PDA

View Full Version : Not quite sure what to think...



knightmarez28
2011-09-11, 06:34
So I'm doing random directory scans with spybot and I get to C:\windows\assemlby and apparently heuristic scans found over 40 fraud.windowsrecover and fraud.internetsecurity2011. Full scan of microsoft security essentials (updated about 5 am sept. 9), ad-aware (installed today), hijackthis (installed today) and spybot turns up nothing. Let me take that back, adaware did find some trojans and removed them successfully. Nothing major. Anyways, I did download the root analyzer as well and it didn't come up with anything. Computer bluescreened on me earlier and I've been fighting to get windows back in order ever since. Windows update last checked this morning as well so I have all the security updates and such. Anyways, I copied a full list of all the assemblies that were infected, guess I just want to know if it would be a false positive or what? Worse come to worse, I have no problems reformating as I have anything I want to keep on a separate drive and just a partition specifically for windows. I apologies if I'm posting in the wrong section or forgetting to take a step before posting, been staring at this screen for about 15 hours today (not all at once, of course).
Thanks in advance

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by David at 22:48:57 on 2011-09-10
Neo Reconia Windows Shine Edition 6.1.7601.1.1252.1.1033.18.4094.2598 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\UnsignedThemesSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Notepad2\Notepad2.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDFiles.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uLocal Page = www.google.com
uSearch Page = hxxp://www.google.com/
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = www.google.com
mStart Page = www.google.com
mDefault_Search_URL = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.google.com/
mLocal Page = hxxp://www.google.com/
mSearch Page = hxxp://www.google.com/
uURLSearchHooks: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\4.6\youtubedownloaderToolbarIE.dll
mWinlogon: Userinit=userinit.exe
BHO: FileServeManager: {00000001-ab3b-4334-9da2-ec6b2a02afc6} - C:\Program Files (x86)\FileServe Manager\FileServeBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\4.6\youtubedownloaderToolbarIE.dll
TB: YouTube Downloader Toolbar: {f3fee66e-e034-436a-86e4-9690573bee8a} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\4.6\youtubedownloaderToolbarIE.dll
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Download with FileServe Manager - C:\Program Files (x86)\FileServe Manager\GetUrl.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
Trusted Zone: blackviper.com\www
Trusted Zone: facebook.com\www
Trusted Zone: google.com\www
Trusted Zone: hotmail.com\www
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\www
Trusted Zone: msn.com\www
Trusted Zone: yahoo.com\www
Trusted Zone: youtube.com\www
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E98E8CDF-5B4C-4FBB-9A97-3586B896239A} : DhcpNameServer = 192.168.1.1
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\SysWow64\DreamScene.dll
IFEO: notepad.exe - "C:\Program Files\Notepad2\Notepad2.exe" /z
BHO-X64: FileServeManager: {00000001-AB3B-4334-9DA2-EC6B2A02AFC6} - C:\Program Files (x86)\FileServe Manager\FileServeBHO.dll
BHO-X64: FileServeManager - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: YouTube Downloader Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\4.6\youtubedownloaderToolbarIE.dll
TB-X64: YouTube Downloader Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files (x86)\YouTube Downloader Toolbar\IE\4.6\youtubedownloaderToolbarIE.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
STS-X64: Windows DreamScene: {E31004D1-A431-41B8-826F-E902F9D95C81} - %SystemRoot%\SysWow64\DreamScene.dll
IFEO-X64: notepad.exe - "C:\Program Files\Notepad2\Notepad2.exe" /z
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\lvbthuwk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=937811&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
FF - plugin: C:\Windows\system32\Macromed\Flash\NPSWF64_11_0_1.dll
FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-7-28 361984]
R2 AODDriver4.01;AODDriver4.01;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2011-6-23 55424]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-9-3 1153368]
R2 UnsignedThemes;Unsigned Themes;C:\Windows\UnsignedThemesSvc.exe [2009-7-13 24168]
R2 uxpatch;uxpatch;\??\C:\Windows\system32\drivers\uxpatch.sys --> C:\Windows\system32\drivers\uxpatch.sys [?]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-8-18 2151640]
S3 cpuz134;cpuz134;C:\Program Files (x86)\CPUID\PC Wizard 2010\pcwiz_x64.sys [2011-9-6 21480]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;C:\Windows\system32\drivers\Synth3dVsc.sys --> C:\Windows\system32\drivers\Synth3dVsc.sys [?]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\system32\drivers\terminpt.sys --> C:\Windows\system32\drivers\terminpt.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 tsusbhub;Remote Deskotop USB Hub;C:\Windows\system32\drivers\tsusbhub.sys --> C:\Windows\system32\drivers\tsusbhub.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-09-11 02:35:53 -------- d-----w- C:\Users\David\AppData\Roaming\Safer Networking
2011-09-11 02:35:14 -------- d-----w- C:\Program Files (x86)\Safer Networking
2011-09-10 23:25:10 -------- d-----w- C:\Windows\SysWow64\RTCOM
2011-09-10 22:52:12 16432 ----a-w- C:\Windows\System32\lsdelete.exe
2011-09-10 22:04:01 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-09-10 22:02:31 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys
2011-09-10 22:02:29 -------- d-----w- C:\Program Files (x86)\Lavasoft
2011-09-10 21:10:12 388096 ----a-r- C:\Users\David\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-10 20:31:56 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-09-10 18:50:03 -------- d-----w- C:\Users\David\AppData\Local\Microangelo On Display
2011-09-10 18:50:03 -------- d-----w- C:\ProgramData\Microangelo On Display
2011-09-10 18:49:58 -------- d-----w- C:\Users\David\AppData\Roaming\Icons and Cursors
2011-09-10 18:46:39 -------- d-----w- C:\Windows\CheckSur
2011-09-10 18:25:18 -------- d-----w- C:\Users\David\AppData\Local\Apps
2011-09-10 15:18:28 -------- d-----w- C:\Users\David\AppData\Local\{5E143E51-2E42-47BD-9960-175BF1CD52C1}
2011-09-10 15:18:17 -------- d-----w- C:\Users\David\AppData\Local\{A67F6420-CBB2-406A-B2BF-F42BAB9CDF23}
2011-09-10 15:15:52 -------- d-----w- C:\Windows\PCHEALTH
2011-09-10 15:11:21 -------- d-----w- C:\Users\David\AppData\Local\{BEC64792-B349-49EA-891A-6B9D97964A7D}
2011-09-10 15:06:28 -------- d-----w- C:\Users\David\AppData\Local\{578661FF-BAD2-48FB-A1A5-44222177D9AF}
2011-09-10 11:37:41 8862544 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2F5CE568-0309-4D0F-A75D-D51F572E7052}\mpengine.dll
2011-09-10 11:36:18 -------- d-----w- C:\Users\David\AppData\Local\{835E9A4C-F60A-4016-997C-CFA13316B571}
2011-09-10 11:36:07 -------- d-----w- C:\Users\David\AppData\Local\{080F4431-2DAB-40CF-8ACE-8BA9193D1451}
2011-09-09 18:25:28 -------- d-----w- C:\Users\David\AppData\Local\{81AF8F47-5926-47D8-B8E5-756FDB593A2A}
2011-09-09 18:25:17 -------- d-----w- C:\Users\David\AppData\Local\{710E31BC-0587-4005-B652-17C7166383F9}
2011-09-09 06:24:53 -------- d-----w- C:\Users\David\AppData\Local\{1A47C01B-BC3A-46EB-9BF8-BF2EBCF41B00}
2011-09-09 06:24:42 -------- d-----w- C:\Users\David\AppData\Local\{1FA76C31-69E5-40C5-8078-ABB389BF1FCF}
2011-09-08 18:34:09 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-09-08 18:34:08 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{10DFC224-9A80-48C5-A753-CEF2F673705C}\gapaengine.dll
2011-09-08 18:24:15 -------- d-----w- C:\Users\David\AppData\Local\{92FE38A4-7543-46C6-8ED4-221DA7EBD261}
2011-09-08 18:24:03 -------- d-----w- C:\Users\David\AppData\Local\{72F8ACBC-7CE0-4471-B205-36171D86B36C}
2011-09-07 23:18:44 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-09-07 23:18:41 -------- d-----w- C:\Users\David\AppData\Local\PunkBuster
2011-09-07 23:18:13 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-09-07 23:18:13 215128 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-09-07 23:18:12 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-09-07 23:18:12 2434856 ----a-w- C:\Windows\SysWow64\pbsvc_bc2.exe
2011-09-07 23:15:59 508264 ----a-w- C:\Windows\System32\d3dx10_35.dll
2011-09-07 14:56:48 -------- d-----w- C:\Users\David\AppData\Local\{0FB352DA-2D88-4E9A-871E-CD25AB9A8D68}
2011-09-07 14:56:35 -------- d-----w- C:\Users\David\AppData\Local\{C178127B-925E-402E-86FF-E32323D6273F}
2011-09-07 07:28:12 -------- d-----w- C:\Program Files\Ventrilo
2011-09-07 07:27:49 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2011-09-07 00:44:10 114176 ----a-w- C:\Windows\SysWow64\PCWizard.cpl
2011-09-07 00:44:10 -------- d-----w- C:\Windows\Java
2011-09-07 00:44:07 -------- d-----w- C:\Program Files (x86)\CPUID
2011-09-06 23:20:19 203264 ----a-w- C:\Windows\System32\unrar.dll
2011-09-06 23:20:18 86016 ----a-w- C:\Windows\System32\ff_vfw.dll
2011-09-06 23:20:17 -------- d-----w- C:\Program Files\K-Lite Codec Pack x64
2011-09-06 23:14:32 839680 ----a-w- C:\Windows\SysWow64\lameACM.acm
2011-09-06 23:14:32 151552 ----a-w- C:\Windows\SysWow64\ac3acm.acm
2011-09-06 23:14:31 74752 ----a-w- C:\Windows\SysWow64\ff_vfw.dll
2011-09-06 23:14:31 650752 ----a-w- C:\Windows\SysWow64\xvidcore.dll
2011-09-06 23:14:31 630784 ----a-w- C:\Windows\SysWow64\vp7vfw.dll
2011-09-06 23:14:31 243200 ----a-w- C:\Windows\SysWow64\xvidvfw.dll
2011-09-06 23:14:31 216064 ----a-w- C:\Windows\SysWow64\lagarith.dll
2011-09-06 23:06:46 -------- d-----w- C:\Users\David\AppData\Local\{7F13EEA4-1576-45D7-936E-B352793BF225}
2011-09-06 23:06:36 -------- d-----w- C:\Users\David\AppData\Local\{4C00F0F0-2489-48BF-9613-D7A890A02A5D}
2011-09-06 23:05:33 -------- d-----w- C:\ProgramData\DFX
2011-09-06 23:05:32 -------- d-----w- C:\Program Files\DFX
2011-09-06 23:05:32 -------- d-----w- C:\Program Files\Common Files\DFX
2011-09-06 23:04:03 -------- d-----w- C:\ATI
2011-09-06 11:06:11 -------- d-----w- C:\Users\David\AppData\Local\{4F5DDE9D-A18F-44C9-983E-1C1FD0F16437}
2011-09-06 11:06:01 -------- d-----w- C:\Users\David\AppData\Local\{3C505592-3BB3-42CD-9E24-4B67B649FBA7}
2011-09-06 11:06:00 -------- d-----w- C:\Users\David\AppData\Local\{96861AE6-5630-4D95-8180-467EE88E076B}
2011-09-06 10:43:11 -------- d-----w- C:\Program Files\PeerBlock
2011-09-06 08:00:39 -------- d-----w- C:\Program Files (x86)\WinASO
2011-09-06 06:32:07 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-09-06 06:24:23 -------- d-----w- C:\Windows\SysWow64\Adobe
2011-09-06 05:45:16 -------- d-----w- C:\ProgramData\ServeZip
2011-09-06 05:45:16 -------- d-----w- C:\Program Files (x86)\ServeZip
2011-09-06 02:48:13 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2011-09-06 02:48:13 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2011-09-06 02:48:13 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2011-09-06 02:48:13 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2011-09-06 02:48:13 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2011-09-06 02:48:13 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2011-09-06 02:48:13 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2011-09-06 01:41:23 -------- d-----w- C:\Users\David\AppData\Local\Adobe
2011-09-05 17:21:07 118784 ----a-w- C:\Windows\SysWow64\MSSTDFMT.DLL
2011-09-05 17:21:07 1071088 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2011-09-05 17:21:00 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2011-09-05 10:34:29 -------- d-----w- C:\Downloads
2011-09-05 10:32:24 -------- d-----w- C:\Users\David\AppData\Local\FileServe Manager
2011-09-05 10:31:51 -------- d-----w- C:\ProgramData\FileServe Limited
2011-09-05 10:31:51 -------- d-----w- C:\Program Files (x86)\FileServe Manager
2011-09-05 10:30:03 -------- d-----w- C:\ProgramData\Web Installer
2011-09-05 01:45:24 -------- d-----w- C:\Users\David\AppData\Roaming\Notepad2
2011-09-05 00:56:33 -------- d-----w- C:\Users\David\AppData\Roaming\DMCache
2011-09-04 17:10:25 8862544 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-09-04 17:09:41 -------- d-----w- C:\Users\David\AppData\Local\{A3BE5C33-3C6A-4C37-94F7-41D06CF37A52}
2011-09-04 17:09:28 -------- d-----w- C:\Users\David\AppData\Local\{2C5B1D1A-FD0C-4C26-9C24-2527BE9A0F6B}
2011-09-03 20:33:09 -------- d-----w- C:\Users\David\AppData\Local\{8CE458EA-9A42-43E5-B439-5652B5F18225}
2011-09-03 20:32:58 -------- d-----w- C:\Users\David\AppData\Local\{870A7AF8-0DB2-4031-A3F8-9F6DB417FC86}
2011-09-03 20:32:46 -------- d-----w- C:\Users\David\Tracing
2011-09-03 20:27:59 -------- d-----w- C:\Users\David\AppData\Local\Windows Live
2011-09-03 20:27:59 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2011-09-03 12:14:03 -------- d-----w- C:\Windows\SysWow64\Wat
2011-09-03 12:14:03 -------- d-----w- C:\Windows\System32\Wat
2011-09-03 09:16:44 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-09-03 09:16:44 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2011-09-03 08:08:22 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-09-03 08:08:21 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-09-03 07:48:33 -------- d-----w- C:\Users\David\AppData\Local\Apple Computer
2011-09-02 03:49:37 -------- d-----w- C:\Program Files (x86)\YouTube Downloader Toolbar
2011-09-02 03:49:37 -------- d-----w- C:\Program Files (x86)\Common Files\Spigot
2011-09-02 03:49:37 -------- d-----w- C:\Program Files (x86)\Application Updater
2011-09-02 03:49:32 -------- d-----w- C:\ProgramData\YouTube Downloader
2011-09-02 03:49:29 -------- d-----w- C:\Program Files (x86)\YouTube Downloader
2011-09-01 16:05:39 967 ----a-w- C:\Windows\ScUnin.pif
2011-09-01 16:05:38 94208 ----a-w- C:\Windows\ScUnin.exe
2011-08-31 22:17:40 -------- d-----w- C:\Program Files (x86)\Disktrix
2011-08-31 22:08:47 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-31 21:36:05 8199504 ------w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-08-31 21:36:03 8862544 ------w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FA6AD033-116D-4E21-8E81-1104BECBCB5C}\mpengine.dll
2011-08-31 21:27:50 -------- d-----w- C:\Users\David\AppData\Local\AMD
2011-08-31 21:27:36 -------- d-----w- C:\Users\David\AppData\Local\ATI
2011-08-31 21:27:12 0 ----a-w- C:\Windows\ativpsrm.bin
2011-08-31 21:26:07 -------- d-----w- C:\Program Files (x86)\AMD APP
2011-08-31 21:26:05 -------- d-----w- C:\Program Files\Common Files\ATI Technologies
2011-08-31 21:26:05 -------- d-----w- C:\Program Files (x86)\Common Files\ATI Technologies
2011-08-31 21:25:58 -------- d-----w- C:\ProgramData\AMD
2011-08-31 21:25:57 46136 ----a-w- C:\Windows\System32\drivers\amdiox64.sys
2011-08-31 21:25:41 -------- d-----w- C:\Program Files (x86)\ATI Technologies
2011-08-31 21:25:35 -------- d-----w- C:\Program Files\ATI Technologies
2011-08-31 21:25:31 -------- d-----w- C:\Program Files\ATI
2011-08-31 21:24:30 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2011-08-31 21:23:56 -------- d-----w- C:\Windows\System32\appmgmt
2011-08-31 21:20:23 -------- d-----w- C:\Users\David\AppData\Local\Mozilla
2011-08-31 21:15:23 1698408 ----a-w- C:\Windows\RtlExUpd.dll
2011-08-31 21:15:21 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2011-08-31 21:12:25 -------- d-----w- C:\Windows\SysWow64\directx
2011-08-31 21:10:29 -------- d-----w- C:\Program Files\Realtek
2011-08-31 21:10:22 -------- d--h--w- C:\Program Files (x86)\Temp
2011-08-31 21:10:20 69715 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2011-08-31 21:10:20 65024 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe
2011-08-31 21:10:20 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2011-08-31 21:10:20 204800 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2011-08-31 21:10:19 757760 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2011-08-31 21:10:19 200836 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2011-08-31 21:10:18 331908 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2011-08-31 21:09:13 74272 ----a-w- C:\Windows\System32\RtNicProp64.dll
2011-08-31 21:09:13 539240 ----a-w- C:\Windows\System32\drivers\Rt64win7.sys
2011-08-31 21:09:13 107552 ----a-w- C:\Windows\System32\RTNUninst64.dll
2011-08-31 21:09:09 -------- d-----w- C:\Program Files (x86)\Realtek
2011-08-31 21:00:59 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-08-31 21:00:59 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-08-31 21:00:59 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-08-31 20:29:53 -------- d-----w- C:\Users\David\AppData\Local\Apple
2011-08-26 22:22:30 28056 ----a-w- C:\Windows\System32\xfcodec64.dll
2011-08-24 14:49:10 56320 ----a-w- C:\Windows\SysWow64\OpenVideo.dll
2011-08-24 14:48:30 13601280 ----a-w- C:\Windows\SysWow64\amdocl.dll
2011-08-24 14:47:52 43520 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2011-08-15 07:43:31 16530944 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2011-08-14 22:24:48 16531456 ----a-w- C:\Windows\System32\wmploc.DLL
.
==================== Find3M ====================
.
2011-09-10 18:11:55 705536 ----a-w- C:\Windows\SysWow64\imagesp1.dll
2011-09-10 18:11:54 20268032 ----a-w- C:\Windows\SysWow64\imageres.dll
2011-09-10 18:11:15 1792000 ----a-w- C:\Windows\SysWow64\authui.dll
2011-09-10 18:10:25 1493504 ----a-w- C:\Windows\SysWow64\ExplorerFrame.dll
2011-09-10 18:06:35 705536 ----a-w- C:\Windows\System32\imagesp1.dll
2011-09-10 18:06:34 20268032 ----a-w- C:\Windows\System32\imageres.dll
2011-09-10 18:05:44 1866240 ----a-w- C:\Windows\System32\ExplorerFrame.dll
2011-09-10 18:04:59 1927680 ----a-w- C:\Windows\System32\authui.dll
2011-08-30 21:28:46 3069032 ----a-w- C:\Windows\System32\drivers\RTKVHD64.sys
2011-08-30 17:37:44 2518632 ----a-w- C:\Windows\System32\RtPgEx64.dll
2011-08-24 17:30:06 3201128 ----a-w- C:\Windows\System32\RtkAPO64.dll
2011-08-23 16:06:12 97896 ----a-w- C:\Windows\System32\RCoInst64.dll
2011-08-20 01:10:26 64600 ----a-w- C:\Windows\System32\MBppld64.dll
2011-08-20 01:10:16 886360 ----a-w- C:\Windows\System32\MBAPO64.dll
2011-08-20 01:10:14 746072 ----a-w- C:\Windows\SysWow64\MBAPO32.dll
2011-08-19 18:54:12 1881704 ----a-w- C:\Windows\System32\RtkApi64.dll
2011-08-14 13:56:22 15331328 ----a-w- C:\Windows\System32\spwizimg.dll
2011-08-11 14:37:21 2560 ----a-w- C:\Windows\System32\bootstr.dll
2011-08-05 11:33:57 7680 ----a-w- C:\Windows\System32\spwizres.dll
2011-07-28 22:23:16 9980416 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-07-28 22:09:06 23921664 ----a-w- C:\Windows\System32\atio6axx.dll
2011-07-28 21:44:06 18388480 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-07-28 21:40:58 151552 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-07-28 21:40:44 726528 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-07-28 21:39:14 852992 ----a-w- C:\Windows\System32\aticfx64.dll
2011-07-28 21:36:26 462848 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-07-28 21:36:12 485376 ----a-w- C:\Windows\System32\atieclxx.exe
2011-07-28 21:35:34 204288 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-07-28 21:34:20 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-07-28 21:34:00 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-07-28 21:33:54 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-07-28 21:33:42 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-07-28 21:33:36 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2011-07-28 21:33:32 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-07-28 21:33:26 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-07-28 21:30:26 4198912 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-07-28 21:20:36 4943360 ----a-w- C:\Windows\System32\atidxx64.dll
2011-07-28 21:12:14 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-07-28 21:11:42 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-07-28 21:11:30 3871744 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-07-28 21:11:16 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-07-28 21:11:14 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-07-28 21:11:04 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-07-28 21:11:02 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-07-28 21:10:50 9644544 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-07-28 21:09:10 4256768 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-07-28 21:07:24 8247296 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-07-28 21:03:58 4056064 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-07-28 21:02:28 5399040 ----a-w- C:\Windows\System32\atiumd64.dll
2011-07-28 21:01:50 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-07-28 20:54:52 378368 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-07-28 20:54:44 266240 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-07-28 20:54:34 15360 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-07-28 20:54:30 13312 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-07-28 20:54:30 13312 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-07-28 20:54:26 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-07-28 20:54:18 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-07-28 20:54:10 309248 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-07-28 20:53:22 40960 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-07-28 20:53:14 31744 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-07-28 20:53:08 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-07-28 20:53:00 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-07-28 20:52:26 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-07-28 20:51:10 53760 ----a-w- C:\Windows\System32\atimpc64.dll
2011-07-28 20:51:10 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-07-28 20:51:04 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-07-28 20:51:04 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-07-28 13:54:10 699904 ----a-w- C:\Windows\System32\taskmgr.exe
2011-07-28 12:19:14 60416 ----a-w- C:\Windows\System32\OVDecode64.dll
2011-07-28 12:18:58 51200 ----a-w- C:\Windows\System32\OpenCL.dll
2011-07-28 12:18:48 16552960 ----a-w- C:\Windows\System32\amdocl64.dll
2011-07-28 04:55:14 2604376 ----a-w- C:\Windows\System32\WavesGUILib.dll
2011-07-28 04:55:08 2132824 ----a-w- C:\Windows\System32\MaxxAudioEQ.dll
2011-07-22 23:35:22 1247848 ----a-w- C:\Windows\System32\RTCOM64.dll
2011-07-22 05:42:23 2303488 ----a-w- C:\Windows\System32\jscript9.dll
2011-07-22 05:36:16 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-07-22 05:32:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-07-22 02:54:43 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-07-16 05:41:50 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-16 05:41:49 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-16 05:41:49 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-16 05:39:10 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-16 05:37:12 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-07-16 04:29:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:26:00 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-07-16 04:25:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-16 04:24:23 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-16 04:24:22 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:21:44 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-16 02:21:41 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-16 02:17:19 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-12 14:22:20 3147368 ----a-w- C:\Windows\System32\RtkHDM64.dll
2011-07-12 14:22:20 2432104 ----a-w- C:\Windows\System32\RHDMEx64.dll
2011-07-09 05:26:20 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-07-09 04:29:46 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
.
============= FINISH: 22:49:16.60 ===============

ken545
2011-09-11, 18:27
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.



Please run the MGA Diagnostic Tool and post the report it produces:

Download MGADiag (http://go.microsoft.com/fwlink/?linkid=52012) to your desktop.
Double-click on MGADiag.exe to launch the program.
Click Continue.
Ensure that the Windows tab is selected. (It should be by default.)
Click the Copy button to copy the MGA Diagnostic Report to the Windows clipboard.
Paste the MGA Diagnostic Report into your next reply.





Please download WVCheck by Artellos from one of the mirrors below;

Artellos.com (exe) (http://artellos.com/ccount/click.php?id=7)
Artellos.com (zip) (http://artellos.com/ccount/click.php?id=8)
After the download, run WVCheck.exe
As indicated by the prompt, This program can take a while depending on your hard drive space.
Once the program is done, copy the contents of the notepad file as a reply.






Download CKScanner by askey127 from Here (http://downloads.malwareremoval.com/CKScanner.exe) & save it to your Desktop.
Doubleclick CKScanner.exe then click Search For Files
When the cursor hourglass disappears, click Save List To File
A message box will verify the file saved
Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply




Post the 3 reports please not as attachments but copy and paste them in to the thread