View Full Version : Click.GiftLoad found on spybot scan
aspengrove22
2011-03-25, 21:29
My computer has been acting strangely the last couple of weeks, so I ran the spybot program and found the Click.GiftLoad which could not be removed. I found a post online about the problem and was following the solution, then later realized it was individualized for the specific dds.txt, etc.
So I ran combofix before I realized that I shouldn't do that.
Anyway, here is the dds.txt file
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Nathan at 15:20:31.58 on Fri 03/25/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.2036 [GMT -4:00]
.
AV: Kaspersky Anti-Virus *Enabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Kaspersky Anti-Virus *Enabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\PictureMover\Bin\PictureMover.exe
C:\Program Files\ZyXEL G-220v2\ZyXEL G-220 v2.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtblfs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Nathan\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\ievkbd.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\cyberlink dvd suite deluxe\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\cyberlink dvd suite deluxe" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe"
mRun: [USBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files\picturemover\bin\PictureMover.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\zyxelg~1.lnk - c:\program files\zyxel g-220v2\ZyXEL G-220 v2.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\nathan\appdata\roaming\mozilla\firefox\profiles\e6ivt07i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2010-4-22 22104]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe [2010-11-2 365336]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19984]
R3 XG762_VS;ZyXEL 802.11g XG762 1211 Vista Driver;c:\windows\system32\drivers\WlanGZG.sys [2010-12-11 873472]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-2 136176]
S3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2010-3-26 319488]
S3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2010-3-26 51456]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 ZDCNDIS5;ZDCNDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [2010-12-11 20736]
.
=============== Created Last 30 ================
.
2011-03-25 11:08:47 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{1bd9d4a6-96fc-4c67-8f1c-10f8a844cf5c}\mpengine.dll
2011-03-24 13:46:32 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-03-24 13:46:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-03-23 22:19:02 -------- d-sh--w- C:\$RECYCLE.BIN
2011-03-23 22:00:07 98816 ----a-w- c:\windows\sed.exe
2011-03-23 22:00:07 89088 ----a-w- c:\windows\MBR.exe
2011-03-23 22:00:07 256512 ----a-w- c:\windows\PEV.exe
2011-03-23 22:00:07 161792 ----a-w- c:\windows\SWREG.exe
2011-03-23 22:00:00 -------- d-----w- C:\rain
2011-03-22 19:57:38 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-22 19:57:38 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-22 19:57:38 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-13 15:32:20 -------- d-----w- c:\program files\vso
2011-03-12 23:51:20 -------- d-----w- c:\users\nathan\appdata\roaming\uTorrent
2011-03-11 20:12:27 -------- d-----w- c:\windows\system32\Adobe
2011-03-10 00:45:54 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-03-10 00:45:46 -------- d-----w- C:\Of Great Worth
2011-03-09 04:42:43 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 04:42:43 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 04:42:43 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 04:42:43 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 04:42:42 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 04:42:41 677888 ----a-w- c:\windows\system32\mstsc.exe
.
==================== Find3M ====================
.
2011-02-15 02:46:27 695926 ----a-w- c:\windows\system32\unins001.exe
2011-02-03 02:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-31 20:41:15 28672 ----a-w- c:\windows\system32\qttask.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
.
============= FINISH: 15:21:58.72 ===============
I also attached the attacth.txt file.
I read that it was a backdoor infection which scared me, so I would really appreciate any help on this.
Thanks!
Blottedisk
2011-03-26, 03:21
Hi aspengrove22,
Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Suscribe to this Thread (then choose Instant Notification by email). If the button says Unsuscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.
Please follow these steps in order:
Step 1 | Have you run any other tool apart from Combofix? Please post the contents of the Combofix log, which is located at: C.\Combofix.txt
Step 2 | Please download GMER from one of the following locations and save it to your desktop:
Main Mirror (http://gmer.net/download.php ) - This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip ) - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
--------------------------------------------------------------------
Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/index.php?showtopic=96260 ) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Make sure all options are checked except:
IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)
http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_th.gif (http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_screen2-1.gif )
Click the image to enlarge it
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode (http://www.computerhope.com/issues/chsafe.htm ).
Step 3 | Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe ) to your desktop.
Be sure to disable your security programs
Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
A window will open on your desktop
if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
If nothing unusual is found just press Enter A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.
aspengrove22
2011-03-27, 18:24
Step 1:
I also ran Eusing registry cleaner. I ran Malwarebytes Anti-Malware and AVG but the scans did not detect anything.
Combofix log below:
ComboFix 11-03-23.03 - Nathan 03/23/2011 18:02:24.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1889 [GMT -4:00]
Running from: c:\users\Nathan\Desktop\rain.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
SP: Kaspersky Anti-Virus *Disabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Downloaded Installers
c:\program files\SelectRebates
c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
c:\program files\SelectRebates\FFToolbar\install.rdf
c:\program files\SelectRebates\SahImages\alert.png
c:\program files\SelectRebates\SahImages\check.png
c:\program files\SelectRebates\SahImages\close.png
c:\program files\SelectRebates\SelectAlerts.dat
c:\program files\SelectRebates\SelectRebatesA.dat
c:\program files\SelectRebates\SelectRebatesB.dat
c:\program files\SelectRebates\SelectRebatesBT.dat
c:\program files\SelectRebates\SelectRebatesH.dat
c:\program files\SelectRebates\Toolbar\AddtoList.bmp
c:\program files\SelectRebates\Toolbar\basis.xml
c:\program files\SelectRebates\Toolbar\Basis.xml.dym
c:\program files\SelectRebates\Toolbar\Blank.bmp
c:\program files\SelectRebates\Toolbar\CashBack.bmp
c:\program files\SelectRebates\Toolbar\Coupons.bmp
c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp
c:\program files\SelectRebates\Toolbar\i_magnifying.bmp
c:\program files\SelectRebates\Toolbar\icons.bmp
c:\program files\SelectRebates\Toolbar\logo.bmp
c:\program files\SelectRebates\Toolbar\logo_24.bmp
c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp
c:\program files\SelectRebates\Toolbar\ReviewSite.bmp
c:\program files\SelectRebates\Toolbar\RightControls.dym
c:\program files\SelectRebates\Toolbar\sahtb-alert.bmp
c:\program files\SelectRebates\Toolbar\sahtb-go.bmp
c:\program files\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-icons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-restaurant.bmp
c:\program files\SelectRebates\Toolbar\sahtb-wishlist.bmp
c:\program files\SelectRebates\Toolbar\Scissors.bmp
c:\users\Nathan\AppData\Roaming\Microsoft\Windows\Recent\VideoLAN Website.url
I:\AUTORUN.INF
.
.
((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
.
.
2011-03-23 22:15 . 2011-03-23 22:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-22 19:57 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-22 19:57 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-22 19:57 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-17 00:21 . 2011-03-17 03:19 -------- d-----w- c:\users\Nathan\AppData\Roaming\dvdcss
2011-03-13 15:32 . 2011-03-13 15:32 -------- d-----w- c:\program files\vso
2011-03-12 23:51 . 2011-03-12 23:51 -------- d-----w- c:\program files\uTorrent
2011-03-12 23:51 . 2011-03-23 22:11 -------- d-----w- c:\users\Nathan\AppData\Roaming\uTorrent
2011-03-11 20:12 . 2011-03-11 20:12 -------- d-----w- c:\windows\system32\Adobe
2011-03-10 00:45 . 2011-03-10 00:45 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-03-10 00:45 . 2011-03-10 00:56 -------- d-----w- C:\Of Great Worth
2011-03-09 04:42 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 04:42 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 04:42 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 04:42 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 04:42 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 04:42 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-15 02:46 . 2011-02-15 02:46 695926 ----a-w- c:\windows\system32\unins001.exe
2011-02-03 02:40 . 2010-12-13 14:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-31 20:41 . 2011-01-31 20:41 28672 ----a-w- c:\windows\system32\qttask.exe
2011-01-26 20:03 . 2011-01-26 20:03 3584 ----a-r- c:\users\Nathan\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2011-01-20 16:37 . 2011-02-09 07:15 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-09 07:15 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-09 07:15 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-09 07:15 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-09 07:15 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-09 07:15 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-09 07:15 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-09 07:15 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-09 07:15 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-09 07:15 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-09 07:15 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-09 07:15 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-09 07:15 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-09 07:15 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-09 07:15 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-09 07:15 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-09 07:15 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-09 07:15 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-09 07:15 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-09 07:15 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-09 07:15 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-09 07:15 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-09 07:15 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-09 07:15 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-09 07:15 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47 . 2011-02-09 07:15 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-09 07:15 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-09 07:15 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55 . 2011-01-13 18:36 413696 ----a-w- c:\windows\system32\odbc32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-03-12 399224]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-27 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-27 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-11-03 365336]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe [2008-9-8 430080]
ZyXEL G-220 v2 Wireless Adapter Utility.lnk - c:\program files\ZyXEL G-220v2\ZyXEL G-220 v2.exe [2010-12-11 10850304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-03 136176]
R3 bcm;WiMAX Network Adapter;c:\windows\system32\DRIVERS\drxvi314.sys [2010-03-27 319488]
R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\DRIVERS\BcmBusCtr.sys [2010-03-27 51456]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-12-13 691696]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2010-06-09 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2010-04-22 22104]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-03 19984]
S3 XG762_VS;ZyXEL 802.11g XG762 1211 Vista Driver;c:\windows\system32\DRIVERS\WlanGZG.sys [2008-05-08 873472]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-03 01:59]
.
2011-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-03 01:59]
.
2011-03-23 c:\windows\Tasks\User_Feed_Synchronization-{8939D5E6-8F4F-4213-B197-1909C66440E1}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Nathan\AppData\Roaming\Mozilla\Firefox\Profiles\e6ivt07i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{6edc3889-b841-4127-a2bf-c5fc48f972c7} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{6EDC3889-B841-4127-A2BF-C5FC48F972C7} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-23 18:16
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-23 18:18:55
ComboFix-quarantined-files.txt 2011-03-23 22:18
.
Pre-Run: 121,798,684,672 bytes free
Post-Run: 121,749,012,480 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=15 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
- - End Of File - - 82FE6F33C3CCD7E721196ACD3F39B6EB
aspengrove22
2011-03-27, 19:15
Step Two, GMER.txt:
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-27 12:13:00
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000054 Hitachi_ rev.GM2O
Running: d3et6rm9.exe; Driver: C:\Users\Nathan\AppData\Local\Temp\kgdiqpow.sys
aspengrove22
2011-03-27, 19:15
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0x910B7DAA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcConnectPort [0x910B9FE8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcCreatePort [0x910BA262]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcSendWaitReceivePort [0x910BA4D8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwClose [0x910B86BE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwConnectPort [0x910B94F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateEvent [0x910B9A3C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateFile [0x910B899A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateMutant [0x910B9922]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0x910B7998]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreatePort [0x910B97F6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSection [0x910B7B40]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSemaphore [0x910B9B5C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateThread [0x910B8344]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateWaitablePort [0x910B988C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDebugActiveProcess [0x910BB24A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0x910B8E1C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDuplicateObject [0x910BC458]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwFsControlFile [0x910B8C2A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwLoadDriver [0x910BB33C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwMapViewOfSection [0x910BBAA4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenEvent [0x910B9AD2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenFile [0x910B8740]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenMutant [0x910B99B2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenProcess [0x910B7FE8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSection [0x910BB83E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSemaphore [0x910B9BF2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenThread [0x910B7ED8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueryDirectoryObject [0x910BA7DC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQuerySection [0x910BBDDE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueueApcThread [0x910BB6D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplaceKey [0x910B6652]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyPort [0x910B9F56]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0x910B9E1C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0x910BAFE4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwRestoreKey [0x910B69CA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwResumeThread [0x910BC2FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSaveKey [0x910B65EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSecureConnectPort [0x910B9238]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetContextThread [0x910B8560]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetInformationToken [0x910BA87E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetSecurityObject [0x910BB4DA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetSystemInformation [0x910BBF2E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendProcess [0x910BC020]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendThread [0x910BC15A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSystemDebugControl [0x910BB16E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateProcess [0x910B818E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateThread [0x910B80E4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0x910BBC82]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0x910B827A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateThreadEx [0x910B8442]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateUserProcess [0x910BA722]
INT 0x51 ? 86C10BF8
INT 0x52 ? 8816DBF8
INT 0x62 ? 8816DBF8
INT 0x82 ? 86C12BF8
INT 0x92 ? 86C10BF8
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 119 830E089C 4 Bytes [AA, 7D, 0B, 91] {STOSB ; JGE 0xe; XCHG ECX, EAX}
.text ntkrnlpa.exe!KeSetEvent + 13D 830E08C0 8 Bytes CALL E59F1464
.text ntkrnlpa.exe!KeSetEvent + 181 830E0904 4 Bytes [D8, A4, 0B, 91]
.text ntkrnlpa.exe!KeSetEvent + 1A9 830E092C 4 Bytes [BE, 86, 0B, 91]
.text ntkrnlpa.exe!KeSetEvent + 1C1 830E0944 4 Bytes [F2, 94, 0B, 91]
.text ...
? System32\Drivers\spkx.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 843B641B 5 Bytes JMP 8816D1D8
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x9060F340, 0x3DC617, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!CreateDialogParamW 774C72A2 5 Bytes JMP 6FEFDEF8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!GetAsyncKeyState 774C863C 5 Bytes JMP 6FE18F37 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!SetWindowsHookExW 774C87AD 5 Bytes JMP 6FEF9B15 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!CallNextHookEx 774C8E3B 5 Bytes JMP 6FEED16D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!UnhookWindowsHookEx 774C98DB 5 Bytes JMP 6FE64666 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!EnableWindow 774CCD8B 5 Bytes JMP 6FEFDD85 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!CreateWindowExW 774D1305 5 Bytes JMP 6FEFDB6C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!GetKeyState 774D8CB1 5 Bytes JMP 6FEFD333 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!IsDialogMessageW 774E0745 5 Bytes JMP 6FE25A13 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!CreateDialogParamA 774E17AA 5 Bytes JMP 6FFF5CB4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!IsDialogMessage 774E1847 5 Bytes JMP 6FFF5550 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!CreateDialogIndirectParamA 774E26F1 5 Bytes JMP 6FFF5CEB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!CreateDialogIndirectParamW 774E9A62 5 Bytes JMP 6FFF5D22 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!SetKeyboardState 774F0987 5 Bytes JMP 6FFF58BF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!DialogBoxParamW 774F10B0 5 Bytes JMP 6FE25501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!DialogBoxIndirectParamW 774F2EF5 5 Bytes JMP 6FFF502F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!SendInput 774F2F75 5 Bytes JMP 6FFF647B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!EndDialog 774F326E 5 Bytes JMP 6FE27EBA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!SetCursorPos 77506FB2 5 Bytes JMP 6FFF64CF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!DialogBoxParamA 77508152 5 Bytes JMP 6FFF4FCC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!DialogBoxIndirectParamA 7750847D 5 Bytes JMP 6FFF5092 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!MessageBoxIndirectA 7751D4D9 5 Bytes JMP 6FFF4F61 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!MessageBoxIndirectW 7751D5D3 5 Bytes JMP 6FFF4EF6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!MessageBoxExA 7751D639 5 Bytes JMP 6FFF4E94 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!MessageBoxExW 7751D65D 5 Bytes JMP 6FFF4E32 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] USER32.dll!keybd_event 7751D972 5 Bytes JMP 6FFF67FF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] SHELL32.dll!SHRestricted + D95 762C89A8 4 Bytes [4D, 30, 5E, 6D] {DEC EBP; XOR [ESI+0x6d], BL}
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] SHELL32.dll!SHRestricted + D9D 762C89B0 8 Bytes [57, 2F, 5E, 6D, 9C, 5B, 5D, ...] {PUSH EDI; DAS ; POP ESI; INSD ; PUSHF ; POP EBX; POP EBP; INSD }
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] ole32.dll!OleLoadFromStream 77391E80 5 Bytes JMP 6FFF53B0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5400] ole32.dll!CoCreateInstance 773C9F3E 5 Bytes JMP 6FEFDBC8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5800] USER32.dll!CreateWindowExW 774D1305 5 Bytes JMP 6FEFDB6C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5800] USER32.dll!DialogBoxParamW 774F10B0 5 Bytes JMP 6FE25501 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5800] USER32.dll!DialogBoxIndirectParamW 774F2EF5 5 Bytes JMP 6FFF502F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5800] USER32.dll!DialogBoxParamA 77508152 5 Bytes JMP 6FFF4FCC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5800] USER32.dll!DialogBoxIndirectParamA 7750847D 5 Bytes JMP 6FFF5092 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5800] USER32.dll!MessageBoxIndirectA 7751D4D9 5 Bytes JMP 6FFF4F61 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5800] USER32.dll!MessageBoxIndirectW 7751D5D3 5 Bytes JMP 6FFF4EF6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5800] USER32.dll!MessageBoxExA 7751D639 5 Bytes JMP 6FFF4E94 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5800] USER32.dll!MessageBoxExW 7751D65D 5 Bytes JMP 6FFF4E32 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 86C2D1F8
Device \FileSystem\fastfat \FatCdrom 89AF4400
Device \FileSystem\udfs \UdfsCdRom 872C2500
Device \FileSystem\udfs \UdfsDisk 872C2500
Device \Driver\volmgr \Device\VolMgrControl 86C2F1F8
Device \Driver\usbohci \Device\USBPDO-0 881671F8
Device \Driver\usbehci \Device\USBPDO-1 881661F8
Device \Driver\nvstor32 \Device\00000054 86C2B1F8
Device \Driver\nvstor32 \Device\00000055 86C2B1F8
Device \Driver\USBSTOR \Device\00000061 89873500
AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
Device \Driver\volmgr \Device\HarddiskVolume1 86C2F1F8
Device \Driver\volmgr \Device\HarddiskVolume2 86C2F1F8
Device \Driver\cdrom \Device\CdRom0 87FA41F8
Device \Driver\volmgr \Device\HarddiskVolume3 86C2F1F8
Device \Driver\atapi \Device\Ide\IdePort0 86C2C1F8
Device \Driver\atapi \Device\Ide\IdePort1 86C2C1F8
Device \Driver\USBSTOR \Device\00000066 89873500
Device \Driver\volmgr \Device\HarddiskVolume4 86C2F1F8
Device \Driver\USBSTOR \Device\00000067 89873500
Device \Driver\volmgr \Device\HarddiskVolume5 86C2F1F8
Device \Driver\USBSTOR \Device\00000069 89873500
Device \Driver\netbt \Device\NetBt_Wins_Export 897A12A0
Device \Driver\Smb \Device\NetbiosSmb 89798500
Device \Driver\netbt \Device\NetBT_Tcpip_{0222303F-CCA0-495C-BD4E-3F7B80735DF3} 897A12A0
Device \Driver\nvstor32 \Device\RaidPort0 86C2B1F8
AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
Device \Driver\USBSTOR \Device\0000005d 89873500
Device \Driver\iScsiPrt \Device\RaidPort1 881BF1F8
AttachedDevice \Driver\tdx \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
Device \Driver\USBSTOR \Device\0000005e 89873500
Device \Driver\usbohci \Device\USBFDO-0 881671F8
Device \Driver\usbehci \Device\USBFDO-1 881661F8
Device \FileSystem\fastfat \Fat 89AF4400
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\cdfs \Cdfs 881941F8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB8 0x3E 0x8D 0xC3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9D 0xE9 0xE4 0x4D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB8 0x3E 0x8D 0xC3 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9D 0xE9 0xE4 0x4D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB8 0x3E 0x8D 0xC3 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9D 0xE9 0xE4 0x4D ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB8 0x3E 0x8D 0xC3 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9D 0xE9 0xE4 0x4D ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB8 0x3E 0x8D 0xC3 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9D 0xE9 0xE4 0x4D ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB8 0x3E 0x8D 0xC3 ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9D 0xE9 0xE4 0x4D ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB8 0x3E 0x8D 0xC3 ...
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9D 0xE9 0xE4 0x4D ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet012\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet013\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet014\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet015\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet016\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC6 0x7C 0xD5 0x4A ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Users\Public\Documents\Pinnacle\Content\MotionTitles\-Looks\Standard\01 \x2013 Soft Shadow Looks.ixLook 1
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...
---- EOF - GMER 1.0.15 ----
aspengrove22
2011-03-27, 19:18
Step 3, MBR Check:
MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: ECS
BIOS Manufacturer: Phoenix Technologies, LTD
System Manufacturer: Compaq-Presario
System Product Name: NC696AA-ABA SR5710Y
Logical Drives Mask: 0x0000017c
Kernel Drivers (total 153):
0x83034000 \SystemRoot\system32\ntkrnlpa.exe
0x83001000 \SystemRoot\system32\hal.dll
0x80408000 \SystemRoot\system32\kdcom.dll
0x8040F000 \SystemRoot\system32\PSHED.dll
0x80420000 \SystemRoot\system32\BOOTVID.dll
0x80428000 \SystemRoot\system32\CLFS.SYS
0x80469000 \SystemRoot\system32\CI.dll
0x8B607000 \SystemRoot\system32\DRIVERS\kl1.sys
0x8BB29000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8BBA5000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8060F000 \SystemRoot\System32\Drivers\spkx.sys
0x80702000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x8070B000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x80731000 \SystemRoot\system32\drivers\acpi.sys
0x80777000 \SystemRoot\system32\drivers\msisadrv.sys
0x8077F000 \SystemRoot\system32\drivers\pci.sys
0x807A6000 \SystemRoot\System32\drivers\partmgr.sys
0x807B5000 \SystemRoot\system32\drivers\volmgr.sys
0x8BBB2000 \SystemRoot\System32\drivers\volmgrx.sys
0x807C4000 \SystemRoot\system32\drivers\pciide.sys
0x807CB000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x807D9000 \SystemRoot\System32\drivers\mountmgr.sys
0x80549000 \SystemRoot\system32\drivers\nvraid.sys
0x80564000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x807E9000 \SystemRoot\system32\drivers\atapi.sys
0x80585000 \SystemRoot\system32\drivers\ataport.SYS
0x805A3000 \SystemRoot\system32\DRIVERS\nvstor32.sys
0x83601000 \SystemRoot\system32\DRIVERS\storport.sys
0x83642000 \SystemRoot\system32\drivers\fltmgr.sys
0x83674000 \SystemRoot\system32\drivers\fileinfo.sys
0x83684000 \SystemRoot\System32\Drivers\ksecdd.sys
0x836F5000 \SystemRoot\system32\drivers\ndis.sys
0x805C8000 \SystemRoot\system32\drivers\msrpc.sys
0x8420E000 \SystemRoot\system32\drivers\NETIO.SYS
0x84249000 \SystemRoot\System32\drivers\tcpip.sys
0x84333000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8BC08000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8BD18000 \SystemRoot\system32\drivers\volsnap.sys
0x8BD51000 \SystemRoot\System32\Drivers\spldr.sys
0x8BD59000 \SystemRoot\System32\Drivers\mup.sys
0x8BD68000 \SystemRoot\System32\drivers\ecache.sys
0x8BD8F000 \SystemRoot\system32\drivers\disk.sys
0x8BDA0000 \SystemRoot\system32\drivers\crcdisk.sys
0x8BDE5000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8BDF0000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8434E000 \SystemRoot\system32\DRIVERS\amdk8.sys
0x8435E000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x84371000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8437C000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x84386000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x843C4000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x90004000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
0x90050000 \SystemRoot\system32\DRIVERS\ks.sys
0x9007A000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
0x9020D000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x902C2000 \SystemRoot\system32\drivers\modem.sys
0x902CF000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x90404000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x90504000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x9060F000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x90D31000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x90DD1000 \SystemRoot\System32\drivers\watchdog.sys
0x9051C000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x90DDD000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x90DE8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x90600000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x9054B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x9056E000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x9057D000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x90591000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x905A6000 \SystemRoot\system32\DRIVERS\termdd.sys
0x905B6000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x9060B000 \SystemRoot\system32\DRIVERS\swenum.sys
0x905C1000 \SystemRoot\system32\DRIVERS\MarvinBus.sys
0x905EF000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x9035C000 \SystemRoot\system32\DRIVERS\NWADIenum.sys
0x90399000 \SystemRoot\system32\DRIVERS\umbus.sys
0x903A6000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x903DB000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x90E02000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x91039000 \SystemRoot\system32\drivers\portcls.sys
0x91066000 \SystemRoot\system32\drivers\drmk.sys
0x9108B000 \SystemRoot\system32\DRIVERS\klif.sys
0x9110E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x91117000 \SystemRoot\System32\Drivers\Null.SYS
0x9111E000 \SystemRoot\System32\Drivers\Beep.SYS
0x91125000 \SystemRoot\System32\drivers\vga.sys
0x91131000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x91152000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x9115A000 \SystemRoot\system32\drivers\rdpencdd.sys
0x91162000 \SystemRoot\System32\Drivers\Msfs.SYS
0x9116D000 \SystemRoot\System32\Drivers\Npfs.SYS
0x9117B000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x91184000 \SystemRoot\system32\DRIVERS\tdx.sys
0x9119A000 \SystemRoot\system32\DRIVERS\kl2.sys
0x911A0000 \SystemRoot\system32\DRIVERS\smb.sys
0x911B4000 \SystemRoot\System32\DRIVERS\netbt.sys
0x9017C000 \SystemRoot\system32\drivers\afd.sys
0x911E6000 \SystemRoot\system32\DRIVERS\pacer.sys
0x903EC000 \SystemRoot\system32\DRIVERS\klim6.sys
0x901C4000 \SystemRoot\system32\DRIVERS\netbios.sys
0x901D2000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x9120E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9124A000 \SystemRoot\system32\drivers\nsiproxy.sys
0x91254000 \SystemRoot\System32\Drivers\dfsc.sys
0x9126B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x91274000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x91284000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x9128B000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x9128D000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x91295000 \SystemRoot\system32\DRIVERS\klmouflt.sys
0x9129E000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x912B4000 \SystemRoot\System32\Drivers\crashdmp.sys
0x912C1000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x912CB000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
0x912F0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x99C30000 \SystemRoot\System32\win32k.sys
0x91305000 \SystemRoot\System32\drivers\Dxapi.sys
0x9130F000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x901E5000 \SystemRoot\system32\DRIVERS\monitor.sys
0x91200000 \SystemRoot\system32\DRIVERS\usbscan.sys
0x903F4000 \SystemRoot\system32\DRIVERS\usbprint.sys
0x8BDA9000 \SystemRoot\System32\Drivers\fastfat.SYS
0x99E50000 \SystemRoot\System32\TSDDD.dll
0x99E70000 \SystemRoot\System32\cdd.dll
0x99E80000 \SystemRoot\System32\ATMFD.DLL
0x843D3000 \SystemRoot\system32\drivers\luafv.sys
0x9E200000 \SystemRoot\system32\drivers\spsys.sys
0x9E2B0000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x9E2C0000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x9E2EA000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9E2F4000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9E307000 \SystemRoot\system32\drivers\HTTP.sys
0x9E374000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9E391000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9E3AA000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9E3BF000 \SystemRoot\system32\drivers\mrxdav.sys
0x9E3E0000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA0803000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xA083C000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xA0854000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA087C000 \SystemRoot\System32\DRIVERS\srv.sys
0xA08CA000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA08CE000 \SystemRoot\system32\drivers\peauth.sys
0xA09AC000 \SystemRoot\System32\Drivers\secdrv.SYS
0xA09B6000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA09C2000 \SystemRoot\system32\DRIVERS\xaudio.sys
0xA09CA000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0xA09DF000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
0xE1A03000 \SystemRoot\system32\DRIVERS\udfs.sys
0xE1A3E000 \??\C:\Users\Nathan\AppData\Local\Temp\kgdiqpow.sys
0xE1A57000 \SystemRoot\system32\DRIVERS\WlanGZG.sys
0x776A0000 \Windows\System32\ntdll.dll
Processes (total 62):
0 System Idle Process
4 System
524 C:\Windows\System32\smss.exe
656 csrss.exe
712 C:\Windows\System32\wininit.exe
720 csrss.exe
756 C:\Windows\System32\services.exe
772 C:\Windows\System32\lsass.exe
780 C:\Windows\System32\lsm.exe
860 C:\Windows\System32\winlogon.exe
964 C:\Windows\System32\svchost.exe
1008 C:\Windows\System32\nvvsvc.exe
1036 C:\Windows\System32\svchost.exe
1080 C:\Windows\System32\svchost.exe
1168 C:\Windows\System32\svchost.exe
1232 C:\Windows\System32\svchost.exe
1248 C:\Windows\System32\svchost.exe
1332 C:\Windows\System32\audiodg.exe
1356 C:\Windows\System32\svchost.exe
1388 C:\Windows\System32\SLsvc.exe
1448 C:\Windows\System32\svchost.exe
1528 C:\Windows\System32\rundll32.exe
1688 C:\Windows\System32\svchost.exe
1892 C:\Windows\System32\dwm.exe
1936 C:\Windows\explorer.exe
2016 C:\Windows\System32\spoolsv.exe
2036 C:\Windows\System32\taskeng.exe
124 C:\Windows\System32\svchost.exe
644 C:\Windows\System32\taskeng.exe
2452 C:\Windows\System32\svchost.exe
2584 C:\Windows\System32\svchost.exe
2768 C:\Windows\System32\svchost.exe
2840 C:\Windows\System32\SearchIndexer.exe
2936 C:\Windows\System32\drivers\XAudio.exe
3172 WUDFHost.exe
3224 C:\hp\support\hpsysdrv.exe
3240 C:\Windows\System32\rundll32.exe
3288 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
3356 C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
3364 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3372 C:\Windows\ehome\ehtray.exe
3404 C:\Program Files\Windows Media Player\wmpnscfg.exe
3424 C:\Program Files\PictureMover\Bin\PictureMover.exe
3440 C:\Program Files\ZyXEL G-220v2\ZyXEL G-220 v2.exe
3576 C:\Windows\ehome\ehmsas.exe
3804 C:\Program Files\Windows Media Player\wmpnetwk.exe
3312 C:\Windows\System32\svchost.exe
2236 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
2576 C:\Windows\System32\wuauclt.exe
4272 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
5800 C:\Program Files\Internet Explorer\iexplore.exe
5400 C:\Program Files\Internet Explorer\iexplore.exe
5272 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtblfs.exe
5468 C:\Windows\System32\mobsync.exe
3204 C:\Windows\System32\SearchProtocolHost.exe
5664 C:\Windows\System32\SearchFilterHost.exe
4268 C:\Program Files\Internet Explorer\iexplore.exe
3400 C:\Windows\System32\SearchProtocolHost.exe
5060 C:\Windows\System32\dllhost.exe
3728 dllhost.exe
2984 dllhost.exe
2520 C:\Users\Nathan\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000037`68580800 (NTFS)
\\.\I: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)
PhysicalDrive0 Model Number: HitachiHDP725025GLA, Rev: GM2O
PhysicalDrive1 Model Number: WD5000AAC External, Rev: 1.75
Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Hewlett-Packard MBR code detected
SHA1: F362CE084BC77B454330005C1657154A64FB9456
465 GB \\.\PhysicalDrive1 RE: Unknown MBR code
SHA1: D90653CCC05EE39D4D44E1F67C33297D65F3ED4F
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Done!
Blottedisk
2011-03-27, 22:16
Hi aspengrove22,
How's the machine running now? Please keep your USB drive plugged in and follow these steps:
Step 1 | Please download CCleaner (freeware) (http://www.majorgeeks.com/download4191.html )
Run the installer.
Once installed, run CCleaner click the Windows [tab]
The following should be selected by default, if not, please select:
http://i210.photobucket.com/albums/bb164/jedi_030/CCleanerA.png
Next: click Options (in the left panel) and click the Advanced button.
Uncheck: "Only delete files in Windows Temp folders older than 24 hours."
Go back to Cleaner (in the left panel) and click the Run Cleaner button (bottom right). Then exit CCleaner.
Step 2 | As you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:
Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update have been completed, Select the Scanner tab.
Select Perform Quick scan, then click on Scan
When done, you will be prompted. Click OK. If Items are found, then click on Show Results
Check all items then click on Remove Selected
After it has removed the items, Notepad will open. Please post this log in your next reply.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Or via the Logs tab when the application is started.
Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.
Step 3 | Let's perform an ESET Online Scan
Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here (http://www.bleepingcomputer.com/forums/topic114351.html ).
Please go here (http://www.eset.com/onlinescan/ ) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif (Selecting Uninstall application on close if you so wish)
aspengrove22
2011-03-28, 01:50
The computer is not running well. Sometimes I have to click on Icons on the desk top multiple times before the files will be executed. Navigating through Windows Explorer is slow and difficult. I also get the blue screen of death frequently when running multiple programs.
I just finished running CCleaner, now will run Malwarebytes.
aspengrove22
2011-03-28, 01:57
Malwarebytes found "no malicious items". Here is the log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6187
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019
3/27/2011 6:54:31 PM
mbam-log-2011-03-27 (18-54-31).txt
Scan type: Quick scan
Objects scanned: 150509
Time elapsed: 3 minute(s), 0 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
aspengrove22
2011-03-28, 04:51
ESET scan found the following threats:
C:\Users\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\290a52e3-4b3921ed multiple threats
C:\Users\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\33af523f-449f1a83 a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\Nathan\Downloads\FixCleanerSetup.exe Win32/Adware.ErrorRepair application
I:\Desktop Backup\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\201fcf81-5aa7a4dd Java/TrojanDownloader.Agent.NBU trojan
I:\Desktop Backup\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\15585d14-717a09e2 probably a variant of Win32/Agent.RPSVWU trojan
I:\Desktop Backup\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\25\1febdf59-31447e4d probably a variant of Win32/Agent.RPSVWU trojan
I:\Desktop Backup\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\6abb74a3-4a6d053f a variant of Java/Rowindal.A trojan
I:\Desktop Backup\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\739d2831-143750e9 multiple threats
I:\Desktop Backup\Nathan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\7e3a46b9-74237f7b multiple threats
I:\My Documents\isetup\iSetup.exe probably a variant of Win32/Genetik trojan
The log.txt file only contained the following:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
I realized that a bunch of these threats were actually on the I: drive, which is my portable hard drive. I think the Java problem is also present on at least one other of my computers, including my laptop.
That completes all of the current tasks, I'd appreciate any help with figuring out the next step.
Thanks
Blottedisk
2011-03-28, 05:27
Hi aspengrove22, thanks for the logs.
The computer is not running well. Sometimes I have to click on Icons on the desk top multiple times before the files will be executed. Navigating through Windows Explorer is slow and difficult. I also get the blue screen of death frequently when running multiple programs.
Were this issues happening before you become infected?
Please follow these steps (keep your portable hard drive plugged in):
Step 1 | Some of the infections are in both Java`s Caches from your main hard drive and your portable drive. We are going to download the latest version of Java, uninstall your current version, install the new version, and flush the cache. But you just need to perform this in your main drive. Regarding your portable drive, we are just removing the Java folder in next step; you don't really need a backup of Java.
Please follow these steps to remove older version Java components and update.
Click on the following link to visit java website: Java Runtime Environment (JRE) 6 (http://www.oracle.com/technetwork/java/javase/downloads/index.html )
Scroll down to where it says "JDK 6 Update 24 (JDK or JRE)".
Click the "Download" button to the right column (JRE).
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the recently downloaded java installer icon to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked
Applications and AppletsTrace and Log Files
Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.
Step 2 | Please navigate to the following location:
I:\Desktop Backup\Nathan\AppData\LocalLow\Sun
Select the folder Java and delete it.
Step 3 | Do you recognize the following file?
I:\My Documents\isetup\iSetup.exe
Please go to the following site to scan it: Virus Total (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.virustotal.com )
Click on Browse, and upload the following file for analysis:
I:\My Documents\isetup\iSetup.exe
Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
Step 4 | C:\Users\Nathan\Downloads\FixCleanerSetup.exe ---> This seems a Registry Cleaner. I don't recommend using registry cleaners; in addition this one was flagged by ESET as Adware. I recommend you to remove this installer and then uninstall the program from your PC.
Step 5 | Please take a new, fresh DDS log. Post the contents of dds.txt and attach the file attach.txt
aspengrove22
2011-03-29, 01:19
The slowing down problems are new. The blue screen is older and might be due to defective RAM but I'm not sure.
Step 1: Done
Step 2: Done
Step 3:
I don't recognize the iSetup item. I can't remember where it came from. Here are the results of the online scan:
File name: iSetup.exe
Submission date: 2011-03-28 21:48:48 (UTC)
Current status: queued queued analysing finished
Result: 2/ 43 (4.7%)
AhnLab-V3 2011.03.29.00 2011.03.28 -
AntiVir 7.11.5.99 2011.03.28 -
Antiy-AVL 2.0.3.7 2011.03.28 -
Avast 4.8.1351.0 2011.03.28 -
Avast5 5.0.677.0 2011.03.28 -
AVG 10.0.0.1190 2011.03.28 -
BitDefender 7.2 2011.03.28 -
CAT-QuickHeal 11.00 2011.03.28 -
ClamAV 0.96.4.0 2011.03.28 -
Commtouch 5.2.11.5 2011.03.24 -
Comodo 8135 2011.03.28 -
DrWeb 5.0.2.03300 2011.03.28 -
Emsisoft 5.1.0.4 2011.03.28 -
eSafe 7.0.17.0 2011.03.27 -
eTrust-Vet 36.1.8240 2011.03.28 -
F-Prot 4.6.2.117 2011.03.28 -
F-Secure 9.0.16440.0 2011.03.23 -
Fortinet 4.2.254.0 2011.03.28 -
GData 21 2011.03.28 -
Ikarus T3.1.1.97.0 2011.03.28 -
Jiangmin 13.0.900 2011.03.28 -
K7AntiVirus 9.94.4235 2011.03.28 -
Kaspersky 7.0.0.125 2011.03.28 -
McAfee 5.400.0.1158 2011.03.28 -
McAfee-GW-Edition 2010.1C 2011.03.28 -
Microsoft 1.6702 2011.03.28 -
NOD32 5994 2011.03.28 probably a variant of Win32/Genetik
Norman 6.07.03 2011.03.28 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.28 -
PCTools 7.0.3.5 2011.03.26 -
Prevx 3.0 2011.03.28 -
Rising 23.51.00.06 2011.03.28 -
Sophos 4.64.0 2011.03.28 Sus/Behav-1008
SUPERAntiSpyware 4.40.0.1006 2011.03.28 -
Symantec 20101.3.0.103 2011.03.28 -
TheHacker 6.7.0.1.160 2011.03.28 -
TrendMicro 9.200.0.1012 2011.03.28 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.28 -
VBA32 3.12.14.3 2011.03.28 -
VIPRE 8851 2011.03.28 -
ViRobot 2011.3.28.4380 2011.03.28 -
VirusBuster 13.6.274.0 2011.03.28 -
Additional information
MD5 : 07593e6566b9e46cd45120c7e1d04bae
SHA1 : a8544c8ef70512905726ab1bcfee89957bfa3090
SHA256: bccef8a5dce9a23f57e198bd9206c30bdc4f1ebdd3caea877f16744522fe4ced
VT Community
This file has never been reviewed by any VT Community member. Be the first one to comment on it!
Step 4:
I deleted the FixCleanerSetup.exe file. It wasn't installed on my computer.
Step 5:
Here is the dds.txt:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Nathan at 18:04:42.95 on Mon 03/28/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1746 [GMT -4:00]
.
AV: Kaspersky Anti-Virus *Enabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Kaspersky Anti-Virus *Enabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\PictureMover\Bin\PictureMover.exe
C:\Program Files\ZyXEL G-220v2\ZyXEL G-220 v2.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtblfs.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Nathan\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\ievkbd.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\cyberlink dvd suite deluxe\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\cyberlink dvd suite deluxe" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe"
mRun: [USBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files\picturemover\bin\PictureMover.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\zyxelg~1.lnk - c:\program files\zyxel g-220v2\ZyXEL G-220 v2.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\nathan\appdata\roaming\mozilla\firefox\profiles\e6ivt07i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2010-4-22 22104]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe [2010-11-2 365336]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19984]
R3 XG762_VS;ZyXEL 802.11g XG762 1211 Vista Driver;c:\windows\system32\drivers\WlanGZG.sys [2010-12-11 873472]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-2 136176]
S3 bcm;WiMAX Network Adapter;c:\windows\system32\drivers\drxvi314.sys [2010-3-26 319488]
S3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2010-3-26 51456]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 ZDCNDIS5;ZDCNDIS Protocol Driver;c:\windows\system32\ZDCndis5.sys [2010-12-11 20736]
.
=============== Created Last 30 ================
.
2011-03-27 23:17:11 -------- d-----w- c:\program files\ESET
2011-03-27 22:42:52 -------- d-----w- c:\program files\CCleaner
2011-03-27 15:17:09 -------- d-----w- c:\users\nathan\My Movie
2011-03-26 15:42:59 -------- d-sh--w- c:\windows\ftpcache
2011-03-26 15:42:54 -------- d-----w- c:\program files\PBS KIDS PLAY
2011-03-25 19:51:53 -------- d-----w- C:\troubleshooting
2011-03-25 11:08:47 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{1bd9d4a6-96fc-4c67-8f1c-10f8a844cf5c}\mpengine.dll
2011-03-24 13:46:32 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-03-24 13:46:27 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-03-23 22:19:02 -------- d-sh--w- C:\$RECYCLE.BIN
2011-03-23 22:00:07 98816 ----a-w- c:\windows\sed.exe
2011-03-23 22:00:07 89088 ----a-w- c:\windows\MBR.exe
2011-03-23 22:00:07 256512 ----a-w- c:\windows\PEV.exe
2011-03-23 22:00:07 161792 ----a-w- c:\windows\SWREG.exe
2011-03-23 22:00:00 -------- d-----w- C:\rain
2011-03-22 19:57:38 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-22 19:57:38 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-22 19:57:38 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-13 15:32:20 -------- d-----w- c:\program files\vso
2011-03-12 23:51:20 -------- d-----w- c:\users\nathan\appdata\roaming\uTorrent
2011-03-11 20:12:27 -------- d-----w- c:\windows\system32\Adobe
2011-03-10 00:45:54 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-03-10 00:45:46 -------- d-----w- C:\Of Great Worth
2011-03-09 04:42:43 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 04:42:43 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 04:42:43 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 04:42:43 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 04:42:42 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 04:42:41 677888 ----a-w- c:\windows\system32\mstsc.exe
.
==================== Find3M ====================
.
2011-03-28 21:45:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-15 02:46:27 695926 ----a-w- c:\windows\system32\unins001.exe
2011-01-31 20:41:15 28672 ----a-w- c:\windows\system32\qttask.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 18:05:51.05 ===============
The "attached" file is attached.
That completes all the tasks for now.
Blottedisk
2011-03-29, 04:25
Hi aspengrove22,
Thanks for completing the tasks. Please keep your portable disk plugged and do the following:
ComboFix - CFScript
WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
Please open Notepad and copy/paste all the text below... into the window:
File::
c:\windows\system32\unins001.exe
Folder::
I:\My Documents\isetup
Save it to your desktop as CFScript.txt
Please disable any Antivirus or Firewall you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
http://i526.photobucket.com/albums/cc345/MPKwings/ComboFixScriptDrag.gif
This will cause ComboFix to run again.
Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
Do Not touch your computer when ComboFix is running!
When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
Please copy/paste the contents of log.txt... in your next reply.
** Enable your Antivirus and Firewall, before connecting to the Internet again! **
aspengrove22
2011-03-30, 16:29
ComboFix 11-03-29.05 - Nathan 03/30/2011 9:09.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.2230 [GMT -4:00]
Running from: c:\users\Nathan\Desktop\ComboFix.exe
Command switches used :: c:\users\Nathan\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *Disabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
SP: Kaspersky Anti-Virus *Disabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\unins001.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\unins001.exe
i:\my documents\isetup
i:\my documents\isetup\iSetup.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-30 )))))))))))))))))))))))))))))))
.
.
2011-03-30 13:21 . 2011-03-30 13:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-30 10:55 . 2011-03-30 10:55 -------- d-----w- c:\program files\uTorrent
2011-03-30 10:54 . 2011-03-30 12:14 -------- d-----w- c:\users\Nathan\AppData\Roaming\uTorrent
2011-03-29 09:43 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{77D2DE53-28B9-4277-8082-368925DCFD8C}\mpengine.dll
2011-03-28 21:46 . 2011-03-28 21:46 -------- d-----w- c:\program files\Common Files\Java
2011-03-27 23:17 . 2011-03-27 23:17 -------- d-----w- c:\program files\ESET
2011-03-27 22:42 . 2011-03-27 22:42 -------- d-----w- c:\program files\CCleaner
2011-03-27 15:17 . 2011-03-27 15:17 -------- d-----w- c:\users\Nathan\My Movie
2011-03-26 15:42 . 2011-03-26 15:42 -------- d-sh--w- c:\windows\ftpcache
2011-03-26 15:42 . 2011-03-30 12:28 -------- d-----w- c:\program files\PBS KIDS PLAY
2011-03-25 19:51 . 2011-03-25 19:52 -------- d-----w- C:\troubleshooting
2011-03-25 19:18 . 2011-03-25 19:19 -------- d-----w- c:\program files\ERUNT
2011-03-24 13:46 . 2011-02-02 22:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-03-23 22:00 . 2011-03-23 22:19 -------- d-----w- C:\rain
2011-03-22 19:57 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-22 19:57 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-22 19:57 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-17 00:21 . 2011-03-17 03:19 -------- d-----w- c:\users\Nathan\AppData\Roaming\dvdcss
2011-03-13 15:32 . 2011-03-13 15:32 -------- d-----w- c:\program files\vso
2011-03-11 20:12 . 2011-03-11 20:12 -------- d-----w- c:\windows\system32\Adobe
2011-03-10 00:45 . 2011-03-10 00:45 -------- d-----w- c:\program files\Microsoft ActiveSync
2011-03-10 00:45 . 2011-03-10 00:56 -------- d-----w- C:\Of Great Worth
2011-03-09 04:42 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 04:42 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 04:42 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 04:42 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 04:42 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 04:42 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-28 21:45 . 2010-12-13 14:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-31 20:41 . 2011-01-31 20:41 28672 ----a-w- c:\windows\system32\qttask.exe
2011-01-26 20:03 . 2011-01-26 20:03 3584 ----a-r- c:\users\Nathan\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2011-01-20 16:37 . 2011-02-09 07:15 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-09 07:15 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-09 07:15 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-09 07:15 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-09 07:15 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-09 07:15 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-09 07:15 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-09 07:15 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-09 07:15 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-09 07:15 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-09 07:15 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-09 07:15 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-09 07:15 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-09 07:15 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-09 07:15 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-09 07:15 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-09 07:15 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-09 07:15 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-09 07:15 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-09 07:15 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-09 07:15 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-09 07:15 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-09 07:15 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-09 07:15 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-09 07:15 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47 . 2011-02-09 07:15 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-09 07:15 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-09 07:15 2039808 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2011-03-30 399736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-27 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-27 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-11-03 365336]
"USBToolTip"="c:\progra~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe" [2007-02-20 199752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe [2008-9-8 430080]
ZyXEL G-220 v2 Wireless Adapter Utility.lnk - c:\program files\ZyXEL G-220v2\ZyXEL G-220 v2.exe [2010-12-11 10850304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-03 136176]
R3 bcm;WiMAX Network Adapter;c:\windows\system32\DRIVERS\drxvi314.sys [2010-03-27 319488]
R3 bcmbusctr;WiMAX Bus Driver;c:\windows\system32\DRIVERS\BcmBusCtr.sys [2010-03-27 51456]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-12-13 691696]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2010-06-09 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2010-04-22 22104]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-03 19984]
S3 XG762_VS;ZyXEL 802.11g XG762 1211 Vista Driver;c:\windows\system32\DRIVERS\WlanGZG.sys [2008-05-08 873472]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-03 01:59]
.
2011-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-03 01:59]
.
2011-03-30 c:\windows\Tasks\User_Feed_Synchronization-{8939D5E6-8F4F-4213-B197-1909C66440E1}.job
- c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Nathan\AppData\Roaming\Mozilla\Firefox\Profiles\e6ivt07i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-InstaCodecs_is1 - c:\windows\system32\unins001.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-30 09:21
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-30 09:24:09
ComboFix-quarantined-files.txt 2011-03-30 13:24
ComboFix2.txt 2011-03-23 22:18
.
Pre-Run: 117,999,472,640 bytes free
Post-Run: 118,445,473,792 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=16 Sets=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
- - End Of File - - 3CA4FDFCBC8F5C09E2CFA60AB51361AB
Blottedisk
2011-03-30, 20:21
Hi aspengrove22,
I can't find any more malware in the logs. How's the machine working? Can you describe it's behavior please?
Blottedisk
2011-04-04, 02:52
Hi aspengrove22,
Are you still with us?
Blottedisk
2011-04-05, 06:13
Due to the lack of feedback, this Topic is closed. If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else please read the guidelines to request assistance (http://forums.spybot.info/showthread.php?t=288) and begin a New Topic.