TechSpot

Suspected Kernel mode rootkit win7x64

By MajorDick
Sep 19, 2011
  1. I know you probably just want logs and not waffly back stories, so I'll try and keep it as relevant and descriptive as possible.
    A week ago or so my computer started suffering random reboots and hangs. A couple of days later the CPU fan speed went up to 4400rpm on bootup and stayed that high almost constantly, with some random surges to higher speeds. After checking fan connections and blowing compressed air through the heat sink to no avail, I reflashed the BIOS.
    This worked and the fan speed was back to its normal 2300rpm. I used the computer normally for a while then switched it off; the next day the fan speed was back up to 4400rpm, suggesting to me with my limited knowledge that the BIOS had been corrupted again and I was probably dealing with a rootkit.
    So I've completed your 6 steps, some of which I ran in Windows 7 and some of which I ran on MiniXP with Hiren's Boot CD. Here are the logs.

    MBAM - failed to start on HBCD, ran in Win7
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7745

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    18/09/2011 22:48:58
    mbam-log-2011-09-18 (22-48-58).txt

    Scan type: Quick scan
    Objects scanned: 177068
    Time elapsed: 1 minute(s), 37 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER - Windows 7 produced an empty log and only allowed me to select Services, Registry and Files.
    My original HBCD scan produced this log:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2011-09-18 12:11:21
    Windows 5.1.2600
    Running: G-MER.exe; Driver: B:\Temp\kwtdypog.sys


    ---- System - GMER 1.0.15 ----

    INT 0x01 \SystemRoot\system32\drivers\dummy.sys F7A977C0
    INT 0x03 \SystemRoot\system32\drivers\dummy.sys F7A977E0
    INT 0x1F \I386\SYSTEM32\HALAACPI.DLL 80A18FD0
    INT 0x37 \I386\SYSTEM32\HALAACPI.DLL 80A18728
    INT 0x3D \I386\SYSTEM32\HALAACPI.DLL 80A19B70
    INT 0x41 \I386\SYSTEM32\HALAACPI.DLL 80A199CC
    INT 0x50 \I386\SYSTEM32\HALAACPI.DLL 80A18800
    INT 0xC1 \I386\SYSTEM32\HALAACPI.DLL 80A18984
    INT 0xD1 \I386\SYSTEM32\HALAACPI.DLL 80A17D34
    INT 0xE1 \I386\SYSTEM32\HALAACPI.DLL 80A18F0C
    INT 0xE3 \I386\SYSTEM32\HALAACPI.DLL 80A18C70
    INT 0xFD \I386\SYSTEM32\HALAACPI.DLL 80A19464
    INT 0xFE \I386\SYSTEM32\HALAACPI.DLL 80A19604

    ---- Kernel code sections - GMER 1.0.15 ----

    ? \I386\SYSTEM32\NTKRNLMP.EXE kernel module suspicious modification
    ? \I386\SYSTEM32\NTKRNLMP.EXE The system cannot find the file specified. !

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs dc_fsf.sys
    AttachedDevice \Driver\ftdisk \Device\HarddiskVolume1 dcrypt.sys
    AttachedDevice \Driver\ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\ftdisk \Device\HarddiskVolume2 dcrypt.sys
    AttachedDevice \Driver\ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\ftdisk \Device\HarddiskVolume3 dcrypt.sys
    AttachedDevice \Driver\ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\ftdisk \Device\HarddiskVolume4 dcrypt.sys
    AttachedDevice \Driver\ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\ftdisk \Device\HarddiskVolume5 dcrypt.sys
    AttachedDevice \Driver\ftdisk \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis)

    Device \Driver\ACPI_HAL \Device\00000008 HALAACPI.DLL

    AttachedDevice \FileSystem\Fastfat \Fat dc_fsf.sys
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:148] BB6C5096

    ---- EOF - GMER 1.0.15 ----

    I then realised the selected drive was the X drive, which was the MiniXP RAM drive.
    So I selected what HBCD was calling my J drive, which is normally my C drive. This took a very long time to scan, so I went to bed, and when I came back to it the scan was complete but the computer was hung. I tried again; this time when I clicked save I got a blue screen stop error message:
    "STOP: 0x0000008E (0x000009A, 0x808425BB, 0xBBB86E4, 0x00000000)"
    So I started a scan and stopped it early just to give you a view of the log, which despite being for a different drive actually looks like the original X drive log at the beginning:
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2011-09-19 11:25:58
    Windows 5.1.2600
    Running: G-MER.exe; Driver: B:\Temp\kwtdypog.sys


    ---- System - GMER 1.0.15 ----

    INT 0x01 \SystemRoot\system32\drivers\dummy.sys F7A5C7C0
    INT 0x03 \SystemRoot\system32\drivers\dummy.sys F7A5C7E0
    INT 0x1F \I386\SYSTEM32\HALAACPI.DLL 80A18FD0
    INT 0x37 \I386\SYSTEM32\HALAACPI.DLL 80A18728
    INT 0x3D \I386\SYSTEM32\HALAACPI.DLL 80A19B70
    INT 0x41 \I386\SYSTEM32\HALAACPI.DLL 80A199CC
    INT 0x50 \I386\SYSTEM32\HALAACPI.DLL 80A18800
    INT 0xC1 \I386\SYSTEM32\HALAACPI.DLL 80A18984
    INT 0xD1 \I386\SYSTEM32\HALAACPI.DLL 80A17D34
    INT 0xE1 \I386\SYSTEM32\HALAACPI.DLL 80A18F0C
    INT 0xE3 \I386\SYSTEM32\HALAACPI.DLL 80A18C70
    INT 0xFD \I386\SYSTEM32\HALAACPI.DLL 80A19464
    INT 0xFE \I386\SYSTEM32\HALAACPI.DLL 80A19604

    ---- Kernel code sections - GMER 1.0.15 ----

    ? \I386\SYSTEM32\NTKRNLMP.EXE kernel module suspicious modification
    ? \I386\SYSTEM32\NTKRNLMP.EXE The system cannot find the file specified. !

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:148] BB6C5096

    ---- EOF - GMER 1.0.15 ----


    DDS
    DDS - Win7 version. HBCD gave a much shorter log
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385
    Run by Tom at 11:47:22 on 2011-09-19
    Microsoft Windows 7 Home Basic 6.1.7600.0.1252.1.1033.18.4095.2879 [GMT 1:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files (x86)\MagicDisc\MagicDisc.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Users\Tom\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Tom\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Tom\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Users\Tom\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\SysWOW64\ctfmon.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
    mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
    TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    uRun: [Google Update] "C:\Users\Tom\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
    uRun: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    StartupFolder: C:\Users\Tom\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MAGICD~1.LNK - C:\Program Files (x86)\MagicDisc\MagicDisc.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{B24440CD-6E5D-4152-8AB4-7F179985B39D} : DhcpNameServer = 192.168.0.1
    BHO-X64: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
    BHO-X64: Conduit Engine - No File
    BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
    BHO-X64: uTorrentBar - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll
    TB-X64: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
    TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    Hosts: 78.47.251.150 easyanticheat.se # misleading site
    Hosts: 78.47.251.150 www.easyanticheat.se # misleading site
    Hosts: 78.47.251.150 easyanticheat.com # misleading site
    Hosts: 78.47.251.150 www.easyanticheat.com # misleading site
    Hosts: 78.47.251.150 easyanticheat.org # misleading site
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
    R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
    R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
    R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-9-8 42184]
    R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
    R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
    R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y60x64.sys --> C:\Windows\system32\DRIVERS\e1y60x64.sys [?]
    S3 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    .
    =============== Created Last 30 ================
    .
    2011-12-12 12:18:06 25640 ----a-w- C:\Windows\gdrv.sys
    2011-09-16 20:21:36 -------- d-----w- C:\Users\Tom\rootkit
    2011-09-11 23:40:49 -------- d-----w- C:\Program Files (x86)\SpeedFan
    2011-09-08 14:49:58 -------- d-----w- C:\Users\Tom\AppData\Roaming\mIRC
    2011-09-08 14:49:58 -------- d-----w- C:\Program Files (x86)\mIRC
    2011-09-08 14:35:20 -------- d-----w- C:\Program Files\Ventrilo
    2011-09-08 14:34:36 -------- d-----w- C:\Program Files (x86)\Common Files\Wise Installation Wizard
    2011-09-08 10:10:26 600920 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2011-09-08 10:10:23 64856 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2011-09-08 10:08:56 40112 ----a-w- C:\Windows\avastSS.scr
    2011-09-08 10:08:50 -------- d-----w- C:\ProgramData\AVAST Software
    2011-09-08 10:08:50 -------- d-----w- C:\Program Files\AVAST Software
    2011-09-08 09:56:42 8862544 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B813A7FF-8CF1-401F-B620-F5D864BF2BA9}\mpengine.dll
    2011-09-08 09:54:27 -------- d-----w- C:\Users\Tom\AppData\Roaming\Malwarebytes
    2011-09-08 09:54:23 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-09-08 09:54:20 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-09-08 09:54:20 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-09-03 12:37:05 -------- d-----w- C:\Users\Tom\AppData\Local\dxhr
    2011-09-03 12:36:23 -------- d-----w- C:\Users\Tom\AppData\Local\28050
    2011-08-25 16:30:39 -------- d-----w- C:\Users\Tom\AppData\Local\ElevatedDiagnostics
    2011-08-25 12:52:44 -------- d-----w- C:\Users\Tom\AppData\Local\Gas Powered Games
    2011-08-25 12:23:49 -------- d-----w- C:\Program Files (x86)\SystemRequirementsLab
    2011-08-24 11:17:52 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2011-08-24 11:17:52 2048 ----a-w- C:\Windows\System32\tzres.dll
    .
    ==================== Find3M ====================
    .
    2011-12-12 23:24:13 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
    2011-12-12 23:24:13 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
    2011-12-12 23:23:48 280736 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
    2011-12-12 23:08:20 6656 ----a-w- C:\Windows\System32\lpcio.dll
    2011-07-29 10:50:05 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2011-07-22 05:35:08 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-07-22 04:56:17 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-07-16 05:26:54 362496 ----a-w- C:\Windows\System32\wow64win.dll
    2011-07-16 05:26:53 243200 ----a-w- C:\Windows\System32\wow64.dll
    2011-07-16 05:26:53 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
    2011-07-16 05:26:18 214528 ----a-w- C:\Windows\System32\winsrv.dll
    2011-07-16 05:24:09 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
    2011-07-16 05:21:32 422400 ----a-w- C:\Windows\System32\KernelBase.dll
    2011-07-16 05:17:46 338432 ----a-w- C:\Windows\System32\conhost.exe
    2011-07-16 04:36:09 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2011-07-16 04:32:14 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
    2011-07-16 04:31:50 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2011-07-16 04:30:29 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2011-07-16 04:30:27 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
    2011-07-16 02:26:12 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2011-07-16 02:26:11 2048 ----a-w- C:\Windows\SysWow64\user.exe
    2011-07-16 02:21:47 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2011-07-16 02:21:47 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2011-07-16 02:21:47 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2011-07-16 02:21:47 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2011-07-14 10:06:56 9359872 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
    2011-07-14 10:06:44 4017152 ----a-w- C:\Windows\SysWow64\atiumdva.dll
    2011-07-14 10:06:10 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
    2011-07-14 10:06:10 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
    2011-07-14 10:06:09 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
    2011-07-14 10:06:05 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
    2011-07-14 10:06:03 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
    2011-07-14 10:06:00 485376 ----a-w- C:\Windows\System32\atieclxx.exe
    2011-07-14 10:05:55 462848 ----a-w- C:\Windows\System32\ATIDEMGX.dll
    2011-07-14 10:05:55 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
    2011-07-14 10:05:55 120320 ----a-w- C:\Windows\System32\atitmm64.dll
    2011-07-14 10:05:53 40960 ----a-w- C:\Windows\System32\atiuxp64.dll
    2011-07-14 10:05:52 23336960 ----a-w- C:\Windows\System32\atio6axx.dll
    2011-07-14 10:05:26 5008384 ----a-w- C:\Windows\System32\atidxx64.dll
    2011-07-14 10:05:20 309760 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
    2011-07-14 10:04:54 6847488 ----a-w- C:\Windows\SysWow64\aticaldd.dll
    2011-07-14 10:04:09 31744 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
    2011-07-14 10:03:23 5486592 ----a-w- C:\Windows\System32\atiumd64.dll
    2011-07-14 10:03:08 262144 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
    2011-07-14 10:02:45 12800 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
    2011-07-14 10:02:45 12800 ----a-w- C:\Windows\System32\atiglpxx.dll
    2011-07-14 10:02:39 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
    2011-07-14 10:02:24 58880 ----a-w- C:\Windows\System32\coinst.dll
    2011-07-14 10:02:22 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
    2011-07-14 10:02:18 14848 ----a-w- C:\Windows\System32\atig6pxx.dll
    2011-07-14 10:02:04 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
    2011-07-14 10:01:27 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
    2011-07-14 10:00:48 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
    2011-07-14 10:00:35 8489472 ----a-w- C:\Windows\System32\aticaldd64.dll
    2011-07-14 10:00:31 39936 ----a-w- C:\Windows\System32\atig6txx.dll
    2011-07-14 10:00:24 688128 ----a-w- C:\Windows\SysWow64\aticfx32.dll
    2011-07-14 10:00:17 151552 ----a-w- C:\Windows\System32\atiapfxx.exe
    2011-07-14 10:00:16 53760 ----a-w- C:\Windows\System32\atimpc64.dll
    2011-07-14 10:00:16 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
    2011-07-14 09:59:55 17940992 ----a-w- C:\Windows\SysWow64\atioglxx.dll
    2011-07-14 09:59:45 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
    2011-07-14 09:59:42 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
    2011-07-14 09:59:29 423424 ----a-w- C:\Windows\System32\atipdl64.dll
    2011-07-14 09:59:21 4219904 ----a-w- C:\Windows\SysWow64\atidxx32.dll
    2011-07-14 09:58:45 4330496 ----a-w- C:\Windows\SysWow64\atiumdag.dll
    2011-07-14 09:58:45 204288 ----a-w- C:\Windows\System32\atiesrxx.exe
    2011-07-14 09:58:44 59392 ----a-w- C:\Windows\System32\atiedu64.dll
    2011-07-14 09:58:09 811008 ----a-w- C:\Windows\System32\aticfx64.dll
    2011-07-14 09:58:01 3810816 ----a-w- C:\Windows\System32\atiumd6a.dll
    2011-07-14 09:57:40 366592 ----a-w- C:\Windows\System32\atiadlxx.dll
    2011-07-14 09:57:40 16384 ----a-w- C:\Windows\System32\atimuixx.dll
    2011-07-14 09:57:39 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
    2011-07-11 11:02:27 0 ----a-w- C:\Windows\SysWow64\ConduitEngine.tmp
    2011-07-09 02:44:55 287744 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
    2011-06-23 10:43:29 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
    2011-06-23 05:29:39 5507968 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2011-06-23 04:38:05 3957120 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2011-06-23 04:38:04 3902336 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2011-06-22 22:19:05 2250024 ----a-w- C:\Windows\SysWow64\pbsvc.exe
    2011-06-22 21:34:44 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
    2011-06-22 18:52:33 2434856 ----a-w- C:\Windows\SysWow64\pbsvc_bc2.exe
    .
    ============= FINISH: 11:47:46.92 ===============

    Attach - Win7 version
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Basic
    Boot Device: \Device\HarddiskVolume2
    Install Date: 14/06/2011 23:54:33
    System Uptime: 19/09/2011 11:39:39 (0 hours ago)
    .
    Motherboard: Acer | | EG43M
    Processor: Intel(R) Core(TM)2 Quad CPU Q8300 @ 2.50GHz | CPU 1 | 2499/333mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 342 GiB total, 76.919 GiB free.
    D: is FIXED (NTFS) - 343 GiB total, 279.18 GiB free.
    E: is CDROM (CDFS)
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    K: is CDROM (UDF)
    L: is CDROM (CDFS)
    M: is FIXED (NTFS) - 932 GiB total, 587.81 GiB free.
    N: is CDROM (UDF)
    O: is FIXED (NTFS) - 0 GiB total, 0.069 GiB free.
    P: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
    Description: Microsoft PS/2 Mouse
    Device ID: ACPI\PNP0F03\4&242CC0DB&0
    Manufacturer: Microsoft
    Name: Microsoft PS/2 Mouse
    PNP Device ID: ACPI\PNP0F03\4&242CC0DB&0
    Service: i8042prt
    .
    ==== System Restore Points ===================
    .
    RP38: 12/08/2011 15:03:10 - Windows Update
    RP39: 12/08/2011 21:13:38 - Windows Update
    RP40: 15/08/2011 19:34:09 - Installed DirectX
    RP41: 23/08/2011 15:09:45 - Scheduled Checkpoint
    RP42: 25/08/2011 01:31:23 - Windows Update
    RP43: 03/09/2011 13:10:30 - Installed DirectX
    RP44: 03/09/2011 13:15:29 - Installed DirectX
    RP45: 08/09/2011 11:08:32 - avast! Free Antivirus Setup
    RP46: 08/09/2011 15:35:03 - Installed Ventrilo Client for Windows x64
    .
    ==== Hosts File Hijack ======================
    .
    Hosts: 78.47.251.150 easyanticheat.se # misleading site
    Hosts: 78.47.251.150 www.easyanticheat.se # misleading site
    Hosts: 78.47.251.150 easyanticheat.com # misleading site
    Hosts: 78.47.251.150 www.easyanticheat.com # misleading site
    Hosts: 78.47.251.150 easyanticheat.org # misleading site
    Hosts: 78.47.251.150 www.easyanticheat.org # misleading site
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Adobe AIR
    Adobe Flash Player ActiveX
    Age of Empires III
    Age of Empires III - The Asian Dynasties
    Age of Empires III - The WarChiefs
    And Yet It Moves 1.2.0
    avast! Free Antivirus
    Battlefield: Bad Company™ 2
    Call of Duty 4: Modern Warfare
    Call of Duty: Modern Warfare 2 - Multiplayer
    Catalyst Control Center
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    CCC Help English
    Conduit Engine
    Counter-Strike: Source
    Crayon Physics Deluxe version 55
    Deus Ex: Human Revolution
    Dropbox
    Far Cry 2
    Garry's Mod
    GIMP 2.6.11
    Google Chrome
    Half-Life
    Half-Life 2
    Half-Life 2: Deathmatch
    Half-Life 2: Episode One
    Half-Life 2: Episode Two
    Java Auto Updater
    Java(TM) 6 Update 26
    Just Cause 2
    Left 4 Dead
    Left 4 Dead 2
    MagicDisc 2.7.106
    Malwarebytes' Anti-Malware version 1.51.2.1300
    McAfee Security Scan Plus
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft WSE 3.0 Runtime
    mIRC
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Portal
    Portal 2
    PunkBuster Services
    Realtek High Definition Audio Driver
    SpeedFan (remove only)
    Steam
    Supreme Commander 2
    System Requirements Lab CYRI
    Team Fortress 2
    The Sims™ 3
    The Sims™ 3 Fast Lane Stuff
    The Sims™ 3 Late Night
    TrackMania United 0.2.0.1
    uTorrentBar Toolbar
    VVVVVV version 2.0
    Winamp
    Winamp Detector Plug-in
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/12/2011 00:10:27, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147014847
    12/09/2011 00:28:04, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000c2 (0x0000000000000007, 0x0000000000001097, 0x00000000c0220f44, 0xfffff80002e8c8ed). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 091211-20124-01.
    11/12/2011 17:34:13, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by -7775935 seconds. The time service will not change the system time by more than 54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->64.4.31.162:123) is working properly.
    .
    ==== End Of File ===========================
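    Added example (my own triage script, not part of the original post or of the DDS tool): the Pseudo HJT report above surfaces two things worth checking mechanically. The mPolicies-system lines show EnableLUA = 0, ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0, which together mean UAC is switched off, and the Hosts lines pin easyanticheat.* names to 78.47.251.150, a routable address rather than a loopback or 0.0.0.0 blocking entry. The script below parses lines in that shape and flags both. The sample lines are constructed from values in the posted log (not the complete log), and the "expected" UAC values assume the machine should match a stock Windows 7 install.

```python
import ipaddress
import re

# Constructed sample in the shape of the DDS "Pseudo HJT Report" above. Values are
# taken from the posted log, but this is a hand-made excerpt, not the complete log.
SAMPLE_DDS_LINES = """\
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
TCP: DhcpNameServer = 192.168.0.1
Hosts: 78.47.251.150 easyanticheat.se # misleading site
Hosts: 78.47.251.150 www.easyanticheat.com # misleading site
Hosts: 127.0.0.1 localhost
Hosts: 0.0.0.0 ads.example.invalid
""".splitlines()

# Stock Windows 7 values for the UAC keys DDS reports from
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
# Assumption: the box should match a default install; a domain GPO could legitimately differ.
UAC_DEFAULTS = {
    "EnableLUA": 1,                   # 0 turns UAC off entirely
    "ConsentPromptBehaviorAdmin": 5,  # 0 = elevate silently, no prompt
    "PromptOnSecureDesktop": 1,       # 0 = elevation prompts are not isolated from other software
}

POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s*=\s*(\d+)")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")


def parse_policies(lines):
    """Collect mPolicies-system name=value pairs into a dict of ints."""
    found = {}
    for line in lines:
        m = POLICY_RE.match(line.strip())
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def uac_findings(policies):
    """Report every UAC value that is present and differs from the Windows 7 default."""
    return [
        f"{name}={policies[name]} (default {default})"
        for name, default in UAC_DEFAULTS.items()
        if name in policies and policies[name] != default
    ]


def _is_sinkhole(ip_text):
    """Loopback or 0.0.0.0 targets only block a name; they cannot redirect traffic elsewhere."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def hosts_hijacks(lines):
    """Return (ip, hostname) pairs that pin a non-local name to a routable address."""
    hijacks = []
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        ip, host = m.group(1), m.group(2).lower()
        if host == "localhost" or _is_sinkhole(ip):
            continue
        hijacks.append((ip, host))
    return hijacks


def triage(lines):
    """Run both checks over DDS-style lines and return the findings."""
    return {"uac": uac_findings(parse_policies(lines)), "hosts": hosts_hijacks(lines)}


if __name__ == "__main__":
    result = triage(SAMPLE_DDS_LINES)
    for item in result["uac"]:
        print("UAC weakened:", item)
    for ip, host in result["hosts"]:
        print(f"hosts redirect: {host} -> {ip}")
```

    The sinkhole test is the important design choice: hosts entries pointing at 127.0.0.1 or 0.0.0.0 are how ad blockers and game anti-cheat workarounds block names, so they are noise, while an entry that sends a name to a public address is the only kind that can actually redirect traffic.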
     
  2. Broni

    Broni Malware Annihilator

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ================================================================

    Download TDSSKiller and save it to your desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  3. MajorDick

    MajorDick TS Rookie Topic Starter

    Had to download TDSSKiller on a laptop and copy it across on a USB as I can't access a wired internet connection at the moment.
    Win7 scan:
    System scan complete in 7 seconds.
    252 scanned
    0 infections.

    HBCD: "The application has failed to start because WINHTTP.dll was not found. Re-installing the application may fix this problem."
    This "unable to locate component" message is displayed both when trying to start TDSSKiller from the HBCD menu and when copying the file to the desktop and double-clicking.
     
  4. Broni

    Broni Malware Annihilator

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start the scan.

    On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.

    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file and download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, Rkill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. MajorDick

    MajorDick TS Rookie Topic Starter

    aswMBR log:

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-09-21 09:51:46
    -----------------------------
    09:51:46.038 OS Version: Windows x64 6.1.7600
    09:51:46.038 Number of processors: 4 586 0x170A
    09:51:46.038 ComputerName: TOM-PC UserName: Tom
    09:51:49.283 Initialize success
    09:51:49.314 AVAST engine defs: 11091900
    09:51:59.189 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    09:51:59.189 Disk 0 Vendor: ST375052 CC44 Size: 715404MB BusType: 8
    09:51:59.189 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
    09:51:59.189 Disk 1 Vendor: SAMSUNG_ 1AJ1 Size: 953869MB BusType: 8
    09:51:59.220 Disk 0 MBR read successfully
    09:51:59.220 Disk 0 MBR scan
    09:51:59.220 Disk 0 Windows 7 default MBR code
    09:51:59.235 Service scanning
    09:52:00.390 Modules scanning
    09:52:00.390 Disk 0 trace - called modules:
    09:52:00.405 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorV.sys hal.dll
    09:52:00.405 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80058e3060]
    09:52:00.421 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80047c3050]
    09:52:01.014 AVAST engine scan C:\Windows
    09:52:02.199 AVAST engine scan C:\Windows\system32
    09:52:54.896 AVAST engine scan C:\Windows\system32\drivers
    09:53:00.731 AVAST engine scan C:\Users\Tom
    09:54:08.404 AVAST engine scan C:\ProgramData
    09:54:15.548 Scan finished successfully
    09:55:48.915 Disk 0 MBR has been saved successfully to "C:\Users\Tom\Desktop\MBR.dat"
    09:55:48.915 The log file has been saved successfully to "C:\Users\Tom\Desktop\aswMBR.txt"


    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-09-21 13:08:23
    -----------------------------
    13:08:23.278 OS Version: Windows x64 6.1.7600
    13:08:23.278 Number of processors: 4 586 0x170A
    13:08:23.279 ComputerName: TOM-PC UserName: Tom
    13:08:27.059 Initialize success
    13:08:27.169 AVAST engine defs: 11092100
    13:08:33.706 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    13:08:33.708 Disk 0 Vendor: ST375052 CC44 Size: 715404MB BusType: 8
    13:08:33.710 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-2
    13:08:33.712 Disk 1 Vendor: SAMSUNG_ 1AJ1 Size: 953869MB BusType: 8
    13:08:33.730 Disk 0 MBR read successfully
    13:08:33.732 Disk 0 MBR scan
    13:08:33.735 Disk 0 Windows 7 default MBR code
    13:08:33.738 Service scanning
    13:08:35.323 Modules scanning
    13:08:35.326 Disk 0 trace - called modules:
    13:08:35.352 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStorV.sys hal.dll
    13:08:35.356 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80058e4060]
    13:08:35.359 3 CLASSPNP.SYS[fffff880019a743f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80046d9050]
    13:08:39.814 AVAST engine scan C:\Windows
    13:08:41.035 AVAST engine scan C:\Windows\system32
    13:09:36.449 AVAST engine scan C:\Windows\system32\drivers
    13:09:42.694 AVAST engine scan C:\Users\Tom
    13:10:54.500 AVAST engine scan C:\ProgramData
    13:11:03.242 Scan finished successfully
    13:11:51.289 Disk 0 MBR has been saved successfully to "C:\Users\Tom\Desktop\MBR.dat"
    13:11:51.305 The log file has been saved successfully to "C:\Users\Tom\Desktop\aswMBR.txt"


    Combofix log:

    ComboFix 11-09-21.01 - Tom 21/09/2011 13:22:59.2.4 - x64
    Microsoft Windows 7 Home Basic 6.1.7600.0.1252.1.1033.18.4095.3152 [GMT 1:00]
    Running from: c:\users\Tom\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    M:\install.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-21 to 2011-09-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-12 12:18 . 2011-12-12 12:18 25640 ----a-w- c:\windows\gdrv.sys
    2011-09-21 12:29 . 2011-09-21 12:29 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-09-16 20:21 . 2011-09-16 20:21 -------- d-----w- c:\users\Tom\rootkit
    2011-09-11 23:40 . 2011-09-19 11:38 -------- d-----w- c:\program files (x86)\SpeedFan
    2011-09-08 14:49 . 2011-09-08 18:47 -------- d-----w- c:\users\Tom\AppData\Roaming\mIRC
    2011-09-08 14:49 . 2011-09-08 14:49 -------- d-----w- c:\program files (x86)\mIRC
    2011-09-08 14:35 . 2011-09-08 16:59 -------- d-----w- c:\users\Tom\AppData\Roaming\Ventrilo
    2011-09-08 14:35 . 2011-09-08 14:35 -------- d-----w- c:\program files\Ventrilo
    2011-09-08 14:34 . 2011-09-08 14:34 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
    2011-09-08 10:10 . 2011-07-04 11:36 288088 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-09-08 10:10 . 2011-07-04 11:32 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-09-08 10:10 . 2011-07-04 11:32 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-09-08 10:10 . 2011-07-04 11:35 45400 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-09-08 10:10 . 2011-07-04 11:36 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-09-08 10:10 . 2011-07-04 11:43 253888 ----a-w- c:\windows\system32\aswBoot.exe
    2011-09-08 10:10 . 2011-07-04 11:32 64856 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-09-08 10:08 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
    2011-09-08 10:08 . 2011-07-04 11:43 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2011-09-08 10:08 . 2011-09-08 10:08 -------- d-----w- c:\programdata\AVAST Software
    2011-09-08 10:08 . 2011-09-08 10:08 -------- d-----w- c:\program files\AVAST Software
    2011-09-08 09:56 . 2011-08-16 07:48 8862544 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B813A7FF-8CF1-401F-B620-F5D864BF2BA9}\mpengine.dll
    2011-09-08 09:54 . 2011-09-08 09:54 -------- d-----w- c:\users\Tom\AppData\Roaming\Malwarebytes
    2011-09-08 09:54 . 2011-09-08 09:54 -------- d-----w- c:\programdata\Malwarebytes
    2011-09-08 09:54 . 2011-09-18 21:46 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-09-08 09:54 . 2011-08-31 16:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-03 12:37 . 2011-09-11 15:25 -------- d-----w- c:\users\Tom\AppData\Local\dxhr
    2011-09-03 12:36 . 2011-09-03 12:36 -------- d-----w- c:\users\Tom\AppData\Local\28050
    2011-08-25 16:30 . 2011-09-20 22:11 -------- d-----w- c:\users\Tom\AppData\Local\ElevatedDiagnostics
    2011-08-25 12:52 . 2011-08-25 12:52 -------- d-----w- c:\users\Tom\AppData\Local\Gas Powered Games
    2011-08-25 12:23 . 2011-08-25 12:23 -------- d-----w- c:\program files (x86)\SystemRequirementsLab
    2011-08-25 12:23 . 2011-08-25 12:24 -------- d-----w- c:\users\Tom\AppData\Roaming\SystemRequirementsLab
    2011-08-24 11:17 . 2011-07-09 05:14 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-08-24 11:17 . 2011-07-09 04:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-12 23:24 . 2011-06-23 10:35 280736 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
    2011-12-12 23:24 . 2011-06-22 18:52 280736 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
    2011-12-12 23:23 . 2011-06-22 18:52 280736 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
    2011-12-12 23:08 . 2011-08-12 14:03 6656 ----a-w- c:\windows\system32\lpcio.dll
    2011-07-29 10:50 . 2011-07-29 10:50 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-07-22 05:35 . 2011-08-12 14:02 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-07-22 04:56 . 2011-08-12 14:02 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2011-07-16 05:26 . 2011-08-12 14:03 362496 ----a-w- c:\windows\system32\wow64win.dll
    2011-07-16 05:26 . 2011-08-12 14:03 243200 ----a-w- c:\windows\system32\wow64.dll
    2011-07-16 05:26 . 2011-08-12 14:03 13312 ----a-w- c:\windows\system32\wow64cpu.dll
    2011-07-16 05:26 . 2011-08-12 14:03 214528 ----a-w- c:\windows\system32\winsrv.dll
    2011-07-16 05:24 . 2011-08-12 14:03 16384 ----a-w- c:\windows\system32\ntvdm64.dll
    2011-07-16 05:21 . 2011-08-12 14:03 422400 ----a-w- c:\windows\system32\KernelBase.dll
    2011-07-16 05:17 . 2011-08-12 14:03 338432 ----a-w- c:\windows\system32\conhost.exe
    2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
    2011-07-16 05:04 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
    2011-07-16 04:36 . 2011-08-12 14:03 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
    2011-07-16 04:32 . 2011-08-12 14:03 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2011-07-16 04:31 . 2011-08-12 14:03 25600 ----a-w- c:\windows\SysWow64\setup16.exe
    2011-07-16 04:30 . 2011-08-12 14:03 5120 ----a-w- c:\windows\SysWow64\wow32.dll
    2011-07-16 04:30 . 2011-08-12 14:03 272384 ----a-w- c:\windows\SysWow64\KernelBase.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 5120 ---ha-w- c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
    2011-07-16 04:19 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll
    2011-07-16 02:26 . 2011-08-12 14:03 7680 ----a-w- c:\windows\SysWow64\instnm.exe
    2011-07-16 02:26 . 2011-08-12 14:03 2048 ----a-w- c:\windows\SysWow64\user.exe
    2011-07-16 02:21 . 2011-08-12 14:03 6144 ---ha-w- c:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2011-07-16 02:21 . 2011-08-12 14:03 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2011-07-16 02:21 . 2011-08-12 14:03 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2011-07-16 02:21 . 2011-08-12 14:03 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2011-07-14 10:06 . 2011-07-14 10:06 9359872 ----a-w- c:\windows\system32\drivers\atikmdag.sys
    2011-07-14 10:06 . 2011-07-14 10:06 4017152 ----a-w- c:\windows\SysWow64\atiumdva.dll
    2011-07-14 10:06 . 2011-07-14 10:06 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
    2011-07-14 10:06 . 2011-07-14 10:06 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
    2011-07-14 10:06 . 2011-07-14 10:06 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
    2011-07-14 10:06 . 2011-04-20 01:21 38912 ----a-w- c:\windows\system32\atiu9p64.dll
    2011-07-14 10:06 . 2011-07-14 10:06 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
    2011-07-14 10:06 . 2011-07-14 10:05 485376 ----a-w- c:\windows\system32\atieclxx.exe
    2011-07-14 10:05 . 2011-07-14 10:05 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
    2011-07-14 10:05 . 2011-07-14 10:05 120320 ----a-w- c:\windows\system32\atitmm64.dll
    2011-07-14 10:05 . 2011-04-20 02:05 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2011-07-14 10:05 . 2011-04-20 01:21 40960 ----a-w- c:\windows\system32\atiuxp64.dll
    2011-07-14 10:05 . 2011-07-14 10:01 23336960 ----a-w- c:\windows\system32\atio6axx.dll
    2011-07-14 10:05 . 2011-04-20 01:49 5008384 ----a-w- c:\windows\system32\atidxx64.dll
    2011-07-14 10:05 . 2011-07-14 10:04 309760 ----a-w- c:\windows\system32\drivers\atikmpag.sys
    2011-07-14 10:04 . 2011-06-22 21:34 6847488 ----a-w- c:\windows\SysWow64\aticaldd.dll
    2011-07-14 10:04 . 2011-04-20 01:21 31744 ----a-w- c:\windows\SysWow64\atiuxpag.dll
    2011-07-14 10:03 . 2011-04-20 01:31 5486592 ----a-w- c:\windows\system32\atiumd64.dll
    2011-07-14 10:03 . 2011-07-14 10:02 262144 ----a-w- c:\windows\SysWow64\atiadlxy.dll
    2011-07-14 10:02 . 2011-07-14 10:02 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll
    2011-07-14 10:02 . 2011-07-14 10:02 12800 ----a-w- c:\windows\system32\atiglpxx.dll
    2011-07-14 10:02 . 2011-07-14 10:02 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
    2011-07-14 10:02 . 2011-04-20 01:27 58880 ----a-w- c:\windows\system32\coinst.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTor.dll" [2011-03-28 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2011-03-28 16:22 176936 ----a-w- c:\program files (x86)\ConduitEngine\prxConduitEngin.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    2011-03-28 16:22 176936 ----a-w- c:\program files (x86)\uTorrentBar\prxtbuTor.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTor.dll" [2011-03-28 176936]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\prxConduitEngin.dll" [2011-03-28 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-09-09 1242448]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-05-24 336384]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
    .
    c:\users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2011-6-23 576000]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    R3 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
    S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y60x64.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1868448291-1290413434-3280070625-1000Core.job
    - c:\users\Tom\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-14 15:06]
    .
    2011-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1868448291-1290413434-3280070625-1000UA.job
    - c:\users\Tom\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-14 15:06]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 97792 ----a-w- c:\users\Tom\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-06 7940128]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-07-06 1833504]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.1.254
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKCU-Run-EA Core - c:\program files (x86)\Electronic Arts\EADM\Core.exe
    WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
    AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_moh.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1868448291-1290413434-3280070625-1000\Software\SecuROM\License information*]
    "datasecu"=hex:01,38,8e,91,94,2e,80,d3,7b,6f,45,1a,4d,f8,26,1c,c1,42,89,a0,88,
    88,8d,be,fd,af,ec,0e,a4,ae,5f,7b,93,c9,62,a8,7d,72,b1,1a,49,c1,23,ee,c4,70,\
    "rkeysecu"=hex:d5,56,77,9c,46,ea,46,cb,21,61,08,4c,8c,9a,35,83
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.9"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9f.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9f.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    .
    **************************************************************************
    .
    Completion time: 2011-09-21 13:34:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-09-21 12:34
    .
    Pre-Run: 85,043,724,288 bytes free
    Post-Run: 84,460,564,480 bytes free
    .
    - - End Of File - - 899C5394707CE358523CA24CB3382E8B


    System behaviour appears normal except for the overworked fan. I haven't experienced any random reboots or system hangs since the noise started, but I have avoided running it for longer than necessary.
     
  6. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    All looks clean so far.

    I don't think we're dealing with any infection here.

    In this forum, we make sure your computer is free of malware and your computer is clean :)
    Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
    You'll get more attention.
     
  7. MajorDick

    MajorDick TS Rookie Topic Starter

    Ok, thanks for all the help and sorry for my misdiagnosis.
     
  8. Broni

    Broni Malware Annihilator Posts: 52,915   +344

    You're very welcome
     