Operating memory/Win32/Olmarik.TDL4 trojan

By sean52492
Dec 19, 2011
  1. Hello, I woke up this morning and my ESET NOD32 ver 5 had a message about Operating memory/Win32/Olmarik.TDL4 trojan, unable to clean. I was wondering if anyone else has had this issue and how they resolved it. I am running Windows 7 Home Premium with a 64-bit operating system. I have since uninstalled ESET and I am now running the Avast free 30-day trial. If anyone has any tips or useful information, please feel free to share it with me; it would be much appreciated.
    thank you in advance
  2. Bobbye
    Welcome to TechSpot! I'll help with the malware.

    First, why did you uninstall Nod32? The message you got does not mean the program isn't working. In this case, it's telling you that the system is infected with a rootkit and that will require also using a rootkit remover. Changing to Avast won't make it any different.

    If you paid for the ESET program, I urge you to put that back on the system.
    =============================
    It appears that you have also asked for help in at least one other forum. Please decide where you would like to remain and inform any other forums that you are getting help elsewhere. We ask that you do not tie up multiple helpers to work on the same problem.
    ============================
    If you decide to continue in this forum:

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ===================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
  3. sean52492
    My MBAM log

    Thanks for replying so promptly; here is my MBAM log.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8346

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    12/10/2011 4:42:01 AM
    mbam-log-2011-12-10 (04-42-01).txt

    Scan type: Quick scan
    Objects scanned: 178597
    Time elapsed: 7 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\sean rucker\AppData\Local\Temp\F8FE.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\sean rucker\AppData\Local\Temp\lakdoyfyslro6j.exe.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\sean rucker\local settings\aqm.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
    c:\Users\sean rucker\local settings\application data\aqm.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
    c:\Users\sean rucker\AppData\Local\Temp\.exe (Trojan.Agent) -> Quarantined and deleted successfully.
  4. sean52492
    My GMER log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-19 01:23:52
    Windows 6.1.7600
    Running: b5yle7lj.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x20 0xC4 0x8F 0x12 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xED 0x1A 0x77 0x7A ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x80 0xE2 0x1B 0x6A ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD1 0x70 0xAD 0x5C ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xED 0x1A 0x77 0x7A ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x80 0xE2 0x1B 0x6A ...
    Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Program Files (x86)\RTP\xff7e\xff6f\xff84\xff71\xff6f\xff8c\xff9f\RPG2000RTP.exe 1

    ---- Files - GMER 1.0.15 ----

    File C:\ADSM_PData_0150 0 bytes
    File C:\ADSM_PData_0150\DB 0 bytes
    File C:\ADSM_PData_0150\DB\SI.db 624 bytes
    File C:\ADSM_PData_0150\DB\UL.db 16 bytes
    File C:\ADSM_PData_0150\DB\VL.db 16 bytes
    File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes
    File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable
    File C:\ADSM_PData_0150\_avt 512 bytes

    ---- EOF - GMER 1.0.15 ----
  5. sean52492
    My DDS log

    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
    Run by Sean Rucker at 22:46:30 on 2011-12-19
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4061.1713 [GMT -6:00]
    .
    AV: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\FBAgent.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
    C:\Program Files (x86)\ASUS\ASUS CopyProtect\aspg.exe
    C:\Program Files\P4G\BatteryLife.exe
    C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
    C:\Program Files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
    C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
    C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
    C:\Windows\SysWOW64\ACEngSvr.exe
    C:\Program Files\Elantech\ETDCtrl.exe
    C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files (x86)\Skype\Phone\Skype.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
    C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe
    C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
    C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
    C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
    C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe
    C:\Windows\AsScrPro.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\SysWOW64\svchost.exe -k Akamai
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Users\Sean Rucker\Desktop\45fircep.exe
    C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://google.atcomet.com/b/
    uDefault_Page_URL = hxxp://asus.msn.com
    mDefault_Page_URL = hxxp://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTo1.dll
    mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTo1.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngin1.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTo1.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: SMTTB2009 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - C:\Program Files (x86)\HyperCam Toolbar\tbcore3.dll
    TB: HyperCam Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - C:\Program Files (x86)\HyperCam Toolbar\tbcore3.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTo1.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngin1.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
    uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    uRun: [DW6] "C:\Program Files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe"
    uRun: [Facebook Update] "C:\Users\Sean Rucker\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
    uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
    mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
    mRun: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
    mRun: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
    mRun: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
    mRun: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    StartupFolder: C:\Users\SEANRU~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    StartupFolder: C:\Users\SEANRU~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\FANCYS~1.LNK - C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_C4A2FC3E3722966204FDD8.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SRSPRE~1.LNK - C:\Windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: &D&ownload &with BitComet - C:\Program Files (x86)\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all with BitComet - C:\Program Files (x86)\BitComet\BitComet.exe/AddAllLink.htm
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\Sean Rucker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{121B94E1-412A-438C-BE98-AFEB64B2F39B} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{121B94E1-412A-438C-BE98-AFEB64B2F39B}\05 : DhcpNameServer = 68.87.72.134 68.87.77.134
    TCP: Interfaces\{121B94E1-412A-438C-BE98-AFEB64B2F39B}\36C6F677E696E636166797 : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{121B94E1-412A-438C-BE98-AFEB64B2F39B}\7416D656341666562343 : DhcpNameServer = 10.0.0.1
    TCP: Interfaces\{121B94E1-412A-438C-BE98-AFEB64B2F39B}\D43434D27457563747 : DhcpNameServer = 165.173.124.10 165.173.124.11 165.173.252.191 165.173.252.192
    TCP: Interfaces\{121B94E1-412A-438C-BE98-AFEB64B2F39B}\D43434D275962756C6563737D28456C607 : DhcpNameServer = 165.173.124.10 165.173.124.11 165.173.252.191 165.173.252.192
    TCP: Interfaces\{121B94E1-412A-438C-BE98-AFEB64B2F39B}\D43434D2F40756E6 : DhcpNameServer = 165.173.124.10 165.173.124.11 165.173.252.191 165.173.252.192
    TCP: Interfaces\{925EE5A0-56C4-4BF8-ACB7-B07956CF0007} : DhcpNameServer = 192.168.1.1
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO-X64: 0x1 - No File
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngin1.dll
    BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    BHO-X64: Search Helper - No File
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO-X64: SkypeIEPluginBHO - No File
    BHO-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTo1.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: SMTTB2009 Class: {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files (x86)\HyperCam Toolbar\tbcore3.dll
    BHO-X64: SMTTB2009 - No File
    TB-X64: HyperCam Toolbar: {338B4DFE-2E2C-4338-9E41-E176D497299E} - C:\Program Files (x86)\HyperCam Toolbar\tbcore3.dll
    TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTo1.dll
    TB-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngin1.dll
    TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB-X64: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
    mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
    mRun-x64: [ATKOSD2] C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
    mRun-x64: [ATKMEDIA] C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
    mRun-x64: [HControlUser] C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe
    mRun-x64: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    IE-X64: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\Sean Rucker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Sean Rucker\AppData\Roaming\Mozilla\Firefox\Profiles\j4ydswwf.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine -
    FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/SeanRucker|http://tinychat.com/vegisgawdmang
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbf2f9b&v=6.010.006.004&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - prefs.js: network.proxy.http - 63.174.60.11
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.type - 4
    FF - component: C:\Program Files (x86)\AVG\AVG10\Firefox\components\avgssff.dll
    FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: C:\Users\Sean Rucker\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
    FF - plugin: C:\Users\Sean Rucker\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R0 lullaby;lullaby;C:\Windows\system32\DRIVERS\lullaby.sys --> C:\Windows\system32\DRIVERS\lullaby.sys [?]
    R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AFBAgent;AFBAgent;"C:\Windows\system32\FBAgent.exe" --> C:\Windows\system32\FBAgent.exe [?]
    R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
    R2 ASMMAP64;ASMMAP64;C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-7-2 15416]
    R2 eamonm;eamonm;C:\Windows\system32\DRIVERS\eamonm.sys --> C:\Windows\system32\DRIVERS\eamonm.sys [?]
    R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-9-22 974944]
    R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\system32\DRIVERS\ETD.sys --> C:\Windows\system32\DRIVERS\ETD.sys [?]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 epfwwfpr;epfwwfpr;C:\Windows\system32\DRIVERS\epfwwfpr.sys --> C:\Windows\system32\DRIVERS\epfwwfpr.sys [?]
    S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-10 366152]
    S3 AmUStor;AM USB Stroage Driver;C:\Windows\system32\drivers\AmUStor.SYS --> C:\Windows\system32\drivers\AmUStor.SYS [?]
    S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
    S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]
    S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\Windows\system32\DRIVERS\ManyCam_x64.sys --> C:\Windows\system32\DRIVERS\ManyCam_x64.sys [?]
    S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
    S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSG664.sys --> C:\Windows\system32\DRIVERS\SiSG664.sys [?]
    S3 SUSTUCAM;Susteen USB Cable Modem Driver;C:\Windows\system32\DRIVERS\sustucam.sys --> C:\Windows\system32\DRIVERS\sustucam.sys [?]
    S3 SUSTUCAP;Susteen USB Cable Port Driver;C:\Windows\system32\DRIVERS\sustucap.sys --> C:\Windows\system32\DRIVERS\sustucap.sys [?]
    S3 SUSTUCAU;Susteen USB Cable USB Driver;C:\Windows\system32\DRIVERS\sustucau.sys --> C:\Windows\system32\DRIVERS\sustucau.sys [?]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2011-12-19 21:24:15 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{5D4D91F7-552F-488E-9421-8DACCA688786}
    2011-12-19 09:23:56 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{70B8AF23-4D71-4D2D-B77A-5425E178AAD0}
    2011-12-19 09:23:42 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{F7A8209E-5CA4-40A5-9B6B-DACDCB3444FB}
    2011-12-19 08:02:30 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{1CC42E53-D57A-478F-AE39-E17958415305}
    2011-12-19 08:02:16 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{6F9026B3-D951-46DB-B04E-0BF3E791B34D}
    2011-12-19 05:37:03 -------- d-----w- C:\ProgramData\AVAST Software
    2011-12-19 05:08:29 -------- d-s---w- C:\commy
    2011-12-18 18:57:51 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{DD1C99CB-165E-43BA-B3FA-3117ED54E77D}
    2011-12-18 18:57:36 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{5202659E-4351-4496-8ABC-B8F3AFEA0F00}
    2011-12-18 04:37:49 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{060CEE95-D3C0-465E-8737-5EE582703656}
    2011-12-18 04:37:36 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{B726D890-83D6-475D-B142-7C6705063D43}
    2011-12-17 09:57:09 -------- d-----w- C:\Windows\System32\SPReview
    2011-12-17 09:32:29 387072 ----a-w- C:\Users\Sean Rucker\AppData\Roaming\IXekY.exe
    2011-12-17 09:32:29 387072 ----a-w- C:\Users\Sean Rucker\AppData\Roaming\1kL7Gn.exe
    2011-12-17 05:59:23 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{17988848-C462-4BAB-B0AD-E2605EC337E4}
    2011-12-17 05:59:06 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{531770B4-80B6-49F7-8EB2-2B74A3866046}
    2011-12-16 18:08:41 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B5D10CC8-EF8F-4C47-B1AD-74CF674E6F7C}\mpengine.dll
    2011-12-15 23:57:23 3141632 ----a-w- C:\Windows\System32\win32k.sys
    2011-12-15 21:32:59 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{CE1293C1-AFE0-49BB-B617-D1BD991E8E65}
    2011-12-15 21:32:47 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{0EC3A1B7-511F-4A9B-A915-A4EA7A5A6B7F}
    2011-12-15 10:05:57 -------- d-----w- C:\Program Files\ESET
    2011-12-15 09:32:18 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{900E6517-AF20-4304-A6EE-EB6A77023061}
    2011-12-15 09:32:04 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{B3688976-1B10-4F72-9B3E-DF0B6C31A48B}
    2011-12-15 04:15:55 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2011-12-15 04:15:55 2048 ----a-w- C:\Windows\System32\tzres.dll
    2011-12-15 04:09:21 723456 ----a-w- C:\Windows\System32\EncDec.dll
    2011-12-15 04:09:21 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
    2011-12-15 04:04:38 43520 ----a-w- C:\Windows\System32\csrsrv.dll
    2011-12-14 21:23:32 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{E7FE6F1F-4873-4150-A427-20629FC58EC2}
    2011-12-14 21:23:20 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{A309C2CA-57A6-4218-A5DA-9675CD88675D}
    2011-12-14 09:23:03 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{DA80DBE8-7FCE-4DEC-82F1-87E26DF07382}
    2011-12-14 09:22:49 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{F33B5C4A-8D51-47FF-A86A-85AD540F9B7F}
    2011-12-14 09:12:06 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{6F9D1C84-988D-406D-B647-2F335FB2AAF5}
    2011-12-13 22:06:52 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{1705F4BD-4917-408B-B095-F0280DB54CF8}
    2011-12-13 22:06:40 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{7BA13F30-0232-4D14-97F4-F61EDF1E807F}
    2011-12-13 10:06:13 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{110BE35D-AA73-4C78-AC5D-EF547779855F}
    2011-12-13 10:06:01 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{597E23B2-9F27-4C3F-B855-98C831CF99AE}
    2011-12-12 22:05:48 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{B2FD9D61-ABBB-4967-AA3C-E0A72DBDD7AB}
    2011-12-12 22:05:36 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{1C620861-B8C8-437E-936B-A1A7EDEF671C}
    2011-12-12 10:05:20 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{D7AA87CE-27EA-48E2-A6C0-52B1FEB6AC38}
    2011-12-12 10:05:08 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{297F9EF2-8C8C-447B-9131-F0C1CF02C161}
    2011-12-12 06:50:46 -------- d-----w- C:\Down
    2011-12-12 06:45:04 -------- d-----w- C:\Windyzone
    2011-12-12 06:43:02 77656 ----a-w- C:\Windows\System32\XAPOFX1_5.dll
    2011-12-12 06:43:02 74072 ----a-w- C:\Windows\SysWow64\XAPOFX1_5.dll
    2011-12-12 06:43:02 527192 ----a-w- C:\Windows\SysWow64\XAudio2_7.dll
    2011-12-12 06:43:02 518488 ----a-w- C:\Windows\System32\XAudio2_7.dll
    2011-12-12 06:43:00 239960 ----a-w- C:\Windows\SysWow64\xactengine3_7.dll
    2011-12-12 06:43:00 176984 ----a-w- C:\Windows\System32\xactengine3_7.dll
    2011-12-12 06:32:06 -------- d-----w- C:\Perfect World Entertainment
    2011-12-11 22:04:32 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{652CFF33-0F88-4AD2-992D-28AE8F57F248}
    2011-12-11 22:04:18 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{8594E4E0-70D3-42DD-9640-BFAADFB2187B}
    2011-12-10 11:03:12 -------- d-----w- C:\Windows\en
    2011-12-10 10:57:26 18328 ----a-w- C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-12-10 10:49:14 -------- d-----w- C:\Windows\System32\EventProviders
    2011-12-10 10:45:40 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{436C0D55-2964-467B-861A-E446E3DE937D}
    2011-12-10 10:45:21 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{60E7B212-36EC-44A1-92AB-12022DCDD50B}
    2011-12-10 10:33:22 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{839DCA19-CD58-4E19-9CBB-5E6ABA8EE74D}
    2011-12-10 10:33:07 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{80AD8F6F-FD49-4FB6-B38D-DAB43B5CFEB0}
    2011-12-10 10:32:53 -------- d-----w- C:\Users\Sean Rucker\AppData\Roaming\Malwarebytes
    2011-12-10 10:32:38 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-12-10 10:32:29 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-12-10 10:07:44 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{58E10789-814B-4258-AF0F-3A62C2598910}
    2011-12-10 10:07:28 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{B5B4DA74-EB22-4317-A45D-A22FF62BEDB1}
    2011-12-10 09:46:00 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{FAF85C9E-F83F-4273-8A37-801B5E71E4C0}
    2011-12-10 09:45:46 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{B6A8D5E6-1413-4F2A-B68A-957A122BEF75}
    2011-12-10 09:33:04 -------- d-----we C:\Windows\system64
    2011-12-02 03:18:26 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{CCF5AC4B-533A-4E54-AC84-55B986DE30A8}
    2011-12-02 03:18:11 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{6CD371CA-D674-4385-A3B4-82044AA948DC}
    2011-12-02 03:05:38 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{21191F51-BEB3-490F-872B-BE582ADA8962}
    2011-12-02 03:05:24 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{7C951A71-3908-46F5-88F6-77125C499A7F}
    2011-11-29 19:48:47 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{C61D78C3-09AE-4BD2-AF0D-D7B2393A81BB}
    2011-11-29 19:48:35 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{CD2FF965-783E-464A-81C5-0673B1C1DA64}
    2011-11-25 23:46:28 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{6BAFC90C-98EE-40E3-963F-6C7128CA9AA0}
    2011-11-25 23:46:16 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{005027C6-2ABE-4D18-B232-3D20DED6D404}
    2011-11-24 19:54:24 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{0C01CB50-23B9-444E-8A7A-64583046ED15}
    2011-11-24 19:54:11 -------- d-----w- C:\Users\Sean Rucker\AppData\Local\{94388513-BA66-4BCB-8EBF-C243B2E5B36C}
    .
    ==================== Find3M ====================
    .
    2011-12-11 21:39:07 152064 ----a-w- C:\Windows\SysWow64\msclmd.dll
    2011-12-11 21:39:05 175104 ----a-w- C:\Windows\System32\msclmd.dll
    2011-10-04 20:52:46 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-09-29 16:24:44 1897328 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2009-04-08 17:31:56 106496 ----a-w- C:\Program Files (x86)\Common Files\CPInstallAction.dll
    2008-08-12 04:45:20 155648 ----a-w- C:\Program Files (x86)\Common Files\MSIactionall.dll
    .
    ============= FINISH: 22:56:05.90 ===============
  6. sean52492

    sean52492 Newcomer, in training Topic Starter

Attach.txt part one

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 5/25/2010 2:27:49 AM
    System Uptime: 12/19/2011 3:19:36 AM (19 hours ago)
    .
    Motherboard: ASUSTeK Computer Inc. | | K60IJ
    Processor: Pentium(R) Dual-Core CPU T4400 @ 2.20GHz | Socket 478 | 2200/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 449 GiB total, 107.626 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Virtual WiFi Miniport Adapter
    Device ID: {5D624F94-8850-40C3-A3FA-A4FD2080BAF3}\VWIFIMP\5&4240F00&0&01
    Manufacturer: Microsoft
    Name: Microsoft Virtual WiFi Miniport Adapter
    PNP Device ID: {5D624F94-8850-40C3-A3FA-A4FD2080BAF3}\VWIFIMP\5&4240F00&0&01
    Service: vwifimp
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.4.7 MUI
    Akamai NetSession Interface
    Alcor Micro USB Card Reader
    Any DVD Converter Professional 4.2.5
    Apple Application Support
    Apple Software Update
    ASUS AI Recovery
    ASUS CopyProtect
    ASUS Data Security Manager
    ASUS FancyStart
    ASUS LifeFrame3
    ASUS Live Update
    ASUS MultiFrame
    ASUS SmartLogon
    ASUS Splendid Video Enhancement Technology
    ASUS Virtual Camera
    ASUS_Screensaver
    ATK Package
    Best Buy Software Installer
    BitComet 1.25
    Character Builder
    Compatibility Pack for the 2007 Office system
    Conduit Engine
    ControlDeck
    D3DX10
    DataPilot
    DFOLauncher
    Diablo II
    Easy DVD Rip
    EasyBits GO
    Facebook Video Calling 1.0.0.8953
    Gimp 2.6.2 Debug
    Gmask 1.70 English
    HyperCam 2
    HyperCam Toolbar
    IMVU Avatar Chat Software
    Intel(R) Control Center
    Intel(R) Graphics Media Accelerator Driver
    Java Auto Updater
    Java(TM) 6 Update 20
    Java(TM) 6 Update 26
    Junk Mail filter update
    K-Lite Codec Pack 6.1.0 (Full)
    LastChaos
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office Live Add-in 1.5
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Works
    Monster Maker
    Mozilla Firefox 4.0.1 (x86 en-US)
    MpcStar 5.3
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP3 Parser (KB973685)
    Nexon Game Manager
    OpenOffice.org 3.2
    Pando Media Booster
    PL-2303 USB-to-Serial
    Platform
    QuickTime
    RGSS-RTP Standard
    Risk your Life 2 - Destination Client v2015
    Roxio Burn
    Roxio Roxio Burn
    Roxio Update Manager
    RPG????2000 ??????????
    Rusty Hearts PWE
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype Toolbars
    Skype™ 5.5
    Susteen Launcher
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    USB2.0 UVC VGA WebCam
    uTorrentBar Toolbar
    VIA Platform Device Manager
    Visual Studio 2008 x64 Redistributables
    Warcraft III
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    WinFlash
    WinRAR archiver
    Wireless Console 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/19/2011 6:02:58 AM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    12/19/2011 3:35:36 AM, Error: Service Control Manager [7034] - The Workstation service terminated unexpectedly. It has done this 3 time(s).
    12/19/2011 3:35:36 AM, Error: Service Control Manager [7034] - The Network Location Awareness service terminated unexpectedly. It has done this 3 time(s).
    12/19/2011 3:35:36 AM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 3 time(s).
    12/19/2011 3:27:48 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 2 time(s).
    12/19/2011 3:27:48 AM, Error: Service Control Manager [7031] - The Workstation service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/19/2011 3:27:48 AM, Error: Service Control Manager [7031] - The Network Location Awareness service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    12/19/2011 3:27:48 AM, Error: Service Control Manager [7031] - The DNS Client service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
    12/19/2011 3:25:41 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    12/19/2011 3:23:59 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Cryptographic Services service, but this action failed with the following error: An instance of the service is already running.
    12/19/2011 3:22:59 AM, Error: Service Control Manager [7031] - The Workstation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/19/2011 3:22:59 AM, Error: Service Control Manager [7031] - The Network Location Awareness service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    12/19/2011 3:22:59 AM, Error: Service Control Manager [7031] - The DNS Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/19/2011 3:22:59 AM, Error: Service Control Manager [7031] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/19/2011 3:22:52 AM, Error: Service Control Manager [7001] - The MBAMService service depends on the MBAMProtector service which failed to start because of the following error: The system cannot find the file specified.
    12/19/2011 3:22:52 AM, Error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
    12/19/2011 3:22:27 AM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
    12/19/2011 3:20:35 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ASPI32
    12/19/2011 3:20:35 AM, Error: Service Control Manager [7003] - The epfwwfpr service depends the following service: BFE. This service might not be installed.
    12/19/2011 3:20:21 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    12/19/2011 3:20:21 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    12/19/2011 3:20:20 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    12/19/2011 3:19:45 AM, Error: Application Popup [1060] - \SystemRoot\SysWow64\Drivers\ASPI32.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    12/19/2011 3:05:40 AM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: 490@01010004
    12/19/2011 2:59:42 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 3 time(s).
    12/19/2011 2:45:32 AM, Error: Service Control Manager [7031] - The Akamai NetSession Interface service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
    12/19/2011 2:44:59 AM, Error: Service Control Manager [7000] - The ESET Service service failed to start due to the following error: The system cannot find the file specified.
    12/19/2011 1:57:23 AM, Error: Service Control Manager [7030] - The Eset install launcher (0852) service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    12/17/2011 4:01:55 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800706be: Windows 7 Service Pack 1 for x64-based Systems (KB976932).

    12/17/2011 3:33:55 AM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 499 time(s).
    Edit: Hundreds of same error above, same date, have been deleted by Bobbye
  7. sean52492

    sean52492 Newcomer, in training Topic Starter

Attach.txt part two

Edit: Continued deletion of hundreds of the same DNS error, same date, by Bobbye
  8. sean52492

    sean52492 Newcomer, in training Topic Starter

Attach.txt part three

Edit: Continued deletion of hundreds of the same sequential DNS error, beginning 12/13, by Bobbye

    12/16/2011 1:37:55 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 23 time(s).
Edit: Deleted multiple sequential repeats of the same Cryptographic Services error, beginning 12/13, by Bobbye

    12/15/2011 6:49:24 PM, Error: Microsoft-Windows-WMPNSS-Service [14370] - A device with IP address '192.168.1.22' failed to register itself for protected content retrieval due to unknown error '0xc00d2711'.
    12/14/2011 3:01:36 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    12/14/2011 3:01:32 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    12/14/2011 3:01:11 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    12/14/2011 3:01:11 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    12/14/2011 3:01:08 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    12/14/2011 3:01:08 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    12/14/2011 3:01:06 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/14/2011 3:00:58 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    12/14/2011 3:00:36 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ASPI32 DfsC discache ehdrv NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx vwififlt Wanarpv6 WfpLwf
    12/14/2011 3:00:36 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    12/14/2011 3:00:36 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    12/14/2011 3:00:36 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    12/14/2011 3:00:36 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    12/14/2011 3:00:36 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    12/14/2011 3:00:36 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    12/14/2011 3:00:36 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    12/14/2011 3:00:36 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    12/14/2011 3:00:36 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/14/2011 3:00:36 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    12/14/2011 3:00:11 AM, Error: sptd [4] - Driver detected an internal error in its data structures for .

    12/13/2011 9:38:07 AM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.57. The computer with the IP address 192.168.1.2 did not allow the name to be claimed by this computer.
    12/13/2011 8:36:20 AM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 613 time(s).

    12/13/2011 8:06:07 PM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.58. The computer with the IP address 192.168.1.2 did not allow the name to be claimed by this computer.

    12/13/2011 3:58:27 PM, Error: Service Control Manager [7034] - The Workstation service terminated unexpectedly. It has done this 4 time(s).

    12/13/2011 10:33:54 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Akamai service.
    ==== End Of File ===========================
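The Service Control Manager entries and the newly created file entries in the logs above are what a responder would triage first on this machine. The block below is an added example, not part of the thread and not code from DDS or any of the tools mentioned: it runs over a handful of constructed sample lines copied from the logs posted above and (1) takes the highest "has done this N time(s)" figure per service, which is how the DNS Client and Cryptographic Services crashes the helper points out stand out, (2) lists boot-start drivers that failed to load and services that could not start, and (3) flags executables that share an exact size and timestamp under different names, which is an analyst heuristic of mine rather than anything the thread states. The watch list of service names and the crash threshold of 10 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of lines copied from the DDS Attach.txt
# "Event Viewer Messages" section and the DDS.txt file listing posted above.
SAMPLE_EVENTS = r"""
12/19/2011 3:35:36 AM, Error: Service Control Manager [7034] - The Workstation service terminated unexpectedly. It has done this 3 time(s).
12/19/2011 3:35:36 AM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 3 time(s).
12/19/2011 3:27:48 AM, Error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 2 time(s).
12/19/2011 3:27:48 AM, Error: Service Control Manager [7031] - The DNS Client service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
12/19/2011 3:22:52 AM, Error: Service Control Manager [7000] - The MBAMProtector service failed to start due to the following error: The system cannot find the file specified.
12/19/2011 2:44:59 AM, Error: Service Control Manager [7000] - The ESET Service service failed to start due to the following error: The system cannot find the file specified.
12/17/2011 3:33:55 AM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 499 time(s).
12/14/2011 3:00:36 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ASPI32 DfsC discache ehdrv NetBIOS NetBT nsiproxy Psched rdbss spldr sptd tdx vwififlt Wanarpv6 WfpLwf
12/13/2011 8:36:20 AM, Error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 613 time(s).
"""

SAMPLE_FILES = r"""
2011-12-17 09:32:29 387072 ----a-w- C:\Users\Sean Rucker\AppData\Roaming\IXekY.exe
2011-12-17 09:32:29 387072 ----a-w- C:\Users\Sean Rucker\AppData\Roaming\1kL7Gn.exe
2011-12-15 23:57:23 3141632 ----a-w- C:\Windows\System32\win32k.sys
2011-12-10 09:33:04 -------- d-----we C:\Windows\system64
"""

# "M/D/YYYY H:MM:SS AM, Level: Source [EventID] - message"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
CRASH_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly\. It has done this (?P<n>\d+) time\(s\)")
NOSTART_RE = re.compile(r"^The (?P<svc>.+?) service failed to start due to")
DRIVERS_RE = re.compile(r"driver\(s\) failed to load: (?P<names>.+)$")
# DDS file line: "YYYY-MM-DD HH:MM:SS size attrs path" (directories show "--------" as size)
FILE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+|-+) (?P<attr>\S+) (?P<path>.+)$")


def parse_events(text):
    """Return one dict per parseable event line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["eid"] = int(ev["eid"])
            events.append(ev)
    return events


def crash_counts(events):
    """Highest 'has done this N time(s)' figure seen per service in SCM 7031/7034 events."""
    counts = {}
    for ev in events:
        if ev["eid"] in (7031, 7034):
            m = CRASH_RE.match(ev["msg"])
            if m:
                svc, n = m.group("svc"), int(m.group("n"))
                counts[svc] = max(counts.get(svc, 0), n)
    return counts


def failed_boot_drivers(events):
    """Driver names from SCM 7026 'failed to load' events."""
    names = set()
    for ev in events:
        if ev["eid"] == 7026:
            m = DRIVERS_RE.search(ev["msg"])
            if m:
                names.update(m.group("names").split())
    return names


def services_not_started(events):
    """Service names from SCM 7000 'failed to start' events."""
    found = set()
    for ev in events:
        if ev["eid"] == 7000:
            m = NOSTART_RE.match(ev["msg"])
            if m:
                found.add(m.group("svc"))
    return sorted(found)


def twin_executables(text):
    """Groups of .exe files sharing an exact size and mtime (heuristic: one dropper, several random names)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m and m.group("path").lower().endswith(".exe"):
            groups[(m.group("ts"), m.group("size"))].append(m.group("path"))
    return [sorted(paths) for paths in groups.values() if len(paths) > 1]


def triage(events_text, files_text, watch=("DNS Client", "Cryptographic Services"), threshold=10):
    """Summarise the indicators a responder would pull from a DDS log (watch list and threshold are assumptions)."""
    events = parse_events(events_text)
    crashes = crash_counts(events)
    return {
        "repeat_crashes": {svc: n for svc, n in crashes.items() if n >= threshold},
        "watched_services_crashing": sorted(svc for svc in watch if svc in crashes),
        "drivers_failed_to_load": sorted(failed_boot_drivers(events)),
        "services_failed_to_start": services_not_started(events),
        "twin_executables": twin_executables(files_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

Feeding the full Attach.txt and DDS.txt through `triage()` instead of the samples gives the same picture the helper draws by eye: the DNS Client figure alone reaches the hundreds, the security products' own components (ESET Service, MBAMProtector, the `ehdrv` driver) are among what fails to load, and the two identically sized, identically timestamped random-name executables in AppData\Roaming surface without anyone having to scan the file list by hand.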
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

Changing the AV won't work. Advise a reformat and reinstall of the operating system.
    Check all Services for settings.
    If this is not a legitimate copy of Windows, suggest you get one.
  10. sean52492

    sean52492 Newcomer, in training Topic Starter

    quick question

So what exactly does this program do to a computer? And do I have any other options besides a reformat and reinstall?
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

Are you using the Citrix Access Gateway 4.5? The DNS Client and Cryptographic Service are crashing every few seconds. None of the Services are working, many with the text that the Service might not be installed.
    ------------------------
    Please run the MGA Diagnostics tool
    • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
• You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool.
    • You must choose to Run this tool when prompted.
    • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
    • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
    • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
    • Please return to this thread and Paste the results here for review.
    ------------------------------------------
Next, look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows, to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

    1. What edition of Windows is it for?
    2. Does it read "OEM Software" or "OEM Product" in black lettering?
    3. Or, does it have the computer manufacturer's name in black lettering?
    4. DO NOT post the Product Key.

    NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
    ===============================
    Then this:
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
There is also an entry in GMER from the compatibility assistant regarding the Real-time Transport Protocol (RTP), which defines a standardized packet format for delivering audio and video over IP networks.
    -----------------------------
    Please leave the complete logs for both programs in your next reply.
  12. sean52492

    sean52492 Newcomer, in training Topic Starter

    MGA diagnostic results

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-2QWT6-HCQXJ-9YQTR
    Windows Product Key Hash: PVjSC5x6njvqunmbCY3lOD7rYDo=
    Windows Product ID: 00359-OEM-8992687-00007
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7600.2.00010300.0.0.003
    ID: {99927A64-22C2-4DA7-88D5-CBF24F5C9975}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000009
    Build lab: 7600.win7_gdr.110622-1503
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 102
    Microsoft Office Home and Student 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_B4D0AA8B-920-80070057

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{99927A64-22C2-4DA7-88D5-CBF24F5C9975}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010300.0.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-9YQTR</PKey><PID>00359-OEM-8992687-00007</PID><PIDType>2</PIDType><SID>S-1-5-21-1636183535-4098033670-2643594301</SID><SYSTEM><Manufacturer>ASUSTeK Computer Inc. </Manufacturer><Model>K60IJ </Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>206 </Version><SMBIOSVersion major="2" minor="5"/><Date>20091203000000.000000+000</Date></BIOS><HWID>3B4C3107018400F8</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>_ASUS_</OEMID><OEMTableID>Notebook</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>102</Result><Products><Product GUID="{91120000-002F-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Home and Student 2007</Name><Ver>12</Ver><PidType>19</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7600.16385

    Name: Windows(R) 7, HomePremium edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: d2c04e90-c3dd-4260-b0f3-f845f5d27d64
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00359-00178-926-800007-02-1033-7600.0000-2092009
    Installation ID: 105364062620429040572150154975404895605646683880019384
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 9YQTR
    License Status: Licensed
    Remaining Windows rearm count: 2
    Trusted time: 12/20/2011 11:52:08 PM

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 11:18:2011 01:18
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEA6GH4IagD0jMi3oaJlAmeg+62aLhGyg==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
    ACPI Table Name OEMID Value OEMTableID Value
    APIC 120309 APIC1811
    FACP 120309 FACP1811
    DBGP 120309 DBGP1811
    HPET 120309 OEMHPET
    BOOT 120309 BOOT1811
    MCFG 120309 OEMMCFG
    SLIC _ASUS_ Notebook
    ECDT 120309 OEMECDT
    OEMB 120309 OEMB1811
    GSCI 120309 GMCHSCI
    SSDT PmRef CpuPm

    It's for Windows 7 Home Premium and it's not OEM; it is an ASUS model.
  13. sean52492

    sean52492 Newcomer, in training Topic Starter

    Ckfile.txt

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\aeriagames\lastchaosusa\data\effect\ska\cracker\cracker.bm
    c:\aeriagames\lastchaosusa\data\effect\ska\cracker\cracker.smc
    c:\program files (x86)\gimp-2.0\share\gimp\2.0\patterns\cracked.pat
    scanner sequence 3.AB.11.WQAADL
    ----- EOF -----
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    Please clarify this for me:
    OEM is short for original equipment manufacturer. OEMs are manufacturers who resell another company's product under their own name and branding.

    System Locked Pre-installation, SLP, is a procedure used by major OEM computer manufacturers in order to pre-activate Microsoft Windows before mass distribution.
  15. sean52492

    sean52492 Newcomer, in training Topic Starter

    Clarification

    It's an ASUS Altec Lansing SRS laptop purchased from Best Buy. It came preloaded with Windows 7 Home Premium.
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    Holiday Notice! I will not be working on the threads Sat. Dec. 24 or Sunday Dec. 25. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
    ---------------------------------------------
    You have some really "funky stuff" on this system! Let's see if Combofix can help out:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      ***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware.
    • If ComboFix asks you to update the program, allow it.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ======================================
    Can you describe what system problems you're having? With all the crashing Services I'm surprised you can even run!

    Leave the Combofix log in your next reply. Hopefully it will be able to find some causes of the DNS and Cryptographic Services problems.

    This particular 'find' seems to be exclusive to Eset users,
  17. sean52492

    sean52492 Newcomer, in training Topic Starter

    I can't seem to disable my ESET so that ComboFix doesn't say it's active. I have disabled everything that I can see (from the GUI menu at least).
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    How to temporarily disable ESET Smart Security/ESET NOD32 Antivirus:
    Version 5.x

    Access the main program window in one of two ways:
    1. Double click the ESET icon by the clock
    or>>
    2. Click on Start> All Programs> ESET> ESET Smart Security or ESET NOD32 Antivirus.
    3. Click the Protection status icon and select Temporarily disable protection.
    4. Click Yes when prompted to confirm this action.
    5. In the Temporarily disable protection window, select the length of time you would like to disable protection from the Time interval drop-down menu.
    6. Click OK to continue
    Screenshot here if needed: http://kb.eset.com/esetkb/index?page=content&id=SOLN548.

    Note: After troubleshooting, re-enable antivirus and antispyware protection by clicking the Protection status icon > Enable all antivirus and antispyware protection modules.
    ======================================
    Disable Avast:
    1. Right-click "Avast Antivirus" icon on the task bar.
    2. Click "Access Protection Control." Enter the same password that you used when you first installed the program. Click "OK." This will bring you to the scanner window.
    3. Click "Terminate" to disable Avast Anti-virus protection and email scanning.
    4. Click "OK" to confirm and save changes
  19. sean52492

    sean52492 Newcomer, in training Topic Starter

    Still detecting ESET

    It is still detecting ESET. I have disabled everything as far as I can tell. I'm attaching a screenshot; any ideas?

    Attached Files:

  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    Right click on the Eset icon by the clock> click on Temporarily Disable Real Time Protection.

    Have you tried just going ahead with the scan?

    If that still won't do it, run Combofix in Safe Mode.
  21. sean52492

    sean52492 Newcomer, in training Topic Starter

    Combofix log

    I finally got ComboFix to run properly; here is the log.

    ComboFix 11-12-28.03 - Sean Rucker 12/29/2011 4:40.1.2 - x64 MINIMAL
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4061.3453 [GMT -6:00]
    Running from: c:\users\Sean Rucker\Desktop\ComboFix.exe
    AV: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    c:\program files (x86)\HyperCam Toolbar\tbHElper.dll
    c:\programdata\~yoEpOnEShcqIPv
    c:\programdata\~yoEpOnEShcqIPvr
    c:\programdata\yoEpOnEShcqIPv
    c:\users\Sean Rucker\AppData\Local\scs.exe
    c:\users\Sean Rucker\AppData\Roaming\1kL7Gn.exe
    c:\users\Sean Rucker\AppData\Roaming\IXekY.exe
    c:\windows\assembly\temp\@
    c:\windows\assembly\temp\cfg.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-29 11:23 . 2011-12-29 11:23 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-21 05:52 . 2011-12-21 05:53 -------- d-----w- C:\MGADiagToolOutput
    2011-12-21 05:51 . 2011-12-21 05:51 -------- d-----w- c:\programdata\Office Genuine Advantage
    2011-12-19 05:37 . 2011-12-19 07:51 -------- d-----w- c:\programdata\AVAST Software
    2011-12-19 05:08 . 2011-12-19 09:17 -------- d-----w- C:\commy
    2011-12-17 09:57 . 2011-12-17 09:57 -------- d-----w- c:\windows\system32\SPReview
    2011-12-16 18:08 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B5D10CC8-EF8F-4C47-B1AD-74CF674E6F7C}\mpengine.dll
    2011-12-15 23:57 . 2011-11-24 05:00 3141632 ----a-w- c:\windows\system32\win32k.sys
    2011-12-15 10:05 . 2011-12-19 09:16 -------- d-----w- c:\program files\ESET
    2011-12-15 04:15 . 2011-11-05 05:17 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-15 04:15 . 2011-11-05 04:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-15 04:09 . 2011-10-15 06:25 723456 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-15 04:09 . 2011-10-15 05:48 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-15 04:04 . 2011-10-26 05:19 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-12 06:50 . 2011-12-12 06:50 -------- d-----w- C:\Down
    2011-12-12 06:45 . 2011-12-12 06:45 -------- d-----w- C:\Windyzone
    2011-12-12 06:43 . 2010-06-02 10:55 77656 ----a-w- c:\windows\system32\XAPOFX1_5.dll
    2011-12-12 06:43 . 2010-06-02 10:55 74072 ----a-w- c:\windows\SysWow64\XAPOFX1_5.dll
    2011-12-12 06:43 . 2010-06-02 10:55 527192 ----a-w- c:\windows\SysWow64\XAudio2_7.dll
    2011-12-12 06:43 . 2010-06-02 10:55 518488 ----a-w- c:\windows\system32\XAudio2_7.dll
    2011-12-12 06:43 . 2010-06-02 10:55 239960 ----a-w- c:\windows\SysWow64\xactengine3_7.dll
    2011-12-12 06:43 . 2010-06-02 10:55 176984 ----a-w- c:\windows\system32\xactengine3_7.dll
    2011-12-12 06:32 . 2011-12-12 06:32 -------- d-----w- C:\Perfect World Entertainment
    2011-12-10 11:03 . 2011-12-10 11:03 -------- d-----w- c:\windows\en
    2011-12-10 10:57 . 2011-12-10 10:57 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-12-10 10:49 . 2011-12-10 10:49 -------- d-----w- c:\windows\system32\EventProviders
    2011-12-10 10:32 . 2011-12-10 10:32 -------- d-----w- c:\users\Sean Rucker\AppData\Roaming\Malwarebytes
    2011-12-10 10:32 . 2011-12-10 10:32 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-10 10:32 . 2011-12-10 10:32 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-12-10 09:33 . 2011-12-10 09:33 -------- d-----we c:\windows\system64
    2011-12-02 03:43 . 2011-12-02 03:43 -------- d-----w- c:\windows\system32\Macromed
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-11 21:39 . 2009-07-14 02:36 152064 ----a-w- c:\windows\SysWow64\msclmd.dll
    2011-12-11 21:39 . 2009-07-14 02:36 175104 ----a-w- c:\windows\system32\msclmd.dll
    2011-10-04 20:52 . 2011-06-16 16:35 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2009-04-08 17:31 . 2009-04-08 17:31 106496 ----a-w- c:\program files (x86)\Common Files\CPInstallAction.dll
    2008-08-12 04:45 . 2008-08-12 04:45 155648 ----a-w- c:\program files (x86)\Common Files\MSIactionall.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\tbuTo1.dll" [2011-01-01 3911776]
    .
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2011-01-01 08:34 3911776 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngin1.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    2011-01-01 08:34 3911776 ----a-w- c:\program files (x86)\uTorrentBar\tbuTo1.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\tbuTo1.dll" [2011-01-01 3911776]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngin1.dll" [2011-01-01 3911776]
    .
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
    @="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
    [HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
    2007-06-02 00:08 143360 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Facebook Update"="c:\users\Sean Rucker\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-08-29 137536]
    "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]
    "Akamai NetSession Interface"="c:\users\Sean Rucker\AppData\Local\Akamai\netsession_win.exe" [2011-12-13 3305760]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-07-13 498160]
    "ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2009-10-27 6998656]
    "ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2009-08-20 170624]
    "HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
    "HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2009-09-17 2245120]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    .
    c:\users\Sean Rucker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    OpenOffice.org 3.2.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    FancyStart daemon.lnk - c:\windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_C4A2FC3E3722966204FDD8.exe [2010-4-10 12862]
    SRS Premium Sound.lnk - c:\windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe [2010-4-10 156952]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Best Buy Software Installer.lnk - c:\program files\Best Buy Software Installer\Best Buy Software Installer.exe [2009-10-5 1132472]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
    R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [x]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]
    R3 dump_wmimmc;dump_wmimmc;c:\program files (x86)\RYL 2 DOA\GameGuard\dump_wmimmc.sys [x]
    R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
    R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam_x64.sys [x]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
    R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [x]
    R3 SUSTUCAM;Susteen USB Cable Modem Driver;c:\windows\system32\DRIVERS\sustucam.sys [x]
    R3 SUSTUCAP;Susteen USB Cable Port Driver;c:\windows\system32\DRIVERS\sustucap.sys [x]
    R3 SUSTUCAU;Susteen USB Cable USB Driver;c:\windows\system32\DRIVERS\sustucau.sys [x]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 X6va005;X6va005;c:\users\SEANRU~1\AppData\Local\Temp\0055FFB.tmp [x]
    S0 lullaby;lullaby;c:\windows\system32\DRIVERS\lullaby.sys [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
    S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-03 15416]
    S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2011-09-22 974944]
    S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
    S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1636183535-4098033670-2643594301-1001Core.job
    - c:\users\Sean Rucker\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-29 08:03]
    .
    2011-12-29 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1636183535-4098033670-2643594301-1001UA.job
    - c:\users\Sean Rucker\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-29 08:03]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
    @="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
    [HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
    2007-06-01 23:52 159744 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x64\OverlayIconShlExt1_64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-09-30 621440]
    "AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2009-09-01 323584]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-09-22 4035152]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://google.atcomet.com/b/
    mStart Page = hxxp://www.yahoo.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Sean Rucker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Sean Rucker\AppData\Roaming\Mozilla\Firefox\Profiles\j4ydswwf.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine -
    FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/SeanRucker|http://tinychat.com/vegisgawdmang
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cbf2f9b&v=6.010.006.004&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
    FF - prefs.js: network.proxy.http - 63.174.60.11
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.type - 4
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    Toolbar-Locked - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    Wow6432Node-HKCU-Run-DW6 - c:\program files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe
    Toolbar-Locked - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
    HKLM-Run-Setwallpaper - c:\programdata\SetWallpaper.cmd
    AddRemove-ASUS_Screensaver - c:\windows\system32\ASUS_Screensaver.scr
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
    "ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_b427739.dll"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va005]
    "ImagePath"="\??\c:\users\SEANRU~1\AppData\Local\Temp\0055FFB.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1636183535-4098033670-2643594301-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.Email.1"
    .
    [HKEY_USERS\S-1-5-21-1636183535-4098033670-2643594301-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
    c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files (x86)\ASUS\SmartLogon\sensorsrv.exe
    c:\program files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
    c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
    c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
    c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
    c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
    c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
    c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
    c:\program files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
    c:\program files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe
    c:\windows\AsScrPro.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-29 14:12:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-29 20:12
    .
    Pre-Run: 109,843,124,224 bytes free
    Post-Run: 111,658,409,984 bytes free
    .
    - - End Of File - - 59C797BDB8BE87C4EBA49445AB4C36D2
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    Combofix ran in Reduced Functionality Mode. Did it come up as "expired", or did you override the "your AV is running" message?
    ===================================
    Please do this: Click on Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns /c (note space before the /)> enter
    ===================================
    Then run this: Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure "Include All Files" option remains checked.
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
    =============================================
    Download Eset Stand Alone Win32/Olmarik Tdl4 Cleaner and save to desktop.
    • Double click on the icon to run.
    • Follow the onscreen prompts
    • Reboot the computer when finished
    • Run a full scan with Eset Nod32.

    It is possible that this program has not been updated to the most current variant of this malware.
    ======================================
    Please leave logs generated. After I review that, I will give you some script to run through Combofix
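
    The FSS run asked for above checks, for each service it knows about, whether the service's registry key still exists, what its start type is, where ImagePath and ServiceDll point, and the MD5 of that binary. The PowerShell below is an example added here to show what those report lines are based on; it is not part of the thread, of FSS, or of any ESET tool. The service names are the ones FSS prints in its log format, the extra wuauserv and BITS entries, the helper names (Resolve-ServiceBinary, Get-FileMd5, Test-ServiceHealth) and the Verdict labels are my own assumptions. It targets PowerShell 2.0 so it runs on a stock Windows 7 box from an elevated prompt.

```powershell
# Added example, not from the thread: redo by hand the checks Farbar Service Scanner
# reports (service key present? start type? ImagePath/ServiceDll? binary signed? MD5?)
# for the services FSS examines. Service names follow FSS's own log; the helper
# names, the extra wuauserv/BITS entries and the Verdict wording are assumptions.
# Run from an elevated PowerShell prompt; written for PowerShell 2.0 (Windows 7).

$services   = 'Dnscache','MpsSvc','bfe','mpsdrv','SDRSVC','VSS','cryptsvc','wscsvc','wuauserv','BITS'
$startTypes = @{ 0='Boot'; 1='System'; 2='Automatic'; 3='Manual'; 4='Disabled' }

# Turn a raw service registry value into a path on disk. Service entries use several
# notations: %SystemRoot%\..., \SystemRoot\..., \??\C:\..., "quoted" paths, bare
# system32\drivers\x.sys, and svchost lines with "-k NetworkService" appended.
function Resolve-ServiceBinary {
    param([string]$Raw)
    if (-not $Raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    $p = $p -replace '^\\\?\?\\', ''                      # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot      # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }       # "C:\path with spaces\x.exe" args
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }  # strip " -k NetSvcs"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p } # bare system32\...
    return $p
}

# MD5 only because that is what FSS prints; compare it against FSS's "MD5 is legit"
# baseline or a clean machine of the same build. MD5 is not tamper-proof on its own.
function Get-FileMd5 {
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $fs.Close() }
}

function Test-ServiceHealth {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $r = @{ Service=$Name; State='n/a'; Start='n/a'; Binary=$null; Signature='n/a'; MD5='n/a'; Verdict='' }

    if (-not (Test-Path $key)) {
        # FSS's "The service key does not exist" case (MpsSvc and bfe in a log like the
        # one requested here). Windows never deletes these keys itself; they have to be
        # restored from a clean copy of the same build before the firewall can start.
        $r.Verdict = 'MISSING KEY - tampering'
        return New-Object PSObject -Property $r
    }

    $props = Get-ItemProperty $key
    if ($props.Start -ne $null) { $r.Start = $startTypes[[int]$props.Start] }
    $image = Resolve-ServiceBinary $props.ImagePath
    $dll   = $null
    if (Test-Path "$key\Parameters") {
        $dll = Resolve-ServiceBinary (Get-ItemProperty "$key\Parameters").ServiceDll
    }
    # For svchost-hosted services the ServiceDll is what gets swapped, not svchost.exe.
    $r.Binary = if ($dll) { $dll } else { $image }

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue                      # Win32 services
    if (-not $svc) { $svc = Get-WmiObject Win32_SystemDriver -Filter "Name='$Name'" } # kernel drivers
    if ($svc) { $r.State = if ($svc.Status) { "$($svc.Status)" } else { $svc.State } }

    if (-not $r.Binary) {
        $r.Verdict = 'NO IMAGEPATH'
    } elseif (-not (Test-Path $r.Binary)) {
        $r.Verdict = 'BINARY MISSING'
    } else {
        $sig = Get-AuthenticodeSignature $r.Binary
        $r.Signature = $sig.Status.ToString()
        $r.MD5 = Get-FileMd5 $r.Binary
        # Caveat: on Windows 7 / PowerShell 2.0, catalog-signed OS files report 'NotSigned';
        # there, a wrong MD5 against a clean baseline is the stronger signal than 'NotSigned'.
        if     ($sig.Status -eq 'HashMismatch')                { $r.Verdict = 'SIGNATURE BROKEN - file modified' }
        elseif ($r.Binary -notlike "$env:SystemRoot\*")        { $r.Verdict = 'BINARY OUTSIDE %SystemRoot%' }
        elseif ($r.Start -eq 'Disabled')                       { $r.Verdict = 'DISABLED' }
        elseif ($r.State -ne 'Running')                        { $r.Verdict = 'not running' }
        else                                                   { $r.Verdict = 'ok' }
    }
    New-Object PSObject -Property $r
}

$services | ForEach-Object { Test-ServiceHealth $_ } |
    Select-Object Service, State, Start, Signature, MD5, Verdict, Binary | Format-Table -AutoSize
```

    Two practical caveats. First, FSS, ComboFix and this script all read the registry and disk through the running kernel; a bootkit of the TDL4 class sits below that, so anything it chooses to hide will look clean from inside the infected Windows, and results are only trustworthy once the disk has been examined from a clean boot (rescue media or the drive mounted on another machine). Second, a "not running" verdict on a Manual service such as VSS or SDRSVC is normal and matches the "Service is not running" lines FSS prints for them; the findings that matter are missing keys, binaries outside %SystemRoot%, HashMismatch signatures, and MD5 values that disagree with a known-good copy of the same Windows build.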
  23. sean52492

    sean52492 Newcomer, in training Topic Starter

    logs

    When I ran the stand-alone, a message popped up and said Win32/Olmarik was not found on your system, but this is the FSS log:

    Farbar Service Scanner
    Ran by Sean Rucker (administrator) on 31-12-2011 at 04:12:51
    Microsoft Windows 7 Home Premium (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.


    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

    bfe Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

    mpsdrv Service is not running. Checking service configuration:
    The start type of mpsdrv service is OK.
    The ImagePath of mpsdrv service is OK.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is OK.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.

    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ===========
    cryptsvc Service is not running. Checking service configuration:
    The start type of cryptsvc service is OK.
    The ImagePath of cryptsvc service is OK.
    The ServiceDll of cryptsvc service is OK.


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll
    [2009-07-13 18:09] - [2009-07-13 19:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

    C:\Windows\System32\bfe.dll
    [2009-07-13 18:09] - [2009-07-13 19:40] - 0703488 ____A (Microsoft Corporation) 4992C609A6315671463E30F6512BC022

    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll
    [2009-07-13 17:36] - [2009-07-13 19:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

    C:\Windows\System32\vssvc.exe
    [2009-07-13 17:39] - [2009-07-13 19:39] - 1598976 ____A (Microsoft Corporation) 787898BF9FB6D7BD87A36E2D95C899BA

    C:\Windows\System32\wscsvc.dll
    [2011-02-09 14:48] - [2010-12-21 00:16] - 0097280 ____A (Microsoft Corporation) 8F9F3969933C02DA96EB0F84576DB43E

    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll
    [2009-07-13 18:36] - [2009-07-13 19:41] - 2418176 ____A (Microsoft Corporation) 38340204A2D0228F1E87740FC5E554A7

    C:\Windows\System32\qmgr.dll
    [2009-07-13 17:46] - [2009-07-13 19:41] - 0848384 ____A (Microsoft Corporation) 7F0C323FE3DA28AA4AA1BDA3F575707F

    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll
    [2009-07-13 17:49] - [2009-07-13 19:40] - 0175104 ____A (Microsoft Corporation) 8C57411B66282C01533CB776F98AD384

    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +33

    Sorry to have kept you waiting.

    Questions:
    Have you reset any of the Services?
    Have you intentionally disabled Services that are part of the security for the OS?
    You appear to be participating in numerous MMOs and MMORPGs. Have you disabled any Services that might possibly interfere with those?
    =====================================
    Please download SystemLook from the link below and save it to your Desktop.
    For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      MpsSvc.*
      MpsDriv.*
      SDRSVC.*
      BFE.*
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    ============================================
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    ------------------------------------
    Click on Start> Run> type in services.msc> Enter> Look for each of the following Services and set as directed:
    • Cryptographic Service: Set to Automatic
    • RPC Call: Set to Automatic
    • TCP/IP: Set to Automatic
    • Dnscache Service: Set to Automatic
    • BFE: Set to Automatic
    • Windows Backup (SDRSVC): Set to Manual
    • Mpssvc: Set to Manual
    • Volume Shadow Copy (VSS): Set to Manual
    • MpsDrv: Set to Manual
    • Windows Updates: Set to Manual
    =======================================
    Reboot back into Normal Mode
    =====================================
    Before you run the script below, disable the security. It was running when you ran Combofix and that can affect the scan.
    ------------------------------------
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    DDS::
    uURLSearchHooks: H - No File
    uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTo1.dll
    mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTo1.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngin1.dll
    BHO: SMTTB2009 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - C:\Program Files (x86)\HyperCam Toolbar\tbcore3.dll
    TB: HyperCam Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - C:\Program Files (x86)\HyperCam Toolbar\tbcore3.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTo1.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngin1.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
    IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\Sean Rucker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=- 
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=- 
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"=- 
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    Clearjavacache::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    Do you know what these are?
    2011-12-19 09:17 -------- d-----w- C:\commy
    2011-12-12 06:50 -------- d-----w- C:\Down
    2011-12-12 06:45 -------- d-----w- C:\Windyzone
    =====================
    There is a proxy port>> 3128> this is a 'Squid port'.
    Backdoor-variant Trojans and worms open port 3128 for remote access. This route may be used by a malicious user to plant malware on the victim's machine, or the machine may be used in port-forward DoS attacks.
    Particular users of this port: Win32.Mydoom, RingZero, ReverseWWWTunnel
    This is the technical description for port 3128:
    Port 3128 is used by Squid software as an HTTP proxy to allow users to bypass firewall and Internet security for Web access. Users can gain access to a locally banned site using port 3128 with an application or an HTTP proxy.

    It handles both inbound and outbound traffic, and once port 3128 is opened up as a backdoor, remote users can use this pathway to take control of the machine and initiate attacks on other remote users on the Web.
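The FSS log above is what the helper is reading when she asks about MpsSvc, BFE and the other Services: the report says which security services are stopped, which ones no longer have a registry key at all, and which system files it could not match to a known-good MD5. The script below is an added example written for this page, not code from TechSpot, from the poster, or from Farbar's own tool. It parses that plain-text report format and ranks the findings the way a responder would triage them: a deleted service key (the Windows Firewall pair MpsSvc and BFE in this log) is the rootkit-style finding, a stopped service with intact configuration is a lesser one, and a file without a "MD5 is legit" verdict is only unverified, not proven malicious. The embedded sample is a constructed, abridged copy of the log posted in this thread; the severity labels and the `CRITICAL_SERVICES` set are this example's own assumptions, not anything FSS reports.

```python
"""Triage a Farbar Service Scanner (FSS) log by severity.

Added example, not part of the thread and not Farbar's code. Severity
labels and CRITICAL_SERVICES below are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: abridged copy of the FSS log posted earlier in the thread.
SAMPLE_LOG = r"""
Farbar Service Scanner
Microsoft Windows 7 Home Premium (X64)
Boot Mode: Normal

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll
[2009-07-13 18:09] - [2009-07-13 19:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll
[2009-07-13 18:09] - [2009-07-13 19:40] - 0703488 ____A (Microsoft Corporation) 4992C609A6315671463E30F6512BC022

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
**** End of log ****
"""

# Services whose absence or stoppage weakens the host's own defences (assumption).
CRITICAL_SERVICES = {"mpssvc", "bfe", "mpsdrv", "cryptsvc", "dnscache", "wscsvc", "wuauserv"}

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
MISSING_KEY = re.compile(r"Unable to open (\S+) registry key\. The service key does not exist\.")
LEGIT = re.compile(r"^(\S+) => MD5 is legit$")
# "[created] - [modified] - size attrs (company) MD5" line that follows an unmatched path
DETAIL = re.compile(r"\[.*?\] - \[.*?\] - \d+ \S+ \(.*?\) ([0-9A-Fa-f]{32})$")


@dataclass
class FssTriage:
    missing_keys: set = field(default_factory=set)      # service key deleted
    stopped: set = field(default_factory=set)           # "Service is not running"
    legit_files: set = field(default_factory=set)       # MD5 matched FSS's table
    unverified_files: dict = field(default_factory=dict)  # path -> MD5 FSS could not match


def parse_fss(text):
    """Walk the report line by line; a bare C:\\ path is held until its detail line arrives."""
    t = FssTriage()
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := NOT_RUNNING.match(line):
            t.stopped.add(m.group(1))
        elif m := MISSING_KEY.search(line):
            t.missing_keys.add(m.group(1))
        elif m := LEGIT.match(line):
            t.legit_files.add(m.group(1))
            pending_path = None
        elif line.startswith("C:\\") and "=>" not in line:
            pending_path = line
        elif pending_path and (m := DETAIL.search(line)):
            t.unverified_files[pending_path] = m.group(1).upper()
            pending_path = None
    return t


def assess(t):
    """Return (severity, message) pairs, highest severity first."""
    findings = [("HIGH", f"service key deleted: {svc}") for svc in sorted(t.missing_keys)]
    for svc in sorted(t.stopped - t.missing_keys):
        sev = "MEDIUM" if svc.lower() in CRITICAL_SERVICES else "LOW"
        findings.append((sev, f"service stopped, configuration intact: {svc}"))
    for path, md5 in sorted(t.unverified_files.items()):
        findings.append(("INFO", f"no known-good MD5 for {path} ({md5}); check its Authenticode signature"))
    return findings


if __name__ == "__main__":
    for sev, msg in assess(parse_fss(SAMPLE_LOG)):
        print(f"{sev:6} {msg}")
```

Two things the ranking encodes. A service that is stopped but whose start type, ImagePath and ServiceDll all check out can simply be restarted, which is what the Safe Mode services.msc step above does; a service whose key is gone cannot, and on this log that is exactly the firewall pair, so the firewall stays down until the keys are restored. The INFO items are the 2009-07-13 Windows 7 RTM binaries: FSS's hash table not having that build is the ordinary reason for a missing "MD5 is legit", so the right follow-up is a signature check on the file, not deleting it.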