot
2011-04-15 18:05:06 ----SHD---- C:\Windows\Installer
2011-04-15 18:02:12 ----A---- C:\Windows\system32\MRT.exe
2011-04-15 17:52:10 ----SD---- C:\ProgramData\Microsoft
2011-04-15 15:46:12 ----D---- C:\Windows\system32\catroot2
2011-04-12 15:34:28 ----D---- C:\Program Files\Steam
2011-04-12 15:17:09 ----D---- C:\Windows\system32\NDF
2011-03-28 17:09:54 ----RD---- C:\Users
2011-03-28 05:45:49 ----D---- C:\ProgramData\TechSmith
2011-03-28 05:45:40 ----D---- C:\Program Files\Common Files
2011-03-25 02:31:47 ----D---- C:\Windows\system32\Tasks
2011-03-24 03:18:42 ----D---- C:\Program Files\World of Warcraft
2011-03-21 12:56:20 ----SD---- C:\Users\Josh\AppData\Roaming\Microsoft
2011-03-21 12:38:09 ----D---- C:\Users\Josh\AppData\Roaming\Skype
2011-03-20 11:08:52 ----D---- C:\Program Files\Microsoft Silverlight
2011-03-09 22:06:12 ----D---- C:\Windows\debug
2011-03-07 00:45:00 ----D---- C:\Windows\ShellNew
2011-03-07 00:30:55 ----D---- C:\Program Files\Pando Networks
2011-03-02 22:39:53 ----RD---- C:\Program Files\Skype
2011-03-02 22:39:39 ----D---- C:\ProgramData\SwiftKit
2011-03-02 22:38:55 ----D---- C:\Program Files\Common Files\Steam
2011-02-25 00:56:24 ----D---- C:\Program Files\Common Files\FreeCause
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R0 nvrd32;NVIDIA nForce RAID Driver; C:\Windows\system32\DRIVERS\nvrd32.sys [2009-08-04 139296]
R0 nvstor32;nvstor32; C:\Windows\system32\DRIVERS\nvstor32.sys [2009-08-04 213024]
R0 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys [2009-07-13 12368]
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2009-07-13 173648]
R1 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [2010-10-24 165264]
R1 MpKsl0f912a62;MpKsl0f912a62; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7A3C3640-CB99-4729-8163-9DA34A7DE311}\MpKsl0f912a62.sys [2011-04-22 28752]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2010-12-28 2657120]
R3 LADF_BakerCOnly;BakerC Filter Driver; C:\Windows\system32\DRIVERS\ladfBakerCi386.sys [2010-10-17 331608]
R3 LADF_BakerROnly;BakerR Filter Driver; C:\Windows\system32\DRIVERS\ladfBakerRi386.sys [2010-10-17 310872]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter; C:\Windows\System32\Drivers\LEqdUsb.Sys [2010-03-18 40912]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter; C:\Windows\System32\Drivers\LHidEqd.Sys [2010-03-18 10448]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\Windows\system32\DRIVERS\LHidFilt.Sys [2010-03-18 38864]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\Windows\system32\DRIVERS\LMouFilt.Sys [2010-03-18 37328]
R3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\Windows\system32\DRIVERS\LVPr2Mon.sys [2010-05-07 25824]
R3 LVRS;Logitech RightSound Filter Driver; C:\Windows\system32\DRIVERS\lvrs.sys [2010-11-10 283744]
R3 LVUVC;Logitech QuickCam Pro 9000(UVC); C:\Windows\system32\DRIVERS\lvuvc.sys [2010-11-10 4323040]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\Windows\system32\drivers\MODEMCSA.sys [2009-07-13 18432]
R3 MpNWMon;Microsoft Malware Protection Network Driver; C:\Windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System; C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver; C:\Windows\system32\drivers\nvhda32v.sys [2010-12-28 30752]
R3 NVNET;NVIDIA nForce 10/100/1000 Mbps Ethernet ; C:\Windows\system32\DRIVERS\nvmf6232.sys [2009-07-30 287392]
R3 nvsmu;nvsmu; C:\Windows\system32\DRIVERS\nvsmu.sys [2009-06-29 17920]
R3 smserial;smserial; C:\Windows\system32\DRIVERS\smserial.sys [2009-10-26 1095936]
R3 vhidmini;Virtual Hid Device; C:\Windows\system32\DRIVERS\vhidmini.sys [2007-09-19 12672]
S2 Parvdm;Parvdm; C:\Windows\system32\DRIVERS\parvdm.sys [2009-07-13 8704]
S3 aic78xx;aic78xx; C:\Windows\system32\DRIVERS\djsvs.sys [2009-07-13 70720]
S3 amdagp;AMD AGP Bus Filter Driver; C:\Windows\system32\DRIVERS\amdagp.sys [2009-07-13 53312]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2009-07-13 229888]
S3 hamachi;Hamachi Network Interface; C:\Windows\system32\DRIVERS\hamachi.sys [2009-03-18 26176]
S3 JmtFltr;n52te; C:\Windows\System32\Drivers\JmtFltr.sys [2007-09-27 48896]
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvm62x32.sys [2009-07-13 347264]
S3 Point32;Microsoft IntelliPoint Filter Driver; C:\Windows\system32\DRIVERS\point32.sys [2010-07-21 40848]
S3 sisagp;SIS AGP Bus Filter; C:\Windows\system32\DRIVERS\sisagp.sys [2009-07-13 52304]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2010-09-28 41984]
S3 viaagp;VIA AGP Bus Filter; C:\Windows\system32\DRIVERS\viaagp.sys [2009-07-13 53328]
S3 ViaC7;VIA C7 Processor Driver; C:\Windows\system32\DRIVERS\viac7.sys [2009-07-13 52736]
S3 WinUsb;WinUsb; C:\Windows\system32\DRIVERS\WinUsb.sys [2009-07-13 34944]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-10-16 37664]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-10-07 345376]
R2 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe [2010-05-07 162648]
R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [2010-11-11 11736]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-07-14 215584]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service; C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-07-14 239648]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2010-09-21 1710464]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-12-13 820008]
R3 NisSrv;@c:\Program Files\Microsoft Security Client\Antimalware\MpAsDesc.dll,-243; c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe [2010-05-06 293456]
S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2011-04-12 403240]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [2010-12-28 1343400]
-----------------EOF-----------------
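The log above contains an R1 ProxyServer entry pointing at a non-local address and O17 NameServer entries. As an added triage helper (example code written for this page, not from the thread or from TSF), the script below parses HijackThis/RSIT lines of that shape and flags proxies that do not sit on the local machine and resolvers outside an expected list. The sample lines are copied from the posted log.txt; the expected-resolver set is an assumption.

```python
"""Triage helper for HijackThis/RSIT log lines.

Added example for this thread, not code from the thread or from TSF.
Assumptions: EXPECTED_DNS is illustrative; SAMPLE_LOG is copied from
the posted log.txt.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Resolvers the machine's owner is assumed to have configured deliberately.
EXPECTED_DNS: Set[str] = {"8.8.8.8", "8.8.4.4"}

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<value>.+)$")
NS_RE = re.compile(r"NameServer = (?P<value>.+)$")

# Sample input: R1/O17 entries in the shape HijackThis prints them (from the posted log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 67.215.252.163:9939->United States
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F2FAB80-13DA-4803-B665-B1584A5AD25B}: NameServer = 8.8.8.8,8.8.8.0
"""


def is_local(host: str) -> bool:
    """True for loopback, private or link-local addresses, or 'localhost'."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname rather than an address: treat as not local
    return ip.is_loopback or ip.is_private or ip.is_link_local


def parse_proxy(value: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port->Country' into (host, port); port is None if absent."""
    value = value.split("->", 1)[0].strip()  # drop the GeoIP annotation the tool appends
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, None
    return host, int(port) if port.isdigit() else None


def triage(log_text: str, expected_dns: Set[str] = EXPECTED_DNS) -> List[Dict[str, str]]:
    """Return findings for proxy and DNS entries that point off-box or off-list."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        pm = PROXY_RE.search(body)
        if code.startswith("R") and pm:
            host, port = parse_proxy(pm.group("value"))
            if not is_local(host):
                shown = f"{host}:{port}" if port is not None else host
                findings.append({"code": code, "kind": "external-proxy", "value": shown})
            continue
        nm = NS_RE.search(body)
        if code == "O17" and nm:
            for server in nm.group("value").split(","):
                server = server.strip()
                if server and server not in expected_dns:
                    findings.append({"code": code, "kind": "unexpected-dns", "value": server})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']}: {f['kind']} -> {f['value']}")
```

A flagged entry is a lead for the helper to confirm against the owner's expected settings, not a verdict on its own.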
 

Registered · 17 Posts · Discussion Starter · #13
info.txt:
info.txt logfile of random's system information tool 1.08 2011-04-22 11:01:10
======Uninstall list======
-->MsiExec /X{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe -maintain activex
Adobe Reader X (10.0.1)-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-AA0000000001}
Apple Application Support-->MsiExec.exe /I{EE6097DD-05F4-4178-9719-D3170BF098E8}
Apple Mobile Device Support-->MsiExec.exe /I{308B6AEA-DE50-4666-996D-0FA461719D6B}
Apple Software Update-->MsiExec.exe /I{C41300B9-185D-475E-BFEC-39EF732F19B1}
Bonjour-->MsiExec.exe /X{2A981294-F14C-4F0F-9627-D793270922F8}
Call of Duty: Black Ops - Multiplayer-->"C:\Program Files\Steam\steam.exe" steam://uninstall/42710
Call of Duty: Black Ops-->"C:\Program Files\Steam\steam.exe" steam://uninstall/42700
CameraHelperMsi-->MsiExec.exe /I{15634701-BACE-4449-8B25-1567DA8C9FD3}
Camtasia Studio 7-->MsiExec.exe /I{49471DB8-7F3C-42DB-89C2-AC50FA0C5290}
D3DX10-->MsiExec.exe /X{E09C4DB7-630C-4F06-A631-8EA7239923AF}
eReg-->MsiExec.exe /I{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}
iTunes-->MsiExec.exe /I{881F5DE8-9367-4B81-A325-E91BBC6472F9}
Java(TM) 6 Update 23-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216023FF}
Junk Mail filter update-->MsiExec.exe /I{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}
Logitech G930-->MsiExec.exe /X{5AB2DCE8-CDF5-4E73-A6A5-BAF93B0FC6B0}
Logitech SetPoint 6.15-->C:\Program Files\Common Files\LogiShrd\SP6_Uninstall\setup.exe
Logitech Webcam Software-->"C:\Program Files\Common Files\LogiShrd\Installer\{D40EB009-0499-459c-A8AF-C9C110766215}\setup.exe" /lang=ENU /guid="{D40EB009-0499-459c-A8AF-C9C110766215}"
LWS Facebook-->MsiExec.exe /I{FF167195-9EE4-46C0-8CD7-FBA3457E88AB}
LWS Gallery-->MsiExec.exe /I{6F76EC3C-34B1-436E-97FB-48C58D7BEDCD}
LWS Help_main-->MsiExec.exe /I{1651216E-E7AD-4250-92A1-FB8ED61391C9}
LWS Launcher-->MsiExec.exe /I{83C8FA3C-F4EA-46C4-8392-D3CE353738D6}
LWS Motion Detection-->MsiExec.exe /I{71E66D3F-A009-44AB-8784-75E2819BA4BA}
LWS Pictures And Video-->MsiExec.exe /I{08610298-29AE-445B-B37D-EFBE05802967}
LWS Twitter-->MsiExec.exe /I{174A3B31-4C43-43DD-866F-73C9DB887B48}
LWS Video Mask Maker-->MsiExec.exe /I{EED027B7-0DB6-404B-8F45-6DFEE34A0441}
LWS VideoEffects-->MsiExec.exe /I{138A4072-9E64-46BD-B5F9-DB2BB395391F}
LWS Webcam Software-->MsiExec.exe /I{8937D274-C281-42E4-8CDB-A0B2DF979189}
LWS WLM Plugin-->MsiExec.exe /I{9DAEA76B-E50F-4272-A595-0124E826553D}
LWS YouTube Plugin-->MsiExec.exe /I{21DF0294-6B9D-4741-AB6F-B2ABFBD2387E}
Microsoft .NET Framework 4 Client Profile-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\Setup.exe /repair /x86 /parameterfolder Client
Microsoft .NET Framework 4 Client Profile-->MsiExec.exe /X{3C3901C5-3455-3E0A-A214-0B093A5070A6}
Microsoft Antimalware-->MsiExec.exe /X{774088D4-0777-4D78-904D-E435B318F5D2}
Microsoft Security Client-->MsiExec.exe /I{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}
Microsoft Security Essentials-->C:\Program Files\Microsoft Security Client\Setup.exe /x
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Motorola SM56 Speakerphone Modem-->rundll32.exe sm56co85.dll,SM56UnInstaller
MSVCRT-->MsiExec.exe /I{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}
n52te Editor-->C:\Program Files\InstallShield Installation Information\{0AC8162B-5175-41D7-B963-8307A40BD456}\n52te_win_driver_v2.1.2.exe -runfromtemp -l0x0009 -removeonly
NVIDIA 3D Vision Driver 260.99-->"C:\Windows\system32\RunDll32.EXE" "C:\Program Files\NVIDIA Corporation\Installer2\installer.0\NVI2.DLL",UninstallPackage Display.3DVision
NVIDIA Drivers-->C:\Windows\system32\nvuninst.exe UninstallGUI
NVIDIA Graphics Driver 260.99-->"C:\Windows\system32\RunDll32.EXE" "C:\Program Files\NVIDIA Corporation\Installer2\installer.0\NVI2.DLL",UninstallPackage Display.Driver
NVIDIA HD Audio Driver 1.1.9.0-->"C:\Windows\system32\RunDll32.EXE" "C:\Program Files\NVIDIA Corporation\Installer2\installer.0\NVI2.DLL",UninstallPackage HDAudio.Driver
NVIDIA PhysX System Software 9.10.0514-->"C:\Windows\system32\RunDll32.EXE" "C:\Program Files\NVIDIA Corporation\Installer2\installer.0\NVI2.DLL",UninstallPackage Display.PhysX
NVIDIA PhysX-->MsiExec.exe /X{B9DB4C76-01A4-46D5-8910-F7AA6376DBAF}
NVIDIA Stereoscopic 3D Driver-->"C:\Program Files\NVIDIA Corporation\3D Vision\nvStInst.exe" /uninstall /ask
OpenDNS Updater 2.2.1-->"C:\Program Files\OpenDNS Updater\Uninstall.exe"
PVSonyDll-->MsiExec.exe /I{3D3E663D-4E7E-4577-A560-7ECDDD45548A}
QuickTime-->MsiExec.exe /I{57752979-A1C9-4C02-856B-FBB27AC4E02C}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -removeonly
RuneScape Launcher 1.0.4-->MsiExec.exe /X{5D87C09F-512F-474A-A306-0FE3B89C396F}
Search Toolbar-->C:\Program Files\Search Toolbar\SearchToolbarUninstall.exe
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)-->c:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {3E0806DB-3085-378A-840A-F0D3AE3609D1} /parameterfolder Client
Skype™ 5.1-->MsiExec.exe /X{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Stronghold-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C917BA70-28A3-4C74-B163-41FD8C8E1A5A}\Setup.exe"
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Unreal Tournament-->C:\UnrealTournament\System\Setup.exe uninstall "UnrealTournament"
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Windows Live Communications Platform-->MsiExec.exe /I{D45240D3-B6B3-4FF9-B243-54ECE3E10066}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}
Windows Live ID Sign-in Assistant-->MsiExec.exe /I{61AD15B2-50DB-4686-A739-14FE180D4429}
Windows Live Installer-->MsiExec.exe /I{0B0F231F-CE6A-483D-AA23-77B364F75917}
Windows Live Mail-->MsiExec.exe /I{9D56775A-93F3-44A3-8092-840E3826DE30}
Windows Live Mail-->MsiExec.exe /I{C66824E4-CBB3-4851-BB3F-E8CFD6350923}
Windows Live Messenger-->MsiExec.exe /X{80956555-A512-4190-9CAD-B000C36D6B6B}
Windows Live Messenger-->MsiExec.exe /X{EB4DF488-AAEF-406F-A341-CB2AAA315B90}
Windows Live MIME IFilter-->MsiExec.exe /I{AF844339-2F8A-4593-81B3-9F4C54038C4E}
Windows Live Movie Maker-->MsiExec.exe /X{19BA08F7-C728-469C-8A35-BFBD3633BE08}
Windows Live Movie Maker-->MsiExec.exe /X{92EA4134-10D1-418A-91E1-5A0453131A38}
Windows Live Photo Common-->MsiExec.exe /X{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}
Windows Live Photo Common-->MsiExec.exe /X{D436F577-1695-4D2F-8B44-AC76C99E0002}
Windows Live Photo Gallery-->MsiExec.exe /X{3336F667-9049-4D46-98B6-4C743EEBC5B1}
Windows Live Photo Gallery-->MsiExec.exe /X{34F4D9A4-42C2-4348-BEF4-E553C84549E7}
Windows Live PIMT Platform-->MsiExec.exe /I{83C292B7-38A5-440B-A731-07070E81A64F}
Windows Live SOXE Definitions-->MsiExec.exe /I{200FEC62-3C34-4D60-9CE8-EC372E01C08F}
Windows Live SOXE-->MsiExec.exe /I{682B3E4F-696A-42DE-A41C-4C07EA1678B4}
Windows Live UX Platform Language Pack-->MsiExec.exe /I{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}
Windows Live UX Platform-->MsiExec.exe /I{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}
Windows Live Writer Resources-->MsiExec.exe /X{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}
Windows Live Writer-->MsiExec.exe /X{A726AE06-AAA3-43D1-87E3-70F510314F04}
Windows Live Writer-->MsiExec.exe /X{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}
Windows Live Writer-->MsiExec.exe /X{AAF454FC-82CA-4F29-AB31-6A109485E76E}
WinRAR 4.00 (32-bit)-->C:\Users\Nevan\Downloads\New folder\uninstall.exe
World of Warcraft-->C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
======System event log======
Computer Name: Desktop-01
Event Code: 5
Message: AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.
Record Number: 591
Source Name: ACPI
Time Written: 20101228053723.656000-000
Event Type: Error
User:
Computer Name: Desktop-01
Event Code: 4
Message: AMLI: ACPI BIOS is attempting to read from an illegal IO port address (0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.
Record Number: 411
Source Name: ACPI
Time Written: 20101228062430.702800-000
Event Type: Error
User:
Computer Name: Desktop-01
Event Code: 5
Message: AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.
Record Number: 410
Source Name: ACPI
Time Written: 20101228062430.640400-000
Event Type: Error
User:
Computer Name: 37L4247D28-05
Event Code: 4
Message: AMLI: ACPI BIOS is attempting to read from an illegal IO port address (0x71), which lies in the 0x70 - 0x71 protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.
Record Number: 25
Source Name: ACPI
Time Written: 20101228062033.624800-000
Event Type: Error
User:
Computer Name: 37L4247D28-05
Event Code: 5
Message: AMLI: ACPI BIOS is attempting to write to an illegal IO port address (0x70), which lies in the 0x70 - 0x71 protected address range. This could lead to system instability. Please contact your system vendor for technical assistance.
Record Number: 24
Source Name: ACPI
Time Written: 20101228062033.562400-000
Event Type: Error
User:
=====Application event log=====
Computer Name: Desktop-01
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
5 user registry handles leaked from \Registry\User\S-1-5-21-2984364502-1858729684-3063578369-1001:
Process 504 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2984364502-1858729684-3063578369-1001
Process 504 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2984364502-1858729684-3063578369-1001
Process 504 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2984364502-1858729684-3063578369-1001\Software\Microsoft\SystemCertificates\Disallowed
Process 504 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2984364502-1858729684-3063578369-1001\Software\Microsoft\SystemCertificates\My
Process 504 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2984364502-1858729684-3063578369-1001\Software\Microsoft\SystemCertificates\CA
Record Number: 376
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20101228060713.796000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM
Computer Name: Desktop-01
Event Code: 11935
Message: Product: Microsoft Application Error Reporting -- Error 1935. An error occurred during the installation of assembly 'Microsoft.VC80.CRT,version="8.0.50727.42",type="win32",processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b"'. Please refer to Help and Support for more information. HRESULT: 0x80070BC9. assembly interface: IAssemblyCacheItem, function: Commit, component: {98CB24AD-52FB-DB5F-A01F-C8B3B9A1E18E}
Record Number: 307
Source Name: MsiInstaller
Time Written: 20101228055709.000000-000
Event Type: Error
User: Desktop-01\Josh
Computer Name: Desktop-01
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2984364502-1858729684-3063578369-1001:
Process 472 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2984364502-1858729684-3063578369-1001
Record Number: 179
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20101228053645.561200-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM
Computer Name: Desktop-01
Event Code: 11
Message: Possible Memory Leak. Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 1008) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({3F31C91E-2545-4B7B-9311-9529E8BFFEF6}), Method number (20). User Action: Contact your application vendor for an updated version of the application.
Record Number: 159
Source Name: Microsoft-Windows-RPC-Events
Time Written: 20101228053312.647200-000
Event Type: Warning
User: NT AUTHORITY\LOCAL SERVICE
Computer Name: Desktop-01
Event Code: 1008
Message: The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}.
Record Number: 114
Source Name: Microsoft-Windows-Search
Time Written: 20101228052852.000000-000
Event Type: Warning
User:
=====Security event log=====
Computer Name: Desktop-01
Event Code: 4634
Message: An account was logged off.
Subject:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x18cd2b9d
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Record Number: 15563
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20110129081141.503350-000
Event Type: Audit Success
User:
Computer Name: Desktop-01
Event Code: 4624
Message: An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x18cd2c38
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: DESKTOP-03
Source Network Address: 192.168.1.6
Source Port: 54631
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 15562
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20110129080938.574350-000
Event Type: Audit Success
User:
Computer Name: Desktop-01
Event Code: 4624
Message: An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x18cd2b9d
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: DESKTOP-03
Source Network Address: 192.168.1.6
Source Port: 54630
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 15561
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20110129080938.477350-000
Event Type: Audit Success
User:
Computer Name: Desktop-01
Event Code: 5061
Message: Cryptographic operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: 61843c84-c0e3-4869-966f-69a426f11d9f
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0
Record Number: 15560
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20110129080908.450350-000
Event Type: Audit Success
User:
Computer Name: Desktop-01
Event Code: 5058
Message: Key file operation.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: Not Available.
Key Name: 61843c84-c0e3-4869-966f-69a426f11d9f
Key Type: Machine key.
Key File Operation Information:
File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f03512155e46334e945696820a8054ab_83833c8e-bdf1-46d4-aec2-c1478415fcec
Operation: Read persisted key from file.
Return Code: 0x0
Record Number: 15559
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20110129080908.450350-000
Event Type: Audit Success
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files\NVIDIA Corporation\PhysX\Common;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Windows Live\Shared;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\
"NUMBER_OF_PROCESSORS"=2
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"asl.log"=Destination=file
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
-----------------EOF-----------------
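The Security event log section of that dump is worth a second look, because it is the only part of the log that records who reached this PC over the network: two 4624 "successfully logged on" records for NT AUTHORITY\ANONYMOUS LOGON (SID S-1-5-7) with Logon Type 3, arriving from DESKTOP-03 at 192.168.1.6 over NTLM V1, and a 4634 logoff that, as the event text itself says, can be paired with its logon through the Logon ID. On a home LAN, anonymous type-3 logons from another PC are routinely produced by Windows file and printer sharing and network browsing, so these entries are not by themselves evidence of the infection the poster is chasing; the detail a hardening review would pick up is the NTLM V1 package, the weaker legacy flavour. The script below is an added example, not part of the forum post or of the DDS tool: it parses the flattened "Field: value" layout shown above (assumed from the page, with the event's sub-sections such as "Subject:" and "New Logon:" collapsed to one indentation level), flags anonymous NTLM network logons, and pairs 4624/4634 records by Logon ID to get session durations. The sample input is constructed from three of the records in the post, trimmed to the lines the parser needs.

```python
"""Parse the DDS-style event-log dump posted above and correlate its logon records.
Added example, not from the forum post. Assumes the layout seen on the page: a record
runs from 'Computer Name:' to 'User:', with sub-sections flattened to one level."""
from datetime import datetime, timedelta, timezone

SECTIONS = {"Subject", "New Logon", "Network Information", "Process Information",
            "Detailed Authentication Information", "Cryptographic Parameters"}
TRAILER = {"Record Number", "Source Name", "Time Written", "Event Type", "User"}
ANONYMOUS_SID = "S-1-5-7"  # well-known SID of NT AUTHORITY\ANONYMOUS LOGON

# Constructed sample: three Security-log records from the post, trimmed to the
# lines this parser needs (Microsoft's explanatory paragraphs left out).
SAMPLE = """\
Computer Name: Desktop-01
Event Code: 4634
Subject:
Security ID: S-1-5-7
Logon ID: 0x18cd2b9d
Time Written: 20110129081141.503350-000
User:
Computer Name: Desktop-01
Event Code: 4624
Subject:
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: S-1-5-7
Logon ID: 0x18cd2c38
Network Information:
Source Network Address: 192.168.1.6
Detailed Authentication Information:
Package Name (NTLM only): NTLM V1
Time Written: 20110129080938.574350-000
User:
Computer Name: Desktop-01
Event Code: 4624
Subject:
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: S-1-5-7
Logon ID: 0x18cd2b9d
Network Information:
Source Network Address: 192.168.1.6
Detailed Authentication Information:
Package Name (NTLM only): NTLM V1
Time Written: 20110129080938.477350-000
User:
"""

def parse_cim_datetime(value):
    """WMI CIM_DATETIME 'yyyymmddHHMMSS.ffffff+UUU' (UUU = UTC offset in minutes)."""
    stamp, sign, minutes = value[:21], value[21], int(value[22:])
    tz = timezone(timedelta(minutes=minutes if sign == "+" else -minutes))
    return datetime.strptime(stamp, "%Y%m%d%H%M%S.%f").replace(tzinfo=tz)

def parse_records(text):
    """Split the dump into dicts; a field inside a sub-section is keyed 'Section/Field'."""
    records, rec, section = [], None, None
    for line in text.splitlines():
        name, _, value = (part.strip() for part in line.partition(":"))
        if name == "Computer Name":
            rec, section = {name: value}, None
            records.append(rec)
        elif rec is None or not name:
            continue
        elif name in SECTIONS and not value:
            section = name          # 'Subject:', 'New Logon:' ... open a sub-section
        else:
            if name in TRAILER:
                section = None      # back at the record's own trailer fields
            rec[f"{section}/{name}" if section else name] = value
    return records

def anonymous_network_logons(records):
    """4624 network (type 3) logons by ANONYMOUS LOGON, noting the NTLM flavour."""
    hits = []
    for r in records:
        # 'Logon Type' lands under Subject because the dump dropped the indentation
        if (r.get("Event Code") != "4624" or r.get("Subject/Logon Type") != "3"
                or r.get("New Logon/Security ID") != ANONYMOUS_SID):
            continue
        package = r.get("Detailed Authentication Information/Package Name (NTLM only)")
        hits.append({"logon_id": r["New Logon/Logon ID"], "ntlmv1": package == "NTLM V1",
                     "source": r.get("Network Information/Source Network Address"),
                     "time": parse_cim_datetime(r["Time Written"])})
    return hits

def correlate_sessions(records):
    """Pair each 4624 with its 4634 by Logon ID (unique only between reboots, per the event text)."""
    sessions = {}
    for r in records:
        when = parse_cim_datetime(r["Time Written"])
        if r.get("Event Code") == "4624":
            sessions.setdefault(r["New Logon/Logon ID"], {})["logon"] = when
        elif r.get("Event Code") == "4634":
            sessions.setdefault(r["Subject/Logon ID"], {})["logoff"] = when
    for s in sessions.values():
        if "logon" in s and "logoff" in s:
            s["seconds"] = (s["logoff"] - s["logon"]).total_seconds()
    return sessions
```

Run against the sample, `anonymous_network_logons` returns both anonymous logons from 192.168.1.6 with `ntlmv1` set, and `correlate_sessions` pairs logon 0x18cd2b9d (08:09:38.477) with its logoff (08:11:41.503) for a 123-second session; 0x18cd2c38 has no logoff in the excerpt, which the dump's newest-first ordering makes easy to miss by eye.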
 

Premium Member · 29,790 Posts
Hello Nmky. I need to see a GMER log in order to help you:

Download GMER Rootkit Scanner from here: http://www.gmer.net/download.php and save it to your Desktop.
  • Double-click gmer.exe to run it. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.



  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it to your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


------------------------------------------------------
 

Registered · 17 Posts · Discussion Starter · #15
GMER 1.0.15.15570 - GMER - Rootkit Detector and Remover
Rootkit scan 2011-04-22 15:18:03
Windows 6.1.7600 Harddisk0\DR0 -> \Device\0000005c WDC_WD10 rev.05.0
Running: tb1woylz.exe; Driver: C:\Users\Josh\AppData\Local\Temp\fxliypoc.sys

---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82E45589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E6A092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[1544] USER32.dll!CreateWindowExW 76B00E51 5 Bytes JMP 6C8D8197 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1544] USER32.dll!DialogBoxIndirectParamW 76B24AA7 5 Bytes JMP 6C9FFED8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1544] USER32.dll!DialogBoxParamW 76B2564A 5 Bytes JMP 6C7F4BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1544] USER32.dll!DialogBoxParamA 76B3CF6A 5 Bytes JMP 6C9FFE75 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1544] USER32.dll!DialogBoxIndirectParamA 76B3D29C 5 Bytes JMP 6C9FFF3B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1544] USER32.dll!MessageBoxIndirectA 76B4E8C9 5 Bytes JMP 6C9FFE0A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1544] USER32.dll!MessageBoxIndirectW 76B4E9C3 5 Bytes JMP 6C9FFD9F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1544] USER32.dll!MessageBoxExA 76B4EA29 5 Bytes JMP 6C9FFD3D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1544] USER32.dll!MessageBoxExW 76B4EA4D 5 Bytes JMP 6C9FFCDB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!CreateDialogParamW 76AF9BFF 5 Bytes JMP 6C82C5A8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!EnableWindow 76AFA72E 5 Bytes JMP 6C82C523 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!GetAsyncKeyState 76AFC09A 5 Bytes JMP 6C7ED6E9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!UnhookWindowsHookEx 76AFCC7B 5 Bytes JMP 6C8E83A2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!CallNextHookEx 76AFCC8F 5 Bytes JMP 6C8C9D94 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!CreateWindowExW 76B00E51 5 Bytes JMP 6C8D8197 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!SetWindowsHookExW 76B0210A 5 Bytes JMP 6C88463B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!GetKeyState 76B04FDA 5 Bytes JMP 6C82D79A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!IsDialogMessageW 76B06F06 5 Bytes JMP 6C7F4284 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!CreateDialogParamA 76B13E79 5 Bytes JMP 6CA00ACE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!IsDialogMessage 76B1407A 5 Bytes JMP 6CA0036F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!CreateDialogIndirectParamA 76B19110 5 Bytes JMP 6CA00B05 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!CreateDialogIndirectParamW 76B208AD 5 Bytes JMP 6CA00B3C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!DialogBoxIndirectParamW 76B24AA7 5 Bytes JMP 6C9FFED8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!EndDialog 76B2555C 5 Bytes JMP 6C7F5AE9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!DialogBoxParamW 76B2564A 5 Bytes JMP 6C7F4BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!SetKeyboardState 76B26B52 5 Bytes JMP 6CA006D4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!SendInput 76B27055 5 Bytes JMP 6CA01298 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!SetCursorPos 76B3C1D8 5 Bytes JMP 6CA012F0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!DialogBoxParamA 76B3CF6A 5 Bytes JMP 6C9FFE75 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!DialogBoxIndirectParamA 76B3D29C 5 Bytes JMP 6C9FFF3B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!MessageBoxIndirectA 76B4E8C9 5 Bytes JMP 6C9FFE0A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!MessageBoxIndirectW 76B4E9C3 5 Bytes JMP 6C9FFD9F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!MessageBoxExA 76B4EA29 5 Bytes JMP 6C9FFD3D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!MessageBoxExW 76B4EA4D 5 Bytes JMP 6C9FFCDB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!keybd_event 76B4EC9B 5 Bytes JMP 6CA01623 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] SHELL32.dll!SHChangeNotification_Lock + 45BA 76DBB440 4 Bytes [11, 36, E8, 73]
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] SHELL32.dll!SHChangeNotification_Lock + 45C2 76DBB448 8 Bytes CALL 5E4F84C0
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] ole32.dll!OleLoadFromStream 76BC5BF6 5 Bytes JMP 6CA0022B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] ole32.dll!CoCreateInstance 76C1590C 5 Bytes JMP 6C8D8C85 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \Driver\ACPI_HAL \Device\00000046 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
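The helper's caution about false positives applies directly to this log. Every USER32 and ole32 hook GMER lists inside iexplore.exe jumps into C:\Windows\system32\IEFRAME.dll, Internet Explorer's own frame DLL, which is the expected picture for IE. The lines a reviewer would actually look at are the ones GMER could not attribute: the two SHELL32.dll entries (a 4-byte raw patch and an 8-byte CALL to an address no module claims) and the two modifications to ntkrnlpa.exe in the kernel section. Unattributed is not the same as malicious, and GMER itself warns about that, but it is where manual triage starts. The script below is an added example, not part of this thread or of GMER: it parses the one-hook-per-line format visible above (an assumption taken from the page) and separates hooks that resolve to a named, vendor-described module from those that do not. The sample input is a constructed subset of the lines from the posted log.

```python
"""Triage the hook lines of a GMER log like the one posted above.
Added example, not part of the thread or of GMER. Assumes the one-hook-per-line
format seen on the page: '.text [process[pid]] module!func [+ off] addr N Bytes <patch>',
where <patch> is 'JMP|CALL target [path (description)]' or a raw byte list."""
import re

HOOK_RE = re.compile(
    r"^\.text\s+(?:(?P<process>.+?\[\d+\])\s+)?"
    r"(?P<module>[\w.]+)!(?P<func>\w+)(?: \+ (?P<offset>[0-9A-F]+))?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+) Bytes?\s+(?P<patch>.*)$")
BRANCH_RE = re.compile(
    r"^(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<path>.+?)\s+\((?P<desc>[^)]*)\))?$")

# Constructed sample: a subset of the lines from the posted log.
SAMPLE = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82E45589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E6A092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!CreateWindowExW 76B00E51 5 Bytes JMP 6C8D8197 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] USER32.dll!GetAsyncKeyState 76AFC09A 5 Bytes JMP 6C7ED6E9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] SHELL32.dll!SHChangeNotification_Lock + 45BA 76DBB440 4 Bytes [11, 36, E8, 73]
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] SHELL32.dll!SHChangeNotification_Lock + 45C2 76DBB448 8 Bytes CALL 5E4F84C0
.text C:\Program Files\Internet Explorer\iexplore.exe[4352] ole32.dll!CoCreateInstance 76C1590C 5 Bytes JMP 6C8D8C85 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
"""

def parse_gmer(text):
    """One dict per '.text' hook line; everything else in the log is skipped."""
    entries = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        b = BRANCH_RE.match(e["patch"])
        if b:                      # inline JMP/CALL, possibly resolved to a module
            e.update(kind=b["kind"], target=b["target"], path=b["path"], desc=b["desc"])
        else:                      # raw byte change with no branch target
            e.update(kind="PATCH", target=None, path=None, desc=None)
        entries.append(e)
    return entries

def review_reason(e):
    """None for a hook GMER resolved to a named module; otherwise why a human should look."""
    if e["process"] is None:
        return "kernel code modified"
    if e["kind"] == "PATCH":
        return "raw byte patch with no branch target"
    if not e["path"]:
        return f"{e['kind']} to {e['target']} not attributed to any module"
    return None

def triage(text):
    """(symbol, reason) for every hook line that is not a resolved, vendor-attributed hook."""
    out = []
    for e in parse_gmer(text):
        reason = review_reason(e)
        if reason:
            out.append((f"{e['module']}!{e['func']}", reason))
    return out

def hooks_by_target(text):
    """How many resolved hooks land in each module; IE's all landing in IEFRAME.dll is normal."""
    counts = {}
    for e in parse_gmer(text):
        if e["path"]:
            counts[e["path"]] = counts.get(e["path"], 0) + 1
    return counts
```

On the sample, `hooks_by_target` reports three resolved hooks, all into IEFRAME.dll, and `triage` returns exactly the four lines named above: the two kernel modifications and the two SHELL32 entries. Treat its output as a reading list, not a verdict; that is the same advice the helper gives about GMER's own "ROOTKIT" markers.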
 

Premium Member · 29,790 Posts
Hello Nmky.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do not attempt fixes on your own or run scanners unless requested by a helper.

------------------------------------------------------

Due to the restrictions on Windows 7, all tools should be started by right-click > Run as Administrator

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

A guide and tutorial on using ComboFix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
 

Registered · 17 Posts · Discussion Starter · #17
Well, I restarted my computer after doing ComboFix and, well, the virus is still there.... To be honest I have no patience lol.... So I am still willing to do TeamViewer even if it's not allowed :/ :sigh:
 

Premium Member · 29,790 Posts
Hello again, Nmky. If it's not allowed, it's not allowed. LOL.

If you post the ComboFix.txt log as per my instructions, I could help you.
 

Registered · 17 Posts · Discussion Starter · #19
Alright, fair enough. OK, here it is...
ComboFix 11-04-22.01 - Josh 04/22/2011 17:41:17.3.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3071.2084 [GMT -6:00]
Running from: c:\users\Nevan\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-22 to 2011-04-22 )))))))))))))))))))))))))))))))
.
.
2011-04-22 23:45 . 2011-04-22 23:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-22 23:37 . 2011-04-22 23:37 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{542E6881-537E-4A2B-A82E-EBB92396B06A}\MpKsl20659df3.sys
2011-04-22 23:32 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{542E6881-537E-4A2B-A82E-EBB92396B06A}\mpengine.dll
2011-04-22 23:17 . 2011-04-22 23:43 -------- d-----w- c:\users\Josh\AppData\Local\temp
2011-04-22 17:00 . 2011-04-22 21:50 -------- d-----w- C:\rsit
2011-04-22 17:00 . 2011-04-22 21:50 -------- d-----w- c:\program files\trend micro
2011-04-16 00:25 . 2011-04-16 00:25 -------- d-----w- c:\windows\New folder
2011-04-16 00:09 . 2011-04-16 00:09 -------- d-----w- c:\users\Nevan\AppData\Local\{9A0D24F6-11F0-4397-97CD-8C280629160A}
2011-04-15 02:26 . 2011-04-15 02:26 -------- d-----w- c:\users\Nevan\AppData\Local\Microsoft Games
2011-04-15 02:06 . 2011-04-15 02:06 -------- d-----w- c:\users\Nevan\AppData\Local\{26C503E9-A3BB-4289-AC00-F95A8286763E}
2011-04-09 22:30 . 2010-12-28 06:23 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AE5B2CD1-6B55-4BA6-B084-57AA0A62E04A}\gapaengine.dll
2011-04-09 03:13 . 2011-04-09 03:13 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2011-04-04 23:17 . 2011-04-04 23:17 -------- d-----w- c:\users\Nevan\AppData\Local\{00BC8D0A-1E9F-4A21-8016-58CCA0A28757}
2011-04-02 17:28 . 2011-04-03 05:29 -------- d-----w- c:\users\Nevan\AppData\Local\{BD1E081A-50B6-4632-A36F-6643B60ECC5F}
2011-03-31 02:07 . 2011-03-31 02:07 -------- d-----w- c:\users\Nevan\AppData\Local\{E5263A24-8C0E-4D8A-9051-D285FCDA4F02}
2011-03-29 01:23 . 2011-03-29 01:30 -------- d-----w- c:\users\Nevan\AppData\Roaming\.minecraft
2011-03-29 00:39 . 2011-03-29 00:40 -------- d-----w- c:\users\Nevan\AppData\Local\{F33151E9-6AF1-4A4D-ACA7-B2D3C37B0123}
2011-03-28 11:45 . 2011-03-28 11:45 -------- d-----w- c:\windows\system32\QuickTime
2011-03-28 11:45 . 2011-03-28 11:45 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2011-03-28 11:45 . 2011-03-28 11:45 -------- d-----w- c:\program files\TechSmith
2011-03-28 11:34 . 2011-03-28 11:35 -------- d-----w- c:\users\Nevan\AppData\Local\{BEA272A9-9D62-481E-B784-96C618A7F1BE}
2011-03-26 02:21 . 2011-04-12 21:19 -------- d-----w- c:\users\Nevan\AppData\Local\LogMeIn Hamachi
2011-03-25 17:03 . 2010-12-28 06:23 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-03-25 16:53 . 2011-03-25 16:53 -------- d-----w- c:\users\Nevan\AppData\Local\{ABEC8836-A5D2-4AA9-A416-78F1FDC9B8E8}
2011-03-25 08:31 . 2011-03-25 08:31 -------- d-----w- c:\programdata\NCH Software
2011-03-25 03:20 . 2011-03-25 03:20 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-7\Microsoft.MediaCenter.Sports.UI.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-13 03:43 . 2011-03-21 05:02 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-04-13 03:43 . 2011-02-18 04:19 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-04-11 07:04 . 2010-12-29 01:19 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-09 03:13 . 2011-02-18 04:20 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-04-09 03:13 . 2011-02-18 05:23 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2011-04-09 03:13 . 2011-02-18 04:19 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-03-21 05:01 . 2011-03-21 05:01 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2011-03-20 17:09 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-15 05:01 . 2011-03-15 05:01 86016 ----a-w- c:\windows\system32\frapsvid.dll
2011-03-10 00:15 . 2011-03-10 00:15 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-7\markup.dll
2011-03-07 05:08 . 2011-03-07 05:08 8704 ----a-w- c:\windows\system32\SpOrder.dll
2011-03-07 05:08 . 2011-03-07 05:08 73728 ----a-w- c:\windows\system32\VistaInfo32.dll
2011-02-19 05:33 . 2011-03-10 00:16 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 05:32 . 2011-03-10 00:16 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 05:32 . 2011-03-10 00:16 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-03 05:45 . 2011-02-09 22:15 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-01-28 02:55 . 2011-01-28 02:55 112128 ----a-w- c:\users\Nevan\AppData\Roaming\Microsoft\Windows\Templates\fROMOHIO Auth Gen.exe
2011-01-28 02:36 . 2011-01-28 02:36 181248 ----a-w- c:\users\Nevan\AppData\Roaming\Rsbot.Net Authorization Code Generator v1.4.exe
2011-01-28 01:02 . 2011-01-28 01:02 112128 ----a-w- c:\users\Nevan\AppData\Roaming\Rsbots.net auth generator1.exe
2011-01-28 00:37 . 2011-01-28 00:37 1602 ----a-w- c:\users\Nevan\AppData\Roaming\run-RAM1000MB.bat
2011-01-28 00:30 . 2011-01-28 00:30 2174584 ----a-w- c:\users\Nevan\AppData\Roaming\epicbot_520.exe
2011-01-28 00:26 . 2011-01-28 00:26 191488 ----a-w- c:\users\Nevan\AppData\Roaming\Microsoft\Windows\Templates\TURSH Tool.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]
"Steam"="c:\program files\Steam\Steam.exe" [2010-12-31 1242448]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-27 15026056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-12-28 7600672]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2010-12-28 1833504]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2009-07-01 163872]
"Logitech G930"="c:\program files\Logitech\G930\G930.exe" [2010-11-02 1516888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-14 421160]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-04 1246544]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\users\Nevan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-12-28 0]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Josh^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Josh^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech blank Product Registration.lnk]
path=c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech blank Product Registration.lnk
backup=c:\windows\pss\Logitech blank Product Registration.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jomantha]
2008-06-13 18:19 159744 ----a-w- c:\program files\n52te\n52teHid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2009-10-26 21:46 1458176 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 JmtFltr;n52te;c:\windows\system32\Drivers\JmtFltr.sys [2007-09-27 48896]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-28 1343400]
S1 MpKsl20659df3;MpKsl20659df3;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{542E6881-537E-4A2B-A82E-EBB92396B06A}\MpKsl20659df3.sys [2011-04-22 28752]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-07-14 239648]
S3 LADF_BakerCOnly;BakerC Filter Driver;c:\windows\system32\DRIVERS\ladfBakerCi386.sys [2010-10-18 331608]
S3 LADF_BakerROnly;BakerR Filter Driver;c:\windows\system32\DRIVERS\ladfBakerRi386.sys [2010-10-18 310872]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [2010-03-18 40912]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [2010-03-18 10448]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
S3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-12-28 30752]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL20659DF3
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = 67.215.252.163:9939->United States
TCP: {4F2FAB80-13DA-4803-B665-B1584A5AD25B} = 8.8.8.8,8.8.8.0
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2984364502-1858729684-3063578369-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (S-1-5-21-2984364502-1858729684-3063578369-1001)
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-2984364502-1858729684-3063578369-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (S-1-5-21-2984364502-1858729684-3063578369-1001)
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-04-22 17:47:27
ComboFix-quarantined-files.txt 2011-04-22 23:47
ComboFix2.txt 2011-04-22 23:17
ComboFix3.txt 2011-04-22 22:05
.
Pre-Run: 931,157,061,632 bytes free
Post-Run: 930,756,296,704 bytes free
.
- - End Of File - - 553F0FB60056F516ACD1D323452B6C40
 

·
Premium Member
Joined
·
29,790 Posts
It's not showing in your logs. Can you give me the filename/filepath of what Security Essentials detects?

Please download Malwarebytes' Anti-Malware and Save it to your Desktop.
  • Right-click mbam-setup.exe and choose 'Run as administrator' to install it.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Under the Scanner tab, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------
 