Topic: [Resolved K] RootkitRevealer found a rootkit

Offline willynilly

  • Bronze Member
  • Posts: 60
[Resolved K] RootkitRevealer found a rootkit
« on: April 28, 2012, 11:02:58 AM »
Hello,
I am a returning victim; Steve (I believe) helped me about 2 years ago, hope he can do it again.
System was running OK, but I noticed small things, like the system would hang trying to shut down, so I ran RootkitRevealer. It couldn't display its screen, and there were other problems: I was put into a light blue screen and saw RootkitRevealer output which was full of bad things.
Here are the two DDS files, hope you can help me. I have the same problem on both my laptop machines, by the way.

======= DDS.txt file =======
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 10.3.1
Run by Jay at 12:44:04 on 2012-04-28
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3327.1673 [GMT -4:00]
.
AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\AsusService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\D-Link\SharePort Utility\Spnuhelper.exe
C:\Program Files\Norton 360\Engine\6.2.0.9\ccSvcHst.exe
C:\Program Files\Asus\Game Park\GameConsole\OberonGameConsoleService.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\PelService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\vmnat.exe
C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Norton 360\Engine\6.2.0.9\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\WizMouse\WizMouse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
C:\Program Files\ASUS\LivCam\LivCam.exe
C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\EeePC\SHE\SuperHybridEngine.exe
C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\PDF24\pdf24.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\FSRremoS.EXE
C:\Program Files\Lenovo\Lenovo Mouse Suite\Pelmiced.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\PelElvDm.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\6.2.0.9\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\6.2.0.9\ips\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.0 runtime\bin\jp2ssv.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\6.2.0.9\coIEPlg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll"
uRun: [Google Update] "c:\users\jay\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [HotkeyMon] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotKeyMon.exe
mRun: [HotkeyService] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotkeyService.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [SuperHybridEngine] AsusSender.exe c:\program files\eeepc\she\SuperHybridEngine.exe
mRun: [LivCam] "c:\program files\asus\livcam\LivCam.exe"
mRun: [LiveUpdate] AsusSender.exe c:\program files\asus\liveupdate\LiveUpdate.exe auto
mRun: [SynAsusAcpi] %ProgramFiles%\Synaptics\SynTP\SynAsusAcpi.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [Daemon for Mouse Suite] c:\program files\lenovo\lenovo mouse suite\ICO.EXE 60
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [PDFPrint] c:\program files\pdf24\pdf24.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\jay\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{BC4AA0A3-C68E-4DA7-80EB-3F3546A31A9B} : DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{E9C4B26F-5720-4C5D-B980-145E50CDA85E} : DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{E9C4B26F-5720-4C5D-B980-145E50CDA85E}\35072796E6768496C6C602355796475637 : DhcpNameServer = 24.25.5.60 24.25.5.61
TCP: Interfaces\{E9C4B26F-5720-4C5D-B980-145E50CDA85E}\46C696E6B6 : DhcpNameServer = 192.168.1.254
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jay\appdata\roaming\mozilla\firefox\profiles\n5jmtqjl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.0 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\users\jay\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0602000.009\symds.sys [2012-4-23 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0602000.009\symefa.sys [2012-4-23 905336]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2009-7-5 11832]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\bashdefs\20120413.001\BHDrvx86.sys [2012-4-21 821880]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\n360\0602000.009\ccsetx86.sys [2012-4-23 132744]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\ipsdefs\20120427.001\IDSvix86.sys [2012-4-28 368248]
R1 pelmoubt;Mouse Suite Bluetooth Driver;c:\windows\system32\drivers\PELMOUBT.SYS [2011-9-21 18432]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0602000.009\ironx86.sys [2012-4-23 149624]
R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\n360\0602000.009\symnets.sys [2012-4-23 318584]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AsusService;Asus Launcher Service;c:\windows\system32\AsusService.exe [2010-9-10 219136]
R2 D-Link SharePort Helper;D-Link SharePort Helper;c:\program files\d-link\shareport utility\Spnuhelper.exe [2010-11-14 40960]
R2 N360;Norton 360;c:\program files\norton 360\engine\6.2.0.9\ccsvchst.exe [2012-4-23 138232]
R2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\asus\game park\gameconsole\OberonGameConsoleService.exe [2010-9-10 44312]
R2 PelService;Session Launcher Service;c:\program files\lenovo\lenovo mouse suite\PelService.exe [2011-9-21 184320]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2011-9-23 539248]
R2 vmware-converter-agent;VMware vCenter Converter Standalone Agent;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter-a.exe [2011-8-19 423536]
R2 vmware-converter-server;VMware vCenter Converter Standalone Server;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter.exe [2011-8-19 423536]
R2 vmware-converter-worker;VMware vCenter Converter Standalone Worker;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter.exe [2011-8-19 423536]
R2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);c:\windows\system32\drivers\vstor2-mntapi10-shared.sys [2011-7-12 22768]
R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2011-9-20 43944]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-9-20 29472]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-3-4 106104]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2010-9-10 51712]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-9-10 66592]
R3 pelbtm;Bluetooth Mouse Filter Driver;c:\windows\system32\drivers\PELBTM.SYS [2011-9-21 13312]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-1-29 997408]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2010-11-14 247304]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-6 253088]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [2011-3-15 54384]
S3 GEKB;GEKB;c:\users\jay\appdata\local\temp\gekb.exe --> c:\users\jay\appdata\local\temp\GEKB.exe [?]
S3 MEMOQDRV;MemoQ Voice Recorder;c:\windows\system32\drivers\memoqdrv.sys [2012-1-14 25664]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-1 129976]
S3 NNI;NNI;c:\users\jay\appdata\local\temp\NNI.exe [2012-4-28 379776]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-11 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-10 1343400]
S4 RKSNCKM;RKSNCKM;c:\users\jay\appdata\local\temp\rksnckm.exe --> c:\users\jay\appdata\local\temp\RKSNCKM.exe [?]
S4 ZZSJBAURSRWCQ;ZZSJBAURSRWCQ;c:\users\jay\appdata\local\temp\zzsjbaursrwcq.exe --> c:\users\jay\appdata\local\temp\ZZSJBAURSRWCQ.exe [?]
.
=============== Created Last 30 ================
.
2012-04-23 23:00:21   905336   ----a-r-   c:\windows\system32\drivers\n360\0602000.009\symefa.sys
2012-04-23 23:00:21   574072   ----a-w-   c:\windows\system32\drivers\n360\0602000.009\srtsp.sys
2012-04-23 23:00:21   340088   ----a-r-   c:\windows\system32\drivers\n360\0602000.009\symds.sys
2012-04-23 23:00:21   32888   ----a-w-   c:\windows\system32\drivers\n360\0602000.009\srtspx.sys
2012-04-23 23:00:21   318584   ----a-r-   c:\windows\system32\drivers\n360\0602000.009\symnets.sys
2012-04-23 23:00:21   149624   ----a-r-   c:\windows\system32\drivers\n360\0602000.009\ironx86.sys
2012-04-23 23:00:21   132744   ----a-r-   c:\windows\system32\drivers\n360\0602000.009\ccsetx86.sys
2012-04-23 23:00:09   4782   ----a-w-   c:\windows\system32\drivers\n360\0602000.009\symvtcer.dat
2012-04-23 23:00:09   --------   d-----w-   c:\windows\system32\drivers\n360\0602000.009
2012-04-22 14:18:27   35960   ----a-r-   c:\windows\system32\drivers\SymIMV.sys
2012-04-22 01:40:24   5120   ----a-w-   c:\windows\system32\wmi.dll
2012-04-22 01:40:24   19824   ----a-w-   c:\windows\system32\drivers\fs_rec.sys
2012-04-22 01:40:24   172544   ----a-w-   c:\windows\system32\wintrust.dll
2012-04-22 01:40:24   159232   ----a-w-   c:\windows\system32\imagehlp.dll
2012-04-22 01:40:05   3968368   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2012-04-22 01:40:04   3913072   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-04-06 19:42:36   418464   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-04-01 21:11:08   --------   d-----w-   c:\program files\Mozilla Maintenance Service
2012-04-01 21:11:02   157352   ----a-w-   c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-04-01 21:11:02   129976   ----a-w-   c:\program files\mozilla firefox\maintenanceservice.exe
.
==================== Find3M  ====================
.
2012-04-21 18:50:18   70304   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56:40   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-03-24 18:02:03   141944   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2012-02-28 01:18:55   1799168   ----a-w-   c:\windows\system32\jscript9.dll
2012-02-28 01:11:21   1427456   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07   1127424   ----a-w-   c:\windows\system32\wininet.dll
2012-02-28 01:03:16   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2012-02-17 05:34:22   826880   ----a-w-   c:\windows\system32\rdpcore.dll
2012-02-17 04:14:08   183808   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13:22   24576   ----a-w-   c:\windows\system32\drivers\tdtcp.sys
2012-02-12 02:35:17   231760   ----a-w-   c:\windows\system32\drivers\truecrypt.sys
2012-02-10 05:38:43   1077248   ----a-w-   c:\windows\system32\DWrite.dll
2012-02-03 03:54:27   2343424   ----a-w-   c:\windows\system32\win32k.sys
2006-05-03 16:06:54   163328   --sha-r-   c:\windows\system32\flvDX.dll
2007-02-21 17:47:16   31232   --sha-r-   c:\windows\system32\msfDX.dll
2008-03-16 19:30:52   216064   --sha-r-   c:\windows\system32\nbDX.dll
2010-01-07 04:00:00   107520   --sha-r-   c:\windows\system32\TAKDSDecoder.dll
.
============= FINISH: 12:45:41.75 ===============


======= Attach.txt file ======
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 9/10/2010 2:11:17 PM
System Uptime: 4/28/2012 9:22:29 AM (3 hours ago)
.
Motherboard: ASUSTeK Computer INC. |  | 1201N
Processor: Intel(R) Atom(TM) CPU  330   @ 1.60GHz | CPU 1 | 1600/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 100 GiB total, 21.361 GiB free.
D: is FIXED (NTFS) - 366 GiB total, 55.274 GiB free.
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
7-Zip 9.20
AC3Filter 1.63b
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.1 MUI
AoA Video Joiner
Aspell English Dictionary-0.50-2
ASUS VIBE
ASUSUpdate for Eee PC
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
Auslogics Disk Defrag
Avi2Dvd 0.6.1
AviSynth 2.5
Bing Bar
CCleaner
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Comcast Desktop Software (v1.2.0.9)
CoreAAC Audio Decoder (remove only)
CyberLink YouCam
Duplicate Cleaner 2.1b
EeeSplendid
Eraser 6.0.8.2273
ExamDiff 1.9 (Build 1.9.0.1)
ffdshow [rev 3299] [2010-03-03]
FontResizer
Game Park Console
GNU Aspell 0.50-3
Google Chrome
Haali Media Splitter
HiJackThis
Hotkey Service
Java Auto Updater
Java DB 10.5.3.0
Java(TM) 7 Update 3
Java(TM) SE Development Kit 7 Update 3
JavaFX 2.0.3
JavaFX 2.0.3 SDK
Lenovo Mouse Suite
LivCam
LiveUpdate
Malwarebytes Anti-Malware version 1.61.0.1400
MemoQ Driver Installer
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
Norton 360
Notepad++
NVIDIA Drivers
OpenOffice.org 3.3
PDF24 Creator 4.1.2
Polipo 1.0.4.1
PuTTY version 0.62
Realtek High Definition Audio Driver
REALTEK Wireless LAN Driver
ReNamer
SeaTools for Windows
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
SharePort Utility
Speccy
SRS Premium Sound Control Panel
SUPER © v2011.build.49 (July 1st, 2011) version v2011.build.49
Super Hybrid Engine
Synaptics Pointing Device Driver
TextCrawler 2.2
tools-freebsd
tools-linux
tools-netware
tools-solaris
tools-windows
tools-winPre2k
Tor 0.2.2.35
TrueCrypt
Unlocker 1.9.1
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Vidalia 0.2.15
VLC media player 2.0.1
VMware vCenter Converter Standalone
VMware Workstation
WIDCOMM Bluetooth Software
Windows Driver Package - Broadcom Bluetooth  (07/17/2009 6.2.0.9403)
Windows Driver Package - Broadcom Bluetooth  (07/29/2009 6.1.7100.0)
Windows Driver Package - Broadcom HIDClass  (07/28/2009 6.2.0.9800)
Windows Live ID Sign-in Assistant
WinMerge 2.12.4
WizMouse v1.6.0.2
Xvid 1.2.2 final uninstall
.
==== Event Viewer Messages From Past Week ========
.
4/28/2012 9:22:59 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  cdrom
4/28/2012 8:14:31 AM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the NNI service to connect.
4/28/2012 8:14:31 AM, Error: Service Control Manager [7000]  - The NNI service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
4/28/2012 8:14:00 AM, Error: Service Control Manager [7030]  - The NNI service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
4/22/2012 8:53:27 AM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk1\DR1.
4/22/2012 1:31:27 PM, Error: volsnap [36]  - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
4/21/2012 9:37:27 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
4/21/2012 6:58:53 PM, Error: ACPI [13]  - : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.
4/21/2012 10:52:14 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
.
==== End Of File ===========================
« Last Edit: May 13, 2012, 03:54:53 AM by kevinf80 »



Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6366
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #1 on: April 28, 2012, 11:18:37 AM »
Hello willynilly and welcome to SpywareHammer,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.

  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin. Go Here and follow the instructions specific for your operating system.
  • If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.
  • If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire etc etc, please uninstall them before we begin.
  • If you are using Cracked or Illegal software your thread will be locked and all help will cease.

Please proceed as follows :-

Download aswMBR from Here
If it asks to update during the process please allow this to happen.

  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Ensure Quick scan is selected, then select the Scan button to start the scan as illustrated below


Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

  • Once the scan finishes click Save log to save the log to your Desktop.
  • Copy and paste the contents of aswMBR.txt back here for review


Kevin

Offline willynilly

  • Bronze Member
  • Posts: 60
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #2 on: April 28, 2012, 11:53:19 AM »
Hi Kevin,

Glad you are still on the job here.  Sorry, I don't know why the name Steve came to mind, maybe because of the same number of letters.

Here is the output file.  And thanks for your quick assistance again.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-28 13:30:03
-----------------------------
13:30:03.043    OS Version: Windows 6.1.7601 Service Pack 1
13:30:03.043    Number of processors: 4 586 0x1C02
13:30:03.043    ComputerName: GIZMO3  UserName: Jay
13:30:05.601    Initialize success
13:31:50.943    AVAST engine defs: 12042801
13:31:55.108    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
13:31:55.139    Disk 0 Vendor: ST95005620AS SD28 Size: 476940MB BusType: 3
13:31:55.155    Disk 0 MBR read successfully
13:31:55.155    Disk 0 MBR scan
13:31:55.170    Disk 0 unknown MBR code
13:31:55.186    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS       102400 MB offset 2048
13:31:55.202    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       374537 MB offset 209717248
13:31:55.217    Disk 0 scanning sectors +976769024
13:31:55.248    Disk 0 scanning C:\Windows\system32\drivers
13:32:13.812    Service scanning
13:32:52.095    Modules scanning
13:33:10.113    Disk 0 trace - called modules:
13:33:10.144    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
13:33:10.690    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865e7030]
13:33:10.706    3 CLASSPNP.SYS[8c38259e] -> nt!IofCallDriver -> [0x864b7930]
13:33:10.737    5 ACPI.sys[8bcc73d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x857ac610]
13:33:12.016    AVAST engine scan C:\Windows
13:33:15.354    AVAST engine scan C:\Windows\system32
13:38:52.876    AVAST engine scan C:\Windows\system32\drivers
13:39:18.554    AVAST engine scan C:\Users\Jay
13:48:48.578    AVAST engine scan C:\ProgramData
13:49:45.892    Scan finished successfully
13:50:20.040    Disk 0 MBR has been saved successfully to "C:\Users\Jay\Desktop\MBR.dat"
13:50:20.056    The log file has been saved successfully to "C:\Users\Jay\Desktop\aswMBR.txt"



Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6366
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #3 on: April 28, 2012, 12:29:19 PM »
Thanks for the log, yep I'm still here doing my bit for society.. lol

I note you mention two laptops having the same issues. Whilst we work on this one, disconnect the other if they are networked together...

Do the following:

Please download OTM by OldTimer.
Alternative Mirror 1
Alternative Mirror 2 
Save it to your desktop.
Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator. Be aware all processes will be stopped during the run, also the Desktop will disappear; this will be put back on completion....
  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Services
RKSNCKM
ZZSJBAURSRWCQ
:Files
ipconfig /flushdns /c
c:\users\jay\appdata\local\temp\ZZSJBAURSRWCQ.exe
c:\users\jay\appdata\local\temp\RKSNCKM.exe
:Commands
[EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Next,

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Let me see those two logs...

Kevin

Offline willynilly

  • Bronze Member
  • Posts: 60
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #4 on: April 28, 2012, 12:56:26 PM »
Hi Kevin,

Both machines are connected on the same network; I turned the other one off (don't want two things biting at me at the same time :-)

The two logs follow:

All processes killed
========== SERVICES/DRIVERS ==========
Service RKSNCKM stopped successfully!
Service RKSNCKM deleted successfully!
Service ZZSJBAURSRWCQ stopped successfully!
Service ZZSJBAURSRWCQ deleted successfully!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Jay\Desktop\cmd.bat deleted successfully.
C:\Users\Jay\Desktop\cmd.txt deleted successfully.
File/Folder c:\users\jay\appdata\local\temp\ZZSJBAURSRWCQ.exe not found.
File/Folder c:\users\jay\appdata\local\temp\RKSNCKM.exe not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Jay
->Temp folder emptied: 56188588 bytes
->Temporary Internet Files folder emptied: 87227818 bytes
->Java cache emptied: 168107 bytes
->FireFox cache emptied: 739692812 bytes
->Google Chrome cache emptied: 393293538 bytes
->Flash cache emptied: 41787 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10787234 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 1,228.00 mb
 
 
OTM by OldTimer - Version 3.1.19.0 log created on 04282012_143618

Files moved on Reboot...
C:\Windows\temp\vmware-SYSTEM\vmware-usbarb-SYSTEM-1264.log moved successfully.

Registry entries deleted on Reboot...

===============================================


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.28.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Jay :: GIZMO3 [administrator]

4/28/2012 2:46:32 PM
mbam-log-2012-04-28 (14-46-32).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 190570
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6366
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #5 on: April 28, 2012, 01:20:59 PM »
I want you to re-run OTM again,

Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator. Be aware all processes will be stopped during the run, and the Desktop will disappear; this will be put back on completion....
  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
:Services
GEKB
:Files
ipconfig /flushdns /c
c:\users\jay\appdata\local\temp\GEKB.exe
:Commands
[EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Give me an update on issues/concerns with this system...

Kevin

Offline willynilly

  • Bronze Member
  • Posts: 60
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #6 on: April 28, 2012, 01:38:39 PM »
Hi again Kevin,

I downloaded the OTM from the second alternate site and ran that one, and also re-ran Malwarebytes for safety's sake. Here are the results:

===============================================

All processes killed
========== SERVICES/DRIVERS ==========
Error: No service named RKSNCKM was found to stop!
Service\Driver key RKSNCKM not found.
Error: No service named ZZSJBAURSRWCQ was found to stop!
Service\Driver key ZZSJBAURSRWCQ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Jay\Desktop\cmd.bat deleted successfully.
C:\Users\Jay\Desktop\cmd.txt deleted successfully.
File/Folder c:\users\jay\appdata\local\temp\ZZSJBAURSRWCQ.exe not found.
File/Folder c:\users\jay\appdata\local\temp\RKSNCKM.exe not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Jay
->Temp folder emptied: 5082 bytes
->Temporary Internet Files folder emptied: 1716253 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3384 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 2.00 mb
 
 
OTM by OldTimer - Version 3.1.19.0 log created on 04282012_152502

Files moved on Reboot...
C:\Windows\temp\vmware-SYSTEM\vmware-usbarb-SYSTEM-504.log moved successfully.

Registry entries deleted on Reboot...

===============================================

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.28.05

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Jay :: GIZMO3 [administrator]

4/28/2012 3:30:08 PM
mbam-log-2012-04-28 (15-30-08).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 190352
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6366
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #7 on: April 28, 2012, 01:56:55 PM »
Read my reply #5 again, you have not done what was asked, you've run OTM exactly as you did the first time... :sd

Offline willynilly

  • Bronze Member
  • Posts: 60
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #8 on: April 28, 2012, 02:20:41 PM »
Hi Kevin,

Very sorry, I must have scrolled past reply #5 up to your earlier reply and copied the same code box. I stepped more carefully and believe I have run the right code this time. This time the GEKB service was deleted.

===============================================

All processes killed
========== SERVICES/DRIVERS ==========
Service GEKB stopped successfully!
Service GEKB deleted successfully!
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Jay\Desktop\cmd.bat deleted successfully.
C:\Users\Jay\Desktop\cmd.txt deleted successfully.
File/Folder c:\users\jay\appdata\local\temp\GEKB.exe not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Jay
->Temp folder emptied: 605811 bytes
->Temporary Internet Files folder emptied: 1041805 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4047 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 2.00 mb
 
 
OTM by OldTimer - Version 3.1.19.0 log created on 04282012_160814

Files moved on Reboot...
C:\Windows\temp\vmware-SYSTEM\vmware-usbarb-SYSTEM-584.log moved successfully.

Registry entries deleted on Reboot...

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6366
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #9 on: April 28, 2012, 02:35:26 PM »
How is your system responding, what issues remain...

Offline willynilly

  • Bronze Member
  • Posts: 60
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #10 on: April 28, 2012, 03:10:51 PM »
Hi Kevin,

I have been trying to follow you along (to help myself learn something about these problems).
It seems that the user\appdata\local\temp directory isn't a place where legitimate Windows services should live.

So from the DDS report, I see these 4 services:

S3 GEKB;GEKB;c:\users\jay\appdata\local\temp\gekb.exe --> c:\users\jay\appdata\local\temp\GEKB.exe [?]

S3 NNI;NNI;c:\users\jay\appdata\local\temp\NNI.exe [2012-4-28 379776]

S4 RKSNCKM;RKSNCKM;c:\users\jay\appdata\local\temp\rksnckm.exe --> c:\users\jay\appdata\local\temp\RKSNCKM.exe [?]
S4 ZZSJBAURSRWCQ;ZZSJBAURSRWCQ;c:\users\jay\appdata\local\temp\zzsjbaursrwcq.exe --> c:\users\jay\appdata\local\temp\ZZSJBAURSRWCQ.exe [?]

We got rid of the last 2 (RKSNCKM and ZZSJBAURSRWCQ) in the first OTM, now we have gotten rid of the first one (GEKB) in the second OTM, so I am thinking we will remove the last one (NNI) as the last step.

I ran another DDS report and I see new services running from my appdata\local\temp? I am confused about what I thought I figured out. Please help me understand this.

===============================================

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 10.3.1
Run by Jay at 17:06:38 on 2012-04-28
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3327.1922 [GMT -4:00]
.
AV: Norton 360 *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton 360 *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\AsusService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\D-Link\SharePort Utility\Spnuhelper.exe
C:\Program Files\Norton 360\Engine\6.2.0.9\ccSvcHst.exe
C:\Program Files\Asus\Game Park\GameConsole\OberonGameConsoleService.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\PelService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\vmnat.exe
C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
C:\Program Files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\Norton 360\Engine\6.2.0.9\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\WizMouse\WizMouse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
C:\Program Files\ASUS\LivCam\LivCam.exe
C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
C:\Program Files\EeePC\SHE\SuperHybridEngine.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\PDF24\pdf24.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\FSRremoS.EXE
C:\Program Files\Lenovo\Lenovo Mouse Suite\Pelmiced.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\PelElvDm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\6.2.0.9\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\6.2.0.9\ips\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.0 runtime\bin\jp2ssv.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\6.2.0.9\coIEPlg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll"
uRun: [Google Update] "c:\users\jay\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [HotkeyMon] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotKeyMon.exe
mRun: [HotkeyService] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotkeyService.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [SuperHybridEngine] AsusSender.exe c:\program files\eeepc\she\SuperHybridEngine.exe
mRun: [LivCam] "c:\program files\asus\livcam\LivCam.exe"
mRun: [LiveUpdate] AsusSender.exe c:\program files\asus\liveupdate\LiveUpdate.exe auto
mRun: [SynAsusAcpi] %ProgramFiles%\Synaptics\SynTP\SynAsusAcpi.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [Daemon for Mouse Suite] c:\program files\lenovo\lenovo mouse suite\ICO.EXE 60
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [vmware-tray] "c:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [PDFPrint] c:\program files\pdf24\pdf24.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\jay\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{BC4AA0A3-C68E-4DA7-80EB-3F3546A31A9B} : DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{E9C4B26F-5720-4C5D-B980-145E50CDA85E} : DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{E9C4B26F-5720-4C5D-B980-145E50CDA85E}\35072796E6768496C6C602355796475637 : DhcpNameServer = 24.25.5.60 24.25.5.61
TCP: Interfaces\{E9C4B26F-5720-4C5D-B980-145E50CDA85E}\46C696E6B6 : DhcpNameServer = 192.168.1.254
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jay\appdata\roaming\mozilla\firefox\profiles\n5jmtqjl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.0 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\users\jay\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0602000.009\symds.sys [2012-4-23 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0602000.009\symefa.sys [2012-4-23 905336]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2009-7-5 11832]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\bashdefs\20120413.001\BHDrvx86.sys [2012-4-21 821880]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\n360\0602000.009\ccsetx86.sys [2012-4-23 132744]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\ipsdefs\20120427.001\IDSvix86.sys [2012-4-28 368248]
R1 pelmoubt;Mouse Suite Bluetooth Driver;c:\windows\system32\drivers\PELMOUBT.SYS [2011-9-21 18432]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0602000.009\ironx86.sys [2012-4-23 149624]
R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\n360\0602000.009\symnets.sys [2012-4-23 318584]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AsusService;Asus Launcher Service;c:\windows\system32\AsusService.exe [2010-9-10 219136]
R2 D-Link SharePort Helper;D-Link SharePort Helper;c:\program files\d-link\shareport utility\Spnuhelper.exe [2010-11-14 40960]
R2 N360;Norton 360;c:\program files\norton 360\engine\6.2.0.9\ccsvchst.exe [2012-4-23 138232]
R2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\asus\game park\gameconsole\OberonGameConsoleService.exe [2010-9-10 44312]
R2 PelService;Session Launcher Service;c:\program files\lenovo\lenovo mouse suite\PelService.exe [2011-9-21 184320]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2011-9-23 539248]
R2 vmware-converter-agent;VMware vCenter Converter Standalone Agent;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter-a.exe [2011-8-19 423536]
R2 vmware-converter-server;VMware vCenter Converter Standalone Server;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter.exe [2011-8-19 423536]
R2 vmware-converter-worker;VMware vCenter Converter Standalone Worker;c:\program files\vmware\vmware vcenter converter standalone\vmware-converter.exe [2011-8-19 423536]
R2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);c:\windows\system32\drivers\vstor2-mntapi10-shared.sys [2011-7-12 22768]
R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2011-9-20 43944]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-9-20 29472]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-3-4 106104]
R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2010-9-10 51712]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-9-10 66592]
R3 pelbtm;Bluetooth Mouse Filter Driver;c:\windows\system32\drivers\PELBTM.SYS [2011-9-21 13312]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-1-29 997408]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2010-11-14 247304]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-6 253088]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [2011-3-15 54384]
S3 ILPUTXJWWD;ILPUTXJWWD;c:\users\jay\appdata\local\temp\ilputxjwwd.exe --> c:\users\jay\appdata\local\temp\ILPUTXJWWD.exe [?]
S3 MEMOQDRV;MemoQ Voice Recorder;c:\windows\system32\drivers\memoqdrv.sys [2012-1-14 25664]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-1 129976]
S3 NNI;NNI;c:\users\jay\appdata\local\temp\nni.exe --> c:\users\jay\appdata\local\temp\NNI.exe [?]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-11 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-10 1343400]
.
=============== Created Last 30 ================
.
2012-04-28 18:36:18   --------   d-----w-   C:\_OTM
2012-04-23 23:00:21   905336   ----a-r-   c:\windows\system32\drivers\n360\0602000.009\symefa.sys
2012-04-23 23:00:21   574072   ----a-w-   c:\windows\system32\drivers\n360\0602000.009\srtsp.sys
2012-04-23 23:00:21   340088   ----a-r-   c:\windows\system32\drivers\n360\0602000.009\symds.sys
2012-04-23 23:00:21   32888   ----a-w-   c:\windows\system32\drivers\n360\0602000.009\srtspx.sys
2012-04-23 23:00:21   318584   ----a-r-   c:\windows\system32\drivers\n360\0602000.009\symnets.sys
2012-04-23 23:00:21   149624   ----a-r-   c:\windows\system32\drivers\n360\0602000.009\ironx86.sys
2012-04-23 23:00:21   132744   ----a-r-   c:\windows\system32\drivers\n360\0602000.009\ccsetx86.sys
2012-04-23 23:00:09   4782   ----a-w-   c:\windows\system32\drivers\n360\0602000.009\symvtcer.dat
2012-04-23 23:00:09   --------   d-----w-   c:\windows\system32\drivers\n360\0602000.009
2012-04-22 14:18:27   35960   ----a-r-   c:\windows\system32\drivers\SymIMV.sys
2012-04-22 01:40:24   5120   ----a-w-   c:\windows\system32\wmi.dll
2012-04-22 01:40:24   19824   ----a-w-   c:\windows\system32\drivers\fs_rec.sys
2012-04-22 01:40:24   172544   ----a-w-   c:\windows\system32\wintrust.dll
2012-04-22 01:40:24   159232   ----a-w-   c:\windows\system32\imagehlp.dll
2012-04-22 01:40:05   3968368   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2012-04-22 01:40:04   3913072   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-04-06 19:42:36   418464   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-04-01 21:11:08   --------   d-----w-   c:\program files\Mozilla Maintenance Service
2012-04-01 21:11:02   157352   ----a-w-   c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-04-01 21:11:02   129976   ----a-w-   c:\program files\mozilla firefox\maintenanceservice.exe
.
==================== Find3M  ====================
.
2012-04-21 18:50:18   70304   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56:40   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-03-24 18:02:03   141944   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2012-02-28 01:18:55   1799168   ----a-w-   c:\windows\system32\jscript9.dll
2012-02-28 01:11:21   1427456   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07   1127424   ----a-w-   c:\windows\system32\wininet.dll
2012-02-28 01:03:16   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2012-02-17 05:34:22   826880   ----a-w-   c:\windows\system32\rdpcore.dll
2012-02-17 04:14:08   183808   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13:22   24576   ----a-w-   c:\windows\system32\drivers\tdtcp.sys
2012-02-12 02:35:17   231760   ----a-w-   c:\windows\system32\drivers\truecrypt.sys
2012-02-10 05:38:43   1077248   ----a-w-   c:\windows\system32\DWrite.dll
2012-02-03 03:54:27   2343424   ----a-w-   c:\windows\system32\win32k.sys
2006-05-03 16:06:54   163328   --sha-r-   c:\windows\system32\flvDX.dll
2007-02-21 17:47:16   31232   --sha-r-   c:\windows\system32\msfDX.dll
2008-03-16 19:30:52   216064   --sha-r-   c:\windows\system32\nbDX.dll
2010-01-07 04:00:00   107520   --sha-r-   c:\windows\system32\TAKDSDecoder.dll
.
============= FINISH: 17:07:50.07 ===============
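A small checker for the reasoning in this post, added here as an example and not part of the thread or of the DDS/OTM tools: it parses DDS "SERVICES / DRIVERS" lines, flags services whose image lives under a user's appdata\local\temp, and reports which flagged names appeared or vanished between two runs. The two sample logs are constructed from the line format shown on this page.

```python
"""Flag DDS service entries whose image path is under a user's local temp
directory, and compare two runs.  Added example; the sample log lines are
constructed to mirror the DDS format used in this thread."""
import re
from typing import Dict, List, NamedTuple, Optional

# DDS service line: "<state> <name>;<display name>;<image path> [<date> <size>]"
# When the image is missing on disk DDS prints "<lowercased path> --> <path> [?]".
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
# Any path under c:\users\<user>\appdata\local\temp\ (case-insensitive).
SUSPECT_DIR_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


class Service(NamedTuple):
    state: str
    name: str
    image: str
    missing: bool  # True when DDS printed "[?]" (file not present on disk)


def parse_service_line(line: str) -> Optional[Service]:
    """Return a Service for a DDS service/driver line, or None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]")
    rest = re.sub(r"\s*\[[^\]]*\]$", "", rest)   # drop trailing "[date size]" / "[?]"
    image = rest.split("-->")[-1].strip()        # keep the resolved path after "-->"
    return Service(m.group("state"), m.group("name"), image, missing)


def suspicious_services(log_text: str) -> List[Service]:
    """Services whose image path is inside a user's local temp directory."""
    return [
        svc
        for svc in map(parse_service_line, log_text.splitlines())
        if svc is not None and SUSPECT_DIR_RE.search(svc.image)
    ]


def compare_logs(old_log: str, new_log: str) -> Dict[str, List[str]]:
    """Flagged service names that appeared ('new') or disappeared ('gone')
    between two DDS runs; a steady stream of new random names points to
    something on the box still creating them."""
    old = {s.name for s in suspicious_services(old_log)}
    new = {s.name for s in suspicious_services(new_log)}
    return {"new": sorted(new - old), "gone": sorted(old - new)}


# Constructed sample logs in DDS format (names taken from this thread).
FIRST_LOG = r"""
R2 AsusService;Asus Launcher Service;c:\windows\system32\AsusService.exe [2010-9-10 219136]
S3 GEKB;GEKB;c:\users\jay\appdata\local\temp\gekb.exe --> c:\users\jay\appdata\local\temp\GEKB.exe [?]
S3 NNI;NNI;c:\users\jay\appdata\local\temp\NNI.exe [2012-4-28 379776]
S4 RKSNCKM;RKSNCKM;c:\users\jay\appdata\local\temp\rksnckm.exe --> c:\users\jay\appdata\local\temp\RKSNCKM.exe [?]
S4 ZZSJBAURSRWCQ;ZZSJBAURSRWCQ;c:\users\jay\appdata\local\temp\zzsjbaursrwcq.exe --> c:\users\jay\appdata\local\temp\ZZSJBAURSRWCQ.exe [?]
"""
SECOND_LOG = r"""
R2 AsusService;Asus Launcher Service;c:\windows\system32\AsusService.exe [2010-9-10 219136]
S3 ILPUTXJWWD;ILPUTXJWWD;c:\users\jay\appdata\local\temp\ilputxjwwd.exe --> c:\users\jay\appdata\local\temp\ILPUTXJWWD.exe [?]
S3 NNI;NNI;c:\users\jay\appdata\local\temp\nni.exe --> c:\users\jay\appdata\local\temp\NNI.exe [?]
"""

if __name__ == "__main__":
    for svc in suspicious_services(SECOND_LOG):
        flag = "missing on disk" if svc.missing else "present"
        print(f"{svc.state} {svc.name:<14} {svc.image} ({flag})")
    print(compare_logs(FIRST_LOG, SECOND_LOG))
```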
Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6366
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #11 on: April 28, 2012, 03:56:01 PM »
Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

Link 1
Link 2

  • Ensure that Combofix is saved directly to the Desktop <--- Very important

  • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.

  • Close any open browsers and any other programs you might have running
  • Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")

  • Instructions for running Combofix available Here if required.

  • If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Kevin

OK, I`d like to have another try at running Combofix, as follows please :-

Delete any version of ComboFix you have on your Desktop.  Download a fresh copy from either of the following links:

Link 1
Link 2

Before you save it to the Desktop, make sure to rename it to sega.com

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and type this command exactly as shown or use copy/paste:

"%userprofile%\desktop\sega.com" /killall /nombr Tap enter or select OK.

See if it will run successfully now. Stop it after half an hour of no activity.

Post the log in next reply,

Kevin

Offline willynilly

  • Bronze Member
  • Posts: 60
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #12 on: April 28, 2012, 04:50:38 PM »
Kevin,

I have run Combofix once, according to the first part of your instructions.  The second part of the instructions seemed to be a second note, that I wasn't sure applied to me.  I am happy to run Combofix a second time using the second part of the instructions if you wish.

The Combofix ran to completion and produced a report which outlined some deletes it had done.  It did not reboot my system.

One odd thing: on step 50, a small window appeared saying "pex.#XE had stopped working" and that I had to click cancel or search for a solution; I chose to cancel.  Combofix kept running, but didn't execute any new steps, just went into the file deletes and produced the report.

=====================================

ComboFix 12-04-28.01 - Jay 04/28/2012  18:17:54.3.4 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3327.2032 [GMT -4:00]
Running from: c:\users\Jay\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Jay\AppData\Roaming\.#
c:\users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\n5jmtqjl.default\weave\toFetch
c:\users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\n5jmtqjl.default\weave\toFetch\clients.json
c:\users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\n5jmtqjl.default\weave\toFetch\tabs.json
c:\windows\system32\aac_parser.ax
c:\windows\system32\ac3DX.ax
c:\windows\system32\AVCDX.ax
c:\windows\system32\bdaplgin.ax
c:\windows\system32\cero.rs
c:\windows\system32\CoreAAC.ax
c:\windows\system32\csrr.rs
c:\windows\system32\DiracSplitter.ax
c:\windows\system32\esrb.rs
c:\windows\system32\FLACDX.ax
c:\windows\system32\g711codc.ax
c:\windows\system32\grb.rs
c:\windows\system32\iac25_32.ax
c:\windows\system32\ir41_32.ax
c:\windows\system32\ivfsrc.ax
c:\windows\system32\ksproxy.ax
c:\windows\system32\kstvtune.ax
c:\windows\system32\Kswdmcap.ax
c:\windows\system32\ksxbar.ax
c:\windows\system32\MatroskaDX.ax
c:\windows\system32\MPCDx.ax
c:\windows\system32\Mpeg2Data.ax
c:\windows\system32\mpg2splt.ax
c:\windows\system32\MSDvbNP.ax
c:\windows\system32\MSNP.ax
c:\windows\system32\oflc.rs
c:\windows\system32\pegi-fi.rs
c:\windows\system32\pegi-pt.rs
c:\windows\system32\pegi.rs
c:\windows\system32\pegibbfc.rs
c:\windows\system32\psisrndr.ax
c:\windows\system32\RealMediaDX.ax
c:\windows\system32\RLAPEDec.ax
c:\windows\system32\RLMPCDec.ax
c:\windows\system32\RLOgg.ax
c:\windows\system32\RLSpeexDec.ax
c:\windows\system32\RLTheoraDec.ax
c:\windows\system32\RLVorbisDec.ax
c:\windows\system32\TAKDSDecoder.ax
c:\windows\system32\TTADSDecoder.ax
c:\windows\system32\TTADSSplitter.ax
c:\windows\system32\usk.rs
c:\windows\system32\VBICodec.ax
c:\windows\system32\vbisurf.ax
c:\windows\system32\vidcap.ax
c:\windows\system32\WEB.rs
c:\windows\system32\WSTPager.ax
c:\windows\system32\xvid.ax
.
.
(((((((((((((((((((((((((   Files Created from 2012-03-28 to 2012-04-28  )))))))))))))))))))))))))))))))
.
.
2012-04-28 22:35 . 2012-04-28 22:35   --------   d-----w-   c:\users\Jay\AppData\Local\temp
2012-04-28 22:35 . 2012-04-28 22:35   --------   d-----w-   c:\users\Public\AppData\Local\temp
2012-04-28 22:35 . 2012-04-28 22:35   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-04-28 20:11 . 2012-04-28 20:11   9310   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2012-04-28 20:11 . 2012-04-28 20:11   8646   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2012-04-28 20:11 . 2012-04-28 20:11   6429   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2012-04-28 20:11 . 2012-04-28 20:11   63115   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-04-28 20:11 . 2012-04-28 20:11   4599   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2012-04-28 20:11 . 2012-04-28 20:11   8613   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2012-04-28 20:11 . 2012-04-28 20:11   5927   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2012-04-28 20:11 . 2012-04-28 20:11   1651   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2012-04-28 20:11 . 2012-04-28 20:11   6910   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2012-04-28 20:11 . 2012-04-28 20:11   8288   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2012-04-28 20:11 . 2012-04-28 20:11   6208   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2012-04-28 20:11 . 2012-04-28 20:11   18541   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2012-04-28 20:10 . 2012-04-28 20:10   51852   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2012-04-28 20:10 . 2012-04-28 20:10   20719   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-04-28 20:10 . 2012-04-28 20:10   8782   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-04-28 20:10 . 2012-04-28 20:10   7271   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2012-04-28 20:10 . 2012-04-28 20:10   23327   ----a-w-   c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2012-04-28 18:36 . 2012-04-28 18:36   --------   d-----w-   C:\_OTM
2012-04-23 23:00 . 2012-04-28 12:07   --------   d-----w-   c:\windows\system32\drivers\N360\0602000.009
2012-04-22 14:18 . 2011-11-24 02:23   35960   ----a-r-   c:\windows\system32\drivers\SymIMV.sys
2012-04-22 01:40 . 2012-03-01 05:46   19824   ----a-w-   c:\windows\system32\drivers\fs_rec.sys
2012-04-22 01:40 . 2012-03-01 05:37   172544   ----a-w-   c:\windows\system32\wintrust.dll
2012-04-22 01:40 . 2012-03-01 05:33   159232   ----a-w-   c:\windows\system32\imagehlp.dll
2012-04-22 01:40 . 2012-03-01 05:29   5120   ----a-w-   c:\windows\system32\wmi.dll
2012-04-22 01:40 . 2012-03-06 05:59   3968368   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2012-04-22 01:40 . 2012-03-06 05:59   3913072   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-04-06 19:42 . 2012-04-21 18:50   418464   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-04-01 21:11 . 2012-04-23 22:39   --------   d-----w-   c:\program files\Mozilla Maintenance Service
2012-04-01 21:11 . 2012-04-22 15:44   157352   ----a-w-   c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-01 21:11 . 2012-04-22 15:44   129976   ----a-w-   c:\program files\Mozilla Firefox\maintenanceservice.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-21 18:50 . 2011-05-20 01:09   70304   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56 . 2010-10-11 17:38   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-03-24 18:02 . 2012-03-04 17:57   141944   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2012-02-17 05:34 . 2012-03-13 23:27   826880   ----a-w-   c:\windows\system32\rdpcore.dll
2012-02-17 04:14 . 2012-03-13 23:27   183808   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13 . 2012-03-13 23:27   24576   ----a-w-   c:\windows\system32\drivers\tdtcp.sys
2012-02-12 02:35 . 2010-09-10 19:56   231760   ----a-w-   c:\windows\system32\drivers\truecrypt.sys
2012-02-10 05:38 . 2012-03-13 23:27   1077248   ----a-w-   c:\windows\system32\DWrite.dll
2012-02-03 03:54 . 2012-03-13 23:27   2343424   ----a-w-   c:\windows\system32\win32k.sys
2012-04-22 15:44 . 2012-03-03 19:02   97208   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 16:06   163328   --sha-r-   c:\windows\System32\flvDX.dll
2007-02-21 17:47   31232   --sha-r-   c:\windows\System32\msfDX.dll
2008-03-16 19:30   216064   --sha-r-   c:\windows\System32\nbDX.dll
2010-01-07 04:00   107520   --sha-r-   c:\windows\System32\TAKDSDecoder.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotkeyMon"="AsusSender.exe" [2011-07-13 34728]
"HotkeyService"="AsusSender.exe" [2011-07-13 34728]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-29 7744032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-07 13797920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"SuperHybridEngine"="AsusSender.exe" [2011-07-13 34728]
"LivCam"="c:\program files\ASUS\LivCam\LivCam.exe" [2009-10-17 284160]
"LiveUpdate"="AsusSender.exe" [2011-07-13 34728]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-11-20 83240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-11-20 1594664]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2010-11-05 980368]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"Daemon for Mouse Suite"="c:\program files\Lenovo\Lenovo Mouse Suite\ICO.EXE" [2010-07-28 69632]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2011-09-24 129648]
"PDFPrint"="c:\program files\PDF24\pdf24.exe" [2011-12-16 220744]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-8-2 795936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AsusService;Asus Launcher Service;c:\windows\System32\AsusService.exe [2009-08-19 219136]
R2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 D-Link SharePort Helper;D-Link SharePort Helper;c:\program files\D-Link\SharePort Utility\Spnuhelper.exe [2009-12-11 40960]
R2 PelService;Session Launcher Service;c:\program files\Lenovo\Lenovo Mouse Suite\PelService.exe [2010-04-22 184320]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-21 253088]
R3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [2011-03-15 54384]
R3 ILPUTXJWWD;ILPUTXJWWD;c:\users\Jay\AppData\Local\Temp\ILPUTXJWWD.exe

R3 MEMOQDRV;MemoQ Voice Recorder;c:\windows\system32\DRIVERS\memoqdrv.sys [2010-01-22 25664]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-22 129976]
R3 NNI;NNI;c:\users\Jay\AppData\Local\Temp\NNI.exe

S1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2011-02-09 11832]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\BASHDefs\20120413.001\BHDrvx86.sys [2012-04-02 821880]
S1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\0602000.009\ccSetx86.sys [2011-11-04 132744]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\IPSDefs\20120427.001\IDSvix86.sys [2012-03-09 368248]
S1 pelmoubt;Mouse Suite Bluetooth Driver;c:\windows\system32\DRIVERS\pelmoubt.sys [2009-04-23 18432]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\6.2.0.9\ccSvcHst.exe [2012-03-27 138232]
S2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\Asus\Game Park\GameConsole\OberonGameConsoleService.exe [2009-09-15 44312]
S3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-11-25 43944]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-11-25 29472]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-03-03 106104]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-27 51712]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-08-11 66592]
S3 pelbtm;Bluetooth Mouse Filter Driver;c:\windows\system32\DRIVERS\pelbtm.sys [2007-09-20 13312]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 18:50]
.
2012-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2272782862-793588217-2826545157-1000Core.job
- c:\users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-02 00:57]
.
2012-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2272782862-793588217-2826545157-1000UA.job
- c:\users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-02 00:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\n5jmtqjl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Mouse Suite 98 Daemon - ICO.EXE
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\6.2.0.9\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\6.2.0.9\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2272782862-793588217-2826545157-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*c*o*m*_*9*b*4*c*a*e*5*a*5*a*c*γ²y\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-2272782862-793588217-2826545157-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*c*o*m*_*c*4*7*b*c*2*7*4*3*2*2*Wñúr\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-2272782862-793588217-2826545157-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*l*v*j†÷1\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
Completion time: 2012-04-28  18:39:59
ComboFix-quarantined-files.txt  2012-04-28 22:39
.
Pre-Run: 23,711,469,568 bytes free
Post-Run: 23,524,847,616 bytes free
.
- - End Of File - - 0D8E844220DF66F9D765E72DFA858518

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 6366
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #13 on: April 29, 2012, 02:04:04 AM »
Thanks for the new log, we've had a bit of a hiccup with Combofix. Unfortunately CF has removed some legitimate files that belong to some type of video software; we will put those back later after we are sure your system is clean...

There is a discussion ongoing at the website of the cf developer regarding those files I mentioned, I will see what they recommend.

Regarding the second set of instructions for CF in my last reply, yep you were correct; bit of a faux pas on my behalf....

OK, do the following:

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

Code: [Select]
KillAll::
ClearJavaCache::
File::
c:\users\Jay\AppData\Local\Temp\NNI.exe
c:\users\Jay\AppData\Local\Temp\ILPUTXJWWD.exe
Driver::
ILPUTXJWWD
NNI
RegNull::
[HKEY_USERS\S-1-5-21-2272782862-793588217-2826545157-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*c*o*m*_*9*b*4*c*a*e*5*a*5*a*c*γ²y\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
[HKEY_USERS\S-1-5-21-2272782862-793588217-2826545157-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*c*o*m*_*c*4*7*b*c*2*7*4*3*2*2*Wñúr\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
[HKEY_USERS\S-1-5-21-2272782862-793588217-2826545157-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*l*v*j†÷1\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next,

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
You can refer to this animation by neomage if needed.
Frequently asked questions available Here  Please read them before running the scan.

Also be aware this scan can take several hours to complete depending on the size of your system.

ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

Let me see those two logs, also give update on current issues.

Thanks,

Kevin
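
As an added example (not from this thread and not ComboFix's own logic): a small Python triage pass over the service/driver lines ComboFix prints under "Reg Loading Points", flagging the kind of entries the CFScript above removes, i.e. services whose image runs from a user's Temp folder, has no recorded date/size, and whose name is only an all-caps token. The sample lines are copied from the log above; the heuristics and thresholds are assumptions for illustration, not a malware verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the format ComboFix prints under "Reg Loading Points":
# "<start> <name>;<display name>;<image path> [<yyyy-mm-dd> <size>]".
# Lines are copied from the log posted above; the two Temp entries are the
# ones the CFScript in this thread removes.
SAMPLE_LOG = r"""
R2 AsusService;Asus Launcher Service;c:\windows\System32\AsusService.exe [2009-08-19 219136]
R3 ILPUTXJWWD;ILPUTXJWWD;c:\users\Jay\AppData\Local\Temp\ILPUTXJWWD.exe
R3 MEMOQDRV;MemoQ Voice Recorder;c:\windows\system32\DRIVERS\memoqdrv.sys [2010-01-22 25664]
R3 NNI;NNI;c:\users\Jay\AppData\Local\Temp\NNI.exe
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
S1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\0602000.009\ccSetx86.sys [2011-11-04 132744]
"""

LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+"      # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);"           # service/driver key name
    r"(?P<desc>[^;]*);"           # display name
    r"(?P<path>.+?)"              # image path (lazy so the bracket is not swallowed)
    r"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?\s*$"
)

# Directories an installed service or driver should not be executing from
# (assumed heuristic list).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class ServiceEntry:
    start: str
    name: str
    desc: str
    path: str
    date: Optional[str]
    size: Optional[int]


@dataclass
class Finding:
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix service/driver line; None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return ServiceEntry(
        start=m.group("start"),
        name=m.group("name"),
        desc=m.group("desc"),
        path=m.group("path"),
        date=m.group("date"),
        size=int(size) if size else None,
    )


def triage(entry: ServiceEntry) -> List[str]:
    """Reasons an entry deserves a closer look. Empty list means nothing odd."""
    reasons: List[str] = []
    low = entry.path.lower()
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("image runs from a temp directory")
    if entry.date is None:
        reasons.append("no file date/size recorded for the image")
    # Legitimate drivers often repeat their name as display name (TsUsbFlt),
    # so only an all-caps token with no separate display name is flagged.
    if entry.desc == entry.name and re.fullmatch(r"[A-Z]{3,}", entry.name):
        reasons.append("all-caps name with no separate display name")
    return reasons


def flag_services(log_text: str) -> List[Finding]:
    """Run triage over every service line in a ComboFix log excerpt."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings.append(Finding(entry.name, entry.path, reasons))
    return findings


if __name__ == "__main__":
    for f in flag_services(SAMPLE_LOG):
        print(f"{f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```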

Offline willynilly

  • Bronze Member
  • Posts: 60
Re: [Resolved K] RootkitRevealer found a rootkit
« Reply #14 on: April 29, 2012, 09:22:11 AM »
Hi Kevin,

I hope the time on your reply was incorrect, everyone needs sleep.

I ran ComboFix and finished 76% of the ESET scan; both are listed below.

The scan ran about 3.5 hours; I have a large hard drive.

I need to catch a business flight, but will attempt to run the complete eset scan this week.

Just don't want you to think I disappeared for no reason; business demands a lot.

Thank you, for everything so far, I will be back to complete this, for certain.

========================================================

ComboFix 12-04-29.01 - Jay 04/29/2012   7:21.4.4 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3327.2105 [GMT -4:00]
Running from: c:\users\Jay\Desktop\ComboFix.exe
Command switches used :: c:\users\Jay\Desktop\CFScript.txt
AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton 360 *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Jay\AppData\Local\Temp\ILPUTXJWWD.exe"
"c:\users\Jay\AppData\Local\Temp\NNI.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\n5jmtqjl.default\searchplugins\bing-zugo.xml
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ILPUTXJWWD
-------\Service_NNI
.
.
(((((((((((((((((((((((((   Files Created from 2012-03-28 to 2012-04-29  )))))))))))))))))))))))))))))))
.
.
2012-04-29 11:37 . 2012-04-29 11:40   --------   d-----w-   c:\users\Jay\AppData\Local\temp
2012-04-29 11:37 . 2012-04-29 11:37   --------   d-----w-   c:\users\Public\AppData\Local\temp
2012-04-29 11:37 . 2012-04-29 11:37   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-04-28 18:36 . 2012-04-28 18:36   --------   d-----w-   C:\_OTM
2012-04-23 23:00 . 2012-04-28 12:07   --------   d-----w-   c:\windows\system32\drivers\N360\0602000.009
2012-04-22 14:18 . 2011-11-24 02:23   35960   ----a-r-   c:\windows\system32\drivers\SymIMV.sys
2012-04-22 01:40 . 2012-03-01 05:46   19824   ----a-w-   c:\windows\system32\drivers\fs_rec.sys
2012-04-22 01:40 . 2012-03-01 05:37   172544   ----a-w-   c:\windows\system32\wintrust.dll
2012-04-22 01:40 . 2012-03-01 05:33   159232   ----a-w-   c:\windows\system32\imagehlp.dll
2012-04-22 01:40 . 2012-03-01 05:29   5120   ----a-w-   c:\windows\system32\wmi.dll
2012-04-22 01:40 . 2012-03-06 05:59   3968368   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2012-04-22 01:40 . 2012-03-06 05:59   3913072   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-04-06 19:42 . 2012-04-21 18:50   418464   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2012-04-01 21:11 . 2012-04-23 22:39   --------   d-----w-   c:\program files\Mozilla Maintenance Service
2012-04-01 21:11 . 2012-04-22 15:44   157352   ----a-w-   c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-01 21:11 . 2012-04-22 15:44   129976   ----a-w-   c:\program files\Mozilla Firefox\maintenanceservice.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-21 18:50 . 2011-05-20 01:09   70304   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 19:56 . 2010-10-11 17:38   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
2012-03-24 18:02 . 2012-03-04 17:57   141944   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2012-02-17 05:34 . 2012-03-13 23:27   826880   ----a-w-   c:\windows\system32\rdpcore.dll
2012-02-17 04:14 . 2012-03-13 23:27   183808   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13 . 2012-03-13 23:27   24576   ----a-w-   c:\windows\system32\drivers\tdtcp.sys
2012-02-12 02:35 . 2010-09-10 19:56   231760   ----a-w-   c:\windows\system32\drivers\truecrypt.sys
2012-02-10 05:38 . 2012-03-13 23:27   1077248   ----a-w-   c:\windows\system32\DWrite.dll
2012-02-03 03:54 . 2012-03-13 23:27   2343424   ----a-w-   c:\windows\system32\win32k.sys
2012-04-22 15:44 . 2012-03-03 19:02   97208   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
2006-05-03 16:06   163328   --sha-r-   c:\windows\System32\flvDX.dll
2007-02-21 17:47   31232   --sha-r-   c:\windows\System32\msfDX.dll
2008-03-16 19:30   216064   --sha-r-   c:\windows\System32\nbDX.dll
2010-01-07 04:00   107520   --sha-r-   c:\windows\System32\TAKDSDecoder.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotkeyMon"="AsusSender.exe" [2011-07-13 34728]
"HotkeyService"="AsusSender.exe" [2011-07-13 34728]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-29 7744032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-07 13797920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"SuperHybridEngine"="AsusSender.exe" [2011-07-13 34728]
"LivCam"="c:\program files\ASUS\LivCam\LivCam.exe" [2009-10-17 284160]
"LiveUpdate"="AsusSender.exe" [2011-07-13 34728]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-11-20 83240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-11-20 1594664]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2010-11-05 980368]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"Daemon for Mouse Suite"="c:\program files\Lenovo\Lenovo Mouse Suite\ICO.EXE" [2010-07-28 69632]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2011-09-24 129648]
"PDFPrint"="c:\program files\PDF24\pdf24.exe" [2011-12-16 220744]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-8-2 795936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-21 253088]
R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408]
R3 bmdrvr;Modified Clusters Tracking Driver;c:\windows\system32\drivers\bmdrvr.sys [2011-03-15 54384]
R3 MEMOQDRV;MemoQ Voice Recorder;c:\windows\system32\DRIVERS\memoqdrv.sys [2010-01-22 25664]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-22 129976]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-11 1343400]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0602000.009\SYMDS.SYS [2011-08-16 340088]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0602000.009\SYMEFA.SYS [2011-11-24 905336]
S1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2011-02-09 11832]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\BASHDefs\20120413.001\BHDrvx86.sys [2012-04-02 821880]
S1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\N360\0602000.009\ccSetx86.sys [2011-11-04 132744]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.1.2\Definitions\IPSDefs\20120427.001\IDSvix86.sys [2012-03-09 368248]
S1 pelmoubt;Mouse Suite Bluetooth Driver;c:\windows\system32\DRIVERS\pelmoubt.sys [2009-04-23 18432]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0602000.009\Ironx86.SYS [2011-11-17 149624]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360\0602000.009\SYMNETS.SYS [2011-11-17 318584]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AsusService;Asus Launcher Service;c:\windows\System32\AsusService.exe [2009-08-19 219136]
S2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]
S2 D-Link SharePort Helper;D-Link SharePort Helper;c:\program files\D-Link\SharePort Utility\Spnuhelper.exe [2009-12-11 40960]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\6.2.0.9\ccSvcHst.exe [2012-03-27 138232]
S2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\Asus\Game Park\GameConsole\OberonGameConsoleService.exe [2009-09-15 44312]
S2 PelService;Session Launcher Service;c:\program files\Lenovo\Lenovo Mouse Suite\PelService.exe [2010-04-22 184320]
S2 vmci;VMware vmci;c:\windows\system32\Drivers\vmci.sys [2011-09-24 70768]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-09-24 539248]
S2 vmware-converter-agent;VMware vCenter Converter Standalone Agent;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [2011-08-20 423536]
S2 vmware-converter-server;VMware vCenter Converter Standalone Server;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2011-08-20 423536]
S2 vmware-converter-worker;VMware vCenter Converter Standalone Worker;c:\program files\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2011-08-20 423536]
S2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);c:\windows\system32\drivers\vstor2-mntapi10-shared.sys [2011-07-12 22768]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-11-25 43944]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-11-25 29472]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-03-03 106104]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-27 51712]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-08-11 66592]
S3 pelbtm;Bluetooth Mouse Filter Driver;c:\windows\system32\DRIVERS\pelbtm.sys [2007-09-20 13312]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2010-01-29 997408]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys [2009-07-03 247304]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 18:50]
.
2012-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2272782862-793588217-2826545157-1000Core.job
- c:\users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-02 00:57]
.
2012-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2272782862-793588217-2826545157-1000UA.job
- c:\users\Jay\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-02 00:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\n5jmtqjl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
FF - prefs.js: network.proxy.type - 0
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\6.2.0.9\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\6.2.0.9\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2272782862-793588217-2826545157-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*c*o*m*_*9*b*4*c*a*e*5*a*5*a*c*γ²y\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-2272782862-793588217-2826545157-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*c*o*m*_*c*4*7*b*c*2*7*4*3*2*2*Wñúr\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-2272782862-793588217-2826545157-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*f*l*v*j†÷1\OpenWithList]
@Class="Shell"
"a"="vlc.exe"
"MRUList"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2920)
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\windows\system32\vmnat.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\windows\system32\taskhost.exe
c:\program files\WizMouse\WizMouse.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\program files\EeePC\HotkeyService\HotKeyMon.exe
c:\program files\EeePC\HotkeyService\HotkeyService.exe
c:\program files\EeePC\SHE\SuperHybridEngine.exe
c:\program files\Asus\LiveUpdate\LiveUpdate.exe
c:\program files\Eraser\Eraser.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\DllHost.exe
c:\program files\Lenovo\Lenovo Mouse Suite\PelElvDm.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-04-29  07:44:02 - machine was rebooted
ComboFix-quarantined-files.txt  2012-04-29 11:43
ComboFix2.txt  2012-04-28 22:40
.
Pre-Run: 22,345,596,928 bytes free
Post-Run: 22,101,504,000 bytes free
.
- - End Of File - - BBBA6B4D57142C6D98D9B2E92FC83DB4

=====================================================================

C:\Users\Jay\Documents\CEH extras\Group2\Laura Chappell-video\DVD-3\dvd3\Hands-On_Self-Study\White Hat Toolbox\Course Evaluation Software\Hurricane Search\hsearch40.exe   probably a variant of Win32/Agent.BC trojan
C:\Users\Jay\Documents\CEH extras\Group2\Laura Chappell-video\DVD-3\dvd3\Hands-On_Self-Study\White Hat Toolbox\Course Evaluation Software\Hurricane Search\setup.exe   probably a variant of Win32/Agent.BC trojan