
Thread: Malware that keeps transforming

  1. #1 Junior Member (Join Date: May 2011, Posts: 8)

    Malware that keeps transforming

    This afternoon a Windows Recovery notice popped up, along with a bunch of very scary notices and an "unidentified program wants access to your computer" alert popup. It didn't look familiar so I ignored it and googled. The first hit was Windows Recovery Virus. Before I knew it my comp was restarting and I found all my files and icons gone.

    I went into safe mode with networking and did more research; found a tutorial (http://www.bleepingcomputer.com/viru...ndows-recovery) for removal on "bleepingcomputer.com" and followed the steps, which were:
    - install and use Rkill
    http://www.bleepingcomputer.com/down...ti-virus/rkill

    - install and use Malwarebytes' Anti-Malware
    http://www.bleepingcomputer.com/down...s-anti-malware

    - restart

    - and then use Unhide to un-mask my files and icons


    Upon restart Vista requested permission for Malwarebytes to finish the process. Right after, Vista User Account Control started alerting me over and over that an unidentified program wants access to my computer: "setup4130643320.exe" (in each new popup the numbers before the '.exe' change). The moment I cancel or X out of one, another pops up in its place.

    Thinking I flubbed the 'fix', I clicked on Rkill to see if it'd pick up something else. The moment I tapped it, instead of Rkill opening, there's something called "Vista Security 2011". It looks like the brother of "Windows Recovery"; it auto-starts scanning, then boom, the same scary warnings, and every time I close the Vista Security 2011 popup the same setup####.exe things as before start popping up, but multiple at a time now. The Security 2011 popup blocks any attempt to open a program, malware-related or not, or any internet browser.

    I had some sensitive video files I need to edit, and I knew I needed to be able to post HJT or DDS logs to get assistance here, so I went back into safe mode with networking, saved just the most important files to my external hard drive and found a correlating tutorial on bleepingcomputer.com, which was pretty much the same exact steps: Rkill, Malwarebytes, then restart (no Unhide this go-round). So I could log onto the forum and download the registry backup tool + DDS tool. The same setup####.exe popups from the beginning are flashing at the bottom of the screen. I'm currently avoiding clicking them altogether in case that just further exacerbates the issue. And I've noticed that if I ignore them for long enough flashing at the bottom of the screen, the numbers in the setup###.exe seem to change on their own (or at least the 5 digits of it I can see). I appreciate any help you can give. Also, my system runs Vista and it's 64-bit; and my antivirus is Avira.

    P.S. While I was writing this post and ignoring the popup it started messing with my browser. It would allow me to post, then everything froze, then everything unfroze with the exception of the tab with this forum. It didn't unfreeze until I engaged the setup###.exe popup by canceling it again.

    Here's my DDS:
    .
    DDS (Ver_11-03-05.01) - NTFS_AMD64
    Run by Savage at 23:30:29.03 on Wed 05/11/2011
    Internet Explorer: 8.0.6001.19048
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4060.2589 [GMT -4:00]
    .
    AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\STacSV64.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Microsoft LifeCam\MSCamS64.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\CyberLink\Shared files\RichVideo64.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Users\Savage\nueqow.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\SysWOW64\conime.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Users\Savage\k.exe
    C:\Windows\SysWOW64\DllHost.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\consent.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Users\Savage\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Savage\Downloads\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uDefault_Page_URL = hxxp://www.dell.com
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    uRun: [googletalk] C:\Users\Savage\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
    uRun: [Google Update] "C:\Users\Savage\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [nueqow] C:\Users\Savage\nueqow.exe /r
    uRun: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
    mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
    mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    StartupFolder: C:\Users\Savage\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    TB-X64: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
    mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun-x64: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    mRun-x64: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray64.exe
    mRun-x64: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
    IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Savage\AppData\Roaming\Mozilla\Firefox\Profiles\pbvqhpfy.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
    FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
    FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
    FF - plugin: C:\Users\Savage\AppData\Local\Google\Update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: C:\Users\Savage\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: C:\Users\Savage\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe [2011-3-28 89600]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-3-28 203264]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-5-11 136360]
    R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-5-11 269480]
    R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2011-5-11 83120]
    R2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);C:\Program Files\CyberLink\Shared files\RichVideo64.exe [2011-5-10 386344]
    R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2011-3-30 36392]
    R3 itecir;ITECIR Infrared Receiver;C:\Windows\System32\drivers\itecir.sys [2011-3-28 59392]
    R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2011-3-28 252928]
    R3 NETw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\NETw5v64.sys [2011-3-28 4735488]
    R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;C:\Windows\System32\drivers\OA001Ufd.sys [2009-3-6 159840]
    R3 OA001Vid;Creative Camera OA001 Function Driver;C:\Windows\System32\drivers\OA001Vid.sys [2009-3-8 319840]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\System32\drivers\nx6000.sys [2010-12-13 36720]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2011-2-18 51712]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
    S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-4-24 93184]
    .
    =============== File Associations ===============
    .
    JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
    .
    =============== Created Last 30 ================
    .
    2011-05-12 03:16:25 451650 ----a-w- C:\Users\Savage\pidun.exe
    2011-05-12 03:10:24 86528 ----a-w- C:\Users\Savage\l.exe
    2011-05-12 03:10:24 451650 ----a-w- C:\Users\Savage\cixu.exe
    2011-05-12 01:32:07 451650 ----a-w- C:\Users\Savage\fiosum.exe
    2011-05-12 01:28:01 451650 ----a-w- C:\Users\Savage\naicuy.exe
    2011-05-12 00:04:43 451650 ----a-w- C:\Users\Savage\muimot.exe
    2011-05-11 22:11:58 451650 ----a-w- C:\Users\Savage\piehoh.exe
    2011-05-11 21:22:33 274432 ----a-w- C:\Users\Savage\J0GZWo455FY3.exe
    2011-05-11 21:22:32 451650 ----a-w- C:\Users\Savage\yaufad.exe
    2011-05-11 19:44:49 -------- d-----w- C:\Users\Savage\AppData\Roaming\Malwarebytes
    2011-05-11 19:44:37 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-05-11 19:44:37 -------- d-----w- C:\PROGRA~3\Malwarebytes
    2011-05-11 19:44:34 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-05-11 19:44:34 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-05-11 19:05:17 -------- d-----w- C:\Users\Savage\AppData\Roaming\Avira
    2011-05-11 18:58:23 83120 ---ha-w- C:\Windows\System32\drivers\avgntflt.sys
    2011-05-11 18:58:23 -------- d-----w- C:\Program Files (x86)\Avira
    2011-05-11 18:58:23 -------- d-----w- C:\PROGRA~3\Avira
    2011-05-11 18:47:14 -------- d-----w- C:\PROGRA~3\Protexis
    2011-05-11 18:46:26 0 ----a-w- C:\Users\Savage\AppData\Local\Uhejagakusadiyu.bin
    2011-05-11 18:46:24 -------- d-----w- C:\Users\Savage\AppData\Local\{F0F48CD4-F8AF-49D0-B49F-CC0BBFDC4A7C}
    2011-05-11 18:45:13 274432 --sh--r- C:\Users\Savage\nueqow.exe
    2011-05-11 18:35:46 -------- d-----w- C:\Windows\RegisteredPackages
    2011-05-11 18:35:45 -------- d-----w- C:\Windows\msdownld.tmp
    2011-05-11 18:35:32 212992 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ILog.dll
    2011-05-11 18:34:33 -------- d-----w- C:\PROGRA~3\Corel
    2011-05-11 18:28:59 506728 ----a-w- C:\Windows\System32\d3dx10_33.dll
    2011-05-11 18:15:48 -------- d-----w- C:\Windows\System32\EventProviders
    2011-05-11 06:11:21 -------- d-----w- C:\Program Files (x86)\Lame For Audacity
    2011-05-11 05:37:06 -------- d-----w- C:\Program Files (x86)\Audacity 1.3 Beta (Unicode)
    2011-05-10 20:34:32 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
    2011-05-10 20:34:32 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat
    2011-05-10 19:45:59 -------- d-----w- C:\My Works
    2011-05-10 19:43:52 -------- d-----w- C:\PROGRA~3\SmartSound Software Inc
    2011-05-10 19:43:48 -------- d-----w- C:\Program Files (x86)\SmartSound Software
    2011-05-10 19:43:48 -------- d-----w- C:\PROGRA~3\eSellerate
    2011-05-10 06:00:13 8802128 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{BA8FC602-B0F1-46AB-941E-A174B564E33D}\mpengine.dll
    2011-05-10 03:07:20 -------- d-----w- C:\Users\Savage\AppData\Local\DDMSettings
    2011-05-10 03:06:09 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine
    2011-05-10 03:05:55 -------- d-----w- C:\Program Files\DivX
    2011-05-10 03:05:45 -------- d-----w- C:\Program Files (x86)\Common Files\DivX Shared
    2011-05-10 03:04:38 -------- d-----w- C:\Program Files (x86)\DivX
    2011-05-10 03:04:08 -------- d-----w- C:\PROGRA~3\DivX
    2011-05-05 04:39:43 -------- d-----w- C:\Program Files (x86)\Dell Webcam
    2011-05-05 04:39:40 -------- d-----w- C:\Program Files (x86)\Creative Live! Cam
    2011-05-05 04:15:19 -------- d-----w- C:\Users\Savage\AppData\Local\Apps
    2011-05-05 04:15:18 -------- d-----w- C:\Users\Savage\AppData\Local\Deployment
    2011-05-05 04:09:22 -------- d-----w- C:\PROGRA~3\Citrix
    2011-05-05 04:08:49 -------- d-----w- C:\Program Files (x86)\Citrix
    2011-05-05 04:08:44 -------- d-----w- C:\Users\Savage\AppData\Local\Citrix
    2011-05-05 04:08:43 103784 ----a-w- C:\Users\Savage\GoToAssistDownloadHelper.exe
    2011-05-04 20:31:41 -------- d-----w- C:\Users\Savage\{befeeee5-fdec-4428-994d-4baafe718423}
    2011-05-04 20:30:16 49152 ----a-w- C:\Windows\System32\OA001Pin.dll
    2011-05-04 20:30:16 32768 ----a-w- C:\Windows\OA001Cfg.exe
    2011-05-04 20:30:16 31256 ----a-w- C:\Windows\SysWow64\OA001Pin.crl
    2011-05-04 20:30:16 22040 ----a-w- C:\Windows\System32\OA001Pin.crl
    2011-05-04 20:30:16 219544 ----a-w- C:\Windows\System32\drivers\OA001Afx.sys
    2011-05-04 20:30:16 11264 ----a-w- C:\Windows\System32\OA001Srv.exe
    2011-05-04 20:13:03 45056 ----a-r- C:\Users\Savage\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
    2011-05-04 20:12:55 -------- d-----w- C:\Windows\SysWow64\vmm32
    2011-05-04 20:12:55 -------- d-----w- C:\Program Files (x86)\Dell
    2011-05-04 15:24:35 7680 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
    2011-05-04 15:24:35 7680 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
    2011-04-29 03:50:01 -------- d-----w- C:\Program Files (x86)\Veetle
    2011-04-27 03:43:32 32256 ----a-w- C:\Windows\System32\Apphlpdm.dll
    2011-04-27 03:43:32 28672 ----a-w- C:\Windows\SysWow64\Apphlpdm.dll
    2011-04-27 03:43:31 4240384 ----a-w- C:\Windows\SysWow64\GameUXLegacyGDFs.dll
    2011-04-27 03:43:31 4240384 ----a-w- C:\Windows\System32\GameUXLegacyGDFs.dll
    2011-04-26 19:06:36 57436 ----a-w- C:\Windows\DASShp.dll
    2011-04-26 19:06:35 217174 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ClearType\ctras.dll
    2011-04-26 19:06:35 -------- d-----w- C:\Program Files (x86)\Microsoft Reader
    2011-04-26 19:06:29 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
    2011-04-26 19:06:29 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
    2011-04-26 19:06:29 225280 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\IScript\IScript.dll
    2011-04-26 19:06:29 176128 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
    2011-04-26 19:06:28 614532 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
    2011-04-26 05:05:24 -------- d-----w- C:\PROGRA~3\Fugazo
    2011-04-26 05:05:23 -------- d-----w- C:\PROGRA~3\Trymedia
    2011-04-25 16:40:19 -------- d-----w- C:\Users\Savage\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
    2011-04-25 16:40:15 -------- d-----w- C:\Program Files (x86)\TweetDeck
    2011-04-25 04:06:00 -------- d-----w- C:\Program Files\iPod
    2011-04-25 04:05:59 -------- d-----w- C:\Program Files\iTunes
    2011-04-25 04:05:59 -------- d-----w- C:\Program Files (x86)\iTunes
    2011-04-25 04:04:41 -------- d-----w- C:\Program Files\Bonjour
    2011-04-25 01:30:50 -------- d-----w- C:\Users\Savage\AppData\Roaming\.anki
    2011-04-25 01:30:09 -------- d-----w- C:\Program Files (x86)\Anki
    2011-04-25 00:56:37 -------- d-----w- C:\Program Files\Microsoft LifeCam
    2011-04-25 00:56:37 -------- d-----w- C:\Program Files (x86)\Microsoft LifeCam
    2011-04-25 00:56:33 1974616 ----a-w- C:\Windows\SysWow64\D3DCompiler_42.dll
    2011-04-25 00:56:33 1892184 ----a-w- C:\Windows\SysWow64\D3DX9_42.dll
    2011-04-25 00:49:34 -------- d-----w- C:\PROGRA~3\Xerox
    2011-04-24 04:26:29 -------- d-----w- C:\Users\Savage\AppData\Roaming\Ph03nixNewMedia
    2011-04-24 04:16:10 -------- d-----w- C:\Users\Savage\AppData\Roaming\Jane s Hotel 3
    2011-04-24 04:15:00 -------- d-----w- C:\Program Files (x86)\Janes Hotel Mania
    2011-04-24 04:13:44 -------- d-----w- C:\Program Files (x86)\LeeGT-Games
    2011-04-22 06:04:04 -------- d-----w- C:\Users\Savage\AppData\Roaming\cYo
    2011-04-22 06:04:04 -------- d-----w- C:\Users\Savage\AppData\Local\cYo
    2011-04-20 08:05:34 -------- d-----w- C:\Users\Savage\AppData\Local\Adobe
    2011-04-19 00:54:33 -------- d-----w- C:\PROGRA~3\Giraffic
    2011-04-19 00:54:27 -------- d-----w- C:\Program Files (x86)\Veoh Networks
    2011-04-15 18:14:52 2760704 ----a-w- C:\Windows\System32\win32k.sys
    2011-04-15 07:27:08 -------- d-----w- C:\Program Files (x86)\VideoLAN
    2011-04-14 07:17:33 -------- d-----w- C:\Program Files (x86)\Stanza
    .
    ==================== Find3M ====================
    .
    2011-04-06 20:26:58 96544 ----a-w- C:\Windows\System32\dnssd.dll
    2011-04-06 20:26:58 69408 ----a-w- C:\Windows\System32\jdns_sd.dll
    2011-04-06 20:26:58 237856 ----a-w- C:\Windows\System32\dnssdX.dll
    2011-04-06 20:26:58 119584 ----a-w- C:\Windows\System32\dns-sd.exe
    2011-04-06 20:20:16 91424 ----a-w- C:\Windows\SysWow64\dnssd.dll
    2011-04-06 20:20:16 75040 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
    2011-04-06 20:20:16 197920 ----a-w- C:\Windows\SysWow64\dnssdX.dll
    2011-04-06 20:20:16 107808 ----a-w- C:\Windows\SysWow64\dns-sd.exe
    2011-03-30 20:07:04 521448 ----a-w- C:\Windows\System32\deployJava1.dll
    2011-03-30 20:06:33 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2011-03-30 19:50:20 0 ----a-w- C:\Windows\ativpsrm.bin
    2011-03-29 00:19:11 95744 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
    2011-03-29 00:19:11 7680 ----a-w- C:\Windows\System32\drivers\usbd.sys
    2011-03-29 00:19:11 49664 ----a-w- C:\Windows\System32\drivers\usbehci.sys
    2011-03-29 00:19:11 29184 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
    2011-03-29 00:19:11 274944 ----a-w- C:\Windows\System32\drivers\usbhub.sys
    2011-03-29 00:19:11 262144 ----a-w- C:\Windows\System32\drivers\usbport.sys
    2011-03-29 00:19:11 17920 ----a-w- C:\Windows\System32\hcrstco.dll
    2011-03-29 00:19:11 10752 ----a-w- C:\Windows\System32\hccoin.dll
    2011-03-29 00:18:02 28160 ----a-w- C:\Windows\System32\drivers\tunnel.sys
    2011-03-29 00:18:02 236544 ----a-w- C:\Windows\System32\iphlpsvc.dll
    2011-03-29 00:18:02 18432 ----a-w- C:\Windows\System32\drivers\TUNMP.SYS
    2011-03-29 00:16:44 693760 ----a-w- C:\Windows\System32\drivers\bthport.sys
    2011-03-29 00:16:44 35328 ----a-w- C:\Windows\System32\drivers\BTHUSB.SYS
    2011-03-29 00:16:44 26624 ----a-w- C:\Windows\System32\drivers\bthenum.sys
    2011-03-29 00:16:44 204288 ----a-w- C:\Windows\System32\fsquirt.exe
    2011-03-29 00:09:29 718336 ----a-w- C:\Windows\System32\rpcss.dll
    2011-03-29 00:08:03 97792 ----a-w- C:\Windows\System32\wlanhlp.dll
    2011-03-29 00:08:03 86528 ----a-w- C:\Windows\System32\wlanapi.dll
    2011-03-29 00:08:03 615936 ----a-w- C:\Windows\System32\wlansvc.dll
    2011-03-29 00:08:03 376832 ----a-w- C:\Windows\System32\wlansec.dll
    2011-03-29 00:08:03 353280 ----a-w- C:\Windows\System32\wlanmsm.dll
    2011-03-29 00:08:03 302592 ----a-w- C:\Windows\SysWow64\wlansec.dll
    2011-03-29 00:08:03 293376 ----a-w- C:\Windows\SysWow64\wlanmsm.dll
    2011-03-29 00:08:03 157184 ----a-w- C:\Windows\System32\L2SecHC.dll
    2011-03-29 00:08:03 127488 ----a-w- C:\Windows\SysWow64\L2SecHC.dll
    2011-03-29 00:05:41 1399296 ----a-w- C:\Windows\SysWow64\msxml6.dll
    2011-03-29 00:05:40 1794560 ----a-w- C:\Windows\System32\msxml6.dll
    2011-03-28 23:59:57 40960 ----a-w- C:\Windows\apppatch\apihex86.dll
    2011-03-28 23:59:57 25600 ----a-w- C:\Windows\System32\amxread.dll
    2011-03-28 23:59:57 24064 ----a-w- C:\Windows\SysWow64\amxread.dll
    2011-03-28 23:59:57 13824 ----a-w- C:\Windows\SysWow64\apilogen.dll
    2011-03-28 23:59:56 55296 ----a-w- C:\Windows\apppatch\AppPatch64\apihex64.dll
    2011-03-28 23:59:56 15872 ----a-w- C:\Windows\System32\apilogen.dll
    2011-03-28 23:58:48 437248 ----a-w- C:\Windows\System32\WSDApi.dll
    2011-03-28 23:58:48 351232 ----a-w- C:\Windows\SysWow64\WSDApi.dll
    2011-03-28 23:57:44 880640 ----a-w- C:\Windows\System32\timedate.cpl
    2011-03-28 23:57:44 714240 ----a-w- C:\Windows\SysWow64\timedate.cpl
    2011-03-28 23:56:40 72192 ----a-w- C:\Windows\System32\l3codeca.acm
    2011-03-28 23:56:40 62464 ----a-w- C:\Windows\SysWow64\l3codeca.acm
    2011-03-28 23:55:37 96256 ----a-w- C:\Windows\System32\fontsub.dll
    2011-03-28 23:55:37 72704 ----a-w- C:\Windows\SysWow64\fontsub.dll
    2011-03-28 23:53:12 656384 ----a-w- C:\Windows\System32\kerberos.dll
    2011-03-28 23:53:12 499712 ----a-w- C:\Windows\SysWow64\kerberos.dll
    2011-03-28 23:51:56 854528 ----a-w- C:\Windows\System32\schedsvc.dll
    2011-03-28 23:51:56 655872 ----a-w- C:\Windows\System32\taskschd.dll
    2011-03-28 23:51:56 499712 ----a-w- C:\Windows\System32\wmicmiplugin.dll
    2011-03-28 23:51:56 410112 ----a-w- C:\Windows\System32\taskcomp.dll
    2011-03-28 23:51:56 357376 ----a-w- C:\Windows\SysWow64\taskschd.dll
    2011-03-28 23:51:56 270336 ----a-w- C:\Windows\SysWow64\taskcomp.dll
    2011-03-28 23:51:56 267776 ----a-w- C:\Windows\System32\taskeng.exe
    2011-03-28 23:51:56 171520 ----a-w- C:\Windows\SysWow64\taskeng.exe
    2011-03-28 23:49:30 82944 ----a-w- C:\Windows\System32\msasn1.dll
    2011-03-28 23:49:30 61440 ----a-w- C:\Windows\SysWow64\msasn1.dll
    2011-03-28 23:48:18 80896 ----a-w- C:\Windows\SysWow64\MSNP.ax
    2011-03-28 23:48:18 73216 ----a-w- C:\Windows\System32\MSDvbNP.ax
    2011-03-28 23:48:18 69632 ----a-w- C:\Windows\SysWow64\Mpeg2Data.ax
    2011-03-28 23:48:18 57856 ----a-w- C:\Windows\SysWow64\MSDvbNP.ax
    2011-03-28 23:48:18 375808 ----a-w- C:\Windows\System32\psisdecd.dll
    2011-03-28 23:48:18 293376 ----a-w- C:\Windows\SysWow64\psisdecd.dll
    2011-03-28 23:48:18 289792 ----a-w- C:\Windows\System32\psisrndr.ax
    2011-03-28 23:48:18 217088 ----a-w- C:\Windows\SysWow64\psisrndr.ax
    2011-03-28 23:48:18 101376 ----a-w- C:\Windows\System32\MSNP.ax
    2011-03-28 23:48:18 100352 ----a-w- C:\Windows\System32\Mpeg2Data.ax
    2011-03-28 23:43:29 3547136 ----a-w- C:\Windows\System32\mf.dll
    2011-03-28 23:43:29 2868224 ----a-w- C:\Windows\SysWow64\mf.dll
    2011-03-28 23:42:17 98304 ----a-w- C:\Windows\SysWow64\cabview.dll
    2011-03-28 23:42:17 104960 ----a-w- C:\Windows\System32\cabview.dll
    2011-03-28 23:41:16 818688 ----a-w- C:\Windows\System32\WMSPDMOD.DLL
    2011-03-28 23:41:16 604672 ----a-w- C:\Windows\SysWow64\WMSPDMOD.DLL
    2011-03-28 23:39:50 87552 ----a-w- C:\Windows\System32\consent.exe
    2011-03-28 23:36:23 677376 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
    2011-03-28 23:36:23 1320448 ----a-w- C:\Windows\System32\rpcrt4.dll
    2011-03-28 23:35:16 2048 ----a-w- C:\Windows\System32\tzres.dll
    2011-03-28 23:35:15 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2011-03-28 23:33:56 10240 ----a-w- C:\Windows\SysWow64\dciman32.dll
    2011-03-28 23:29:45 84480 ----a-w- C:\Windows\System32\asycfilt.dll
    2011-03-28 23:29:45 67072 ----a-w- C:\Windows\SysWow64\asycfilt.dll
    2011-03-28 23:21:52 295936 ----a-w- C:\Windows\System32\raschap.dll
    2011-03-28 23:21:52 281600 ----a-w- C:\Windows\SysWow64\raschap.dll
    2011-03-28 23:21:52 280576 ----a-w- C:\Windows\System32\rastls.dll
    2011-03-28 23:21:52 244224 ----a-w- C:\Windows\SysWow64\rastls.dll
    2011-03-28 23:20:19 43520 ----a-w- C:\Windows\System32\msdxm.tlb
    2011-03-28 23:20:19 368128 ----a-w- C:\Windows\System32\wmpdxm.dll
    2011-03-28 23:20:19 313344 ----a-w- C:\Windows\SysWow64\wmpdxm.dll
    2011-03-28 23:20:19 18432 ----a-w- C:\Windows\SysWow64\amcompat.tlb
    2011-03-28 23:20:19 18432 ----a-w- C:\Windows\System32\amcompat.tlb
    2011-03-28 23:20:18 43520 ----a-w- C:\Windows\SysWow64\msdxm.tlb
    2011-03-28 23:17:36 378368 ----a-w- C:\Windows\SysWow64\winhttp.dll
    2011-03-28 23:17:35 442368 ----a-w- C:\Windows\System32\winhttp.dll
    .
    ============= FINISH: 23:31:35.51 ===============
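As an added example (not part of the original post, and not code from the DDS tool or bleepingcomputer.com), the script below triages a DDS log for the indicators visible in this thread: processes running from the profile root (C:\Users\Savage\nueqow.exe, k.exe), a Run-key autostart pointing at one of them, recently created profile-root executables that share a byte size under rotating random names (the "transforming" setup####.exe droppers), hidden/system attributes on a dropped binary, and a WinINet proxy pointed at a loopback port (the 127.0.0.1:57172 proxy Rkill reports later in the thread). The sample input is constructed from lines of the log above plus one constructed `ProxyServer` line whose exact DDS format is assumed; the regexes and function names are mine.

```python
"""Triage a DDS log for rogue-AV indicators (added example, not DDS code)."""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the DDS log posted in this thread,
# plus one constructed "ProxyServer" line (format assumed) standing in for the
# 127.0.0.1:57172 proxy that Rkill reported later in the thread.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\Windows\Explorer.EXE
C:\Users\Savage\nueqow.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Users\Savage\k.exe
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:57172
uRun: [Google Update] "C:\Users\Savage\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [nueqow] C:\Users\Savage\nueqow.exe /r
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
=============== Created Last 30 ================
2011-05-12 03:16:25 451650 ----a-w- C:\Users\Savage\pidun.exe
2011-05-12 03:10:24 86528 ----a-w- C:\Users\Savage\l.exe
2011-05-12 03:10:24 451650 ----a-w- C:\Users\Savage\cixu.exe
2011-05-12 01:32:07 451650 ----a-w- C:\Users\Savage\fiosum.exe
2011-05-11 21:22:33 274432 ----a-w- C:\Users\Savage\J0GZWo455FY3.exe
2011-05-11 19:44:37 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-11 18:45:13 274432 --sh--r- C:\Users\Savage\nueqow.exe
2011-05-05 04:08:43 103784 ----a-w- C:\Users\Savage\GoToAssistDownloadHelper.exe
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# An .exe directly in a profile root (C:\Users\<name>\x.exe), not in a subfolder.
# File names containing spaces are deliberately not matched to keep the pattern simple.
PROFILE_ROOT_EXE_RE = re.compile(r'([A-Za-z]:\\Users\\[^\\\s"]+\\[^\\\s"]+\.exe)', re.I)
RUN_RE = re.compile(r"^\w*Run(?:-x64)?:\s*\[([^\]]+)\]\s*(.*)$")   # uRun/mRun/mRun-x64
CREATED_RE = re.compile(r"^(\S+ \S+) (\d+) (\S{8}) (.+)$")          # date time size attrs path
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)", re.I)


def parse_sections(text):
    """Split a DDS dump into {section title: [non-empty lines]} on the ==== headers."""
    sections, current = defaultdict(list), "header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line and line != ".":
            sections[current].append(line)
    return sections


def running_from_profile_root(sections):
    """Processes executing straight out of a user profile root."""
    hits = [PROFILE_ROOT_EXE_RE.search(l) for l in sections.get("Running Processes", [])]
    return [m.group(1) for m in hits if m]


def run_keys_to_profile_root(sections):
    """Run-key autostarts whose target is a profile-root exe: {value name: path}."""
    found = {}
    for line in sections.get("Pseudo HJT Report", []):
        m = RUN_RE.match(line)
        target = PROFILE_ROOT_EXE_RE.search(m.group(2)) if m else None
        if target:
            found[m.group(1)] = target.group(1)
    return found


def dropper_clusters(sections, min_count=2):
    """Recently created profile-root exes grouped by byte size, plus any carrying
    hidden/system attributes. Identical sizes under different random names are the
    same payload re-dropped under a new name, which is what the rotating
    setup####.exe prompts look like from the file system side."""
    by_size, hidden = defaultdict(list), []
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m or not PROFILE_ROOT_EXE_RE.fullmatch(m.group(4)):
            continue
        _, size, attrs, path = m.groups()
        by_size[int(size)].append(path)
        if "h" in attrs or "s" in attrs:
            hidden.append((path, attrs))
    return {s: p for s, p in by_size.items() if len(p) >= min_count}, hidden


def loopback_proxy(sections):
    """ProxyServer value if WinINet is pointed at a local port (traffic interception)."""
    for line in sections.get("Pseudo HJT Report", []):
        m = PROXY_RE.search(line)
        if m and re.search(r"127\.0\.0\.1|localhost", m.group(1), re.I):
            return m.group(1)
    return None


def triage(text):
    sections = parse_sections(text)
    clusters, hidden = dropper_clusters(sections)
    return {
        "running_from_profile_root": running_from_profile_root(sections),
        "run_keys": run_keys_to_profile_root(sections),
        "size_clusters": clusters,
        "hidden_system_exes": hidden,
        "loopback_proxy": loopback_proxy(sections),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

These are triage heuristics, not verdicts: a legitimate tool dropped in the profile root (GoToAssistDownloadHelper.exe in the sample) would surface in the same lists if it were running or autostarting, so the output is a review queue for the helper, and the size-cluster view is what turns "the numbers keep changing" into one payload to remove rather than a dozen.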

  2. #2 Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    If help still needed post fresh dds logs (dds.txt & attach.txt contents) and let me know about the remaining issues.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3 Junior Member (Join Date: May 2011, Posts: 8)

    The issue has continued to escalate, with the Rkill/Malwarebytes/Unhide combo making the comp barely functional, but it only lasts for a short while.
    The hijack-like faux antivirus app/notice and the popups that a program is trying to install are getting more aggressive. Today it popped up again, crashed the hard drive, and when I restarted I could no longer go online because the proxy settings were rejected on both browsers (Firefox, IE), and Rkill picked up that Windows had been configured to use a proxy server: http=127.0.0.1:57172. I had to set the browser connection to 'no proxy' to go online. After the crash I remember seeing a 'Windows Recovery' logo on my desktop, before the most recent flare-up that took over, reset the proxy, and made all my icons and files disappear again about an hour ago.

    Here's my updated DDS:

    .
    DDS (Ver_11-03-05.01) - NTFS_AMD64
    Run by Savage at 0:26:34.64 on Wed 05/18/2011
    Internet Explorer: 8.0.6001.19048
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4060.2045 [GMT -4:00]
    .
    AV: AntiVir Desktop *Enabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Enabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\STacSV64.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Microsoft LifeCam\MSCamS64.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\CyberLink\Shared files\RichVideo64.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\SysWOW64\conime.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Windows\system32\consent.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
    C:\Users\Savage\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\explorer.exe
    C:\Users\Savage\Downloads\dds(1).scr
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uDefault_Page_URL = hxxp://www.dell.com
    uStart Page = hxxp://google.com/
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:57172
    mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll
    uRun: [googletalk] C:\Users\Savage\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
    uRun: [Google Update] "C:\Users\Savage\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    uRun: [wKMVjdeSmCkruFe] C:\ProgramData\wKMVjdeSmCkruFe.exe
    uRun: [jeuru] C:\Users\Savage\jeuru.exe /O
    mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [LifeCam] "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
    mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
    mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    TB-X64: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
    TB-X64: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun-x64: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    mRun-x64: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray64.exe
    mRun-x64: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
    IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Savage\AppData\Roaming\Mozilla\Firefox\Profiles\pbvqhpfy.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 57172
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
    FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
    FF - plugin: C:\Users\Savage\AppData\Local\Google\Update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: C:\Users\Savage\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: C:\Users\Savage\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe [2011-3-28 89600]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-3-28 203264]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-5-11 136360]
    R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-5-11 269480]
    R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2011-5-11 83120]
    R2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);C:\Program Files\CyberLink\Shared files\RichVideo64.exe [2011-5-10 386344]
    R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2011-3-30 36392]
    R3 itecir;ITECIR Infrared Receiver;C:\Windows\System32\drivers\itecir.sys [2011-3-28 59392]
    R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2011-3-28 252928]
    R3 NETw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\NETw5v64.sys [2011-3-28 4735488]
    R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;C:\Windows\System32\drivers\OA001Ufd.sys [2009-3-6 159840]
    R3 OA001Vid;Creative Camera OA001 Function Driver;C:\Windows\System32\drivers\OA001Vid.sys [2009-3-8 319840]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;C:\Windows\System32\drivers\nx6000.sys [2010-12-13 36720]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2011-2-18 51712]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
    S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-4-24 93184]
    .
    =============== File Associations ===============
    .
    JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
    .
    =============== Created Last 30 ================
    .
    2011-05-18 04:21:28 -------- d-----w- C:\Users\Savage\EurekaLog
    2011-05-18 03:32:01 253952 --sh--r- C:\Users\Savage\jeuru.exe
    2011-05-18 03:31:54 455917 ---ha-w- C:\Users\Savage\hiukip.exe
    2011-05-18 03:31:21 350720 ---ha-w- C:\PROGRA~3\44359416.exe
    2011-05-18 00:54:10 452327 ---ha-w- C:\Users\Savage\xiagol.exe
    2011-05-17 19:37:27 463360 ---ha-w- C:\PROGRA~3\wKMVjdeSmCkruFe.exe
    2011-05-17 19:37:17 135168 ---ha-w- C:\Users\Savage\svc32.exe
    2011-05-17 19:37:16 452327 ---ha-w- C:\Users\Savage\beelod.exe
    2011-05-16 21:13:02 489362 ---ha-w- C:\Users\Savage\dsoc.exe
    2011-05-16 19:48:11 -------- d-----w- C:\Program Files (x86)\Search Toolbar
    2011-05-16 19:22:50 -------- d--h--w- C:\Users\Savage\AppData\Roaming\URSoft
    2011-05-16 19:22:44 -------- d-----w- C:\Program Files (x86)\Your Uninstaller 2010
    2011-05-16 17:43:05 489362 ---ha-w- C:\Users\Savage\maivip.exe
    2011-05-16 17:43:05 126976 ---ha-w- C:\Users\Savage\uu.exe
    2011-05-16 01:18:25 463513 ---ha-w- C:\Users\Savage\wousow.exe
    2011-05-15 22:03:27 -------- d-----w- C:\Program Files (x86)\ASIO4ALL v2
    2011-05-15 22:03:00 225280 ----a-w- C:\Windows\SysWow64\rewire.dll
    2011-05-15 22:01:54 -------- d-----w- C:\Program Files (x86)\VstPlugins
    2011-05-15 22:01:47 -------- d-----w- C:\Program Files (x86)\Outsim
    2011-05-15 21:59:47 -------- d-----w- C:\Program Files (x86)\Image-Line
    2011-05-15 17:27:27 463513 ---ha-w- C:\Users\Savage\geyup.exe
    2011-05-15 04:24:43 465646 ---ha-w- C:\Users\Savage\teoqeh.exe
    2011-05-14 20:22:53 465646 ---ha-w- C:\Users\Savage\deusig.exe
    2011-05-14 12:37:45 465646 ---ha-w- C:\Users\Savage\baisw.exe
    2011-05-13 17:45:48 450179 ---ha-w- C:\Users\Savage\xeilow.exe
    2011-05-11 19:44:49 -------- d--h--w- C:\Users\Savage\AppData\Roaming\Malwarebytes
    2011-05-11 19:44:37 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-05-11 19:44:37 -------- d--h--w- C:\PROGRA~3\Malwarebytes
    2011-05-11 19:44:34 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-05-11 19:44:34 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-05-11 19:05:17 -------- d--h--w- C:\Users\Savage\AppData\Roaming\Avira
    2011-05-11 18:58:23 83120 ---ha-w- C:\Windows\System32\drivers\avgntflt.sys
    2011-05-11 18:58:23 -------- d--h--w- C:\PROGRA~3\Avira
    2011-05-11 18:58:23 -------- d-----w- C:\Program Files (x86)\Avira
    2011-05-11 18:47:14 -------- d--h--w- C:\PROGRA~3\Protexis
    2011-05-11 18:46:26 0 ---ha-w- C:\Users\Savage\AppData\Local\Uhejagakusadiyu.bin
    2011-05-11 18:46:24 -------- d--h--w- C:\Users\Savage\AppData\Local\{F0F48CD4-F8AF-49D0-B49F-CC0BBFDC4A7C}
    2011-05-11 18:35:46 -------- d-----w- C:\Windows\RegisteredPackages
    2011-05-11 18:35:45 -------- d--h--w- C:\Windows\msdownld.tmp
    2011-05-11 18:35:32 212992 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ILog.dll
    2011-05-11 18:34:33 -------- d--h--w- C:\PROGRA~3\Corel
    2011-05-11 18:28:59 506728 ----a-w- C:\Windows\System32\d3dx10_33.dll
    2011-05-11 18:15:48 -------- d-----w- C:\Windows\System32\EventProviders
    2011-05-11 06:11:21 -------- d-----w- C:\Program Files (x86)\Lame For Audacity
    2011-05-11 05:37:06 -------- d-----w- C:\Program Files (x86)\Audacity 1.3 Beta (Unicode)
    2011-05-10 20:34:32 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
    2011-05-10 20:34:32 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat
    2011-05-10 19:45:59 -------- d--h--w- C:\My Works
    2011-05-10 19:43:52 -------- d--h--w- C:\PROGRA~3\SmartSound Software Inc
    2011-05-10 19:43:48 -------- d--h--w- C:\PROGRA~3\eSellerate
    2011-05-10 19:43:48 -------- d-----w- C:\Program Files (x86)\SmartSound Software
    2011-05-10 06:00:13 8802128 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{BA8FC602-B0F1-46AB-941E-A174B564E33D}\mpengine.dll
    2011-05-10 03:07:20 -------- d--h--w- C:\Users\Savage\AppData\Local\DDMSettings
    2011-05-10 03:06:09 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine
    2011-05-10 03:05:55 -------- d-----w- C:\Program Files\DivX
    2011-05-10 03:05:45 -------- d-----w- C:\Program Files (x86)\Common Files\DivX Shared
    2011-05-10 03:04:38 -------- d-----w- C:\Program Files (x86)\DivX
    2011-05-10 03:04:08 -------- d--h--w- C:\PROGRA~3\DivX
    2011-05-05 04:39:43 -------- d-----w- C:\Program Files (x86)\Dell Webcam
    2011-05-05 04:39:40 -------- d-----w- C:\Program Files (x86)\Creative Live! Cam
    2011-05-05 04:15:19 -------- d--h--w- C:\Users\Savage\AppData\Local\Apps
    2011-05-05 04:15:18 -------- d--h--w- C:\Users\Savage\AppData\Local\Deployment
    2011-05-05 04:09:22 -------- d--h--w- C:\PROGRA~3\Citrix
    2011-05-05 04:08:49 -------- d-----w- C:\Program Files (x86)\Citrix
    2011-05-05 04:08:44 -------- d--h--w- C:\Users\Savage\AppData\Local\Citrix
    2011-05-05 04:08:43 103784 ---ha-w- C:\Users\Savage\GoToAssistDownloadHelper.exe
    2011-05-04 20:31:41 -------- d--h--w- C:\Users\Savage\{befeeee5-fdec-4428-994d-4baafe718423}
    2011-05-04 20:30:16 49152 ----a-w- C:\Windows\System32\OA001Pin.dll
    2011-05-04 20:30:16 32768 ----a-w- C:\Windows\OA001Cfg.exe
    2011-05-04 20:30:16 31256 ----a-w- C:\Windows\SysWow64\OA001Pin.crl
    2011-05-04 20:30:16 22040 ----a-w- C:\Windows\System32\OA001Pin.crl
    2011-05-04 20:30:16 219544 ----a-w- C:\Windows\System32\drivers\OA001Afx.sys
    2011-05-04 20:30:16 11264 ----a-w- C:\Windows\System32\OA001Srv.exe
    2011-05-04 20:13:03 45056 ---ha-r- C:\Users\Savage\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
    2011-05-04 20:12:55 -------- d-----w- C:\Windows\SysWow64\vmm32
    2011-05-04 20:12:55 -------- d-----w- C:\Program Files (x86)\Dell
    2011-05-04 15:24:35 7680 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
    2011-05-04 15:24:35 7680 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
    2011-04-29 03:50:01 -------- d-----w- C:\Program Files (x86)\Veetle
    2011-04-27 03:43:32 32256 ----a-w- C:\Windows\System32\Apphlpdm.dll
    2011-04-27 03:43:32 28672 ----a-w- C:\Windows\SysWow64\Apphlpdm.dll
    2011-04-27 03:43:31 4240384 ----a-w- C:\Windows\SysWow64\GameUXLegacyGDFs.dll
    2011-04-27 03:43:31 4240384 ----a-w- C:\Windows\System32\GameUXLegacyGDFs.dll
    2011-04-26 19:06:36 57436 ----a-w- C:\Windows\DASShp.dll
    2011-04-26 19:06:35 217174 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ClearType\ctras.dll
    2011-04-26 19:06:35 -------- d-----w- C:\Program Files (x86)\Microsoft Reader
    2011-04-26 19:06:29 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
    2011-04-26 19:06:29 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
    2011-04-26 19:06:29 225280 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\IScript\IScript.dll
    2011-04-26 19:06:29 176128 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
    2011-04-26 19:06:28 614532 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
    2011-04-26 05:05:24 -------- d--h--w- C:\PROGRA~3\Fugazo
    2011-04-26 05:05:23 -------- d--h--w- C:\PROGRA~3\Trymedia
    2011-04-25 16:40:19 -------- d--h--w- C:\Users\Savage\AppData\Roaming\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
    2011-04-25 16:40:15 -------- d-----w- C:\Program Files (x86)\TweetDeck
    2011-04-25 04:06:00 -------- d-----w- C:\Program Files\iPod
    2011-04-25 04:05:59 -------- d-----w- C:\Program Files\iTunes
    2011-04-25 04:05:59 -------- d-----w- C:\Program Files (x86)\iTunes
    2011-04-25 04:04:41 -------- d-----w- C:\Program Files\Bonjour
    2011-04-25 01:30:50 -------- d--h--w- C:\Users\Savage\AppData\Roaming\.anki
    2011-04-25 01:30:09 -------- d-----w- C:\Program Files (x86)\Anki
    2011-04-25 00:56:37 -------- d-----w- C:\Program Files\Microsoft LifeCam
    2011-04-25 00:56:37 -------- d-----w- C:\Program Files (x86)\Microsoft LifeCam
    2011-04-25 00:56:33 1974616 ----a-w- C:\Windows\SysWow64\D3DCompiler_42.dll
    2011-04-25 00:56:33 1892184 ----a-w- C:\Windows\SysWow64\D3DX9_42.dll
    2011-04-25 00:49:34 -------- d-----w- C:\PROGRA~3\Xerox
    2011-04-24 04:26:29 -------- d--h--w- C:\Users\Savage\AppData\Roaming\Ph03nixNewMedia
    2011-04-24 04:16:10 -------- d--h--w- C:\Users\Savage\AppData\Roaming\Jane s Hotel 3
    2011-04-24 04:15:00 -------- d-----w- C:\Program Files (x86)\Janes Hotel Mania
    2011-04-24 04:13:44 -------- d-----w- C:\Program Files (x86)\LeeGT-Games
    2011-04-22 06:04:04 -------- d--h--w- C:\Users\Savage\AppData\Roaming\cYo
    2011-04-22 06:04:04 -------- d--h--w- C:\Users\Savage\AppData\Local\cYo
    2011-04-20 08:05:34 -------- d--h--w- C:\Users\Savage\AppData\Local\Adobe
    2011-04-19 00:54:33 -------- d--h--w- C:\PROGRA~3\Giraffic
    2011-04-19 00:54:27 -------- d-----w- C:\Program Files (x86)\Veoh Networks
    .
    ==================== Find3M ====================
    .
    ============= FINISH: 0:28:58.12 ===============
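As an added example (not part of the thread, and not DDS's own tooling), a small triage script that reads the sections of the DDS log above the way the expert does: it flags the proxy pointing back at 127.0.0.1, the autoruns launched from the profile root or ProgramData, and the freshly created hidden/system executables, then cross-references the last two. The regexes, the "suspect directory" rule and the PROGRA~3 = ProgramData mapping are this example's own assumptions; the sample lines are copied from the log in this post.

```python
"""Triage of a DDS log like the one pasted above. Added example, not the
thread's or DDS's own code; the regexes and the 'suspect directory' rule are
this example's assumptions. It flags the three things the expert would look
at here: a proxy pointing back at 127.0.0.1, autoruns launched from the
profile root or ProgramData, and freshly created hidden/system executables,
then cross-references the last two."""
import re

# Constructed excerpt, copied from the DDS log in this post.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:57172
uRun: [Google Update] "C:\Users\Savage\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [wKMVjdeSmCkruFe] C:\ProgramData\wKMVjdeSmCkruFe.exe
uRun: [jeuru] C:\Users\Savage\jeuru.exe /O
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 57172
=============== Created Last 30 ================
2011-05-18 04:21:28 -------- d-----w- C:\Users\Savage\EurekaLog
2011-05-18 03:32:01 253952 --sh--r- C:\Users\Savage\jeuru.exe
2011-05-18 03:31:21 350720 ---ha-w- C:\PROGRA~3\44359416.exe
2011-05-17 19:37:27 463360 ---ha-w- C:\PROGRA~3\wKMVjdeSmCkruFe.exe
2011-05-11 19:44:37 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
"""

# IE/WinINet proxy (ProxyServer = http=host:port) or Firefox prefs pointing at localhost.
LOCAL_PROXY = re.compile(
    r"(?:ProxyServer\s*=\s*(?:\w+=)?|network\.proxy\.http\s*-\s*)"
    r"(127\.0\.0\.1|localhost)(?::(\d+))?", re.I)
# DDS autorun lines: uRun/mRun (and their -x64 variants) with [name] and command.
RUN_LINE = re.compile(r"^([um]Run(?:-x64)?):\s*\[([^\]]+)\]\s*(.*)$")
# DDS file lines: date time size attrs path (size is -------- for directories).
CREATED_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-{8})\s+(\S{8})\s+(.*)$")
# Assumption behind this rule: legitimate software does not launch from the
# profile root (C:\Users\<name>) or straight from ProgramData.
SUSPECT_PARENT = re.compile(r"^[A-Z]:\\(Users\\[^\\]+|ProgramData|PROGRA~3)$", re.I)


def launch_path(command: str) -> str:
    """Extract the executable from an autorun command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(\S+\.(?:exe|scr|dll|com|bat|cmd))", command, re.I)
    return m.group(1) if m else command.split()[0]


def parent_dir(path: str) -> str:
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def normalize(path: str) -> str:
    """Fold DDS's 8.3 spelling of ProgramData (PROGRA~3 on this Vista box, an
    assumption) onto the long name so autorun and file lines compare equal."""
    return re.sub(r"\\PROGRA~3\\", r"\\ProgramData\\", path, flags=re.I).lower()


def triage(log_text: str) -> dict:
    findings = {"local_proxy": [], "suspect_autoruns": [],
                "hidden_new_exes": [], "confirmed": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := LOCAL_PROXY.search(line):
            findings["local_proxy"].append((m.group(1), m.group(2)))
        elif m := RUN_LINE.match(line):
            path = launch_path(m.group(3))
            if SUSPECT_PARENT.match(parent_dir(path)):
                findings["suspect_autoruns"].append(path)
        elif m := CREATED_LINE.match(line):
            attrs, path = m.group(3), m.group(4)
            hidden = "h" in attrs or "s" in attrs   # hidden / system attribute set
            if (hidden and path.lower().endswith(".exe")
                    and SUSPECT_PARENT.match(parent_dir(path))):
                findings["hidden_new_exes"].append(path)
    # An autorun whose target is also a brand-new hidden executable is the
    # strongest signal: the persistence entry and the dropped file line up.
    new_hidden = {normalize(p) for p in findings["hidden_new_exes"]}
    findings["confirmed"] = [p for p in findings["suspect_autoruns"]
                             if normalize(p) in new_hidden]
    return findings


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {items}")
```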

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Download and run this copy of Unhide.

    Then do the following:


    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

  5. #5
    Junior Member
    Join Date
    May 2011
    Posts
    8

    Hey Blade,

    I dl'd and ran Unhide without problems. But after dl'ing ComboFix, reading the instructions, and disabling my antivirus, when I ran it, it froze, then closed, then the entire comp froze. I tried restarting, but after I log in, whether in safe mode or regular, there is only a black screen and cursor: no icons, no start menu, no toolbar at the bottom. Ctrl-Alt-Delete still brings up the Windows menu where I can choose the task window, but it never loads anything.

    Finally, after a bunch of restarts, my desktop loads, with the Windows Recovery malware program active in the center of the screen; then the system crashed. I reloaded, started ComboFix, and the system crashed again (blue crash dump screen).

    On another restart in safe mode I started ComboFix, but it stated that AntiVir was still active even though it was showing as disabled. So I uninstalled AntiVir. When I restarted the comp and retried ComboFix, the system crashed again, and now it's back to having only the black screen + white cursor.

  6. #6
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Any progress, or does it still stop with only that white cursor visible? Is Task Manager available?

  7. #7
    Junior Member
    Join Date
    May 2011
    Posts
    8

    Default

    Hey Blade,
    No luck, after many rest and restart attempts. Still only the black screen/white cursor in safe or regular modes :( . I used F12 on startup to run system diagnostics; it didn't alert me to anything physically off with the system. I have the operating system and drivers/utilities discs that came with the laptop. Would restoring to factory settings help? Or is there another way to address the issue? (At this point I don't mind losing my files and programs in exchange for a functioning computer.)

  8. #8
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Please press F8 before the Windows loading screen appears and select the "Repair Your Computer" option. In the following "System Recovery Options" screen select the "Startup Repair" option. Let's see if that helps.

  9. #9
    Junior Member
    Join Date
    May 2011
    Posts
    8

    Default

    I pressed F8 as directed. After the "Repair Your Computer" option, the bluish-greenish Windows background loads with one user option in the middle, "Other User". When I click it, it requires me to fill in a username and password, but it doesn't accept mine nor the standard "admin/password" that sometimes works. After it rejects that username/password combo it states "the specified domain either does not exist or could not be contacted" and, after a few minutes of displaying this, reverts back to the initial blue/green "Other User" screen. I restarted and tried again a few times, but either the same thing happens or the menu resulting from pressing F8 doesn't give me the "Repair Your Computer" option at all and just the different safe mode options.

  10. #10
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    If you have the Windows installation disc, reboot the system from the disc and try to launch Startup Repair from it:
    1. Boot from the disc.
    2. Enter language and other preferences and click Next.
    3. Click "Repair your computer" and follow the instructions shown.
