TechSpot

Windows 7 BSOD and Internet connection timeouts

By gott1rott
May 6, 2011
  1. Hello all, I'll just start from the beginning. I'm using wireless internet. A few days ago, my internet started randomly timing out and losing connection according to the Network and Sharing Center. My separate wireless software, however, would still show I was connected. My PS3 (internet browser) and other computer have no problems like this.

    A few hours after, I later looked at my Task Manager and had almost double the processes running than usual, about 107. Some had duplicate names, and others had what looked like a random sequence of letters for names. When trying to end them, it would say my computer would shut down.

    So, I ran the 8 steps and the problem went away for a day. I tried running the steps again, but removal attempts with Malwarebytes and TFC resulted in multiple crashes to the BSOD memory dump screen. Now when I log in to Windows, I keep getting this same crash a few minutes after. The only way I could run the steps again and avoid crashes is safe mode, which I'm using now. Internet has also been flawless in safe mode.
     
  2. gott1rott

    gott1rott TS Rookie Topic Starter Posts: 37

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6515

    Windows 6.1.7600 (Safe Mode)
    Internet Explorer 8.0.7600.16385

    5/5/2011 11:05:34 PM
    mbam-log-2011-05-05 (23-05-34).txt

    Scan type: Quick scan
    Objects scanned: 159763
    Time elapsed: 4 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 6
    Registry Values Infected: 16
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 17

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{BCE3EFEF-DEBA-BAC1-0FBE-FA4F3DC127EC} (Heuristics.Shuriken) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BCE3EFEF-DEBA-BAC1-0FBE-FA4F3DC127EC} (Heuristics.Shuriken) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{BCE3EFEF-DEBA-BAC1-0FBE-FA4F3DC127EC} (Heuristics.Shuriken) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{D4J6D07X-46N7-7177-107X-0V8667UKT48G} (Trojan.VBCrypt) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D4J6D07X-46N7-7177-107X-0V8667UKT48G} (Trojan.VBCrypt) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Core Services (Heuristics.Shuriken) -> Value: Core Services -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Core Services (Heuristics.Shuriken) -> Value: Core Services -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDefender (Heuristics.Shuriken) -> Value: WinDefender -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WinDefender (Heuristics.Shuriken) -> Value: WinDefender -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDefender (Heuristics.Shuriken) -> Value: WinDefender -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdiagmon.exe (Trojan.Agent.Gen) -> Value: sysdiagmon.exe -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdiagmon.exe (Trojan.Agent.Gen) -> Value: sysdiagmon.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Trojan.VBCrypt) -> Value: Policies -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies (Trojan.VBCrypt) -> Value: Policies -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Firewall (Heuristics.Shuriken) -> Value: Windows Firewall -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup (Heuristics.Shuriken) -> Value: Startup -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BBProtect (Backdoor.Agent) -> Value: BBProtect -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProcessDefender (Heuristics.Shuriken) -> Value: ProcessDefender -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crr.dll (Malware.Trace) -> Value: crr.dll -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Desktop (Trojan.Agent) -> Value: Windows Desktop -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Desktop (Trojan.Agent) -> Value: Windows Desktop -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\Users\gott1rott\AppData\Roaming\windefender (Rogue.WinDefender) -> Quarantined and deleted successfully.

    Files Infected:
    c:\Users\gott1rott\AppData\Roaming\winlogon.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
    c:\Users\gott1rott\AppData\Roaming\bots.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
    c:\Users\gott1rott\AppData\Roaming\sysdiagmon.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    c:\Windows\System32\install\server.exe (Trojan.VBCrypt) -> Quarantined and deleted successfully.
    c:\Users\gott1rott\AppData\Roaming\microsoft\svchost.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
    c:\Users\gott1rott\AppData\Roaming\218134784.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
    c:\Users\gott1rott\AppData\Roaming\469369864.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
    c:\Users\gott1rott\AppData\Roaming\cn.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
    c:\Users\gott1rott\AppData\Roaming\lqpgp.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
    c:\Users\gott1rott\AppData\Roaming\nrlpb.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    c:\Users\gott1rott\AppData\Roaming\microsoft\Run.exe (Trojan.VBCrypt) -> Quarantined and deleted successfully.
    c:\Windows\kmsemulator.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
    c:\Users\gott1rott\AppData\Roaming\windefender\FileName.exe (Malware.Trace) -> Quarantined and deleted successfully.
    c:\Users\gott1rott\AppData\Roaming\cglogs.dat (Malware.Trace) -> Quarantined and deleted successfully.
    c:\Users\gott1rott\AppData\Roaming\data.dat (Stolen.Data) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\install\server.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Users\gott1rott\AppData\Roaming\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
     
  3. gott1rott

    gott1rott TS Rookie Topic Starter Posts: 37

    GMER 1.0.15.15627 - http://www.gmer.net
    Rootkit scan 2011-05-05 23:30:53
    Windows 6.1.7600
    Running: 91pg2plt.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xAD 0xB9 0x63 0x8D ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA0 0x65 0xB8 0xAF ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x58 0x56 0x7C 0x63 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xF8 0xFA 0x39 0xB3 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xAD 0xB9 0x63 0x8D ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA0 0x65 0xB8 0xAF ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x58 0x56 0x7C 0x63 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xF8 0xFA 0x39 0xB3 ...

    ---- EOF - GMER 1.0.15 ----
     
  4. gott1rott

    gott1rott TS Rookie Topic Starter Posts: 37

    .
    DDS (Ver_11-03-05.01) - NTFS_AMD64 NETWORK
    Run by gott1rott at 23:33:00.75 on Thu 05/05/2011
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_25
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6143.5315 [GMT -4:00]
    .
    AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\ctfmon.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Users\gott1rott\Desktop\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
    BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - e:\Program Files (x86)\Megaupload\Mega Manager\MegaIEMn.dll
    BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - C:\Program Files (x86)\PayPal\PayPal Plug-In\PayPalHelper.dll
    TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - C:\Program Files (x86)\PayPal\PayPal Plug-In\OToolbar.dll
    TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    uRun: [armakicker] C:\Users\gott1rott\AppData\Roaming\login.exe
    uRun: [PRjDElIKmm] "C:\Users\gott1rott\AppData\Local\Temp\tempfile.exe"
    mRun: [armakicker] C:\Users\gott1rott\AppData\Roaming\login.exe
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [{{mStartup}}] C:\Users\GOTT1R~1\AppData\Local\Temp\Newfile.exe
    mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    dRun: [CtxfiReg] CTXFIREG.exe /FAIL1
    mExplorerRun: [armakicker] C:\Users\gott1rott\AppData\Roaming\login.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WG111v2\WG111v2.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - E:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - E:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
    mASetup: {3DEAACEE-1CB6-FD5B-EFCC-B2C0DDDCAEBF} - C:\Users\gott1rott\AppData\Roaming\login.exe
    uASetup: {3DEAACEE-1CB6-FD5B-EFCC-B2C0DDDCAEBF} - C:\Users\gott1rott\AppData\Roaming\login.exe
    BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - E:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    TB-X64: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
    mRun-x64: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    mRun-x64: [mylbx] e:\Program Files\My Lockbox\mylbx.exe /a
    mRun-x64: [BCSSync] "E:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - E:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\GOTT1R~1\AppData\Roaming\Mozilla\Firefox\Profiles\jqxxnw85.default\
    FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
    FF - component: C:\Program Files (x86)\PayPal\PayPal Plug-In\components\PayPalPlugin.dll
    FF - component: C:\Users\gott1rott\AppData\Roaming\Mozilla\Firefox\Profiles\jqxxnw85.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\WINNT_x86-msvc\components\libchm.dll
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll
    FF - plugin: C:\Users\gott1rott\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
    FF - plugin: C:\Users\gott1rott\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
    FF - plugin: C:\Users\gott1rott\AppData\Roaming\Mozilla\Firefox\Profiles\jqxxnw85.default\extensions\battlefieldplay4free@ea.com\plugins\npBP4FUpdater.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
    FF - Ext: PayPal Plug-In for Firefox: paypalfirefoxplugin@orbiscom - C:\Program Files (x86)\PayPal\PayPal Plug-In
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - C:\Users\gott1rott\AppData\Roaming\Move Networks
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: CHM Reader: {6e098d65-7d2d-46d4-ada0-2f882a29f795} - %profile%\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}
    FF - Ext: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}
    FF - Ext: Battlefield Play4Free: battlefieldplay4free@ea.com - %profile%\extensions\battlefieldplay4free@ea.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 FSProFilter;FSPro File Filter;C:\Windows\System32\drivers\FSPFltd.sys [2010-9-29 55440]
    R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-7-14 55280]
    R0 SCMNdisP;General NDIS Protocol Driver;C:\Windows\System32\drivers\SCMNdisP.sys [2010-4-26 25312]
    R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]
    R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2011-4-30 46136]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
    S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
    S1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
    S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-4-30 203776]
    S2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-4-5 365568]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2010-1-16 136360]
    S2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2010-1-16 269480]
    S2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2010-1-16 83120]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 fsproflt;FSPro Filter Service;C:\Windows\SysWOW64\fsproflt.exe [2010-9-29 142648]
    S2 IPClampService;IP-Clamp Licensing by cebas VISUAL TECHNOLOGY Inc.;C:\Program Files (x86)\cebas\ip-clamp\ipclamp.exe [2007-11-20 45700]
    S2 mi-raysat_3dsmax2011_64;mental ray 3.8 Satellite for Autodesk 3ds Max 2011 64-bit 64-bit;E:\Program Files\Autodesk\3ds Max 2011\mentalimages\satellite\raysat_3dsmax2011_64server.exe [2010-3-10 86016]
    S2 SCM_Service;SCM_Service;C:\Windows\SysWOW64\WinService.exe [2010-4-26 180224]
    S2 TabletServicePen;TabletServicePen;C:\Program Files\Tablet\Pen\Pen_Tablet.exe [2011-1-9 5790064]
    S2 TouchServicePen;Wacom Consumer Touch Service;C:\Program Files\Tablet\Pen\Pen_TouchService.exe [2011-1-9 487280]
    S3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2011-4-30 9323520]
    S3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2011-4-30 304128]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2011-4-30 115216]
    S3 cpuz134;cpuz134;C:\Program Files (x86)\CPUID\PC Wizard 2010\pcwiz_x64.sys [2010-11-25 21480]
    S3 Creative Dolby Digital Live Pack Licensing Service;Creative Dolby Digital Live Pack Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\DDLLicensing.exe [2010-1-16 79360]
    S3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\System32\drivers\CT20XUT.sys [2009-7-14 230424]
    S3 CT20XUT;CT20XUT;C:\Windows\System32\drivers\CT20XUT.sys [2009-7-14 230424]
    S3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\System32\drivers\CTEXFIFX.sys [2009-7-14 1445912]
    S3 CTEXFIFX;CTEXFIFX;C:\Windows\System32\drivers\CTEXFIFX.sys [2009-7-14 1445912]
    S3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\System32\drivers\CTHWIUT.sys [2009-7-14 95256]
    S3 CTHWIUT;CTHWIUT;C:\Windows\System32\drivers\CTHWIUT.sys [2009-7-14 95256]
    S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-8-2 1436424]
    S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2010-5-14 128928]
    S3 ha20x22k;Creative 20X2 HAL Driver;C:\Windows\System32\drivers\ha20x22k.sys [2009-7-14 1613336]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;E:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2010-1-21 51445112]
    S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\Windows\System32\drivers\wg111v2.sys [2010-4-26 340992]
    S3 SaiH053C;SaiH053C;C:\Windows\System32\drivers\SaiH053C.sys [2007-5-1 171144]
    S3 ScreamBAudioSvc;ScreamBee Audio;C:\Windows\System32\drivers\ScreamingBAudio64.sys [2010-7-1 38992]
    S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
    S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\System32\drivers\viahduaa.sys [2009-4-17 1250816]
    S3 wacmoumonitor;Wacom Mode Helper;C:\Windows\System32\drivers\wacmoumonitor.sys [2011-1-9 18288]
    S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);C:\Windows\System32\drivers\WsAudio_DeviceS(1).sys [2010-3-13 29288]
    .
    =============== Created Last 30 ================
    .
    2011-05-06 03:09:03 78848 ----a-w- C:\Windows\KMSEmulator.exe
    2011-05-05 23:07:34 63488 ---ha-w- C:\Users\GOTT1R~1\AppData\Roaming\qofpy.exe
    2011-05-05 23:04:05 64000 ---ha-w- C:\Users\GOTT1R~1\AppData\Roaming\ywmlh.exe
    2011-05-05 23:02:55 64000 ---ha-w- C:\Users\GOTT1R~1\AppData\Roaming\dbwkm.exe
    2011-05-04 19:43:28 222 ----a-w- C:\Users\GOTT1R~1\AppData\Roaming\Microsoft\svchost.exe~cache.bat
    2011-05-04 07:57:56 0 ----a-w- C:\Users\GOTT1R~1\AppData\Roaming\bs.exe
    2011-05-03 04:59:03 733184 ----a-w- C:\Users\GOTT1R~1\AppData\Roaming\clcjql.exe
    2011-05-03 02:09:51 724992 ----a-w- C:\Users\GOTT1R~1\AppData\Roaming\ixbwui.exe
    2011-05-03 01:00:51 602112 ----a-w- C:\Users\GOTT1R~1\AppData\Roaming\ypjduh.exe
    2011-05-02 23:55:57 16384 ----a-w- C:\Users\GOTT1R~1\AppData\Roaming\login.exe
    2011-05-02 23:55:53 724992 ----a-w- C:\Users\GOTT1R~1\AppData\Roaming\cxstbs.exe
    2011-04-30 17:19:41 -------- d-----w- C:\Users\GOTT1R~1\AppData\Local\AMD
    2011-04-30 17:16:18 -------- d-----w- C:\PROGRA~3\AMD
    2011-04-30 16:31:42 -------- d-----w- C:\Program Files (x86)\AMD APP
    2011-04-30 16:31:06 46136 ----a-w- C:\Windows\System32\drivers\amdiox64.sys
    2011-04-14 01:59:14 59904 ----a-w- C:\Windows\SysWow64\OVDecode.dll
    2011-04-14 01:59:02 51712 ----a-w- C:\Windows\SysWow64\OpenCL.dll
    2011-04-14 01:58:46 12385280 ----a-w- C:\Windows\SysWow64\amdocl.dll
    2011-04-14 01:45:32 -------- d-----w- C:\Users\GOTT1R~1\AppData\Local\Arktos
    2011-04-09 20:43:14 56732 ----a-w- C:\Windows\RFMaxPluginUninstall.exe
    .
    ==================== Find3M ====================
    .
    2011-04-14 09:07:59 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
    2011-04-06 04:11:44 9323520 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
    2011-04-06 02:29:18 22623232 ----a-w- C:\Windows\System32\atio6axx.dll
    2011-04-06 02:25:56 234768 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
    2011-04-06 02:09:50 61952 ----a-w- C:\Windows\System32\OVDecode64.dll
    2011-04-06 02:09:34 53760 ----a-w- C:\Windows\System32\OpenCL.dll
    2011-04-06 02:09:22 16116224 ----a-w- C:\Windows\System32\amdocl64.dll
    2011-04-06 02:07:18 17469952 ----a-w- C:\Windows\SysWow64\atioglxx.dll
    2011-04-06 02:03:24 147456 ----a-w- C:\Windows\System32\atiapfxx.exe
    2011-04-06 02:03:14 671744 ----a-w- C:\Windows\SysWow64\aticfx32.dll
    2011-04-06 02:02:00 788480 ----a-w- C:\Windows\System32\aticfx64.dll
    2011-04-06 02:00:39 234768 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
    2011-04-06 01:59:32 462848 ----a-w- C:\Windows\System32\ATIDEMGX.dll
    2011-04-06 01:59:24 480256 ----a-w- C:\Windows\System32\atieclxx.exe
    2011-04-06 01:58:48 203776 ----a-w- C:\Windows\System32\atiesrxx.exe
    2011-04-06 01:57:36 120320 ----a-w- C:\Windows\System32\atitmm64.dll
    2011-04-06 01:57:20 423424 ----a-w- C:\Windows\System32\atipdl64.dll
    2011-04-06 01:57:14 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
    2011-04-06 01:57:02 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
    2011-04-06 01:56:56 16384 ----a-w- C:\Windows\System32\atimuixx.dll
    2011-04-06 01:56:52 59392 ----a-w- C:\Windows\System32\atiedu64.dll
    2011-04-06 01:56:48 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
    2011-04-06 01:53:34 4307968 ----a-w- C:\Windows\SysWow64\atidxx32.dll
    2011-04-06 01:44:52 5086208 ----a-w- C:\Windows\System32\atidxx64.dll
    2011-04-06 01:42:14 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
    2011-04-06 01:42:12 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
    2011-04-06 01:42:04 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
    2011-04-06 01:42:02 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
    2011-04-06 01:41:50 7467008 ----a-w- C:\Windows\System32\aticaldd64.dll
    2011-04-06 01:38:50 6098432 ----a-w- C:\Windows\SysWow64\aticaldd.dll
    2011-04-06 01:35:00 4256768 ----a-w- C:\Windows\SysWow64\atiumdag.dll
    2011-04-06 01:34:38 1208320 ----a-w- C:\Windows\System32\atiumd6v.dll
    2011-04-06 01:34:16 1912832 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
    2011-04-06 01:34:04 3421184 ----a-w- C:\Windows\System32\atiumd6a.dll
    2011-04-06 01:29:00 5408256 ----a-w- C:\Windows\System32\atiumd64.dll
    2011-04-06 01:28:02 58880 ----a-w- C:\Windows\System32\coinst.dll
    2011-04-06 01:26:40 3631616 ----a-w- C:\Windows\SysWow64\atiumdva.dll
    2011-04-06 01:22:20 361984 ----a-w- C:\Windows\System32\atiadlxx.dll
    2011-04-06 01:22:12 258048 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
    2011-04-06 01:22:04 14848 ----a-w- C:\Windows\System32\atig6pxx.dll
    2011-04-06 01:22:00 12800 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
    2011-04-06 01:22:00 12800 ----a-w- C:\Windows\System32\atiglpxx.dll
    2011-04-06 01:21:56 39936 ----a-w- C:\Windows\System32\atig6txx.dll
    2011-04-06 01:21:50 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
    2011-04-06 01:21:42 304128 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
    2011-04-06 01:20:58 40448 ----a-w- C:\Windows\System32\atiuxp64.dll
    2011-04-06 01:20:52 31232 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
    2011-04-06 01:20:46 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
    2011-04-06 01:20:38 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
    2011-04-06 01:20:04 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
    2011-04-06 01:13:22 53760 ----a-w- C:\Windows\System32\atimpc64.dll
    2011-04-06 01:13:22 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
    2011-04-06 01:13:16 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
    2011-04-06 01:13:16 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
    2011-04-05 23:19:53 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
    2011-04-02 21:07:04 8192 ----a-w- C:\Windows\SysWow64\gsimrxnp.dll
    2011-04-02 21:07:04 49024 ----a-w- C:\Windows\inf\gsiata.sys
    2011-04-02 21:07:03 92160 ----a-w- C:\Windows\SysWow64\enhkey.dll
    2011-03-31 21:48:38 86016 ----a-w- C:\Windows\SysWow64\frapsvid.dll
    2011-03-31 21:48:36 84992 ----a-w- C:\Windows\System32\frapsv64.dll
    2011-03-24 12:02:22 230352 ----a-w- C:\Windows\System32\drivers\truecrypt.sys
    2011-02-24 17:20:53 647168 ----a-w- C:\Windows\AutoKMS.exe
    2003-11-03 21:07:06 499712 ----a-w- C:\Program Files (x86)\msvcp71.dll
    2003-11-03 21:07:06 348160 ----a-w- C:\Program Files (x86)\msvcr71.dll
    2003-05-30 13:22:06 344064 ----a-r- C:\Program Files (x86)\msvcr70.dll
    2002-01-05 07:40:18 487424 ----a-w- C:\Program Files (x86)\msvcp70.dll
    .
    ============= FINISH: 23:33:24.14 ===============
     
  5. gott1rott

    gott1rott TS Rookie Topic Starter Posts: 37

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume6
    Install Date: 11/16/2009 7:01:29 PM
    System Uptime: 5/5/2011 11:10:52 PM (0 hours ago)
    .
    Motherboard: ASRock | | A780GXH/128M
    Processor: AMD Phenom(tm) II X6 1055T Processor | CPUSocket | 2800/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 37 GiB total, 2.229 GiB free.
    D: is FIXED (NTFS) - 149 GiB total, 127.357 GiB free.
    E: is FIXED (NTFS) - 466 GiB total, 5.627 GiB free.
    H: is CDROM (UDF)
    U: is FIXED (NTFS) - 1397 GiB total, 937.067 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: Security Processor Loader Driver
    Device ID: ROOT\LEGACY_SPLDR\0000
    Manufacturer:
    Name: Security Processor Loader Driver
    PNP Device ID: ROOT\LEGACY_SPLDR\0000
    Service: spldr
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: sptd
    Device ID: ROOT\LEGACY_SPTD\0000
    Manufacturer:
    Name: sptd
    PNP Device ID: ROOT\LEGACY_SPTD\0000
    Service: sptd
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft Teredo Tunneling Adapter
    Device ID: ROOT\*TEREDO\0000
    Manufacturer: Microsoft
    Name: Teredo Tunneling Pseudo-Interface
    PNP Device ID: ROOT\*TEREDO\0000
    Service: tunnel
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    µTorrent
    4.0.0.529
    Add or Remove Adobe Premiere Pro CS5
    Adobe After Effects CS5
    Adobe After Effects CS5 Third Party Content
    Adobe After Effects CS5 Third Party Royalty Content
    Adobe AIR
    Adobe Community Help
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Media Player
    Adobe Photoshop CS5
    Advertising Center
    AMD VISION Engine Control Center
    Apple Application Support
    Apple Software Update
    ATI Catalyst Registration
    Autodesk Backburner 2008.1
    Autodesk Material Library 2011
    Autodesk Material Library 2011 Base Image library
    Autodesk Material Library 2011 Medium Image library
    Avira AntiVir Personal - Free Antivirus
    Battlefield Play4Free
    BattlEye Uninstall
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    CCC Help English
    Conduit Engine
    DolbyFiles
    DVD Decrypter (Remove Only)
    Fraps (remove only)
    FumeFX 2.1 R2011 64-bit
    Futuremark SystemInfo
    GiPo@MoveOnBoot 1.9.5
    headus UVLayout v2 Demo
    HydraVision
    ImagXpress
    IP-Clamp Service
    Java Auto Updater
    Java(TM) 6 Update 25
    JDownloader
    K-Lite Codec Pack 6.0.4 (Full)
    KeyHoleTV
    Malwarebytes' Anti-Malware
    Mega Manager
    Menu Templates - Starter Kit
    Microsoft .NET Framework 1.1
    Microsoft Games for Windows - LIVE
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Move Media Player
    Movie Templates - Starter Kit
    Mozilla Firefox (3.6.17)
    MSXML 4.0 SP2 Parser and SDK
    Nero 9 Trial
    Nero BurnRights
    Nero ControlCenter
    Nero Disc Copy Gadget
    Nero DiscSpeed
    Nero DriveSpeed
    Nero InfoTool
    Nero Installer
    Nero Recode
    Nero StartSmart
    Nero Vision
    NeroBurningROM
    NeroExpress
    neroxml
    NETGEAR WG111v2 wireless USB 2.0 adapter
    NVIDIA PhysX
    Oblivion
    OpenAL
    PayPal Plug-In
    PC Wizard 2010.1.96
    PDF Settings CS5
    Platform
    PokerStars
    Portal 2
    PunkBuster Services
    PxMergeModule
    Quick Screen Capture 3.0
    QuickTime
    Rapture3D 2.3.22 Game
    redist
    Solidrocks 0.85b (remove only)
    Sound Blaster X-Fi
    SoundFont Bank Manager
    Steam
    Ulead GIF Animator 5
    uTorrentBar Toolbar
    VC 9.0 Runtime
    VIA Platform Device Manager
    VLC media player 1.0.5
    Warcraft II Battle.NET Edition 2.02
    WebTablet IE Plugin
    WebTablet Netscape Plugin
    WinPcap 3.0
    YouTube Downloader 2.5.6
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/5/2011 7:19:40 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f4 (0x0000000000000003, 0xfffffa8006aed630, 0xfffffa8006aed910, 0xfffff800033e2240). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 050511-45109-01.
    5/5/2011 7:15:40 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f4 (0x0000000000000003, 0xfffffa8008265060, 0xfffffa8008265340, 0xfffff8000338b240). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 050511-62812-01.
    5/5/2011 7:11:57 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f4 (0x0000000000000003, 0xfffffa80084e8b30, 0xfffffa80084e8e10, 0xfffff8000337a240). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 050511-82625-01.
    5/5/2011 7:04:22 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer SHERRIE-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B642AACF-FC91-4F71-902D-59E864533EFD}. The master browser is stopping or an election is being forced.
    5/5/2011 11:12:02 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    5/5/2011 11:12:02 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    5/5/2011 11:11:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    5/5/2011 11:11:52 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    5/5/2011 11:11:27 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avipbb discache SASDIFSV SASKUTIL SCDEmu spldr sptd truecrypt Wanarpv6
    5/5/2011 11:10:56 PM, Error: sptd [4] - Driver detected an internal error in its data structures for .
    5/5/2011 11:08:13 PM, Error: Application Popup [1060] - \??\C:\Windows\SysWow64\drivers\enport.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    5/5/2011 11:06:24 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
    5/5/2011 11:06:24 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    5/5/2011 11:00:44 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    5/5/2011 11:00:30 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    5/5/2011 1:49:45 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f4 (0x0000000000000003, 0xfffffa8005515b30, 0xfffffa8005515e10, 0xfffff80003396240). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 050511-63906-01.
    5/5/2011 1:44:53 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f4 (0x0000000000000003, 0xfffffa800826eb30, 0xfffffa800826ee10, 0xfffff8000337c240). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 050511-80609-01.
    5/5/2011 1:39:16 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f4 (0x0000000000000003, 0xfffffa80058ab060, 0xfffffa80058ab340, 0xfffff800033ca240). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 050511-115015-01.
    5/4/2011 1:22:56 PM, Error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort3.
    5/3/2011 8:28:36 PM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.2. The computer with the IP address 192.168.1.5 did not allow the name to be claimed by this computer.
    5/3/2011 3:54:54 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    5/3/2011 3:31:31 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    5/3/2011 3:31:31 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    5/3/2011 3:30:58 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f4 (0x0000000000000003, 0xfffffa8005407060, 0xfffffa8005407340, 0xfffff800033dd240). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 050311-52406-01.
    5/3/2011 3:30:44 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avipbb CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss SASDIFSV SASKUTIL SCDEmu spldr sptd tdx truecrypt Wanarpv6 WfpLwf
    5/3/2011 3:30:42 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    5/3/2011 3:30:42 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    5/3/2011 3:30:42 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    5/3/2011 3:30:42 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    5/3/2011 3:30:42 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    5/3/2011 3:30:40 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    5/3/2011 3:30:40 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    5/3/2011 3:30:40 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    5/3/2011 3:30:40 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/3/2011 3:30:40 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    5/3/2011 3:24:56 AM, Error: Microsoft-Windows-Subsys-SMSS [12] - The crash dump file could not be created due to a lack of free space on the destination drive. Increasing the amount of free space on the destination drive may help prevent this error.
    5/2/2011 1:18:41 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    .
    ==== End Of File ===========================
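    Every WER 1001 line in the event listing above records the same stop code, 0x000000F4 with a first parameter of 0x3. In Microsoft's bug check reference that code is CRITICAL_OBJECT_TERMINATION, and parameter 1 = 0x3 means the critical object that died was a process (0x6 would be a thread). The parser below pulls those records out of a pasted DDS log and decodes them; it is an added example, not code from the thread or from the DDS tool. The sample lines are copied from the log above (non-bugcheck lines left in to show they are skipped), the stop-code names are the documented ones, and nothing else is assumed.

```python
"""
Pull the bugcheck records out of a DDS 'Event Viewer Messages' section and
decode them. Added example, not part of the thread; the sample lines are
copied from the DDS log above.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: five lines taken from the DDS output above.
EVENT_LOG = r"""
5/5/2011 7:19:40 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f4 (0x0000000000000003, 0xfffffa8006aed630, 0xfffffa8006aed910, 0xfffff800033e2240). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 050511-45109-01.
5/5/2011 7:04:22 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer SHERRIE-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B642AACF-FC91-4F71-902D-59E864533EFD}. The master browser is stopping or an election is being forced.
5/5/2011 1:49:45 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f4 (0x0000000000000003, 0xfffffa8005515b30, 0xfffffa8005515e10, 0xfffff80003396240). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 050511-63906-01.
5/3/2011 3:30:58 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f4 (0x0000000000000003, 0xfffffa8005407060, 0xfffffa8005407340, 0xfffff800033dd240). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 050311-52406-01.
5/3/2011 3:24:56 AM, Error: Microsoft-Windows-Subsys-SMSS [12] - The crash dump file could not be created due to a lack of free space on the destination drive. Increasing the amount of free space on the destination drive may help prevent this error.
"""

# Event 1001 from WER-SystemErrorReporting is the post-reboot bugcheck record.
BUGCHECK_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"Error: Microsoft-Windows-WER-SystemErrorReporting \[1001\] - .*?"
    r"The bugcheck was: (?P<code>0x[0-9a-fA-F]+) \((?P<params>[^)]*)\)"
    r"(?:.*?Report Id: (?P<report>[0-9A-Za-z-]+))?"
)

# Names for a handful of common stop codes (Microsoft bug check reference).
STOP_CODES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0xF4: "CRITICAL_OBJECT_TERMINATION",
}

# For 0xF4, parameter 1 says which kind of critical object went away.
F4_OBJECT_KIND = {0x3: "process", 0x6: "thread"}


def parse_bugchecks(text):
    """Return one dict per bugcheck event found in a DDS event listing."""
    events = []
    for line in text.splitlines():
        m = BUGCHECK_RE.match(line.strip())
        if not m:
            continue  # not a WER 1001 bugcheck record
        params = [int(p, 16) for p in m.group("params").split(",")]
        events.append({
            "time": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
            "code": int(m.group("code"), 16),
            "params": params,
            "report": m.group("report"),
        })
    return events


def describe(event):
    """Human-readable one-liner for a parsed bugcheck event."""
    code = event["code"]
    name = STOP_CODES.get(code, "UNKNOWN")
    text = f"{event['time']:%Y-%m-%d %H:%M:%S} stop 0x{code:08X} {name}"
    if code == 0xF4 and event["params"]:
        kind = F4_OBJECT_KIND.get(event["params"][0], "unknown object")
        # For 0xF4, parameter 2 is the object that terminated.
        text += f" (critical {kind} terminated, object 0x{event['params'][1]:016x})"
    if event["report"]:
        text += f" report {event['report']}"
    return text


def summarize(events):
    """Count crashes per stop code so repeat offenders stand out."""
    return Counter(e["code"] for e in events)


if __name__ == "__main__":
    evs = parse_bugchecks(EVENT_LOG)
    for ev in evs:
        print(describe(ev))
    for code, n in summarize(evs).items():
        print(f"0x{code:08X}: {n} crash(es)")
```

    Run it against the full listing and the summary shows one stop code repeated eight times in three days, with a process as the terminated object every time; that is the pattern to take to the MEMORY.DMP files, which the log also says could not always be written for lack of disk space (C: has 2.2 GiB free).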
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to the Virus and Malware forum! I see Mbam has removed a significant amount of malware. And I see processes in your system that will bring more.

    Your use of the KMSEmulator is one of them. Another is the uTorrent Toolbar.

    Please run the following:
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
      in your next reply.

    Follow with this online virus scan:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    Paste the 2 logs into your next reply. We'll go from there.
     
  7. gott1rott

    gott1rott TS Rookie Topic Starter Posts: 37

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetailcrackndetailncrack.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetailcrackndetailncrackalphatest.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetailcrackndetailncrackalphatestlightmap.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetailcrackndetailncrackalphatestlightmapshadow.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetailcrackndetailncrackalphatestpointlight.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetailcrackndetailncrackalphatestshadow.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetailcrackndetailncracklightmap.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetailcrackndetailncracklightmapshadow.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetailcrackndetailncrackpointlight.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetailcrackndetailncrackshadow.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetaildirtcrackndetailncrack.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetaildirtcrackndetailncrackalphatest.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetaildirtcrackndetailncrackalphatestlightmap.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetaildirtcrackndetailncrackalphatestlightmapshadow.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetaildirtcrackndetailncrackalphatestpointlight.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetaildirtcrackndetailncrackalphatestshadow.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetaildirtcrackndetailncracklightmap.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetaildirtcrackndetailncracklightmapshadow.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetaildirtcrackndetailncrackpointlight.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_221602_4\rashaderstmbasedetaildirtcrackndetailncrackshadow.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetailcrackndetailncrack.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetailcrackndetailncrackalphatest.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetailcrackndetailncrackalphatestlightmap.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetailcrackndetailncrackalphatestlightmapshadow.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetailcrackndetailncrackalphatestpointlight.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetailcrackndetailncrackalphatestshadow.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetailcrackndetailncracklightmap.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetailcrackndetailncracklightmapshadow.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetailcrackndetailncrackpointlight.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetailcrackndetailncrackshadow.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetaildirtcrackndetailncrack.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetaildirtcrackndetailncrackalphatest.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetaildirtcrackndetailncrackalphatestlightmap.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetaildirtcrackndetailncrackalphatestlightmapshadow.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetaildirtcrackndetailncrackalphatestpointlight.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetaildirtcrackndetailncrackalphatestshadow.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetaildirtcrackndetailncracklightmap.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetaildirtcrackndetailncracklightmapshadow.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetaildirtcrackndetailncrackpointlight.cfx
    c:\users\gott1rott\documents\battlefield play4free\mods\main\cache\{d7b71ee2-d700-11cf-e770-5b28bec2c535}_222577_4\rashaderstmbasedetaildirtcrackndetailncrackshadow.cfx
    c:\users\gott1rott\documents\xilisoft corporation\video converter ultimate\crack.js
    c:\users\public\documents\cebas\sample scenes shared\thinkingparticles 3\cracks.max
    c:\users\public\documents\cebas\sample scenes shared\thinkingparticles 3\cracks_linear.max
    c:\users\public\documents\cebas\sample scenes shared\thinkingparticles 3\crack_spread.max
    scanner sequence 3.ZZ.11
    ----- EOF -----
     
  8. gott1rott

    gott1rott TS Rookie Topic Starter Posts: 37

    C:\Documents and Settings\gott1rott\AppData\Roaming\clcjql.exe a variant of MSIL/Injector.FZ trojan
    C:\Documents and Settings\gott1rott\AppData\Roaming\cxstbs.exe a variant of MSIL/Injector.FZ trojan
    C:\Documents and Settings\gott1rott\AppData\Roaming\ixbwui.exe a variant of MSIL/Injector.FZ trojan
    C:\Documents and Settings\gott1rott\Application Data\clcjql.exe a variant of MSIL/Injector.FZ trojan
    C:\Documents and Settings\gott1rott\Application Data\cxstbs.exe a variant of MSIL/Injector.FZ trojan
    C:\Documents and Settings\gott1rott\Application Data\ixbwui.exe a variant of MSIL/Injector.FZ trojan
    C:\Users\gott1rott\AppData\Roaming\clcjql.exe a variant of MSIL/Injector.FZ trojan
    C:\Users\gott1rott\AppData\Roaming\cxstbs.exe a variant of MSIL/Injector.FZ trojan
    C:\Users\gott1rott\AppData\Roaming\ixbwui.exe a variant of MSIL/Injector.FZ trojan
    C:\Users\gott1rott\Application Data\clcjql.exe a variant of MSIL/Injector.FZ trojan
    C:\Users\gott1rott\Application Data\cxstbs.exe a variant of MSIL/Injector.FZ trojan
    C:\Users\gott1rott\Application Data\ixbwui.exe a variant of MSIL/Injector.FZ trojan
    C:\Windows\AutoKMS.exe probably a variant of Win32/Agent.BBYXCWL trojan
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Files  
      C:\Documents and Settings\gott1rott\AppData\Roaming\clcjql.exe 
      C:\Documents and Settings\gott1rott\AppData\Roaming\cxstbs.exe 
      C:\Documents and Settings\gott1rott\AppData\Roaming\ixbwui.exe
      C:\Documents and Settings\gott1rott\Application Data\clcjql.exe 
      C:\Documents and Settings\gott1rott\Application Data\cxstbs.exe
      C:\Documents and Settings\gott1rott\Application Data\ixbwui.exe
      C:\Users\gott1rott\AppData\Roaming\clcjql.exe 
      C:\Users\gott1rott\AppData\Roaming\cxstbs.exe
      C:\Users\gott1rott\AppData\Roaming\ixbwui.exe
      C:\Users\gott1rott\Application Data\clcjql.exe 
      C:\Users\gott1rott\Application Data\cxstbs.exe
      C:\Users\gott1rott\Application Data\ixbwui.exe
      C:\Windows\AutoKMS.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =========================================
    Looking for information on the new MSIL/Injector.FZ trojan suggests it might be coming through BitFrost. Did you use that for any of the pirated entries?

    Regarding these:
    As far as I can tell, thinkingParticles is software from Cebas. This looks to be very costly. Samples do come with the trial. We tend to associate the words 'crack', 'serial' and 'keygen' with pirated software. But I also understand that visual rendering can be used to literally show 'cracks' as in a wall or road.

    Can you clarify this for me please?

    Additionally, this program itself is costly: Xilisoft Video Converter Ultimate. I don't see this program installed, but have concern about this JavaScript crack:
    c:\users\gott1rott\documents\xilisoft corporation\video converter ultimate\crack.js

    The bottom line is that we don't support piracy. I am giving you the benefit of the doubt to tell me about 'crack'.
    =======================================
    You should also consider the payload of the Trojan removed in Mbam: MSIL/Injector.G is a trojan that steals sensitive information. The trojan can send the information to a remote machine.
    =======================================
     
  10. gott1rott

    gott1rott TS Rookie Topic Starter Posts: 37

    I've actually never heard of Bitfrost. By the name, I would assume it's a torrent client, but I haven't used it. You are correct about the thinkingparticles. I am using the trial version. The .max is the primary file format used by 3ds for saving scenes. "Crack" is in the filename because there are visual cracks in the scene. The Xilisoft Converter was pirated software, but I thought I got rid of that a while ago.

    As for the OTM, it asked me to reboot and I clicked yes, so I have the log from after the reboot. I just wasn't sure if I was supposed to save a log before rebooting.

    Thanks for the heads up on that trojan. Where do we go from here?
     
  11. gott1rott

    gott1rott TS Rookie Topic Starter Posts: 37

    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\gott1rott\AppData\Roaming\clcjql.exe moved successfully.
    C:\Documents and Settings\gott1rott\AppData\Roaming\cxstbs.exe moved successfully.
    C:\Documents and Settings\gott1rott\AppData\Roaming\ixbwui.exe moved successfully.
    File/Folder C:\Documents and Settings\gott1rott\Application Data\clcjql.exe not found.
    File/Folder C:\Documents and Settings\gott1rott\Application Data\cxstbs.exe not found.
    File/Folder C:\Documents and Settings\gott1rott\Application Data\ixbwui.exe not found.
    File/Folder C:\Users\gott1rott\AppData\Roaming\clcjql.exe not found.
    File/Folder C:\Users\gott1rott\AppData\Roaming\cxstbs.exe not found.
    File/Folder C:\Users\gott1rott\AppData\Roaming\ixbwui.exe not found.
    File/Folder C\Users\gott1rott\Application Data\clcjql.exe not found.
    File/Folder C:\Users\gott1rott\Application Data\cxstbs.exe not found.
    File/Folder C:\Users\gott1rott\Application Data\ixbwui.exe not found.
    C:\Windows\AutoKMS.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: gott1rott
    ->Temp folder emptied: 1008585 bytes
    ->Temporary Internet Files folder emptied: 144585 bytes
    ->Java cache emptied: 2978 bytes
    ->FireFox cache emptied: 67884732 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 6416 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 6914 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 66.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 05092011_155507

    Files moved on Reboot...
    C:\Users\gott1rott\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    We have a lot of work to do. The system is badly infected: Please uninstall the KMS Emulator
    ==================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan. Uninstall directions if needed:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open in a text window. Please paste the contents of C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  13. gott1rott

    gott1rott TS Rookie Topic Starter Posts: 37

    ComboFix 11-05-09.02 - gott1rott 05/10/2011 3:07.1.6 - x64
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6143.4656 [GMT -4:00]
    Running from: c:\users\gott1rott\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\Common Files\Temp
    c:\program files (x86)\Common Files\Temp\Bridge.exe
    c:\program files (x86)\Common Files\Temp\unins000.dat
    c:\program files (x86)\Common Files\Temp\unins000.exe
    c:\users\gott1rott\AppData\Roaming\chrtmp
    c:\users\gott1rott\AppData\Roaming\dbwkm.exe
    c:\users\gott1rott\AppData\Roaming\gott1rottlog.dat
    c:\users\gott1rott\AppData\Roaming\login.exe
    c:\users\gott1rott\AppData\Roaming\qofpy.exe
    c:\users\gott1rott\AppData\Roaming\ypjduh.exe
    c:\users\gott1rott\AppData\Roaming\ywmlh.exe
    c:\windows\SysWow64\install
    c:\windows\SysWow64\winservice.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_SCM_Service
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-10 to 2011-05-10 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-09 19:55 . 2011-05-09 19:55 -------- d-----w- C:\_OTM
    2011-05-09 19:16 . 2011-05-09 19:16 781272 ----a-w- c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
    2011-05-09 19:16 . 2011-05-09 19:16 1874904 ----a-w- c:\program files (x86)\Mozilla Firefox\mozjs.dll
    2011-05-09 19:16 . 2011-05-09 19:16 89048 ----a-w- c:\program files (x86)\Mozilla Firefox\libEGL.dll
    2011-05-09 19:16 . 2011-05-09 19:16 465880 ----a-w- c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
    2011-05-09 19:16 . 2011-05-09 19:16 1892184 ----a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_42.dll
    2011-05-09 19:16 . 2011-05-09 19:16 15832 ----a-w- c:\program files (x86)\Mozilla Firefox\mozalloc.dll
    2011-05-09 19:16 . 2011-05-09 19:16 1974616 ----a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_42.dll
    2011-05-09 19:16 . 2011-05-09 19:16 142296 ----a-w- c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
    2011-05-07 07:26 . 2011-05-08 06:39 -------- d-----w- c:\users\gott1rott\.dvdcss
    2011-05-06 20:22 . 2011-05-06 20:22 -------- d-----w- c:\program files (x86)\ESET
    2011-05-04 19:43 . 2011-05-04 19:43 222 ----a-w- c:\users\gott1rott\AppData\Roaming\Microsoft\svchost.exe~cache.bat
    2011-05-04 07:57 . 2011-05-04 07:57 0 ----a-w- c:\users\gott1rott\AppData\Roaming\bs.exe
    2011-05-03 14:12 . 2011-05-03 14:12 -------- d-----w- c:\program files (x86)\Common Files\Java
    2011-04-30 17:19 . 2011-04-30 17:19 -------- d-----w- c:\users\gott1rott\AppData\Local\AMD
    2011-04-30 17:16 . 2011-04-30 17:16 -------- d-----w- c:\programdata\AMD
    2011-04-30 16:31 . 2011-04-30 16:31 -------- d-----w- c:\programdata\ATI
    2011-04-30 16:31 . 2011-04-30 16:31 -------- d-----w- c:\program files (x86)\AMD APP
    2011-04-30 16:31 . 2010-02-18 13:18 46136 ----a-w- c:\windows\system32\drivers\amdiox64.sys
    2011-04-14 01:59 . 2011-04-14 01:59 59904 ----a-w- c:\windows\SysWow64\OVDecode.dll
    2011-04-14 01:59 . 2011-04-14 01:59 51712 ----a-w- c:\windows\SysWow64\OpenCL.dll
    2011-04-14 01:58 . 2011-04-14 01:58 12385280 ----a-w- c:\windows\SysWow64\amdocl.dll
    2011-04-14 01:45 . 2011-04-14 01:45 -------- d-----w- c:\users\gott1rott\AppData\Local\Arktos
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-14 09:07 . 2010-04-21 23:59 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-04-09 20:43 . 2011-04-09 20:43 56732 ----a-w- c:\windows\RFMaxPluginUninstall.exe
    2011-04-06 02:25 . 2010-10-09 19:14 234768 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
    2011-04-06 02:09 . 2011-04-06 02:09 61952 ----a-w- c:\windows\system32\OVDecode64.dll
    2011-04-06 02:09 . 2011-04-06 02:09 53760 ----a-w- c:\windows\system32\OpenCL.dll
    2011-04-06 02:09 . 2011-04-06 02:09 16116224 ----a-w- c:\windows\system32\amdocl64.dll
    2011-04-06 02:02 . 2010-02-19 20:28 788480 ----a-w- c:\windows\system32\aticfx64.dll
    2011-04-06 02:00 . 2011-03-10 14:54 234768 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
    2011-04-06 01:44 . 2010-02-19 20:26 5086208 ----a-w- c:\windows\system32\atidxx64.dll
    2011-04-06 01:28 . 2010-02-19 20:15 58880 ----a-w- c:\windows\system32\coinst.dll
    2011-04-06 01:22 . 2010-10-27 02:14 361984 ----a-w- c:\windows\system32\atiadlxx.dll
    2011-04-06 01:20 . 2010-02-19 19:45 40448 ----a-w- c:\windows\system32\atiuxp64.dll
    2011-04-06 01:20 . 2010-10-27 02:13 38912 ----a-w- c:\windows\system32\atiu9p64.dll
    2011-04-06 01:20 . 2010-10-27 02:13 29184 ----a-w- c:\windows\SysWow64\atiu9pag.dll
    2011-04-05 23:19 . 2011-03-10 14:54 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
    2011-04-02 21:07 . 2011-04-02 21:07 8192 ----a-w- c:\windows\SysWow64\gsimrxnp.dll
    2011-04-02 21:07 . 2011-04-02 21:07 4992 ----a-w- c:\windows\SysWow64\drivers\enport.sys
    2011-04-02 21:07 . 2011-04-02 21:07 49024 ----a-w- c:\windows\inf\gsiata.sys
    2011-04-02 21:07 . 2011-04-02 21:07 293888 ----a-w- c:\windows\SysWow64\drivers\gsimrx.sys
    2011-04-02 21:07 . 2011-04-02 21:07 92160 ----a-w- c:\windows\SysWow64\enhkey.dll
    2011-03-31 21:48 . 2011-03-31 21:48 86016 ----a-w- c:\windows\SysWow64\frapsvid.dll
    2011-03-31 21:48 . 2011-03-31 21:48 84992 ----a-w- c:\windows\system32\frapsv64.dll
    2011-03-24 12:02 . 2011-03-24 12:02 230352 ----a-w- c:\windows\system32\drivers\truecrypt.sys
    2003-11-03 21:07 . 2004-04-23 21:06 499712 ----a-w- c:\program files (x86)\msvcp71.dll
    2003-11-03 21:07 . 2004-04-23 21:06 348160 ----a-w- c:\program files (x86)\msvcr71.dll
    2003-05-30 13:22 . 2003-09-08 13:09 344064 ----a-r- c:\program files (x86)\msvcr70.dll
    2002-01-05 07:40 . 2003-09-08 13:09 487424 ----a-w- c:\program files (x86)\msvcp70.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
    .
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-12-09 17:51 3911776 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    2010-12-09 17:51 3911776 ----a-w- c:\program files (x86)\uTorrentBar\tbuTor.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
    .
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CtxfiReg"="CTXFIREG.exe" [2009-07-14 47104]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    NETGEAR WG111v2 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WG111v2\WG111v2.exe [2010-4-26 1261568]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 ATICDSDr;ATICDSDr;c:\users\GOTT1R~1\AppData\Local\Temp\ATICDSDr.sys [x]
    R3 cpuz130;cpuz130;c:\users\GOTT1R~1\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
    R3 cpuz134;cpuz134;c:\program files (x86)\CPUID\PC Wizard 2010\pcwiz_x64.sys [2010-07-09 21480]
    R3 Creative Dolby Digital Live Pack Licensing Service;Creative Dolby Digital Live Pack Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\DDLLicensing.exe [2010-01-16 79360]
    R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [x]
    R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [x]
    R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [x]
    R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [x]
    R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [x]
    R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [x]
    R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-08-02 1436424]
    R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2010-11-11 128928]
    R3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\system32\drivers\ha20x22k.sys [x]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;e:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 51445112]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 47632]
    R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 RTCore64;RTCore64;c:\program files (x86)\RMClock\RTCore64.sys [x]
    R3 SaiH053C;SaiH053C;c:\windows\system32\DRIVERS\SaiH053C.sys [x]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [x]
    R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [x]
    S0 FSProFilter;FSPro File Filter;c:\windows\System32\Drivers\FSPFltd.sys [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-04-06 365568]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-04-29 136360]
    S2 fsproflt;FSPro Filter Service;c:\windows\SysWOW64\fsproflt.exe [2010-01-06 142648]
    S2 IPClampService;IP-Clamp Licensing by cebas VISUAL TECHNOLOGY Inc.;c:\program files (x86)\cebas\ip-clamp\ipclamp.exe [2007-11-20 45700]
    S2 mi-raysat_3dsmax2011_64;mental ray 3.8 Satellite for Autodesk 3ds Max 2011 64-bit 64-bit;e:\program files\Autodesk\3ds Max 2011\mentalimages\satellite\raysat_3dsmax2011_64server.exe [2010-03-10 86016]
    S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2010-10-13 5790064]
    S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2010-10-13 487280]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys [x]
    S3 ScreamBAudioSvc;ScreamBee Audio;c:\windows\system32\drivers\ScreamingBAudio64.sys [x]
    S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"="c:\combofix\CF7521.cfxxe" [X]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "mylbx"="e:\program files\My Lockbox\mylbx.exe" [2010-07-14 1804000]
    "BCSSync"="e:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 112512]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - e:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    FF - ProfilePath - c:\users\gott1rott\AppData\Roaming\Mozilla\Firefox\Profiles\jqxxnw85.default\
    FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKCU-Run-armakicker - c:\users\gott1rott\AppData\Roaming\login.exe
    Wow6432Node-HKLM-Run-armakicker - c:\users\gott1rott\AppData\Roaming\login.exe
    HKLM_Wow6432Node-ActiveSetup-{3DEAACEE-1CB6-FD5B-EFCC-B2C0DDDCAEBF} - c:\users\gott1rott\AppData\Roaming\login.exe
    WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)
    AddRemove-Adobe Bridge CS5_is1 - c:\program files (x86)\Common Files\Temp\unins000.exe
    AddRemove-BattlEye - e:\program files (x86)\Bohemia Interactive\ArmA 2 Operation ArrowheadExpansion\BattlEye\UnInstallBE.exe
    AddRemove-Solidrocks 0.85b - e:\program files\Autodesk\3ds Max 2011\uninst.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1569982102-2375594022-2670966679-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    @Allowed: (Read) (RestrictedCode)
    "??"=hex:c9,52,8c,b4,41,ae,6e,35,45,cb,61,80,5b,e4,84,71,f1,a7,23,10,36,15,05,
    00,60,ad,3c,4c,47,6b,56,55,47,ea,f1,e5,6a,08,1b,8e,c1,f1,19,2e,2b,17,bd,7c,\
    "??"=hex:b2,8c,90,ba,cd,4f,49,cf,0f,49,60,b9,fd,b5,b5,2e
    .
    [HKEY_USERS\S-1-5-21-1569982102-2375594022-2670966679-1000\Software\SecuROM\License information*]
    "datasecu"=hex:21,38,20,4a,b7,53,d3,f6,e1,30,05,08,f3,71,a0,b9,e8,af,b9,6d,1f,
    37,13,d8,38,49,2d,19,94,b0,40,8a,0b,80,d5,aa,a9,c9,e2,a5,32,1a,c1,8f,1e,3d,\
    "rkeysecu"=hex:95,11,2f,12,e3,74,61,aa,cd,db,fd,a7,a7,1d,0a,40
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
    c:\program files (x86)\DCPFLICS\DCPFLICS.exe
    c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-10 03:21:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-10 07:21
    .
    Pre-Run: 1,703,137,280 bytes free
    Post-Run: 1,370,562,560 bytes free
    .
    - - End Of File - - F1BB8EE5705F0AF04C966AF21EE1DCC8
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- got a bit behind.
    Please run this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad> click on Format> uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    FileLook::
    c:\users\gott1rott\AppData\Roaming\Microsoft\svchost.exe~cache.bat
    c:\users\gott1rott\AppData\Roaming\bs.exe
    DDS::
    uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\tbuTor.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    uRun: [armakicker] C:\Users\gott1rott\AppData\Roaming\login.exe
    uRun: [PRjDElIKmm] "C:\Users\gott1rott\AppData\Local\Temp\tempfile.exe"
    mRun: [armakicker] C:\Users\gott1rott\AppData\Roaming\login.exe
    mRun: [{{mStartup}}] C:\Users\GOTT1R~1\AppData\Local\Temp\Newfile.exe
    mExplorerRun: [armakicker] C:\Users\gott1rott\AppData\Roaming\login.exe
    mASetup: {3DEAACEE-1CB6-FD5B-EFCC-B2C0DDDCAEBF} - C:\Users\gott1rott\AppData\Roaming\login.exe
    uASetup: {3DEAACEE-1CB6-FD5B-EFCC-B2C0DDDCAEBF} - C:\Users\gott1rott\AppData\Roaming\login.exe
    BHO-X64: URLRedirectionBHO - No File
    TB-X64: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"=-
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
    [HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    
    RegNull::
    [HKEY_USERS\S-1-5-21-1569982102-2375594022-2670966679-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    [HKEY_USERS\S-1-5-21-1569982102-2375594022-2670966679-1000\Software\SecuROM\License information*]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
    ====================
    Please consider removing these from the Trusted Zone. Security is lower in that zone and nothing needs to be there:
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com

    ===============================
    How is the system doing now?
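A read-only audit of the two weak spots the helper's advice and the ComboFix log above point at: domains placed in Internet Explorer's Trusted Zone, and UAC switched off (the log shows EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all at 0). This is an added example, not part of the thread and not a ComboFix feature; the registry paths are the standard Windows ZoneMap and UAC policy locations, and the "expected" UAC values are assumed to be the Windows 7 defaults.

```powershell
# Added example (not from the thread): audit IE Trusted Zone entries and UAC policy.
# Read-only: it reports, it does not change anything. Run from an elevated PowerShell.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-ZoneMapEntries {
    # Walks a ZoneMap\Domains (or EscDomains) root. Each domain is a subkey; the
    # scheme values (http, https, *) hold the zone id. Subdomains may sit one
    # level deeper (e.g. Domains\sony.com\www), so both layouts are handled.
    param([Parameter(Mandatory)][string]$Root)
    if (-not (Test-Path $Root)) { return }
    foreach ($domainKey in Get-ChildItem $Root) {
        $keys = @($domainKey) + @(Get-ChildItem $domainKey.PSPath -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            $hostName = if ($k.PSPath -eq $domainKey.PSPath) { $domainKey.PSChildName }
                        else { '{0}.{1}' -f $k.PSChildName, $domainKey.PSChildName }
            $item = Get-Item $k.PSPath
            foreach ($scheme in $item.GetValueNames()) {
                $zone = [int]$item.GetValue($scheme)
                [pscustomobject]@{
                    Host     = $hostName
                    Scheme   = $scheme
                    Zone     = $zone
                    ZoneName = $ZoneNames[$zone]
                    Key      = $k.PSPath
                }
            }
        }
    }
}

# Per-user and machine-wide zone maps; EscDomains is the Enhanced Security Configuration map.
$zoneRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

$trusted = foreach ($root in $zoneRoots) {
    Get-ZoneMapEntries -Root $root | Where-Object { $_.Zone -eq 2 }
}

Write-Host '=== Trusted Zone (zone 2) entries ==='
if ($trusted) {
    # In the log above this would list clonewarsadventures.com, freerealms.com, soe.com, sony.com.
    $trusted | Format-Table Host, Scheme, Key -AutoSize
} else {
    Write-Host 'none'
}

Write-Host '=== UAC policy (HKLM\...\Policies\System) ==='
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Assumed Windows 7 defaults: UAC on, admin consent prompt for non-Windows binaries, secure desktop on.
$expected = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; PromptOnSecureDesktop = 1 }
$props = Get-ItemProperty -Path $uacKey
foreach ($name in $expected.Keys) {
    $actual = $props.$name
    $status = if ($actual -eq $expected[$name]) { 'ok' } else { 'WEAK' }
    '{0,-28} actual={1} expected={2} {3}' -f $name, $actual, $expected[$name], $status
}
```

Any row marked WEAK matches the state in the log (UAC fully disabled), which is what let the login.exe and svchost.exe~cache.bat entries install without a prompt; Trusted Zone rows can be removed through Internet Options > Security > Trusted sites once the cleanup is finished.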
     
  15. gott1rott

    gott1rott TS Rookie Topic Starter Posts: 37

    ComboFix 11-05-11.04 - gott1rott 05/12/2011 22:32:21.3.6 - x64
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6143.4429 [GMT -4:00]
    Running from: c:\users\gott1rott\Desktop\ComboFix.exe
    Command switches used :: c:\users\gott1rott\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-13 to 2011-05-13 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-13 02:35 . 2011-05-13 02:35 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-05-09 19:55 . 2011-05-09 19:55 -------- d-----w- C:\_OTM
    2011-05-09 19:16 . 2011-05-09 19:16 781272 ----a-w- c:\program files (x86)\Mozilla Firefox\mozsqlite3.dll
    2011-05-09 19:16 . 2011-05-09 19:16 1874904 ----a-w- c:\program files (x86)\Mozilla Firefox\mozjs.dll
    2011-05-09 19:16 . 2011-05-09 19:16 89048 ----a-w- c:\program files (x86)\Mozilla Firefox\libEGL.dll
    2011-05-09 19:16 . 2011-05-09 19:16 465880 ----a-w- c:\program files (x86)\Mozilla Firefox\libGLESv2.dll
    2011-05-09 19:16 . 2011-05-09 19:16 1892184 ----a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_42.dll
    2011-05-09 19:16 . 2011-05-09 19:16 15832 ----a-w- c:\program files (x86)\Mozilla Firefox\mozalloc.dll
    2011-05-09 19:16 . 2011-05-09 19:16 1974616 ----a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_42.dll
    2011-05-09 19:16 . 2011-05-09 19:16 142296 ----a-w- c:\program files (x86)\Mozilla Firefox\components\browsercomps.dll
    2011-05-07 07:26 . 2011-05-08 06:39 -------- d-----w- c:\users\gott1rott\.dvdcss
    2011-05-06 20:22 . 2011-05-06 20:22 -------- d-----w- c:\program files (x86)\ESET
    2011-05-04 19:43 . 2011-05-04 19:43 222 ----a-w- c:\users\gott1rott\AppData\Roaming\Microsoft\svchost.exe~cache.bat
    2011-05-04 07:57 . 2011-05-04 07:57 0 ----a-w- c:\users\gott1rott\AppData\Roaming\bs.exe
    2011-05-03 14:12 . 2011-05-03 14:12 -------- d-----w- c:\program files (x86)\Common Files\Java
    2011-04-30 17:19 . 2011-04-30 17:19 -------- d-----w- c:\users\gott1rott\AppData\Local\AMD
    2011-04-30 17:16 . 2011-04-30 17:16 -------- d-----w- c:\programdata\AMD
    2011-04-30 16:31 . 2011-04-30 16:31 -------- d-----w- c:\programdata\ATI
    2011-04-30 16:31 . 2011-04-30 16:31 -------- d-----w- c:\program files (x86)\AMD APP
    2011-04-30 16:31 . 2010-02-18 13:18 46136 ----a-w- c:\windows\system32\drivers\amdiox64.sys
    2011-04-14 01:59 . 2011-04-14 01:59 59904 ----a-w- c:\windows\SysWow64\OVDecode.dll
    2011-04-14 01:59 . 2011-04-14 01:59 51712 ----a-w- c:\windows\SysWow64\OpenCL.dll
    2011-04-14 01:58 . 2011-04-14 01:58 12385280 ----a-w- c:\windows\SysWow64\amdocl.dll
    2011-04-14 01:45 . 2011-04-14 01:45 -------- d-----w- c:\users\gott1rott\AppData\Local\Arktos
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-14 09:07 . 2010-04-21 23:59 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-04-09 20:43 . 2011-04-09 20:43 56732 ----a-w- c:\windows\RFMaxPluginUninstall.exe
    2011-04-06 02:25 . 2010-10-09 19:14 234768 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
    2011-04-06 02:09 . 2011-04-06 02:09 61952 ----a-w- c:\windows\system32\OVDecode64.dll
    2011-04-06 02:09 . 2011-04-06 02:09 53760 ----a-w- c:\windows\system32\OpenCL.dll
    2011-04-06 02:09 . 2011-04-06 02:09 16116224 ----a-w- c:\windows\system32\amdocl64.dll
    2011-04-06 02:02 . 2010-02-19 20:28 788480 ----a-w- c:\windows\system32\aticfx64.dll
    2011-04-06 02:00 . 2011-03-10 14:54 234768 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
    2011-04-06 01:44 . 2010-02-19 20:26 5086208 ----a-w- c:\windows\system32\atidxx64.dll
    2011-04-06 01:28 . 2010-02-19 20:15 58880 ----a-w- c:\windows\system32\coinst.dll
    2011-04-06 01:22 . 2010-10-27 02:14 361984 ----a-w- c:\windows\system32\atiadlxx.dll
    2011-04-06 01:20 . 2010-02-19 19:45 40448 ----a-w- c:\windows\system32\atiuxp64.dll
    2011-04-06 01:20 . 2010-10-27 02:13 38912 ----a-w- c:\windows\system32\atiu9p64.dll
    2011-04-06 01:20 . 2010-10-27 02:13 29184 ----a-w- c:\windows\SysWow64\atiu9pag.dll
    2011-04-05 23:19 . 2011-03-10 14:54 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
    2011-04-02 21:07 . 2011-04-02 21:07 8192 ----a-w- c:\windows\SysWow64\gsimrxnp.dll
    2011-04-02 21:07 . 2011-04-02 21:07 4992 ----a-w- c:\windows\SysWow64\drivers\enport.sys
    2011-04-02 21:07 . 2011-04-02 21:07 49024 ----a-w- c:\windows\inf\gsiata.sys
    2011-04-02 21:07 . 2011-04-02 21:07 293888 ----a-w- c:\windows\SysWow64\drivers\gsimrx.sys
    2011-04-02 21:07 . 2011-04-02 21:07 92160 ----a-w- c:\windows\SysWow64\enhkey.dll
    2011-03-31 21:48 . 2011-03-31 21:48 86016 ----a-w- c:\windows\SysWow64\frapsvid.dll
    2011-03-31 21:48 . 2011-03-31 21:48 84992 ----a-w- c:\windows\system32\frapsv64.dll
    2011-03-24 12:02 . 2011-03-24 12:02 230352 ----a-w- c:\windows\system32\drivers\truecrypt.sys
    2003-11-03 21:07 . 2004-04-23 21:06 499712 ----a-w- c:\program files (x86)\msvcp71.dll
    2003-11-03 21:07 . 2004-04-23 21:06 348160 ----a-w- c:\program files (x86)\msvcr71.dll
    2003-05-30 13:22 . 2003-09-08 13:09 344064 ----a-r- c:\program files (x86)\msvcr70.dll
    2002-01-05 07:40 . 2003-09-08 13:09 487424 ----a-w- c:\program files (x86)\msvcp70.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\users\gott1rott\AppData\Roaming\bs.exe ---
    Company: ------
    File Description: ------
    File Version: ------
    Product Name: ------
    Copyright: ------
    Original Filename: ------
    File size: 0
    Created time: 2011-05-04 07:57
    Modified time: 2011-05-04 07:57
    MD5: D41D8CD98F00B204E9800998ECF8427E
    SHA1: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
    .
    .
    --- c:\users\gott1rott\AppData\Roaming\Microsoft\svchost.exe~cache.bat ---
    Company: ------
    File Description: ------
    File Version: ------
    Product Name: ------
    Copyright: ------
    Original Filename: ------
    File size: 222
    Created time: 2011-05-04 19:43
    Modified time: 2011-05-04 19:43
    MD5: 21F254E105C8A6EF2613F7F25BAAE147
    SHA1: A8524741CF25C26E8B2413B1C30A0998703B3C0A
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2011-05-13_02.07.59 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-11-17 00:31 . 2011-05-13 01:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-11-17 00:31 . 2011-05-13 02:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-11-17 00:31 . 2011-05-13 02:11 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-11-17 00:31 . 2011-05-13 01:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CtxfiReg"="CTXFIREG.exe" [2009-07-14 47104]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    NETGEAR WG111v2 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WG111v2\WG111v2.exe [2010-4-26 1261568]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 IPClampService;IP-Clamp Licensing by cebas VISUAL TECHNOLOGY Inc.;c:\program files (x86)\cebas\ip-clamp\ipclamp.exe [2007-11-20 45700]
    R2 mi-raysat_3dsmax2011_64;mental ray 3.8 Satellite for Autodesk 3ds Max 2011 64-bit 64-bit;e:\program files\Autodesk\3ds Max 2011\mentalimages\satellite\raysat_3dsmax2011_64server.exe [2010-03-10 86016]
    R3 ATICDSDr;ATICDSDr;c:\users\GOTT1R~1\AppData\Local\Temp\ATICDSDr.sys [x]
    R3 cpuz130;cpuz130;c:\users\GOTT1R~1\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]
    R3 cpuz134;cpuz134;c:\program files (x86)\CPUID\PC Wizard 2010\pcwiz_x64.sys [2010-07-09 21480]
    R3 Creative Dolby Digital Live Pack Licensing Service;Creative Dolby Digital Live Pack Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\DDLLicensing.exe [2010-01-16 79360]
    R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [x]
    R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [x]
    R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [x]
    R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [x]
    R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [x]
    R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [x]
    R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-08-02 1436424]
    R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [2010-11-11 128928]
    R3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\system32\drivers\ha20x22k.sys [x]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;e:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 51445112]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 47632]
    R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-10 174440]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 RTCore64;RTCore64;c:\program files (x86)\RMClock\RTCore64.sys [x]
    R3 SaiH053C;SaiH053C;c:\windows\system32\DRIVERS\SaiH053C.sys [x]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [x]
    R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [x]
    S0 FSProFilter;FSPro File Filter;c:\windows\System32\Drivers\FSPFltd.sys [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-04-06 365568]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-04-29 136360]
    S2 fsproflt;FSPro Filter Service;c:\windows\SysWOW64\fsproflt.exe [2010-01-06 142648]
    S2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [2010-10-13 5790064]
    S2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [2010-10-13 487280]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\DRIVERS\wg111v2.sys [x]
    S3 ScreamBAudioSvc;ScreamBee Audio;c:\windows\system32\drivers\ScreamingBAudio64.sys [x]
    S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
    .
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "mylbx"="e:\program files\My Lockbox\mylbx.exe" [2010-07-14 1804000]
    "BCSSync"="e:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 112512]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - e:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
    FF - ProfilePath - c:\users\gott1rott\AppData\Roaming\Mozilla\Firefox\Profiles\jqxxnw85.default\
    FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-05-12 22:37:06
    ComboFix-quarantined-files.txt 2011-05-13 02:37
    ComboFix2.txt 2011-05-10 07:21
    .
    Pre-Run: 1,277,403,136 bytes free
    Post-Run: 1,220,431,872 bytes free
    .
    - - End Of File - - B5FF19CD8AFBC9F431A58FB5D4456AC4
     
  16. gott1rott

    gott1rott TS Rookie Topic Starter Posts: 37

    The computer has been running great all week actually. I haven't noticed any problems. Thanks, I really appreciate all the help.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome! Glad to hear the system is working well. I tried to get information about 2 files, but I didn't get much: no company name, no program or app name. But I'd like you to search for both of them> you can use Windows Explorer (Windows key+E) and navigate to each file>> Do a right click> Properties:
    c:\users\gott1rott\AppData\Roaming\bs.exe
    This looks 'empty.' Go ahead and do a right click> Delete unless you recognize something.
    c:\users\gott1rott\AppData\Roaming\Microsoft\svchost.exe~cache.bat
    This one has 'stuff' in it. Follow the same path as above.
    ================================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Click on Start> right click on Computer> Properties
    • Select System Protection
    • Click on the Create button (near bottom)
    • Type a name for the Restore Point
    • Click on Create again to save the restore point.
    • Deleting all but the most recent System Protection point in Windows 7
    • Click Start> Computer> right click the C Drive and choose Properties> enter.
    • Click Disk Cleanup from there.
    • Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
    • Click the More Options tab
    • Click the Clean up under System Restore and Shadow Copies.
    • Click OK.
    • You will get a confirmation screen> Just click Delete.
    • Click OK on the Disk Cleanup Screen.
    • Click Delete Files on the Confirmation screen.
    It will run the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
    Images courtesy lytebyte.

    Empty the Recycle Bin

    Let me know if you have any more questions.
    ======================================
    Stay away from file sharing and torrent sites! It is not worth the trip unless you want to stop by this forum weekly! Very important: Use a Site Advisor when you choose a site from a search and when you go to download anything!

    The Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols show how the site is rated for Trustworthiness, Vendor Reliability, Privacy and Child Safety. Your online email account (Google Mail, Yahoo! Mail and Hotmail) is also protected.

    Every time you do a search and the screen comes up with the sites, they will have the rating light. Green (2 shades), Amber/Yellow Caution, Red> not advised. A few sites haven't been rated and show as a blue flashlight.

    If you want to link to another site from the page you're on, WOT will give you an Alert that the site is known for fraudulent entries, unreliable or other, and the site won't load. Don't worry- those Alerts don't happen if you stick to the green rating.

    Many times when I try to identify a process, many to most sites have the 'red light.' That means that whatever I'm looking for, I cannot trust that site to be safe or accurate. So I am only in the green light business!
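A scripted version of the two manual steps in this post (checking the two files' Properties, then creating a fresh restore point and deleting the older ones), as an added PowerShell example that is not part of the thread. It assumes Windows PowerShell 5.1 in an elevated prompt; the only file paths it uses are the two from the log above.

```powershell
# Added example, not from the thread: scripted equivalent of the two manual
# steps above (inspect the flagged files, then reset restore points).
# Assumes Windows PowerShell 5.1 in an elevated prompt on the cleaned machine.

# Shows what Explorer's Properties dialog shows, plus signature and hashes,
# so an unsigned file with no version info stands out from legitimate software.
function Get-FileReport {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Not found (may already have been removed): $p"
            continue
        }
        $item = Get-Item -LiteralPath $p
        [pscustomobject]@{
            Path        = $item.FullName
            SizeBytes   = $item.Length
            Created     = $item.CreationTime
            Modified    = $item.LastWriteTime
            Company     = $item.VersionInfo.CompanyName      # blank in the log above
            Description = $item.VersionInfo.FileDescription  # blank in the log above
            Signature   = (Get-AuthenticodeSignature -LiteralPath $p).Status
            MD5         = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
            SHA1        = (Get-FileHash -LiteralPath $p -Algorithm SHA1).Hash
        }
    }
}

# Creates a new restore point, then deletes every older shadow copy so a
# pre-cleanup snapshot cannot bring the removed files back via System Restore.
function Reset-RestorePoints {
    param([string]$Description = 'Post-cleanup baseline')
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'
    # Win32_ShadowCopy.InstallDate is a DMTF string; convert it before sorting.
    $copies = Get-WmiObject -Class Win32_ShadowCopy |
        Sort-Object { $_.ConvertToDateTime($_.InstallDate) }
    # Keep only the newest copy (the one just created); delete the rest.
    $copies | Select-Object -SkipLast 1 | ForEach-Object { $_.Delete() }
    Get-ComputerRestorePoint   # confirm what remains
}

# The two files the helper asked about (paths taken from the log in this thread).
$flagged = @(
    'c:\users\gott1rott\AppData\Roaming\bs.exe'
    'c:\users\gott1rott\AppData\Roaming\Microsoft\svchost.exe~cache.bat'
)
Get-FileReport -Path $flagged | Format-List
Reset-RestorePoints
```

On Windows 8 and later Checkpoint-Computer creates at most one restore point per 24 hours, so confirm the new point appears in Get-ComputerRestorePoint before relying on it. Deleting the shadow copies also removes "Previous Versions" of files on that volume.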
     
  18. gott1rott

    gott1rott TS Rookie Topic Starter Posts: 37

    Nice add on. Again, thanks for your help!
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Here are a few more you might want to look into; not all may work on Win 7 64-bit:
    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section, "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
    2. Have layered Security:
      [o] Antivirus (only one): Both of the following programs are free and known to be good:
      [o] Avira-AntiVir-Personal-Free-Antivirus
      [o] Avast-Free Antivirus
      [o] Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      [o] Comodo
      [o] Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o] Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o] Spybot Search & Destroy
    4. Updates: Stay current:
      [o] Check the Microsoft Download Site frequently for all updates marked Critical and the current SP updates.
      [o] Adobe Reader: Install current, uninstall old.
      [o] Java Updates: Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookies:
      [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o] For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      [o] Temporary File Cleaner
    7. Restore Points:
      [o] See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
     
Topic Status:
Not open for further replies.