Smitfraud-C.generic...Please Help!
coyotekanta
2012-02-28, 04:45
Spybot SD detected Smitfraud-C.generic on my laptop, but it could not remove it. It kept insisting an admin needed to be logged in. Malwarebytes identified it as Trojan.agent-svchost.exe. Malwarebytes also could not remove it. My husband installed smitfraudfix.exe, the svchost removal tool and so on. Nothing worked. Before smitfraud appeared, I had "Security Scan" by Trojan, and I installed TDSSKiller and removed it. And now I cannot remove smitfraud (windows\svchost.exe). I found Spybot, you guys, now, so please please help me!
Here is DDS:
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Kaori at 21:13:05 on 2012-02-27
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1977.684 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG10\avgchsva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Battery Meter\BTMeter.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\WSED\WSED.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\PROGRA~2\AVG\AVG10\avgrsa.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
-netsvcs
C:\Windows\system32\conhost.exe
C:\Windows\system32\msiexec.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = about:blank
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [EPSON NX110 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIFBA.EXE /FU "C:\Windows\TEMP\E_S194A.tmp" /EF "HKCU"
uRun: [Xvid] C:\Program Files (x86)\Xvid\CheckUpdate.exe
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [BTMeter] C:\Program Files (x86)\Battery Meter\BTMeter.exe
mRun: [WSED] C:\Program Files (x86)\WSED\WSED.exe
mRun: [<NO NAME>]
mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
mRun: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun: [LTCM Client] C:\Program Files (x86)\LTCM Client\ltcmClient.exe /startup
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"
dRun: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
dExplorerRun: [McAfee] C:\Windows\system32\config\systemprofile\AppData\Roaming\F95495.exe
StartupFolder: C:\Users\Kaori\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EPSONA~1.LNK -
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{EDA23010-6CF7-447D-86DB-3B96AACEB689} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO-X64: ZoneAlarm Security Engine Registrar - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll
TB-X64: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun-x64: [BTMeter] C:\Program Files (x86)\Battery Meter\BTMeter.exe
mRun-x64: [WSED] C:\Program Files (x86)\WSED\WSED.exe
mRun-x64: [(Default)]
mRun-x64: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun-x64: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
mRun-x64: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun-x64: [LTCM Client] C:\Program Files (x86)\LTCM Client\ltcmClient.exe /startup
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [ROC_roc_dec12] "C:\Program Files (x86)\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"
Hosts: 94.63.147.16 www.google.com
Hosts: 94.63.147.17 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Kaori\AppData\Roaming\Mozilla\Firefox\Profiles\6v7c1pnl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.jp/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=2&q=
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\npFFApi.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\Kaori\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: C:\Users\Kaori\AppData\Roaming\Mozilla\Firefox\Profiles\6v7c1pnl.default\extensions\widevinemediatransformer@widevine\plugins\npwidevinemediatransformer.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-02-25 21:17:49 20480 ----a-w- C:\Windows\svchost.exe
2012-02-25 17:55:23 691 ----a-w- C:\Users\Kaori\AppData\Roaming\GetValue.vbs
2012-02-25 17:55:23 35 ----a-w- C:\Users\Kaori\AppData\Roaming\SetValue.bat
2012-02-25 10:57:39 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-02-25 10:57:39 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-02-23 21:20:45 -------- d-----w- C:\Program Files (x86)\Trojan SVCHOSTRemoval Tool
2012-02-23 02:34:01 -------- d-----w- C:\Users\Kaori\AppData\Roaming\CheckPoint
2012-02-23 02:33:29 -------- d-----w- C:\Program Files\CheckPoint
2012-02-23 02:33:13 -------- d-----w- C:\ProgramData\CheckPoint
2012-02-23 02:32:44 374664 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-02-23 02:16:42 -------- d-----w- C:\Program Files (x86)\CheckPoint
2012-02-20 01:20:44 128512 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\ED57.tmp
2012-02-20 01:20:04 6656 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp
2012-02-20 01:20:04 128512 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp.dat
2012-02-07 17:20:01 6656 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\F440.tmp
2012-02-07 17:02:47 -------- d-----w- C:\Users\Kaori\AppData\Local\DDMSettings
.
==================== Find3M ====================
.
2012-02-28 00:08:45 3104 ----a-w- C:\Windows\SysWow64\tmp.reg
2012-02-22 12:35:31 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-02-20 01:27:30 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-10 20:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 21:18:32.76 ===============
Hi
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (see http://www.bleepingcomputer.com/forums/topic114351.html).
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
coyotekanta
2012-02-29, 02:45
Thank you for your reply! I really appreciate it.
I read "before you post" and ran ERUNT; I also disabled the firewall and AVG, disabled Spybot's TeaTimer, and ran ComboFix. One message came up, saying "C:\Windows\System32\GfxUI.exe A device attached to the system is not functioning". I clicked OK (there were no other choices).
Here is the ComboFix report. (Let me attach C:\....report later.)
ComboFix 12-02-27.02 - Kaori 02/28/2012 17:28:34.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1977.1206 [GMT -5:00]
Running from: c:\users\Kaori\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-28 )))))))))))))))))))))))))))))))
.
.
2012-02-28 22:38 . 2012-02-28 22:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-28 22:12 . 2012-02-28 22:25 88576 ----a-w- c:\windows\ff.exe
2012-02-28 21:32 . 2012-02-28 22:17 -------- d-----w- c:\users\Kaori\AppData\Local\LogMeIn Rescue Applet
2012-02-28 02:09 . 2012-02-28 02:10 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-25 21:17 . 2009-07-14 01:14 20480 ----a-w- c:\windows\svchost.exe
2012-02-25 17:55 . 2012-02-28 00:08 691 ----a-w- c:\users\Kaori\AppData\Roaming\GetValue.vbs
2012-02-25 17:55 . 2012-02-28 00:08 35 ----a-w- c:\users\Kaori\AppData\Roaming\SetValue.bat
2012-02-25 10:57 . 2012-02-25 17:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-25 10:57 . 2012-02-25 11:02 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-02-23 21:20 . 2012-02-23 22:55 -------- d-----w- c:\program files (x86)\Trojan SVCHOSTRemoval Tool
2012-02-23 02:34 . 2012-02-23 02:34 -------- d-----w- c:\users\Kaori\AppData\Roaming\CheckPoint
2012-02-23 02:33 . 2012-02-28 21:18 -------- d-----w- c:\program files\CheckPoint
2012-02-23 02:33 . 2012-02-23 02:33 -------- d-----w- c:\programdata\CheckPoint
2012-02-23 02:32 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys
2012-02-23 02:16 . 2012-02-28 21:18 -------- d-----w- c:\program files (x86)\CheckPoint
2012-02-22 12:36 . 2012-02-22 12:36 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-02-20 01:20 . 2012-02-20 01:20 128512 ----a-w- c:\programdata\Microsoft\Windows\DRM\ED57.tmp
2012-02-20 01:20 . 2012-02-20 01:20 6656 ----a-w- c:\programdata\Microsoft\Windows\DRM\50F9.tmp
2012-02-07 17:20 . 2012-02-07 17:20 6656 ----a-w- c:\programdata\Microsoft\Windows\DRM\F440.tmp
2012-02-07 17:02 . 2012-02-07 17:02 -------- d-----w- c:\users\Kaori\AppData\Local\DDMSettings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 12:35 . 2011-02-03 00:38 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-20 01:27 . 2012-01-18 02:21 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-27 12:49 . 2011-12-27 12:49 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-12-27 12:49 . 2011-12-27 12:49 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2011-12-27 12:49 . 2011-12-27 12:49 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-12-27 12:49 . 2011-12-27 12:49 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2011-12-27 12:49 . 2011-12-27 12:49 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-12-27 12:49 . 2011-12-27 12:49 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2011-12-27 12:49 . 2011-12-27 12:49 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2011-12-27 12:49 . 2011-12-27 12:49 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2011-12-27 12:49 . 2011-12-27 12:49 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-12-27 12:49 . 2011-12-27 12:49 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2011-12-27 12:49 . 2011-12-27 12:49 367104 ----a-w- c:\windows\SysWow64\html.iec
2011-12-27 12:49 . 2011-12-27 12:49 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-12-27 12:49 . 2011-12-27 12:49 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-12-27 12:49 . 2011-12-27 12:49 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-12-27 12:49 . 2011-12-27 12:49 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-12-27 12:49 . 2011-12-27 12:49 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2011-12-27 12:49 . 2011-12-27 12:49 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-12-27 12:49 . 2011-12-27 12:49 222208 ----a-w- c:\windows\system32\msls31.dll
2011-12-27 12:49 . 2011-12-27 12:49 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2011-12-27 12:49 . 2011-12-27 12:49 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2011-12-27 12:49 . 2011-12-27 12:49 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2011-12-27 12:49 . 2011-12-27 12:49 1390080 ----a-w- c:\windows\system32\wininet.dll
2011-12-27 12:49 . 2011-12-27 12:49 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2011-12-27 12:49 . 2011-12-27 12:49 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2011-12-27 12:49 . 2011-12-27 12:49 49664 ----a-w- c:\windows\system32\imgutil.dll
2011-12-27 12:49 . 2011-12-27 12:49 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-27 12:49 . 2011-12-27 12:49 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-12-27 12:49 . 2011-12-27 12:49 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2011-12-27 12:49 . 2011-12-27 12:49 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-12-27 12:49 . 2011-12-27 12:49 12288 ----a-w- c:\windows\system32\mshta.exe
2011-12-27 12:49 . 2011-12-27 12:49 114176 ----a-w- c:\windows\system32\admparse.dll
2011-12-27 12:49 . 2011-12-27 12:49 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-12-27 12:49 . 2011-12-27 12:49 85504 ----a-w- c:\windows\system32\iesetup.dll
2011-12-27 12:49 . 2011-12-27 12:49 76800 ----a-w- c:\windows\system32\tdc.ocx
2011-12-27 12:49 . 2011-12-27 12:49 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-12-27 12:49 . 2011-12-27 12:49 448512 ----a-w- c:\windows\system32\html.iec
2011-12-27 12:49 . 2011-12-27 12:49 30720 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-27 12:49 . 2011-12-27 12:49 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-27 12:49 . 2011-12-27 12:49 111616 ----a-w- c:\windows\system32\iesysprep.dll
2011-12-27 12:49 . 2011-12-27 12:49 603648 ----a-w- c:\windows\system32\vbscript.dll
2011-12-27 12:49 . 2011-12-27 12:49 165888 ----a-w- c:\windows\system32\iexpress.exe
2011-12-27 12:49 . 2011-12-27 12:49 160256 ----a-w- c:\windows\system32\wextract.exe
2011-12-10 20:24 . 2011-07-25 10:54 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-14 01:14 33280 --sh--w- c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\F95495.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="c:\program files (x86)\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"BTMeter"="c:\program files (x86)\Battery Meter\BTMeter.exe" [2009-07-02 623984]
"WSED"="c:\program files (x86)\WSED\WSED.exe" [2009-05-27 247080]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"LTCM Client"="c:\program files (x86)\LTCM Client\ltcmClient.exe" [2009-03-02 1583808]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNTkyMTczNDIyLVhPMTArMTItTElDKzIyLVNQMSsxLVNQMVRCKzEtU1VEKzEtUzFJKzEtU1UzKzEtRkwxMCsxLVRVRyszLUREVCsyMDk3OC1MU0QrMi1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQVQrMy1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEIrMS1GVUkrMi1GMTBUQisyLVNUMTBUQkYrMQ&prod=90&ver=10.0.1424" [?]
.
[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"McAfee"="c:\windows\system32\config\systemprofile\AppData\Roaming\F95495.exe" [2009-07-14 33280]
.
c:\users\Kaori\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Epson all-in-one Registration.lnk - [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 136176]
R2 MSSQL$SCHEDUFLOW2008;SQL Server (SCHEDUFLOW2008);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 136176]
R3 netr7364;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0;PCDSRVC{67F2314B-25F2B3C0-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\gencotst\pcdsrvc_x64.pkms [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 16752]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-31 92160]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [2011-01-14 341296]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1c51x64.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 14:35]
.
2012-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 14:35]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-14 7970848]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Kaori\AppData\Roaming\Mozilla\Firefox\Profiles\6v7c1pnl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.jp/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{cd90bf73-20f6-44ef-993d-bb920303bd2e} - (no file)
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Wow6432Node-HKLM-Run-ROC_roc_dec12 - c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe
Wow6432Node-HKU-Default-Run-dplaysvr - c:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-ETDWare - \Elantech\ETDCtrl.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-ISW - c:\program files\CheckPoint\ZAForceField\ForceField.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{67F2314B-25F2B3C0-06020101}_0]
"ImagePath"="\??\c:\gencotst\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1062982632-715189573-2474834400-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1062982632-715189573-2474834400-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\\.\globalroot\systemroot\svchost.exe
.
**************************************************************************
.
Completion time: 2012-02-28 17:48:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-28 22:48
.
Pre-Run: 280,209,448,960 bytes free
Post-Run: 279,871,164,416 bytes free
.
- - End Of File - - 9F2A919591AB18448C60F18224589ACD
coyotekanta
2012-02-29, 02:57
Here is my new DDS....Thanks again, thanks for helping me!
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Kaori at 19:50:06 on 2012-02-28
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1977.467 [GMT -5:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Battery Meter\BTMeter.exe
C:\Program Files (x86)\WSED\WSED.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
-netsvcs
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\SWSC.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Xvid] C:\Program Files (x86)\Xvid\CheckUpdate.exe
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [BTMeter] C:\Program Files (x86)\Battery Meter\BTMeter.exe
mRun: [WSED] C:\Program Files (x86)\WSED\WSED.exe
mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun: [LTCM Client] C:\Program Files (x86)\LTCM Client\ltcmClient.exe /startup
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTkyMTczNDIyLVhPMTArMTItTElDKzIyLVNQMSsxLVNQMVRCKzEtU1VEKzEtUzFJKzEtU1UzKzEtRkwxMCsxLVRVRyszLUREVCsyMDk3OC1MU0QrMi1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQVQrMy1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEIrMS1GVUkrMi1GMTBUQisyLVNUMTBUQkYrMQ"&"prod=90"&"ver=10.0.1424
dExplorerRun: [McAfee] C:\Windows\system32\config\systemprofile\AppData\Roaming\F95495.exe
StartupFolder: C:\Users\Kaori\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EPSONA~1.LNK -
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{EDA23010-6CF7-447D-86DB-3B96AACEB689} : DhcpNameServer = 192.168.1.254
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO-X64: ZoneAlarm Security Engine Registrar - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun-x64: [BTMeter] C:\Program Files (x86)\Battery Meter\BTMeter.exe
mRun-x64: [WSED] C:\Program Files (x86)\WSED\WSED.exe
mRun-x64: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun-x64: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun-x64: [LTCM Client] C:\Program Files (x86)\LTCM Client\ltcmClient.exe /startup
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce-x64: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTkyMTczNDIyLVhPMTArMTItTElDKzIyLVNQMSsxLVNQMVRCKzEtU1VEKzEtUzFJKzEtU1UzKzEtRkwxMCsxLVRVRyszLUREVCsyMDk3OC1MU0QrMi1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQVQrMy1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEIrMS1GVUkrMi1GMTBUQisyLVNUMTBUQkYrMQ"&"prod=90"&"ver=10.0.1424
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Kaori\AppData\Roaming\Mozilla\Firefox\Profiles\6v7c1pnl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.jp/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=2&q=
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\Kaori\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: C:\Users\Kaori\AppData\Roaming\Mozilla\Firefox\Profiles\6v7c1pnl.default\extensions\widevinemediatransformer@widevine\plugins\npwidevinemediatransformer.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 EMSC;COMPAL Embedded System Control;C:\Windows\System32\drivers\EMSC.sys [2009-6-26 13680]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2011-1-28 92160]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [2011-1-14 341296]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-2-25 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-4-24 483688]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\l1c51x64.sys --> C:\Windows\system32\DRIVERS\l1c51x64.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-4-24 209768]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-9-8 136176]
S2 MSSQL$SCHEDUFLOW2008;SQL Server (SCHEDUFLOW2008);C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-2-10 29178224]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe --> C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
S3 ETD;ELAN PS/2 Port Input Device;C:\Windows\system32\DRIVERS\ETD.sys --> C:\Windows\system32\DRIVERS\ETD.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-9-8 136176]
S3 netr7364;RT73 USB Wireless LAN Card Driver for Vista;C:\Windows\system32\DRIVERS\netr7364.sys --> C:\Windows\system32\DRIVERS\netr7364.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
.
=============== Created Last 30 ================
.
2012-02-28 22:40:53 -------- d-----w- C:\$RECYCLE.BIN
2012-02-28 22:24:49 -------- d-----w- C:\ComboFix
2012-02-28 22:12:05 88576 ----a-w- C:\Windows\ff.exe
2012-02-28 21:58:21 256000 ----a-w- C:\Windows\PEV.exe
2012-02-28 21:58:21 208896 ----a-w- C:\Windows\MBR.exe
2012-02-28 21:58:20 98816 ----a-w- C:\Windows\sed.exe
2012-02-28 21:58:20 518144 ----a-w- C:\Windows\SWREG.exe
2012-02-28 21:32:09 -------- d-----w- C:\Users\Kaori\AppData\Local\LogMeIn Rescue Applet
2012-02-25 21:17:49 20480 ----a-w- C:\Windows\svchost.exe
2012-02-25 17:55:23 691 ----a-w- C:\Users\Kaori\AppData\Roaming\GetValue.vbs
2012-02-25 17:55:23 35 ----a-w- C:\Users\Kaori\AppData\Roaming\SetValue.bat
2012-02-25 10:57:39 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-02-25 10:57:39 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-02-23 21:20:45 -------- d-----w- C:\Program Files (x86)\Trojan SVCHOSTRemoval Tool
2012-02-23 02:34:01 -------- d-----w- C:\Users\Kaori\AppData\Roaming\CheckPoint
2012-02-23 02:33:29 -------- d-----w- C:\Program Files\CheckPoint
2012-02-23 02:33:13 -------- d-----w- C:\ProgramData\CheckPoint
2012-02-23 02:32:44 374664 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-02-23 02:16:42 -------- d-----w- C:\Program Files (x86)\CheckPoint
2012-02-20 01:20:44 128512 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\ED57.tmp
2012-02-20 01:20:04 6656 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp
2012-02-20 01:20:04 128512 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp.dat
2012-02-07 17:20:01 6656 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\F440.tmp
2012-02-07 17:02:47 -------- d-----w- C:\Users\Kaori\AppData\Local\DDMSettings
.
==================== Find3M ====================
.
2012-02-28 00:08:45 3104 ----a-w- C:\Windows\SysWow64\tmp.reg
2012-02-22 12:35:31 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-02-20 01:27:30 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-10 20:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2009-07-14 01:14:53 33280 --sh--w- C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\F95495.exe
.
============= FINISH: 19:51:25.44 ===============
coyotekanta
2012-02-29, 03:07
Well... I forgot to check if Windows Firewall was on when I deleted ZoneAlarm... Windows Firewall was back on when I ran ComboFix...
Hope it did not interfere...
Just in case... I let you know...
Hi again,
That went ok. Let's continue :)
Open notepad and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?p=422290#post422290
Suspect::[76]
c:\windows\ff.exe
c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\F95495.exe
File::
c:\windows\svchost.exe
DDS::
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.
* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish.
Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
coyotekanta
2012-02-29, 23:21
Thanks!
Here is the ComboFix report after I dragged the text file into it.
ComboFix 12-02-27.02 - Kaori 02/29/2012 15:27:41.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1977.1233 [GMT -5:00]
Running from: c:\users\Kaori\Desktop\ComboFix.exe
Command switches used :: c:\users\Kaori\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\svchost.exe"
.
.
.
((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-29 )))))))))))))))))))))))))))))))
.
.
2012-02-29 21:03 . 2012-02-29 21:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-28 22:12 . 2012-02-28 22:42 88576 ------w- c:\windows\ff.exe
2012-02-28 21:32 . 2012-02-28 22:17 -------- d-----w- c:\users\Kaori\AppData\Local\LogMeIn Rescue Applet
2012-02-28 02:09 . 2012-02-28 02:10 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-25 21:17 . 2009-07-14 01:14 20480 ----a-w- c:\windows\svchost.exe
2012-02-25 17:55 . 2012-02-28 00:08 691 ----a-w- c:\users\Kaori\AppData\Roaming\GetValue.vbs
2012-02-25 17:55 . 2012-02-28 00:08 35 ----a-w- c:\users\Kaori\AppData\Roaming\SetValue.bat
2012-02-25 10:57 . 2012-02-25 17:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-25 10:57 . 2012-02-25 11:02 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-02-23 21:20 . 2012-02-23 22:55 -------- d-----w- c:\program files (x86)\Trojan SVCHOSTRemoval Tool
2012-02-23 02:34 . 2012-02-23 02:34 -------- d-----w- c:\users\Kaori\AppData\Roaming\CheckPoint
2012-02-23 02:33 . 2012-02-28 21:18 -------- d-----w- c:\program files\CheckPoint
2012-02-23 02:33 . 2012-02-23 02:33 -------- d-----w- c:\programdata\CheckPoint
2012-02-23 02:32 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys
2012-02-23 02:16 . 2012-02-28 21:18 -------- d-----w- c:\program files (x86)\CheckPoint
2012-02-22 12:36 . 2012-02-22 12:36 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-02-20 01:20 . 2012-02-20 01:20 128512 ----a-w- c:\programdata\Microsoft\Windows\DRM\ED57.tmp
2012-02-20 01:20 . 2012-02-20 01:20 6656 ----a-w- c:\programdata\Microsoft\Windows\DRM\50F9.tmp
2012-02-07 17:20 . 2012-02-07 17:20 6656 ----a-w- c:\programdata\Microsoft\Windows\DRM\F440.tmp
2012-02-07 17:02 . 2012-02-07 17:02 -------- d-----w- c:\users\Kaori\AppData\Local\DDMSettings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 12:35 . 2011-02-03 00:38 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-20 01:27 . 2012-01-18 02:21 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-27 12:49 . 2011-12-27 12:49 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-12-27 12:49 . 2011-12-27 12:49 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2011-12-27 12:49 . 2011-12-27 12:49 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-12-27 12:49 . 2011-12-27 12:49 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2011-12-27 12:49 . 2011-12-27 12:49 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-12-27 12:49 . 2011-12-27 12:49 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2011-12-27 12:49 . 2011-12-27 12:49 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2011-12-27 12:49 . 2011-12-27 12:49 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2011-12-27 12:49 . 2011-12-27 12:49 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-12-27 12:49 . 2011-12-27 12:49 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2011-12-27 12:49 . 2011-12-27 12:49 367104 ----a-w- c:\windows\SysWow64\html.iec
2011-12-27 12:49 . 2011-12-27 12:49 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-12-27 12:49 . 2011-12-27 12:49 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-12-27 12:49 . 2011-12-27 12:49 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-12-27 12:49 . 2011-12-27 12:49 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-12-27 12:49 . 2011-12-27 12:49 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2011-12-27 12:49 . 2011-12-27 12:49 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-12-27 12:49 . 2011-12-27 12:49 222208 ----a-w- c:\windows\system32\msls31.dll
2011-12-27 12:49 . 2011-12-27 12:49 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2011-12-27 12:49 . 2011-12-27 12:49 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2011-12-27 12:49 . 2011-12-27 12:49 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2011-12-27 12:49 . 2011-12-27 12:49 1390080 ----a-w- c:\windows\system32\wininet.dll
2011-12-27 12:49 . 2011-12-27 12:49 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2011-12-27 12:49 . 2011-12-27 12:49 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2011-12-27 12:49 . 2011-12-27 12:49 49664 ----a-w- c:\windows\system32\imgutil.dll
2011-12-27 12:49 . 2011-12-27 12:49 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-27 12:49 . 2011-12-27 12:49 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-12-27 12:49 . 2011-12-27 12:49 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2011-12-27 12:49 . 2011-12-27 12:49 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-12-27 12:49 . 2011-12-27 12:49 12288 ----a-w- c:\windows\system32\mshta.exe
2011-12-27 12:49 . 2011-12-27 12:49 114176 ----a-w- c:\windows\system32\admparse.dll
2011-12-27 12:49 . 2011-12-27 12:49 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-12-27 12:49 . 2011-12-27 12:49 85504 ----a-w- c:\windows\system32\iesetup.dll
2011-12-27 12:49 . 2011-12-27 12:49 76800 ----a-w- c:\windows\system32\tdc.ocx
2011-12-27 12:49 . 2011-12-27 12:49 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-12-27 12:49 . 2011-12-27 12:49 448512 ----a-w- c:\windows\system32\html.iec
2011-12-27 12:49 . 2011-12-27 12:49 30720 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-27 12:49 . 2011-12-27 12:49 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-27 12:49 . 2011-12-27 12:49 111616 ----a-w- c:\windows\system32\iesysprep.dll
2011-12-27 12:49 . 2011-12-27 12:49 603648 ----a-w- c:\windows\system32\vbscript.dll
2011-12-27 12:49 . 2011-12-27 12:49 165888 ----a-w- c:\windows\system32\iexpress.exe
2011-12-27 12:49 . 2011-12-27 12:49 160256 ----a-w- c:\windows\system32\wextract.exe
2011-12-10 20:24 . 2011-07-25 10:54 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-28_22.41.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-29 21:04 . 2012-02-29 21:04 13318 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-02-28 22:39 . 2012-02-28 22:39 13318 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2012-02-29 20:20 . 2012-02-29 20:14 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012022920120301\index.dat
+ 2012-02-28 20:34 . 2012-02-28 22:41 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012022820120229\index.dat
+ 2012-02-20 01:27 . 2012-02-29 20:14 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
- 2012-02-20 01:27 . 2012-02-28 21:58 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2011-01-28 05:37 . 2012-02-29 20:15 54096 c:\windows\system64\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-02-29 20:15 37424 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-03 00:13 . 2012-02-29 20:15 14376 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1062982632-715189573-2474834400-1003_UserData.bin
+ 2011-01-28 05:37 . 2012-02-29 20:15 54096 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-02-29 20:15 37424 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-03 00:13 . 2012-02-29 20:15 14376 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1062982632-715189573-2474834400-1003_UserData.bin
- 2012-02-28 22:40 . 2012-02-28 22:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-29 21:04 . 2012-02-29 21:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-02-28 22:40 . 2012-02-28 22:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-02-29 21:04 . 2012-02-29 21:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-01-28 06:05 . 2012-02-28 22:41 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-01-28 06:05 . 2012-02-29 20:25 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 04:54 . 2012-02-28 22:41 360448 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-02-29 21:06 360448 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 02:36 . 2012-02-29 20:20 662512 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2012-02-28 22:27 662512 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2012-02-28 22:27 121770 c:\windows\system64\perfc009.dat
+ 2009-07-14 02:36 . 2012-02-29 20:20 121770 c:\windows\system64\perfc009.dat
- 2009-07-14 02:36 . 2012-02-28 22:27 662512 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-02-29 20:20 662512 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-02-28 22:27 121770 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-02-29 20:20 121770 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-02-28 22:39 408324 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-02-29 21:04 408324 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:54 . 2012-02-28 22:41 4161536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-29 20:25 4161536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-24 16:13 . 2012-02-29 21:04 4719520 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1062982632-715189573-2474834400-1003-12288.dat
+ 2012-02-20 19:48 . 2012-02-29 21:04 2581000 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
- 2012-02-20 19:48 . 2012-02-28 22:39 2581000 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
- 2009-07-14 04:54 . 2012-02-28 22:41 11124736 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-29 20:25 11124736 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 02:34 . 2012-02-28 22:55 10223616 c:\windows\system64\SMI\Store\Machine\schema.dat
- 2009-07-14 02:34 . 2012-02-28 22:03 10223616 c:\windows\system64\SMI\Store\Machine\schema.dat
- 2009-07-14 02:34 . 2012-02-28 22:03 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2012-02-28 22:55 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="c:\program files (x86)\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"BTMeter"="c:\program files (x86)\Battery Meter\BTMeter.exe" [2009-07-02 623984]
"WSED"="c:\program files (x86)\WSED\WSED.exe" [2009-05-27 247080]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"LTCM Client"="c:\program files (x86)\LTCM Client\ltcmClient.exe" [2009-03-02 1583808]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNTkyMTczNDIyLVhPMTArMTItTElDKzIyLVNQMSsxLVNQMVRCKzEtU1VEKzEtUzFJKzEtU1UzKzEtRkwxMCsxLVRVRyszLUREVCsyMDk3OC1MU0QrMi1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQVQrMy1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEIrMS1GVUkrMi1GMTBUQisyLVNUMTBUQkYrMQ&prod=90&ver=10.0.1424" [?]
.
[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"McAfee"="c:\windows\system32\config\systemprofile\AppData\Roaming\F95495.exe" [2009-07-14 33280]
.
c:\users\Kaori\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Epson all-in-one Registration.lnk - [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 136176]
R2 MSSQL$SCHEDUFLOW2008;SQL Server (SCHEDUFLOW2008);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 136176]
R3 netr7364;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0;PCDSRVC{67F2314B-25F2B3C0-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\gencotst\pcdsrvc_x64.pkms [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 16752]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-31 92160]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [2011-01-14 341296]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1c51x64.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 14:35]
.
2012-02-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 14:35]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDWare"="\Elantech\ETDCtrl.exe" [BU]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-14 7970848]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Kaori\AppData\Roaming\Mozilla\Firefox\Profiles\6v7c1pnl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.jp/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{67F2314B-25F2B3C0-06020101}_0]
"ImagePath"="\??\c:\gencotst\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1062982632-715189573-2474834400-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1062982632-715189573-2474834400-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe
c:\\.\globalroot\systemroot\svchost.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\Internet Explorer\iexplore.exe
c:\program files (x86)\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2012-02-29 16:11:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-29 21:11
ComboFix2.txt 2012-02-28 22:48
.
Pre-Run: 279,684,186,112 bytes free
Post-Run: 279,589,400,576 bytes free
.
- - End Of File - - 7C1704A16DCD3E30E263340A1218E324
Upload was successful
coyotekanta
2012-03-01, 00:17
Hi again.
Unfortunately ESET (through IE) did not run, though I clicked "install" as directed. Nothing happened. I read the "FAQ" and tried to fix it but didn't find the same HKEY...
I have no idea...
Here is a new DDS at least...
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Kaori at 16:58:14 on 2012-02-29
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1977.739 [GMT -5:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\Battery Meter\BTMeter.exe
C:\Program Files (x86)\WSED\WSED.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
-netsvcs
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\SysWOW64\SWSC.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
uRun: [Xvid] C:\Program Files (x86)\Xvid\CheckUpdate.exe
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [BTMeter] C:\Program Files (x86)\Battery Meter\BTMeter.exe
mRun: [WSED] C:\Program Files (x86)\WSED\WSED.exe
mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun: [LTCM Client] C:\Program Files (x86)\LTCM Client\ltcmClient.exe /startup
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTkyMTczNDIyLVhPMTArMTItTElDKzIyLVNQMSsxLVNQMVRCKzEtU1VEKzEtUzFJKzEtU1UzKzEtRkwxMCsxLVRVRyszLUREVCsyMDk3OC1MU0QrMi1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQVQrMy1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEIrMS1GVUkrMi1GMTBUQisyLVNUMTBUQkYrMQ"&"prod=90"&"ver=10.0.1424
dExplorerRun: [McAfee] C:\Windows\system32\config\systemprofile\AppData\Roaming\F95495.exe
StartupFolder: C:\Users\Kaori\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EPSONA~1.LNK -
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{EDA23010-6CF7-447D-86DB-3B96AACEB689} : DhcpNameServer = 192.168.1.254
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO-X64: ZoneAlarm Security Engine Registrar - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun-x64: [BTMeter] C:\Program Files (x86)\Battery Meter\BTMeter.exe
mRun-x64: [WSED] C:\Program Files (x86)\WSED\WSED.exe
mRun-x64: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun-x64: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun-x64: [LTCM Client] C:\Program Files (x86)\LTCM Client\ltcmClient.exe /startup
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce-x64: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTkyMTczNDIyLVhPMTArMTItTElDKzIyLVNQMSsxLVNQMVRCKzEtU1VEKzEtUzFJKzEtU1UzKzEtRkwxMCsxLVRVRyszLUREVCsyMDk3OC1MU0QrMi1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQVQrMy1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEIrMS1GVUkrMi1GMTBUQisyLVNUMTBUQkYrMQ"&"prod=90"&"ver=10.0.1424
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Kaori\AppData\Roaming\Mozilla\Firefox\Profiles\6v7c1pnl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.jp/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=2&q=
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\Kaori\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: C:\Users\Kaori\AppData\Roaming\Mozilla\Firefox\Profiles\6v7c1pnl.default\extensions\widevinemediatransformer@widevine\plugins\npwidevinemediatransformer.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 EMSC;COMPAL Embedded System Control;C:\Windows\System32\drivers\EMSC.sys [2009-6-26 13680]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2011-1-28 92160]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-2-28 821664]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [2011-1-14 341296]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-2-25 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-4-24 483688]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\l1c51x64.sys --> C:\Windows\system32\DRIVERS\l1c51x64.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-4-24 209768]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-9-8 136176]
S2 MSSQL$SCHEDUFLOW2008;SQL Server (SCHEDUFLOW2008);C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-2-10 29178224]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe --> C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
S3 ETD;ELAN PS/2 Port Input Device;C:\Windows\system32\DRIVERS\ETD.sys --> C:\Windows\system32\DRIVERS\ETD.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-9-8 136176]
S3 netr7364;RT73 USB Wireless LAN Card Driver for Vista;C:\Windows\system32\DRIVERS\netr7364.sys --> C:\Windows\system32\DRIVERS\netr7364.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
.
=============== Created Last 30 ================
.
2012-02-29 21:05:19 -------- d-sh--w- C:\$RECYCLE.BIN
2012-02-29 20:25:37 -------- d-----w- C:\ComboFix
2012-02-28 22:12:05 88576 ------w- C:\Windows\ff.exe
2012-02-28 21:58:21 256000 ----a-w- C:\Windows\PEV.exe
2012-02-28 21:58:21 208896 ----a-w- C:\Windows\MBR.exe
2012-02-28 21:58:20 98816 ----a-w- C:\Windows\sed.exe
2012-02-28 21:58:20 518144 ----a-w- C:\Windows\SWREG.exe
2012-02-28 21:32:09 -------- d-----w- C:\Users\Kaori\AppData\Local\LogMeIn Rescue Applet
2012-02-25 21:17:49 20480 ----a-w- C:\Windows\svchost.exe
2012-02-25 17:55:23 691 ----a-w- C:\Users\Kaori\AppData\Roaming\GetValue.vbs
2012-02-25 17:55:23 35 ----a-w- C:\Users\Kaori\AppData\Roaming\SetValue.bat
2012-02-25 10:57:39 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-02-25 10:57:39 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-02-23 21:20:45 -------- d-----w- C:\Program Files (x86)\Trojan SVCHOSTRemoval Tool
2012-02-23 02:34:01 -------- d-----w- C:\Users\Kaori\AppData\Roaming\CheckPoint
2012-02-23 02:33:29 -------- d-----w- C:\Program Files\CheckPoint
2012-02-23 02:33:13 -------- d-----w- C:\ProgramData\CheckPoint
2012-02-23 02:32:44 374664 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-02-23 02:16:42 -------- d-----w- C:\Program Files (x86)\CheckPoint
2012-02-20 01:20:44 128512 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\ED57.tmp
2012-02-20 01:20:04 6656 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp
2012-02-20 01:20:04 128512 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp.dat
2012-02-07 17:20:01 6656 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\F440.tmp
2012-02-07 17:02:47 -------- d-----w- C:\Users\Kaori\AppData\Local\DDMSettings
.
==================== Find3M ====================
.
2012-02-28 00:08:45 3104 ----a-w- C:\Windows\SysWow64\tmp.reg
2012-02-22 12:35:31 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-02-20 01:27:30 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-10 20:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
.
============= FINISH: 16:59:25.32 ======
coyotekanta
2012-03-01, 00:18
Here is the attachment.
Hi again,
Please see if ESET scanner runs from Firefox.
Open notepad and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?p=422350#post422350
Collect::
C:\Windows\ff.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\F95495.exe
Rootkit::
C:\Windows\svchost.exe
Registry::
[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"McAfee"=-
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log (and ESET results if it ran successfully).
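The CFScript above goes after a svchost.exe that lives in C:\Windows rather than System32 (ComboFix's logs in this thread print the hidden copy as c:\\.\globalroot\systemroot\svchost.exe) and after a Run value under a Policies key, and the same logs show UAC switched off (EnableLUA=0). As an added example that is not part of this thread, of ComboFix or of Spybot, here is a small Python check that flags those three patterns in ComboFix-style log lines; the sample lines are constructed from entries in this thread, and the data of the McAfee value is a placeholder.

```python
"""Flag a masquerading svchost.exe and UAC-weakening policy values in
ComboFix-style log lines.  Added example; not part of the forum posts,
of ComboFix or of Spybot.  Sample lines are constructed from the thread."""
import re
from typing import Dict, List, Optional, Set

# Core Windows binaries and the only directories they legitimately run from
# (on 64-bit Windows the 32-bit svchost.exe copy lives in SysWOW64).
EXPECTED_DIRS: Dict[str, Set[str]] = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# policies\system values that, at these settings, turn UAC or its secure
# desktop off; the thread's ComboFix log shows all three at 0.
WEAK_UAC_VALUES: Dict[str, int] = {
    "enablelua": 0,
    "consentpromptbehavioradmin": 0,
    "promptonsecuredesktop": 0,
}

_IMAGE_RE = re.compile(r'([a-z]:\\.+?\.exe)(?=[\s"]|$)', re.IGNORECASE)
_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DWORD_RE = re.compile(r'^"(\w+)"\s*=\s*(\d+)')
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"\s*$')


def normalize_path(raw: str) -> str:
    r"""Lower-case a path and map device-style spellings onto a drive path.

    ComboFix printed the hidden process as c:\\.\globalroot\systemroot\svchost.exe;
    \SystemRoot is the kernel's name for c:\windows, so that is really
    c:\windows\svchost.exe, not the genuine c:\windows\system32\svchost.exe.
    """
    p = raw.strip().lower()
    idx = p.find(r"\\.\globalroot")
    if idx != -1:                      # drop the glued-on "c:" and the device prefix
        p = p[idx + len(r"\\.\globalroot"):]
    if p.startswith("\\??\\"):         # \??\c:\... as used in service ImagePath values
        p = p[4:]
    if p.startswith(r"\systemroot"):
        p = r"c:\windows" + p[len(r"\systemroot"):]
    return p


def check_image_path(line: str) -> Optional[str]:
    """Finding when a core binary's image path lies outside its expected directory."""
    m = _IMAGE_RE.search(line)
    if not m:
        return None
    path = normalize_path(m.group(1))
    directory, _, name = path.rpartition("\\")
    expected = EXPECTED_DIRS.get(name)
    if expected is None or directory in expected:
        return None
    return f"{name} outside its expected directory: {path}"


def scan_log(text: str) -> List[str]:
    """Walk ComboFix-style lines, tracking the current registry key for value lines."""
    findings: List[str] = []
    current_key = ""
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line[0] in "-(.*=":         # section banners and "." separators end a key block
            current_key = ""
            continue
        key = _KEY_RE.match(line)
        if key:
            current_key = key.group(1).lower()
            continue
        if current_key.endswith(r"policies\system"):
            dw = _DWORD_RE.match(line)
            if dw and WEAK_UAC_VALUES.get(dw.group(1).lower()) == int(dw.group(2)):
                findings.append(f"UAC weakened: {dw.group(1)}={dw.group(2)}")
            continue
        if current_key.endswith(r"policies\explorer\run"):
            val = _VALUE_RE.match(line)
            if val:
                findings.append(f"autorun under Policies\\Explorer\\Run: {val.group(1)} -> {val.group(2)}")
            continue
        finding = check_image_path(line)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample: lines taken from this thread's ComboFix output plus a
# placeholder data string for the policies\explorer\Run value the CFScript removes.
SAMPLE_LOG = r"""
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\svchost.exe -k netsvcs
c:\windows\SysWOW64\svchost.exe -k LocalService
c:\\.\globalroot\systemroot\svchost.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"McAfee"="c:\constructed\placeholder.exe"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```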
coyotekanta
2012-03-02, 08:37
Thanks for taking care of me every day. :)
Here is a new ComboFix report.
ComboFix 12-02-27.02 - Kaori 03/02/2012 1:11.4.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1977.1066 [GMT -5:00]
Running from: c:\users\Kaori\Desktop\ComboFix.exe
Command switches used :: c:\users\Kaori\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
.
((((((((((((((((((((((((( Files Created from 2012-02-02 to 2012-03-02 )))))))))))))))))))))))))))))))
.
.
2012-03-02 06:19 . 2012-03-02 06:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-28 22:12 . 2012-02-28 22:42 88576 ------w- c:\windows\ff.exe
2012-02-28 21:32 . 2012-03-02 05:40 -------- d-----w- c:\users\Kaori\AppData\Local\LogMeIn Rescue Applet
2012-02-28 02:09 . 2012-02-28 02:10 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-25 21:17 . 2009-07-14 01:14 20480 ----a-w- c:\windows\svchost.exe
2012-02-25 17:55 . 2012-02-28 00:08 691 ----a-w- c:\users\Kaori\AppData\Roaming\GetValue.vbs
2012-02-25 17:55 . 2012-02-28 00:08 35 ----a-w- c:\users\Kaori\AppData\Roaming\SetValue.bat
2012-02-25 10:57 . 2012-02-25 17:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-25 10:57 . 2012-02-25 11:02 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-02-23 21:20 . 2012-02-23 22:55 -------- d-----w- c:\program files (x86)\Trojan SVCHOSTRemoval Tool
2012-02-23 02:34 . 2012-02-23 02:34 -------- d-----w- c:\users\Kaori\AppData\Roaming\CheckPoint
2012-02-23 02:33 . 2012-02-28 21:18 -------- d-----w- c:\program files\CheckPoint
2012-02-23 02:33 . 2012-02-23 02:33 -------- d-----w- c:\programdata\CheckPoint
2012-02-23 02:32 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys
2012-02-23 02:16 . 2012-02-28 21:18 -------- d-----w- c:\program files (x86)\CheckPoint
2012-02-22 12:36 . 2012-02-22 12:36 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-02-20 01:20 . 2012-02-20 01:20 128512 ----a-w- c:\programdata\Microsoft\Windows\DRM\ED57.tmp
2012-02-20 01:20 . 2012-02-20 01:20 6656 ----a-w- c:\programdata\Microsoft\Windows\DRM\50F9.tmp
2012-02-07 17:20 . 2012-02-07 17:20 6656 ----a-w- c:\programdata\Microsoft\Windows\DRM\F440.tmp
2012-02-07 17:02 . 2012-02-07 17:02 -------- d-----w- c:\users\Kaori\AppData\Local\DDMSettings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 12:35 . 2011-02-03 00:38 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-20 01:27 . 2012-01-18 02:21 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-27 12:49 . 2011-12-27 12:49 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-12-27 12:49 . 2011-12-27 12:49 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2011-12-27 12:49 . 2011-12-27 12:49 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-12-27 12:49 . 2011-12-27 12:49 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2011-12-27 12:49 . 2011-12-27 12:49 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-12-27 12:49 . 2011-12-27 12:49 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2011-12-27 12:49 . 2011-12-27 12:49 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2011-12-27 12:49 . 2011-12-27 12:49 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2011-12-27 12:49 . 2011-12-27 12:49 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-12-27 12:49 . 2011-12-27 12:49 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2011-12-27 12:49 . 2011-12-27 12:49 367104 ----a-w- c:\windows\SysWow64\html.iec
2011-12-27 12:49 . 2011-12-27 12:49 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-12-27 12:49 . 2011-12-27 12:49 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-12-27 12:49 . 2011-12-27 12:49 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-12-27 12:49 . 2011-12-27 12:49 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-12-27 12:49 . 2011-12-27 12:49 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2011-12-27 12:49 . 2011-12-27 12:49 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-12-27 12:49 . 2011-12-27 12:49 222208 ----a-w- c:\windows\system32\msls31.dll
2011-12-27 12:49 . 2011-12-27 12:49 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2011-12-27 12:49 . 2011-12-27 12:49 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2011-12-27 12:49 . 2011-12-27 12:49 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2011-12-27 12:49 . 2011-12-27 12:49 1390080 ----a-w- c:\windows\system32\wininet.dll
2011-12-27 12:49 . 2011-12-27 12:49 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2011-12-27 12:49 . 2011-12-27 12:49 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2011-12-27 12:49 . 2011-12-27 12:49 49664 ----a-w- c:\windows\system32\imgutil.dll
2011-12-27 12:49 . 2011-12-27 12:49 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-27 12:49 . 2011-12-27 12:49 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-12-27 12:49 . 2011-12-27 12:49 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2011-12-27 12:49 . 2011-12-27 12:49 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-12-27 12:49 . 2011-12-27 12:49 12288 ----a-w- c:\windows\system32\mshta.exe
2011-12-27 12:49 . 2011-12-27 12:49 114176 ----a-w- c:\windows\system32\admparse.dll
2011-12-27 12:49 . 2011-12-27 12:49 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-12-27 12:49 . 2011-12-27 12:49 85504 ----a-w- c:\windows\system32\iesetup.dll
2011-12-27 12:49 . 2011-12-27 12:49 76800 ----a-w- c:\windows\system32\tdc.ocx
2011-12-27 12:49 . 2011-12-27 12:49 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-12-27 12:49 . 2011-12-27 12:49 448512 ----a-w- c:\windows\system32\html.iec
2011-12-27 12:49 . 2011-12-27 12:49 30720 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-27 12:49 . 2011-12-27 12:49 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-27 12:49 . 2011-12-27 12:49 111616 ----a-w- c:\windows\system32\iesysprep.dll
2011-12-27 12:49 . 2011-12-27 12:49 603648 ----a-w- c:\windows\system32\vbscript.dll
2011-12-27 12:49 . 2011-12-27 12:49 165888 ----a-w- c:\windows\system32\iexpress.exe
2011-12-27 12:49 . 2011-12-27 12:49 160256 ----a-w- c:\windows\system32\wextract.exe
2011-12-10 20:24 . 2011-07-25 10:54 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-28_22.41.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-02 06:19 . 2012-03-02 06:19 13318 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-02-28 22:39 . 2012-02-28 22:39 13318 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2012-02-29 20:20 . 2012-02-29 21:06 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012022920120301\index.dat
+ 2012-02-28 20:34 . 2012-02-28 22:41 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012022820120229\index.dat
+ 2012-02-20 01:27 . 2012-03-02 06:00 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
- 2012-02-20 01:27 . 2012-02-28 21:58 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2011-01-28 05:37 . 2012-03-02 05:42 54514 c:\windows\system64\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-02 06:01 37504 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-03 00:13 . 2012-03-02 06:01 14678 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1062982632-715189573-2474834400-1003_UserData.bin
+ 2011-01-28 05:37 . 2012-03-02 05:42 54514 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-02 06:01 37504 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-03 00:13 . 2012-03-02 06:01 14678 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1062982632-715189573-2474834400-1003_UserData.bin
- 2012-02-28 22:40 . 2012-02-28 22:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-02 06:20 . 2012-03-02 06:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-02-28 22:40 . 2012-02-28 22:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-02 06:20 . 2012-03-02 06:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-01-28 06:05 . 2012-02-28 22:41 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-01-28 06:05 . 2012-03-02 06:21 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 04:54 . 2012-03-02 06:21 360448 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-02-28 22:41 360448 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 02:36 . 2012-02-29 21:13 662512 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2012-02-28 22:27 662512 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2012-02-28 22:27 121770 c:\windows\system64\perfc009.dat
+ 2009-07-14 02:36 . 2012-02-29 21:13 121770 c:\windows\system64\perfc009.dat
- 2009-07-14 02:36 . 2012-02-28 22:27 662512 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-02-29 21:13 662512 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-02-28 22:27 121770 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-02-29 21:13 121770 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-02-28 22:39 408324 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-02 06:19 408324 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:54 . 2012-02-28 22:41 4161536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-02 06:21 4161536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-24 16:13 . 2012-03-02 06:19 5326560 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1062982632-715189573-2474834400-1003-12288.dat
+ 2012-02-20 19:48 . 2012-03-02 06:19 2581000 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
- 2012-02-20 19:48 . 2012-02-28 22:39 2581000 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
- 2009-07-14 04:54 . 2012-02-28 22:41 11124736 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-02 06:09 11124736 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 02:34 . 2012-02-29 21:21 10223616 c:\windows\system64\SMI\Store\Machine\schema.dat
- 2009-07-14 02:34 . 2012-02-28 22:03 10223616 c:\windows\system64\SMI\Store\Machine\schema.dat
- 2009-07-14 02:34 . 2012-02-28 22:03 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2012-02-29 21:21 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="c:\program files (x86)\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"BTMeter"="c:\program files (x86)\Battery Meter\BTMeter.exe" [2009-07-02 623984]
"WSED"="c:\program files (x86)\WSED\WSED.exe" [2009-05-27 247080]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"LTCM Client"="c:\program files (x86)\LTCM Client\ltcmClient.exe" [2009-03-02 1583808]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNTkyMTczNDIyLVhPMTArMTItTElDKzIyLVNQMSsxLVNQMVRCKzEtU1VEKzEtUzFJKzEtU1UzKzEtRkwxMCsxLVRVRyszLUREVCsyMDk3OC1MU0QrMi1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQVQrMy1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEIrMS1GVUkrMi1GMTBUQisyLVNUMTBUQkYrMQ&prod=90&ver=10.0.1424" [?]
.
c:\users\Kaori\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Epson all-in-one Registration.lnk - [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 136176]
R2 MSSQL$SCHEDUFLOW2008;SQL Server (SCHEDUFLOW2008);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 136176]
R3 netr7364;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0;PCDSRVC{67F2314B-25F2B3C0-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\gencotst\pcdsrvc_x64.pkms [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 16752]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-31 92160]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [2011-01-14 341296]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1c51x64.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 14:35]
.
2012-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 14:35]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDWare"="\Elantech\ETDCtrl.exe" [BU]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-14 7970848]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Kaori\AppData\Roaming\Mozilla\Firefox\Profiles\6v7c1pnl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.jp/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{67F2314B-25F2B3C0-06020101}_0]
"ImagePath"="\??\c:\gencotst\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1062982632-715189573-2474834400-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1062982632-715189573-2474834400-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\\.\globalroot\systemroot\svchost.exe
.
**************************************************************************
.
Completion time: 2012-03-02 01:28:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-02 06:28
ComboFix2.txt 2012-02-29 21:16
ComboFix3.txt 2012-02-28 22:48
.
Pre-Run: 279,535,755,264 bytes free
Post-Run: 279,305,637,888 bytes free
.
- - End Of File - - 88E880B6E3ECB79F8194684622119BF7
Upload was successful
coyotekanta
2012-03-02, 09:44
I could run ESET after deleting Norton Security Scan.
Here is the report.
C:\Program Files (x86)\Trojan SVCHOSTRemoval Tool\TrojanSVCHOSTRemovalTool.exe a variant of Win32/SecurityStronghold application
C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp Win64/Olmarik.AD trojan
C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp.dat a variant of Win32/Kryptik.AAZO trojan
C:\ProgramData\Microsoft\Windows\DRM\ED57.tmp a variant of Win32/Kryptik.AAZO trojan
C:\ProgramData\Microsoft\Windows\DRM\F440.tmp Win64/Olmarik.AD trojan
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Microsoft\Windows\DRM\50F9.tmp Win64/Olmarik.AD trojan
C:\Users\All Users\Microsoft\Windows\DRM\50F9.tmp.dat a variant of Win32/Kryptik.AAZO trojan
C:\Users\All Users\Microsoft\Windows\DRM\ED57.tmp a variant of Win32/Kryptik.AAZO trojan
C:\Users\All Users\Microsoft\Windows\DRM\F440.tmp Win64/Olmarik.AD trojan
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip Win32/Bagle.gen.zip worm
C:\Users\Kaori\Downloads\cnet_EFit_installer_exe.exe a variant of Win32/InstallCore.D application
C:\Users\Kaori\Downloads\TrojanSVCHOSTRemovalTool.exe a variant of Win32/SecurityStronghold application
C:\Windows\System32\config\systemprofile\AppData\Roaming\F95495.exe a variant of Win32/Kryptik.ABEC trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\F95495.exe a variant of Win32/Kryptik.ABEC trojan
Hi,
1. Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select skip and click Continue (tool may prompt for a reboot).
4. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format)
coyotekanta
2012-03-02, 23:24
Hi!
It said 1 threat found...
Here is a report...
It's too long, so I'll attach it.
Good. Please run TDSSKiller again and let it cure the finding this time. Post back the report. Also, please run ComboFix (let it update itself) and post back the log + fresh dds.txt log :)
coyotekanta
2012-03-03, 00:17
I selected "cure" and it rebooted. I ran TDSSKiller again. It said 0 threats found.
I'm attaching the report after cure.
Also, here is the ComboFix report.
ComboFix 12-02-27.02 - Kaori 03/02/2012 16:57:22.5.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1977.1099 [GMT -5:00]
Running from: c:\users\Kaori\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\ff.exe
c:\windows\svchost.exe
c:\windows\SysWow64\404Fix.exe
c:\windows\SysWow64\Agent.OMZ.Fix.exe
c:\windows\SysWow64\dumphive.exe
c:\windows\SysWow64\IEDFix.C.exe
c:\windows\SysWow64\IEDFix.exe
c:\windows\SysWow64\o4Patch.exe
c:\windows\SysWow64\Process.exe
c:\windows\SysWow64\regobj.dll
c:\windows\SysWow64\SrchSTS.exe
c:\windows\SysWow64\tmp.reg
c:\windows\SysWow64\VACFix.exe
c:\windows\SysWow64\VCCLSID.exe
c:\windows\SysWow64\WS2Fix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-02-02 to 2012-03-02 )))))))))))))))))))))))))))))))
.
.
2012-03-02 22:04 . 2012-03-02 22:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-02 21:44 . 2012-03-02 21:44 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-02 06:40 . 2012-03-02 06:40 -------- d-----w- c:\program files (x86)\ESET
2012-02-28 21:32 . 2012-03-02 05:40 -------- d-----w- c:\users\Kaori\AppData\Local\LogMeIn Rescue Applet
2012-02-28 02:09 . 2012-02-28 02:10 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-25 17:55 . 2012-02-28 00:08 691 ----a-w- c:\users\Kaori\AppData\Roaming\GetValue.vbs
2012-02-25 17:55 . 2012-02-28 00:08 35 ----a-w- c:\users\Kaori\AppData\Roaming\SetValue.bat
2012-02-25 10:57 . 2012-02-25 17:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-25 10:57 . 2012-02-25 11:02 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-02-23 21:20 . 2012-02-23 22:55 -------- d-----w- c:\program files (x86)\Trojan SVCHOSTRemoval Tool
2012-02-23 02:34 . 2012-02-23 02:34 -------- d-----w- c:\users\Kaori\AppData\Roaming\CheckPoint
2012-02-23 02:33 . 2012-02-28 21:18 -------- d-----w- c:\program files\CheckPoint
2012-02-23 02:33 . 2012-02-23 02:33 -------- d-----w- c:\programdata\CheckPoint
2012-02-23 02:32 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys
2012-02-23 02:16 . 2012-02-28 21:18 -------- d-----w- c:\program files (x86)\CheckPoint
2012-02-22 12:36 . 2012-02-22 12:36 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-02-20 01:20 . 2012-02-20 01:20 128512 ----a-w- c:\programdata\Microsoft\Windows\DRM\ED57.tmp
2012-02-20 01:20 . 2012-02-20 01:20 6656 ----a-w- c:\programdata\Microsoft\Windows\DRM\50F9.tmp
2012-02-07 17:20 . 2012-02-07 17:20 6656 ----a-w- c:\programdata\Microsoft\Windows\DRM\F440.tmp
2012-02-07 17:02 . 2012-02-07 17:02 -------- d-----w- c:\users\Kaori\AppData\Local\DDMSettings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 12:35 . 2011-02-03 00:38 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-20 01:27 . 2012-01-18 02:21 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-27 12:49 . 2011-12-27 12:49 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-12-27 12:49 . 2011-12-27 12:49 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2011-12-27 12:49 . 2011-12-27 12:49 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-12-27 12:49 . 2011-12-27 12:49 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2011-12-27 12:49 . 2011-12-27 12:49 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-12-27 12:49 . 2011-12-27 12:49 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2011-12-27 12:49 . 2011-12-27 12:49 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2011-12-27 12:49 . 2011-12-27 12:49 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2011-12-27 12:49 . 2011-12-27 12:49 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-12-27 12:49 . 2011-12-27 12:49 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2011-12-27 12:49 . 2011-12-27 12:49 367104 ----a-w- c:\windows\SysWow64\html.iec
2011-12-27 12:49 . 2011-12-27 12:49 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-12-27 12:49 . 2011-12-27 12:49 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-12-27 12:49 . 2011-12-27 12:49 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-12-27 12:49 . 2011-12-27 12:49 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-12-27 12:49 . 2011-12-27 12:49 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2011-12-27 12:49 . 2011-12-27 12:49 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-12-27 12:49 . 2011-12-27 12:49 222208 ----a-w- c:\windows\system32\msls31.dll
2011-12-27 12:49 . 2011-12-27 12:49 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2011-12-27 12:49 . 2011-12-27 12:49 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2011-12-27 12:49 . 2011-12-27 12:49 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2011-12-27 12:49 . 2011-12-27 12:49 1390080 ----a-w- c:\windows\system32\wininet.dll
2011-12-27 12:49 . 2011-12-27 12:49 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2011-12-27 12:49 . 2011-12-27 12:49 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2011-12-27 12:49 . 2011-12-27 12:49 49664 ----a-w- c:\windows\system32\imgutil.dll
2011-12-27 12:49 . 2011-12-27 12:49 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-27 12:49 . 2011-12-27 12:49 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-12-27 12:49 . 2011-12-27 12:49 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2011-12-27 12:49 . 2011-12-27 12:49 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-12-27 12:49 . 2011-12-27 12:49 12288 ----a-w- c:\windows\system32\mshta.exe
2011-12-27 12:49 . 2011-12-27 12:49 114176 ----a-w- c:\windows\system32\admparse.dll
2011-12-27 12:49 . 2011-12-27 12:49 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-12-27 12:49 . 2011-12-27 12:49 85504 ----a-w- c:\windows\system32\iesetup.dll
2011-12-27 12:49 . 2011-12-27 12:49 76800 ----a-w- c:\windows\system32\tdc.ocx
2011-12-27 12:49 . 2011-12-27 12:49 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-12-27 12:49 . 2011-12-27 12:49 448512 ----a-w- c:\windows\system32\html.iec
2011-12-27 12:49 . 2011-12-27 12:49 30720 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-27 12:49 . 2011-12-27 12:49 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-27 12:49 . 2011-12-27 12:49 111616 ----a-w- c:\windows\system32\iesysprep.dll
2011-12-27 12:49 . 2011-12-27 12:49 603648 ----a-w- c:\windows\system32\vbscript.dll
2011-12-27 12:49 . 2011-12-27 12:49 165888 ----a-w- c:\windows\system32\iexpress.exe
2011-12-27 12:49 . 2011-12-27 12:49 160256 ----a-w- c:\windows\system32\wextract.exe
2011-12-10 20:24 . 2011-07-25 10:54 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-28_22.41.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-02-28 22:39 . 2012-02-28 22:39 13318 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2012-03-02 22:04 . 2012-03-02 22:04 13318 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2012-03-02 06:37 . 2012-03-02 21:03 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012030220120303\index.dat
+ 2012-02-29 20:20 . 2012-02-29 21:06 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012022920120301\index.dat
+ 2012-02-28 20:34 . 2012-02-28 22:41 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012022820120229\index.dat
+ 2012-02-20 01:27 . 2012-03-02 21:03 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
- 2012-02-20 01:27 . 2012-02-28 21:58 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2011-01-28 05:37 . 2012-03-02 21:47 54990 c:\windows\system64\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-02 21:47 37528 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-03 00:13 . 2012-03-02 21:47 14702 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1062982632-715189573-2474834400-1003_UserData.bin
- 2011-02-02 23:36 . 2012-02-25 14:40 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-02 23:36 . 2012-03-02 21:55 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-02 23:36 . 2012-02-25 14:40 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-02-02 23:36 . 2012-03-02 21:55 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-02 21:55 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-25 14:40 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-28 05:37 . 2012-03-02 21:47 54990 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-02 21:47 37528 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-03 00:13 . 2012-03-02 21:47 14702 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1062982632-715189573-2474834400-1003_UserData.bin
+ 2011-02-02 23:36 . 2012-03-02 21:55 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-02 23:36 . 2012-02-25 14:40 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-02 23:36 . 2012-03-02 21:55 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-02-02 23:36 . 2012-02-25 14:40 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-25 14:40 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-02 21:55 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-02-28 22:40 . 2012-02-28 22:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-02 22:05 . 2012-03-02 22:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-02 22:05 . 2012-03-02 22:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-02-28 22:40 . 2012-02-28 22:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-01-28 06:05 . 2012-02-28 22:41 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-01-28 06:05 . 2012-03-02 21:03 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-14 04:54 . 2012-02-28 22:41 360448 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-03-02 21:03 360448 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 02:36 . 2012-02-28 22:27 662512 c:\windows\system64\perfh009.dat
+ 2009-07-14 02:36 . 2012-02-29 21:13 662512 c:\windows\system64\perfh009.dat
+ 2009-07-14 02:36 . 2012-02-29 21:13 121770 c:\windows\system64\perfc009.dat
- 2009-07-14 02:36 . 2012-02-28 22:27 121770 c:\windows\system64\perfc009.dat
+ 2009-07-14 02:36 . 2012-02-29 21:13 662512 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-02-28 22:27 662512 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-02-29 21:13 121770 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-02-28 22:27 121770 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:01 . 2012-03-02 22:04 408324 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-02-28 22:39 408324 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:54 . 2012-03-02 21:03 4161536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-28 22:41 4161536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-05-24 16:13 . 2012-03-02 22:04 5326560 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1062982632-715189573-2474834400-1003-12288.dat
+ 2012-02-20 19:48 . 2012-03-02 21:44 2581000 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
- 2012-02-20 19:48 . 2012-02-28 22:39 2581000 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
- 2009-07-14 04:54 . 2012-02-28 22:41 11124736 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-02 21:03 11124736 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 02:34 . 2012-02-28 22:03 10223616 c:\windows\system64\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2012-03-02 06:37 10223616 c:\windows\system64\SMI\Store\Machine\schema.dat
- 2009-07-14 02:34 . 2012-02-28 22:03 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2012-03-02 06:37 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="c:\program files (x86)\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"BTMeter"="c:\program files (x86)\Battery Meter\BTMeter.exe" [2009-07-02 623984]
"WSED"="c:\program files (x86)\WSED\WSED.exe" [2009-05-27 247080]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"LTCM Client"="c:\program files (x86)\LTCM Client\ltcmClient.exe" [2009-03-02 1583808]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNTkyMTczNDIyLVhPMTArMTItTElDKzIyLVNQMSsxLVNQMVRCKzEtU1VEKzEtUzFJKzEtU1UzKzEtRkwxMCsxLVRVRyszLUREVCsyMDk3OC1MU0QrMi1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQVQrMy1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEIrMS1GVUkrMi1GMTBUQisyLVNUMTBUQkYrMQ&prod=90&ver=10.0.1424" [?]
.
c:\users\Kaori\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Epson all-in-one Registration.lnk - [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 136176]
R2 MSSQL$SCHEDUFLOW2008;SQL Server (SCHEDUFLOW2008);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 136176]
R3 netr7364;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0;PCDSRVC{67F2314B-25F2B3C0-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\gencotst\pcdsrvc_x64.pkms [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 16752]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-31 92160]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [2011-01-14 341296]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1c51x64.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 14:35]
.
2012-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 14:35]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDWare"="\Elantech\ETDCtrl.exe" [BU]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-14 7970848]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Kaori\AppData\Roaming\Mozilla\Firefox\Profiles\6v7c1pnl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.jp/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{67F2314B-25F2B3C0-06020101}_0]
"ImagePath"="\??\c:\gencotst\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1062982632-715189573-2474834400-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1062982632-715189573-2474834400-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe
.
**************************************************************************
.
Completion time: 2012-03-02 17:11:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-02 22:11
ComboFix2.txt 2012-03-02 06:29
ComboFix3.txt 2012-02-29 21:16
ComboFix4.txt 2012-02-28 22:48
.
Pre-Run: 278,952,095,744 bytes free
Post-Run: 278,884,061,184 bytes free
.
- - End Of File - - A5E8E873F02C1118C35FEF30036E7CE8
Hi again,
Open notepad and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?t=65312
Collect::
C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp
C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp.dat
C:\ProgramData\Microsoft\Windows\DRM\ED57.tmp
C:\ProgramData\Microsoft\Windows\DRM\F440.tmp
C:\Users\All Users\Microsoft\Windows\DRM\50F9.tmp
C:\Users\All Users\Microsoft\Windows\DRM\50F9.tmp.dat
C:\Users\All Users\Microsoft\Windows\DRM\ED57.tmp
C:\Users\All Users\Microsoft\Windows\DRM\F440.tmp
Folder::
C:\Program Files (x86)\Trojan SVCHOSTRemoval Tool
File::
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip
C:\Users\Kaori\Downloads\cnet_EFit_installer_exe.exe
C:\Users\Kaori\Downloads\TrojanSVCHOSTRemovalTool.exe
C:\Windows\System32\config\systemprofile\AppData\Roaming\F95495.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\F95495.exe
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.
coyotekanta
2012-03-04, 17:02
Thanks again.
I could not make it yesterday. I was busy.
Then I tried to use ComboFix today, and it said it had expired today and would reduce its functions.
I exited.
Can I still use reduced function or do I have to uninstall CF/reinstall?
Did ComboFix ask you if you wanted to update it? It should do this, and you should let it do so. If the prompt was not shown, please download a fresh copy of ComboFix.exe to your desktop and run the CFScript with it.
coyotekanta
2012-03-05, 15:34
CF didn't ask about updating, so I deleted and reinstalled CF.
Here is a new CF result.
Thanks!
ComboFix 12-03-04.02 - Kaori 03/05/2012 8:14.7.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1977.1011 [GMT -5:00]
Running from: c:\users\Kaori\Downloads\ComboFix.exe
Command switches used :: c:\users\Kaori\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip"
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip"
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip"
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip"
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip"
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip"
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip"
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip"
"c:\users\Kaori\Downloads\cnet_EFit_installer_exe.exe"
"c:\users\Kaori\Downloads\TrojanSVCHOSTRemovalTool.exe"
"c:\windows\System32\config\systemprofile\AppData\Roaming\F95495.exe"
"c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\F95495.exe"
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Trojan SVCHOSTRemoval Tool
c:\program files (x86)\Trojan SVCHOSTRemoval Tool\database.db
c:\program files (x86)\Trojan SVCHOSTRemoval Tool\Results\List-23-02-12-17-55-23.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-02-05 to 2012-03-05 )))))))))))))))))))))))))))))))
.
.
2012-03-05 13:20 . 2012-03-05 13:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-02 21:44 . 2012-03-02 21:44 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-02 06:40 . 2012-03-02 06:40 -------- d-----w- c:\program files (x86)\ESET
2012-02-28 21:32 . 2012-03-02 05:40 -------- d-----w- c:\users\Kaori\AppData\Local\LogMeIn Rescue Applet
2012-02-28 02:09 . 2012-02-28 02:10 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-25 17:55 . 2012-02-28 00:08 691 ----a-w- c:\users\Kaori\AppData\Roaming\GetValue.vbs
2012-02-25 17:55 . 2012-02-28 00:08 35 ----a-w- c:\users\Kaori\AppData\Roaming\SetValue.bat
2012-02-25 10:57 . 2012-02-25 17:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-25 10:57 . 2012-02-25 11:02 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-02-23 02:34 . 2012-02-23 02:34 -------- d-----w- c:\users\Kaori\AppData\Roaming\CheckPoint
2012-02-23 02:33 . 2012-02-28 21:18 -------- d-----w- c:\program files\CheckPoint
2012-02-23 02:33 . 2012-02-23 02:33 -------- d-----w- c:\programdata\CheckPoint
2012-02-23 02:32 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys
2012-02-23 02:16 . 2012-02-28 21:18 -------- d-----w- c:\program files (x86)\CheckPoint
2012-02-22 12:36 . 2012-02-22 12:36 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-02-20 01:20 . 2012-02-20 01:20 128512 ------w- c:\programdata\Microsoft\Windows\DRM\ED57.tmp
2012-02-20 01:20 . 2012-02-20 01:20 6656 ------w- c:\programdata\Microsoft\Windows\DRM\50F9.tmp
2012-02-07 17:20 . 2012-02-07 17:20 6656 ------w- c:\programdata\Microsoft\Windows\DRM\F440.tmp
2012-02-07 17:02 . 2012-02-07 17:02 -------- d-----w- c:\users\Kaori\AppData\Local\DDMSettings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 12:35 . 2011-02-03 00:38 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-20 01:27 . 2012-01-18 02:21 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-27 12:49 . 2011-12-27 12:49 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-12-27 12:49 . 2011-12-27 12:49 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2011-12-27 12:49 . 2011-12-27 12:49 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-12-27 12:49 . 2011-12-27 12:49 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2011-12-27 12:49 . 2011-12-27 12:49 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-12-27 12:49 . 2011-12-27 12:49 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2011-12-27 12:49 . 2011-12-27 12:49 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2011-12-27 12:49 . 2011-12-27 12:49 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2011-12-27 12:49 . 2011-12-27 12:49 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-12-27 12:49 . 2011-12-27 12:49 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2011-12-27 12:49 . 2011-12-27 12:49 367104 ----a-w- c:\windows\SysWow64\html.iec
2011-12-27 12:49 . 2011-12-27 12:49 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-12-27 12:49 . 2011-12-27 12:49 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-12-27 12:49 . 2011-12-27 12:49 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-12-27 12:49 . 2011-12-27 12:49 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-12-27 12:49 . 2011-12-27 12:49 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2011-12-27 12:49 . 2011-12-27 12:49 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-12-27 12:49 . 2011-12-27 12:49 222208 ----a-w- c:\windows\system32\msls31.dll
2011-12-27 12:49 . 2011-12-27 12:49 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2011-12-27 12:49 . 2011-12-27 12:49 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2011-12-27 12:49 . 2011-12-27 12:49 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2011-12-27 12:49 . 2011-12-27 12:49 1390080 ----a-w- c:\windows\system32\wininet.dll
2011-12-27 12:49 . 2011-12-27 12:49 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2011-12-27 12:49 . 2011-12-27 12:49 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2011-12-27 12:49 . 2011-12-27 12:49 49664 ----a-w- c:\windows\system32\imgutil.dll
2011-12-27 12:49 . 2011-12-27 12:49 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-27 12:49 . 2011-12-27 12:49 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-12-27 12:49 . 2011-12-27 12:49 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2011-12-27 12:49 . 2011-12-27 12:49 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-12-27 12:49 . 2011-12-27 12:49 12288 ----a-w- c:\windows\system32\mshta.exe
2011-12-27 12:49 . 2011-12-27 12:49 114176 ----a-w- c:\windows\system32\admparse.dll
2011-12-27 12:49 . 2011-12-27 12:49 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-12-27 12:49 . 2011-12-27 12:49 85504 ----a-w- c:\windows\system32\iesetup.dll
2011-12-27 12:49 . 2011-12-27 12:49 76800 ----a-w- c:\windows\system32\tdc.ocx
2011-12-27 12:49 . 2011-12-27 12:49 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-12-27 12:49 . 2011-12-27 12:49 448512 ----a-w- c:\windows\system32\html.iec
2011-12-27 12:49 . 2011-12-27 12:49 30720 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-27 12:49 . 2011-12-27 12:49 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-27 12:49 . 2011-12-27 12:49 111616 ----a-w- c:\windows\system32\iesysprep.dll
2011-12-27 12:49 . 2011-12-27 12:49 603648 ----a-w- c:\windows\system32\vbscript.dll
2011-12-27 12:49 . 2011-12-27 12:49 165888 ----a-w- c:\windows\system32\iexpress.exe
2011-12-27 12:49 . 2011-12-27 12:49 160256 ----a-w- c:\windows\system32\wextract.exe
2011-12-10 20:24 . 2011-07-25 10:54 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-05_13.05.08 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-03-05 13:03 . 2012-03-05 13:03 13318 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2012-03-05 13:21 . 2012-03-05 13:21 13318 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2011-01-28 05:37 . 2012-03-05 13:06 55728 c:\windows\system64\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-03-05 12:51 37528 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-05 13:06 37528 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-03 00:13 . 2012-03-05 13:06 14798 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1062982632-715189573-2474834400-1003_UserData.bin
+ 2011-01-28 05:37 . 2012-03-05 13:06 55728 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-05 13:06 37528 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-03-05 12:51 37528 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-03 00:13 . 2012-03-05 13:06 14798 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1062982632-715189573-2474834400-1003_UserData.bin
- 2012-03-05 13:04 . 2012-03-05 13:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-05 13:22 . 2012-03-05 13:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-05 13:22 . 2012-03-05 13:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-03-05 13:04 . 2012-03-05 13:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:01 . 2012-03-05 13:03 408324 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-05 13:21 408324 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-05-24 16:13 . 2012-03-05 13:21 5643640 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1062982632-715189573-2474834400-1003-12288.dat
- 2011-05-24 16:13 . 2012-03-05 13:03 5643640 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1062982632-715189573-2474834400-1003-12288.dat
- 2009-07-14 02:34 . 2012-03-02 22:21 10223616 c:\windows\system64\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2012-03-05 13:21 10223616 c:\windows\system64\SMI\Store\Machine\schema.dat
- 2009-07-14 02:34 . 2012-03-02 22:21 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2012-03-05 13:21 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="c:\program files (x86)\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"BTMeter"="c:\program files (x86)\Battery Meter\BTMeter.exe" [2009-07-02 623984]
"WSED"="c:\program files (x86)\WSED\WSED.exe" [2009-05-27 247080]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"LTCM Client"="c:\program files (x86)\LTCM Client\ltcmClient.exe" [2009-03-02 1583808]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNTkyMTczNDIyLVhPMTArMTItTElDKzIyLVNQMSsxLVNQMVRCKzEtU1VEKzEtUzFJKzEtU1UzKzEtRkwxMCsxLVRVRyszLUREVCsyMDk3OC1MU0QrMi1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQVQrMy1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEIrMS1GVUkrMi1GMTBUQisyLVNUMTBUQkYrMQ&prod=90&ver=10.0.1424" [?]
.
c:\users\Kaori\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Epson all-in-one Registration.lnk - [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 136176]
R2 MSSQL$SCHEDUFLOW2008;SQL Server (SCHEDUFLOW2008);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 136176]
R3 netr7364;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0;PCDSRVC{67F2314B-25F2B3C0-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\gencotst\pcdsrvc_x64.pkms [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 16752]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-31 92160]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [2011-01-14 341296]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1c51x64.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 14:35]
.
2012-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 14:35]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDWare"="\Elantech\ETDCtrl.exe" [BU]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-14 7970848]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Kaori\AppData\Roaming\Mozilla\Firefox\Profiles\6v7c1pnl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.jp/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{67F2314B-25F2B3C0-06020101}_0]
"ImagePath"="\??\c:\gencotst\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1062982632-715189573-2474834400-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1062982632-715189573-2474834400-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe
.
**************************************************************************
.
Completion time: 2012-03-05 08:28:20 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-05 13:28
ComboFix2.txt 2012-03-05 13:10
.
Pre-Run: 280,292,651,008 bytes free
Post-Run: 280,242,356,224 bytes free
.
- - End Of File - - DE9C6D98E6C3549DAC02B045DF925DB6
Upload was successful
Hi,
Next, please run ESET online scanner again and post back its findings :)
coyotekanta
2012-03-06, 18:53
Here is new ESET result...
I uninstalled SecurityStronghold's SVCHOST removal tools the other day, and Norton Security Scan by Norton's tech support. And removed and reinstalled ComboFix. Other than that, nothing has been changed since the first post.
Thanks for your patience with my slow reply! :)
C:\$RECYCLE.BIN\S-1-5-21-1062982632-715189573-2474834400-1003\$R1H2C84.exe a variant of Win32/SecurityStronghold application
C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp Win64/Olmarik.AD trojan
C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp.dat a variant of Win32/Kryptik.AAZO trojan
C:\ProgramData\Microsoft\Windows\DRM\ED57.tmp a variant of Win32/Kryptik.AAZO trojan
C:\ProgramData\Microsoft\Windows\DRM\F440.tmp Win64/Olmarik.AD trojan
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip Win32/Bagle.gen.zip worm
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0000.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AD trojan
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0002.dta a variant of Win32/Rootkit.Kryptik.JG trojan
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AC trojan
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0008.dta Win64/Olmarik.X trojan
C:\Users\All Users\Microsoft\Windows\DRM\50F9.tmp Win64/Olmarik.AD trojan
C:\Users\All Users\Microsoft\Windows\DRM\50F9.tmp.dat a variant of Win32/Kryptik.AAZO trojan
C:\Users\All Users\Microsoft\Windows\DRM\ED57.tmp a variant of Win32/Kryptik.AAZO trojan
C:\Users\All Users\Microsoft\Windows\DRM\F440.tmp Win64/Olmarik.AD trojan
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip Win32/Bagle.gen.zip worm
C:\Users\Kaori\Downloads\cnet_EFit_installer_exe.exe a variant of Win32/InstallCore.D application
C:\Windows\System32\config\systemprofile\AppData\Roaming\F95495.exe a variant of Win32/Kryptik.ABEC trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\F95495.exe a variant of Win32/Kryptik.ABEC trojan
And removed and reinstalled ComboFix.
ComboFix shouldn't be uninstalled while the case is still under work (assuming you did more than just deleting the ComboFix.exe file on your desktop).
Open Notepad and copy/paste the text in the quote box below into it:
File::
C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp
C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp.dat
C:\ProgramData\Microsoft\Windows\DRM\ED57.tmp
C:\ProgramData\Microsoft\Windows\DRM\F440.tmp
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip
C:\Users\All Users\Microsoft\Windows\DRM\50F9.tmp
C:\Users\All Users\Microsoft\Windows\DRM\50F9.tmp.dat
C:\Users\All Users\Microsoft\Windows\DRM\ED57.tmp
C:\Users\All Users\Microsoft\Windows\DRM\F440.tmp
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip
C:\Users\Kaori\Downloads\cnet_EFit_installer_exe.exe
C:\Windows\System32\config\systemprofile\AppData\Roaming\F95495.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\F95495.exe
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log. Run ESET scanner again and post back its log.
coyotekanta
2012-03-06, 20:06
Thanks, again.
ComboFix did not update. It said it was expired, and I tried to reinstall without uninstalling but it didn't work, so I uninstalled once and reinstalled.
Here is the new CF result...
ComboFix 12-03-04.02 - Kaori 03/06/2012 12:47:54.8.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1977.1134 [GMT -5:00]
Running from: c:\users\Kaori\Downloads\ComboFix.exe
Command switches used :: c:\users\Kaori\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\programdata\Microsoft\Windows\DRM\50F9.tmp"
"c:\programdata\Microsoft\Windows\DRM\50F9.tmp.dat"
"c:\programdata\Microsoft\Windows\DRM\ED57.tmp"
"c:\programdata\Microsoft\Windows\DRM\F440.tmp"
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip"
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip"
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip"
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip"
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip"
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip"
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip"
"c:\programdata\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip"
"c:\users\All Users\Microsoft\Windows\DRM\50F9.tmp"
"c:\users\All Users\Microsoft\Windows\DRM\50F9.tmp.dat"
"c:\users\All Users\Microsoft\Windows\DRM\ED57.tmp"
"c:\users\All Users\Microsoft\Windows\DRM\F440.tmp"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip"
"c:\users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip"
"c:\users\Kaori\Downloads\cnet_EFit_installer_exe.exe"
"c:\windows\System32\config\systemprofile\AppData\Roaming\F95495.exe"
"c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\F95495.exe"
.
.
((((((((((((((((((((((((( Files Created from 2012-02-06 to 2012-03-06 )))))))))))))))))))))))))))))))
.
.
2012-03-06 17:55 . 2012-03-06 17:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-02 21:44 . 2012-03-02 21:44 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-02 06:40 . 2012-03-02 06:40 -------- d-----w- c:\program files (x86)\ESET
2012-02-28 21:32 . 2012-03-02 05:40 -------- d-----w- c:\users\Kaori\AppData\Local\LogMeIn Rescue Applet
2012-02-28 02:09 . 2012-02-28 02:10 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-25 17:55 . 2012-02-28 00:08 691 ----a-w- c:\users\Kaori\AppData\Roaming\GetValue.vbs
2012-02-25 17:55 . 2012-02-28 00:08 35 ----a-w- c:\users\Kaori\AppData\Roaming\SetValue.bat
2012-02-25 10:57 . 2012-02-25 17:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-25 10:57 . 2012-02-25 11:02 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-02-23 02:34 . 2012-02-23 02:34 -------- d-----w- c:\users\Kaori\AppData\Roaming\CheckPoint
2012-02-23 02:33 . 2012-02-28 21:18 -------- d-----w- c:\program files\CheckPoint
2012-02-23 02:33 . 2012-02-23 02:33 -------- d-----w- c:\programdata\CheckPoint
2012-02-23 02:32 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys
2012-02-23 02:16 . 2012-02-28 21:18 -------- d-----w- c:\program files (x86)\CheckPoint
2012-02-22 12:36 . 2012-02-22 12:36 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-02-20 01:20 . 2012-02-20 01:20 128512 ------w- c:\programdata\Microsoft\Windows\DRM\ED57.tmp
2012-02-20 01:20 . 2012-02-20 01:20 6656 ------w- c:\programdata\Microsoft\Windows\DRM\50F9.tmp
2012-02-07 17:20 . 2012-02-07 17:20 6656 ------w- c:\programdata\Microsoft\Windows\DRM\F440.tmp
2012-02-07 17:02 . 2012-02-07 17:02 -------- d-----w- c:\users\Kaori\AppData\Local\DDMSettings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 12:35 . 2011-02-03 00:38 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-20 01:27 . 2012-01-18 02:21 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-27 12:49 . 2011-12-27 12:49 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-12-27 12:49 . 2011-12-27 12:49 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2011-12-27 12:49 . 2011-12-27 12:49 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2011-12-27 12:49 . 2011-12-27 12:49 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2011-12-27 12:49 . 2011-12-27 12:49 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll
2011-12-27 12:49 . 2011-12-27 12:49 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2011-12-27 12:49 . 2011-12-27 12:49 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2011-12-27 12:49 . 2011-12-27 12:49 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2011-12-27 12:49 . 2011-12-27 12:49 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-12-27 12:49 . 2011-12-27 12:49 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2011-12-27 12:49 . 2011-12-27 12:49 367104 ----a-w- c:\windows\SysWow64\html.iec
2011-12-27 12:49 . 2011-12-27 12:49 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-12-27 12:49 . 2011-12-27 12:49 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-12-27 12:49 . 2011-12-27 12:49 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-12-27 12:49 . 2011-12-27 12:49 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-12-27 12:49 . 2011-12-27 12:49 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2011-12-27 12:49 . 2011-12-27 12:49 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-12-27 12:49 . 2011-12-27 12:49 222208 ----a-w- c:\windows\system32\msls31.dll
2011-12-27 12:49 . 2011-12-27 12:49 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2011-12-27 12:49 . 2011-12-27 12:49 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2011-12-27 12:49 . 2011-12-27 12:49 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2011-12-27 12:49 . 2011-12-27 12:49 1390080 ----a-w- c:\windows\system32\wininet.dll
2011-12-27 12:49 . 2011-12-27 12:49 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2011-12-27 12:49 . 2011-12-27 12:49 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2011-12-27 12:49 . 2011-12-27 12:49 49664 ----a-w- c:\windows\system32\imgutil.dll
2011-12-27 12:49 . 2011-12-27 12:49 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-12-27 12:49 . 2011-12-27 12:49 2309120 ----a-w- c:\windows\system32\jscript9.dll
2011-12-27 12:49 . 2011-12-27 12:49 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2011-12-27 12:49 . 2011-12-27 12:49 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-12-27 12:49 . 2011-12-27 12:49 12288 ----a-w- c:\windows\system32\mshta.exe
2011-12-27 12:49 . 2011-12-27 12:49 114176 ----a-w- c:\windows\system32\admparse.dll
2011-12-27 12:49 . 2011-12-27 12:49 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-12-27 12:49 . 2011-12-27 12:49 85504 ----a-w- c:\windows\system32\iesetup.dll
2011-12-27 12:49 . 2011-12-27 12:49 76800 ----a-w- c:\windows\system32\tdc.ocx
2011-12-27 12:49 . 2011-12-27 12:49 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-12-27 12:49 . 2011-12-27 12:49 448512 ----a-w- c:\windows\system32\html.iec
2011-12-27 12:49 . 2011-12-27 12:49 30720 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-27 12:49 . 2011-12-27 12:49 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-27 12:49 . 2011-12-27 12:49 111616 ----a-w- c:\windows\system32\iesysprep.dll
2011-12-27 12:49 . 2011-12-27 12:49 603648 ----a-w- c:\windows\system32\vbscript.dll
2011-12-27 12:49 . 2011-12-27 12:49 165888 ----a-w- c:\windows\system32\iexpress.exe
2011-12-27 12:49 . 2011-12-27 12:49 160256 ----a-w- c:\windows\system32\wextract.exe
2011-12-10 20:24 . 2011-07-25 10:54 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-05_13.05.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-06 17:55 . 2012-03-06 17:55 13318 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-03-05 13:03 . 2012-03-05 13:03 13318 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2011-01-28 05:37 . 2012-03-06 17:44 55910 c:\windows\system64\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-03-05 12:51 37528 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-06 17:44 37528 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-03 00:13 . 2012-03-06 17:44 14822 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1062982632-715189573-2474834400-1003_UserData.bin
- 2011-02-02 23:36 . 2012-03-02 22:12 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-02 23:36 . 2012-03-06 15:45 16384 c:\windows\system64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-02-02 23:36 . 2012-03-02 22:12 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-02-02 23:36 . 2012-03-06 15:45 32768 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-02 22:12 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-06 15:45 16384 c:\windows\system64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-28 05:37 . 2012-03-06 17:44 55910 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2012-03-05 12:51 37528 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-06 17:44 37528 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-02-03 00:13 . 2012-03-06 17:44 14822 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1062982632-715189573-2474834400-1003_UserData.bin
- 2011-02-02 23:36 . 2012-03-02 22:12 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-02 23:36 . 2012-03-06 15:45 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-02-02 23:36 . 2012-03-06 15:45 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-02-02 23:36 . 2012-03-02 22:12 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-02 22:12 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-06 15:45 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-03-05 13:04 . 2012-03-05 13:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-06 17:56 . 2012-03-06 17:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-06 17:56 . 2012-03-06 17:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-03-05 13:04 . 2012-03-05 13:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:01 . 2012-03-05 13:03 408324 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-06 17:55 408324 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-05-24 16:13 . 2012-03-06 17:55 5664320 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1062982632-715189573-2474834400-1003-12288.dat
- 2009-07-14 02:34 . 2012-03-02 22:21 10223616 c:\windows\system64\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2012-03-05 13:36 10223616 c:\windows\system64\SMI\Store\Machine\schema.dat
- 2009-07-14 02:34 . 2012-03-02 22:21 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2012-03-05 13:36 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="c:\program files (x86)\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"BTMeter"="c:\program files (x86)\Battery Meter\BTMeter.exe" [2009-07-02 623984]
"WSED"="c:\program files (x86)\WSED\WSED.exe" [2009-05-27 247080]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"LTCM Client"="c:\program files (x86)\LTCM Client\ltcmClient.exe" [2009-03-02 1583808]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNTkyMTczNDIyLVhPMTArMTItTElDKzIyLVNQMSsxLVNQMVRCKzEtU1VEKzEtUzFJKzEtU1UzKzEtRkwxMCsxLVRVRyszLUREVCsyMDk3OC1MU0QrMi1ERDEwRisxLVNUMTBGQVBQKzEtRjEwTTEyQVQrMy1GMTBNMTJBKzEtRjEwTTEyQUIrMS1VMTArMS1GMTBNMTJBVEIrMS1GVUkrMi1GMTBUQisyLVNUMTBUQkYrMQ&prod=90&ver=10.0.1424" [?]
.
c:\users\Kaori\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Epson all-in-one Registration.lnk - [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 136176]
R2 MSSQL$SCHEDUFLOW2008;SQL Server (SCHEDUFLOW2008);c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
R2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 136176]
R3 netr7364;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0;PCDSRVC{67F2314B-25F2B3C0-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\gencotst\pcdsrvc_x64.pkms [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\DRIVERS\EMSC.SYS [2009-06-26 16752]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-31 92160]
S2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [2011-01-14 341296]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [x]
S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1c51x64.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 14:35]
.
2012-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-08 14:35]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDWare"="\Elantech\ETDCtrl.exe" [BU]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-14 7970848]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Kaori\AppData\Roaming\Mozilla\Firefox\Profiles\6v7c1pnl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.jp/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{67F2314B-25F2B3C0-06020101}_0]
"ImagePath"="\??\c:\gencotst\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1062982632-715189573-2474834400-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1062982632-715189573-2474834400-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe
.
**************************************************************************
.
Completion time: 2012-03-06 13:02:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-06 18:02
ComboFix2.txt 2012-03-05 13:29
ComboFix3.txt 2012-03-05 13:10
.
Pre-Run: 279,995,224,064 bytes free
Post-Run: 279,909,732,352 bytes free
.
- - End Of File - - A88FB7E17A48DB26FE493C8EA80FA923
coyotekanta
2012-03-06, 20:54
C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp Win64/Olmarik.AD trojan
C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp.dat a variant of Win32/Kryptik.AAZO trojan
C:\ProgramData\Microsoft\Windows\DRM\ED57.tmp a variant of Win32/Kryptik.AAZO trojan
C:\ProgramData\Microsoft\Windows\DRM\F440.tmp Win64/Olmarik.AD trojan
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip Win32/Bagle.gen.zip worm
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0000.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AD trojan
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0002.dta a variant of Win32/Rootkit.Kryptik.JG trojan
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AC trojan
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0008.dta Win64/Olmarik.X trojan
C:\Users\All Users\Microsoft\Windows\DRM\50F9.tmp Win64/Olmarik.AD trojan
C:\Users\All Users\Microsoft\Windows\DRM\50F9.tmp.dat a variant of Win32/Kryptik.AAZO trojan
C:\Users\All Users\Microsoft\Windows\DRM\ED57.tmp a variant of Win32/Kryptik.AAZO trojan
C:\Users\All Users\Microsoft\Windows\DRM\F440.tmp Win64/Olmarik.AD trojan
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip Win32/Bagle.gen.zip worm
C:\Users\Kaori\Downloads\cnet_EFit_installer_exe.exe a variant of Win32/InstallCore.D application
C:\Windows\System32\config\systemprofile\AppData\Roaming\F95495.exe a variant of Win32/Kryptik.ABEC trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\F95495.exe a variant of Win32/Kryptik.ABEC trojan
Hi,
Show hidden files
-----------------
1. Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
2. Click the View tab.
3. Under Advanced settings, click Show hidden files and folders, and then click OK.
Navigate to C:\ProgramData\Microsoft\Windows\DRM folder and see if you can find and delete these files:
50F9.tmp
50F9.tmp.dat
ED57.tmp
F440.tmp
Let me know how it goes and then we'll continue.
coyotekanta
2012-03-07, 22:04
Hi, how are you?
I followed your directions precisely, and did not see a DRM folder under C:\ProgramData\Microsoft\Windows\.
I went to Control Panel again and tried unchecking "Hide protected operating system files", and looked under C:\.....\Windows\. The DRM folder appeared under \Windows\..., but I did not see the files. I checked the "Hide..." option back on.
So I used the search option in Windows Explorer. Then the search showed those files in the search window! I deleted them.
They are in the Recycle Bin now.
I restarted the PC just in case. It restarted without a trouble.
Aren't those files "protected operating system files"?
Is it OK to delete them?
Should I empty the Recycle Bin too?
Waiting for the next direction patiently. :)
Thanks.
coyotekanta
2012-03-08, 06:46
ESET new result...
C:\$RECYCLE.BIN\S-1-5-21-1062982632-715189573-2474834400-1003\$R67BHQC.tmp Win64/Olmarik.AD trojan
C:\$RECYCLE.BIN\S-1-5-21-1062982632-715189573-2474834400-1003\$RACEYLA.tmp a variant of Win32/Kryptik.AAZO trojan
C:\$RECYCLE.BIN\S-1-5-21-1062982632-715189573-2474834400-1003\$RD64GNZ.dat a variant of Win32/Kryptik.AAZO trojan
C:\$RECYCLE.BIN\S-1-5-21-1062982632-715189573-2474834400-1003\$RPBW5AB.tmp Win64/Olmarik.AD trojan
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip Win32/Bagle.gen.zip worm
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0000.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AD trojan
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0002.dta a variant of Win32/Rootkit.Kryptik.JG trojan
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AC trojan
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\02.03.2012_16.43.15\mbr0000\tdlfs0000\tsk0008.dta Win64/Olmarik.X trojan
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip Win32/Bagle.gen.zip worm
C:\Users\Kaori\Downloads\cnet_EFit_installer_exe.exe a variant of Win32/InstallCore.D application
C:\Windows\System32\config\systemprofile\AppData\Roaming\F95495.exe a variant of Win32/Kryptik.ABEC trojan
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\F95495.exe a variant of Win32/Kryptik.ABEC trojan
how are you?
Fine. I hope you too :)
Let's see if we can tackle those remaining items in the same way.
Delete C:\TDSSKiller_Quarantine folder.
Then delete these files:
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric3.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric4.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric5.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric6.zip
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric7.zip
C:\Users\Kaori\Downloads\cnet_EFit_installer_exe.exe
C:\Windows\System32\config\systemprofile\AppData\Roaming\F95495.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\F95495.exe
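The two clean-up posts above (show hidden files and delete the four DRM\*.tmp files; then delete the TDSSKiller quarantine folder and the listed files) can be done in one pass from an elevated PowerShell prompt, which also explains the thread's earlier snag: Explorer hides files carrying the Hidden and System attributes, while Get-Item -Force returns them. The script below is an added example for this thread, not something the helper, Spybot, ESET or ComboFix provide. It takes the paths exactly as ESET reported them, records each file's SHA-256 and attributes to a log before deleting it, and then removes the quarantine folder. Two assumptions beyond the thread: the log file location on the Desktop is mine, and the ESET entries under C:\Users\All Users\... are omitted because on Windows Vista and later C:\Users\All Users is a junction to C:\ProgramData, so they are the same files as the C:\ProgramData\... entries. The two F95495.exe paths sit under systemprofile, the profile of the LocalSystem account, so they need an administrator to remove regardless of which user is logged in.

```powershell
# Added example (not from the original thread): remove the files the helper listed,
# including ones Explorer hides, after recording their hashes for later analysis.
# Run from an elevated PowerShell prompt (PowerShell 2.0 on Windows 7 is enough).

# Paths copied from the ESET reports quoted in the thread.
$Targets = @(
    'C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp',
    'C:\ProgramData\Microsoft\Windows\DRM\50F9.tmp.dat',
    'C:\ProgramData\Microsoft\Windows\DRM\ED57.tmp',
    'C:\ProgramData\Microsoft\Windows\DRM\F440.tmp',
    'C:\Users\Kaori\Downloads\cnet_EFit_installer_exe.exe',
    'C:\Windows\System32\config\systemprofile\AppData\Roaming\F95495.exe',
    'C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\F95495.exe'
)
# Spybot's Recovery backups SmitfraudCgeneric.zip .. SmitfraudCgeneric7.zip.
$Targets += (0..7 | ForEach-Object {
    $n = if ($_ -eq 0) { '' } else { "$_" }
    "C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric$n.zip"
})
$Quarantine = 'C:\TDSSKiller_Quarantine'
$LogFile    = "$env:USERPROFILE\Desktop\removal-log.txt"   # assumption: log location

# SHA-256 via .NET so it also works on PowerShell 2.0 (Get-FileHash needs 4.0+).
# Opens with FileShare ReadWrite so a file another process holds open can still be read.
function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close(); $sha.Clear() }
}

foreach ($path in $Targets) {
    # -Force makes Get-Item return Hidden/System files, which is why Explorer
    # "could not find" them while the Search box did. -LiteralPath keeps the
    # '&' in the Spybot folder name from being interpreted.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        "MISSING  $path" | Tee-Object -FilePath $LogFile -Append
        continue
    }
    try   { $hash = Get-Sha256 $item.FullName }
    catch { $hash = "unavailable ($($_.Exception.Message))" }
    "FOUND    $path  attrs=$($item.Attributes)  sha256=$hash" |
        Tee-Object -FilePath $LogFile -Append

    # Clear ReadOnly/Hidden/System first so Remove-Item does not have to fight them.
    $item.Attributes = 'Normal'
    Remove-Item -LiteralPath $item.FullName -Force
    "DELETED  $path" | Tee-Object -FilePath $LogFile -Append
}

# The TDSSKiller quarantine holds the TDL file-system contents it pulled from the
# MBR rootkit; hash every file in it for the record, then remove the whole folder.
if (Test-Path -LiteralPath $Quarantine) {
    Get-ChildItem -LiteralPath $Quarantine -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { "QUARANTINE $($_.FullName)  sha256=$(Get-Sha256 $_.FullName)" } |
        Tee-Object -FilePath $LogFile -Append
    Remove-Item -LiteralPath $Quarantine -Recurse -Force
    "DELETED  $Quarantine" | Tee-Object -FilePath $LogFile -Append
}
```

The log it leaves on the Desktop answers the "is it really gone?" question without another full ESET scan: rerun the script and every line should read MISSING. The four $RECYCLE.BIN\...\$R*.tmp entries in the second ESET report are the DRM files that were deleted through Explorer, renamed by the Recycle Bin, so emptying the Recycle Bin clears those; this script deletes directly and does not route through the bin.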
coyotekanta
2012-03-11, 01:42
Thanks for your support all this way.
It looked like Smitfraud was gone now, and the remaining F959... file seemed to have invaded my laptop a long time ago. None of the spyware detectors, nor AVG, even detected it.
My husband brought my laptop to a repair guy to reinstall the OS because our daughter's 10" laptop was also attacked by a rootkit.. so we are tired of dealing with it.
So I do not have infected PC right now.
But thank you very much for your help!
I really had a great experience seeing how to work on the virus and finding out somebody can take care of us!
Thank you!
Since this issue appears to be resolved ... this Topic has been closed.
Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.