Possible infection [Archive] - Safer-Networking Forums

jamper

2013-09-01, 03:57

Hello, and Thank You for the help.
A few things have been happening: During a recent windows update, as the computer was booting up and applying updates an error came up saying BitDefender encountered an error .....it said some more but it disappeared before I had the chance to read it all or copy it. I am not sure what to make of this because I do not have BitDefender.

Another problem (I think) is I have 2 partitions C and D and I have yet to use D, but it says there is 1GB being used, I have opened it and there is nothing there.

And the last thing is I keep seeing dllHost.exe COM surrogate showing up and disappearing about every 30 sec or so, every time it does I get the activity indicator on the cursor.
I reformatted the entire computer when I first saw this happen last week, but it is happening again.

Also when I tried to update awsmbr to run a scan for this it says avast engine download error 0.
Thanks Again.
------------------------------------------------------------------------------------------------------------------------------------

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16502
Run by yui at 18:03:26 on 2013-08-31
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6056.3604 [GMT -7:00]
.
AV: ZoneAlarm Internet Security Suite Antivirus *Enabled/Updated* {DE038A5B-9EDD-18A9-2361-FF7D98D43730}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: ZoneAlarm Internet Security Suite Anti-Spyware *Enabled/Updated* {65626BBF-B8E7-1727-19D1-C40FE3537D8D}
FW: ZoneAlarm Internet Security Suite Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\FBAgent.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\P4G\BatteryLife.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe
C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
C:\Windows\SysWOW64\ACEngSvr.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
C:\Windows\AsScrPro.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\yui\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe
C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\taskeng.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Google Update] "C:\Users\yui\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
mRun: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
mRun: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
mRun: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
mRun: [Wireless Console 3] C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun: [ZoneAlarm] "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe"
StartupFolder: C:\Users\yui\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\FANCYS~1.LNK - C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_94E3CE3704FE82FBF49A6A.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{1869CCA2-698C-459D-8CB7-23813A41A346} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /SF3
x64-Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
x64-Run: [ETDCtrl] C:\Program Files (x86)\Elantech\ETDCtrl.exe
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Users\yui\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Users\yui\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\yui\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Users\yui\AppData\Roaming\Mozilla\plugins\npo1d.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
FF - ExtSQL: 2013-08-15 21:29; jid1-xUfzOsOFlzSOXg@jetpack; C:\Users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi
FF - ExtSQL: 2013-08-15 21:30; jid0-hd39BGK3EuIbK47rGW3fZdR163o@jetpack; C:\Users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\jid0-hd39BGK3EuIbK47rGW3fZdR163o@jetpack.xpi
FF - ExtSQL: 2013-08-15 21:30; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-08-15 21:31; jid1-ZAdIEUB7XOzOJw@jetpack; C:\Users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi
FF - ExtSQL: 2013-08-15 21:31; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; C:\Users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
FF - ExtSQL: 2013-08-15 21:31; {73a6fe31-595d-460b-a920-fcc0f8843232}; C:\Users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2013-08-15 21:31; support@lastpass.com; C:\Users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\support@lastpass.com
FF - ExtSQL: 2013-08-15 21:56; jid1-4P0kohSJxU1qGg@jetpack; C:\Users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\jid1-4P0kohSJxU1qGg@jetpack.xpi
FF - ExtSQL: 2013-08-15 22:03; netflixrandomizer@joshkowarsky.com; C:\Users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\netflixrandomizer@joshkowarsky.com.xpi
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?src=tb&tbid=base2013&Lan={dfltLng}&gu=a734bfc817a14665b49769779ebd1f2e&tu=10Go5009n2B000v&sku=&tstsId=&ver=&&q=
FF - user.js: extensions.zonealarm.id - ea8e2377000000000000742f687ae033
FF - user.js: extensions.zonealarm.appId - {C56C48A0-DA4E-46F6-9859-1553DC865F84}
FF - user.js: extensions.zonealarm.instlDay - 15947
FF - user.js: extensions.zonealarm.vrsn - 1.8.11.6
FF - user.js: extensions.zonealarm.vrsni - 1.8.11.6
FF - user.js: extensions.zonealarm.vrsnTs - 1.8.11.613:24:24
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1042
FF - user.js: extensions.zonealarm.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base2013
FF - user.js: extensions.zonealarm.instlRef - ZLN119547823771645-1042
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.ffxUnstlRst - false
FF - user.js: extensions.zonealarm.admin - false
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm.rvrt - false
FF - user.js: extensions.zonealarm.newTab - false
.
============= SERVICES / DRIVERS ===============
.
R1 ATKWMIACPIIO;ATKWMIACPI Driver;C:\Program Files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2010-7-26 17024]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\System32\drivers\klim6.sys [2013-8-31 28504]
R1 kltdi;kltdi;C:\Windows\System32\drivers\kltdi.sys [2013-8-31 54104]
R1 kneps;kneps;C:\Windows\System32\drivers\kneps.sys [2013-8-31 178600]
R2 AFBAgent;AFBAgent;C:\Windows\System32\FBAgent.exe [2013-8-30 379520]
R2 ASMMAP64;ASMMAP64;C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-7-2 15416]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-8-30 1817560]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-8-30 1033688]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-8-30 171928]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2013-8-30 2655768]
R2 ZAPrivacyService;ZoneAlarm Privacy Service;C:\Program Files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [2013-6-18 54160]
R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\System32\drivers\ETD.sys [2013-8-30 138024]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-8-30 317440]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2013-8-30 76912]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2013-8-30 1147232]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\System32\drivers\SiSG664.sys [2009-6-10 56832]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-8-31 1255736]
.
=============== Created Last 30 ================
.
2013-09-01 00:57:42 -------- d-----w- C:\Windows\System32\MRT
2013-09-01 00:09:23 178600 ----a-w- C:\Windows\System32\drivers\kneps.sys
2013-09-01 00:09:22 54104 ----a-w- C:\Windows\System32\drivers\kltdi.sys
2013-09-01 00:09:10 28504 ----a-w- C:\Windows\System32\drivers\klim6.sys
2013-09-01 00:09:07 458584 ----a-w- C:\Windows\System32\drivers\kl1.sys
2013-09-01 00:09:03 89944 ----a-w- C:\Windows\System32\drivers\klflt.sys
2013-09-01 00:08:36 -------- d-----w- C:\Program Files (x86)\CheckPoint
2013-08-31 23:58:35 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2013-08-31 23:41:42 -------- d-----w- C:\Windows\SysWow64\Wat
2013-08-31 23:41:42 -------- d-----w- C:\Windows\System32\Wat
2013-08-31 23:27:25 311808 ----a-w- C:\Windows\System32\msv1_0.dll
2013-08-31 23:27:25 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2013-08-31 23:21:45 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
2013-08-31 23:21:45 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
2013-08-31 23:21:45 48960 ----a-w- C:\Windows\System32\netfxperf.dll
2013-08-31 23:21:45 444752 ----a-w- C:\Windows\System32\mscoree.dll
2013-08-31 23:21:45 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
2013-08-31 23:21:45 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
2013-08-31 23:21:45 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
2013-08-31 23:21:45 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
2013-08-31 23:21:45 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
2013-08-31 23:21:44 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2013-08-31 23:15:08 46080 ----a-w- C:\Windows\System32\atmlib.dll
2013-08-31 23:15:08 367616 ----a-w- C:\Windows\System32\atmfd.dll
2013-08-31 23:15:08 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2013-08-31 23:15:08 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2013-08-31 23:12:01 80896 ----a-w- C:\Windows\System32\imagehlp.dll
2013-08-31 23:12:01 22896 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2013-08-31 23:12:01 158720 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2013-08-31 23:12:00 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2013-08-31 23:12:00 5120 ----a-w- C:\Windows\System32\wmi.dll
2013-08-31 17:08:01 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-08-31 17:08:00 751104 ----a-w- C:\Windows\System32\win32spl.dll
2013-08-31 17:06:52 3150848 ----a-w- C:\Windows\System32\win32k.sys
2013-08-31 17:05:58 1359872 ----a-w- C:\Windows\System32\mfc42u.dll
2013-08-31 17:04:37 516096 ----a-w- C:\Program Files\Windows Mail\wab.exe
2013-08-31 17:03:47 46592 ----a-w- C:\Windows\System32\msasn1.dll
2013-08-31 17:02:57 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
2013-08-31 17:02:57 236032 ----a-w- C:\Windows\System32\srvsvc.dll
2013-08-31 17:02:43 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-08-31 17:02:42 182272 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-08-31 17:02:42 1462784 ----a-w- C:\Windows\System32\crypt32.dll
2013-08-31 17:02:42 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2013-08-31 17:02:42 139264 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-08-31 17:02:42 1157632 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-08-31 17:02:30 77312 ----a-w- C:\Windows\System32\packager.dll
2013-08-31 17:02:30 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2013-08-31 00:45:16 -------- d-----w- C:\Program Files\CCleaner
2013-08-31 00:06:54 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2013-08-31 00:05:57 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
2013-08-31 00:05:53 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-08-31 00:02:38 -------- d-----w- C:\Users\yui\AppData\Roaming\Malwarebytes
2013-08-31 00:02:30 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-08-31 00:02:30 -------- d-----w- C:\ProgramData\Malwarebytes
2013-08-31 00:02:30 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-08-31 00:02:15 -------- d-----w- C:\Users\yui\AppData\Local\Programs
2013-08-30 20:50:03 9515512 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3FB6940E-A62C-4ED0-9B97-C443D5B25992}\mpengine.dll
2013-08-30 20:50:02 278800 ------w- C:\Windows\System32\MpSigStub.exe
2013-08-30 20:28:33 -------- d-----w- C:\Users\yui\AppData\Roaming\CheckPoint
2013-08-30 20:27:31 374664 ----a-w- C:\Windows\System32\drivers\netio.sys
2013-08-30 20:23:27 -------- d-----w- C:\ProgramData\CheckPoint
2013-08-30 20:17:29 -------- d-----w- C:\Users\yui\AppData\Local\Google
2013-08-30 20:16:56 -------- d-----w- C:\Users\yui\AppData\Local\Macromedia
2013-08-30 20:16:18 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-30 20:16:18 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-08-30 20:15:52 -------- d-----w- C:\Users\yui\AppData\Local\Adobe
2013-08-30 20:10:00 -------- d-----w- C:\Users\yui\AppData\Local\Mozilla
2013-08-30 20:04:27 826368 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2013-08-30 20:04:27 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2013-08-30 20:04:27 139264 ----a-w- C:\Windows\System32\cabview.dll
2013-08-30 20:04:27 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2013-08-30 20:04:27 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2013-08-30 20:04:26 -------- d-----w- C:\temp
2013-08-30 19:59:05 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2013-08-30 19:58:51 99840 ----a-w- C:\Windows\System32\wudriver.dll
2013-08-30 19:58:42 36864 ----a-w- C:\Windows\System32\wuapp.exe
2013-08-30 19:58:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2013-08-30 19:17:47 5047080 ----a-w- C:\Windows\System32\ETDUI.cpl
2013-08-30 19:17:43 438808 ----a-w- C:\Windows\System32\drivers\iaStor.sys
2013-08-30 19:17:43 15416 ----a-w- C:\Windows\System32\drivers\kbfiltr.sys
2013-08-30 19:17:43 138024 ----a-w- C:\Windows\System32\drivers\ETD.sys
2013-08-30 19:17:39 76912 ----a-w- C:\Windows\System32\drivers\L1C62x64.sys
2013-08-30 19:17:00 317440 ----a-w- C:\Windows\System32\drivers\IntcDAud.sys
2013-08-30 19:17:00 14848 ----a-w- C:\Windows\System32\IntcDAuC.dll
2013-08-30 19:15:58 4368920 ----a-w- C:\Windows\System32\GfxUI.exe
2013-08-30 19:10:12 45056 ----a-w- C:\Windows\System32\acovcnt.exe
2013-08-30 19:08:44 2621440 ---h--r- C:\K73SV.BIN
2013-08-30 19:08:44 2621440 ---h--r- C:\K73E.BIN
2013-08-30 19:08:33 -------- d-----w- C:\eSupport
2013-08-30 19:08:10 -------- d-----w- C:\ProgramData\Trend Micro
2013-08-30 19:05:52 327008 ----a-w- C:\Windows\System32\RaCoInstx.dll
2013-08-30 19:04:51 518896 ----a-w- C:\Windows\System32\SRSTSX64.dll
2013-08-30 19:03:28 -------- d-----w- C:\Program Files\Common Files\Intel
2013-08-30 19:03:28 -------- d-----w- C:\Program Files (x86)\Common Files\Intel
2013-08-30 19:02:03 8192 ----a-w- C:\Windows\SysWow64\drivers\IntelMEFWVer.dll
2013-08-30 19:02:03 8192 ----a-w- C:\Windows\System32\drivers\IntelMEFWVer.dll
2013-08-30 19:01:59 -------- d-----w- C:\Program Files (x86)\Common Files\postureAgent
2013-08-30 19:01:54 56344 ----a-w- C:\Windows\System32\drivers\HECIx64.sys
2013-08-30 18:59:35 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
2013-08-30 18:59:31 -------- d-----w- C:\Intel
2013-08-30 18:57:51 947584 ----a-w- C:\Windows\System32\drivers\ndis.sys
2013-08-30 18:56:04 410504 ----a-w- C:\Windows\System32\drivers\iaStorV.sys
2013-08-30 18:56:04 27016 ----a-w- C:\Windows\System32\drivers\amdxata.sys
2013-08-30 18:56:04 166280 ----a-w- C:\Windows\System32\drivers\nvstor.sys
2013-08-30 18:56:04 148352 ----a-w- C:\Windows\System32\drivers\nvraid.sys
2013-08-30 18:56:04 107912 ----a-w- C:\Windows\System32\drivers\amdsata.sys
2013-08-30 18:56:03 2566144 ----a-w- C:\Windows\System32\esent.dll
2013-08-30 18:56:03 187264 ----a-w- C:\Windows\System32\drivers\storport.sys
2013-08-30 18:56:03 1686016 ----a-w- C:\Windows\SysWow64\esent.dll
2013-08-30 18:52:21 51712 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2013-08-30 18:52:21 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
.
==================== Find3M ====================
.
2013-08-31 23:58:35 662528 ----a-w- C:\Windows\System32\XpsPrint.dll
2013-08-30 19:06:51 80512 ----a-w- C:\Windows\AsusScr_K Series_ENG Uninstaller.exe
2013-08-30 19:06:50 3058304 ----a-w- C:\Windows\AsScrPro.exe
2013-06-13 23:34:16 451096 ----a-w- C:\Windows\System32\drivers\vsdatant.sys
.
============= FINISH: 18:03:45.86 ===============

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-08-31 18:12:12
-----------------------------
18:12:12.666 OS Version: Windows x64 6.1.7600
18:12:12.666 Number of processors: 4 586 0x2A07
18:12:12.666 ComputerName: YUI-PC UserName: yui
18:12:13.992 Initialize success
18:12:47.710 AVAST engine download error: 0
18:13:01.485 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:13:01.500 Disk 0 Vendor: Hitachi_ JEDO Size: 610480MB BusType: 3
18:13:01.688 Disk 0 MBR read successfully
18:13:01.688 Disk 0 MBR scan
18:13:01.688 Disk 0 Windows 7 default MBR code
18:13:01.703 Disk 0 Partition 1 00 1C Hidd FAT32 LBA MSDOS5.0 25600 MB offset 2048
18:13:01.703 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 152620 MB offset 52430848
18:13:01.719 Disk 0 Partition - 00 0F Extended LBA 432258 MB offset 364996608
18:13:01.750 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 432257 MB offset 364998656
18:13:01.875 Disk 0 scanning C:\Windows\system32\drivers
18:13:06.243 Service scanning
18:13:24.152 Modules scanning
18:13:24.152 Disk 0 trace - called modules:
18:13:24.713 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
18:13:24.713 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007ebc060]
18:13:24.713 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa800638bd20]
18:13:24.729 5 ACPI.sys[fffff88000eef781] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8006390050]
18:13:24.729 Scan finished successfully
18:13:38.004 Disk 0 MBR has been saved successfully to "C:\Users\yui\Desktop\MBR.dat"
18:13:38.004 The log file has been saved successfully to "C:\Users\yui\Desktop\aswMBR.txt"

Robybel

2013-09-04, 05:38

Hi and Welcome!! jamper :)

My name is Robybel.

I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable. (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

Having said that....Let's get going!! ;)

========================

Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Next

http://i.imgur.com/81mYIKe.jpg AdwCleaner

Double click on AdwCleaner.exe to run the tool again.

Click on the Scan button.
AdwCleaner will begin to scan your computer like it did before.
After the scan has finished...
This time, click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Next

http://imageshack.us/a/img841/7292/thisisujrt.gif Please download Junkware Removal Tool (http://thisisudax.org/downloads/JRT.exe) to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

Next

Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) and save it to your desktop.
Quit all other programs
Start RogueKiller.exe
Wait until the Prescan has finished ...
Click on Scan
http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png
Wait for the end of the scan
A report will be created on your desktop.
Click on the Delete button
http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png
Next click on the ShortcutsFix
http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png
another report will be created on your desktop.

Please post: All RKreport.txt text files located on your desktop.

On your next reply please post :

checkup.txt
AdwCleaner[S1].txt
JRT.txt
All RKreport.txt

Let me know if you have any problems in performing with the steps above or any questions you may have.

Good Day!

jamper

2013-09-04, 05:59

Hi, Thanks for helping me.
I will follow all instructions, but I have a question about AdwCleaner, you did not provide a link, so should I just do a search for it? is there a recommended download I should use?

jamper

2013-09-04, 06:13

For RogueKiller should I use thr *64 ?

jamper

2013-09-04, 22:00

Results of screen317's Security Check version 0.99.73
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 10
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
ZoneAlarm Internet Security Suite Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.75.0.1300
Adobe Flash Player 11.8.800.94
Mozilla Firefox (23.0.1)
````````Process Check: objlist.exe by Laurent````````
Spybot Teatimer.exe is disabled!
CheckPoint ZoneAlarm vsmon.exe
CheckPoint ZoneAlarm ZAPrivacyService.exe
CheckPoint ZoneAlarm zatray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
====================================================================================

# AdwCleaner v3.002 - Report created 04/09/2013 at 12:21:46
# Updated 01/09/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : yui - YUI-PC
# Running from : C:\Users\yui\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\yui\AppData\Roaming\CheckPoint\ZoneAlarm LTD Toolbar
Folder Deleted : C:\Users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\jetpack
File Deleted : C:\Users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\searchplugins\zonealarm.xml
File Deleted : C:\Users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\user.js

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm LTD Toolbar

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16660

-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [1539 octets] - [04/09/2013 12:20:38]
AdwCleaner[S0].txt - [1476 octets] - [04/09/2013 12:21:46]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1536 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.7 (09.01.2013:1)
OS: Windows 7 Home Premium x64
Ran by yui on Wed 09/04/2013 at 12:35:59.65
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ FireFox

Emptied folder: C:\Users\yui\AppData\Roaming\mozilla\firefox\profiles\k90afalj.default\minidumps [5 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 09/04/2013 at 12:40:53.08
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

RogueKiller V8.6.9 _x64_ [Sep 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : yui [Admin rights]
Mode : Scan -- Date : 09/04/2013 12:44:53
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Google Update ("C:\Users\yui\AppData\Local\Google\Update\GoogleUpdate.exe" /c [7]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-4156131364-3118308946-494500273-1000\[...]\Run : Google Update ("C:\Users\yui\AppData\Local\Google\Update\GoogleUpdate.exe" /c [7]) -> FOUND
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 4 ¤¤¤
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-4156131364-3118308946-494500273-1000UA.job : C:\Users\yui\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> FOUND
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-4156131364-3118308946-494500273-1000Core.job : C:\Users\yui\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> FOUND
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-4156131364-3118308946-494500273-1000Core : C:\Users\yui\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> FOUND
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-4156131364-3118308946-494500273-1000UA : C:\Users\yui\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS547564A9E384 +++++
--- User ---
[MBR] d0fb3e02adb2f4850ba33f02fa8da32e
[BSP] 2ee18edf56eb573bfe8fc4993312b762 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 2048 | Size: 25600 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 52430848 | Size: 152620 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 364996608 | Size: 432258 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_09042013_124453.txt >>

====================================================================================

RogueKiller V8.6.9 _x64_ [Sep 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : yui [Admin rights]
Mode : Remove -- Date : 09/04/2013 12:45:59
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Google Update ("C:\Users\yui\AppData\Local\Google\Update\GoogleUpdate.exe" /c [7]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-4156131364-3118308946-494500273-1000\[...]\Run : Google Update ("C:\Users\yui\AppData\Local\Google\Update\GoogleUpdate.exe" /c [7]) -> [0x2] The system cannot find the file specified.
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 4 ¤¤¤
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-4156131364-3118308946-494500273-1000UA.job : C:\Users\yui\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> DELETED
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-4156131364-3118308946-494500273-1000Core.job : C:\Users\yui\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> DELETED
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-4156131364-3118308946-494500273-1000Core : C:\Users\yui\AppData\Local\Google\Update\GoogleUpdate.exe - /c [7] -> DELETED
[V2][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-4156131364-3118308946-494500273-1000UA : C:\Users\yui\AppData\Local\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS547564A9E384 +++++
--- User ---
[MBR] d0fb3e02adb2f4850ba33f02fa8da32e
[BSP] 2ee18edf56eb573bfe8fc4993312b762 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 2048 | Size: 25600 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 52430848 | Size: 152620 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 364996608 | Size: 432258 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_09042013_124559.txt >>
RKreport[0]_S_09042013_124453.txt

====================================================================================

RogueKiller V8.6.9 _x64_ [Sep 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : yui [Admin rights]
Mode : Shortcuts HJfix -- Date : 09/04/2013 12:46:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 0 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 3 / Fail 0
My documents: Success 0 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 9 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[0]_SC_09042013_124623.txt >>
RKreport[0]_D_09042013_124559.txt;RKreport[0]_S_09042013_124453.txt

Robybel

2013-09-05, 22:04

Hi jamper

Sorry for delay :(

Very good job

Please read through these instructions to familarize yourself with what to expect when this tool runs

Refer to the ComboFix User's Guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)

====================================================

Double click on combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

On your next reply please post :

Combofix log

Let me know if you have any problems in performing with the steps above or any questions you may have.

Good Day!

jamper

2013-09-06, 02:19

ComboFix 13-09-04.04 - yui 09/05/2013 17:08:13.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6056.4740 [GMT -7:00]
Running from: c:\users\yui\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\msvcr71.dll
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2013-08-06 to 2013-09-06 )))))))))))))))))))))))))))))))
.
.
2013-09-06 00:12 . 2013-09-06 00:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-04 19:35 . 2013-09-04 19:35 -------- d-----w- c:\windows\ERUNT
2013-09-04 19:19 . 2013-09-04 19:21 -------- d-----w- C:\AdwCleaner
2013-09-03 10:44 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-09-03 10:44 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-09-03 10:05 . 2013-09-03 10:05 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-09-03 10:03 . 2013-09-03 10:03 1887232 ----a-w- c:\windows\system32\d3d11.dll
2013-09-03 10:03 . 2013-09-03 10:03 1505280 ----a-w- c:\windows\SysWow64\d3d11.dll
2013-09-03 08:59 . 2013-04-10 06:01 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-09-03 08:59 . 2013-04-10 06:01 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-09-03 08:59 . 2011-02-03 11:25 144384 ----a-w- c:\windows\system32\cdd.dll
2013-09-03 08:59 . 2013-07-09 05:46 1472512 ----a-w- c:\windows\system32\crypt32.dll
2013-09-03 08:59 . 2013-07-09 05:52 224256 ----a-w- c:\windows\system32\wintrust.dll
2013-09-03 08:59 . 2013-07-09 05:46 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-09-03 08:59 . 2013-07-09 05:46 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-09-03 08:59 . 2013-07-09 04:52 175104 ----a-w- c:\windows\SysWow64\wintrust.dll
2013-09-03 08:59 . 2013-07-09 04:46 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-09-03 08:59 . 2013-07-09 04:46 1166848 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-09-03 08:59 . 2013-07-09 04:46 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-09-03 08:57 . 2013-07-06 06:03 1910208 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-09-03 08:57 . 2013-04-10 05:46 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2013-09-03 08:57 . 2013-04-10 05:03 936448 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2013-09-03 08:57 . 2013-05-13 05:50 52224 ----a-w- c:\windows\system32\certenc.dll
2013-09-03 08:57 . 2013-05-13 03:43 1192448 ----a-w- c:\windows\system32\certutil.exe
2013-09-03 08:57 . 2013-05-13 03:08 903168 ----a-w- c:\windows\SysWow64\certutil.exe
2013-09-03 08:57 . 2013-05-13 03:08 43008 ----a-w- c:\windows\SysWow64\certenc.dll
2013-09-02 19:03 . 2013-09-02 19:03 -------- d-----w- c:\windows\system32\SPReview
2013-09-02 19:02 . 2013-09-02 19:02 -------- d-----w- c:\windows\system32\EventProviders
2013-09-02 12:49 . 2010-11-20 13:34 215936 ----a-w- c:\windows\system32\drivers\vhdmp.sys
2013-09-02 12:48 . 2010-11-20 13:11 6144 ----a-w- c:\windows\system32\drivers\en-US\IPMIDrv.sys.mui
2013-09-02 12:48 . 2010-11-20 13:10 4608 ----a-w- c:\windows\system32\drivers\en-US\kbdclass.sys.mui
2013-09-02 12:48 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
2013-09-02 12:48 . 2010-11-20 12:21 189952 ----a-w- c:\windows\SysWow64\wdscore.dll
2013-09-02 12:48 . 2010-11-20 12:21 189952 ----a-w- c:\windows\SysWow64\sqmapi.dll
2013-09-02 12:48 . 2010-11-20 12:21 363008 ----a-w- c:\windows\SysWow64\wbemcomn.dll
2013-09-02 12:48 . 2010-11-20 12:21 189952 ----a-w- c:\program files (x86)\Windows Portable Devices\sqmapi.dll
2013-09-02 12:48 . 2010-11-20 12:19 606208 ----a-w- c:\windows\SysWow64\wbem\fastprox.dll
2013-09-02 12:47 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
2013-09-02 12:47 . 2010-11-20 13:27 244736 ----a-w- c:\program files\Windows Portable Devices\sqmapi.dll
2013-09-02 12:47 . 2010-11-20 13:27 244736 ----a-w- c:\windows\system32\sqmapi.dll
2013-09-01 01:00 . 2013-09-01 01:00 -------- d-----w- c:\program files (x86)\ERUNT
2013-09-01 00:57 . 2013-09-01 00:58 -------- d-----w- c:\windows\system32\MRT
2013-09-01 00:09 . 2013-08-04 07:02 178600 ----a-w- c:\windows\system32\drivers\kneps.sys
2013-09-01 00:09 . 2012-11-16 04:06 54104 ----a-w- c:\windows\system32\drivers\kltdi.sys
2013-09-01 00:09 . 2012-11-16 04:06 28504 ----a-w- c:\windows\system32\drivers\klim6.sys
2013-09-01 00:09 . 2013-08-04 07:02 458584 ----a-w- c:\windows\system32\drivers\kl1.sys
2013-09-01 00:09 . 2013-08-04 07:02 89944 ----a-w- c:\windows\system32\drivers\klflt.sys
2013-09-01 00:09 . 2013-08-04 07:02 613720 ----a-w- c:\windows\system32\drivers\klif.sys
2013-09-01 00:08 . 2013-09-01 00:08 -------- d-----w- c:\program files (x86)\CheckPoint
2013-08-31 23:41 . 2013-08-31 23:41 -------- d-----w- c:\windows\SysWow64\Wat
2013-08-31 23:41 . 2013-08-31 23:41 -------- d-----w- c:\windows\system32\Wat
2013-08-31 23:15 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll
2013-08-31 23:15 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll
2013-08-31 23:15 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2013-08-31 23:15 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2013-08-31 23:15 . 2010-09-30 10:41 100864 ----a-w- c:\windows\system32\fontsub.dll
2013-08-31 23:15 . 2010-09-30 06:47 70656 ----a-w- c:\windows\SysWow64\fontsub.dll
2013-08-31 23:12 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-08-31 23:12 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2013-08-31 23:12 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2013-08-31 23:12 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2013-08-31 23:12 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2013-08-31 17:06 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2013-08-31 17:06 . 2011-10-26 04:32 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2013-08-31 17:06 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\SysWow64\quartz.dll
2013-08-31 17:06 . 2011-10-26 05:25 366592 ----a-w- c:\windows\system32\qdvd.dll
2013-08-31 17:06 . 2011-07-09 02:46 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2013-08-31 17:06 . 2011-04-27 02:40 158208 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2013-08-31 17:06 . 2011-04-27 02:39 128000 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2013-08-31 17:06 . 2011-11-17 05:35 314880 ----a-w- c:\windows\SysWow64\webio.dll
2013-08-31 17:06 . 2011-11-17 06:35 395776 ----a-w- c:\windows\system32\webio.dll
2013-08-31 17:06 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-08-31 17:04 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2013-08-31 17:03 . 2011-05-24 11:42 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
2013-08-31 17:02 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2013-08-31 17:02 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2013-08-31 02:56 . 2013-08-31 02:56 -------- d-----w- c:\program files\Microsoft Silverlight
2013-08-31 02:56 . 2013-08-31 02:56 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2013-08-31 00:45 . 2013-08-31 00:45 -------- d-----w- c:\program files\CCleaner
2013-08-31 00:06 . 2013-09-06 00:06 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-08-31 00:05 . 2009-01-25 20:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-08-31 00:05 . 2013-08-31 00:08 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-08-31 00:02 . 2013-08-31 00:02 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-08-31 00:02 . 2013-08-31 00:02 -------- d-----w- c:\programdata\Malwarebytes
2013-08-31 00:02 . 2013-04-04 21:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-08-30 20:50 . 2013-08-20 07:46 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3FB6940E-A62C-4ED0-9B97-C443D5B25992}\mpengine.dll
2013-08-30 20:50 . 2013-08-07 11:22 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-08-30 20:28 . 2013-09-01 00:09 -------- dc----w- c:\windows\system32\DRVSTORE
2013-08-30 20:23 . 2013-09-01 00:08 -------- d-----w- c:\programdata\CheckPoint
2013-08-30 20:16 . 2013-08-30 20:16 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-30 20:16 . 2013-08-30 20:16 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-08-30 20:16 . 2013-08-30 20:16 -------- d-----w- c:\windows\system32\Macromed
2013-08-30 20:09 . 2013-08-30 20:09 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2013-08-30 20:04 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2013-08-30 20:04 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2013-08-30 20:04 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2013-08-30 20:04 . 2013-08-30 20:04 -------- d-----w- C:\temp
2013-08-30 19:59 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2013-08-30 19:59 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2013-08-30 19:59 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2013-08-30 19:59 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2013-08-30 19:58 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2013-08-30 19:58 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2013-08-30 19:58 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2013-08-30 19:58 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2013-08-30 19:58 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2013-08-30 19:45 . 2013-08-30 19:45 -------- d-----w- c:\users\yui
2013-08-30 19:17 . 2010-12-13 13:12 5047080 ----a-w- c:\windows\system32\ETDUI.cpl
2013-08-30 19:17 . 2010-12-13 13:12 138024 ----a-w- c:\windows\system32\drivers\ETD.sys
2013-08-30 19:17 . 2010-11-05 15:45 438808 ----a-w- c:\windows\system32\drivers\iaStor.sys
2013-08-30 19:17 . 2009-07-20 09:29 15416 ----a-w- c:\windows\system32\drivers\kbfiltr.sys
2013-08-30 19:17 . 2010-08-24 09:55 76912 ----a-w- c:\windows\system32\drivers\L1C62x64.sys
2013-08-30 19:17 . 2010-10-14 16:28 317440 ----a-w- c:\windows\system32\drivers\IntcDAud.sys
2013-08-30 19:17 . 2010-10-14 16:27 14848 ----a-w- c:\windows\system32\IntcDAuC.dll
2013-08-30 19:15 . 2011-02-10 05:48 4368920 ----a-w- c:\windows\system32\GfxUI.exe
2013-08-30 19:10 . 2013-09-03 12:20 45056 ----a-w- c:\windows\system32\acovcnt.exe
2013-08-30 19:08 . 2011-02-10 14:04 2621440 ------r- C:\K73E.BIN
2013-08-30 19:08 . 2011-02-10 13:41 2621440 ------r- C:\K73SV.BIN
2013-08-30 19:08 . 2013-08-30 19:06 -------- d-----w- C:\eSupport
2013-08-30 19:08 . 2013-08-30 20:25 -------- d-----w- c:\programdata\Trend Micro
2013-08-30 19:06 . 2013-08-30 19:06 80512 ----a-w- c:\windows\AsusScr_K Series_ENG Uninstaller.exe
2013-08-30 19:06 . 2011-02-16 07:23 55310091 ------w- c:\windows\system32\AsusScr_K Series_ENG.scr
2013-08-30 19:06 . 2013-08-30 19:06 -------- d-----w- c:\windows\SysWow64\Macromed
2013-08-30 19:06 . 2013-08-30 19:06 3058304 ----a-w- c:\windows\AsScrPro.exe
2013-08-30 19:06 . 2013-09-05 20:00 -------- d-----w- C:\ASUS.DAT
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-02 19:09 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2013-09-02 19:09 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2013-06-13 23:34 . 2013-06-13 23:34 451096 ----a-w- c:\windows\system32\drivers\vsdatant.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2010-08-17 5732992]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2010-10-07 170624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2010-09-23 1601536]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
"ZoneAlarm"="c:\program files (x86)\CheckPoint\ZoneAlarm\zatray.exe" [2013-08-12 73832]
.
c:\users\yui\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FancyStart daemon.lnk - c:\windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_94E3CE3704FE82FBF49A6A.exe -d [2013-8-30 12862]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys;c:\windows\SYSNATIVE\DRIVERS\SiSG664.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S1 ATKWMIACPIIO;ATKWMIACPI Driver;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys;c:\windows\SYSNATIVE\DRIVERS\klim6.sys [x]
S1 kltdi;kltdi;c:\windows\system32\DRIVERS\kltdi.sys;c:\windows\SYSNATIVE\DRIVERS\kltdi.sys [x]
S1 kneps;kneps;c:\windows\system32\DRIVERS\kneps.sys;c:\windows\SYSNATIVE\DRIVERS\kneps.sys [x]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe;c:\windows\SYSNATIVE\FBAgent.exe [x]
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [x]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe;c:\program files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [x]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-08-30 20:16]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-10 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-10 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-10 418328]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-01-18 2188904]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2010-08-11 324096]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
FF - ProfilePath - c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\
FF - ExtSQL: 2013-08-15 21:29; jid1-xUfzOsOFlzSOXg@jetpack; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi
FF - ExtSQL: 2013-08-15 21:30; jid0-hd39BGK3EuIbK47rGW3fZdR163o@jetpack; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\jid0-hd39BGK3EuIbK47rGW3fZdR163o@jetpack.xpi
FF - ExtSQL: 2013-08-15 21:30; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-08-15 21:31; jid1-ZAdIEUB7XOzOJw@jetpack; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi
FF - ExtSQL: 2013-08-15 21:31; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
FF - ExtSQL: 2013-08-15 21:31; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2013-08-15 21:31; support@lastpass.com; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\support@lastpass.com
FF - ExtSQL: 2013-08-15 21:56; jid1-4P0kohSJxU1qGg@jetpack; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\jid1-4P0kohSJxU1qGg@jetpack.xpi
FF - ExtSQL: 2013-08-15 22:03; netflixrandomizer@joshkowarsky.com; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\netflixrandomizer@joshkowarsky.com.xpi
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
Notify-SDWinLogon - SDWinLogon.dll
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-09-05 17:14:59
ComboFix-quarantined-files.txt 2013-09-06 00:14
.
Pre-Run: 122,074,836,992 bytes free
Post-Run: 121,413,177,344 bytes free
.
- - End Of File - - 6F3DA14A778B0BDF7FACCF95657A3F62

Robybel

2013-09-06, 14:36

Hi jamper

Please follow all previous instructions regarding security programs.

Open a new Notepad session
Click the Start button, click run
in the run box type notepad
click ok
In the notepad, Click "Format" and be certain that Word Wrap is not checked.

Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

ClearJavaCache

In the notepad
Click File, Save as..., and set the Save in to your Desktop
In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean

Next

Please open your MalwareBytes AntiMalware Program
Click the Update Tab and search for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- very important
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Next

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

Note: If you are using Windows Vista/7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://www.eset.com/online-scanner-popup/)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as MyEsetScan. Alternatively, look for report in C:\Program Files\ESET\ESET Online Scanner\log.txt. Include the contents of this report in your next reply.
Push the Back button.
Select Uninstall application on close check box and push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png

On your next reply please post :

MBAM log
ESET Report

Let me know if you have any problems in performing with the steps above or any questions you may have.

Good Day!

jamper

2013-09-06, 23:40

Thanks again for your help.

ComboFix 13-09-04.04 - yui 09/06/2013 11:49:45.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6056.4751 [GMT -7:00]
Running from: c:\users\yui\Desktop\ComboFix.exe
Command switches used :: c:\users\yui\Desktop\CFScript.txt
AV: ZoneAlarm Internet Security Suite Antivirus *Disabled/Updated* {DE038A5B-9EDD-18A9-2361-FF7D98D43730}
FW: ZoneAlarm Internet Security Suite Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ZoneAlarm Internet Security Suite Anti-Spyware *Disabled/Updated* {65626BBF-B8E7-1727-19D1-C40FE3537D8D}
.
.
((((((((((((((((((((((((( Files Created from 2013-08-06 to 2013-09-06 )))))))))))))))))))))))))))))))
.
.
2013-09-06 18:54 . 2013-09-06 18:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-04 19:35 . 2013-09-04 19:35 -------- d-----w- c:\windows\ERUNT
2013-09-04 19:19 . 2013-09-04 19:21 -------- d-----w- C:\AdwCleaner
2013-09-03 10:44 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-09-03 10:44 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-09-03 10:05 . 2013-09-03 10:05 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-09-03 10:03 . 2013-09-03 10:03 1887232 ----a-w- c:\windows\system32\d3d11.dll
2013-09-03 10:03 . 2013-09-03 10:03 1505280 ----a-w- c:\windows\SysWow64\d3d11.dll
2013-09-03 08:59 . 2013-04-10 06:01 265064 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-09-03 08:59 . 2013-04-10 06:01 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-09-03 08:59 . 2011-02-03 11:25 144384 ----a-w- c:\windows\system32\cdd.dll
2013-09-03 08:59 . 2013-07-09 05:46 1472512 ----a-w- c:\windows\system32\crypt32.dll
2013-09-03 08:59 . 2013-07-09 05:52 224256 ----a-w- c:\windows\system32\wintrust.dll
2013-09-03 08:59 . 2013-07-09 05:46 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-09-03 08:59 . 2013-07-09 05:46 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-09-03 08:59 . 2013-07-09 04:52 175104 ----a-w- c:\windows\SysWow64\wintrust.dll
2013-09-03 08:59 . 2013-07-09 04:46 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-09-03 08:59 . 2013-07-09 04:46 1166848 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-09-03 08:59 . 2013-07-09 04:46 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-09-03 08:57 . 2013-07-06 06:03 1910208 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-09-03 08:57 . 2013-04-10 05:46 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2013-09-03 08:57 . 2013-04-10 05:03 936448 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2013-09-03 08:57 . 2013-05-13 05:50 52224 ----a-w- c:\windows\system32\certenc.dll
2013-09-03 08:57 . 2013-05-13 03:43 1192448 ----a-w- c:\windows\system32\certutil.exe
2013-09-03 08:57 . 2013-05-13 03:08 903168 ----a-w- c:\windows\SysWow64\certutil.exe
2013-09-03 08:57 . 2013-05-13 03:08 43008 ----a-w- c:\windows\SysWow64\certenc.dll
2013-09-02 19:03 . 2013-09-02 19:03 -------- d-----w- c:\windows\system32\SPReview
2013-09-02 19:02 . 2013-09-02 19:02 -------- d-----w- c:\windows\system32\EventProviders
2013-09-02 12:49 . 2010-11-20 13:34 215936 ----a-w- c:\windows\system32\drivers\vhdmp.sys
2013-09-02 12:48 . 2010-11-20 13:11 6144 ----a-w- c:\windows\system32\drivers\en-US\IPMIDrv.sys.mui
2013-09-02 12:48 . 2010-11-20 13:10 4608 ----a-w- c:\windows\system32\drivers\en-US\kbdclass.sys.mui
2013-09-02 12:48 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
2013-09-02 12:48 . 2010-11-20 12:21 189952 ----a-w- c:\windows\SysWow64\wdscore.dll
2013-09-02 12:48 . 2010-11-20 12:21 189952 ----a-w- c:\windows\SysWow64\sqmapi.dll
2013-09-02 12:48 . 2010-11-20 12:21 363008 ----a-w- c:\windows\SysWow64\wbemcomn.dll
2013-09-02 12:48 . 2010-11-20 12:21 189952 ----a-w- c:\program files (x86)\Windows Portable Devices\sqmapi.dll
2013-09-02 12:48 . 2010-11-20 12:19 606208 ----a-w- c:\windows\SysWow64\wbem\fastprox.dll
2013-09-02 12:47 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
2013-09-02 12:47 . 2010-11-20 13:27 244736 ----a-w- c:\program files\Windows Portable Devices\sqmapi.dll
2013-09-02 12:47 . 2010-11-20 13:27 244736 ----a-w- c:\windows\system32\sqmapi.dll
2013-09-01 01:00 . 2013-09-01 01:00 -------- d-----w- c:\program files (x86)\ERUNT
2013-09-01 00:57 . 2013-09-01 00:58 -------- d-----w- c:\windows\system32\MRT
2013-09-01 00:09 . 2013-08-04 07:02 178600 ----a-w- c:\windows\system32\drivers\kneps.sys
2013-09-01 00:09 . 2012-11-16 04:06 54104 ----a-w- c:\windows\system32\drivers\kltdi.sys
2013-09-01 00:09 . 2012-11-16 04:06 28504 ----a-w- c:\windows\system32\drivers\klim6.sys
2013-09-01 00:09 . 2013-08-04 07:02 458584 ----a-w- c:\windows\system32\drivers\kl1.sys
2013-09-01 00:09 . 2013-08-04 07:02 89944 ----a-w- c:\windows\system32\drivers\klflt.sys
2013-09-01 00:09 . 2013-08-04 07:02 613720 ----a-w- c:\windows\system32\drivers\klif.sys
2013-09-01 00:08 . 2013-09-01 00:08 -------- d-----w- c:\program files (x86)\CheckPoint
2013-08-31 23:41 . 2013-08-31 23:41 -------- d-----w- c:\windows\SysWow64\Wat
2013-08-31 23:41 . 2013-08-31 23:41 -------- d-----w- c:\windows\system32\Wat
2013-08-31 23:15 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll
2013-08-31 23:15 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll
2013-08-31 23:15 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2013-08-31 23:15 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2013-08-31 23:15 . 2010-09-30 10:41 100864 ----a-w- c:\windows\system32\fontsub.dll
2013-08-31 23:15 . 2010-09-30 06:47 70656 ----a-w- c:\windows\SysWow64\fontsub.dll
2013-08-31 23:12 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-08-31 23:12 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2013-08-31 23:12 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2013-08-31 23:12 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2013-08-31 23:12 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2013-08-31 17:06 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2013-08-31 17:06 . 2011-10-26 04:32 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2013-08-31 17:06 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\SysWow64\quartz.dll
2013-08-31 17:06 . 2011-10-26 05:25 366592 ----a-w- c:\windows\system32\qdvd.dll
2013-08-31 17:06 . 2011-07-09 02:46 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2013-08-31 17:06 . 2011-04-27 02:40 158208 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2013-08-31 17:06 . 2011-04-27 02:39 128000 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2013-08-31 17:06 . 2011-11-17 05:35 314880 ----a-w- c:\windows\SysWow64\webio.dll
2013-08-31 17:06 . 2011-11-17 06:35 395776 ----a-w- c:\windows\system32\webio.dll
2013-08-31 17:06 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-08-31 17:04 . 2012-04-28 03:55 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2013-08-31 17:03 . 2011-05-24 11:42 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
2013-08-31 17:02 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2013-08-31 17:02 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2013-08-31 02:56 . 2013-08-31 02:56 -------- d-----w- c:\program files\Microsoft Silverlight
2013-08-31 02:56 . 2013-08-31 02:56 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2013-08-31 00:45 . 2013-08-31 00:45 -------- d-----w- c:\program files\CCleaner
2013-08-31 00:06 . 2013-09-06 00:06 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-08-31 00:05 . 2009-01-25 20:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-08-31 00:05 . 2013-08-31 00:08 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-08-31 00:02 . 2013-08-31 00:02 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-08-31 00:02 . 2013-08-31 00:02 -------- d-----w- c:\programdata\Malwarebytes
2013-08-31 00:02 . 2013-04-04 21:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-08-30 20:50 . 2013-08-20 07:46 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3FB6940E-A62C-4ED0-9B97-C443D5B25992}\mpengine.dll
2013-08-30 20:50 . 2013-08-07 11:22 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-08-30 20:28 . 2013-09-01 00:09 -------- dc----w- c:\windows\system32\DRVSTORE
2013-08-30 20:23 . 2013-09-01 00:08 -------- d-----w- c:\programdata\CheckPoint
2013-08-30 20:16 . 2013-08-30 20:16 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-30 20:16 . 2013-08-30 20:16 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-08-30 20:16 . 2013-08-30 20:16 -------- d-----w- c:\windows\system32\Macromed
2013-08-30 20:09 . 2013-08-30 20:09 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2013-08-30 20:04 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2013-08-30 20:04 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2013-08-30 20:04 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2013-08-30 20:04 . 2013-08-30 20:04 -------- d-----w- C:\temp
2013-08-30 19:59 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2013-08-30 19:59 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2013-08-30 19:59 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2013-08-30 19:59 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2013-08-30 19:58 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2013-08-30 19:58 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2013-08-30 19:58 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2013-08-30 19:58 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2013-08-30 19:58 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2013-08-30 19:45 . 2013-08-30 19:45 -------- d-----w- c:\users\yui
2013-08-30 19:17 . 2010-12-13 13:12 5047080 ----a-w- c:\windows\system32\ETDUI.cpl
2013-08-30 19:17 . 2010-12-13 13:12 138024 ----a-w- c:\windows\system32\drivers\ETD.sys
2013-08-30 19:17 . 2010-11-05 15:45 438808 ----a-w- c:\windows\system32\drivers\iaStor.sys
2013-08-30 19:17 . 2009-07-20 09:29 15416 ----a-w- c:\windows\system32\drivers\kbfiltr.sys
2013-08-30 19:17 . 2010-08-24 09:55 76912 ----a-w- c:\windows\system32\drivers\L1C62x64.sys
2013-08-30 19:17 . 2010-10-14 16:28 317440 ----a-w- c:\windows\system32\drivers\IntcDAud.sys
2013-08-30 19:17 . 2010-10-14 16:27 14848 ----a-w- c:\windows\system32\IntcDAuC.dll
2013-08-30 19:15 . 2011-02-10 05:48 4368920 ----a-w- c:\windows\system32\GfxUI.exe
2013-08-30 19:10 . 2013-09-03 12:20 45056 ----a-w- c:\windows\system32\acovcnt.exe
2013-08-30 19:08 . 2011-02-10 14:04 2621440 ------r- C:\K73E.BIN
2013-08-30 19:08 . 2011-02-10 13:41 2621440 ------r- C:\K73SV.BIN
2013-08-30 19:08 . 2013-08-30 19:06 -------- d-----w- C:\eSupport
2013-08-30 19:08 . 2013-08-30 20:25 -------- d-----w- c:\programdata\Trend Micro
2013-08-30 19:06 . 2013-08-30 19:06 80512 ----a-w- c:\windows\AsusScr_K Series_ENG Uninstaller.exe
2013-08-30 19:06 . 2011-02-16 07:23 55310091 ------w- c:\windows\system32\AsusScr_K Series_ENG.scr
2013-08-30 19:06 . 2013-08-30 19:06 -------- d-----w- c:\windows\SysWow64\Macromed
2013-08-30 19:06 . 2013-08-30 19:06 3058304 ----a-w- c:\windows\AsScrPro.exe
2013-08-30 19:06 . 2013-09-06 09:29 -------- d-----w- C:\ASUS.DAT
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-02 19:09 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2013-09-02 19:09 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2013-06-13 23:34 . 2013-06-13 23:34 451096 ----a-w- c:\windows\system32\drivers\vsdatant.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2010-08-17 5732992]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2010-10-07 170624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2010-09-23 1601536]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
"ZoneAlarm"="c:\program files (x86)\CheckPoint\ZoneAlarm\zatray.exe" [2013-08-12 73832]
.
c:\users\yui\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FancyStart daemon.lnk - c:\windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_94E3CE3704FE82FBF49A6A.exe -d [2013-8-30 12862]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys;c:\windows\SYSNATIVE\DRIVERS\SiSG664.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S1 ATKWMIACPIIO;ATKWMIACPI Driver;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys;c:\windows\SYSNATIVE\DRIVERS\klim6.sys [x]
S1 kltdi;kltdi;c:\windows\system32\DRIVERS\kltdi.sys;c:\windows\SYSNATIVE\DRIVERS\kltdi.sys [x]
S1 kneps;kneps;c:\windows\system32\DRIVERS\kneps.sys;c:\windows\SYSNATIVE\DRIVERS\kneps.sys [x]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe;c:\windows\SYSNATIVE\FBAgent.exe [x]
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [x]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe;c:\program files (x86)\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [x]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-08-30 20:16]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-10 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-10 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-10 418328]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-01-18 2188904]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2010-08-11 324096]
"ETDCtrl"="c:\program files (x86)\Elantech\ETDCtrl.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = localhost:21320
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
FF - ProfilePath - c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\
FF - ExtSQL: 2013-08-15 21:29; jid1-xUfzOsOFlzSOXg@jetpack; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi
FF - ExtSQL: 2013-08-15 21:30; jid0-hd39BGK3EuIbK47rGW3fZdR163o@jetpack; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\jid0-hd39BGK3EuIbK47rGW3fZdR163o@jetpack.xpi
FF - ExtSQL: 2013-08-15 21:30; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-08-15 21:31; jid1-ZAdIEUB7XOzOJw@jetpack; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi
FF - ExtSQL: 2013-08-15 21:31; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
FF - ExtSQL: 2013-08-15 21:31; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2013-08-15 21:31; support@lastpass.com; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\support@lastpass.com
FF - ExtSQL: 2013-08-15 21:56; jid1-4P0kohSJxU1qGg@jetpack; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\jid1-4P0kohSJxU1qGg@jetpack.xpi
FF - ExtSQL: 2013-08-15 22:03; netflixrandomizer@joshkowarsky.com; c:\users\yui\AppData\Roaming\Mozilla\Firefox\Profiles\k90afalj.default\extensions\netflixrandomizer@joshkowarsky.com.xpi
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-09-06 11:55:50
ComboFix-quarantined-files.txt 2013-09-06 18:55
ComboFix2.txt 2013-09-06 00:15
.
Pre-Run: 121,480,495,104 bytes free
Post-Run: 121,172,533,248 bytes free
.
- - End Of File - - 7D41A42240EAB8434FEECA06A8CD4A58

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.06.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16660
yui :: YUI-PC [administrator]

9/6/2013 1:22:41 PM
mbam-log-2013-09-06 (13-22-41).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217320
Time elapsed: 2 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESET: no threats found, so no report.

Robybel

2013-09-07, 15:42

Hi jamper

Please let me know how your machine is running and if there are any outstanding issues.

jamper

2013-09-07, 20:16

Hello and thanks for everything.
I am still seeing dllHost.exe COM surrogate, it keeps appearing then disappearing in task manager, and every time it does my mouse pointer blinks and gets the activity indicator, it happens about every 20 to 30 seconds.
I also have something showing up in my D partition, I have formatted, and wiped it clean, but something taking up 1GB keeps showing up, but I cant see what it is

Robybel

2013-09-08, 09:36

Hi jamper :)

I can see a screen shot of your dllHost.exe :)

jamper

2013-09-08, 10:28

Thanks again, I took a couple of shots, it's driving me crazy seeing the activity indicator every few seconds, sometimes there will be 2 of the dllhost.exe at the same time.

Robybel

2013-09-08, 18:18

Hi jamper :)

Try this:

ERUNT Registry
Backing Up Your Registry
Go HERE (http://www.larshederer.homepage.t-online.de/erunt/) and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
Make sure that at least the first two check boxes are ticked
Press OK
Press YES to create the folder.
For detailed instruction on how to back-up registry via ERUNT, please visit HERE (http://www.winxptutor.com/regback.htm)
NEXT

Stop, Disable A Service
Go to Start, Run OR Start, Programs, Accessories, Command Prompt and type Services.msc and click OK.
Scroll down and find the service.

dllHost

Click once on the service to highlight it.
Right-Click on the service. Click on Properties
Select the General tab.
Next to Service Status, click Stop.
Click the Arrow-down tab on the right-hand side of the Start-up Type box.
From the drop-down menu, click on Disabled
Click Apply , then OK

jamper

2013-09-08, 22:31

Hi Robybel,
Thanks, for the help, but I am a little confused, the very first thing that I did before posting in the forum was to download ERUNT, and the other thing is on your last reply you said to download erunt but the email I received to alert me to your reply gave me different instructions which included using Tweaking.com and no mention of erunt.
So I am not sure what to do. and wondering why the email says something different then your last post.

jamper

2013-09-09, 00:43

I followed the instructions to disable the service, but the dll does not show up in the Services.msc even tho it is in the task manager

Robybel

2013-09-09, 05:00

Ok go in task manager and right click on dllhost process. Click stop process :-)

jamper

2013-09-09, 06:33

I have tried that, it will not let me, it says the handle is invalid.

jamper

2013-09-11, 04:14

Hi, Thanks for you help, but I am just going to do a clean install.

Robybel

2013-09-11, 21:22

Ok jamper:bigthumb:

Feel free to ask if you have any doubts about proper installation clean

Robybel

2013-09-13, 05:47

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.