Inactive Suspected Kernel mode rootkit win7x64


MajorDick

I know you probably just want logs and not waffley back stories, so I'll try and keep it as relevant and descriptive as possible.
A week ago or so my computer started suffering random reboots and hangs. A couple of days later the CPU fan speed went up to 4400rpm on bootup and stayed that high almost constantly, with some random surges to higher speeds. After checking fan connections and blowing compressed air through the heat sink to no avail, I reflashed the BIOS.
This worked and the fan speed was back to its normal 2300rpm. I used the computer normally for a while then switched it off; the next day the fan speed was back up to 4400rpm, suggesting to me, with my limited knowledge, that the BIOS had been corrupted again and I was probably dealing with a rootkit.
So I've completed your 6 steps, some of which I ran in Windows 7 and some of which I ran on MiniXP with Hiren's Boot CD. Here are the logs:

MBAM - failed to start on HBCD, ran in Win7
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7745

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

18/09/2011 22:48:58
mbam-log-2011-09-18 (22-48-58).txt

Scan type: Quick scan
Objects scanned: 177068
Time elapsed: 1 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER - Windows 7 produced an empty log and only allowed me to select Services, Registry and Files.
My original HBCD scan produced this log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2011-09-18 12:11:21
Windows 5.1.2600
Running: G-MER.exe; Driver: B:\Temp\kwtdypog.sys


---- System - GMER 1.0.15 ----

INT 0x01 \SystemRoot\system32\drivers\dummy.sys F7A977C0
INT 0x03 \SystemRoot\system32\drivers\dummy.sys F7A977E0
INT 0x1F \I386\SYSTEM32\HALAACPI.DLL 80A18FD0
INT 0x37 \I386\SYSTEM32\HALAACPI.DLL 80A18728
INT 0x3D \I386\SYSTEM32\HALAACPI.DLL 80A19B70
INT 0x41 \I386\SYSTEM32\HALAACPI.DLL 80A199CC
INT 0x50 \I386\SYSTEM32\HALAACPI.DLL 80A18800
INT 0xC1 \I386\SYSTEM32\HALAACPI.DLL 80A18984
INT 0xD1 \I386\SYSTEM32\HALAACPI.DLL 80A17D34
INT 0xE1 \I386\SYSTEM32\HALAACPI.DLL 80A18F0C
INT 0xE3 \I386\SYSTEM32\HALAACPI.DLL 80A18C70
INT 0xFD \I386\SYSTEM32\HALAACPI.DLL 80A19464
INT 0xFE \I386\SYSTEM32\HALAACPI.DLL 80A19604

---- Kernel code sections - GMER 1.0.15 ----

? \I386\SYSTEM32\NTKRNLMP.EXE kernel module suspicious modification
? \I386\SYSTEM32\NTKRNLMP.EXE The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs dc_fsf.sys
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume1 dcrypt.sys
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume2 dcrypt.sys
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume3 dcrypt.sys
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume4 dcrypt.sys
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume5 dcrypt.sys
AttachedDevice \Driver\ftdisk \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\ACPI_HAL \Device\00000008 HALAACPI.DLL

AttachedDevice \FileSystem\Fastfat \Fat dc_fsf.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:148] BB6C5096

---- EOF - GMER 1.0.15 ----

I then realised the selected drive was the X drive, which was the MiniXP RAM drive.
So I selected what HBCD was calling my J drive, which is normally my C drive. This took a very long time to scan, so I went to bed, and when I came back to it the scan was complete but the computer was hung. I tried again; this time when I clicked save I got a blue screen stop error message:
"STOP: 0x0000008E (0x000009A, 0x808425BB, 0xBBB86E4, 0x00000000)"
So I started a scan and stopped it early just to give you a view of the log, which despite being for a different drive actually looks like the original X drive log at the beginning:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2011-09-19 11:25:58
Windows 5.1.2600
Running: G-MER.exe; Driver: B:\Temp\kwtdypog.sys


---- System - GMER 1.0.15 ----

INT 0x01 \SystemRoot\system32\drivers\dummy.sys F7A5C7C0
INT 0x03 \SystemRoot\system32\drivers\dummy.sys F7A5C7E0
INT 0x1F \I386\SYSTEM32\HALAACPI.DLL 80A18FD0
INT 0x37 \I386\SYSTEM32\HALAACPI.DLL 80A18728
INT 0x3D \I386\SYSTEM32\HALAACPI.DLL 80A19B70
INT 0x41 \I386\SYSTEM32\HALAACPI.DLL 80A199CC
INT 0x50 \I386\SYSTEM32\HALAACPI.DLL 80A18800
INT 0xC1 \I386\SYSTEM32\HALAACPI.DLL 80A18984
INT 0xD1 \I386\SYSTEM32\HALAACPI.DLL 80A17D34
INT 0xE1 \I386\SYSTEM32\HALAACPI.DLL 80A18F0C
INT 0xE3 \I386\SYSTEM32\HALAACPI.DLL 80A18C70
INT 0xFD \I386\SYSTEM32\HALAACPI.DLL 80A19464
INT 0xFE \I386\SYSTEM32\HALAACPI.DLL 80A19604

---- Kernel code sections - GMER 1.0.15 ----

? \I386\SYSTEM32\NTKRNLMP.EXE kernel module suspicious modification
? \I386\SYSTEM32\NTKRNLMP.EXE The system cannot find the file specified. !

---- Threads - GMER 1.0.15 ----

Thread System [4:148] BB6C5096

---- EOF - GMER 1.0.15 ----


DDS
DDS: Win7 version. HBCD gave a much shorter log.
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Tom at 11:47:22 on 2011-09-19
Microsoft Windows 7 Home Basic 6.1.7600.0.1252.1.1033.18.4095.2879 [GMT 1:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Tom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Tom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Tom\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\ctfmon.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
mWinlogon: Userinit=userinit.exe,
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [Google Update] "C:\Users\Tom\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
StartupFolder: C:\Users\Tom\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MAGICD~1.LNK - C:\Program Files (x86)\MagicDisc\MagicDisc.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{B24440CD-6E5D-4152-8AB4-7F179985B39D} : DhcpNameServer = 192.168.0.1
BHO-X64: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
BHO-X64: Conduit Engine - No File
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
BHO-X64: uTorrentBar - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
TB-X64: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
Hosts: 78.47.251.150 easyanticheat.se # misleading site
Hosts: 78.47.251.150 www.easyanticheat.se # misleading site
Hosts: 78.47.251.150 easyanticheat.com # misleading site
Hosts: 78.47.251.150 www.easyanticheat.com # misleading site
Hosts: 78.47.251.150 easyanticheat.org # misleading site
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-9-8 42184]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y60x64.sys --> C:\Windows\system32\DRIVERS\e1y60x64.sys [?]
S3 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2011-12-12 12:18:06 25640 ----a-w- C:\Windows\gdrv.sys
2011-09-16 20:21:36 -------- d-----w- C:\Users\Tom\rootkit
2011-09-11 23:40:49 -------- d-----w- C:\Program Files (x86)\SpeedFan
2011-09-08 14:49:58 -------- d-----w- C:\Users\Tom\AppData\Roaming\mIRC
2011-09-08 14:49:58 -------- d-----w- C:\Program Files (x86)\mIRC
2011-09-08 14:35:20 -------- d-----w- C:\Program Files\Ventrilo
2011-09-08 14:34:36 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2011-09-08 10:10:26 600920 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2011-09-08 10:10:23 64856 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2011-09-08 10:08:56 40112 ----a-w- C:\Windows\avastSS.scr
2011-09-08 10:08:50 -------- d-----w- C:\ProgramData\AVAST Software
2011-09-08 10:08:50 -------- d-----w- C:\Program Files\AVAST Software
2011-09-08 09:56:42 8862544 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B813A7FF-8CF1-401F-B620-F5D864BF2BA9}\mpengine.dll
2011-09-08 09:54:27 -------- d-----w- C:\Users\Tom\AppData\Roaming\Malwarebytes
2011-09-08 09:54:23 -------- d-----w- C:\ProgramData\Malwarebytes
2011-09-08 09:54:20 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-09-08 09:54:20 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-09-03 12:37:05 -------- d-----w- C:\Users\Tom\AppData\Local\dxhr
2011-09-03 12:36:23 -------- d-----w- C:\Users\Tom\AppData\Local\28050
2011-08-25 16:30:39 -------- d-----w- C:\Users\Tom\AppData\Local\ElevatedDiagnostics
2011-08-25 12:52:44 -------- d-----w- C:\Users\Tom\AppData\Local\Gas Powered Games
2011-08-25 12:23:49 -------- d-----w- C:\Program Files (x86)\SystemRequirementsLab
2011-08-24 11:17:52 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-08-24 11:17:52 2048 ----a-w- C:\Windows\System32\tzres.dll
.
==================== Find3M ====================
.
2011-12-12 23:24:13 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-12-12 23:24:13 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-12-12 23:23:48 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-12-12 23:08:20 6656 ----a-w- C:\Windows\System32\lpcio.dll
2011-07-29 10:50:05 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-07-22 05:35:08 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-07-22 04:56:17 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-07-16 05:26:54 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-16 05:26:53 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-16 05:26:53 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-16 05:26:18 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-07-16 05:24:09 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-16 05:21:32 422400 ----a-w- C:\Windows\System32\KernelBase.dll
2011-07-16 05:17:46 338432 ----a-w- C:\Windows\System32\conhost.exe
2011-07-16 04:36:09 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:32:14 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-07-16 04:31:50 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-16 04:30:29 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-16 04:30:27 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:26:12 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-16 02:26:11 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-16 02:21:47 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21:47 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21:47 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21:47 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-14 10:06:56 9359872 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-07-14 10:06:44 4017152 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-07-14 10:06:10 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-07-14 10:06:10 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-07-14 10:06:09 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-07-14 10:06:05 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-07-14 10:06:03 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-07-14 10:06:00 485376 ----a-w- C:\Windows\System32\atieclxx.exe
2011-07-14 10:05:55 462848 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-07-14 10:05:55 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-07-14 10:05:55 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-07-14 10:05:53 40960 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-07-14 10:05:52 23336960 ----a-w- C:\Windows\System32\atio6axx.dll
2011-07-14 10:05:26 5008384 ----a-w- C:\Windows\System32\atidxx64.dll
2011-07-14 10:05:20 309760 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-07-14 10:04:54 6847488 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-07-14 10:04:09 31744 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-07-14 10:03:23 5486592 ----a-w- C:\Windows\System32\atiumd64.dll
2011-07-14 10:03:08 262144 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-07-14 10:02:45 12800 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-07-14 10:02:45 12800 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-07-14 10:02:39 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-07-14 10:02:24 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-07-14 10:02:22 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-07-14 10:02:18 14848 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-07-14 10:02:04 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-07-14 10:01:27 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-07-14 10:00:48 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-07-14 10:00:35 8489472 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-07-14 10:00:31 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-07-14 10:00:24 688128 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-07-14 10:00:17 151552 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-07-14 10:00:16 53760 ----a-w- C:\Windows\System32\atimpc64.dll
2011-07-14 10:00:16 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-07-14 09:59:55 17940992 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-07-14 09:59:45 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-07-14 09:59:42 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-07-14 09:59:29 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-07-14 09:59:21 4219904 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-07-14 09:58:45 4330496 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-07-14 09:58:45 204288 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-07-14 09:58:44 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-07-14 09:58:09 811008 ----a-w- C:\Windows\System32\aticfx64.dll
2011-07-14 09:58:01 3810816 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-07-14 09:57:40 366592 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-07-14 09:57:40 16384 ----a-w- C:\Windows\System32\atimuixx.dll
2011-07-14 09:57:39 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-07-11 11:02:27 0 ----a-w- C:\Windows\SysWow64\ConduitEngine.tmp
2011-07-09 02:44:55 287744 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-06-23 10:43:29 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-06-23 05:29:39 5507968 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-06-23 04:38:05 3957120 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-06-23 04:38:04 3902336 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-06-22 22:19:05 2250024 ----a-w- C:\Windows\SysWow64\pbsvc.exe
2011-06-22 21:34:44 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-06-22 18:52:33 2434856 ----a-w- C:\Windows\SysWow64\pbsvc_bc2.exe
.
============= FINISH: 11:47:46.92 ===============

Attach:- win7 version
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Basic
Boot Device: \Device\HarddiskVolume2
Install Date: 14/06/2011 23:54:33
System Uptime: 19/09/2011 11:39:39 (0 hours ago)
.
Motherboard: Acer | | EG43M
Processor: Intel(R) Core(TM)2 Quad CPU Q8300 @ 2.50GHz | CPU 1 | 2499/333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 342 GiB total, 76.919 GiB free.
D: is FIXED (NTFS) - 343 GiB total, 279.18 GiB free.
E: is CDROM (CDFS)
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is CDROM (UDF)
L: is CDROM (CDFS)
M: is FIXED (NTFS) - 932 GiB total, 587.81 GiB free.
N: is CDROM (UDF)
O: is FIXED (NTFS) - 0 GiB total, 0.069 GiB free.
P: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&242CC0DB&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&242CC0DB&0
Service: i8042prt
.
==== System Restore Points ===================
.
RP38: 12/08/2011 15:03:10 - Windows Update
RP39: 12/08/2011 21:13:38 - Windows Update
RP40: 15/08/2011 19:34:09 - Installed DirectX
RP41: 23/08/2011 15:09:45 - Scheduled Checkpoint
RP42: 25/08/2011 01:31:23 - Windows Update
RP43: 03/09/2011 13:10:30 - Installed DirectX
RP44: 03/09/2011 13:15:29 - Installed DirectX
RP45: 08/09/2011 11:08:32 - avast! Free Antivirus Setup
RP46: 08/09/2011 15:35:03 - Installed Ventrilo Client for Windows x64
.
==== Hosts File Hijack ======================
.
Hosts: 78.47.251.150 easyanticheat.se # misleading site
Hosts: 78.47.251.150 www.easyanticheat.se # misleading site
Hosts: 78.47.251.150 easyanticheat.com # misleading site
Hosts: 78.47.251.150 www.easyanticheat.com # misleading site
Hosts: 78.47.251.150 easyanticheat.org # misleading site
Hosts: 78.47.251.150 www.easyanticheat.org # misleading site
.
==== Installed Programs ======================
.
µTorrent
Adobe AIR
Adobe Flash Player ActiveX
Age of Empires III
Age of Empires III - The Asian Dynasties
Age of Empires III - The WarChiefs
And Yet It Moves 1.2.0
avast! Free Antivirus
Battlefield: Bad Company™ 2
Call of Duty 4: Modern Warfare
Call of Duty: Modern Warfare 2 - Multiplayer
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
CCC Help English
Conduit Engine
Counter-Strike: Source
Crayon Physics Deluxe version 55
Deus Ex: Human Revolution
Dropbox
Far Cry 2
Garry's Mod
GIMP 2.6.11
Google Chrome
Half-Life
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Episode One
Half-Life 2: Episode Two
Java Auto Updater
Java(TM) 6 Update 26
Just Cause 2
Left 4 Dead
Left 4 Dead 2
MagicDisc 2.7.106
Malwarebytes' Anti-Malware version 1.51.2.1300
McAfee Security Scan Plus
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft WSE 3.0 Runtime
mIRC
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Portal
Portal 2
PunkBuster Services
Realtek High Definition Audio Driver
SpeedFan (remove only)
Steam
Supreme Commander 2
System Requirements Lab CYRI
Team Fortress 2
The Sims™ 3
The Sims™ 3 Fast Lane Stuff
The Sims™ 3 Late Night
TrackMania United 0.2.0.1
uTorrentBar Toolbar
VVVVVV version 2.0
Winamp
Winamp Detector Plug-in
.
==== Event Viewer Messages From Past Week ========
.
12/12/2011 00:10:27, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147014847
12/09/2011 00:28:04, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000c2 (0x0000000000000007, 0x0000000000001097, 0x00000000c0220f44, 0xfffff80002e8c8ed). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 091211-20124-01.
11/12/2011 17:34:13, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by -7775935 seconds. The time service will not change the system time by more than 54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->64.4.31.162:123) is working properly.
.
==== End Of File ===========================
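A defender's triage pass over DDS-style report lines like the ones posted above, added here as an example and not a tool from this thread: it groups HOSTS redirects by target address so that several domains pointed at one external IP stand out, and it flags the mPolicies-system values the log shows set to UAC-off states. The sample lines are constructed from the posted log; the two-domain threshold and the table of weak settings are my assumptions.

```python
"""Triage helper for DDS 'Pseudo HJT Report' lines (HOSTS redirects and UAC policy).

Example code written for this thread; the sample input below is constructed
from the DDS log posted above, not read from a live machine.
"""
import re

SAMPLE_DDS = """\
mWinlogon: Userinit=userinit.exe,
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
TCP: DhcpNameServer = 192.168.0.1
Hosts: 78.47.251.150 easyanticheat.se # misleading site
Hosts: 78.47.251.150 www.easyanticheat.se # misleading site
Hosts: 78.47.251.150 easyanticheat.com # misleading site
Hosts: 127.0.0.1 localhost
"""

# DDS prints HOSTS entries as "Hosts: <ip> <name> [# comment]" and
# machine-wide system policies as "mPolicies-system: <Name> = <dec> (<hex>)".
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
POLICY_RE = re.compile(r"^[um]Policies-system:\s+(\w+)\s*=\s*(-?\d+)")

# Registry values (HKLM\...\Policies\System) and the settings that switch UAC
# off or make it prompt silently. Assumed list, not exhaustive.
WEAK_UAC_SETTINGS = {
    "EnableLUA": (0, "UAC disabled entirely"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": (0, "elevation prompts not shown on the secure desktop"),
}


def is_loopback(ip):
    """Loopback or null targets are the normal way HOSTS is used to block a name."""
    return ip.startswith("127.") or ip in ("::1", "0.0.0.0")


def parse_hosts(text):
    """Map each HOSTS target address to the list of names sent to it, in log order."""
    targets = {}
    for line in text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            targets.setdefault(m.group(1), []).append(m.group(2))
    return targets


def parse_system_policies(text):
    """Return {policy name: integer value} for every mPolicies-system line."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policies[m.group(1)] = int(m.group(2))
    return policies


def hosts_redirects(text, min_domains=2):
    """(ip, domains) pairs where a non-loopback address receives several names.

    Blocking a site normally points it at 127.0.0.1; several domains all routed
    to one routable address is the pattern DDS labels 'Hosts File Hijack'.
    """
    return [(ip, names) for ip, names in parse_hosts(text).items()
            if not is_loopback(ip) and len(names) >= min_domains]


def uac_findings(text):
    """(name, value, meaning) for each system policy set to a UAC-weakening value."""
    policies = parse_system_policies(text)
    return [(name, policies[name], meaning)
            for name, (bad_value, meaning) in WEAK_UAC_SETTINGS.items()
            if policies.get(name) == bad_value]


def triage(text):
    """Run both checks over one DDS report and return the findings together."""
    return {"hosts_redirects": hosts_redirects(text), "uac": uac_findings(text)}


if __name__ == "__main__":
    result = triage(SAMPLE_DDS)
    for ip, names in result["hosts_redirects"]:
        print(f"HOSTS redirect: {len(names)} names -> {ip}: {', '.join(names)}")
    for name, value, meaning in result["uac"]:
        print(f"UAC policy {name} = {value}: {meaning}")
```

On the posted log this reports one redirect target carrying the easyanticheat names and three UAC settings at their off values; a restore of EnableLUA=1 and ConsentPromptBehaviorAdmin to a prompting value is what a cleanup would later verify against the same parser.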
 
Welcome aboard


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

================================================================

Download TDSSKiller and save it to your desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
Had to download TDSSKiller on a laptop and copy it across on a USB as I can't access a wired internet connection at the moment.
Win7 scan:
System scan complete in 7 seconds.
252 scanned
0 infections.

HBCD: "The application has failed to start because WINHTTP.dll was not found. Re-installing the application may fix this problem."
This "unable to locate component" message is displaying both when trying to start TDSSKiller from the HBCD menu and by copying the file to the desktop and double clicking.
 
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan:


On completion of the scan click "Save log", save it to your desktop and post in your next reply:


NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
aswMBR log:

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-21 09:51:46
-----------------------------
09:51:46.038 OS Version: Windows x64 6.1.7600
09:51:46.038 Number of processors: 4 586 0x170A
09:51:46.038 ComputerName: TOM-PC UserName: Tom
09:51:49.283 Initialize success
09:51:49.314 AVAST engine defs: 11091900
09:51:59.189 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
09:51:59.189 Disk 0 Vendor: ST375052 CC44 Size: 715404MB BusType: 8
09:51:59.189 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
09:51:59.189 Disk 1 Vendor: SAMSUNG_ 1AJ1 Size: 953869MB BusType: 8
09:51:59.220 Disk 0 MBR read successfully
09:51:59.220 Disk 0 MBR scan
09:51:59.220 Disk 0 Windows 7 default MBR code
09:51:59.235 Service scanning
09:52:00.390 Modules scanning
09:52:00.390 Disk 0 trace - called modules:
09:52:00.405 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorV.sys hal.dll
09:52:00.405 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80058e3060]
09:52:00.421 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80047c3050]
09:52:01.014 AVAST engine scan C:\Windows
09:52:02.199 AVAST engine scan C:\Windows\system32
09:52:54.896 AVAST engine scan C:\Windows\system32\drivers
09:53:00.731 AVAST engine scan C:\Users\Tom
09:54:08.404 AVAST engine scan C:\ProgramData
09:54:15.548 Scan finished successfully
09:55:48.915 Disk 0 MBR has been saved successfully to "C:\Users\Tom\Desktop\MBR.dat"
09:55:48.915 The log file has been saved successfully to "C:\Users\Tom\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-21 13:08:23
-----------------------------
13:08:23.278 OS Version: Windows x64 6.1.7600
13:08:23.278 Number of processors: 4 586 0x170A
13:08:23.279 ComputerName: TOM-PC UserName: Tom
13:08:27.059 Initialize success
13:08:27.169 AVAST engine defs: 11092100
13:08:33.706 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
13:08:33.708 Disk 0 Vendor: ST375052 CC44 Size: 715404MB BusType: 8
13:08:33.710 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
13:08:33.712 Disk 1 Vendor: SAMSUNG_ 1AJ1 Size: 953869MB BusType: 8
13:08:33.730 Disk 0 MBR read successfully
13:08:33.732 Disk 0 MBR scan
13:08:33.735 Disk 0 Windows 7 default MBR code
13:08:33.738 Service scanning
13:08:35.323 Modules scanning
13:08:35.326 Disk 0 trace - called modules:
13:08:35.352 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorV.sys hal.dll
13:08:35.356 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80058e4060]
13:08:35.359 3 CLASSPNP.SYS[fffff880019a743f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80046d9050]
13:08:39.814 AVAST engine scan C:\Windows
13:08:41.035 AVAST engine scan C:\Windows\system32
13:09:36.449 AVAST engine scan C:\Windows\system32\drivers
13:09:42.694 AVAST engine scan C:\Users\Tom
13:10:54.500 AVAST engine scan C:\ProgramData
13:11:03.242 Scan finished successfully
13:11:51.289 Disk 0 MBR has been saved successfully to "C:\Users\Tom\Desktop\MBR.dat"
13:11:51.305 The log file has been saved successfully to "C:\Users\Tom\Desktop\aswMBR.txt"


Combofix log:


ComboFix 11-09-21.01 - Tom 21/09/2011 13:22:59.2.4 - x64
Microsoft Windows 7 Home Basic 6.1.7600.0.1252.1.1033.18.4095.3152 [GMT 1:00]
Running from: c:\users\Tom\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
M:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-21 to 2011-09-21 )))))))))))))))))))))))))))))))
.
.
2011-12-12 12:18 . 2011-12-12 12:18 25640 ----a-w- c:\windows\gdrv.sys
2011-09-21 12:29 . 2011-09-21 12:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-16 20:21 . 2011-09-16 20:21 -------- d-----w- c:\users\Tom\rootkit
2011-09-11 23:40 . 2011-09-19 11:38 -------- d-----w- c:\program files (x86)\SpeedFan
2011-09-08 14:49 . 2011-09-08 18:47 -------- d-----w- c:\users\Tom\AppData\Roaming\mIRC
2011-09-08 14:49 . 2011-09-08 14:49 -------- d-----w- c:\program files (x86)\mIRC
2011-09-08 14:35 . 2011-09-08 16:59 -------- d-----w- c:\users\Tom\AppData\Roaming\Ventrilo
2011-09-08 14:35 . 2011-09-08 14:35 -------- d-----w- c:\program files\Ventrilo
2011-09-08 14:34 . 2011-09-08 14:34 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2011-09-08 10:10 . 2011-07-04 11:36 288088 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-08 10:10 . 2011-07-04 11:32 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-09-08 10:10 . 2011-07-04 11:32 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-08 10:10 . 2011-07-04 11:35 45400 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-08 10:10 . 2011-07-04 11:36 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-08 10:10 . 2011-07-04 11:43 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-08 10:10 . 2011-07-04 11:32 64856 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-09-08 10:08 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-09-08 10:08 . 2011-07-04 11:43 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-09-08 10:08 . 2011-09-08 10:08 -------- d-----w- c:\programdata\AVAST Software
2011-09-08 10:08 . 2011-09-08 10:08 -------- d-----w- c:\program files\AVAST Software
2011-09-08 09:56 . 2011-08-16 07:48 8862544 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B813A7FF-8CF1-401F-B620-F5D864BF2BA9}\mpengine.dll
2011-09-08 09:54 . 2011-09-08 09:54 -------- d-----w- c:\users\Tom\AppData\Roaming\Malwarebytes
2011-09-08 09:54 . 2011-09-08 09:54 -------- d-----w- c:\programdata\Malwarebytes
2011-09-08 09:54 . 2011-09-18 21:46 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-09-08 09:54 . 2011-08-31 16:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-03 12:37 . 2011-09-11 15:25 -------- d-----w- c:\users\Tom\AppData\Local\dxhr
2011-09-03 12:36 . 2011-09-03 12:36 -------- d-----w- c:\users\Tom\AppData\Local\28050
2011-08-25 16:30 . 2011-09-20 22:11 -------- d-----w- c:\users\Tom\AppData\Local\ElevatedDiagnostics
2011-08-25 12:52 . 2011-08-25 12:52 -------- d-----w- c:\users\Tom\AppData\Local\Gas Powered Games
2011-08-25 12:23 . 2011-08-25 12:23 -------- d-----w- c:\program files (x86)\SystemRequirementsLab
2011-08-25 12:23 . 2011-08-25 12:24 -------- d-----w- c:\users\Tom\AppData\Roaming\SystemRequirementsLab
2011-08-24 11:17 . 2011-07-09 05:14 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-24 11:17 . 2011-07-09 04:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-12 23:24 . 2011-06-23 10:35 280736 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-12-12 23:24 . 2011-06-22 18:52 280736 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-12-12 23:23 . 2011-06-22 18:52 280736 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-12-12 23:08 . 2011-08-12 14:03 6656 ----a-w- c:\windows\system32\lpcio.dll
2011-07-29 10:50 . 2011-07-29 10:50 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-07-22 05:35 . 2011-08-12 14:02 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-22 04:56 . 2011-08-12 14:02 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-07-16 05:26 . 2011-08-12 14:03 362496 ----a-w- c:\windows\system32\wow64win.dll
2011-07-16 05:26 . 2011-08-12 14:03 243200 ----a-w- c:\windows\system32\wow64.dll
2011-07-16 05:26 . 2011-08-12 14:03 13312 ----a-w- c:\windows\system32\wow64cpu.dll
2011-07-16 05:26 . 2011-08-12 14:03 214528 ----a-w- c:\windows\system32\winsrv.dll
2011-07-16 05:24 . 2011-08-12 14:03 16384 ----a-w- c:\windows\system32\ntvdm64.dll
2011-07-16 05:21 . 2011-08-12 14:03 422400 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 05:17 . 2011-08-12 14:03 338432 ----a-w- c:\windows\system32\conhost.exe
2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 04:36 . 2011-08-12 14:03 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2011-07-16 04:32 . 2011-08-12 14:03 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-07-16 04:31 . 2011-08-12 14:03 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2011-07-16 04:30 . 2011-08-12 14:03 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2011-07-16 04:30 . 2011-08-12 14:03 272384 ----a-w- c:\windows\SysWow64\KernelBase.dll
2011-07-16 04:19 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 5120 ---ha-w- c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:26 . 2011-08-12 14:03 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2011-07-16 02:26 . 2011-08-12 14:03 2048 ----a-w- c:\windows\SysWow64\user.exe
2011-07-16 02:21 . 2011-08-12 14:03 6144 ---ha-w- c:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21 . 2011-08-12 14:03 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-14 10:06 . 2011-07-14 10:06 9359872 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-07-14 10:06 . 2011-07-14 10:06 4017152 ----a-w- c:\windows\SysWow64\atiumdva.dll
2011-07-14 10:06 . 2011-07-14 10:06 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
2011-07-14 10:06 . 2011-07-14 10:06 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2011-07-14 10:06 . 2011-07-14 10:06 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2011-07-14 10:06 . 2011-04-20 01:21 38912 ----a-w- c:\windows\system32\atiu9p64.dll
2011-07-14 10:06 . 2011-07-14 10:06 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2011-07-14 10:06 . 2011-07-14 10:05 485376 ----a-w- c:\windows\system32\atieclxx.exe
2011-07-14 10:05 . 2011-07-14 10:05 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2011-07-14 10:05 . 2011-07-14 10:05 120320 ----a-w- c:\windows\system32\atitmm64.dll
2011-07-14 10:05 . 2011-04-20 02:05 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-07-14 10:05 . 2011-04-20 01:21 40960 ----a-w- c:\windows\system32\atiuxp64.dll
2011-07-14 10:05 . 2011-07-14 10:01 23336960 ----a-w- c:\windows\system32\atio6axx.dll
2011-07-14 10:05 . 2011-04-20 01:49 5008384 ----a-w- c:\windows\system32\atidxx64.dll
2011-07-14 10:05 . 2011-07-14 10:04 309760 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-07-14 10:04 . 2011-06-22 21:34 6847488 ----a-w- c:\windows\SysWow64\aticaldd.dll
2011-07-14 10:04 . 2011-04-20 01:21 31744 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2011-07-14 10:03 . 2011-04-20 01:31 5486592 ----a-w- c:\windows\system32\atiumd64.dll
2011-07-14 10:03 . 2011-07-14 10:02 262144 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2011-07-14 10:02 . 2011-07-14 10:02 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2011-07-14 10:02 . 2011-07-14 10:02 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2011-07-14 10:02 . 2011-07-14 10:02 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2011-07-14 10:02 . 2011-04-20 01:27 58880 ----a-w- c:\windows\system32\coinst.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTor.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-28 16:22 176936 ----a-w- c:\program files (x86)\ConduitEngine\prxConduitEngin.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-03-28 16:22 176936 ----a-w- c:\program files (x86)\uTorrentBar\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTor.dll" [2011-03-28 176936]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\prxConduitEngin.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-09-09 1242448]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-05-24 336384]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
c:\users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2011-6-23 576000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R3 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1868448291-1290413434-3280070625-1000Core.job
- c:\users\Tom\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-14 15:06]
.
2011-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1868448291-1290413434-3280070625-1000UA.job
- c:\users\Tom\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-14 15:06]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-06 7940128]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-07-06 1833504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.254
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-EA Core - c:\program files (x86)\Electronic Arts\EADM\Core.exe
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_moh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1868448291-1290413434-3280070625-1000\Software\SecuROM\License information*]
"datasecu"=hex:01,38,8e,91,94,2e,80,d3,7b,6f,45,1a,4d,f8,26,1c,c1,42,89,a0,88,
88,8d,be,fd,af,ec,0e,a4,ae,5f,7b,93,c9,62,a8,7d,72,b1,1a,49,c1,23,ee,c4,70,\
"rkeysecu"=hex:d5,56,77,9c,46,ea,46,cb,21,61,08,4c,8c,9a,35,83
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.9"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9f.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9f.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@="IFlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2011-09-21 13:34:12 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-21 12:34
.
Pre-Run: 85,043,724,288 bytes free
Post-Run: 84,460,564,480 bytes free
.
- - End Of File - - 899C5394707CE358523CA24CB3382E8B


System behaviour appears normal except for the overworked fan. I haven't experienced any random reboots or system hangs since the noise started, but I have avoided running it for longer than necessary.
 
All looks clean so far.

I don't think we're dealing with any infection here.

In this forum, we make sure your computer is free of malware and your computer is clean :)
Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
You'll get more attention.
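One check worth running over a ComboFix log like the one posted above, given here as an added example that is not part of the thread and not ComboFix's own code: the policies\system block under "Reg Loading Points" shows EnableLUA=0, which means User Account Control is switched off on this machine, a hardening gap that a "no malware found" verdict does not cover. The Windows 7 default values are assumed from Microsoft's UAC policy documentation, and the sample log is the block copied from the post.

```python
"""Triage the UAC policy block that ComboFix prints under "Reg Loading Points".

Added example for this page, not ComboFix's own code. It extracts the
[HKEY_LOCAL_MACHINE\\...\\policies\\system] values and compares each with its
Windows 7 default, so a disabled UAC is reported even when no malware is found.
"""
import re

# Windows 7 defaults (assumed from Microsoft's UAC policy documentation).
WIN7_DEFAULTS = {
    "EnableLUA": (1, "UAC enabled"),
    "ConsentPromptBehaviorAdmin": (5, "admins are prompted for consent for non-Windows binaries"),
    "ConsentPromptBehaviorUser": (3, "standard users are prompted for credentials"),
    "PromptOnSecureDesktop": (1, "elevation prompts use the secure desktop"),
    "EnableUIADesktopToggle": (0, "UIAccess apps cannot bypass the secure desktop"),
}

POLICY_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"
# ComboFix prints values as:  "Name"= 0 (0x0)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)\s*\(0x[0-9a-fA-F]+\)\s*$')

# Constructed sample: the policies\system block exactly as it appears in the post.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
"""


def parse_policy_block(log_text):
    """Return {value_name: int} for the policies\\system block, or {} if the log lacks it."""
    values = {}
    in_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == POLICY_KEY.lower():
            in_block = True
            continue
        if not in_block:
            continue
        # ComboFix separates blocks with a lone "." or the next [key] header.
        if line == "." or line.startswith("["):
            break
        m = VALUE_RE.match(line)
        if m:
            values[m.group("name")] = int(m.group("val"))
    return values


def uac_disabled(values):
    """True when the log explicitly shows EnableLUA=0 (UAC off)."""
    return values.get("EnableLUA") == 0


def uac_findings(values):
    """Return (name, found, default, default_meaning) for every value that differs
    from the Windows 7 default. Values absent from the log are not reported, because
    ComboFix omits entries that still hold legitimate defaults."""
    findings = []
    for name, (default, meaning) in WIN7_DEFAULTS.items():
        if name in values and values[name] != default:
            findings.append((name, values[name], default, meaning))
    return findings


def triage(log_text):
    """Convenience wrapper returning a summary dict for a whole ComboFix log."""
    values = parse_policy_block(log_text)
    return {"uac_disabled": uac_disabled(values), "findings": uac_findings(values)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("UAC disabled:", result["uac_disabled"])
    for name, found, default, meaning in result["findings"]:
        print(f"  {name} = {found} (Win7 default {default}: {meaning})")
```

On the posted log this reports UAC disabled plus three values that differ from the Windows 7 defaults (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop); the re-enable step is a separate remediation the thread does not cover.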
 