TechSpot

Windows 7 restore virus/failed hard drive

Inactive
By rds11
Mar 30, 2012
  1. Yesterday I got a message on Windows Essentials that it caught something, and the recommended action was to remove it, which I did.

    When I restarted the PC today, I had a hard drive failure notice (well, several of them) and all programs and icons were gone. In fact, my problem was very similar to the one in this thread:
    http://www.techspot.com/vb/topic166419.html

    So I downloaded the UnHide program, ran it, and now almost everything is back, except a few shortcuts that I had pinned to my taskbar and my desktop wallpaper picture.

    My OS is Windows 7 Home Premium.

    System
    --------------------------------------------------------------------------------

    Manufacturer Gigabyte Technology Co., Ltd.
    Model P55A-UD4P
    Total amount of system memory 8,00 GB RAM
    System type 64-bit operating system
    Number of processor cores 4



    Storage
    --------------------------------------------------------------------------------

    Total size of hard disk(s) 931 GB
    Disk partition (C:) 242 GB Free (931 GB Total)



    So, what should I do next to clean up my PC?
     
  2. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. rds11

    rds11 TS Rookie Topic Starter

    Thanks for the quick reply!
    Here are the logs:

    Malwarebytes Log
    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.31.02

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Remi-David :: REMI-DAVID-PC [administrator]

    2012-03-30 22:42:10
    mbam-log-2012-03-30 (22-42-10).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 198501
    Time elapsed: 2 minute(s), 18 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)



    GMER

    Produced no log... found no system modification.




    DDS
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
    Run by Remi-David at 23:14:03 on 2012-03-30
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8187.6221 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files (x86)\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe
    C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files (x86)\USB TV\EM28XX\BDARemote.exe
    C:\Program Files (x86)\Marvell\raid\Apache2\bin\httpd.exe
    C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
    C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\CyberLink\Shared files\RichVideo64.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\Marvell\raid\Apache2\bin\httpd.exe
    C:\Program Files (x86)\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
    C:\Program Files (x86)\Marvell\raid\svc\mvraidsvc.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\ATI\Catalyst Media Center\CMCService.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.ca/search?q=%s
    uURLSearchHooks: uTorrentBar_FR Toolbar: {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - C:\Program Files (x86)\uTorrentBar_FR\tbuTor.dll
    mURLSearchHooks: uTorrentBar_FR Toolbar: {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - C:\Program Files (x86)\uTorrentBar_FR\tbuTor.dll
    BHO: uTorrentBar_FR Toolbar: {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - C:\Program Files (x86)\uTorrentBar_FR\tbuTor.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB: uTorrentBar_FR Toolbar: {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - C:\Program Files (x86)\uTorrentBar_FR\tbuTor.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
    EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
    mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
    mRun: [MRUTray] C:\Program Files (x86)\Marvell\raid\tray\MarvellTray.exe
    mRun: [NeroCheck] C:\Windows\SysWOW64\\NeroCheck.exe
    mRun: [CMCService] "C:\Program Files (x86)\ATI\Catalyst Media Center\CMCService.exe"
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
    mRun: [TrayServer] C:\Program Files (x86)\MAGIX\Movie_Edit_Pro_17_Plus_Download_Version\TrayServer_en.exe
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime Alternative\QTTask.exe" -atboottime
    mRun: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BDAREM~1.LNK - C:\Program Files (x86)\USB TV\EM28XX\BDARemote.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    TCP: DhcpNameServer = 24.48.19.13 24.202.72.13 24.53.0.2
    TCP: Interfaces\{8C574716-7B0F-47A2-BC8F-953292042010} : DhcpNameServer = 24.48.19.13 24.202.72.13 24.53.0.2
    BHO-X64: uTorrentBar_FR Toolbar: {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - C:\Program Files (x86)\uTorrentBar_FR\tbuTor.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    BHO-X64: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
    BHO-X64: Canon Easy-WebPrint EX BHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    TB-X64: uTorrentBar_FR Toolbar: {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - C:\Program Files (x86)\uTorrentBar_FR\tbuTor.dll
    TB-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
    TB-X64: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
    EB-X64: {21347690-EC41-4F9A-8887-1F4AEE672439} - No File
    mRun-x64: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun-x64: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
    mRun-x64: [MRUTray] C:\Program Files (x86)\Marvell\raid\tray\MarvellTray.exe
    mRun-x64: [NeroCheck] C:\Windows\SysWOW64\\NeroCheck.exe
    mRun-x64: [CMCService] "C:\Program Files (x86)\ATI\Catalyst Media Center\CMCService.exe"
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
    mRun-x64: [TrayServer] C:\Program Files (x86)\MAGIX\Movie_Edit_Pro_17_Plus_Download_Version\TrayServer_en.exe
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime Alternative\QTTask.exe" -atboottime
    mRun-x64: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Remi-David\AppData\Roaming\Mozilla\Firefox\Profiles\i4p0nccw.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.laahs.info/home.php?team=0
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\QuickTime Alternative\Plugins\npqtplugin.dll
    FF - plugin: C:\Program Files (x86)\QuickTime Alternative\Plugins\npqtplugin2.dll
    FF - plugin: C:\Program Files (x86)\QuickTime Alternative\Plugins\npqtplugin3.dll
    FF - plugin: C:\Program Files (x86)\QuickTime Alternative\Plugins\npqtplugin4.dll
    FF - plugin: C:\Program Files (x86)\QuickTime Alternative\Plugins\npqtplugin5.dll
    FF - plugin: C:\Program Files (x86)\QuickTime Alternative\Plugins\npqtplugin6.dll
    FF - plugin: C:\Program Files (x86)\QuickTime Alternative\Plugins\npqtplugin7.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mv91cons;Marvell 91xx Config Device Driver;C:\Windows\system32\DRIVERS\mv91cons.sys --> C:\Windows\system32\DRIVERS\mv91cons.sys [?]
    R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
    R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
    R2 Fabs;FABS - Helping agent for MAGIX media database;C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-8-27 1253376]
    R2 Marvell RAID;Marvell RAID Event Agent;C:\Program Files (x86)\Marvell\raid\svc\mvraidsvc.exe [2009-10-5 151552]
    R2 MRUWebService;MRU Web Service;C:\Program Files (x86)\Marvell\raid\Apache2\bin\httpd.exe [2009-4-8 24635]
    R2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);C:\Program Files\CyberLink\Shared files\RichVideo64.exe [2012-1-15 386344]
    R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
    R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
    R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
    R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
    R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 Doteri;Doteri; [x]
    S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-8-7 3276800]
    S3 hcwhdpvr;Hauppauge HD PVR Capture Device;C:\Windows\system32\DRIVERS\hcwhdpvr.sys --> C:\Windows\system32\DRIVERS\hcwhdpvr.sys [?]
    S3 ivusb;Initio Driver for USB Default Controller;C:\Windows\system32\DRIVERS\ivusb.sys --> C:\Windows\system32\DRIVERS\ivusb.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
    S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-03-31 02:40:42 -------- d-----w- C:\Users\Remi-David\AppData\Roaming\Malwarebytes
    2012-03-31 02:40:34 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-03-31 02:40:33 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-03-31 02:40:33 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-03-30 22:52:09 8669240 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0F29EEE1-5FD3-4A3C-8C06-8F24702762FF}\mpengine.dll
    2012-03-30 22:51:26 -------- d-sh--w- C:\$RECYCLE.BIN
    2012-03-30 22:30:55 98816 ----a-w- C:\Windows\sed.exe
    2012-03-30 22:30:55 518144 ----a-w- C:\Windows\SWREG.exe
    2012-03-30 22:30:55 256000 ----a-w- C:\Windows\PEV.exe
    2012-03-30 22:30:55 208896 ----a-w- C:\Windows\MBR.exe
    2012-03-14 01:30:19 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2012-03-14 01:30:18 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2012-03-14 01:30:18 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2012-03-13 21:33:18 1544192 ----a-w- C:\Windows\System32\DWrite.dll
    2012-03-13 21:33:18 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
    2012-03-13 21:33:16 3145728 ----a-w- C:\Windows\System32\win32k.sys
    2012-03-13 21:32:51 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
    2012-03-13 21:32:51 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
    2012-03-13 21:32:51 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
    2012-03-13 21:32:38 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
    2012-03-13 21:32:38 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
    2012-03-13 21:32:38 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
    2012-03-13 21:32:38 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
    .
    ==================== Find3M ====================
    .
    2012-01-31 12:44:20 279656 ------w- C:\Windows\System32\MpSigStub.exe
    2012-01-04 10:44:20 509952 ----a-w- C:\Windows\System32\ntshrui.dll
    2012-01-04 08:58:41 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
    .
    ============= FINISH: 23:14:15,54 ===============







    Attach

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2009-12-22 20:08:36
    System Uptime: 2012-03-30 18:50:53 (5 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | P55A-UD4P
    Processor: Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz | Socket 1156 | 2794/133mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 931 GiB total, 241,593 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP544: 2012-03-30 18:30:57 - ComboFix created restore point
    .
    ==== Installed Programs ======================
    .
    .
    Update for Microsoft Office 2007 (KB2508958)
    µTorrent
    3DMark06
    AC3Filter 1.63b
    Adobe Flash Player 10 Plugin
    Adobe Photoshop CS
    Adobe Reader 9.4.3
    Apple Application Support
    Apple Software Update
    Applian Director
    ArcSoft TotalMedia Extreme
    ATI Catalyst Registration
    Audacity 1.3.12 (Unicode)
    AviSynth 2.5
    Canon Easy-WebPrint EX
    Canon Inkjet Printer/Scanner/Fax Extended Survey Program
    Canon MP Navigator EX 3.1
    Canon Speed Dial Utility
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities Solution Menu
    Catalyst Control Center
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    Catalyst Media Center
    Catalyst Media Center DVD Authoring Module
    CCC Help English
    CDRoller version 9.30
    Cisco Connect
    Conduit Engine
    CyberLink BD Advisor 2.0
    CyberLink PowerDirector
    CyberLink PowerDirector 10
    CyberLink WaveEditor
    Dracula 2
    Dracula Resurrection
    ffdshow [rev 3154] [2009-12-09]
    FFmpeg for Audacity on Windows
    Firebird SQL Server - MAGIX Edition
    Gigabyte Raid Configurer
    H.264 Encoder 1.5
    Haali Media Splitter
    Handbrake 0.9.4
    Hauppauge HDPVR Scheduler
    Huffyuv AVI lossless video codec (Remove Only)
    HydraVision
    ImgBurn
    Internet TV for Windows Media Center
    Java Auto Updater
    Java(TM) 6 Update 24
    Lagarith Lossless Codec (1.3.27)
    MAGIX Movie Edit Pro 17 Plus Download Version
    MAGIX Screenshare
    MAGIX Speed burnR (MSI)
    MainConcept Reference v2
    Malwarebytes Anti-Malware version 1.60.1.1000
    Marvell MRU V4
    McAfee Security Scan Plus
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Mozilla Firefox (3.6.18)
    MSVCRT Redists
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Neat Video v2.2 Pro plug-in for VirtualDub
    NEC Electronics USB 3.0 Host Controller Driver
    Nero - Burning Rom
    PS3 Media Server
    QuickTime
    QuickTime Alternative 1.81
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    SimonT Hockey Simulator Support Files
    SmartSound Quicktracks 5
    SmartSound Quicktracks for Premiere Elements 8.0
    SmartSound Quicktracks Plugin
    The Lord of the Rings FREE Trial
    TMPGEnc Authoring Works 4
    tsDemux 1.0
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2597970) 32-Bit Edition
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    USB Video Driver
    uTorrentBar_FR Toolbar
    Video Enhancer 1.9.6
    VideoReDo TVSuite Version 4.20.7.629
    Windows Installer Clean Up
    WinPcap 4.0.2
    x264vfw - H.264/MPEG-4 AVC codec for x64 (remove only)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    2012-03-30 18:51:30, Error: Service Control Manager [7000] - The Cyberlink RichVideo Service(CRVS) service failed to start due to the following error: The system cannot find the file specified.
    2012-03-30 18:42:18, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: The specified module could not be found.
    2012-03-30 18:40:45, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    2012-03-30 18:39:57, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    2012-03-30 17:17:51, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    2012-03-29 21:18:39, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "2" attempting to start the service RichVideo with arguments "-Service" in order to run the server: {889CA1C3-E115-47E1-88EC-20DF644E982A}
    2012-03-29 20:33:31, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    2012-03-28 08:09:47, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    2012-03-25 08:59:53, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    .
    ==== End Of File ===========================
     
  4. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start the scan.
    On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  5. rds11

    rds11 TS Rookie Topic Starter

    When I opened up my PC this morning, before doing the latest steps shown above, Windows Essentials identified 7 potential severe threats and removed all 7. In the history, all 7 are related to Java.

    Then, I proceeded with the aswMBR and bootkit remover steps.

    So here it goes:

    aswmbr

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-31 08:47:32
    -----------------------------
    08:47:32.087 OS Version: Windows x64 6.1.7601 Service Pack 1
    08:47:32.087 Number of processors: 8 586 0x1E05
    08:47:32.087 ComputerName: REMI-DAVID-PC UserName: Remi-David
    08:47:34.052 Initialize success
    08:47:36.876 AVAST engine defs: 12033100
    08:48:03.146 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-6
    08:48:03.146 Disk 0 Vendor: WDC_WD10EADS-00P8B0 01.00A01 Size: 953869MB BusType: 3
    08:48:03.178 Disk 0 MBR read successfully
    08:48:03.178 Disk 0 MBR scan
    08:48:03.193 Disk 0 Windows 7 default MBR code
    08:48:03.193 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    08:48:03.209 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
    08:48:03.287 Disk 0 scanning C:\Windows\system32\drivers
    08:48:18.996 Service scanning
    08:48:43.332 Modules scanning
    08:48:43.332 Disk 0 trace - called modules:
    08:48:43.379 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
    08:48:43.395 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800778a790]
    08:48:43.410 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa8007223520]
    08:48:43.410 5 ACPI.sys[fffff88000fa47a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP5T0L0-6[0xfffffa8007209680]
    08:48:45.688 AVAST engine scan C:\Windows
    08:49:22.098 AVAST engine scan C:\Windows\system32
    08:53:01.903 AVAST engine scan C:\Windows\system32\drivers
    08:53:16.379 AVAST engine scan C:\Users\Remi-David
    09:03:59.163 AVAST engine scan C:\ProgramData
    09:07:55.316 Scan finished successfully
    09:08:40.478 Disk 0 MBR has been saved successfully to "C:\Users\Remi-David\Desktop\MBR.dat"
    09:08:40.525 The log file has been saved successfully to "C:\Users\Remi-David\Desktop\aswMBR1.txt"



    bootkit

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
    , 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000
    Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

    Size Device Name MBR Status
    --------------------------------------------
    931 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
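Added example, not code from the thread or from the aswMBR or Bootkit Remover authors: the two logs above describe the same disk from different angles, and a defender can cross-check them instead of reading each in isolation. aswMBR prints the MBR partition table in sectors, while Bootkit Remover prints where the C: volume starts as a byte offset; the two must agree. The script assumes 512-byte sectors (not stated in either log) and treats "exactly one active NTFS partition, no overlapping entries, C: offset matching a table entry" as the expected Windows 7 layout; the sample lines are copied from the post above.

```python
import re

# Constructed sample: lines in the shape of the aswMBR and Bootkit Remover
# output posted above (values taken from that post).
ASWMBR_SAMPLE = """\
08:48:03.193 Disk 0 Windows 7 default MBR code
08:48:03.193 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
08:48:03.209 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
"""
BOOTKIT_SAMPLE = r"""
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff
"""

SECTOR = 512          # bytes per sector: assumption, neither tool prints it
MB_SECTORS = 1024 * 1024 // SECTOR
NTFS = 0x07

# "Disk N Partition K <boot> [(A)] <type> <desc> <size> MB offset <sectors>"
PART_RE = re.compile(
    r"Disk (?P<disk>\d+) Partition (?P<n>\d+) (?P<boot>[0-9A-Fa-f]{2})(?: \(A\))? "
    r"(?P<type>[0-9A-Fa-f]{2}) .*? (?P<size>\d+) MB offset (?P<off>\d+)"
)
# "\\.\C: -> \\.\PhysicalDrive0 at offset 0xHHHHHHHH`LLLLLLLL"
VOL_RE = re.compile(
    r"\\\\\.\\(?P<vol>[A-Z]:) -> \\\\\.\\PhysicalDrive(?P<drive>\d+) "
    r"at offset 0x(?P<hi>[0-9A-Fa-f]{8})`(?P<lo>[0-9A-Fa-f]{8})"
)


def parse_partitions(text):
    """MBR table entries from aswMBR output, sizes converted to sectors."""
    parts = []
    for line in text.splitlines():
        m = PART_RE.search(line)
        if m:
            parts.append({
                "index": int(m["n"]),
                "active": m["boot"].upper() == "80",
                "type": int(m["type"], 16),
                "start": int(m["off"]),
                "sectors": int(m["size"]) * MB_SECTORS,  # size is rounded to MB
            })
    return parts


def parse_volume_offset(text):
    """(volume, physical drive, start sector) from Bootkit Remover output."""
    m = VOL_RE.search(text)
    if not m:
        return None
    byte_offset = int(m["hi"] + m["lo"], 16)
    return m["vol"], int(m["drive"]), byte_offset // SECTOR


def check_layout(parts, volume):
    """Return a list of findings; an empty list means the two logs agree and
    the table looks like a normal single-boot Windows 7 layout."""
    findings = []
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    elif active[0]["type"] != NTFS:
        findings.append(f"active partition type 0x{active[0]['type']:02x} is not NTFS")
    # aswMBR rounds sizes to whole MB, so allow 1 MB of slack before calling it overlap
    for a, b in zip(parts, parts[1:]):
        if a["start"] + a["sectors"] - b["start"] > MB_SECTORS:
            findings.append(f"partition {a['index']} overlaps partition {b['index']}")
    if volume is not None:
        vol, _drive, start = volume
        if not any(p["start"] == start for p in parts):
            findings.append(f"{vol} starts at sector {start}, matching no MBR table entry")
    return findings


if __name__ == "__main__":
    parts = parse_partitions(ASWMBR_SAMPLE)
    vol = parse_volume_offset(BOOTKIT_SAMPLE)
    print("volume:", vol)
    print("findings:", check_layout(parts, vol) or "none")
```

On the posted values the check is clean: 0x06500000 bytes is 105,906,176 bytes, which is sector 206848 at 512 bytes per sector, exactly where aswMBR puts Partition 2, and the 100 MB System Reserved partition at sector 2048 ends precisely there. A mismatch between the two tools would be the thing to ask about before running any repair.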
     
  6. Broni

    Broni Malware Annihilator Posts: 47,022   +255

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. rds11

    rds11 TS Rookie Topic Starter

    Combofix ran fine; I didn't have to use Rkill.


    Combofix log

    ComboFix 12-03-30.06 - Remi-David 2012-03-31 12:35:16.2.8 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8187.5553 [GMT -4:00]
    Running from: c:\users\Remi-David\Downloads\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-31 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-31 16:38 . 2012-03-31 16:38 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-03-31 03:16 . 2012-03-14 03:27 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7125BDD2-6D24-40DD-92FF-55C45337855A}\mpengine.dll
    2012-03-31 02:40 . 2012-03-31 02:40 -------- d-----w- c:\users\Remi-David\AppData\Roaming\Malwarebytes
    2012-03-31 02:40 . 2012-03-31 02:40 -------- d-----w- c:\programdata\Malwarebytes
    2012-03-31 02:40 . 2012-03-31 02:40 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-03-31 02:40 . 2011-12-10 19:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-14 01:30 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-03-14 01:30 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2012-03-14 01:30 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2012-03-13 21:33 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
    2012-03-13 21:33 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
    2012-03-13 21:33 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
    2012-03-13 21:32 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-03-13 21:32 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-03-13 21:32 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-03-13 21:32 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
    2012-03-13 21:32 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
    2012-03-13 21:32 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-03-13 21:32 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-14 03:27 . 2011-06-13 21:55 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-02-10 21:56 . 2012-02-10 21:57 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E50D4B0F-37E6-496C-B0AB-79895B44D60A}\gapaengine.dll
    2012-01-31 12:44 . 2009-12-23 01:42 279656 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-04 10:44 . 2012-02-16 00:24 509952 ----a-w- c:\windows\system32\ntshrui.dll
    2012-01-04 08:58 . 2012-02-16 00:24 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-03-30_22.42.38 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-12-23 01:20 . 2012-03-31 12:31 51952 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-03-31 12:31 32768 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2009-12-23 01:15 . 2012-03-31 12:31 17542 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3952311282-3270686217-2811382985-1000_UserData.bin
    + 2009-12-23 01:05 . 2012-03-30 23:45 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-12-23 01:05 . 2012-03-21 22:14 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-12-23 01:05 . 2012-03-30 23:45 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-23 01:05 . 2012-03-21 22:14 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-03-21 22:14 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-03-30 23:45 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:46 . 2012-03-31 02:12 94384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    - 2012-03-30 22:42 . 2012-03-30 22:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-03-31 16:39 . 2012-03-31 16:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-03-31 16:39 . 2012-03-31 16:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-03-30 22:42 . 2012-03-30 22:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-07-14 02:36 . 2012-03-30 22:27 626262 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2012-03-31 12:34 626262 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2012-03-31 12:34 107538 c:\windows\system32\perfc009.dat
    - 2009-07-14 02:36 . 2012-03-30 22:27 107538 c:\windows\system32\perfc009.dat
    - 2009-07-14 05:01 . 2012-03-30 22:40 413688 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2012-03-31 16:38 413688 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-02-09 02:35 . 2012-03-31 16:38 3527080 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    - 2011-02-09 02:35 . 2012-03-30 22:40 3527080 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2011-03-06 04:20 . 2012-03-31 16:38 1305374 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3952311282-3270686217-2811382985-1000-8192.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}"= "c:\program files (x86)\uTorrentBar_FR\tbuTor.dll" [2010-11-29 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}]
    2010-11-29 20:26 3908192 ----a-w- c:\program files (x86)\uTorrentBar_FR\tbuTor.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-11-29 20:26 3908192 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}"= "c:\program files (x86)\uTorrentBar_FR\tbuTor.dll" [2010-11-29 3908192]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
    .
    [HKEY_CLASSES_ROOT\clsid\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-09-25 106496]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
    "MRUTray"="c:\program files (x86)\Marvell\raid\tray\MarvellTray.exe" [2009-10-09 741376]
    "NeroCheck"="c:\windows\SysWOW64\\NeroCheck.exe" [2001-07-09 155648]
    "CMCService"="c:\program files (x86)\ATI\Catalyst Media Center\CMCService.exe" [2008-06-06 172032]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
    "TrayServer"="c:\program files (x86)\MAGIX\Movie_Edit_Pro_17_Plus_Download_Version\TrayServer_en.exe" [2008-11-13 90112]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-03-07 421160]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-09-08 343168]
    "QuickTime Task"="c:\program files (x86)\QuickTime Alternative\QTTask.exe" [2011-07-05 421888]
    "ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-3-29 113664]
    BDARemote.lnk - c:\program files (x86)\USB TV\EM28XX\BDARemote.exe [2010-9-26 81997]
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 Doteri;Doteri; [x]
    R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
    R3 hcwhdpvr;Hauppauge HD PVR Capture Device;c:\windows\system32\DRIVERS\hcwhdpvr.sys [x]
    R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
    S0 mv91cons;Marvell 91xx Config Device Driver;c:\windows\system32\DRIVERS\mv91cons.sys [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S1 archlp;archlp;SysWOW64\drivers\archlp.sys [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
    S2 Marvell RAID;Marvell RAID Event Agent;c:\program files (x86)\Marvell\raid\svc\mvraidsvc.exe [2009-10-05 151552]
    S2 MRUWebService;MRU Web Service;c:\program files (x86)\Marvell\raid\Apache2\bin\httpd.exe [2009-04-09 24635]
    S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\CyberLink\Shared files\RichVideo64.exe [2010-08-19 386344]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
    S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
    S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    .
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-01 2710856]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-03 767312]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:blank
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.ca/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 24.48.19.13 24.202.72.13 24.53.0.2
    FF - ProfilePath - c:\users\Remi-David\AppData\Roaming\Mozilla\Firefox\Profiles\i4p0nccw.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.laahs.info/home.php?team=0
    FF - prefs.js: network.proxy.type - 4
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Adobe DLM (powered by getPlus(R)): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{05EEB91A-AEF7-4F8A-978F-FB83E7B03F8E} - (no file)
    .
    .
    "ImagePath"="\"c:\program files\CyberLink\Shared files\RichVideo64.exe\"\00Z
    [\]^_¦\00\00¦\00\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~¦\00\00¦\00\00\00\00m\00\00\00\00\00\00\00\00‘’“"
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3952311282-3270686217-2811382985-1000\Software\CyberLink\Common\claud\yberLink PD8\PowerDirector\P* *\PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-3952311282-3270686217-2811382985-1000\Software\CyberLink\Common\claud\yberLink PD8\PowerDirector\P*! *\PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-3952311282-3270686217-2811382985-1000\Software\CyberLink\Common\claud\yberLink PD8\PowerDirector\P*9 *\PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_USERS\S-1-5-21-3952311282-3270686217-2811382985-1000\Software\CyberLink\Common\claud\yberLink PD8\P*o*w*e*r*D*i*r*e*c*t* \PDR8]
    "AuDsInterface"=dword:00000008
    "AuHDMIMode"=dword:00000000
    "AuDsDnmx"=dword:00000008
    "AuDsDualMono"=dword:00000000
    "AuDsDHMode"=dword:00000002
    "AuDsDVSMode"=dword:00000005
    "AuDsCLHMode"=dword:00000002
    "AuDsCLVSMode"=dword:00000002
    "AuDsTSOn"=dword:00000001
    "AuDsFocusOn"=dword:00000001
    "AuDsTBOn"=dword:00000001
    "AuDsFocusLevel"=dword:00000005
    "AuDsTBLevel"=dword:00000008
    "AuDsSpkSize"=dword:00000001
    "AuDsDTSS2SpeakWidth"=dword:0000000a
    "AuDsDTSS2DialGain"=dword:00000000
    "AuDsDTSS2BassRGain"=dword:00000000
    "AuDsChanExpand"=dword:00000004
    "AuDsPL2Mode"=dword:00000003
    "AuDsPL2XPanorama"=dword:00000000
    "AuDsPL2XCntrWidth"=dword:00000003
    "AuDsMEIMode"=dword:00000014
    "AuDsMEIVolFront"=dword:0000001e
    "AuDsMEIVolRear"=dword:0000001e
    "AuDsMEIVolCenter"=dword:0000001e
    "AuDsMEIVolLFE"=dword:0000001e
    "AuDsNeo6Mode"=dword:00000000
    "AU_DRC_MODE"=dword:00000002
    "LFEON"=dword:00000001
    "AuDsCntrMix"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\13E4ECADC9B1CE008E87AC078D24AD3E\A4287689D68C38A4F8C37E8AB60EFA3D]
    @DACL=(02 0000)
    "PatchGUID"=""
    "MediaCabinet"=""
    "File"="_085742B0AA254FE28249C52D2D7A040F"
    "ComponentVersion"="100.0.0.0"
    "ProductVersion"="7.0.0"
    "PatchSize"="0"
    "PatchAttributes"="0"
    "PatchSequence"="0"
    "SharedComponent"="0"
    "IsFullFile"="0"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\23A912A2A082758DA5C00BF6A1746E7B\A4287689D68C38A4F8C37E8AB60EFA3D]
    @DACL=(02 0000)
    "PatchGUID"=""
    "MediaCabinet"=""
    "File"="_EC1CA8611CFD480088A21E7682C6DCC7"
    "ComponentVersion"="100.0.0.0"
    "ProductVersion"="7.0.0"
    "PatchSize"="0"
    "PatchAttributes"="0"
    "PatchSequence"="0"
    "SharedComponent"="0"
    "IsFullFile"="0"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\3700BE3FD0A3A8EC5847E42297A7D613\A4287689D68C38A4F8C37E8AB60EFA3D]
    @DACL=(02 0000)
    "PatchGUID"=""
    "MediaCabinet"=""
    "File"="_83872715E6364546B5048FE457997193"
    "ComponentVersion"="100.0.0.0"
    "ProductVersion"="7.0.0"
    "PatchSize"="0"
    "PatchAttributes"="0"
    "PatchSequence"="0"
    "SharedComponent"="0"
    "IsFullFile"="0"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\5E85D89A38458734F3227589B40B7782\A4287689D68C38A4F8C37E8AB60EFA3D]
    @DACL=(02 0000)
    "PatchGUID"=""
    "MediaCabinet"=""
    "File"="_4B248A8164944DCD8C25EB5F0DBEFCB8"
    "ComponentVersion"="100.0.0.0"
    "ProductVersion"="7.0.0"
    "PatchSize"="0"
    "PatchAttributes"="0"
    "PatchSequence"="0"
    "SharedComponent"="0"
    "IsFullFile"="0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
    c:\program files (x86)\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
    c:\program files (x86)\Canon\IJPLM\IJPLMSVC.EXE
    c:\program files (x86)\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
    .
    **************************************************************************
    .
    Completion time: 2012-03-31 12:44:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-03-31 16:44
    .
    Pre-Run: 258*629*705*728 bytes free
    Post-Run: 258*434*527*232 bytes free
    .
    - - End Of File - - 7802875E83B85CFE6EE689C385660D0D
     
  8. Broni


    All looks clean to me.
    Are you having any current issues?
     
  9. rds11


    No, no current issues.
    As I mentioned, Essentials caught and removed a few things in the past 2 days (most recently this morning), which never happened before.
    The only strange thing that happened is the hard drive failure notice I received when I opened up my PC yesterday... here's the UnHide log, the first thing I ran yesterday:


    UnHide


    Unhide by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Unhide.exe can be found at this link:
    http://www.bleepingcomputer.com/forums/topic405109.html

    Program started at: 03/30/2012 06:00:53 PM
    Windows Version: Windows 7

    Please be patient while your files are made visible again.

    Processing the C:\ drive
    Finished processing the C:\ drive. 331748 files processed.

    Restoring the Start Menu.
    * 311 Shortcuts and Desktop items were restored.


    Searching for Windows Registry changes made by FakeHDD rogues.
    - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    * NoActiveDesktopChanges policy was found and deleted!
    - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    * Start_TrackDocs was set to 0! It was set back to 1!
    * Start_TrackProgs was set to 0! It was set back to 1!

    Program finished at: 03/30/2012 06:15:55 PM
    Execution time: 0 hours(s), 15 minute(s), and 1 seconds(s)



    Let me know if you think of something else to check...
    Thank you very much for your help!!
     
  10. Broni


    It looks like you got hit with something, but the current logs indicate that no infection is present.
    You should be good to go.
     
Topic Status:
Not open for further replies.