itsjinx

Can't install adaware!


Also, I just used "SmartSniff", which sniffs out the actual IP packets being sent, and this is what I'm noticing when I try to visit a random website like php.net. I see the usual GET request:

GET /manual/en/function.set-time-limit.php HTTP/1.1
Host: php.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Connection: keep-alive
Referer: http://www.google.com/search?sclient=psy-ab&hl=en&safe=off&site=&source=hp&q=max+execution+time+php&btnG=Search
Cookie: LAST_LANG=en; COUNTRY=USA%2C69.14.59.217

And then 1 second after that request is sent through my browser, a POST request is mysteriously automatically sent to my browser:

POST / HTTP/1.1
Host: www.aloneinthedark.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Connection: keep-alive
Referer: http://php.net/manual/en/function.set-time-limit.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 272

And then that website redirects a GET request:

GET /go.php?id=0d80b4c95def93a737181b4f7530a904&aid=569&said=direc40&lastpage=BxsbH1VAQBgYGEEIAAAIAwpBDAACQBwKDh0MB1AcDAMGCgEbUh8cFkIODUkHA1IKAUkcDgkKUgAJCUkcBhsKUkkcABodDApSBx9JHlICDhdEChcKDBobBgABRBsGAgpEHwcfSQ0bAShSPAoOHQwH HTTP/1.1
Host: tegralaysia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Connection: keep-alive
Referer: http://www.aloneinthedark.com/

Now the thing to note is that the first mysterious POST request is not always to the same site, 'aloneinthedark.com'; a lot of the time it's to a different random site, but they all do the same thing, which is redirect my search query through a couple of sites to then display a webpage with ads based on my original Google search query.

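The three captured requests form a chain that the Referer headers make visible: google.com refers php.net, php.net "refers" the POST to www.aloneinthedark.com, and that site refers the go.php hop on tegralaysia.com. What follows is an added example, not part of the original post and not a tool used in the thread: Windows PowerShell that parses a plain-text dump of captured requests (the sample is constructed from the three requests above, cut down to the headers that matter) and flags the hops a user would not have produced, namely a cross-site POST chained off a page that was only just requested, and a GET to a redirector script carrying affiliate-style id/aid parameters. The function names and the two flagging rules are assumptions of mine; the hosts and paths are the ones in the capture.

```powershell
# Added example (not from the thread): link captured HTTP requests by their
# Referer headers so an injected hop stands out. The capture text below is
# constructed from the three requests quoted in the post, trimmed to the
# headers that matter; only the hosts and paths come from the capture.
$Capture = @'
GET /manual/en/function.set-time-limit.php HTTP/1.1
Host: php.net
Referer: http://www.google.com/search?q=max+execution+time+php

POST / HTTP/1.1
Host: www.aloneinthedark.com
Referer: http://php.net/manual/en/function.set-time-limit.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 272

GET /go.php?id=0d80b4c95def93a737181b4f7530a904&aid=569&said=direc40 HTTP/1.1
Host: tegralaysia.com
Referer: http://www.aloneinthedark.com/
'@

function ConvertFrom-HttpRequestDump {
    # Splits a text dump of requests (blank line between requests, request
    # line first, then "Name: value" headers) into one object per request.
    param([Parameter(Mandatory=$true)][string]$Text)
    foreach ($block in ($Text -split '(?:\r?\n){2,}')) {
        $lines = $block.Trim() -split '\r?\n'
        if ($lines.Count -lt 2) { continue }
        $parts   = $lines[0] -split '\s+'          # METHOD TARGET VERSION
        $headers = @{}
        foreach ($line in $lines[1..($lines.Count - 1)]) {
            $pair = $line -split ':\s*', 2
            if ($pair.Count -eq 2) { $headers[$pair[0].ToLower()] = $pair[1] }
        }
        New-Object PSObject -Property @{
            Method  = $parts[0]
            Target  = $parts[1]
            Host    = $headers['host']
            Referer = $headers['referer']
        }
    }
}

function Find-HijackHops {
    # Flags a request as an injected hop when it chains off another site
    # (Referer host differs from Host) and is either a POST the user never
    # submitted a form for, or a GET to a redirector script with affiliate
    # parameters. Both rules are heuristics written for this capture.
    param([Parameter(Mandatory=$true)][object[]]$Requests)
    foreach ($r in $Requests) {
        $refHost = $null
        if ($r.Referer) {
            $uri = [System.Uri]$r.Referer
            $refHost = $uri.Host
        }
        $crossSite = ($null -ne $refHost) -and ($refHost -ne $r.Host)
        $reasons = @()
        if ($crossSite -and $r.Method -eq 'POST') {
            $reasons += 'cross-site POST chained off a page that was only just requested'
        }
        if ($r.Target -match '^/go\.php\?.*\b(id|aid)=') {
            $reasons += 'redirector script carrying affiliate parameters'
        }
        New-Object PSObject -Property @{
            Method     = $r.Method
            Host       = $r.Host
            ReferredBy = $refHost
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

$requests = ConvertFrom-HttpRequestDump -Text $Capture
$hops = Find-HijackHops -Requests $requests
$hops | Format-Table Method, Host, ReferredBy, Suspicious, Reason -AutoSize

# The chain the user actually saw, with the injected hops marked.
$chain = foreach ($h in $hops) { if ($h.Suspicious) { "$($h.Host) [!]" } else { $h.Host } }
'Chain: ' + ($chain -join ' -> ')
```

Run in a PowerShell window, it prints a table in which only the www.aloneinthedark.com row (cross-site POST) and the tegralaysia.com row (go.php redirector) are marked Suspicious, followed by the chain php.net -> www.aloneinthedark.com [!] -> tegralaysia.com [!]. For a real SmartSniff export, save the HTTP request text to a file and pass (Get-Content capture.txt | Out-String) as -Text. The two rules are heuristics, so treat flagged rows as leads to check against timing (the one-second gap noted above) rather than as proof on their own.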
I uploaded 2 quick youtube videos to show what's happening.

Here is what I explained with the redirect in Firefox normal mode. You will see me search google and then the automatic redirect through a few websites. Then I click the back button and choose the original PHP.net site that I was redirected from, and you will notice it will continue to redirect me even when I select it like this, BUT only 4 times and then it lets me visit the real site without redirecting. This happens no matter what website I visit after clicking a link in my browser:
http://www.youtube.com/watch?v=fHcrhXB2jXo

Here is doing the same thing in IE Safe mode:
http://www.youtube.com/watch?v=cA7-qGMXTWc

BHO: MP3 Rocket Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: MP3 Rocket Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
That toolbar in IE should be uninstalled or inactivated since Ask.com might do strange things.

You have three different DHCP servers. The first one should be your router. Do you know the other two? Do they belong to your internet provider?
TCP: DhcpNameServer = 192.168.1.1 64.233.217.5 64.233.217.2

Please, let aswMBR scan the computer, see http://public.avast.com/~gmerek/aswMBR.htm
Follow only the first section, "How to scan", and don't try to fix anything. Post its log.

Please, save GooredFix on the desktop, from one of the links:
http://jpshortstuff.247fixes.com/GooredFix.exe
http://downloads.securitycadets.com/GooredFix.exe

Double-click the program to start it.
Click on 'Yes' to start the scan.
Paste the content of the log that will pop up; it will also be stored on your desktop with the name GooredFix.txt.

CeciliaB wrote:
> BHO: MP3 Rocket Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
> TB: MP3 Rocket Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
> That toolbar in IE should be uninstalled or inactivated since Ask.com might do strange things.
>
> You have three different DHCP servers. The first one should be your router. Do you know the other two? Do they belong to your internet provider?
> TCP: DhcpNameServer = 192.168.1.1 64.233.217.5 64.233.217.2
>
> Please, let aswMBR scan the computer, see http://public.avast.com/~gmerek/aswMBR.htm
> Follow only the first section, "How to scan", and don't try to fix anything. Post its log.

I deleted the toolbars; they weren't showing up as installed anyway.
Also, I'm not sure about the 3 DHCP server IPs, but the problem still happens if I connect my computer with an ethernet cable directly to my cable modem and disable my wireless network, so that would mean the DHCP issue couldn't be it, right?

I am scanning right now with the other programs as well.

CeciliaB,

I found another thread on here that has the EXACT symptoms as mine! I can't understand what they did that fixed the issue, but here is the thread:

http://www.bleepingcomputer.com/forums/topic403458.html

Can you help me see what the fix was?

itsjinx,

I have read that other thread before. That computer was infected by a fake/rogue program called "Windows Vista Recovery". Most of the infection was removed by ComboFix.

Have you seen any fake programs, for example antivirus or registry cleaners, on a web page shortly before your problem started?
But criminal groups change the infection type now and then, even if they still have the same goal, in this case the same web site.

Since it has been a week since you ran ComboFix, please remove the one you have and download the latest version by following the instructions on http://www.bleepingcomputer.com/combofix/how-to-use-combofix for installing and running ComboFix.

Read carefully and note the "Disclaimer of warranty"!

Paste the content of the log into your answer.

Here is contents of GooredFix:

GooredFix by jpshortstuff (03.07.10.1)
Log created at 15:13 on 17/11/2011 (derek)
Firefox version 8.0 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [23:45 07/11/2011]

C:\Users\derek\Application Data\Mozilla\Firefox\Profiles\iysioyqt.default\extensions\
[email protected] [05:54 13/07/2010]
[email protected] [05:54 13/07/2010]
{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a} [05:54 13/07/2010]
{8faa99f2-0cd0-4b79-a717-cab1d1a50ba5} [02:19 09/09/2011]
{c45c406e-ab73-11d8-be73-000a95be3b12} [05:54 13/07/2010]

C:\Users\derek\Application Data\Mozilla\Firefox\Profiles\ocwvh1o7.default\extensions\
[email protected] [20:21 14/11/2011]
[email protected] [03:02 12/11/2011]
{3112ca9c-de6d-4884-a869-9855de68056c} [01:10 11/06/2011]
{73a6fe31-595d-460b-a920-fcc0f8843232}(44) [20:39 08/07/2010]
{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a} [04:09 14/05/2011]
{c45c406e-ab73-11d8-be73-000a95be3b12} [21:24 09/01/2011]
{e3f6c2cc-d8db-498c-af6c-499fb211db97} [23:46 07/11/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

-=E.O.F=-

CeciliaB wrote:
> itsjinx,
>
> I have read that other thread before. That computer was infected by a fake/rogue program called "Windows Vista Recovery". Most of the infection was removed by ComboFix.
>
> Have you seen any fake programs, for example antivirus or registry cleaners, on a web page shortly before your problem started?
> But criminal groups change the infection type now and then, even if they still have the same goal, in this case the same web site.
>
> Since it has been a week since you ran ComboFix, please remove the one you have and download the latest version by following the instructions on http://www.bleepingcomputer.com/combofix/how-to-use-combofix for installing and running ComboFix.
>
> Read carefully and note the "Disclaimer of warranty"!
>
> Paste the content of the log into your answer.

No, I have never seen any popups for anything trying to get me to buy something... Only when I click links in my browser does it redirect to "ads" pages. Whatever that other thread was talking about is what I definitely have, mainly the iexplore.exe program opening in the background and loading random invisible pages that sometimes play music or other sounds...

I am going to download and run ComboFix again, but can I do it in Windows Safe Mode? Because when I run ComboFix it says I have "Trend Micro 2009" installed and to close it, but I don't have that installed and there are no processes open for Trend Micro, so I'm wondering if it's best to scan in Safe Mode?

I think ComboFix "reads" this information, visible in the DDS log:
AV: Trend Micro AntiVirus *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro AntiVirus *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}

Those lines can be removed in the following way:

Click Start button and in the little search field enter

wbemtest

Start that program.
When the program is up, do as in this animated sequence:
http://img.photobucket.com/albums/v666/sUBs/Delete_AV_From_WMI.gif
That is:

Connect
root\SecurityCenter
Query
SELECT * FROM AntivirusProduct
Apply
Select the number corresponding to 'AV: Trend Micro AntiVirus' above.
Delete

Repeat but replace 'AntivirusProduct' with 'SpywareProduct' and the number corresponding to 'SP: Trend Micro AntiVirus' above.

Restart the computer.

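The same cleanup from a PowerShell prompt, as an added example that is not part of the thread and not CeciliaB's procedure: it lists what Security Center has registered and deletes a chosen instance, which is what wbemtest's Delete button does for the selected row. Assumptions: Windows PowerShell run as Administrator; root\SecurityCenter2 is checked alongside root\SecurityCenter because Windows Vista and later register products there; the two GUIDs passed at the end are the values printed after "Trend Micro AntiVirus" in the AV: and SP: lines above, taken to be the instanceGuid of each registration. The function names are mine.

```powershell
# Added example (not from the thread): the wbemtest steps above, done from an
# elevated Windows PowerShell prompt. Vista and later register products in
# root\SecurityCenter2; the older root\SecurityCenter namespace (the one the
# post queries) may still exist, so both are checked. Nothing is deleted
# while -WhatIf stays on the Remove-StaleSecurityCenterProduct call.
$Namespaces = 'root\SecurityCenter', 'root\SecurityCenter2'
$Classes    = 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct'

function Get-SecurityCenterProduct {
    # Lists every registered security product with its instanceGuid and, where
    # the namespace records a signed executable path (SecurityCenter2 does),
    # whether that executable still exists on disk.
    foreach ($ns in $Namespaces) {
        foreach ($class in $Classes) {
            $items = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
            foreach ($item in $items) {
                $exe = $item.pathToSignedProductExe
                $exePresent = $null
                if ($exe) { $exePresent = Test-Path -LiteralPath $exe }
                New-Object PSObject -Property @{
                    Namespace    = $ns
                    Class        = $class
                    DisplayName  = $item.displayName
                    InstanceGuid = $item.instanceGuid
                    ExePresent   = $exePresent
                    Instance     = $item
                }
            }
        }
    }
}

function Remove-StaleSecurityCenterProduct {
    # Deletes the WMI instance(s) whose instanceGuid matches; this is exactly
    # what wbemtest's Delete does for the selected row. Run with -WhatIf first
    # and drop it only once the rows it names are the ones you expect.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string[]]$InstanceGuid)
    foreach ($p in Get-SecurityCenterProduct) {
        if ($InstanceGuid -contains $p.InstanceGuid) {
            $target = "$($p.Namespace)\$($p.Class) '$($p.DisplayName)' $($p.InstanceGuid)"
            if ($PSCmdlet.ShouldProcess($target, 'Delete')) {
                $p.Instance | Remove-WmiObject
            }
        }
    }
}

# Review first, then remove the two Trend Micro registrations. The GUIDs are
# the ones printed in the AV: and SP: lines of the DDS/ComboFix log above.
Get-SecurityCenterProduct | Format-Table Namespace, Class, DisplayName, InstanceGuid, ExePresent -AutoSize
Remove-StaleSecurityCenterProduct -InstanceGuid '{68F968AC-2AA0-091D-848C-803E83E35902}', '{D3988948-0C9A-0693-BE3C-BB4CF86413BF}' -WhatIf
```

Leave -WhatIf on the first run and compare the listed rows with the AV:/SP: lines; as a rule of thumb, a registration whose ExePresent is False while another product covers the same role is the stale one. After removing it, restart the computer as the post says, then run ComboFix again.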
NEW COMBOFIX LOG:

ComboFix 11-11-17.03 - derek 11/17/2011 17:56:29.4.8 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8174.6437 [GMT -5:00]
Running from: c:\users\derek\Desktop\ComboFix.exe
AV: Trend Micro AntiVirus *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro AntiVirus *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-17 to 2011-11-17 )))))))))))))))))))))))))))))))
.
.
2011-11-17 23:31 . 2011-11-17 23:31 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-11-17 23:31 . 2011-11-17 23:31 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2011-11-17 23:31 . 2011-11-17 23:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-17 19:43 . 2011-11-17 19:43 -------- d-----w- c:\users\derek\AppData\Roaming\SUPERAntiSpyware.com
2011-11-17 19:43 . 2011-11-17 19:43 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-17 19:43 . 2011-11-17 19:43 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-11-16 22:27 . 2011-11-16 22:27 -------- d-----w- c:\users\derek\AppData\Local\TechSmith
2011-11-16 22:25 . 2011-11-16 22:25 -------- d-----w- c:\windows\SysWow64\QuickTime
2011-11-16 22:25 . 2011-11-16 22:25 -------- d-----w- c:\program files (x86)\Common Files\TechSmith Shared
2011-11-16 22:25 . 2011-11-16 22:25 -------- d-----w- c:\programdata\TechSmith
2011-11-16 22:25 . 2011-11-16 22:25 -------- d-----w- c:\program files (x86)\TechSmith
2011-11-15 22:20 . 2011-11-16 03:51 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2011-11-15 22:20 . 2011-11-15 22:20 -------- d-----w- c:\program files (x86)\Toolbar Cleaner
2011-11-15 17:54 . 2011-11-15 17:54 675416 ----a-w- c:\windows\system32\drivers\avc3.sys
2011-11-12 19:57 . 2011-11-12 19:58 -------- d-----w- c:\program files (x86)\MP3 Rocket
2011-11-09 22:35 . 2011-11-09 22:35 -------- d-----w- c:\users\derek\AppData\Roaming\Malwarebytes
2011-11-09 22:35 . 2011-11-09 22:35 -------- d-----w- c:\programdata\Malwarebytes
2011-11-09 22:35 . 2011-08-31 22:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-09 22:13 . 2011-11-09 22:37 -------- d-----w- C:\sh4ldr
2011-11-09 22:12 . 2011-11-09 22:37 -------- d-----w- c:\windows\89A072791DB3485AB1DF584DF86774B9.TMP
2011-11-09 22:12 . 2011-11-09 22:12 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2011-11-08 04:14 . 2011-11-08 04:14 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\BitDefender
2011-11-08 00:05 . 2011-11-08 00:05 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\QuickScan
2011-11-07 23:45 . 2011-11-09 22:28 134104 ----a-w- c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-11-07 23:45 . 2011-11-09 22:28 89048 ----a-w- c:\program files (x86)\Mozilla Firefox\libEGL.dll
2011-11-07 23:45 . 2011-11-09 22:28 801752 ----a-w- c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-11-07 23:45 . 2011-11-09 22:28 478168 ----a-w- c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
2011-11-07 23:45 . 2011-11-09 22:28 1989592 ----a-w- c:\program files (x86)\Mozilla Firefox\mozjs.dll
2011-11-07 23:45 . 2011-11-09 22:28 15832 ----a-w- c:\program files (x86)\Mozilla Firefox\mozalloc.dll
2011-11-07 23:45 . 2011-09-29 00:26 2106216 ----a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-11-07 23:45 . 2011-09-29 00:26 1998168 ----a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-11-07 23:31 . 2011-11-07 23:31 -------- d-----w- c:\programdata\Lavasoft
2011-11-07 23:31 . 2011-11-07 23:31 -------- d-----w- c:\program files (x86)\Lavasoft
2011-11-07 23:30 . 2011-11-07 23:30 243637 ----a-w- c:\programdata\1320708220.bdinstall.bin
2011-11-07 23:28 . 2011-11-07 23:32 -------- d-----w- c:\users\derek\AppData\Roaming\Bitdefender
2011-11-07 23:28 . 2011-11-07 23:30 -------- d-----w- c:\programdata\Bitdefender
2011-11-07 23:24 . 2011-11-07 23:25 -------- d-----w- c:\program files\Bitdefender
2011-11-07 23:24 . 2011-11-07 23:24 -------- d-----w- c:\users\derek\AppData\Roaming\QuickScan
2011-11-07 23:23 . 2011-11-08 00:11 329800 ----a-w- c:\windows\system32\drivers\trufos.sys
2011-11-07 23:23 . 2011-03-24 20:36 431176 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2011-11-07 23:23 . 2011-11-07 23:23 -------- d-----w- c:\program files\Common Files\Bitdefender
2011-11-07 23:23 . 2011-11-07 23:23 -------- d-----w- c:\program files (x86)\Common Files\Bitdefender
2011-11-07 22:39 . 2011-11-07 22:39 -------- d-----w- c:\users\derek\AppData\Local\Trend Micro
2011-11-07 00:27 . 2011-11-07 23:45 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-11-07 00:27 . 2011-11-07 23:45 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-11-07 00:21 . 2010-09-01 21:59 835656 ----a-w- c:\windows\SysWow64\WINCTL5.OCX
2011-11-07 00:21 . 2009-04-14 16:50 495689 ----a-w- c:\windows\SysWow64\WINUTIL6.DLL
2011-11-07 00:21 . 2006-03-31 20:36 393216 ----a-w- c:\windows\SysWow64\WINLCTL5.DLL
2011-11-07 00:21 . 2003-09-23 06:00 608448 ----a-w- c:\windows\SysWow64\COMCTL32.OCX
2011-11-07 00:21 . 2011-11-07 00:21 -------- d-----w- c:\windows\McAfee.com
2011-11-07 00:21 . 2008-06-02 15:38 212240 ----a-w- c:\windows\SysWow64\Richtx32.ocx
2011-11-07 00:00 . 2010-03-08 10:10 13824 ----a-w- c:\windows\system32\ffnd.exe
2011-11-06 23:06 . 2011-11-07 00:07 -------- d-----w- c:\users\derek\AppData\Roaming\FreeFixer
2011-11-06 23:06 . 2011-11-06 23:06 -------- d-----w- c:\users\derek\AppData\Local\FreeFixer
2011-11-06 23:06 . 2011-11-06 23:06 -------- d-----w- c:\program files\FreeFixer
2011-11-05 17:52 . 2011-06-21 04:09 200976 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2011-11-04 23:09 . 2011-11-04 23:09 -------- d-----w- c:\users\derek\AppData\Roaming\MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1
2011-11-04 23:09 . 2011-11-04 23:09 -------- d-----w- c:\program files (x86)\Market Samurai
2011-10-29 02:33 . 2011-10-29 02:33 -------- d-----w- c:\users\derek\AppData\Local\APN
2011-10-19 20:42 . 2011-11-04 00:15 -------- d-----w- c:\users\derek\AppData\Local\Spotify
2011-10-19 20:42 . 2011-10-21 03:12 -------- d-----w- c:\users\derek\AppData\Roaming\Spotify
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-07 23:58 . 2011-05-03 00:05 34688 ----a-w- c:\windows\system32\LMIport.dll
2011-10-07 23:58 . 2011-05-03 00:05 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-07 23:58 . 2011-05-03 00:04 80768 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-01 20:49 . 2011-10-01 20:49 0 ----a-w- c:\windows\SysWow64\sho9564.tmp
2011-09-30 22:40 . 2011-09-30 22:40 0 ----a-w- c:\windows\SysWow64\sho78B0.tmp
2011-09-29 21:09 . 2011-09-29 21:09 79952 ----a-w- c:\windows\system32\drivers\bdsandbox.sys
2011-09-23 21:39 . 2011-05-17 00:38 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-16 23:25 . 2011-09-16 23:25 0 ----a-w- c:\windows\SysWow64\sho8A99.tmp
2011-09-09 19:25 . 2011-09-09 19:25 0 ----a-w- c:\windows\SysWow64\shoB3C6.tmp
2011-09-01 16:15 . 2011-09-01 16:15 553280 ----a-w- c:\windows\system32\drivers\avckf.sys
2011-08-31 22:43 . 2011-08-31 22:43 0 ----a-w- c:\windows\SysWow64\shoC64B.tmp
2011-08-24 21:10 . 2011-08-24 21:10 0 ----a-w- c:\windows\SysWow64\shoB497.tmp
.
.
((((((((((((((((((((((((((((( [email protected]_01.55.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2011-11-10 22:20 . 2011-11-10 22:20 13585 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2011-11-17 22:28 . 2011-11-17 22:28 13585 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2009-07-14 04:54 . 2011-11-17 22:33 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-11-10 22:20 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-11-17 22:33 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-11-10 22:20 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-11-17 22:33 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-11-10 22:20 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-25 22:01 . 2011-11-14 02:05 62990 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-11-17 22:36 34466 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-05-03 02:44 . 2011-11-10 22:20 49152 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-03 02:44 . 2011-11-17 23:33 49152 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-11-11 21:52 . 2011-11-17 23:33 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-11-10 22:20 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-11-17 23:33 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-07-13 23:19 . 2011-11-17 22:32 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-07-13 23:19 . 2011-11-11 01:05 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-13 23:19 . 2011-11-17 22:32 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-07-13 23:19 . 2011-11-11 01:05 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-07-13 23:19 . 2011-11-11 01:05 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-07-13 23:19 . 2011-11-17 22:32 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-07-12 23:17 . 2011-11-10 22:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-12 23:17 . 2011-11-17 23:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-12 23:17 . 2011-11-17 23:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-07-12 23:17 . 2011-11-10 22:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-07-12 23:20 . 2011-11-17 22:36 6074 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1620454023-599415270-3658004543-1004_UserData.bin
+ 2010-07-19 20:34 . 2010-07-19 20:34 625664 c:\windows\SysWOW64\tsccvid64.dll
+ 2010-07-19 20:33 . 2010-07-19 20:33 594944 c:\windows\SysWOW64\tsccvid.dll
+ 2010-07-13 22:34 . 2011-11-14 01:46 413082 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2011-11-17 22:38 818158 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-11-17 22:38 177538 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2011-11-10 22:16 306360 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-11-17 22:28 306360 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-11-16 22:25 . 2011-11-16 22:25 680448 c:\windows\Installer\{C0E8FE43-C35B-451D-B35F-D4BD056D70E7}\IconEF5C48881.exe
+ 2001-09-06 02:00 . 2001-09-06 02:00 1700352 c:\windows\SysWOW64\gdiplus.dll
+ 2010-07-13 17:27 . 2011-11-17 22:28 1932232 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1620454023-599415270-3658004543-1004-12288.dat
- 2010-07-13 17:27 . 2011-11-10 22:16 1932232 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1620454023-599415270-3658004543-1004-12288.dat
+ 2011-11-03 17:08 . 2011-11-03 17:08 15544320 c:\windows\Installer\16b463.msi
+ 2011-11-16 22:09 . 2011-11-16 22:09 195687424 c:\windows\Installer\a186c80.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-10-21 01:03 991888 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-10-21 01:03 991888 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-10-21 01:03 991888 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe"
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe"
"ControlCenter3"=c:\program files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun
.
R0 szkg5;szkg5;c:\windows\SySWOW64\DRIVERS\szkg64.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MSSQL$DDNI;SQL Server (DDNI);c:\program files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\sqlservr.exe [2009-03-30 43010392]
R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [x]
R2 risdsnpe;risdsnpe;c:\windows\system32\drivers\risdsne64.sys [x]
R3 bdsandbox;bdsandbox;c:\windows\system32\drivers\bdsandbox.sys [x]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 SampleCollector;Intel(R) Sample Collector;c:\program files\Sony\VAIO Care\collsvc.exe [2009-12-23 168448]
R3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\DRIVERS\swnc8u56.sys [x]
R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\DRIVERS\swumx56.sys [x]
R3 Update Server;BitDefender Update Server v2;c:\program files\Common Files\Bitdefender\Bitdefender Arrakis Server\bin\arrakis3.exe [2011-10-15 466736]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-03 135664]
R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-03 135664]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 47128]
R4 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
R4 SafeBox;SafeBox;c:\program files\Bitdefender\Bitdefender SafeBox\safeboxservice.exe [2011-09-13 74336]
R4 SMPDiskOptimizer;SMPDiskOptimizer;c:\program files (x86)\System Optimizer\SMPDefragSrv64.exe [2010-10-19 275456]
R4 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2010-02-24 108400]
R4 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2010-02-24 422768]
R4 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2010-02-24 67952]
R4 SpfService;VAIO Entertainment Common Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService.exe [2010-02-08 302448]
R4 SQLAgent$DDNI;SQL Server Agent (DDNI);c:\program files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
R4 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2010-01-20 574320]
R4 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2010-03-18 852336]
R4 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2010-02-20 529776]
R4 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2010-02-20 386416]
R4 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2010-02-20 115568]
R4 VUAgent;VUAgent;c:\program files\Sony\VAIO Update 5\VUAgent.exe [2010-06-09 1223024]
S0 avc3;avc3;c:\windows\system32\DRIVERS\avc3.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver;c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [2011-03-01 89680]
S1 bdfwfpf;bdfwfpf;c:\program files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [2011-08-10 102992]
S1 BDVEDISK;BDVEDISK;c:\windows\system32\DRIVERS\bdvedisk.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-11-20 13336]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-10-07 375176]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2010-09-17 15928]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [x]
S2 rimspci;rimspci;c:\windows\system32\drivers\rimssne64.sys [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S2 UPDATESRV;BitDefender Desktop Update Service;c:\program files\Bitdefender\Bitdefender 2012\updatesrv.exe [2011-11-15 62512]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [x]
S3 avchv;avchv Function Driver;c:\windows\system32\DRIVERS\avchv.sys [x]
S3 avckf;avckf;c:\windows\system32\DRIVERS\avckf.sys [x]
S3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2009-07-14 01:14 301568 ----a-w- c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-03 03:05]
.
2011-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-03 03:05]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-10-21 00:56 1256592 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-10-21 00:56 1256592 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-10-21 00:56 1256592 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\__SafeBox1]
@="{152C96EB-288E-4EDC-B7C6-D21F8250ADF3}"
[HKEY_CLASSES_ROOT\CLSID\{152C96EB-288E-4EDC-B7C6-D21F8250ADF3}]
2011-09-13 16:23 260760 ------w- c:\program files\Bitdefender\Bitdefender Safebox\safeboxshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\__SafeBox2]
@="{342DAA0B-D796-460D-8566-901E08A1CCAD}"
[HKEY_CLASSES_ROOT\CLSID\{342DAA0B-D796-460D-8566-901E08A1CCAD}]
2011-09-13 16:23 260760 ------w- c:\program files\Bitdefender\Bitdefender Safebox\safeboxshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\__SafeBox3]
@="{57595DAE-1AE1-4D97-A49E-67CBB53B52DF}"
[HKEY_CLASSES_ROOT\CLSID\{57595DAE-1AE1-4D97-A49E-67CBB53B52DF}]
2011-09-13 16:23 260760 ------w- c:\program files\Bitdefender\Bitdefender Safebox\safeboxshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\__SafeBox4]
@="{33816773-98AE-4723-ADE0-EBE54C8B5A67}"
[HKEY_CLASSES_ROOT\CLSID\{33816773-98AE-4723-ADE0-EBE54C8B5A67}]
2011-09-13 16:23 260760 ------w- c:\program files\Bitdefender\Bitdefender Safebox\safeboxshell.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SYSTEM32\blank.htm
TCP: DhcpNameServer = 64.233.217.5 64.233.217.2
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll
FF - ProfilePath - c:\users\derek\AppData\Roaming\Mozilla\Firefox\Profiles\ocwvh1o7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com
FF - prefs.js: browser.search.selectedEngine - Search The Web
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\services\SampleCollector]
"ImagePath"="\"c:\program files\Sony\VAIO Care\collsvc.exe\" \"/service\" \"/counter=\Processor(_Total)\% Processor Time:5\" \"/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:5\" \"/counter=\Network Interface(*)\Bytes Total/sec:5\" \"/directory=inteldata\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Component Based Servicing\ApplicabilityEvaluationCache\Package_for_KB2447568~31bf3856ad364e35~amd64~~6.1.1.0]
@DACL=(02 0000)
"ApplicabilityState"=dword:00000070
"CurrentState"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Component Based Servicing\ApplicabilityEvaluationCache\Package_for_KB947821~31bf3856ad364e35~amd64~~6.1.8.0]
@DACL=(02 0000)
"ApplicabilityState"=dword:00000070
"CurrentState"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-11-17 18:53:29
ComboFix-quarantined-files.txt 2011-11-17 23:53
ComboFix2.txt 2011-11-14 23:48
ComboFix3.txt 2011-11-11 20:33
.
Pre-Run: 486,971,338,752 bytes free
Post-Run: 486,741,286,912 bytes free
.
- - End Of File - - 8C5ED7115AA23BC8DEDFD62F887C0765

[quote name='CeciliaB' timestamp='1321569428' post='130596']
I think ComboFix "reads" this information, visible in DDS log:
AV: Trend Micro AntiVirus *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro AntiVirus *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}

Those lines can be removed in the following way:

Click Start button and in the little search field enter

wbemtest

Start that program.
When the program is up, do as in this animated sequence:
[url="http://img.photobucket.com/albums/v666/sUBs/Delete_AV_From_WMI.gif"]http://img.photobucket.com/albums/v666/sUBs/Delete_AV_From_WMI.gif[/url]
That is:

Connect
root\SecurityCenter
Query
SELECT * FROM AntivirusProduct
Apply
Select the number corresponding to 'AV: Trend Micro AntiVirus' above.
Delete

Repeat but replace 'AntivirusProduct' with 'SpywareProduct' and the number corresponding to 'SP: Trend Micro AntiVirus' above.

Restart the computer.
[/quote]

I did that, but there were no results shown to delete. It said 0 rows found...

It also shows no results for SpywareProduct either...

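The wbemtest procedure quoted above, done from an elevated PowerShell prompt, as an added example that is not from the thread. It lists every product registered with Security Center in WMI, flags the ones whose displayName matches the product that is no longer installed, and deletes them only when -Remove is given. The function name is mine; the namespaces and class names are the ones Windows uses: root\SecurityCenter on Windows XP (the namespace in the quoted steps) and root\SecurityCenter2 on Vista and later, which is why the query above returned 0 rows on this Windows 7 machine.

```powershell
# Added example (not from the thread): enumerate the antivirus / antispyware / firewall
# registrations Windows Security Center keeps in WMI and remove stale ones.
# Run from an elevated PowerShell prompt. Nothing is deleted unless -Remove is given.
function Remove-StaleSecurityCenterProduct {
    param(
        # Substring of the displayName to treat as stale, e.g. the uninstalled product's name.
        [Parameter(Mandatory=$true)] [string] $NamePattern,
        # Actually delete matching instances; without it the function only reports.
        [switch] $Remove
    )

    # Windows XP registers products under root\SecurityCenter; Vista and later use
    # root\SecurityCenter2. Both are checked so an entry is found wherever it lives.
    $namespaces = @('root\SecurityCenter', 'root\SecurityCenter2')
    $classes    = @('AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct')

    foreach ($ns in $namespaces) {
        foreach ($class in $classes) {
            try {
                # A namespace or class that does not exist on this OS throws; skip it quietly.
                $products = @(Get-WmiObject -Namespace $ns -Class $class -ErrorAction Stop)
            } catch {
                continue
            }
            foreach ($p in $products) {
                $desc = '{0}\{1}: "{2}" instanceGuid={3}' -f $ns, $class, $p.displayName, $p.instanceGuid
                if ($p.displayName -notlike "*$NamePattern*") {
                    Write-Output "KEEP    $desc"
                    continue
                }
                if ($Remove) {
                    # Same effect as selecting the row in wbemtest and pressing Delete.
                    Remove-WmiObject -InputObject $p
                    Write-Output "REMOVED $desc"
                } else {
                    Write-Output "STALE   $desc  (rerun with -Remove to delete it)"
                }
            }
        }
    }
}

# Dry run first; the product name is taken from the AV:/SP: lines of the DDS log quoted above.
Remove-StaleSecurityCenterProduct -NamePattern 'Trend Micro'
# Remove-StaleSecurityCenterProduct -NamePattern 'Trend Micro' -Remove
```

Get-WmiObject and Remove-WmiObject are Windows PowerShell cmdlets; on PowerShell 7 use Get-CimInstance and Remove-CimInstance instead.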
Upload the following files to http://www.virustotal.com/ one by one using the "Upload a file" function and post back the links to the scan reports:
c:\windows\Installer\{C0E8FE43-C35B-451D-B35F-D4BD056D70E7}\IconEF5C48881.exe
c:\windows\Installer\16b463.msi
c:\windows\Installer\a186c80.msi

You have a driver belonging to Trend Micro antivirus in the computer:
C:\Windows\SysWow64\drivers\tmcomm.sys

Did you use one of the versions mentioned on http://esupport.trendmicro.com/solution/en-us/1037161.aspx ? In that case, follow the instructions there.

Remove this folder if it exists: C:\Users\derek\AppData\Local\Trend Micro

[quote name='CeciliaB' timestamp='1321624283' post='130606']
Upload the following files to [url="http://www.virustotal.com/"]http://www.virustotal.com/[/url] one by one using the "Upload a file" function and post back the links to the scan reports:
c:\windows\Installer\{C0E8FE43-C35B-451D-B35F-D4BD056D70E7}\IconEF5C48881.exe
c:\windows\Installer\16b463.msi
c:\windows\Installer\a186c80.msi
[/quote]

They all came up clean:
c:\windows\Installer\a186c80.msi = Camtasia installer, used to make those YouTube videos I uploaded

c:\windows\Installer\16b463.msi = Adaware installation database file (Adaware never fully installs for me to use it)

IconEF5C48881.exe = Avast definition database downloaded for aswMBR.exe

[quote name='CeciliaB' timestamp='1321624893' post='130607']
You have a driver belonging to Trend Micro antivirus in the computer:
C:\Windows\SysWow64\drivers\tmcomm.sys

Did you use one of the versions mentioned on [url="http://esupport.trendmicro.com/solution/en-us/1037161.aspx"]http://esupport.trendmicro.com/solution/en-us/1037161.aspx[/url] ? In that case follow the instruction there.

Remove this folder if it exists: C:\Users\derek\AppData\Local\Trend Micro
[/quote]

That folder doesn't exist anymore, and I already deleted tmcomm.sys after I realized it was related to Trend. I just now ran that official uninstaller and it said it was successful. Then I restarted my computer and tried ComboFix again, and it still says Trend Micro is installed and should be disabled and uninstalled. I'm thinking about simply completely wiping my computer and re-installing Windows from disc :-(

The thing is, there are many people who have this issue: if you search Google for "get-answers-fast.com" you will see they all have the same problem, but I can't figure out what they are doing to fix the issue.

For example this thread: http://deletemalware.blogspot.com/2011/11/remove-get-answers-fastcom-uninstall.html

They said to delete these files:[list]
[*]C:\Documents and Settings\All Users\Application Data\mazuki.dll
[*]C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
[*]C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[*]C:\WINDOWS\system\BCBSMP35.BPL
[*]C:\WINDOWS\system32\sstray.exe
[/list]
But I only have 2 files:[list]
[*]C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
[*]C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[/list]
And they are supposedly Windows BITS files.

Did you delete tmcomm.sys after the last run of ComboFix? I ask since I saw the file in the last log.

There are few such malware removal descriptions that I trust; most of them are written to earn money when people buy products that don't help them. In this case the link to Stopzilla looks suspicious to me. Usually files like mazuki.dll have a random name, that is, it will be different in each infected computer.

C:\WINDOWS\system32\sstray.exe: this file is usually an Nvidia file, see http://www.systemlookup.com/Startup/11753-sstray_exe.html

These two are common files found in most computers, including mine:
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

C:\WINDOWS\system\BCBSMP35.BPL: Borland library file

Have you checked the registry entry "Computer\HKEY_Current_User\Software\Microsoft\Internet Explorer\TypedURLs" mentioned in the first comment?

When I read topics in trusted malware removal forums, I found the tools that you have used, such as ComboFix, TDSSKiller etc. But I notice now that I haven't seen your log from aswMBR, see post #28.

This is supposed to remove the security center information about Trend Micro.
Copy all lines in the box:
[code]
SecCenter::
{68F968AC-2AA0-091D-848C-803E83E35902}
{D3988948-0C9A-0693-BE3C-BB4CF86413BF}
[/code]
and paste into Notepad.
Save the file on the desktop with the name CFScript.

Prepare the computer according to the instructions for running ComboFix.
Drag CFScript with the mouse and drop it on top of the ComboFix icon on the Desktop, the program will start in a special way.
Paste the new ComboFix log into your answer.

Okay, here is the ComboFix log after doing that:

ComboFix 11-11-18.02 - derek 11/18/2011 22:19:50.6.8 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8174.5409 [GMT -5:00]
Running from: c:\users\derek\Documents\Programs\ComboFix.exe
Command switches used :: c:\users\derek\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-19 to 2011-11-19 )))))))))))))))))))))))))))))))
.
.
2011-11-19 03:54 . 2011-11-19 03:54 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-11-19 03:54 . 2011-11-19 03:54 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2011-11-19 03:54 . 2011-11-19 03:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-18 18:43 . 2011-11-18 18:43 -------- d-----w- C:\TDSSKiller_Quarantine
2011-11-18 04:08 . 2011-09-06 21:45 254400 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-18 04:08 . 2011-11-18 17:11 -------- d-----w- c:\programdata\AVAST Software
2011-11-18 04:08 . 2011-11-18 04:08 -------- d-----w- c:\program files\AVAST Software
2011-11-16 22:27 . 2011-11-16 22:27 -------- d-----w- c:\users\derek\AppData\Local\TechSmith
2011-11-16 22:25 . 2011-11-16 22:25 -------- d-----w- c:\windows\SysWow64\QuickTime
2011-11-16 22:25 . 2011-11-16 22:25 -------- d-----w- c:\program files (x86)\Common Files\TechSmith Shared
2011-11-16 22:25 . 2011-11-16 22:25 -------- d-----w- c:\programdata\TechSmith
2011-11-16 22:25 . 2011-11-16 22:25 -------- d-----w- c:\program files (x86)\TechSmith
2011-11-15 22:20 . 2011-11-16 03:51 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection
2011-11-15 22:20 . 2011-11-15 22:20 -------- d-----w- c:\program files (x86)\Toolbar Cleaner
2011-11-15 17:54 . 2011-11-15 17:54 675416 ----a-w- c:\windows\system32\drivers\avc3.sys
2011-11-09 22:35 . 2011-11-09 22:35 -------- d-----w- c:\users\derek\AppData\Roaming\Malwarebytes
2011-11-09 22:35 . 2011-11-09 22:35 -------- d-----w- c:\programdata\Malwarebytes
2011-11-09 22:35 . 2011-08-31 22:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-09 22:13 . 2011-11-09 22:37 -------- d-----w- C:\sh4ldr
2011-11-09 22:12 . 2011-11-09 22:37 -------- d-----w- c:\windows\89A072791DB3485AB1DF584DF86774B9.TMP
2011-11-09 22:12 . 2011-11-09 22:12 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2011-11-08 04:14 . 2011-11-08 04:14 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\BitDefender
2011-11-08 00:05 . 2011-11-08 00:05 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\QuickScan
2011-11-07 23:45 . 2011-11-09 22:28 134104 ----a-w- c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-11-07 23:45 . 2011-11-09 22:28 89048 ----a-w- c:\program files (x86)\Mozilla Firefox\libEGL.dll
2011-11-07 23:45 . 2011-11-09 22:28 801752 ----a-w- c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-11-07 23:45 . 2011-11-09 22:28 478168 ----a-w- c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
2011-11-07 23:45 . 2011-11-09 22:28 1989592 ----a-w- c:\program files (x86)\Mozilla Firefox\mozjs.dll
2011-11-07 23:45 . 2011-11-09 22:28 15832 ----a-w- c:\program files (x86)\Mozilla Firefox\mozalloc.dll
2011-11-07 00:21 . 2010-09-01 21:59 835656 ----a-w- c:\windows\SysWow64\WINCTL5.OCX
2011-11-07 00:21 . 2009-04-14 16:50 495689 ----a-w- c:\windows\SysWow64\WINUTIL6.DLL
2011-11-07 00:21 . 2006-03-31 20:36 393216 ----a-w- c:\windows\SysWow64\WINLCTL5.DLL
2011-11-07 00:21 . 2003-09-23 06:00 608448 ----a-w- c:\windows\SysWow64\COMCTL32.OCX
2011-11-07 00:21 . 2008-06-02 15:38 212240 ----a-w- c:\windows\SysWow64\Richtx32.ocx
2011-11-06 23:06 . 2011-11-07 00:07 -------- d-----w- c:\users\derek\AppData\Roaming\FreeFixer
2011-11-06 23:06 . 2011-11-06 23:06 -------- d-----w- c:\users\derek\AppData\Local\FreeFixer
2011-11-06 23:06 . 2011-11-06 23:06 -------- d-----w- c:\program files\FreeFixer
2011-11-04 23:09 . 2011-11-04 23:09 -------- d-----w- c:\users\derek\AppData\Roaming\MarketSamurai.6E37012E1CBD7F47B14488FCC715944F3EBDCEDC.1
2011-11-04 23:09 . 2011-11-04 23:09 -------- d-----w- c:\program files (x86)\Market Samurai
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-07 23:58 . 2011-05-03 00:05 34688 ----a-w- c:\windows\system32\LMIport.dll
2011-10-07 23:58 . 2011-05-03 00:05 87456 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-10-07 23:58 . 2011-05-03 00:04 80768 ----a-w- c:\windows\system32\LMIinit.dll
2011-10-01 20:49 . 2011-10-01 20:49 0 ----a-w- c:\windows\SysWow64\sho9564.tmp
2011-09-30 22:40 . 2011-09-30 22:40 0 ----a-w- c:\windows\SysWow64\sho78B0.tmp
2011-09-29 21:09 . 2011-09-29 21:09 79952 ----a-w- c:\windows\system32\drivers\bdsandbox.sys
2011-09-23 21:39 . 2011-05-17 00:38 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-16 23:25 . 2011-09-16 23:25 0 ----a-w- c:\windows\SysWow64\sho8A99.tmp
2011-09-09 19:25 . 2011-09-09 19:25 0 ----a-w- c:\windows\SysWow64\shoB3C6.tmp
2011-09-01 16:15 . 2011-09-01 16:15 553280 ----a-w- c:\windows\system32\drivers\avckf.sys
2011-08-31 22:43 . 2011-08-31 22:43 0 ----a-w- c:\windows\SysWow64\shoC64B.tmp
2011-08-24 21:10 . 2011-08-24 21:10 0 ----a-w- c:\windows\SysWow64\shoB497.tmp
.
.
((((((((((((((((((((((((((((( [email protected]_01.55.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2011-11-10 22:20 . 2011-11-10 22:20 13585 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2011-11-18 17:32 . 2011-11-18 17:32 13585 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2009-07-14 04:54 . 2011-11-18 17:37 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-11-10 22:20 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-11-18 17:37 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-11-10 22:20 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-11-18 17:37 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-11-10 22:20 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-25 22:01 . 2011-11-18 17:39 63404 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-11-18 17:19 34482 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-05-03 02:44 . 2011-11-10 22:20 49152 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-03 02:44 . 2011-11-19 03:51 49152 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-11-11 21:52 . 2011-11-19 03:51 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-11-19 03:51 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-11-10 22:20 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-07-13 23:19 . 2011-11-11 01:05 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-13 23:19 . 2011-11-18 17:36 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-07-13 23:19 . 2011-11-11 01:05 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-07-13 23:19 . 2011-11-18 17:36 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-07-13 23:19 . 2011-11-11 01:05 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-07-13 23:19 . 2011-11-18 17:36 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-07-12 23:17 . 2011-11-10 22:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-12 23:17 . 2011-11-19 03:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-12 23:17 . 2011-11-19 03:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-07-12 23:17 . 2011-11-10 22:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-07-21 23:51 . 2011-11-18 05:04 5676 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2010-07-12 23:20 . 2011-11-18 17:19 6122 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1620454023-599415270-3658004543-1004_UserData.bin
+ 2010-07-19 20:34 . 2010-07-19 20:34 625664 c:\windows\SysWOW64\tsccvid64.dll
+ 2010-07-19 20:33 . 2010-07-19 20:33 594944 c:\windows\SysWOW64\tsccvid.dll
+ 2010-07-13 22:34 . 2011-11-18 04:52 415362 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2011-11-18 21:39 956860 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-11-18 21:39 225764 c:\windows\system32\perfc009.dat
+ 2010-10-19 22:36 . 2011-11-18 04:52 262144 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2010-10-19 22:36 . 2010-10-18 23:46 262144 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:01 . 2011-11-18 17:32 306360 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2011-11-10 22:16 306360 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-11-16 22:25 . 2011-11-16 22:25 680448 c:\windows\Installer\{C0E8FE43-C35B-451D-B35F-D4BD056D70E7}\IconEF5C48881.exe
+ 2001-09-06 02:00 . 2001-09-06 02:00 1700352 c:\windows\SysWOW64\gdiplus.dll
- 2010-07-13 17:27 . 2011-11-10 22:16 1932232 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1620454023-599415270-3658004543-1004-12288.dat
+ 2010-07-13 17:27 . 2011-11-18 17:32 1932232 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1620454023-599415270-3658004543-1004-12288.dat
+ 2011-11-03 17:08 . 2011-11-03 17:08 15544320 c:\windows\Installer\16b463.msi
+ 2011-11-16 22:09 . 2011-11-16 22:09 195687424 c:\windows\Installer\a186c80.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-10-21 01:03 991888 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-10-21 01:03 991888 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-10-21 01:03 991888 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe"
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe"
"ControlCenter3"=c:\program files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun
.
R0 szkg5;szkg5;c:\windows\SySWOW64\DRIVERS\szkg64.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MSSQL$DDNI;SQL Server (DDNI);c:\program files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\sqlservr.exe [2009-03-30 43010392]
R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe64.sys [x]
R2 risdsnpe;risdsnpe;c:\windows\system32\drivers\risdsne64.sys [x]
R3 bdsandbox;bdsandbox;c:\windows\system32\drivers\bdsandbox.sys [x]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;c:\windows\system32\PCTINDIS5X64.SYS [x]
R3 SampleCollector;Intel(R) Sample Collector;c:\program files\Sony\VAIO Care\collsvc.exe [2009-12-23 168448]
R3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\DRIVERS\swnc8u56.sys [x]
R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\DRIVERS\swumx56.sys [x]
R3 Update Server;BitDefender Update Server v2;c:\program files\Common Files\Bitdefender\Bitdefender Arrakis Server\bin\arrakis3.exe [2011-10-15 466736]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]
R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 47128]
R4 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
R4 SafeBox;SafeBox;c:\program files\Bitdefender\Bitdefender SafeBox\safeboxservice.exe [2011-09-13 74336]
R4 SMPDiskOptimizer;SMPDiskOptimizer;c:\program files (x86)\System Optimizer\SMPDefragSrv64.exe [2010-10-19 275456]
R4 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2010-02-24 108400]
R4 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2010-02-24 422768]
R4 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2010-02-24 67952]
R4 SpfService;VAIO Entertainment Common Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService.exe [2010-02-08 302448]
R4 SQLAgent$DDNI;SQL Server Agent (DDNI);c:\program files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
R4 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2010-01-20 574320]
R4 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2010-03-18 852336]
R4 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2010-02-20 529776]
R4 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2010-02-20 386416]
R4 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2010-02-20 115568]
R4 VUAgent;VUAgent;c:\program files\Sony\VAIO Update 5\VUAgent.exe [2010-06-09 1223024]
S0 avc3;avc3;c:\windows\system32\DRIVERS\avc3.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver;c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [2011-03-01 89680]
S1 bdfwfpf;bdfwfpf;c:\program files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [2011-08-10 102992]
S1 BDVEDISK;BDVEDISK;c:\windows\system32\DRIVERS\bdvedisk.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-11-20 13336]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2011-10-07 375176]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2010-09-17 15928]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [x]
S2 rimspci;rimspci;c:\windows\system32\drivers\rimssne64.sys [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S2 UPDATESRV;BitDefender Desktop Update Service;c:\program files\Bitdefender\Bitdefender 2012\updatesrv.exe [2011-11-15 62512]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [x]
S3 avchv;avchv Function Driver;c:\windows\system32\DRIVERS\avchv.sys [x]
S3 avckf;avckf;c:\windows\system32\DRIVERS\avckf.sys [x]
S3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 52342792
*Deregistered* - 52342792
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2009-07-14 01:14 301568 ----a-w- c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-10-21 00:56 1256592 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-10-21 00:56 1256592 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-10-21 00:56 1256592 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\__SafeBox1]
@="{152C96EB-288E-4EDC-B7C6-D21F8250ADF3}"
[HKEY_CLASSES_ROOT\CLSID\{152C96EB-288E-4EDC-B7C6-D21F8250ADF3}]
2011-09-13 16:23 260760 ------w- c:\program files\Bitdefender\Bitdefender Safebox\safeboxshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\__SafeBox2]
@="{342DAA0B-D796-460D-8566-901E08A1CCAD}"
[HKEY_CLASSES_ROOT\CLSID\{342DAA0B-D796-460D-8566-901E08A1CCAD}]
2011-09-13 16:23 260760 ------w- c:\program files\Bitdefender\Bitdefender Safebox\safeboxshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\__SafeBox3]
@="{57595DAE-1AE1-4D97-A49E-67CBB53B52DF}"
[HKEY_CLASSES_ROOT\CLSID\{57595DAE-1AE1-4D97-A49E-67CBB53B52DF}]
2011-09-13 16:23 260760 ------w- c:\program files\Bitdefender\Bitdefender Safebox\safeboxshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\__SafeBox4]
@="{33816773-98AE-4723-ADE0-EBE54C8B5A67}"
[HKEY_CLASSES_ROOT\CLSID\{33816773-98AE-4723-ADE0-EBE54C8B5A67}]
2011-09-13 16:23 260760 ------w- c:\program files\Bitdefender\Bitdefender Safebox\safeboxshell.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mStart Page = about:blank
mLocal Page = c:\windows\SYSTEM32\blank.htm
TCP: DhcpNameServer = 192.168.1.1 64.233.217.5 64.233.217.2
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll
FF - ProfilePath - c:\users\derek\AppData\Roaming\Mozilla\Firefox\Profiles\ocwvh1o7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com
FF - prefs.js: browser.search.selectedEngine - Search The Web
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\services\SampleCollector]
"ImagePath"="\"c:\program files\Sony\VAIO Care\collsvc.exe\" \"/service\" \"/counter=\Processor(_Total)\% Processor Time:5\" \"/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:5\" \"/counter=\Network Interface(*)\Bytes Total/sec:5\" \"/directory=inteldata\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10v_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10v.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Component Based Servicing\ApplicabilityEvaluationCache\Package_for_KB2447568~31bf3856ad364e35~amd64~~6.1.1.0]
@DACL=(02 0000)
"ApplicabilityState"=dword:00000070
"CurrentState"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Component Based Servicing\ApplicabilityEvaluationCache\Package_for_KB947821~31bf3856ad364e35~amd64~~6.1.8.0]
@DACL=(02 0000)
"ApplicabilityState"=dword:00000070
"CurrentState"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-11-18 23:16:14
ComboFix-quarantined-files.txt 2011-11-19 04:16
ComboFix2.txt 2011-11-17 23:53
ComboFix3.txt 2011-11-14 23:48
ComboFix4.txt 2011-11-11 20:33
.
Pre-Run: 486,804,221,952 bytes free
Post-Run: 486,799,814,656 bytes free
.
- - End Of File - - E1FEA7CD3F2269DD685B8D5204B72382

[quote name='CeciliaB' timestamp='1321645074' post='130617']
Did you delete tmcomm.sys after the last run of ComboFix? Since I saw the file in the last log.

Have you checked the register entry "Computer\HKEY_Current_User\Software\Microsoft\Internet Explorer\TypedURLs" mentioned in the first comment?

When I read topics in trusted malware removal forums I found tools that you have used, such as ComboFix, TDSSKiller etc. But I notice now that I haven't seen your log from aswMBR, see post #28.

This is supposed to remove the security center information about Trend Micro.
Copy all lines in the box:
[/quote]

Yes, I deleted it after the last log I sent you a couple of days ago, but the log I just posted for ComboFix is AFTER I deleted tmcomm.sys.

Yes, I checked the registry entry and I don't even have that registry entry, even if I search the registry.

I haven't posted aswMBR log because it always freezes before it finishes. I will run it tonight overnight and hopefully it will be finished and I will post it soon.

1.
Please save [url="http://ad13.geekstogo.com/MBRCheck.exe"]MBRCheck.exe[/url] by a_d_13 on the desktop.
Run the program.
Wait until it is finished or until "Enter 'Y' and hit ENTER for more options, or 'N' to exit:" is displayed. In the latter case press N followed by Enter.
When done, a log file called MBRCheckxxxxxx.txt is created on the desktop, where xxxxxx is the time. Paste the log in your answer.

2.
Run an online scan with Eset [url="http://www.eset.com/onlinescan/"]http://www.eset.com/onlinescan/[/url]
To shorten the scanning time, disable your antivirus program while scanning.

Un-check "Remove found threats"
Check "Scan Archives"

Click "Advanced Settings"
Check:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Scan

When the scan completes, the log file C:\Program\Eset\Eset Online Scanner\log.txt is created. Open it in Notepad and paste its content in your answer.

3.
Do you have any files (not folders) in the folder %AllUsersProfile%\Application Data? Which ones?

Here is the aswMBR log:

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-18 23:34:31
-----------------------------
23:34:31.434 OS Version: Windows x64 6.1.7600
23:34:31.434 Number of processors: 8 586 0x1E05
23:34:31.435 ComputerName: DEREK-VAIO UserName: derek
23:34:36.024 Initialize success
23:35:34.942 AVAST engine defs: 11111801
23:57:40.084 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:57:40.088 Disk 0 Vendor: SAMSUNG_ 2AJ1 Size: 610480MB BusType: 3
23:57:40.102 Disk 0 MBR read successfully
23:57:40.107 Disk 0 MBR scan
23:57:40.115 Disk 0 Windows XP default MBR code
23:57:40.120 Service scanning
23:57:42.259 Modules scanning
23:57:42.265 Disk 0 trace - called modules:
23:57:42.288 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8007c00334]<<
23:57:42.295 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007bed060]
23:57:42.301 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa800783b400]
23:57:42.307 5 ACPI.sys[fffff88000fb3781] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800783e050]
23:57:42.314 \Driver\iaStor[0xfffffa8007813060] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8007c00334
23:57:46.813 AVAST engine scan C:\Windows
23:57:51.839 AVAST engine scan C:\Windows\system32
23:59:16.964 AVAST engine scan C:\Windows\system32\drivers
23:59:28.372 AVAST engine scan C:\Users\derek
02:03:16.152 AVAST engine scan C:\ProgramData
02:28:55.643 Scan finished successfully
16:45:14.802 Disk 0 MBR has been saved successfully to "C:\Users\derek\Desktop\MBR.dat"
16:45:14.811 The log file has been saved successfully to "C:\Users\derek\Desktop\aswMBR.txt"

MBRCheck log:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: (build 7600), 64-bit
Base Board Manufacturer: Sony Corporation
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: Sony Corporation
System Product Name: VPCF127FX
Logical Drives Mask: 0x00010014

Kernel Drivers (total 212):
0x0484B000 \SystemRoot\system32\ntoskrnl.exe
0x04802000 \SystemRoot\system32\hal.dll
0x00BB5000 \SystemRoot\system32\kdcom.dll
0x00C11000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00C55000 \SystemRoot\system32\PSHED.dll
0x00C69000 \SystemRoot\system32\CLFS.SYS
0x00CC7000 \SystemRoot\system32\CI.dll
0x00EF5000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F99000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00FA8000 \SystemRoot\system32\drivers\ACPI.sys
0x00E00000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00E09000 \SystemRoot\system32\drivers\msisadrv.sys
0x00E13000 \SystemRoot\system32\drivers\pci.sys
0x00E46000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00E53000 \SystemRoot\System32\drivers\partmgr.sys
0x00E68000 \SystemRoot\system32\drivers\compbatt.sys
0x00E71000 \SystemRoot\system32\drivers\BATTC.SYS
0x00E7D000 \SystemRoot\system32\drivers\volmgr.sys
0x00E92000 \SystemRoot\System32\drivers\volmgrx.sys
0x00D87000 \SystemRoot\System32\drivers\mountmgr.sys
0x01097000 \SystemRoot\system32\drivers\iaStor.sys
0x011EB000 \SystemRoot\system32\drivers\amdxata.sys
0x01000000 \SystemRoot\system32\drivers\fltmgr.sys
0x0104C000 \SystemRoot\system32\drivers\fileinfo.sys
0x01206000 \SystemRoot\system32\DRIVERS\avc3.sys
0x012B0000 \SystemRoot\system32\DRIVERS\bdfsfltr.sys
0x0137B000 \SystemRoot\System32\Drivers\PxHlpa64.sys
0x01433000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01387000 \SystemRoot\System32\Drivers\msrpc.sys
0x015D5000 \SystemRoot\System32\Drivers\ksecdd.sys
0x0169A000 \SystemRoot\System32\Drivers\cng.sys
0x0170D000 \SystemRoot\System32\drivers\pcw.sys
0x0171E000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x01887000 \SystemRoot\system32\drivers\ndis.sys
0x01979000 \SystemRoot\system32\drivers\NETIO.SYS
0x01800000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01A01000 \SystemRoot\System32\drivers\tcpip.sys
0x0182B000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01728000 \SystemRoot\system32\drivers\volsnap.sys
0x01875000 \SystemRoot\System32\Drivers\spldr.sys
0x01774000 \SystemRoot\System32\drivers\rdyboost.sys
0x019D9000 \SystemRoot\System32\Drivers\mup.sys
0x019EB000 \SystemRoot\System32\drivers\hwpolicy.sys
0x017AE000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x017E8000 \SystemRoot\system32\drivers\disk.sys
0x01600000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x02F95000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x02FBF000 \SystemRoot\System32\Drivers\Null.SYS
0x02FC8000 \SystemRoot\System32\Drivers\Beep.SYS
0x02FCF000 \SystemRoot\System32\drivers\vga.sys
0x02E00000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x02FDD000 \SystemRoot\System32\drivers\watchdog.sys
0x02FED000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x02FF6000 \SystemRoot\system32\drivers\rdpencdd.sys
0x02E25000 \SystemRoot\system32\drivers\rdprefmp.sys
0x019F4000 \SystemRoot\System32\Drivers\Msfs.SYS
0x0163E000 \SystemRoot\System32\Drivers\Npfs.SYS
0x0164F000 \??\c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys
0x0167B000 \SystemRoot\system32\DRIVERS\tdx.sys
0x015EF000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x042E6000 \SystemRoot\system32\drivers\afd.sys
0x04370000 \SystemRoot\System32\DRIVERS\netbt.sys
0x043B5000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x043BE000 \SystemRoot\system32\DRIVERS\pacer.sys
0x043E4000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x04200000 \SystemRoot\system32\DRIVERS\netbios.sys
0x0420F000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x0422A000 \SystemRoot\system32\drivers\termdd.sys
0x0423E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x0428F000 \SystemRoot\system32\drivers\nsiproxy.sys
0x0429B000 \SystemRoot\system32\drivers\mssmbios.sys
0x042A6000 \SystemRoot\System32\drivers\discache.sys
0x042B5000 \SystemRoot\System32\Drivers\dfsc.sys
0x042D3000 \SystemRoot\system32\drivers\blbdrive.sys
0x01400000 \SystemRoot\system32\DRIVERS\bdvedisk.sys
0x01320000 \??\C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys
0x01348000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x04AD9000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x04A00000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
0x044E4000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x04400000 \SystemRoot\System32\drivers\dxgmms1.sys
0x04446000 \SystemRoot\system32\drivers\HDAudBus.sys
0x0446A000 \SystemRoot\system32\drivers\usbehci.sys
0x0447B000 \SystemRoot\system32\drivers\USBPORT.SYS
0x0582E000 \SystemRoot\system32\DRIVERS\athrx.sys
0x05A53000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x05A60000 \SystemRoot\system32\drivers\rimssne64.sys
0x05A80000 \SystemRoot\system32\drivers\1394ohci.sys
0x05ABE000 \SystemRoot\system32\drivers\i8042prt.sys
0x05ADC000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x05AEB000 \SystemRoot\system32\drivers\Apfiltr.sys
0x05B3A000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x05B49000 \SystemRoot\system32\drivers\SFEP.sys
0x05B4C000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x05B59000 \SystemRoot\system32\DRIVERS\intelsmb.sys
0x05B62000 \SystemRoot\system32\drivers\wmiacpi.sys
0x05B6B000 \SystemRoot\system32\drivers\intelppm.sys
0x05B81000 \SystemRoot\system32\drivers\CmBatt.sys
0x05B86000 \SystemRoot\system32\drivers\CompositeBus.sys
0x05B96000 \SystemRoot\system32\DRIVERS\lmimirr.sys
0x05B9D000 \SystemRoot\system32\DRIVERS\serscan.sys
0x05BA5000 \SystemRoot\system32\drivers\ksthunk.sys
0x05BAB000 \SystemRoot\system32\drivers\ks.sys
0x05BEE000 \SystemRoot\system32\DRIVERS\ArcSoftKsUFilter.sys
0x05800000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x045D8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x05816000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x04A02000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x04A31000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x04A4C000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x04A6D000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x05822000 \SystemRoot\system32\drivers\swenum.sys
0x04A87000 \SystemRoot\system32\DRIVERS\avchv.sys
0x044D1000 \SystemRoot\system32\DRIVERS\umbus.sys
0x00DA1000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x0141D000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x013E5000 \SystemRoot\system32\drivers\nvhda64v.sys
0x06A01000 \SystemRoot\system32\drivers\portcls.sys
0x06A3E000 \SystemRoot\system32\drivers\drmk.sys
0x06C08000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x06E31000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x06E4E000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x06E50000 \SystemRoot\System32\Drivers\usbvideo.sys
0x00070000 \SystemRoot\System32\win32k.sys
0x06E7E000 \SystemRoot\System32\drivers\Dxapi.sys
0x06E8A000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x06E98000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x06EB1000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x06EBA000 \SystemRoot\system32\drivers\NMgamingms.sys
0x06EBD000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x06ECB000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x06ED8000 \SystemRoot\System32\Drivers\crashdmp.sys
0x06A60000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x06EE6000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x06EF9000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00520000 \SystemRoot\System32\TSDDD.dll
0x006C0000 \SystemRoot\System32\cdd.dll
0x008E0000 \SystemRoot\System32\ATMFD.DLL
0x06F07000 \SystemRoot\system32\drivers\luafv.sys
0x06F2A000 \SystemRoot\system32\DRIVERS\Sftvollh.sys
0x06F35000 \SystemRoot\system32\drivers\WudfPf.sys
0x06F56000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x06F6B000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x06FBE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x06FD1000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x02E2E000 \SystemRoot\system32\DRIVERS\trufos.sys
0x0486B000 \SystemRoot\system32\drivers\HTTP.sys
0x04933000 \SystemRoot\system32\DRIVERS\bowser.sys
0x04951000 \SystemRoot\System32\drivers\mpsdrv.sys
0x04969000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x04996000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x04800000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x04823000 \SystemRoot\system32\DRIVERS\vwifimp.sys
0x0482D000 \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys
0x04834000 \??\C:\Windows\system32\drivers\LMIRfsDriver.sys
0x078AA000 \SystemRoot\system32\drivers\peauth.sys
0x07950000 \??\C:\Windows\system32\drivers\regi.sys
0x07971000 \SystemRoot\System32\Drivers\secdrv.SYS
0x07C5B000 \SystemRoot\system32\DRIVERS\Sftfslh.sys
0x07D12000 \SystemRoot\system32\DRIVERS\Sftplaylh.sys
0x07D5F000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x07D8C000 \SystemRoot\System32\drivers\tcpipreg.sys
0x0797C000 \SystemRoot\System32\DRIVERS\srv2.sys
0x07800000 \SystemRoot\System32\DRIVERS\srv.sys
0x07D9E000 \SystemRoot\system32\DRIVERS\Sftredirlh.sys
0x07DA9000 \SystemRoot\System32\Drivers\BTHUSB.sys
0x0AE7D000 \SystemRoot\System32\Drivers\bthport.sys
0x0AF09000 \SystemRoot\system32\DRIVERS\rfcomm.sys
0x0AF35000 \SystemRoot\system32\DRIVERS\BthEnum.sys
0x0AF45000 \SystemRoot\system32\DRIVERS\bthpan.sys
0x0AFD6000 \??\C:\Users\derek\AppData\Local\Temp\aswMBR.sys
0x02E89000 \SystemRoot\system32\DRIVERS\avckf.sys
0x779E0000 \Windows\System32\ntdll.dll
0x48470000 \Windows\System32\smss.exe
0xFFD00000 \Windows\System32\apisetschema.dll
0xFFC20000 \Windows\System32\autochk.exe
0x778C0000 \Windows\System32\kernel32.dll
0xFFB70000 \Windows\System32\urlmon.dll
0xFFA40000 \Windows\System32\rpcrt4.dll
0xFF9F0000 \Windows\System32\ws2_32.dll
0xFF970000 \Windows\System32\shlwapi.dll
0xFF920000 \Windows\System32\Wldap32.dll
0xFF8F0000 \Windows\System32\imm32.dll
0xFF870000 \Windows\System32\difxapi.dll
0xFF610000 \Windows\System32\iertutil.dll
0x77BB0000 \Windows\System32\psapi.dll
0xFF4E0000 \Windows\System32\wininet.dll
0xFF440000 \Windows\System32\clbcatq.dll
0xFF260000 \Windows\System32\setupapi.dll
0xFF1C0000 \Windows\System32\msvcrt.dll
0xFF1A0000 \Windows\System32\imagehlp.dll
0x77BA0000 \Windows\System32\normaliz.dll
0xFF190000 \Windows\System32\nsi.dll
0xFF170000 \Windows\System32\sechost.dll
0xFF090000 \Windows\System32\oleaut32.dll
0xFE300000 \Windows\System32\shell32.dll
0xFE290000 \Windows\System32\gdi32.dll
0xFE280000 \Windows\System32\lpk.dll
0xFE170000 \Windows\System32\msctf.dll
0xFE0A0000 \Windows\System32\usp10.dll
0xFDFC0000 \Windows\System32\advapi32.dll
0xFDF20000 \Windows\System32\comdlg32.dll
0x777C0000 \Windows\System32\user32.dll
0xFDD10000 \Windows\System32\ole32.dll
0xFDC70000 \Windows\System32\comctl32.dll
0xFDC00000 \Windows\System32\KernelBase.dll
0xFDBC0000 \Windows\System32\cfgmgr32.dll
0xFDBA0000 \Windows\System32\devobj.dll
0xFDA30000 \Windows\System32\crypt32.dll
0xFD9F0000 \Windows\System32\wintrust.dll
0xFD9E0000 \Windows\System32\msasn1.dll
0x75EF0000 \Windows\SysWOW64\normaliz.dll

Processes (total 62):
0 System Idle Process
4 System
420 C:\Windows\System32\smss.exe
680 csrss.exe
756 C:\Windows\System32\wininit.exe
776 csrss.exe
816 C:\Windows\System32\services.exe
836 C:\Windows\System32\lsass.exe
844 C:\Windows\System32\lsm.exe
952 C:\Windows\System32\svchost.exe
1012 C:\Program Files\Bitdefender\Bitdefender 2012\vsserv.exe
136 C:\Windows\System32\nvvsvc.exe
472 C:\Windows\System32\svchost.exe
968 C:\Windows\System32\svchost.exe
1052 C:\Windows\System32\svchost.exe
1088 C:\Windows\System32\svchost.exe
1188 C:\Windows\System32\svchost.exe
1280 C:\Windows\System32\svchost.exe
1772 C:\Windows\System32\winlogon.exe
1892 C:\Windows\System32\spoolsv.exe
1920 C:\Windows\System32\svchost.exe
2016 C:\Windows\System32\svchost.exe
2124 C:\Windows\System32\nvvsvc.exe
2228 C:\Windows\System32\svchost.exe
2268 C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
2320 C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
2356 C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
2912 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
2932 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2964 C:\Windows\System32\svchost.exe
3036 C:\Program Files\Bitdefender\Bitdefender 2012\updatesrv.exe
2484 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
3800 C:\Windows\System32\taskhost.exe
3812 C:\Windows\System32\taskeng.exe
3844 C:\Program Files\Bitdefender\Bitdefender 2012\bdagent.exe
3956 C:\Windows\System32\dwm.exe
3968 C:\Program Files\Sony\VAIO Care\VCSpt.exe
4032 C:\Program Files\Sony\VAIO Gate\VAIO Gate.exe
4056 C:\Windows\explorer.exe
3652 C:\Program Files\Sony\VAIO Update 5\VAIOUpdt.exe
3564 C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
4044 C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
3824 C:\Program Files\Bitdefender\Bitdefender 2012\pchooklaunch64.exe
4120 C:\Program Files\Bitdefender\Bitdefender 2012\Antispam32\pchooklaunch32.exe
4688 C:\Windows\System32\svchost.exe
5032 C:\Windows\System32\SearchIndexer.exe
4920 C:\Program Files\Sony\VAIO Care\VCsystray.exe
5320 C:\Windows\System32\vds.exe
5132 C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
3920 C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
4040 C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE
5464 C:\Windows\System32\svchost.exe
1828 C:\Users\derek\Documents\Programs\aswMBR.exe
3452 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
3384 C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
4240 C:\Program Files (x86)\Microsoft Office\OFFICE11\EXCEL.EXE
4340 C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
5232 C:\Windows\System32\audiodg.exe
3628 C:\Windows\System32\SearchProtocolHost.exe
6024 C:\Windows\System32\SearchFilterHost.exe
4392 C:\Users\derek\Desktop\MBRCheck.exe
5100 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`70700000 (NTFS)
\\.\Q: --> error 5

PhysicalDrive0 Model Number: SAMSUNGHM641JI, Rev: 2AJ10001

Size Device Name MBR Status
--------------------------------------------
596 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

[quote]23:57:42.288 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8007c00334]<<
...
596 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A[/quote]
Those are suspicious lines. Very similar to http://www.cybertechhelp.com/forums/showthread.php?p=1225310

Were any of the lines in aswMBR log in another colour? Like on http://public.avast.com/~gmerek/aswMBR.htm

The normal way to clean a bad MBR is to overwrite it with a standard MBR. But that usually means that you no longer can start an installation of Windows by pressing a button while BIOS is running or other special functions reached from BIOS that your computer manufacturer has created.

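To make concrete what a checker like MBRCheck or aswMBR is looking at when it reports "MBR Code Faked!" or "Windows XP default MBR code", here is an added example (not code from this thread, from MBRCheck, or from aswMBR) that parses a 512-byte MBR sector, validates the 0x55AA boot signature and the partition table, and hashes the boot-code region so it can be compared against an allowlist of known-good loader hashes. The 440-byte hash region, the allowlist contents and every sector byte below are constructed assumptions for illustration, not MBRCheck's real method or real hashes.

```python
"""MBR sanity check: signature, partition table, and boot-code hash allowlist."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # assumption: hash bytes 0..439 (loader code before the disk signature)
PART_TABLE_OFF = 446      # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"    # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(sector: bytes) -> list[Partition]:
    """Decode the four partition slots, skipping empty ones (type 0x00)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def boot_code_sha1(sector: bytes) -> str:
    """Uppercase SHA1 of the boot-code region, the value an allowlist would hold."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def check_mbr(sector: bytes, known_good: set[str]) -> list[str]:
    """Return findings; an empty list means nothing looked suspicious."""
    if len(sector) != SECTOR_SIZE:
        return [f"unexpected sector length {len(sector)}"]
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(sector)
    if sum(p.bootable for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    for p in parts:
        if p.lba_start == 0 or p.sectors == 0:
            findings.append(f"partition {p.index}: zero start or size")
    # Overlapping partitions are a classic sign of a tampered table.
    spans = sorted((p.lba_start, p.lba_start + p.sectors, p.index) for p in parts)
    for (_s1, e1, i1), (s2, _e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions {i1} and {i2} overlap")
    digest = boot_code_sha1(sector)
    if digest not in known_good:
        findings.append(f"boot code SHA1 {digest} not in allowlist")
    return findings


def build_sector(boot_code: bytes, entries: list[tuple[int, int, int, int]],
                 signature: bytes = BOOT_SIG) -> bytes:
    """Assemble a constructed 512-byte MBR from (status, type, lba, count) entries."""
    assert len(boot_code) <= BOOT_CODE_LEN
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = signature
    return bytes(sector)


# Constructed placeholder loader bytes, not a real boot loader.
CLEAN_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x00" * (BOOT_CODE_LEN - 5)
TAMPERED_CODE = bytes([0xE9, 0x00, 0x01]) + b"\x00" * (BOOT_CODE_LEN - 3)

# One NTFS (0x07) partition at LBA 2048, the usual Windows 7 layout.
CLEAN_MBR = build_sector(CLEAN_CODE, [(0x80, 0x07, 2048, 1_000_000)])
# Replaced boot code plus a second bootable entry that overlaps the first.
TAMPERED_MBR = build_sector(TAMPERED_CODE, [(0x80, 0x07, 2048, 1_000_000),
                                            (0x80, 0x07, 500_000, 10_000)])
# Allowlist seeded from the clean sample; a real one would hold vendor hashes.
KNOWN_GOOD = {boot_code_sha1(CLEAN_MBR)}

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, KNOWN_GOOD) or "OK")
```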
Eset said it found one virus:

C:\Users\derek\AppData\Roaming\Mozilla\Firefox\Profiles\iysioyqt.default\extensions\{8faa99f2-0cd0-4b79-a717-cab1d1a50ba5}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan

[quote name='CeciliaB' timestamp='1321748223' post='130641']
Those are suspicious lines. Very similar to [url="http://www.cybertechhelp.com/forums/showthread.php?p=1225310"]http://www.cybertech...d.php?p=1225310[/url]

Were any of the lines in aswMBR log in another colour? Like on [url="http://public.avast.com/~gmerek/aswMBR.htm"]http://public.avast....erek/aswMBR.htm[/url]

The normal way to clean a bad MBR is to overwrite it with a standard MBR. But that usually means that you no longer can start an installation of Windows by pressing a button while BIOS is running or other special functions reached from BIOS that your computer manufacturer has created.
[/quote]

This line was RED: 23:57:42.288 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8007c00334]<<

This topic is now closed to further replies.