Inactive Windows 7 restore virus/failed hard drive

rds11 · Mar 30, 2012

Yesterday I got a message on Windows Essentials that it caught something and the recommended action was to remove it, which I did.

When I restarted the PC today, I had a hard drive failure notice (well several of them) and every programs and icons were gone. In fact, my problem was very similar to the one from this thread :
https://www.techspot.com/vb/topic166419.html

So I downloaded the UnHide program, ran it, and now almost everything is back, except a few shortcuts that I had pinned to my task bar and my desktop wallscreen picture.

My OS is Windows 7 Home Premium

System
--------------------------------------------------------------------------------

Manufacturer Gigabyte Technology Co., Ltd.
Model P55A-UD4P
Total amount of system memory 8,00 GB RAM
System type 64-bit operating system
Number of processor cores 4

Storage
--------------------------------------------------------------------------------

Total size of hard disk(s) 931 GB
Disk partition (C

242 GB Free (931 GB Total)

So, what should I do next to clean up my PC ?

Broni · Mar 30, 2012

Welcome aboard

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
If you're stuck, or you're not sure about certain step, always ask before doing anything else.
Please refrain from running tools or applying updates other than those I suggest.
Never run more than one scan at a time.
Keep updating me regarding your computer behavior, good, or bad.
The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

rds11 · Mar 30, 2012

Thanks for the quick reply !
Here are the logs:

Malwarebytes Log
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.31.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Remi-David :: REMI-DAVID-PC [administrator]

2012-03-30 22:42:10
mbam-log-2012-03-30 (22-42-10).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198501
Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

GMER

Produced no log...found no system modification.

DDS
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Run by Remi-David at 23:14:03 on 2012-03-30
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8187.6221 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe
C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files (x86)\USB TV\EM28XX\BDARemote.exe
C:\Program Files (x86)\Marvell\raid\Apache2\bin\httpd.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\CyberLink\Shared files\RichVideo64.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Marvell\raid\Apache2\bin\httpd.exe
C:\Program Files (x86)\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
C:\Program Files (x86)\Marvell\raid\svc\mvraidsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\ATI\Catalyst Media Center\CMCService.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.ca/search?q=%s
uURLSearchHooks: uTorrentBar_FR Toolbar: {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - C:\Program Files (x86)\uTorrentBar_FR\tbuTor.dll
mURLSearchHooks: uTorrentBar_FR Toolbar: {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - C:\Program Files (x86)\uTorrentBar_FR\tbuTor.dll
BHO: uTorrentBar_FR Toolbar: {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - C:\Program Files (x86)\uTorrentBar_FR\tbuTor.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: uTorrentBar_FR Toolbar: {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - C:\Program Files (x86)\uTorrentBar_FR\tbuTor.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [MRUTray] C:\Program Files (x86)\Marvell\raid\tray\MarvellTray.exe
mRun: [NeroCheck] C:\Windows\SysWOW64\\NeroCheck.exe
mRun: [CMCService] "C:\Program Files (x86)\ATI\Catalyst Media Center\CMCService.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [TrayServer] C:\Program Files (x86)\MAGIX\Movie_Edit_Pro_17_Plus_Download_Version\TrayServer_en.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime Alternative\QTTask.exe" -atboottime
mRun: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BDAREM~1.LNK - C:\Program Files (x86)\USB TV\EM28XX\BDARemote.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 24.48.19.13 24.202.72.13 24.53.0.2
TCP: Interfaces\{8C574716-7B0F-47A2-BC8F-953292042010} : DhcpNameServer = 24.48.19.13 24.202.72.13 24.53.0.2
BHO-X64: uTorrentBar_FR Toolbar: {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - C:\Program Files (x86)\uTorrentBar_FR\tbuTor.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
BHO-X64: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
BHO-X64: Canon Easy-WebPrint EX BHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: uTorrentBar_FR Toolbar: {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - C:\Program Files (x86)\uTorrentBar_FR\tbuTor.dll
TB-X64: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll
TB-X64: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
EB-X64: {21347690-EC41-4F9A-8887-1F4AEE672439} - No File
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun-x64: [MRUTray] C:\Program Files (x86)\Marvell\raid\tray\MarvellTray.exe
mRun-x64: [NeroCheck] C:\Windows\SysWOW64\\NeroCheck.exe
mRun-x64: [CMCService] "C:\Program Files (x86)\ATI\Catalyst Media Center\CMCService.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun-x64: [TrayServer] C:\Program Files (x86)\MAGIX\Movie_Edit_Pro_17_Plus_Download_Version\TrayServer_en.exe
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime Alternative\QTTask.exe" -atboottime
mRun-x64: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Remi-David\AppData\Roaming\Mozilla\Firefox\Profiles\i4p0nccw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.laahs.info/home.php?team=0
FF - prefs.js: network.proxy.type - 4
FF - plugin: C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\QuickTime Alternative\Plugins\npqtplugin.dll
FF - plugin: C:\Program Files (x86)\QuickTime Alternative\Plugins\npqtplugin2.dll
FF - plugin: C:\Program Files (x86)\QuickTime Alternative\Plugins\npqtplugin3.dll
FF - plugin: C:\Program Files (x86)\QuickTime Alternative\Plugins\npqtplugin4.dll
FF - plugin: C:\Program Files (x86)\QuickTime Alternative\Plugins\npqtplugin5.dll
FF - plugin: C:\Program Files (x86)\QuickTime Alternative\Plugins\npqtplugin6.dll
FF - plugin: C:\Program Files (x86)\QuickTime Alternative\Plugins\npqtplugin7.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Adobe DLM (powered by getPlus(R)): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
.
============= SERVICES / DRIVERS ===============
.
R0 mv91cons;Marvell 91xx Config Device Driver;C:\Windows\system32\DRIVERS\mv91cons.sys --> C:\Windows\system32\DRIVERS\mv91cons.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 Fabs;FABS - Helping agent for MAGIX media database;C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-8-27 1253376]
R2 Marvell RAID;Marvell RAID Event Agent;C:\Program Files (x86)\Marvell\raid\svc\mvraidsvc.exe [2009-10-5 151552]
R2 MRUWebService;MRU Web Service;C:\Program Files (x86)\Marvell\raid\Apache2\bin\httpd.exe [2009-4-8 24635]
R2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);C:\Program Files\CyberLink\Shared files\RichVideo64.exe [2012-1-15 386344]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Doteri;Doteri; [x]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-8-7 3276800]
S3 hcwhdpvr;Hauppauge HD PVR Capture Device;C:\Windows\system32\DRIVERS\hcwhdpvr.sys --> C:\Windows\system32\DRIVERS\hcwhdpvr.sys [?]
S3 ivusb;Initio Driver for USB Default Controller;C:\Windows\system32\DRIVERS\ivusb.sys --> C:\Windows\system32\DRIVERS\ivusb.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-03-31 02:40:42 -------- d-----w- C:\Users\Remi-David\AppData\Roaming\Malwarebytes
2012-03-31 02:40:34 -------- d-----w- C:\ProgramData\Malwarebytes
2012-03-31 02:40:33 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-31 02:40:33 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-30 22:52:09 8669240 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0F29EEE1-5FD3-4A3C-8C06-8F24702762FF}\mpengine.dll
2012-03-30 22:51:26 -------- d-sh--w- C:\$RECYCLE.BIN
2012-03-30 22:30:55 98816 ----a-w- C:\Windows\sed.exe
2012-03-30 22:30:55 518144 ----a-w- C:\Windows\SWREG.exe
2012-03-30 22:30:55 256000 ----a-w- C:\Windows\PEV.exe
2012-03-30 22:30:55 208896 ----a-w- C:\Windows\MBR.exe
2012-03-14 01:30:19 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-14 01:30:18 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-14 01:30:18 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-13 21:33:18 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-03-13 21:33:18 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-03-13 21:33:16 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-03-13 21:32:51 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-13 21:32:51 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-03-13 21:32:51 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-03-13 21:32:38 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-13 21:32:38 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-13 21:32:38 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-13 21:32:38 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
.
==================== Find3M ====================
.
2012-01-31 12:44:20 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-01-04 10:44:20 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-01-04 08:58:41 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
.
============= FINISH: 23:14:15,54 ===============

Attach

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 2009-12-22 20:08:36
System Uptime: 2012-03-30 18:50:53 (5 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | P55A-UD4P
Processor: Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz | Socket 1156 | 2794/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 931 GiB total, 241,593 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP544: 2012-03-30 18:30:57 - ComboFix created restore point
.
==== Installed Programs ======================
.
.
Update for Microsoft Office 2007 (KB2508958)
µTorrent
3DMark06
AC3Filter 1.63b
Adobe Flash Player 10 Plugin
Adobe Photoshop CS
Adobe Reader 9.4.3
Apple Application Support
Apple Software Update
Applian Director
ArcSoft TotalMedia Extreme
ATI Catalyst Registration
Audacity 1.3.12 (Unicode)
AviSynth 2.5
Canon Easy-WebPrint EX
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MP Navigator EX 3.1
Canon Speed Dial Utility
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Media Center
Catalyst Media Center DVD Authoring Module
CCC Help English
CDRoller version 9.30
Cisco Connect
Conduit Engine
CyberLink BD Advisor 2.0
CyberLink PowerDirector
CyberLink PowerDirector 10
CyberLink WaveEditor
Dracula 2
Dracula Resurrection
ffdshow [rev 3154] [2009-12-09]
FFmpeg for Audacity on Windows
Firebird SQL Server - MAGIX Edition
Gigabyte Raid Configurer
H.264 Encoder 1.5
Haali Media Splitter
Handbrake 0.9.4
Hauppauge HDPVR Scheduler
Huffyuv AVI lossless video codec (Remove Only)
HydraVision
ImgBurn
Internet TV for Windows Media Center
Java Auto Updater
Java(TM) 6 Update 24
Lagarith Lossless Codec (1.3.27)
MAGIX Movie Edit Pro 17 Plus Download Version
MAGIX Screenshare
MAGIX Speed burnR (MSI)
MainConcept Reference v2
Malwarebytes Anti-Malware version 1.60.1.1000
Marvell MRU V4
McAfee Security Scan Plus
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox (3.6.18)
MSVCRT Redists
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Neat Video v2.2 Pro plug-in for VirtualDub
NEC Electronics USB 3.0 Host Controller Driver
Nero - Burning Rom
PS3 Media Server
QuickTime
QuickTime Alternative 1.81
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
SimonT Hockey Simulator Support Files
SmartSound Quicktracks 5
SmartSound Quicktracks for Premiere Elements 8.0
SmartSound Quicktracks Plugin
The Lord of the Rings FREE Trial
TMPGEnc Authoring Works 4
tsDemux 1.0
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2597970) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
USB Video Driver
uTorrentBar_FR Toolbar
Video Enhancer 1.9.6
VideoReDo TVSuite Version 4.20.7.629
Windows Installer Clean Up
WinPcap 4.0.2
x264vfw - H.264/MPEG-4 AVC codec for x64 (remove only)
.
==== Event Viewer Messages From Past Week ========
.
2012-03-30 18:51:30, Error: Service Control Manager [7000] - The Cyberlink RichVideo Service(CRVS) service failed to start due to the following error: The system cannot find the file specified.
2012-03-30 18:42:18, Error: Service Control Manager [7023] - The Windows Defender service terminated with the following error: The specified module could not be found.
2012-03-30 18:40:45, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
2012-03-30 18:39:57, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
2012-03-30 17:17:51, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
2012-03-29 21:18:39, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "2" attempting to start the service RichVideo with arguments "-Service" in order to run the server: {889CA1C3-E115-47E1-88EC-20DF644E982A}
2012-03-29 20:33:31, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
2012-03-28 08:09:47, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
2012-03-25 08:59:53, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
.
==== End Of File ===========================

Broni · Mar 30, 2012

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

===================================================================

Download Bootkit Remover to your desktop.

Unzip downloaded file to your Desktop.
Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
It will show a Black screen with some data on it.
Right click on the screen and click Select All.
Press CTRL+C
Open a Notepad and press CTRL+V
Post the output back here.

rds11 · Mar 31, 2012

When I opened up my PC this morning, before doing the latest steps shown above, Windows Essentials identified 7 potential severe threats and removed all 7. In the history, all 7 are related to Java.

Then, I proceeded with the aswMBR and bootkit remover steps.

So here it goes :

aswmbr

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-31 08:47:32
-----------------------------
08:47:32.087 OS Version: Windows x64 6.1.7601 Service Pack 1
08:47:32.087 Number of processors: 8 586 0x1E05
08:47:32.087 ComputerName: REMI-DAVID-PC UserName: Remi-David
08:47:34.052 Initialize success
08:47:36.876 AVAST engine defs: 12033100
08:48:03.146 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-6
08:48:03.146 Disk 0 Vendor: WDC_WD10EADS-00P8B0 01.00A01 Size: 953869MB BusType: 3
08:48:03.178 Disk 0 MBR read successfully
08:48:03.178 Disk 0 MBR scan
08:48:03.193 Disk 0 Windows 7 default MBR code
08:48:03.193 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
08:48:03.209 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
08:48:03.287 Disk 0 scanning C:\Windows\system32\drivers
08:48:18.996 Service scanning
08:48:43.332 Modules scanning
08:48:43.332 Disk 0 trace - called modules:
08:48:43.379 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
08:48:43.395 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800778a790]
08:48:43.410 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa8007223520]
08:48:43.410 5 ACPI.sys[fffff88000fa47a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP5T0L0-6[0xfffffa8007209680]
08:48:45.688 AVAST engine scan C:\Windows
08:49:22.098 AVAST engine scan C:\Windows\system32
08:53:01.903 AVAST engine scan C:\Windows\system32\drivers
08:53:16.379 AVAST engine scan C:\Users\Remi-David
09:03:59.163 AVAST engine scan C:\ProgramData
09:07:55.316 Scan finished successfully
09:08:40.478 Disk 0 MBR has been saved successfully to "C:\Users\Remi-David\Desktop\MBR.dat"
09:08:40.525 The log file has been saved successfully to "C:\Users\Remi-David\Desktop\aswMBR1.txt"

bootkit

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
, 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Done;
Press any key to quit...

Broni · Mar 31, 2012

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Double click on combofix.exe & follow the prompts.

NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe

Double-click on the Rkill icon to run the tool.
If using Vista or Windows 7 right-click on it and choose Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
Do not reboot until instructed.
If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

rds11 · Mar 31, 2012

Combofix ran fine, I didn't have to use rkill

Combofix log

ComboFix 12-03-30.06 - Remi-David 2012-03-31 12:35:16.2.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8187.5553 [GMT -4:00]
Running from: c:\users\Remi-David\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-31 )))))))))))))))))))))))))))))))
.
.
2012-03-31 16:38 . 2012-03-31 16:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-31 03:16 . 2012-03-14 03:27 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7125BDD2-6D24-40DD-92FF-55C45337855A}\mpengine.dll
2012-03-31 02:40 . 2012-03-31 02:40 -------- d-----w- c:\users\Remi-David\AppData\Roaming\Malwarebytes
2012-03-31 02:40 . 2012-03-31 02:40 -------- d-----w- c:\programdata\Malwarebytes
2012-03-31 02:40 . 2012-03-31 02:40 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-31 02:40 . 2011-12-10 19:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-14 01:30 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-14 01:30 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-14 01:30 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-13 21:33 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 21:33 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-13 21:33 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 21:32 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-13 21:32 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-13 21:32 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-13 21:32 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-13 21:32 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-13 21:32 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-13 21:32 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-14 03:27 . 2011-06-13 21:55 8669240 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-10 21:56 . 2012-02-10 21:57 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E50D4B0F-37E6-496C-B0AB-79895B44D60A}\gapaengine.dll
2012-01-31 12:44 . 2009-12-23 01:42 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-04 10:44 . 2012-02-16 00:24 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-01-04 08:58 . 2012-02-16 00:24 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-30_22.42.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-23 01:20 . 2012-03-31 12:31 51952 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-31 12:31 32768 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-12-23 01:15 . 2012-03-31 12:31 17542 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3952311282-3270686217-2811382985-1000_UserData.bin
+ 2009-12-23 01:05 . 2012-03-30 23:45 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-23 01:05 . 2012-03-21 22:14 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-23 01:05 . 2012-03-30 23:45 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-23 01:05 . 2012-03-21 22:14 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-21 22:14 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-30 23:45 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:46 . 2012-03-31 02:12 94384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2012-03-30 22:42 . 2012-03-30 22:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-31 16:39 . 2012-03-31 16:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-31 16:39 . 2012-03-31 16:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-03-30 22:42 . 2012-03-30 22:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-03-30 22:27 626262 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-31 12:34 626262 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-31 12:34 107538 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-03-30 22:27 107538 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-03-30 22:40 413688 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-31 16:38 413688 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-02-09 02:35 . 2012-03-31 16:38 3527080 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-02-09 02:35 . 2012-03-30 22:40 3527080 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-03-06 04:20 . 2012-03-31 16:38 1305374 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3952311282-3270686217-2811382985-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}"= "c:\program files (x86)\uTorrentBar_FR\tbuTor.dll" [2010-11-29 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}]
2010-11-29 20:26 3908192 ----a-w- c:\program files (x86)\uTorrentBar_FR\tbuTor.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-29 20:26 3908192 ----a-w- c:\program files (x86)\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}"= "c:\program files (x86)\uTorrentBar_FR\tbuTor.dll" [2010-11-29 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
.
[HKEY_CLASSES_ROOT\clsid\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-09-25 106496]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"MRUTray"="c:\program files (x86)\Marvell\raid\tray\MarvellTray.exe" [2009-10-09 741376]
"NeroCheck"="c:\windows\SysWOW64\\NeroCheck.exe" [2001-07-09 155648]
"CMCService"="c:\program files (x86)\ATI\Catalyst Media Center\CMCService.exe" [2008-06-06 172032]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"TrayServer"="c:\program files (x86)\MAGIX\Movie_Edit_Pro_17_Plus_Download_Version\TrayServer_en.exe" [2008-11-13 90112]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-09-08 343168]
"QuickTime Task"="c:\program files (x86)\QuickTime Alternative\QTTask.exe" [2011-07-05 421888]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-3-29 113664]
BDARemote.lnk - c:\program files (x86)\USB TV\EM28XX\BDARemote.exe [2010-9-26 81997]
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 Doteri;Doteri; [x]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 hcwhdpvr;Hauppauge HD PVR Capture Device;c:\windows\system32\DRIVERS\hcwhdpvr.sys [x]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S0 mv91cons;Marvell 91xx Config Device Driver;c:\windows\system32\DRIVERS\mv91cons.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 archlp;archlp;SysWOW64\drivers\archlp.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 Marvell RAID;Marvell RAID Event Agent;c:\program files (x86)\Marvell\raid\svc\mvraidsvc.exe [2009-10-05 151552]
S2 MRUWebService;MRU Web Service;c:\program files (x86)\Marvell\raid\Apache2\bin\httpd.exe [2009-04-09 24635]
S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\CyberLink\Shared files\RichVideo64.exe [2010-08-19 386344]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-01 2710856]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-03 767312]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.ca/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 24.48.19.13 24.202.72.13 24.53.0.2
FF - ProfilePath - c:\users\Remi-David\AppData\Roaming\Mozilla\Firefox\Profiles\i4p0nccw.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.laahs.info/home.php?team=0
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Adobe DLM (powered by getPlus(R)): {CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - %profile%\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{05EEB91A-AEF7-4F8A-978F-FB83E7B03F8E} - (no file)
.
.
"ImagePath"="\"c:\program files\CyberLink\Shared files\RichVideo64.exe\"\00Z
[\]^_¦\00\00¦\00\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~¦\00\00¦\00\00\00\00m\00\00\00\00\00\00\00\00‘’“"
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3952311282-3270686217-2811382985-1000\Software\CyberLink\Common\claud\yberLink PD8\PowerDirector\P* *\PDR8]
"AuDsInterface"=dword:00000008
"AuHDMIMode"=dword:00000000
"AuDsDnmx"=dword:00000008
"AuDsDualMono"=dword:00000000
"AuDsDHMode"=dword:00000002
"AuDsDVSMode"=dword:00000005
"AuDsCLHMode"=dword:00000002
"AuDsCLVSMode"=dword:00000002
"AuDsTSOn"=dword:00000001
"AuDsFocusOn"=dword:00000001
"AuDsTBOn"=dword:00000001
"AuDsFocusLevel"=dword:00000005
"AuDsTBLevel"=dword:00000008
"AuDsSpkSize"=dword:00000001
"AuDsDTSS2SpeakWidth"=dword:0000000a
"AuDsDTSS2DialGain"=dword:00000000
"AuDsDTSS2BassRGain"=dword:00000000
"AuDsChanExpand"=dword:00000004
"AuDsPL2Mode"=dword:00000003
"AuDsPL2XPanorama"=dword:00000000
"AuDsPL2XCntrWidth"=dword:00000003
"AuDsMEIMode"=dword:00000014
"AuDsMEIVolFront"=dword:0000001e
"AuDsMEIVolRear"=dword:0000001e
"AuDsMEIVolCenter"=dword:0000001e
"AuDsMEIVolLFE"=dword:0000001e
"AuDsNeo6Mode"=dword:00000000
"AU_DRC_MODE"=dword:00000002
"LFEON"=dword:00000001
"AuDsCntrMix"=dword:00000000
.
[HKEY_USERS\S-1-5-21-3952311282-3270686217-2811382985-1000\Software\CyberLink\Common\claud\yberLink PD8\PowerDirector\P*! *\PDR8]
"AuDsInterface"=dword:00000008
"AuHDMIMode"=dword:00000000
"AuDsDnmx"=dword:00000008
"AuDsDualMono"=dword:00000000
"AuDsDHMode"=dword:00000002
"AuDsDVSMode"=dword:00000005
"AuDsCLHMode"=dword:00000002
"AuDsCLVSMode"=dword:00000002
"AuDsTSOn"=dword:00000001
"AuDsFocusOn"=dword:00000001
"AuDsTBOn"=dword:00000001
"AuDsFocusLevel"=dword:00000005
"AuDsTBLevel"=dword:00000008
"AuDsSpkSize"=dword:00000001
"AuDsDTSS2SpeakWidth"=dword:0000000a
"AuDsDTSS2DialGain"=dword:00000000
"AuDsDTSS2BassRGain"=dword:00000000
"AuDsChanExpand"=dword:00000004
"AuDsPL2Mode"=dword:00000003
"AuDsPL2XPanorama"=dword:00000000
"AuDsPL2XCntrWidth"=dword:00000003
"AuDsMEIMode"=dword:00000014
"AuDsMEIVolFront"=dword:0000001e
"AuDsMEIVolRear"=dword:0000001e
"AuDsMEIVolCenter"=dword:0000001e
"AuDsMEIVolLFE"=dword:0000001e
"AuDsNeo6Mode"=dword:00000000
"AU_DRC_MODE"=dword:00000002
"LFEON"=dword:00000001
"AuDsCntrMix"=dword:00000000
.
[HKEY_USERS\S-1-5-21-3952311282-3270686217-2811382985-1000\Software\CyberLink\Common\claud\yberLink PD8\PowerDirector\P*9 *\PDR8]
"AuDsInterface"=dword:00000008
"AuHDMIMode"=dword:00000000
"AuDsDnmx"=dword:00000008
"AuDsDualMono"=dword:00000000
"AuDsDHMode"=dword:00000002
"AuDsDVSMode"=dword:00000005
"AuDsCLHMode"=dword:00000002
"AuDsCLVSMode"=dword:00000002
"AuDsTSOn"=dword:00000001
"AuDsFocusOn"=dword:00000001
"AuDsTBOn"=dword:00000001
"AuDsFocusLevel"=dword:00000005
"AuDsTBLevel"=dword:00000008
"AuDsSpkSize"=dword:00000001
"AuDsDTSS2SpeakWidth"=dword:0000000a
"AuDsDTSS2DialGain"=dword:00000000
"AuDsDTSS2BassRGain"=dword:00000000
"AuDsChanExpand"=dword:00000004
"AuDsPL2Mode"=dword:00000003
"AuDsPL2XPanorama"=dword:00000000
"AuDsPL2XCntrWidth"=dword:00000003
"AuDsMEIMode"=dword:00000014
"AuDsMEIVolFront"=dword:0000001e
"AuDsMEIVolRear"=dword:0000001e
"AuDsMEIVolCenter"=dword:0000001e
"AuDsMEIVolLFE"=dword:0000001e
"AuDsNeo6Mode"=dword:00000000
"AU_DRC_MODE"=dword:00000002
"LFEON"=dword:00000001
"AuDsCntrMix"=dword:00000000
.
[HKEY_USERS\S-1-5-21-3952311282-3270686217-2811382985-1000\Software\CyberLink\Common\claud\yberLink PD8\P*o*w*e*r*D*i*r*e*c*t* \PDR8]
"AuDsInterface"=dword:00000008
"AuHDMIMode"=dword:00000000
"AuDsDnmx"=dword:00000008
"AuDsDualMono"=dword:00000000
"AuDsDHMode"=dword:00000002
"AuDsDVSMode"=dword:00000005
"AuDsCLHMode"=dword:00000002
"AuDsCLVSMode"=dword:00000002
"AuDsTSOn"=dword:00000001
"AuDsFocusOn"=dword:00000001
"AuDsTBOn"=dword:00000001
"AuDsFocusLevel"=dword:00000005
"AuDsTBLevel"=dword:00000008
"AuDsSpkSize"=dword:00000001
"AuDsDTSS2SpeakWidth"=dword:0000000a
"AuDsDTSS2DialGain"=dword:00000000
"AuDsDTSS2BassRGain"=dword:00000000
"AuDsChanExpand"=dword:00000004
"AuDsPL2Mode"=dword:00000003
"AuDsPL2XPanorama"=dword:00000000
"AuDsPL2XCntrWidth"=dword:00000003
"AuDsMEIMode"=dword:00000014
"AuDsMEIVolFront"=dword:0000001e
"AuDsMEIVolRear"=dword:0000001e
"AuDsMEIVolCenter"=dword:0000001e
"AuDsMEIVolLFE"=dword:0000001e
"AuDsNeo6Mode"=dword:00000000
"AU_DRC_MODE"=dword:00000002
"LFEON"=dword:00000001
"AuDsCntrMix"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\13E4ECADC9B1CE008E87AC078D24AD3E\A4287689D68C38A4F8C37E8AB60EFA3D]
@DACL=(02 0000)
"PatchGUID"=""
"MediaCabinet"=""
"File"="_085742B0AA254FE28249C52D2D7A040F"
"ComponentVersion"="100.0.0.0"
"ProductVersion"="7.0.0"
"PatchSize"="0"
"PatchAttributes"="0"
"PatchSequence"="0"
"SharedComponent"="0"
"IsFullFile"="0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\23A912A2A082758DA5C00BF6A1746E7B\A4287689D68C38A4F8C37E8AB60EFA3D]
@DACL=(02 0000)
"PatchGUID"=""
"MediaCabinet"=""
"File"="_EC1CA8611CFD480088A21E7682C6DCC7"
"ComponentVersion"="100.0.0.0"
"ProductVersion"="7.0.0"
"PatchSize"="0"
"PatchAttributes"="0"
"PatchSequence"="0"
"SharedComponent"="0"
"IsFullFile"="0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\3700BE3FD0A3A8EC5847E42297A7D613\A4287689D68C38A4F8C37E8AB60EFA3D]
@DACL=(02 0000)
"PatchGUID"=""
"MediaCabinet"=""
"File"="_83872715E6364546B5048FE457997193"
"ComponentVersion"="100.0.0.0"
"ProductVersion"="7.0.0"
"PatchSize"="0"
"PatchAttributes"="0"
"PatchSequence"="0"
"SharedComponent"="0"
"IsFullFile"="0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\5E85D89A38458734F3227589B40B7782\A4287689D68C38A4F8C37E8AB60EFA3D]
@DACL=(02 0000)
"PatchGUID"=""
"MediaCabinet"=""
"File"="_4B248A8164944DCD8C25EB5F0DBEFCB8"
"ComponentVersion"="100.0.0.0"
"ProductVersion"="7.0.0"
"PatchSize"="0"
"PatchAttributes"="0"
"PatchSequence"="0"
"SharedComponent"="0"
"IsFullFile"="0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\6CDEB16487467ED4EC02A2D1661BF6FE\A4287689D68C38A4F8C37E8AB60EFA3D]
@DACL=(02 0000)
"PatchGUID"=""
"MediaCabinet"=""
"File"="_7E96D84B37CA48BC9687664158242F3A"
"ComponentVersion"="100.0.0.0"
"ProductVersion"="7.0.0"
"PatchSize"="0"
"PatchAttributes"="0"
"PatchSequence"="0"
"SharedComponent"="0"
"IsFullFile"="0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\7F86AC179D474AB2596F49005FCDB601\A4287689D68C38A4F8C37E8AB60EFA3D]
@DACL=(02 0000)
"PatchGUID"=""
"MediaCabinet"=""
"File"="_1CC9B7DEA775434C8B61FC6B49D961F2"
"ComponentVersion"="100.0.0.0"
"ProductVersion"="7.0.0"
"PatchSize"="0"
"PatchAttributes"="0"
"PatchSequence"="0"
"SharedComponent"="0"
"IsFullFile"="0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\83B5EA6023B8427B7B2862F947F8247A\A4287689D68C38A4F8C37E8AB60EFA3D]
@DACL=(02 0000)
"PatchGUID"=""
"MediaCabinet"=""
"File"="_8CAA40EF7A0143BDAB6DC8401985E629"
"ComponentVersion"="100.0.0.0"
"ProductVersion"="7.0.0"
"PatchSize"="0"
"PatchAttributes"="0"
"PatchSequence"="0"
"SharedComponent"="0"
"IsFullFile"="0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\B8BE940BCE9B4A66E0C73BBD86C4F751\A4287689D68C38A4F8C37E8AB60EFA3D]
@DACL=(02 0000)
"PatchGUID"=""
"MediaCabinet"=""
"File"="_F266FF3447AD40FDA3F3B8FF18BC47B2"
"ComponentVersion"="100.0.0.0"
"ProductVersion"="7.0.0"
"PatchSize"="0"
"PatchAttributes"="0"
"PatchSequence"="0"
"SharedComponent"="0"
"IsFullFile"="0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\C50B7CF4156CD2ABEA3B03ED957D92B7\A4287689D68C38A4F8C37E8AB60EFA3D]
@DACL=(02 0000)
"PatchGUID"=""
"MediaCabinet"=""
"File"="_8EB2EF0875E64D5CA0F1B6BF249440A0"
"ComponentVersion"="100.0.0.0"
"ProductVersion"="7.0.0"
"PatchSize"="0"
"PatchAttributes"="0"
"PatchSequence"="0"
"SharedComponent"="0"
"IsFullFile"="0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\C6425C0E4BCC6476F1C91FE39E325760\A4287689D68C38A4F8C37E8AB60EFA3D]
@DACL=(02 0000)
"PatchGUID"=""
"MediaCabinet"=""
"File"="_0EFB980BDFA242CC86DD8B4F12357AE7"
"ComponentVersion"="100.0.0.0"
"ProductVersion"="7.0.0"
"PatchSize"="0"
"PatchAttributes"="0"
"PatchSequence"="0"
"SharedComponent"="0"
"IsFullFile"="0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\CB71F54A36ACDEE5D329F24C34D3B5CB\A4287689D68C38A4F8C37E8AB60EFA3D]
@DACL=(02 0000)
"PatchGUID"=""
"MediaCabinet"=""
"File"="_C783F6346E1D4CCAA83B648553F277EF"
"ComponentVersion"="100.0.0.0"
"ProductVersion"="7.0.0"
"PatchSize"="0"
"PatchAttributes"="0"
"PatchSequence"="0"
"SharedComponent"="0"
"IsFullFile"="0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\CF2F662EEFEC901998E4C3A068B5519A\A4287689D68C38A4F8C37E8AB60EFA3D]
@DACL=(02 0000)
"PatchGUID"=""
"MediaCabinet"=""
"File"="_2C7757251EDF40B0BC3D4D566BBB68D5"
"ComponentVersion"="100.0.0.0"
"ProductVersion"="7.0.0"
"PatchSize"="0"
"PatchAttributes"="0"
"PatchSequence"="0"
"SharedComponent"="0"
"IsFullFile"="0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\F1C31A7E47AF1535CA90226029EA4A13\A4287689D68C38A4F8C37E8AB60EFA3D]
@DACL=(02 0000)
"PatchGUID"=""
"MediaCabinet"=""
"File"="_DB5392730B2A4EFA9047E4BCC4CF9B60"
"ComponentVersion"="100.0.0.0"
"ProductVersion"="7.0.0"
"PatchSize"="0"
"PatchAttributes"="0"
"PatchSequence"="0"
"SharedComponent"="0"
"IsFullFile"="0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\FA268A91897FEC97BF092CDBE996F6D4\A4287689D68C38A4F8C37E8AB60EFA3D]
@DACL=(02 0000)
"PatchGUID"=""
"MediaCabinet"=""
"File"="_8F55ACBE7A0B434E89114645DD6CFCD9"
"ComponentVersion"="100.0.0.0"
"ProductVersion"="7.0.0"
"PatchSize"="0"
"PatchAttributes"="0"
"PatchSequence"="0"
"SharedComponent"="0"
"IsFullFile"="0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe
c:\program files (x86)\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe
c:\program files (x86)\Canon\IJPLM\IJPLMSVC.EXE
c:\program files (x86)\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe
.
**************************************************************************
.
Completion time: 2012-03-31 12:44:27 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-31 16:44
.
Pre-Run: 258*629*705*728 bytes free
Post-Run: 258*434*527*232 bytes free
.
- - End Of File - - 7802875E83B85CFE6EE689C385660D0D

Broni · Mar 31, 2012

All looks clean to me.
Are you having any current issues?

rds11 · Mar 31, 2012

No, no current issues.
As I mentioned, Essentials caught and removed a few things in the past 2 days (most recently this morning), which never happened before.
The only strange thing that happened is the hard drive failure notice I received when I opened up my PC yesterday...here's UnHide log, first thing I ran yesterday :

UnHide

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 03/30/2012 06:00:53 PM
Windows Version: Windows 7

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 331748 files processed.

Restoring the Start Menu.
* 311 Shortcuts and Desktop items were restored.

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
* NoActiveDesktopChanges policy was found and deleted!
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* Start_TrackDocs was set to 0! It was set back to 1!
* Start_TrackProgs was set to 0! It was set back to 1!

Program finished at: 03/30/2012 06:15:55 PM
Execution time: 0 hours(s), 15 minute(s), and 1 seconds(s)

Let me know if you think of something else to check...
Thank you very much for your help !!

Broni · Mar 31, 2012

It looks you got hit with something but current logs indicate no infection being present.
You should be good to go.

Inactive Windows 7 restore virus/failed hard drive

rds11

Broni

Posts: 56,041 +516

rds11

Broni

Posts: 56,041 +516

rds11

Broni

Posts: 56,041 +516

rds11

Broni

Posts: 56,041 +516

rds11

Broni

Posts: 56,041 +516

Similar threads

Latest posts