Page 2 of 4 FirstFirst 1234 LastLast
Results 11 to 20 of 37

Thread: Infected Computer

  1. #11
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello Triode

    Thank you for the logs.

    Lets continue with the following:


    1. MalwareBytes AntiMalware:


      • I can see that you have MBAM installed.
      • Double click on your MalwareBytes AntiMalware icon to launch the program.
      • Click on the "Update" tab and then on "Check for Updates".
      • The program will now install the latest Malware definition files.
      • Once complete, click on the "Scanner" tab, select "Perform Quick Scan"and then click on "Scan".
      • Once the program has scanned your computer, a log file will be created in Notepad.
      • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.



      • If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
      • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
      • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
      • Come back here to this thread and Paste the log in your next reply.


    2. Temporary File Cleaner


      • Download TFC to your desktop.
      • Close any open windows.
      • Right click the TFC icon and select "Run as Administrator" to run the program.
      • TFC will close all open programs itself in order to run.
      • Click the Start button to begin the process.
      • Allow TFC to run uninterrupted.
      • The program should not take long to finish.
      • Once complete it should automatically reboot your machine.
      • If your machine does not reboot automatically, manually reboot to ensure a complete clean.
      • Note: After running TFC your machine may take slightly longer to boot the first time. This is normal.


    3. Please run the following scan


      • Note: You will need to use Internet Explorer for this scan.
      • Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
      • Please disable your real time security programs before performing the scan.



      • Scan your system with Eset Online Scanner
      • Place a check mark in the box YES, I accept the Terms Of Use.
      • Click the button.
      • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
      • Click on to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the icon on your desktop.



      • Check
      • Click the button.
      • Accept any security warnings from your browser.
      • Check
      • Make sure that the option to "Remove Found Threats" is UN checked.
      • Push the "Start" button.
      • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      • When the scan completes, push
      • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      • Push the button.
      • Push


      Please post the MBAM log and the ESET log for me to review in your next reply and let me know how the machine is running now.
    Proud Graduate of the WTT Classroom

  2. #12
    Junior Member
    Join Date
    Nov 2012
    Posts
    20

    Default

    Do you think my secondary HDD and external HDD are at risk also? And my iPhone that has been connected to this computer? I have noticed my phone acting a little funny sometimes.


    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.12.17.10

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Triode :: TRIODE-PC [administrator]

    12/17/2012 7:04:32 PM
    mbam-log-2012-12-17 (19-04-32).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 207090
    Time elapsed: 2 minute(s), 7 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    ESET Scan:
    C:\ProgramData\Spybot - Search & Destroy\Recovery\OptimumInstaller1.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\OptimumInstaller3.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
    C:\Qoobox\Quarantine\[4]-Submit_2012-12-17_07.34.50.zip multiple threats
    C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\4F3A.tmp.dat.vir Win32/Olmarik.AYD trojan
    C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\A517.tmp.dat.vir a variant of Win32/Kryptik.AQQU trojan
    C:\TDSSKiller_Quarantine\28.11.2012_22.10.04\mbr0000\tdlfs0000\tsk0000.dta a variant of Win32/Olmarik.AYI trojan
    C:\TDSSKiller_Quarantine\28.11.2012_22.10.04\mbr0000\tdlfs0000\tsk0001.dta a variant of Win64/Olmarik.AM trojan
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\OptimumInstaller1.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\OptimumInstaller3.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm


    Looks like all the remaining virus files are in various programs' quarantine folders?

  3. #13
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello Triode

    Looks like all the remaining virus files are in various programs' quarantine folders?
    Yes, everything that has been detected is being held in quarantine.

    Please post a new set of DDS scan logs and let me know how the machine is running now.
    Proud Graduate of the WTT Classroom

  4. #14
    Junior Member
    Join Date
    Nov 2012
    Posts
    20

    Default

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16457
    Run by Triode at 21:42:53 on 2012-12-18
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6141.4552 [GMT -7:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\system32\atieclxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files (x86)\Razer\DeathAdder\razertra.exe
    C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe
    C:\Program Files (x86)\Razer\DeathAdder\vdDaemon.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\sppsvc.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: {9194649F-7143-4308-90C1-D6A35B0E354E} - <orphaned>
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
    TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    mRun: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{29206791-C83A-43F8-91B4-E93E2DA740D6} : DHCPNameServer = 69.145.248.4 69.146.17.2 69.144.49.29
    TCP: Interfaces\{83DE6050-B21D-42E2-99B8-E9B053DD378C} : DHCPNameServer = 192.168.1.1
    SSODL: WebCheck - <orphaned>
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
    x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
    x64-Run: [CmPCIaudio] C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\CMICNFG3.cpl,CMICtrlWnd
    .
    INFO: x64-HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    x64-DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    x64-SSODL: WebCheck - <orphaned>
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Triode\AppData\Roaming\Mozilla\Firefox\Profiles\xy2e13bl.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10171.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll
    FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-7-23 984144]
    R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2011-7-23 370288]
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2011-11-29 279616]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-7-27 239616]
    R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2011-7-23 25232]
    R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2011-7-23 71600]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-11-26 44808]
    R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-5-13 96896]
    R3 danewFltr;NewDeathAdder Mouse;C:\Windows\System32\drivers\danew.sys [2011-7-23 12032]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-7-23 239616]
    R3 VKbms;Virtual HID Minidriver;C:\Windows\System32\drivers\VKbms.sys [2011-7-23 13312]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-7-23 1255736]
    .
    =============== Created Last 30 ================
    .
    2012-12-18 14:25:22 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7582CA7D-34DC-42DA-9974-44857EA143C0}\mpengine.dll
    2012-12-18 02:27:02 -------- d-----w- C:\Program Files (x86)\ESET
    2012-12-18 01:26:13 -------- d-----w- C:\Windows\ERUNT
    2012-12-18 01:26:02 -------- d-----w- C:\JRT
    2012-12-17 14:42:06 -------- d--h--w- C:\$RECYCLE.BIN
    2012-12-16 21:09:16 98816 ----a-w- C:\Windows\sed.exe
    2012-12-16 21:09:16 256000 ----a-w- C:\Windows\PEV.exe
    2012-12-16 21:09:16 208896 ----a-w- C:\Windows\MBR.exe
    2012-12-16 18:12:59 108008 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
    2012-12-16 17:57:16 476904 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    2012-12-16 17:56:45 -------- d-----w- C:\Windows\System32\appmgmt
    2012-12-12 14:26:53 46080 ----a-w- C:\Windows\System32\atmlib.dll
    2012-12-12 14:26:53 367616 ----a-w- C:\Windows\System32\atmfd.dll
    2012-12-12 14:26:53 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
    2012-12-12 14:26:53 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
    2012-12-12 14:26:52 478208 ----a-w- C:\Windows\System32\dpnet.dll
    2012-12-12 14:26:52 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll
    2012-12-12 14:26:52 3149824 ----a-w- C:\Windows\System32\win32k.sys
    2012-11-29 05:12:30 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-11-27 03:33:08 -------- d-----w- C:\Users\Triode\AppData\Roaming\Malwarebytes
    2012-11-27 03:32:54 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-11-27 03:32:53 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-11-27 03:32:53 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    .
    ==================== Find3M ====================
    .
    2012-12-16 18:12:42 916456 ----a-w- C:\Windows\System32\deployJava1.dll
    2012-12-16 18:12:42 1034216 ----a-w- C:\Windows\System32\npDeployJava1.dll
    2012-12-12 05:20:28 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-12-12 05:20:28 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
    2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll
    2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
    2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll
    2012-11-09 04:42:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2012-10-30 23:51:55 984144 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2012-10-30 23:51:55 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2012-10-30 23:51:07 41224 ----a-w- C:\Windows\avastSS.scr
    2012-10-25 10:12:26 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
    2012-10-25 10:12:26 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
    2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
    2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
    2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll
    2012-10-15 16:59:28 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
    2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
    2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
    2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
    2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
    2012-10-04 17:46:16 362496 ----a-w- C:\Windows\System32\wow64win.dll
    2012-10-04 17:46:15 243200 ----a-w- C:\Windows\System32\wow64.dll
    2012-10-04 17:46:15 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
    2012-10-04 17:45:55 215040 ----a-w- C:\Windows\System32\winsrv.dll
    2012-10-04 17:43:28 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
    2012-10-04 17:41:16 424960 ----a-w- C:\Windows\System32\KernelBase.dll
    2012-10-04 16:47:41 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2012-10-04 16:47:41 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
    2012-10-04 15:21:55 338432 ----a-w- C:\Windows\System32\conhost.exe
    2012-10-04 14:46:46 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2012-10-04 14:46:46 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2012-10-04 14:46:44 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2012-10-04 14:46:43 2048 ----a-w- C:\Windows\SysWow64\user.exe
    2012-10-04 14:41:50 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2012-10-04 14:41:50 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2012-10-04 14:41:50 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2012-10-04 14:41:50 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll
    2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll
    2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll
    2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll
    2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll
    2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll
    2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll
    2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll
    2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
    2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
    2012-09-25 22:47:43 78336 ----a-w- C:\Windows\SysWow64\synceng.dll
    2012-09-25 22:46:17 95744 ----a-w- C:\Windows\System32\synceng.dll
    .
    ============= FINISH: 21:43:10.55 ===============



    aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
    Run date: 2012-12-18 21:47:41
    -----------------------------
    21:47:41.538 OS Version: Windows x64 6.1.7601 Service Pack 1
    21:47:41.538 Number of processors: 8 586 0x1A04
    21:47:41.538 ComputerName: TRIODE-PC UserName: Triode
    21:47:43.200 Initialize success
    21:47:43.398 AVAST engine defs: 12121801
    21:47:51.278 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
    21:47:51.279 Disk 0 Vendor: ST3500630AS 3.AAK Size: 476938MB BusType: 3
    21:47:51.283 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T1L0-b
    21:47:51.285 Disk 1 Vendor: ST3500630AS 3.AHG Size: 476940MB BusType: 3
    21:47:51.300 Disk 0 MBR read successfully
    21:47:51.304 Disk 0 MBR scan
    21:47:51.308 Disk 0 Windows 7 default MBR code
    21:47:51.313 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    21:47:51.328 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476836 MB offset 206848
    21:47:51.339 Disk 0 scanning C:\Windows\system32\drivers
    21:47:55.869 Service scanning
    21:48:05.668 Modules scanning
    21:48:05.677 Disk 0 trace - called modules:
    21:48:06.012 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
    21:48:06.017 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006843790]
    21:48:06.022 3 CLASSPNP.SYS[fffff8800195f43f] -> nt!IofCallDriver -> [0xfffffa80065f0810]
    21:48:06.028 5 ACPI.sys[fffff88000f687a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa8006619060]
    21:48:07.324 AVAST engine scan C:\Windows
    21:48:08.130 File: C:\Windows\PEV.exe **INFECTED** Win32:Rootkit-gen [Rtk]
    21:48:09.939 AVAST engine scan C:\Windows\system32
    21:49:40.280 AVAST engine scan C:\Windows\system32\drivers
    21:49:47.103 AVAST engine scan C:\Users\Triode
    21:50:49.678 AVAST engine scan C:\ProgramData
    21:51:51.949 Scan finished successfully
    21:52:00.076 Disk 0 MBR has been saved successfully to "C:\Users\Triode\Desktop\MBR.dat"
    21:52:00.078 The log file has been saved successfully to "C:\Users\Triode\Desktop\aswMBR.txt"


    Bleh, more infected stuff.

  5. #15
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello Triode

    Bleh, more infected stuff
    I think the aswMBR detection may possibly be a false positive.

    We'll deal with that in a moment. Right now we have some leftovers to take care of:

    1. Please work through the following steps


      • Hold down the Windows key (has the Windows symbol on it) and press the "R" key. A Run box will open. Type in Notepad and press Enter then click on "OK").
      • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
      • Copy and Paste the text in the quotebox below into the open Notepad window:

        DDS::
        BHO: {9194649F-7143-4308-90C1-D6A35B0E354E} - <orphaned>
        BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
        SSODL: WebCheck - <orphaned>
        x64-SSODL: WebCheck - <orphaned>
      • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
      • Close any open browsers.
      • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Refering to the picture below, drag CFScript.txt into ComboFix.exe




      • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
      • Once the log is produced, re-engage your resident anti virus.


      Please post the Combofix log and a new DDS log in your next reply.

      How is the machine running at the moment?
    Proud Graduate of the WTT Classroom

  6. #16
    Junior Member
    Join Date
    Nov 2012
    Posts
    20

    Default

    My computer seems to be running fine. It hasn't really had any issues with performance since I got rid of the Pihar. Have these scans covered whether my other hard drives are clean? And would my phone be at risk if it was connected to my computer?


    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16457
    Run by Triode at 17:49:15 on 2012-12-19
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6141.4187 [GMT -7:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\system32\atieclxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\Razer\DeathAdder\razertra.exe
    C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe
    C:\Program Files (x86)\Razer\DeathAdder\vdDaemon.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\SysWOW64\ctfmon.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: {9194649F-7143-4308-90C1-D6A35B0E354E} - <orphaned>
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
    TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    mRun: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{29206791-C83A-43F8-91B4-E93E2DA740D6} : DHCPNameServer = 69.145.248.4 69.146.17.2 69.144.49.29
    TCP: Interfaces\{83DE6050-B21D-42E2-99B8-E9B053DD378C} : DHCPNameServer = 192.168.1.1
    SSODL: WebCheck - <orphaned>
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
    x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
    x64-Run: [CmPCIaudio] C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\CMICNFG3.cpl,CMICtrlWnd
    .
    INFO: x64-HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    x64-DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    x64-SSODL: WebCheck - <orphaned>
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Triode\AppData\Roaming\Mozilla\Firefox\Profiles\xy2e13bl.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10171.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll
    FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-7-23 984144]
    R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2011-7-23 370288]
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2011-11-29 279616]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-7-27 239616]
    R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2011-7-23 25232]
    R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2011-7-23 71600]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-11-26 44808]
    R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-5-13 96896]
    R3 danewFltr;NewDeathAdder Mouse;C:\Windows\System32\drivers\danew.sys [2011-7-23 12032]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-7-23 239616]
    R3 VKbms;Virtual HID Minidriver;C:\Windows\System32\drivers\VKbms.sys [2011-7-23 13312]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-7-23 1255736]
    .
    =============== Created Last 30 ================
    .
    2012-12-18 14:25:22 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7582CA7D-34DC-42DA-9974-44857EA143C0}\mpengine.dll
    2012-12-18 02:27:02 -------- d-----w- C:\Program Files (x86)\ESET
    2012-12-18 01:26:13 -------- d-----w- C:\Windows\ERUNT
    2012-12-18 01:26:02 -------- d-----w- C:\JRT
    2012-12-16 21:09:16 98816 ----a-w- C:\Windows\sed.exe
    2012-12-16 21:09:16 256000 ----a-w- C:\Windows\PEV.exe
    2012-12-16 21:09:16 208896 ----a-w- C:\Windows\MBR.exe
    2012-12-16 18:12:59 108008 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
    2012-12-16 17:57:16 476904 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    2012-12-16 17:56:45 -------- d-----w- C:\Windows\System32\appmgmt
    2012-12-12 14:26:53 46080 ----a-w- C:\Windows\System32\atmlib.dll
    2012-12-12 14:26:53 367616 ----a-w- C:\Windows\System32\atmfd.dll
    2012-12-12 14:26:53 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
    2012-12-12 14:26:53 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
    2012-12-12 14:26:52 478208 ----a-w- C:\Windows\System32\dpnet.dll
    2012-12-12 14:26:52 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll
    2012-12-12 14:26:52 3149824 ----a-w- C:\Windows\System32\win32k.sys
    2012-11-29 05:12:30 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-11-27 03:33:08 -------- d-----w- C:\Users\Triode\AppData\Roaming\Malwarebytes
    2012-11-27 03:32:54 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-11-27 03:32:53 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-11-27 03:32:53 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    .
    ==================== Find3M ====================
    .
    2012-12-16 18:12:42 916456 ----a-w- C:\Windows\System32\deployJava1.dll
    2012-12-16 18:12:42 1034216 ----a-w- C:\Windows\System32\npDeployJava1.dll
    2012-12-12 05:20:28 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-12-12 05:20:28 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
    2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll
    2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
    2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll
    2012-11-09 04:42:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2012-10-30 23:51:55 984144 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2012-10-30 23:51:55 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2012-10-30 23:51:07 41224 ----a-w- C:\Windows\avastSS.scr
    2012-10-25 10:12:26 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
    2012-10-25 10:12:26 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
    2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
    2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
    2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll
    2012-10-15 16:59:28 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
    2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
    2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
    2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
    2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
    2012-10-04 17:46:16 362496 ----a-w- C:\Windows\System32\wow64win.dll
    2012-10-04 17:46:15 243200 ----a-w- C:\Windows\System32\wow64.dll
    2012-10-04 17:46:15 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
    2012-10-04 17:45:55 215040 ----a-w- C:\Windows\System32\winsrv.dll
    2012-10-04 17:43:28 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
    2012-10-04 17:41:16 424960 ----a-w- C:\Windows\System32\KernelBase.dll
    2012-10-04 16:47:41 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2012-10-04 16:47:41 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
    2012-10-04 15:21:55 338432 ----a-w- C:\Windows\System32\conhost.exe
    2012-10-04 14:46:46 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2012-10-04 14:46:46 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2012-10-04 14:46:44 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2012-10-04 14:46:43 2048 ----a-w- C:\Windows\SysWow64\user.exe
    2012-10-04 14:41:50 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2012-10-04 14:41:50 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2012-10-04 14:41:50 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2012-10-04 14:41:50 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll
    2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll
    2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll
    2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll
    2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll
    2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll
    2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll
    2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll
    2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
    2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
    2012-09-25 22:47:43 78336 ----a-w- C:\Windows\SysWow64\synceng.dll
    2012-09-25 22:46:17 95744 ----a-w- C:\Windows\System32\synceng.dll
    .
    ============= FINISH: 17:49:25.00 ===============




    ComboFix 12-12-19.02 - Triode 12/19/2012 17:38:29.3.8 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6141.4700 [GMT -7:00]
    Running from: c:\users\Triode\Desktop\ComboFix.exe
    Command switches used :: c:\users\Triode\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-20 to 2012-12-20 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-20 00:44 . 2012-12-20 00:44 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-12-18 14:25 . 2012-11-08 17:24 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7582CA7D-34DC-42DA-9974-44857EA143C0}\mpengine.dll
    2012-12-18 02:27 . 2012-12-18 02:27 -------- d-----w- c:\program files (x86)\ESET
    2012-12-18 01:26 . 2012-12-18 01:26 -------- d-----w- c:\windows\ERUNT
    2012-12-18 01:26 . 2012-12-18 01:26 -------- d-----w- C:\JRT
    2012-12-16 18:13 . 2012-12-16 18:12 289768 ----a-w- c:\windows\system32\javaws.exe
    2012-12-16 18:12 . 2012-12-16 18:12 108008 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
    2012-12-16 18:12 . 2012-12-16 18:12 189416 ----a-w- c:\windows\system32\javaw.exe
    2012-12-16 18:12 . 2012-12-16 18:12 188904 ----a-w- c:\windows\system32\java.exe
    2012-12-16 18:12 . 2012-12-16 18:12 -------- d-----w- c:\program files\Java
    2012-12-16 17:56 . 2012-12-16 17:56 -------- d-----w- c:\windows\system32\appmgmt
    2012-12-12 14:26 . 2012-11-05 21:35 46080 ----a-w- c:\windows\system32\atmlib.dll
    2012-12-12 14:26 . 2012-11-05 20:41 367616 ----a-w- c:\windows\system32\atmfd.dll
    2012-12-12 14:26 . 2012-11-05 20:32 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
    2012-12-12 14:26 . 2012-11-05 20:32 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
    2012-12-12 14:26 . 2012-11-22 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys
    2012-12-12 14:26 . 2012-11-02 05:59 478208 ----a-w- c:\windows\system32\dpnet.dll
    2012-12-12 14:26 . 2012-11-02 05:11 376832 ----a-w- c:\windows\SysWow64\dpnet.dll
    2012-11-29 05:12 . 2012-11-29 05:12 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-11-27 04:12 . 2012-11-27 04:12 -------- d-----w- c:\program files (x86)\ERUNT
    2012-11-27 03:33 . 2012-11-27 03:33 -------- d-----w- c:\users\Triode\AppData\Roaming\Malwarebytes
    2012-11-27 03:32 . 2012-11-27 03:32 -------- d-----w- c:\programdata\Malwarebytes
    2012-11-27 03:32 . 2012-11-27 03:32 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-11-27 03:32 . 2012-09-30 02:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-12-16 18:12 . 2012-08-15 19:42 916456 ----a-w- c:\windows\system32\deployJava1.dll
    2012-12-16 18:12 . 2012-08-15 19:42 1034216 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-12-12 14:29 . 2011-07-23 21:59 67413224 ----a-w- c:\windows\system32\MRT.exe
    2012-12-12 05:20 . 2012-07-23 03:10 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-12-12 05:20 . 2012-07-23 03:10 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-10-30 23:51 . 2011-07-23 22:17 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-10-30 23:51 . 2011-07-23 22:18 370288 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-10-30 23:51 . 2011-07-23 22:17 984144 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-10-30 23:51 . 2011-07-23 22:17 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-10-30 23:51 . 2011-07-23 22:18 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-10-30 23:51 . 2011-07-23 22:17 41224 ----a-w- c:\windows\avastSS.scr
    2012-10-30 23:50 . 2011-07-23 22:17 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-10-30 23:50 . 2011-07-23 22:17 285328 ----a-w- c:\windows\system32\aswBoot.exe
    2012-10-25 10:12 . 2012-10-25 10:12 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2012-10-25 10:12 . 2012-10-25 10:12 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2012-10-16 08:38 . 2012-11-28 14:11 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
    2012-10-16 08:38 . 2012-11-28 14:11 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
    2012-10-16 07:39 . 2012-11-28 14:11 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
    2012-10-15 16:59 . 2012-08-15 22:04 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-10-09 18:17 . 2012-11-14 14:16 55296 ----a-w- c:\windows\system32\dhcpcsvc6.dll
    2012-10-09 18:17 . 2012-11-14 14:16 226816 ----a-w- c:\windows\system32\dhcpcore6.dll
    2012-10-09 17:40 . 2012-11-14 14:16 44032 ----a-w- c:\windows\SysWow64\dhcpcsvc6.dll
    2012-10-09 17:40 . 2012-11-14 14:16 193536 ----a-w- c:\windows\SysWow64\dhcpcore6.dll
    2012-10-04 16:40 . 2012-12-12 14:27 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2012-10-03 17:56 . 2012-11-14 14:16 1914248 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-10-03 17:44 . 2012-11-14 14:16 303104 ----a-w- c:\windows\system32\nlasvc.dll
    2012-10-03 17:44 . 2012-11-14 14:16 70656 ----a-w- c:\windows\system32\nlaapi.dll
    2012-10-03 17:44 . 2012-11-14 14:16 246272 ----a-w- c:\windows\system32\netcorehc.dll
    2012-10-03 17:44 . 2012-11-14 14:16 18944 ----a-w- c:\windows\system32\netevent.dll
    2012-10-03 17:44 . 2012-11-14 14:16 216576 ----a-w- c:\windows\system32\ncsi.dll
    2012-10-03 17:42 . 2012-11-14 14:16 569344 ----a-w- c:\windows\system32\iphlpsvc.dll
    2012-10-03 16:42 . 2012-11-14 14:16 175104 ----a-w- c:\windows\SysWow64\netcorehc.dll
    2012-10-03 16:42 . 2012-11-14 14:16 18944 ----a-w- c:\windows\SysWow64\netevent.dll
    2012-10-03 16:42 . 2012-11-14 14:16 156672 ----a-w- c:\windows\SysWow64\ncsi.dll
    2012-10-03 16:07 . 2012-11-14 14:16 45568 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2012-09-25 22:47 . 2012-11-14 14:16 78336 ----a-w- c:\windows\SysWow64\synceng.dll
    2012-09-25 22:46 . 2012-11-14 14:16 95744 ----a-w- c:\windows\system32\synceng.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "DeathAdder"="c:\program files (x86)\Razer\DeathAdder\razerhid.exe" [2011-02-19 248320]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-08-06 642216]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-07-23 1255736]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-11-30 279616]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-07-28 239616]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 71600]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-05-14 96896]
    S3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [2010-03-23 12032]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
    S3 VKbms;Virtual HID Minidriver;c:\windows\system32\DRIVERS\VKbms.sys [2010-10-01 13312]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-08-16 20:43 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-12-19 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-23 05:20]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-10-30 23:50 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-09-22 8116256]
    "CmPCIaudio"="c:\windows\Syswow64\CMICNFG3.cpl" [2008-04-17 6914048]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Triode\AppData\Roaming\Mozilla\Firefox\Profiles\xy2e13bl.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{9194649F-7143-4308-90C1-D6A35B0E354E} - (no file)
    AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_bc2.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
    @Allowed: (B 1 4 5 6) (S-1-5-5-0-162404)
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
    @Allowed: (B 1 4 5 6) (S-1-5-5-0-162404)
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-12-19 17:46:24
    ComboFix-quarantined-files.txt 2012-12-20 00:46
    ComboFix2.txt 2012-12-17 14:46
    ComboFix3.txt 2012-12-16 21:20
    .
    Pre-Run: 286,343,405,568 bytes free
    Post-Run: 286,271,205,376 bytes free
    .
    - - End Of File - - BEAF51F5463B4DF40A4BD7AB0FAE8CA9

  7. #17
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello Triode

    My computer seems to be running fine. It hasn't really had any issues with performance since I got rid of the Pihar
    Thats good

    Have these scans covered whether my other hard drives are clean? And would my phone be at risk if it was connected to my computer?
    If you did not have your other hard drives and your phone plugged in when the scans were run then no. Once we are sure that your machine is malware free you can connect the drives and scan them with MBAM.

    Those leftovers are being a little persistant. They are only orphaned entries and so can cause no harm to your machine, but we would be keeping things tidier if we could remove them.

    Lets try this:

    1. Please work your way through the following steps


      • Open Notepad (Click on "Start" and then on "Run" and type notepad
      • Copy the text provided in the code box below and paste it into Notepad (make sure you include Windows Registry Editor Version 5.00.

        Code:
        Windows Registry Editor Version 5.00
        
        [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{9194649F-7143-4308-90C1-D6A35B0E354E}]
        
        [-HKEY_CLASSES_ROOT\CLSID\{9194649F-7143-4308-90C1-D6A35B0E354E}]
      • Save the text in Notepad as fix.reg, change the "Save as Type" to "All Files" and select your desktop as the save location.
      • An icon will appear on your desktop called "fix.reg".
      • Double click on the "fix.reg" icon.
      • You will be asked if you wish to merge the contents of the file to the registry. Click "Yes" or "OK".
      • You should then receive a message informing you that the merge was successful.
      • Next, please reboot your machine.
      • Once you have rebooted, you may delete the fix.reg file.


      Once you have ran the fix.reg file please re scan with DDS and post the log created (I only need to see the dds.txt file).
    Proud Graduate of the WTT Classroom

  8. #18
    Junior Member
    Join Date
    Nov 2012
    Posts
    20

    Default

    My two other hard drives have been connected the whole time, but not my phone. I connected it for this DDS scan, if that makes any difference.


    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16457
    Run by Triode at 17:44:40 on 2012-12-20
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6141.4577 [GMT -7:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\system32\atieclxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\Razer\DeathAdder\razertra.exe
    C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe
    C:\Program Files (x86)\Razer\DeathAdder\vdDaemon.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\System32\WUDFHost.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: {9194649F-7143-4308-90C1-D6A35B0E354E} - <orphaned>
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
    TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    mRun: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{29206791-C83A-43F8-91B4-E93E2DA740D6} : DHCPNameServer = 69.145.248.4 69.146.17.2 69.144.49.29
    TCP: Interfaces\{83DE6050-B21D-42E2-99B8-E9B053DD378C} : DHCPNameServer = 192.168.1.1
    SSODL: WebCheck - <orphaned>
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
    x64-BHO: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    x64-TB: avast! WebRep: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
    x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
    x64-Run: [CmPCIaudio] C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\CMICNFG3.cpl,CMICtrlWnd
    .
    INFO: x64-HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    x64-DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    x64-SSODL: WebCheck - <orphaned>
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Triode\AppData\Roaming\Mozilla\Firefox\Profiles\xy2e13bl.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10171.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll
    FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-7-23 984144]
    R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2011-7-23 370288]
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2011-11-29 279616]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-7-27 239616]
    R2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2011-7-23 25232]
    R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2011-7-23 71600]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-11-26 44808]
    R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-5-13 96896]
    R3 danewFltr;NewDeathAdder Mouse;C:\Windows\System32\drivers\danew.sys [2011-7-23 12032]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-7-23 239616]
    R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
    R3 VKbms;Virtual HID Minidriver;C:\Windows\System32\drivers\VKbms.sys [2011-7-23 13312]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-7-23 1255736]
    .
    =============== Created Last 30 ================
    .
    2012-12-20 00:50:54 -------- d-sh--w- C:\$RECYCLE.BIN
    2012-12-18 14:25:22 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7582CA7D-34DC-42DA-9974-44857EA143C0}\mpengine.dll
    2012-12-18 02:27:02 -------- d-----w- C:\Program Files (x86)\ESET
    2012-12-18 01:26:13 -------- d-----w- C:\Windows\ERUNT
    2012-12-18 01:26:02 -------- d-----w- C:\JRT
    2012-12-16 21:09:16 98816 ----a-w- C:\Windows\sed.exe
    2012-12-16 21:09:16 256000 ----a-w- C:\Windows\PEV.exe
    2012-12-16 21:09:16 208896 ----a-w- C:\Windows\MBR.exe
    2012-12-16 18:12:59 108008 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
    2012-12-16 17:57:16 476904 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    2012-12-16 17:56:45 -------- d-----w- C:\Windows\System32\appmgmt
    2012-12-12 14:26:53 46080 ----a-w- C:\Windows\System32\atmlib.dll
    2012-12-12 14:26:53 367616 ----a-w- C:\Windows\System32\atmfd.dll
    2012-12-12 14:26:53 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
    2012-12-12 14:26:53 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
    2012-12-12 14:26:52 478208 ----a-w- C:\Windows\System32\dpnet.dll
    2012-12-12 14:26:52 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll
    2012-12-12 14:26:52 3149824 ----a-w- C:\Windows\System32\win32k.sys
    2012-11-29 05:12:30 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-11-27 03:33:08 -------- d-----w- C:\Users\Triode\AppData\Roaming\Malwarebytes
    2012-11-27 03:32:54 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-11-27 03:32:53 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-11-27 03:32:53 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    .
    ==================== Find3M ====================
    .
    2012-12-16 18:12:42 916456 ----a-w- C:\Windows\System32\deployJava1.dll
    2012-12-16 18:12:42 1034216 ----a-w- C:\Windows\System32\npDeployJava1.dll
    2012-12-12 05:20:28 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-12-12 05:20:28 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
    2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
    2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
    2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll
    2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
    2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
    2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll
    2012-11-09 04:42:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2012-10-30 23:51:55 984144 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2012-10-30 23:51:55 71600 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2012-10-30 23:51:07 41224 ----a-w- C:\Windows\avastSS.scr
    2012-10-25 10:12:26 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
    2012-10-25 10:12:26 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
    2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
    2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
    2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll
    2012-10-15 16:59:28 54072 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
    2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll
    2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll
    2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll
    2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll
    2012-10-04 17:46:16 362496 ----a-w- C:\Windows\System32\wow64win.dll
    2012-10-04 17:46:15 243200 ----a-w- C:\Windows\System32\wow64.dll
    2012-10-04 17:46:15 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
    2012-10-04 17:45:55 215040 ----a-w- C:\Windows\System32\winsrv.dll
    2012-10-04 17:43:28 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
    2012-10-04 17:41:16 424960 ----a-w- C:\Windows\System32\KernelBase.dll
    2012-10-04 16:47:41 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2012-10-04 16:47:41 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
    2012-10-04 15:21:55 338432 ----a-w- C:\Windows\System32\conhost.exe
    2012-10-04 14:46:46 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2012-10-04 14:46:46 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2012-10-04 14:46:44 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2012-10-04 14:46:43 2048 ----a-w- C:\Windows\SysWow64\user.exe
    2012-10-04 14:41:50 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2012-10-04 14:41:50 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2012-10-04 14:41:50 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2012-10-04 14:41:50 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll
    2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll
    2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll
    2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll
    2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll
    2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll
    2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll
    2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll
    2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
    2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys
    2012-09-25 22:47:43 78336 ----a-w- C:\Windows\SysWow64\synceng.dll
    2012-09-25 22:46:17 95744 ----a-w- C:\Windows\System32\synceng.dll
    .
    ============= FINISH: 17:44:49.18 ===============

  9. #19
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello Triode

    That malicious orphan is starting to annoy me.

    Lets try this:


    1. Download and run OTL by Oldtimer


      • Please download OTL by Oldtimer by clicking here and save the file (called OTL.exe) to your desktop.
      • Close all open windows on your computer then Right click on the OTL.exe icon and select "Run as Administrator" to run the program.
      • Check the boxes beside "LOP Check" and "Purity Check".
      • Under Custom Scan paste this in:




      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
      %systemroot%\system32\drivers\*.sys /90
      CREATERESTOREPOINT



      • Click the "Run Scan" button. Do not change any settings unless specifically told to do so. The scan will not take long.


      • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
      • Note: These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
      • Please Copy and Paste the contents of both files in your next reply. You may need two posts to fit them both in.
    Proud Graduate of the WTT Classroom

  10. #20
    Junior Member
    Join Date
    Nov 2012
    Posts
    20

    Default

    OTL logfile created on: 12/22/2012 11:45:31 AM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Triode\Desktop
    64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    6.00 Gb Total Physical Memory | 4.37 Gb Available Physical Memory | 72.85% Memory free
    11.99 Gb Paging File | 10.18 Gb Available in Paging File | 84.90% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 465.66 Gb Total Space | 264.46 Gb Free Space | 56.79% Space Free | Partition Type: NTFS
    Drive D: | 465.76 Gb Total Space | 266.10 Gb Free Space | 57.13% Space Free | Partition Type: NTFS
    Drive F: | 1397.26 Gb Total Space | 1182.08 Gb Free Space | 84.60% Space Free | Partition Type: NTFS

    Computer Name: TRIODE-PC | User Name: Triode | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/12/22 11:44:08 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Triode\Desktop\OTL.exe
    PRC - [2012/12/11 22:20:28 | 001,807,800 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe
    PRC - [2012/12/06 17:43:33 | 000,916,960 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    PRC - [2012/10/30 16:50:59 | 004,297,136 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
    PRC - [2012/10/30 16:50:59 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    PRC - [2012/07/27 13:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    PRC - [2011/07/24 00:22:40 | 000,075,064 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
    PRC - [2011/02/19 11:04:12 | 000,248,320 | ---- | M] () -- C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    PRC - [2011/02/16 18:23:40 | 001,759,232 | ---- | M] (TODO: <Company name>) -- C:\Program Files (x86)\Razer\DeathAdder\vdDaemon.exe
    PRC - [2010/04/27 13:41:26 | 000,218,112 | ---- | M] () -- C:\Program Files (x86)\Razer\DeathAdder\razertra.exe
    PRC - [2007/12/19 10:58:24 | 000,163,840 | ---- | M] (Razer Inc.) -- C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/12/11 22:20:27 | 014,586,296 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll
    MOD - [2012/12/06 17:43:33 | 002,397,152 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
    MOD - [2011/02/19 11:04:12 | 000,248,320 | ---- | M] () -- C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
    MOD - [2010/04/27 13:41:26 | 000,218,112 | ---- | M] () -- C:\Program Files (x86)\Razer\DeathAdder\razertra.exe


    ========== Services (SafeList) ==========

    SRV:64bit: - [2012/10/30 16:50:59 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV:64bit: - [2012/07/27 19:09:44 | 000,239,616 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
    SRV:64bit: - [2009/07/13 18:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2009/07/13 18:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
    SRV - [2012/12/20 07:27:35 | 000,541,760 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2012/12/11 22:20:28 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/12/06 17:43:33 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/07/27 13:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2011/07/24 00:22:40 | 000,075,064 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
    SRV - [2010/05/18 15:13:58 | 000,935,208 | ---- | M] (Nero AG) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
    SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/06/10 14:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2012/10/30 16:51:56 | 000,059,728 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
    DRV:64bit: - [2012/10/30 16:51:55 | 000,984,144 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
    DRV:64bit: - [2012/10/30 16:51:55 | 000,370,288 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
    DRV:64bit: - [2012/10/30 16:51:55 | 000,071,600 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
    DRV:64bit: - [2012/10/30 16:51:53 | 000,025,232 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV:64bit: - [2012/10/15 09:59:28 | 000,054,072 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr)
    DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
    DRV:64bit: - [2012/07/27 21:07:44 | 010,278,912 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
    DRV:64bit: - [2012/07/27 18:14:46 | 000,368,640 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
    DRV:64bit: - [2012/07/09 13:42:54 | 000,052,736 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
    DRV:64bit: - [2012/05/13 23:12:30 | 000,096,896 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
    DRV:64bit: - [2012/02/29 23:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2011/11/29 22:42:59 | 000,279,616 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
    DRV:64bit: - [2011/03/10 23:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2011/03/10 23:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2010/11/20 20:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/11/20 20:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
    DRV:64bit: - [2010/11/20 20:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010/11/20 20:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
    DRV:64bit: - [2010/09/30 23:16:34 | 000,013,312 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VKbms.sys -- (VKbms)
    DRV:64bit: - [2010/03/23 15:37:34 | 000,012,032 | ---- | M] (Razer (Asia-Pacific) Pte Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\danew.sys -- (danewFltr)
    DRV:64bit: - [2009/08/20 09:05:06 | 000,239,616 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
    DRV:64bit: - [2009/08/13 21:10:18 | 000,073,984 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)
    DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/07/13 17:01:09 | 000,679,936 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xnacc.sys -- (xnacc)
    DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2008/03/03 17:25:44 | 000,846,848 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\cmudax3.sys -- (cmuda3)
    DRV - [2009/07/13 18:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 42 04 EE CF C6 DC CD 01 [binary data]
    IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
    FF - prefs.js..extensions.enabledAddons: tineye%40ideeinc.com:1.1
    FF - prefs.js..extensions.enabledAddons: %7BD4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389%7D:0.9.10
    FF - prefs.js..extensions.enabledAddons: wrc%40avast.com:7.0.1474
    FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1
    FF - user.js - File not found

    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_135.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
    FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.4: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10171.dll (Amazon.com, Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/11/26 07:39:49 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/12/06 17:43:33 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/12/16 10:57:16 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/12/06 17:43:33 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/12/16 10:57:16 | 000,000,000 | ---D | M]

    [2011/07/23 15:30:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Triode\AppData\Roaming\Mozilla\Extensions
    [2012/10/22 17:03:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Triode\AppData\Roaming\Mozilla\Firefox\Profiles\xy2e13bl.default\extensions
    [2011/07/23 15:33:02 | 000,008,001 | ---- | M] () (No name found) -- C:\Users\Triode\AppData\Roaming\Mozilla\Firefox\Profiles\xy2e13bl.default\extensions\tineye@ideeinc.com.xpi
    [2011/10/29 11:16:11 | 000,434,392 | ---- | M] () (No name found) -- C:\Users\Triode\AppData\Roaming\Mozilla\Firefox\Profiles\xy2e13bl.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi
    [2012/12/06 17:43:30 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
    [2012/11/26 07:39:49 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
    [2012/12/06 17:43:33 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
    [2011/09/17 14:01:55 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
    [2012/08/30 06:17:20 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
    [2012/10/13 10:16:35 | 000,002,058 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2012/12/19 07:30:04 | 000,444,136 | R--- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 127.0.0.1 www.007guard.com
    O1 - Hosts: 127.0.0.1 007guard.com
    O1 - Hosts: 127.0.0.1 008i.com
    O1 - Hosts: 127.0.0.1 www.008k.com
    O1 - Hosts: 127.0.0.1 008k.com
    O1 - Hosts: 127.0.0.1 www.00hq.com
    O1 - Hosts: 127.0.0.1 00hq.com
    O1 - Hosts: 127.0.0.1 010402.com
    O1 - Hosts: 127.0.0.1 www.032439.com
    O1 - Hosts: 127.0.0.1 032439.com
    O1 - Hosts: 127.0.0.1 www.0scan.com
    O1 - Hosts: 127.0.0.1 0scan.com
    O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
    O1 - Hosts: 127.0.0.1 1000gratisproben.com
    O1 - Hosts: 127.0.0.1 1001namen.com
    O1 - Hosts: 127.0.0.1 www.1001namen.com
    O1 - Hosts: 127.0.0.1 100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100sexlinks.com
    O1 - Hosts: 127.0.0.1 100sexlinks.com
    O1 - Hosts: 127.0.0.1 www.10sek.com
    O1 - Hosts: 127.0.0.1 10sek.com
    O1 - Hosts: 127.0.0.1 www.1-2005-search.com
    O1 - Hosts: 127.0.0.1 1-2005-search.com
    O1 - Hosts: 15281 more lines...
    O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
    O2:64bit: - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O2 - BHO: (no name) - {9194649F-7143-4308-90C1-D6A35B0E354E} - No CLSID value found.
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll File not found
    O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O4:64bit: - HKLM..\Run: [CmPCIaudio] C:\Windows\Syswow64\CMICNFG3.cpl (C-Media Corporation)
    O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
    O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe ()
    O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O13 - gopher Prefix: missing
    O16:64bit: - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{29206791-C83A-43F8-91B4-E93E2DA740D6}: DhcpNameServer = 69.145.248.4 69.146.17.2 69.144.49.29
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{83DE6050-B21D-42E2-99B8-E9B053DD378C}: DhcpNameServer = 192.168.1.1
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/07/01 03:11:41 | 000,000,000 | RH-D | M] - F:\autorun -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/12/22 11:44:07 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Triode\Desktop\OTL.exe
    [2012/12/21 07:24:55 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll
    [2012/12/21 07:24:54 | 000,367,616 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll
    [2012/12/21 07:24:54 | 000,046,080 | ---- | C] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll
    [2012/12/21 07:24:53 | 000,295,424 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll
    [2012/12/19 17:50:54 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/12/19 17:46:25 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2012/12/17 19:27:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
    [2012/12/17 18:26:13 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
    [2012/12/17 18:26:02 | 000,000,000 | ---D | C] -- C:\JRT
    [2012/12/16 14:09:16 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/12/16 14:09:16 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/12/16 14:09:16 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/12/16 14:09:12 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/12/16 11:13:14 | 000,289,768 | ---- | C] (Oracle Corporation) -- C:\Windows\SysNative\javaws.exe
    [2012/12/16 11:12:59 | 000,189,416 | ---- | C] (Oracle Corporation) -- C:\Windows\SysNative\javaw.exe
    [2012/12/16 11:12:59 | 000,188,904 | ---- | C] (Oracle Corporation) -- C:\Windows\SysNative\java.exe
    [2012/12/16 11:12:59 | 000,108,008 | ---- | C] (Oracle Corporation) -- C:\Windows\SysNative\WindowsAccessBridge-64.dll
    [2012/12/16 11:12:40 | 000,000,000 | ---D | C] -- C:\Program Files\Java
    [2012/12/16 10:56:45 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\appmgmt
    [2012/12/12 07:28:07 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
    [2012/12/12 07:28:07 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
    [2012/12/12 07:28:06 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
    [2012/12/12 07:28:06 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
    [2012/12/12 07:28:06 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
    [2012/12/12 07:28:05 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
    [2012/12/12 07:28:05 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
    [2012/12/12 07:28:05 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
    [2012/12/12 07:28:05 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
    [2012/12/12 07:28:05 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
    [2012/12/12 07:28:04 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
    [2012/12/12 07:28:04 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
    [2012/12/12 07:28:02 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
    [2012/12/12 07:28:02 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
    [2012/12/12 07:28:02 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
    [2012/12/12 07:27:13 | 001,161,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll
    [2012/12/12 07:27:13 | 000,424,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\KernelBase.dll
    [2012/12/12 07:27:13 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\conhost.exe
    [2012/12/12 07:27:13 | 000,215,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
    [2012/12/12 07:27:12 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64win.dll
    [2012/12/12 07:27:12 | 000,243,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll
    [2012/12/12 07:27:12 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe
    [2012/12/12 07:27:12 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntvdm64.dll
    [2012/12/12 07:27:12 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64cpu.dll
    [2012/12/12 07:27:11 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll
    [2012/12/12 07:27:11 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe
    [2012/12/12 07:27:11 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-security-base-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-file-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll
    [2012/12/12 07:27:11 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-misc-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-memory-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-heap-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-util-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-string-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-profile-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-io-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
    [2012/12/12 07:27:11 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-handle-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-synch-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localization-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-debug-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-console-l1-1-0.dll
    [2012/12/12 07:27:10 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe
    [2012/12/12 07:26:52 | 000,478,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dpnet.dll
    [2012/12/12 07:26:52 | 000,376,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dpnet.dll
    [2012/12/06 17:43:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
    [2012/11/28 22:12:30 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
    [2012/11/26 21:12:45 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2012/11/26 21:12:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
    [2012/11/26 21:12:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ERUNT
    [2012/11/26 20:33:08 | 000,000,000 | ---D | C] -- C:\Users\Triode\AppData\Roaming\Malwarebytes
    [2012/11/26 20:32:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2012/11/26 20:32:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2012/11/26 20:32:53 | 000,025,928 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
    [2012/11/26 20:32:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    [2012/11/26 07:39:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
    [2012/11/26 07:27:58 | 000,000,000 | ---D | C] -- C:\Windows\Minidump

    ========== Files - Modified Within 30 Days ==========

    [2012/12/22 11:44:08 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Triode\Desktop\OTL.exe
    [2012/12/22 11:20:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2012/12/22 10:57:51 | 000,021,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/12/22 10:57:51 | 000,021,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/12/22 10:54:55 | 000,779,266 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2012/12/22 10:54:55 | 000,660,280 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2012/12/22 10:54:55 | 000,121,208 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2012/12/22 10:50:46 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/12/22 10:50:16 | 534,896,639 | -HS- | M] () -- C:\hiberfil.sys
    [2012/12/21 07:31:36 | 000,294,200 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
    [2012/12/19 07:30:04 | 000,444,136 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2012/12/17 07:42:05 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20121219-073004.backup
    [2012/12/16 11:12:48 | 000,108,008 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\WindowsAccessBridge-64.dll
    [2012/12/16 11:12:44 | 000,289,768 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\javaws.exe
    [2012/12/16 11:12:44 | 000,189,416 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\javaw.exe
    [2012/12/16 11:12:43 | 000,188,904 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\java.exe
    [2012/12/16 11:12:42 | 001,034,216 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\npDeployJava1.dll
    [2012/12/16 11:12:42 | 000,916,456 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\deployJava1.dll
    [2012/12/16 10:11:22 | 000,046,080 | ---- | M] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll
    [2012/12/16 07:45:03 | 000,367,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll
    [2012/12/16 07:13:28 | 000,295,424 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll
    [2012/12/16 07:13:20 | 000,034,304 | ---- | M] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll
    [2012/12/11 22:20:28 | 000,697,272 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
    [2012/12/11 22:20:28 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    [2012/12/06 21:19:44 | 000,001,130 | ---- | M] () -- C:\Users\Triode\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2012/11/28 21:26:48 | 473,095,749 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2012/11/28 20:37:08 | 000,830,007 | ---- | M] () -- C:\Users\Triode\AppData\Local\census.cache
    [2012/11/28 20:37:00 | 000,080,874 | ---- | M] () -- C:\Users\Triode\AppData\Local\ars.cache
    [2012/11/28 19:03:50 | 000,000,036 | ---- | M] () -- C:\Users\Triode\AppData\Local\housecall.guid.cache
    [2012/11/26 20:13:22 | 000,444,883 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20121128-174534.backup
    [2012/11/26 07:39:55 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
    [2012/11/24 00:36:32 | 000,001,065 | ---- | M] () -- C:\Windows\winamp.ini

    ========== Files Created - No Company Name ==========

    [2012/12/16 14:09:16 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/12/16 14:09:16 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/12/16 14:09:16 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/12/16 14:09:16 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/12/16 14:09:16 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/11/28 20:37:08 | 000,830,007 | ---- | C] () -- C:\Users\Triode\AppData\Local\census.cache
    [2012/11/28 20:37:00 | 000,080,874 | ---- | C] () -- C:\Users\Triode\AppData\Local\ars.cache
    [2012/11/28 19:03:50 | 000,000,036 | ---- | C] () -- C:\Users\Triode\AppData\Local\housecall.guid.cache
    [2012/11/26 07:27:53 | 473,095,749 | ---- | C] () -- C:\Windows\MEMORY.DMP
    [2012/07/27 18:39:50 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
    [2012/07/27 18:39:50 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
    [2011/10/25 21:21:34 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\OVDecoder.dll
    [2011/10/15 23:44:14 | 000,007,606 | ---- | C] () -- C:\Users\Triode\AppData\Local\Resmon.ResmonCfg
    [2011/09/12 15:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
    [2011/08/16 21:42:29 | 000,000,262 | ---- | C] () -- C:\Windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
    [2011/08/13 21:23:06 | 000,139,264 | ---- | C] () -- C:\Windows\SysWow64\VmixP6.dll
    [2011/08/13 21:23:06 | 000,000,262 | ---- | C] () -- C:\Windows\Cmicnfg3.ini.cfl
    [2011/08/13 21:22:34 | 000,003,697 | ---- | C] () -- C:\Windows\Cmicnfg3.ini.cfg
    [2011/08/13 21:22:34 | 000,000,190 | ---- | C] () -- C:\Windows\Cmicnfg3.ini.imi
    [2011/08/13 21:22:33 | 000,000,777 | ---- | C] () -- C:\Windows\cmudax3.ini
    [2011/07/24 21:57:02 | 000,109,016 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat
    [2011/07/24 00:22:56 | 000,215,128 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
    [2011/07/24 00:22:40 | 002,434,856 | ---- | C] () -- C:\Windows\SysWow64\pbsvc_bc2.exe
    [2011/07/24 00:22:40 | 000,075,064 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
    [2011/07/23 22:21:01 | 000,772,990 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2011/07/23 15:54:19 | 000,146,432 | ---- | C] () -- C:\Windows\SysWow64\APOMngr.DLL
    [2011/07/23 15:54:19 | 000,072,704 | ---- | C] () -- C:\Windows\SysWow64\CmdRtr.DLL
    [2011/07/23 15:30:23 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
    [2011/07/23 15:24:40 | 000,001,065 | ---- | C] () -- C:\Windows\winamp.ini
    [2011/07/23 15:02:28 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin

    ========== ZeroAccess Check ==========

    [2009/07/13 21:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
    "" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 22:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 21:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 18:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 20:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 18:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

    ========== LOP Check ==========

    [2012/09/01 12:24:06 | 000,000,000 | ---D | M] -- C:\Users\Triode\AppData\Roaming\.minecraft
    [2011/09/01 23:53:42 | 000,000,000 | ---D | M] -- C:\Users\Triode\AppData\Roaming\Amazon
    [2011/07/23 15:38:26 | 000,000,000 | ---D | M] -- C:\Users\Triode\AppData\Roaming\Auslogics
    [2011/10/14 13:04:08 | 000,000,000 | ---D | M] -- C:\Users\Triode\AppData\Roaming\DAEMON Tools Lite
    [2011/07/23 22:30:05 | 000,000,000 | ---D | M] -- C:\Users\Triode\AppData\Roaming\fltk.org
    [2011/07/23 17:34:30 | 000,000,000 | ---D | M] -- C:\Users\Triode\AppData\Roaming\LolClient
    [2012/05/26 12:56:58 | 000,000,000 | ---D | M] -- C:\Users\Triode\AppData\Roaming\LolClient2
    [2012/01/11 17:19:23 | 000,000,000 | ---D | M] -- C:\Users\Triode\AppData\Roaming\OpenOffice.org
    [2011/07/23 15:22:12 | 000,000,000 | ---D | M] -- C:\Users\Triode\AppData\Roaming\Razer
    [2011/10/01 17:40:45 | 000,000,000 | ---D | M] -- C:\Users\Triode\AppData\Roaming\runic games
    [2012/11/04 13:22:19 | 000,000,000 | ---D | M] -- C:\Users\Triode\AppData\Roaming\wargaming.net

    ========== Purity Check ==========



    ========== Custom Scans ==========

    < %SYSTEMDRIVE%\*.exe >

    < MD5 for: AGP440.SYS >
    [2009/07/13 18:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\SysNative\drivers\AGP440.sys
    [2009/07/13 18:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\SysNative\DriverStore\FileRepository\machine.inf_amd64_neutral_a2f120466549d68b\AGP440.sys
    [2009/07/13 18:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7601.17514_none_1838f2aad55063bb\AGP440.sys

    < MD5 for: ATAPI.SYS >
    [2009/07/13 18:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\ERDNT\cache64\atapi.sys
    [2009/07/13 18:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\drivers\atapi.sys
    [2009/07/13 18:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\atapi.sys
    [2009/07/13 18:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_3b5e2d89382958dd\atapi.sys

    < MD5 for: CNGAUDIT.DLL >
    [2009/07/13 18:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\ERDNT\cache86\cngaudit.dll
    [2009/07/13 18:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
    [2009/07/13 18:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
    [2009/07/13 18:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\ERDNT\cache64\cngaudit.dll
    [2009/07/13 18:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\SysNative\cngaudit.dll
    [2009/07/13 18:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461\cngaudit.dll

    < MD5 for: IASTORV.SYS >
    [2010/11/20 20:23:47 | 000,410,496 | ---- | M] (Intel Corporation) MD5=3DF4395A7CF8B7A72A5F4606366B8C2D -- C:\Windows\SysNative\DriverStore\FileRepository\iastorv.inf_amd64_neutral_668286aa35d55928\iaStorV.sys
    [2010/11/20 20:23:47 | 000,410,496 | ---- | M] (Intel Corporation) MD5=3DF4395A7CF8B7A72A5F4606366B8C2D -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7601.17514_none_0d3757e79e6784d0\iaStorV.sys
    [2011/03/10 23:19:16 | 000,410,496 | ---- | M] (Intel Corporation) MD5=5B3DE7208E5000D5B451B9D290D2579C -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7601.21680_none_0d714416b7c182d5\iaStorV.sys
    [2011/03/10 23:41:26 | 000,410,496 | ---- | M] (Intel Corporation) MD5=AAAF44DB3BD0B9D1FB6969B23ECC8366 -- C:\Windows\SysNative\drivers\iaStorV.sys
    [2011/03/10 23:41:26 | 000,410,496 | ---- | M] (Intel Corporation) MD5=AAAF44DB3BD0B9D1FB6969B23ECC8366 -- C:\Windows\SysNative\DriverStore\FileRepository\iastorv.inf_amd64_neutral_0bcee2057afcc090\iaStorV.sys
    [2011/03/10 23:41:26 | 000,410,496 | ---- | M] (Intel Corporation) MD5=AAAF44DB3BD0B9D1FB6969B23ECC8366 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7601.17577_none_0cf9793d9e95787b\iaStorV.sys

    < MD5 for: NETLOGON.DLL >
    [2010/11/20 20:24:01 | 000,695,808 | ---- | M] (Microsoft Corporation) MD5=AA339DD8BB128EF66660DFBBB59043D3 -- C:\Windows\ERDNT\cache64\netlogon.dll
    [2010/11/20 20:24:01 | 000,695,808 | ---- | M] (Microsoft Corporation) MD5=AA339DD8BB128EF66660DFBBB59043D3 -- C:\Windows\SysNative\netlogon.dll
    [2010/11/20 20:24:01 | 000,695,808 | ---- | M] (Microsoft Corporation) MD5=AA339DD8BB128EF66660DFBBB59043D3 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_5bddbcb24e997298\netlogon.dll
    [2010/11/20 20:24:09 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\ERDNT\cache86\netlogon.dll
    [2010/11/20 20:24:09 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\SysWOW64\netlogon.dll
    [2010/11/20 20:24:09 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=C1809B9907ADEDAF16F50C894100883B -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7601.17514_none_6632670482fa3493\netlogon.dll

    < MD5 for: NVSTOR.SYS >
    [2011/03/10 23:19:21 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=D23C7E8566DA2B8A7C0DBBB761D54888 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.21680_none_983ab4c5eef82cad\nvstor.sys
    [2011/03/10 23:41:34 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=DAB0E87525C10052BF65F06152F37E4A -- C:\Windows\SysNative\drivers\nvstor.sys
    [2011/03/10 23:41:34 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=DAB0E87525C10052BF65F06152F37E4A -- C:\Windows\SysNative\DriverStore\FileRepository\nvraid.inf_amd64_neutral_0276fc3b3ea60d41\nvstor.sys
    [2011/03/10 23:41:34 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=DAB0E87525C10052BF65F06152F37E4A -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.17577_none_97c2e9ecd5cc2253\nvstor.sys
    [2010/11/20 20:23:47 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=F7CD50FE7139F07E77DA8AC8033D1832 -- C:\Windows\SysNative\DriverStore\FileRepository\nvraid.inf_amd64_neutral_dd659ed032d28a14\nvstor.sys
    [2010/11/20 20:23:47 | 000,166,272 | ---- | M] (NVIDIA Corporation) MD5=F7CD50FE7139F07E77DA8AC8033D1832 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7601.17514_none_9800c896d59e2ea8\nvstor.sys

    < MD5 for: SCECLI.DLL >
    [2010/11/20 20:23:54 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\ERDNT\cache86\scecli.dll
    [2010/11/20 20:23:54 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\SysWOW64\scecli.dll
    [2010/11/20 20:23:54 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=8124944EC89D6A1815E4E53F5B96AAF4 -- C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_a088921d241bbb4e\scecli.dll
    [2010/11/20 20:24:32 | 000,232,960 | ---- | M] (Microsoft Corporation) MD5=ED78427259134C63ED69804D2132B86C -- C:\Windows\ERDNT\cache64\scecli.dll
    [2010/11/20 20:24:32 | 000,232,960 | ---- | M] (Microsoft Corporation) MD5=ED78427259134C63ED69804D2132B86C -- C:\Windows\SysNative\scecli.dll
    [2010/11/20 20:24:32 | 000,232,960 | ---- | M] (Microsoft Corporation) MD5=ED78427259134C63ED69804D2132B86C -- C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7601.17514_none_9633e7caefbaf953\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\system32\drivers\*.sys /lockedfiles >

    < %systemroot%\System32\config\*.sav >

    < %systemroot%\system32\drivers\*.sys /90 >

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:A5514ABC

    < End of report >

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •