therealjeremiah's infection thread

therealjeremiah · Jun 7, 2011

I had similar "windows 7 recovery" malware problems. followed steps given and ran malwarebyte, combofix and finally hijackthis. Help would be appreciated. The logs are as follows :

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6794

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/6/2011 2:39:06 PM
mbam-log-2011-06-07 (14-39-06).txt

Scan type: Quick scan
Objects scanned: 158351
Time elapsed: 1 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NfeiQASGuw (Trojan.FakeMS) -> Value: NfeiQASGuw -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\nfeiqasguw.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\programdata\38854392.exe (Trojan.Agent.GD) -> Quarantined and deleted successfully.

ComboFix 11-06-06.03 - MSI 07/06/2011 15:15:54.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.65.1033.18.8174.6053 [GMT 8:00]
Running from: c:\users\MSI\Downloads\spyware\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\MSI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery
c:\users\MSI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery\Uninstall Windows 7 Recovery.lnk
c:\users\MSI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery\Windows 7 Recovery.lnk
c:\users\MSI\Desktop\Windows 7 Recovery.lnk
.
.
((((((((((((((((((((((((( Files Created from 2011-05-07 to 2011-06-07 )))))))))))))))))))))))))))))))
.
.
2011-06-07 07:23 . 2011-06-07 07:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-07 06:46 . 2011-06-07 06:46 388096 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-07 06:46 . 2011-06-07 06:46 -------- d-----w- c:\program files (x86)\Trend Micro
2011-06-07 05:53 . 2011-06-07 05:53 -------- d-----w- c:\users\MSI\AppData\Roaming\Malwarebytes
2011-06-07 05:53 . 2011-05-29 01:11 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-07 05:53 . 2011-06-07 05:53 -------- d-----w- c:\programdata\Malwarebytes
2011-06-07 05:53 . 2011-05-29 01:11 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-07 05:53 . 2011-06-07 05:53 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-06-07 05:04 . 2011-06-07 05:04 -------- d-----w- c:\users\MSI\AppData\Local\{CCECCF41-D22A-42B8-A38A-E70D67116522}
2011-06-06 04:59 . 2011-06-06 04:59 -------- d-----w- c:\users\MSI\AppData\Local\{AA909C9D-7D98-4DDA-B6A3-5A37CEC125F7}
2011-06-05 16:50 . 2011-06-05 16:59 -------- d-----w- c:\users\MSI\AppData\Local\{F613709A-6044-4470-B0A4-17FAD7B59F4D}
2011-06-05 04:37 . 2011-06-05 04:37 -------- d-----w- c:\users\MSI\AppData\Local\{D260C901-F78E-431C-9851-B84EA6DC7862}
2011-06-04 07:02 . 2011-06-04 07:02 -------- d-----w- c:\users\MSI\AppData\Local\{6770DE9A-245C-47A7-80AA-25BAD5976396}
2011-06-03 19:01 . 2011-06-03 19:01 -------- d-----w- c:\users\MSI\AppData\Local\{CCC85EDA-7313-46AA-AB37-498B982B09CC}
2011-06-03 07:14 . 2011-05-09 22:00 8718160 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EE0CB7A7-2AE5-45A0-A613-5B9C96C97FAA}\mpengine.dll
2011-06-03 07:01 . 2011-06-03 07:01 -------- d-----w- c:\users\MSI\AppData\Local\{A86C7BB6-5F51-4AA1-A17D-7893EE5EEF80}
2011-06-02 15:09 . 2011-06-02 15:09 -------- d-----w- c:\users\MSI\AppData\Local\{2D1403B7-86B4-4192-BBC0-F91270645772}
2011-06-02 03:08 . 2011-06-02 03:09 -------- d-----w- c:\users\MSI\AppData\Local\{172E1CCF-C96F-44A4-8A26-162F7EB32452}
2011-06-01 09:04 . 2011-06-01 09:04 -------- d-----w- c:\users\MSI\AppData\Local\{CABE255D-A330-4C17-B02A-9DD8F665716D}
2011-05-31 09:33 . 2011-05-31 09:33 -------- d-----w- c:\users\MSI\AppData\Local\{1C82C26C-2B54-4FF7-8C96-23B9445AEAC6}
2011-05-30 10:02 . 2011-05-30 10:04 -------- d-----w- c:\users\MSI\AppData\Local\{C1525130-373F-4E88-A4BA-C6C9B9D869F8}
2011-05-29 14:22 . 2011-05-29 14:23 -------- d-----w- c:\users\MSI\AppData\Local\{7E146287-7AF1-4D9F-9D80-B5E5B1868875}
2011-05-28 16:35 . 2011-05-28 16:37 -------- d-----w- c:\users\MSI\AppData\Roaming\vlc
2011-05-28 16:34 . 2011-05-28 16:34 -------- d-----w- c:\program files (x86)\VideoLAN
2011-05-28 16:12 . 2011-05-28 16:12 -------- d-----w- c:\users\MSI\AppData\Local\{13B14426-4D9B-4328-B46B-C088543F902A}
2011-05-27 12:58 . 2011-05-27 12:58 -------- d-----w- c:\users\MSI\AppData\Local\{070F7DEE-0BA5-412F-923E-415AD06B0003}
2011-05-26 15:05 . 2011-05-26 15:05 -------- d-----w- c:\users\MSI\AppData\Local\{A9066070-40C6-43D2-A193-A511F392E1A5}
2011-05-26 01:54 . 2011-05-26 01:54 -------- d-----w- c:\users\MSI\AppData\Local\{DED6681B-6223-428D-98BB-43299BB94366}
2011-05-25 06:36 . 2011-04-22 20:18 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-05-25 06:33 . 2011-05-25 06:34 -------- d-----w- c:\users\MSI\AppData\Local\{7C5C3CB7-75B3-417A-9DFD-86E0235B4FC6}
2011-05-25 06:26 . 2011-05-25 06:26 -------- d-----w- c:\users\MSI\AppData\Local\{A5408DE4-0FAA-488F-B33A-0865397F4EFD}
2011-05-24 09:56 . 2011-05-24 09:56 -------- d-----w- c:\users\MSI\AppData\Local\{23394DCA-4C63-4FA0-B793-6D7F6EADE7F8}
2011-05-23 12:19 . 2011-05-23 12:19 -------- d-----w- c:\users\MSI\AppData\Local\{57396278-8EE9-42B5-A4BC-BDCBDE6ABDB1}
2011-05-22 15:04 . 2011-05-22 15:04 -------- d-----w- c:\users\MSI\AppData\Local\{0C737C84-4FA9-40B0-8013-5A6131B388E8}
2011-05-22 03:04 . 2011-05-22 03:04 -------- d-----w- c:\users\MSI\AppData\Local\{5EBBB2BB-27A3-4347-86BF-4043DCCFCF3B}
2011-05-21 13:21 . 2011-05-21 13:23 -------- d-----w- c:\users\MSI\AppData\Local\{3AD506CA-2D36-4C31-9395-2DC472036C10}
2011-05-20 11:10 . 2011-05-20 11:10 -------- d-----w- c:\users\MSI\AppData\Local\{0DA00C0A-6B26-4171-8015-2C503A48BE58}
2011-05-19 11:25 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe
2011-05-19 11:25 . 2011-04-09 05:56 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
2011-05-19 08:40 . 2011-05-19 08:41 -------- d-----w- c:\users\MSI\AppData\Local\{6B92F213-B4CB-4F44-8ACA-11CF24B2A496}
2011-05-18 11:25 . 2011-05-18 11:25 -------- d-----w- c:\users\MSI\AppData\Local\{2A38E595-1C56-428F-90D4-38FD374E0339}
2011-05-17 07:51 . 2011-05-17 07:51 -------- d-----w- c:\users\MSI\AppData\Local\{CEB99370-96A5-447F-8B5A-1305F48D889E}
2011-05-16 17:26 . 2011-05-16 17:26 -------- d-----w- c:\users\MSI\AppData\Local\{C639CE69-75F5-433D-9E32-AFE833B149C9}
2011-05-16 17:22 . 2011-05-16 17:22 -------- d-----w- c:\users\MSI\AppData\Local\{3CA91346-1EFF-4D32-91CA-68ED23A47BA9}
2011-05-16 13:48 . 2011-05-16 13:48 -------- d-----w- c:\users\MSI\AppData\Local\{864A5BE5-52B9-464F-AE3B-C018CEC6DFD1}
2011-05-15 16:57 . 2011-05-15 16:57 -------- d-----w- c:\users\MSI\AppData\Local\{EB931F71-93EA-4DCA-B04B-14C3FC13B73C}
2011-05-15 05:58 . 2011-05-15 05:58 -------- d-----w- c:\users\MSI\AppData\Local\{8E35A195-D3DB-4E95-9A5D-931B1A759411}
2011-05-14 14:33 . 2011-05-14 14:33 -------- d-----w- c:\users\MSI\AppData\Local\{728A9569-97B6-4F68-9D30-FA7B2FEFFC8A}
2011-05-13 09:13 . 2011-05-13 09:13 -------- d-----w- c:\users\MSI\AppData\Local\{6E95B916-8AA3-4A2C-B293-49B791790BD8}
2011-05-12 15:37 . 2011-05-12 15:37 -------- d-----w- c:\users\MSI\AppData\Local\{1D034D37-40F1-4A1D-806D-6A5B46CC5C11}
2011-05-12 03:36 . 2011-05-12 03:36 -------- d-----w- c:\users\MSI\AppData\Local\{1513A288-F172-40FA-A826-30246EF61439}
2011-05-11 16:10 . 2011-04-09 06:45 5509504 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-11 16:10 . 2011-04-09 06:13 3957632 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-05-11 16:10 . 2011-04-09 06:13 3901824 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-05-11 16:10 . 2011-03-25 03:23 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-05-11 16:10 . 2011-03-25 03:23 98816 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-05-11 16:10 . 2011-03-25 03:23 324608 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-05-11 16:10 . 2011-03-25 03:22 52224 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-05-11 16:10 . 2011-03-25 03:22 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys
2011-05-11 16:10 . 2011-03-25 03:22 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-05-11 16:10 . 2011-03-25 03:22 7936 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-05-11 08:13 . 2011-05-11 08:13 -------- d-----w- c:\users\MSI\AppData\Local\{61BB7123-9DF8-49FE-B97D-1A554297CC9F}
2011-05-10 16:04 . 2011-05-10 16:04 -------- d-----w- c:\users\MSI\AppData\Local\{CC92F69F-38A4-4206-8593-9E10BCBCACB7}
2011-05-09 12:00 . 2011-05-09 12:02 -------- d-----w- c:\users\MSI\AppData\Local\{3F40C622-74B5-480C-A08C-8D34A2FEF98C}
2011-05-08 13:34 . 2011-05-08 13:34 -------- d--h--r- c:\users\MSI\AppData\Roaming\SecuROM
2011-05-08 13:17 . 2011-05-08 13:17 -------- d--h--w- c:\programdata\Media Center Programs
2011-05-08 13:17 . 2011-05-08 13:17 -------- d-----w- c:\program files (x86)\Common Files\BioWare
2011-05-08 12:59 . 2011-05-08 13:29 -------- d-----w- c:\program files (x86)\Mass Effect
2011-05-08 09:14 . 2011-05-08 09:15 -------- d-----w- c:\users\MSI\AppData\Local\{ECF6A266-1C90-483C-B0B3-F0F017A5A40D}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 16:56 . 2011-04-14 16:56 159080 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10138.bin
2011-04-06 08:26 . 2011-04-06 08:26 96544 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 08:26 . 2011-04-06 08:26 69408 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 08:26 . 2011-04-06 08:26 237856 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 08:26 . 2011-04-06 08:26 119584 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-06 08:20 . 2011-04-06 08:20 91424 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-04-06 08:20 . 2011-04-06 08:20 75040 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-04-06 08:20 . 2011-04-06 08:20 197920 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-04-06 08:20 . 2011-04-06 08:20 107808 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-03-28 16:44 . 2010-06-24 03:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut9_D69843EAB3A7466DB379F3690A060551.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut8_50394084064C4B969199EFF76239F102.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut7_C4DF95A26CF3494285CF71E8D252859D.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut6_807DF9A1007F4A84B0B87FEED3A7F509.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut4_37167FF79BC940BF9038BFD6CA655A79.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut30_5B7329CF70094E33A1612C6AEC11D446.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut29_435025C5E8D44ED8A934B36973EEC383.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut28_8A35088ECEFF4FB792311AFC0797F6DA.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut27_56CDEE2C401546629093C73374AD9A9B.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut26_E6B93E3060FB48C9B5EC83092D8E75B8.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut25_D8A2EE5033A64EA1884E55AC8680FE38.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut24_945BBF10D8CD457491BD4FF67A286AD2.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut23_16E5FC852D664F89810C53C320D84D22.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut22_ADB206C3BCE3480DB899742A1EB06B78.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut21_8DC5DC4FC42943169872A6DA1096B72E.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut20_B3CE772A376F4856AC70EDAD3E9E3F37.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut19_12A456F8B842488194ED46BF5EE5600B.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut18_D6A07D0479E14EABB8875220B035C986.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut17_3AA0F3A123EF4B5385E135AFFC3F7ED2.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut16_5C8EBF28592F464FB90E2FD48539E7DD.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut15_E9E408ED02724D489DEACF2C8393600F.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut14_6AD66DB4E349430D81E39122AF35AADB.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut13_18F78736FD5246E1B66265076FAADB95.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut12_9D1CC64D29D04C368E37DDC93E47C24A.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut11_F5A625A51C614F29ADAAA0EE562CFA2F.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut10_D8C18D7E712544D38BBCC213733CFF06.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut1_45F4EDFDEAE341C2AD10AFD1EEE655C0.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\ARPPRODUCTICON.exe
2011-03-27 11:58 . 2011-03-27 11:58 6 ----a-w- c:\windows\silentOnce.tmp
2011-03-12 12:03 . 2011-04-27 08:24 662528 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-12 11:31 . 2011-04-27 08:24 442880 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2011-03-11 06:23 . 2011-04-27 08:24 187264 ----a-w- c:\windows\system32\drivers\storport.sys
2011-03-11 06:23 . 2011-04-27 08:24 1657216 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-03-11 06:23 . 2011-04-27 08:24 166272 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-03-11 06:23 . 2011-04-27 08:24 148352 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-03-11 06:23 . 2011-04-27 08:24 410496 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-03-11 06:22 . 2011-04-27 08:24 107904 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-03-11 06:22 . 2011-04-27 08:24 27008 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-03-11 06:19 . 2011-04-15 09:02 1395712 ----a-w- c:\windows\system32\mfc42.dll
2011-03-11 06:19 . 2011-04-15 09:02 1359872 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 06:18 . 2011-04-27 08:24 2566144 ----a-w- c:\windows\system32\esent.dll
2011-03-11 06:15 . 2011-04-27 08:24 96768 ----a-w- c:\windows\system32\fsutil.exe
2011-03-11 05:40 . 2011-04-15 09:02 1164288 ----a-w- c:\windows\SysWow64\mfc42u.dll
2011-03-11 05:40 . 2011-04-15 09:02 1137664 ----a-w- c:\windows\SysWow64\mfc42.dll
2011-03-11 05:39 . 2011-04-27 08:24 1686016 ----a-w- c:\windows\SysWow64\esent.dll
2011-03-11 05:37 . 2011-04-27 08:24 74240 ----a-w- c:\windows\SysWow64\fsutil.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-03-27 1242448]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-05 102400]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"MGSysCtrl"="c:\program files (x86)\System Control Manager\MGSysCtrl.exe" [2010-01-08 2396160]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"Razer Orochi Driver"="c:\program files (x86)\Razer\Orochi\RazerOrochiTray.exe" [2009-10-22 2548056]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 35696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2010-02-09 2621440]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BTMCOM;Bluetooth Serial Port;c:\windows\System32\Drivers\btmcom.sys [x]
R3 BTMHID;BTMHID;c:\windows\system32\DRIVERS\btmhid.sys [x]
R3 BTMUSB;Motorola Bluetooth Radio Service;c:\windows\system32\Drivers\btmusb.sys [x]
R3 enecirhid;ENE CIR HID Receiver;c:\windows\system32\DRIVERS\enecirhid.sys [x]
R3 enecirhidma;ENE CIR HIDmini Filter;c:\windows\system32\DRIVERS\enecirhidma.sys [x]
R3 MGHwCtrl;MGHwCtrl;c:\program files\msi\msi Software Install\MGHwCtrl.sys [x]
R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files\Motorola\Bluetooth\obexsrv.exe [2009-12-21 637192]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
S2 Micro Star SCM;Micro Star SCM;c:\program files (x86)\System Control Manager\MSIService.exe [2009-07-09 160768]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 Bluetooth Device Manager;Bluetooth Device Manager;c:\program files\Motorola\Bluetooth\devmgrsrv.exe [2010-01-25 4154120]
S3 Bluetooth Media Service;Bluetooth Media Service;c:\program files\Motorola\Bluetooth\audiosrv.exe [2010-01-26 1029896]
S3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe [2010-01-25 245760]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [x]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-07-27 1028096]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1629781980-492140922-1869571010-1000Core.job
- c:\users\MSI\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-29 16:03]
.
2011-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1629781980-492140922-1869571010-1000UA.job
- c:\users\MSI\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-29 16:03]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-01-12 9642528]
"BTMTrayAgent"="c:\program files\Motorola\Bluetooth\btmshell.dll" [2010-02-13 20433160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://msi.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\61t3tugw.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1629781980-492140922-1869571010-1000\Software\SecuROM\License information*]
"datasecu"=hex:06,6b,8a,b8,a0,d2,cc,b2,17,aa,ed,f8,b6,e3,c4,04,4d,3f,34,3a,34,
e0,89,e0,37,d3,f9,93,59,cb,4f,4c,88,f9,a9,5e,f4,82,ae,69,c4,b7,2e,38,2d,2a,\
"rkeysecu"=hex:ad,d4,1a,cb,1d,24,8d,83,fc,b0,a5,43,e4,c2,57,ba
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-06-07 15:26:23
ComboFix-quarantined-files.txt 2011-06-07 07:26
.
Pre-Run: 195,080,769,536 bytes free
Post-Run: 194,778,173,440 bytes free
.
- - End Of File - - FF3FB07F9101B7A62BE36BC7660E8359

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:28:24 PM, on 7/6/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16766)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Razer\Orochi\RazerOrochiTray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (xa86)\Browny02\Brother\BrStMonW.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msi.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Razer Orochi Driver] C:\Program Files (x86)\Razer\Orochi\RazerOrochiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agr64svc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Device Manager - Motorola, Inc. - C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe
O23 - Service: Bluetooth Media Service - Motorola, Inc. - C:\Program Files\Motorola\Bluetooth\audiosrv.exe
O23 - Service: Bluetooth OBEX Service - Motorola, Inc. - C:\Program Files\Motorola\Bluetooth\obexsrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: BrYNSvc - Brother Industries, Ltd. - C:\Program Files (x86)\Browny02\BrYNSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Micro Star SCM - Micro-Star International Co., Ltd. - C:\Program Files (x86)\System Control Manager\MSIService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 8894 bytes

johnb35 · Jun 7, 2011

If you have files/folders/start menu entries that has disappeared on you then please download and run unhide.exe.

Please move the combofix file to your desktop so you can perform the following procedure.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:

folder::
c:\users\MSI\AppData\Local\{CCECCF41-D22A-42B8-A38A-E70D67116522}
c:\users\MSI\AppData\Local\{AA909C9D-7D98-4DDA-B6A3-5A37CEC125F7}
c:\users\MSI\AppData\Local\{F613709A-6044-4470-B0A4-17FAD7B59F4D}
c:\users\MSI\AppData\Local\{D260C901-F78E-431C-9851-B84EA6DC7862}
c:\users\MSI\AppData\Local\{6770DE9A-245C-47A7-80AA-25BAD5976396}
c:\users\MSI\AppData\Local\{CCC85EDA-7313-46AA-AB37-498B982B09CC}
c:\users\MSI\AppData\Local\{A86C7BB6-5F51-4AA1-A17D-7893EE5EEF80}
c:\users\MSI\AppData\Local\{2D1403B7-86B4-4192-BBC0-F91270645772}
c:\users\MSI\AppData\Local\{172E1CCF-C96F-44A4-8A26-162F7EB32452}
c:\users\MSI\AppData\Local\{CABE255D-A330-4C17-B02A-9DD8F665716D}
c:\users\MSI\AppData\Local\{1C82C26C-2B54-4FF7-8C96-23B9445AEAC6}
c:\users\MSI\AppData\Local\{C1525130-373F-4E88-A4BA-C6C9B9D869F8}
c:\users\MSI\AppData\Local\{7E146287-7AF1-4D9F-9D80-B5E5B1868875}
c:\users\MSI\AppData\Local\{13B14426-4D9B-4328-B46B-C088543F902A}
c:\users\MSI\AppData\Local\{070F7DEE-0BA5-412F-923E-415AD06B0003}
c:\users\MSI\AppData\Local\{A9066070-40C6-43D2-A193-A511F392E1A5}
c:\users\MSI\AppData\Local\{DED6681B-6223-428D-98BB-43299BB94366}
c:\users\MSI\AppData\Local\{7C5C3CB7-75B3-417A-9DFD-86E0235B4FC6}
c:\users\MSI\AppData\Local\{A5408DE4-0FAA-488F-B33A-0865397F4EFD}
c:\users\MSI\AppData\Local\{23394DCA-4C63-4FA0-B793-6D7F6EADE7F8}
c:\users\MSI\AppData\Local\{57396278-8EE9-42B5-A4BC-BDCBDE6ABDB1}
c:\users\MSI\AppData\Local\{0C737C84-4FA9-40B0-8013-5A6131B388E8}
c:\users\MSI\AppData\Local\{5EBBB2BB-27A3-4347-86BF-4043DCCFCF3B}
c:\users\MSI\AppData\Local\{3AD506CA-2D36-4C31-9395-2DC472036C10}
c:\users\MSI\AppData\Local\{0DA00C0A-6B26-4171-8015-2C503A48BE58}
c:\users\MSI\AppData\Local\{6B92F213-B4CB-4F44-8ACA-11CF24B2A496}
c:\users\MSI\AppData\Local\{2A38E595-1C56-428F-90D4-38FD374E0339}
c:\users\MSI\AppData\Local\{CEB99370-96A5-447F-8B5A-1305F48D889E}
c:\users\MSI\AppData\Local\{C639CE69-75F5-433D-9E32-AFE833B149C9}
c:\users\MSI\AppData\Local\{3CA91346-1EFF-4D32-91CA-68ED23A47BA9}
c:\users\MSI\AppData\Local\{864A5BE5-52B9-464F-AE3B-C018CEC6DFD1}
c:\users\MSI\AppData\Local\{EB931F71-93EA-4DCA-B04B-14C3FC13B73C}
c:\users\MSI\AppData\Local\{8E35A195-D3DB-4E95-9A5D-931B1A759411}
c:\users\MSI\AppData\Local\{728A9569-97B6-4F68-9D30-FA7B2FEFFC8A}
c:\users\MSI\AppData\Local\{6E95B916-8AA3-4A2C-B293-49B791790BD8}
c:\users\MSI\AppData\Local\{1D034D37-40F1-4A1D-806D-6A5B46CC5C11}
c:\users\MSI\AppData\Local\{1513A288-F172-40FA-A826-30246EF61439}
c:\users\MSI\AppData\Local\{61BB7123-9DF8-49FE-B97D-1A554297CC9F}
c:\users\MSI\AppData\Local\{CC92F69F-38A4-4206-8593-9E10BCBCACB7}
c:\users\MSI\AppData\Local\{3F40C622-74B5-480C-A08C-8D34A2FEF98C}
c:\users\MSI\AppData\Local\{ECF6A266-1C90-483C-B0B3-F0F017A5A40D}

Reglock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Give me an update on how your system is running now.

therealjeremiah · Jun 7, 2011

Thanks for the reply. Ran unhide, didn't seem to work. Icons still missing and my D drive still reports as empty. Ran combofix, then hijackthis. Ran unhide again, still doesn't seem to work despite closing all antiviruses and running as admin (i'm using windows 7). Other than that, no popups occur, seems to run normally.
logs are as follows

ComboFix 11-06-06.03 - MSI 08/06/2011 1:24.2.8 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.65.1033.18.8174.6203 [GMT 8:00]
Running from: c:\users\MSI\Desktop\ComboFix.exe
Command switches used :: c:\users\MSI\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\MSI\AppData\Local\{070F7DEE-0BA5-412F-923E-415AD06B0003}
c:\users\MSI\AppData\Local\{0C737C84-4FA9-40B0-8013-5A6131B388E8}
c:\users\MSI\AppData\Local\{0DA00C0A-6B26-4171-8015-2C503A48BE58}
c:\users\MSI\AppData\Local\{13B14426-4D9B-4328-B46B-C088543F902A}
c:\users\MSI\AppData\Local\{1513A288-F172-40FA-A826-30246EF61439}
c:\users\MSI\AppData\Local\{172E1CCF-C96F-44A4-8A26-162F7EB32452}
c:\users\MSI\AppData\Local\{1C82C26C-2B54-4FF7-8C96-23B9445AEAC6}
c:\users\MSI\AppData\Local\{1D034D37-40F1-4A1D-806D-6A5B46CC5C11}
c:\users\MSI\AppData\Local\{23394DCA-4C63-4FA0-B793-6D7F6EADE7F8}
c:\users\MSI\AppData\Local\{2A38E595-1C56-428F-90D4-38FD374E0339}
c:\users\MSI\AppData\Local\{2D1403B7-86B4-4192-BBC0-F91270645772}
c:\users\MSI\AppData\Local\{3AD506CA-2D36-4C31-9395-2DC472036C10}
c:\users\MSI\AppData\Local\{3CA91346-1EFF-4D32-91CA-68ED23A47BA9}
c:\users\MSI\AppData\Local\{3F40C622-74B5-480C-A08C-8D34A2FEF98C}
c:\users\MSI\AppData\Local\{57396278-8EE9-42B5-A4BC-BDCBDE6ABDB1}
c:\users\MSI\AppData\Local\{5EBBB2BB-27A3-4347-86BF-4043DCCFCF3B}
c:\users\MSI\AppData\Local\{61BB7123-9DF8-49FE-B97D-1A554297CC9F}
c:\users\MSI\AppData\Local\{6770DE9A-245C-47A7-80AA-25BAD5976396}
c:\users\MSI\AppData\Local\{6B92F213-B4CB-4F44-8ACA-11CF24B2A496}
c:\users\MSI\AppData\Local\{6E95B916-8AA3-4A2C-B293-49B791790BD8}
c:\users\MSI\AppData\Local\{728A9569-97B6-4F68-9D30-FA7B2FEFFC8A}
c:\users\MSI\AppData\Local\{7C5C3CB7-75B3-417A-9DFD-86E0235B4FC6}
c:\users\MSI\AppData\Local\{7E146287-7AF1-4D9F-9D80-B5E5B1868875}
c:\users\MSI\AppData\Local\{864A5BE5-52B9-464F-AE3B-C018CEC6DFD1}
c:\users\MSI\AppData\Local\{8E35A195-D3DB-4E95-9A5D-931B1A759411}
c:\users\MSI\AppData\Local\{A5408DE4-0FAA-488F-B33A-0865397F4EFD}
c:\users\MSI\AppData\Local\{A86C7BB6-5F51-4AA1-A17D-7893EE5EEF80}
c:\users\MSI\AppData\Local\{A9066070-40C6-43D2-A193-A511F392E1A5}
c:\users\MSI\AppData\Local\{AA909C9D-7D98-4DDA-B6A3-5A37CEC125F7}
c:\users\MSI\AppData\Local\{C1525130-373F-4E88-A4BA-C6C9B9D869F8}
c:\users\MSI\AppData\Local\{C639CE69-75F5-433D-9E32-AFE833B149C9}
c:\users\MSI\AppData\Local\{CABE255D-A330-4C17-B02A-9DD8F665716D}
c:\users\MSI\AppData\Local\{CC92F69F-38A4-4206-8593-9E10BCBCACB7}
c:\users\MSI\AppData\Local\{CCC85EDA-7313-46AA-AB37-498B982B09CC}
c:\users\MSI\AppData\Local\{CCECCF41-D22A-42B8-A38A-E70D67116522}
c:\users\MSI\AppData\Local\{CEB99370-96A5-447F-8B5A-1305F48D889E}
c:\users\MSI\AppData\Local\{D260C901-F78E-431C-9851-B84EA6DC7862}
c:\users\MSI\AppData\Local\{DED6681B-6223-428D-98BB-43299BB94366}
c:\users\MSI\AppData\Local\{EB931F71-93EA-4DCA-B04B-14C3FC13B73C}
c:\users\MSI\AppData\Local\{ECF6A266-1C90-483C-B0B3-F0F017A5A40D}
c:\users\MSI\AppData\Local\{F613709A-6044-4470-B0A4-17FAD7B59F4D}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-07 to 2011-06-07 )))))))))))))))))))))))))))))))
.
.
2011-06-07 17:30 . 2011-06-07 17:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-07 17:04 . 2011-06-07 17:05 -------- d-----w- c:\users\MSI\AppData\Local\{BE35FE01-2B6F-4224-A4D9-08049299DBC3}
2011-06-07 08:59 . 2011-06-07 08:59 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll
2011-06-07 06:46 . 2011-06-07 06:46 388096 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-07 06:46 . 2011-06-07 06:46 -------- d-----w- c:\program files (x86)\Trend Micro
2011-06-07 05:53 . 2011-06-07 05:53 -------- d-----w- c:\users\MSI\AppData\Roaming\Malwarebytes
2011-06-07 05:53 . 2011-05-29 01:11 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-07 05:53 . 2011-06-07 05:53 -------- d-----w- c:\programdata\Malwarebytes
2011-06-07 05:53 . 2011-05-29 01:11 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-07 05:53 . 2011-06-07 05:53 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-06-03 07:14 . 2011-05-09 22:00 8718160 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EE0CB7A7-2AE5-45A0-A613-5B9C96C97FAA}\mpengine.dll
2011-05-28 16:35 . 2011-05-28 16:37 -------- d-----w- c:\users\MSI\AppData\Roaming\vlc
2011-05-28 16:34 . 2011-05-28 16:34 -------- d-----w- c:\program files (x86)\VideoLAN
2011-05-25 06:36 . 2011-04-22 20:18 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-05-19 11:25 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe
2011-05-19 11:25 . 2011-04-09 05:56 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
2011-05-11 16:10 . 2011-04-09 06:45 5509504 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-11 16:10 . 2011-04-09 06:13 3957632 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-05-11 16:10 . 2011-04-09 06:13 3901824 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-05-11 16:10 . 2011-03-25 03:23 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-05-11 16:10 . 2011-03-25 03:23 98816 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-05-11 16:10 . 2011-03-25 03:23 324608 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-05-11 16:10 . 2011-03-25 03:22 52224 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-05-11 16:10 . 2011-03-25 03:22 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys
2011-05-11 16:10 . 2011-03-25 03:22 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-05-11 16:10 . 2011-03-25 03:22 7936 ----a-w- c:\windows\system32\drivers\usbd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 16:56 . 2011-04-14 16:56 159080 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10138.bin
2011-04-06 08:26 . 2011-04-06 08:26 96544 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 08:26 . 2011-04-06 08:26 69408 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 08:26 . 2011-04-06 08:26 237856 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 08:26 . 2011-04-06 08:26 119584 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-06 08:20 . 2011-04-06 08:20 91424 ----a-w- c:\windows\SysWow64\dnssd.dll
2011-04-06 08:20 . 2011-04-06 08:20 75040 ----a-w- c:\windows\SysWow64\jdns_sd.dll
2011-04-06 08:20 . 2011-04-06 08:20 197920 ----a-w- c:\windows\SysWow64\dnssdX.dll
2011-04-06 08:20 . 2011-04-06 08:20 107808 ----a-w- c:\windows\SysWow64\dns-sd.exe
2011-03-28 16:44 . 2010-06-24 03:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut9_D69843EAB3A7466DB379F3690A060551.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut8_50394084064C4B969199EFF76239F102.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut7_C4DF95A26CF3494285CF71E8D252859D.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut6_807DF9A1007F4A84B0B87FEED3A7F509.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut4_37167FF79BC940BF9038BFD6CA655A79.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut30_5B7329CF70094E33A1612C6AEC11D446.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut29_435025C5E8D44ED8A934B36973EEC383.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut28_8A35088ECEFF4FB792311AFC0797F6DA.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut27_56CDEE2C401546629093C73374AD9A9B.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut26_E6B93E3060FB48C9B5EC83092D8E75B8.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut25_D8A2EE5033A64EA1884E55AC8680FE38.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut24_945BBF10D8CD457491BD4FF67A286AD2.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut23_16E5FC852D664F89810C53C320D84D22.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut22_ADB206C3BCE3480DB899742A1EB06B78.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut21_8DC5DC4FC42943169872A6DA1096B72E.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut20_B3CE772A376F4856AC70EDAD3E9E3F37.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut19_12A456F8B842488194ED46BF5EE5600B.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut18_D6A07D0479E14EABB8875220B035C986.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut17_3AA0F3A123EF4B5385E135AFFC3F7ED2.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut16_5C8EBF28592F464FB90E2FD48539E7DD.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut15_E9E408ED02724D489DEACF2C8393600F.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut14_6AD66DB4E349430D81E39122AF35AADB.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut13_18F78736FD5246E1B66265076FAADB95.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut12_9D1CC64D29D04C368E37DDC93E47C24A.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut11_F5A625A51C614F29ADAAA0EE562CFA2F.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut10_D8C18D7E712544D38BBCC213733CFF06.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\NewShortcut1_45F4EDFDEAE341C2AD10AFD1EEE655C0.exe
2011-03-27 15:41 . 2011-03-27 15:41 136512 ----a-r- c:\users\MSI\AppData\Roaming\Microsoft\Installer\{306D4754-BECE-4FC7-85F3-B7FEED274AA8}\ARPPRODUCTICON.exe
2011-03-27 11:58 . 2011-03-27 11:58 6 ----a-w- c:\windows\silentOnce.tmp
2011-03-12 12:03 . 2011-04-27 08:24 662528 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-12 11:31 . 2011-04-27 08:24 442880 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2011-03-11 06:23 . 2011-04-27 08:24 187264 ----a-w- c:\windows\system32\drivers\storport.sys
2011-03-11 06:23 . 2011-04-27 08:24 1657216 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-03-11 06:23 . 2011-04-27 08:24 166272 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-03-11 06:23 . 2011-04-27 08:24 148352 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-03-11 06:23 . 2011-04-27 08:24 410496 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-03-11 06:22 . 2011-04-27 08:24 107904 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-03-11 06:22 . 2011-04-27 08:24 27008 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-03-11 06:19 . 2011-04-15 09:02 1395712 ----a-w- c:\windows\system32\mfc42.dll
2011-03-11 06:19 . 2011-04-15 09:02 1359872 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 06:18 . 2011-04-27 08:24 2566144 ----a-w- c:\windows\system32\esent.dll
2011-03-11 06:15 . 2011-04-27 08:24 96768 ----a-w- c:\windows\system32\fsutil.exe
2011-03-11 05:40 . 2011-04-15 09:02 1164288 ----a-w- c:\windows\SysWow64\mfc42u.dll
2011-03-11 05:40 . 2011-04-15 09:02 1137664 ----a-w- c:\windows\SysWow64\mfc42.dll
2011-03-11 05:39 . 2011-04-27 08:24 1686016 ----a-w- c:\windows\SysWow64\esent.dll
2011-03-11 05:37 . 2011-04-27 08:24 74240 ----a-w- c:\windows\SysWow64\fsutil.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-06-07_07.23.19 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 05:10 . 2011-06-07 06:44 41720 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-06-07 16:25 41720 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2010-12-02 16:19 . 2011-06-07 06:42 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-02 16:19 . 2011-06-07 16:23 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-12-02 16:19 . 2011-06-07 06:42 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-12-02 16:19 . 2011-06-07 16:23 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-06-07 06:42 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-06-07 16:23 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-03-27 15:32 . 2011-06-07 17:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-03-27 15:32 . 2011-06-07 07:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-03-27 15:32 . 2011-06-07 17:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-03-27 15:32 . 2011-06-07 07:09 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-03-27 16:21 . 2011-06-07 16:25 6304 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1629781980-492140922-1869571010-1000_UserData.bin
- 2011-03-27 16:21 . 2011-06-07 06:44 6304 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1629781980-492140922-1869571010-1000_UserData.bin
+ 2011-06-07 16:23 . 2011-06-07 16:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-06-07 06:42 . 2011-06-07 06:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-06-07 16:23 . 2011-06-07 16:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-06-07 06:42 . 2011-06-07 06:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-03-28 20:42 . 2011-06-07 08:23 262730 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2011-03-28 06:26 . 2011-06-07 08:12 261928 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 05:01 . 2011-06-07 10:05 305456 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2011-06-07 06:41 305456 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 02:34 . 2011-06-07 16:37 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:34 . 2011-06-07 05:19 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
- 2011-03-27 15:55 . 2011-06-07 06:41 12135472 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1629781980-492140922-1869571010-1000-8192.dat
+ 2011-03-27 15:55 . 2011-06-07 10:05 12135472 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1629781980-492140922-1869571010-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-03-27 1242448]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2010-11-09 4240760]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-05 102400]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"MGSysCtrl"="c:\program files (x86)\System Control Manager\MGSysCtrl.exe" [2010-01-08 2396160]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"Razer Orochi Driver"="c:\program files (x86)\Razer\Orochi\RazerOrochiTray.exe" [2009-10-22 2548056]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-02 35696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2010-02-09 2621440]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BTMCOM;Bluetooth Serial Port;c:\windows\System32\Drivers\btmcom.sys [x]
R3 BTMHID;BTMHID;c:\windows\system32\DRIVERS\btmhid.sys [x]
R3 BTMUSB;Motorola Bluetooth Radio Service;c:\windows\system32\Drivers\btmusb.sys [x]
R3 enecirhid;ENE CIR HID Receiver;c:\windows\system32\DRIVERS\enecirhid.sys [x]
R3 enecirhidma;ENE CIR HIDmini Filter;c:\windows\system32\DRIVERS\enecirhidma.sys [x]
R3 MGHwCtrl;MGHwCtrl;c:\program files\msi\msi Software Install\MGHwCtrl.sys [x]
R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files\Motorola\Bluetooth\obexsrv.exe [2009-12-21 637192]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
S2 Micro Star SCM;Micro Star SCM;c:\program files (x86)\System Control Manager\MSIService.exe [2009-07-09 160768]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 Bluetooth Device Manager;Bluetooth Device Manager;c:\program files\Motorola\Bluetooth\devmgrsrv.exe [2010-01-25 4154120]
S3 Bluetooth Media Service;Bluetooth Media Service;c:\program files\Motorola\Bluetooth\audiosrv.exe [2010-01-26 1029896]
S3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe [2010-01-25 245760]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [x]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-07-27 1028096]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1629781980-492140922-1869571010-1000Core.job
- c:\users\MSI\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-29 16:03]
.
2011-06-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1629781980-492140922-1869571010-1000UA.job
- c:\users\MSI\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-29 16:03]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-01-12 9642528]
"BTMTrayAgent"="c:\program files\Motorola\Bluetooth\btmshell.dll" [2010-02-13 20433160]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://msi.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\MSI\AppData\Roaming\Mozilla\Firefox\Profiles\61t3tugw.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1629781980-492140922-1869571010-1000\Software\SecuROM\License information*]
"datasecu"=hex:ab,40,b8,29,ae,79,85,d8,a8,1d,89,de,65,99,d4,e8,a4,8e,58,de,9d,
85,ea,2b,40,22,f2,70,e6,ac,cd,9e,6c,d7,90,bf,33,06,0b,78,41,54,79,cc,70,43,\
"rkeysecu"=hex:2a,84,45,84,75,02,ea,77,36,3a,16,b6,6b,fd,e6,3c
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-06-08 01:34:17
ComboFix-quarantined-files.txt 2011-06-07 17:34
ComboFix2.txt 2011-06-07 07:26
.
Pre-Run: 195,181,465,600 bytes free
Post-Run: 194,878,521,344 bytes free
.
- - End Of File - - 88488B66D65594F0D2E2B287690DAD21

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:41:49 AM, on 8/6/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16766)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Razer\Orochi\RazerOrochiTray.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msi.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Razer Orochi Driver] C:\Program Files (x86)\Razer\Orochi\RazerOrochiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agr64svc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Device Manager - Motorola, Inc. - C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe
O23 - Service: Bluetooth Media Service - Motorola, Inc. - C:\Program Files\Motorola\Bluetooth\audiosrv.exe
O23 - Service: Bluetooth OBEX Service - Motorola, Inc. - C:\Program Files\Motorola\Bluetooth\obexsrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: BrYNSvc - Brother Industries, Ltd. - C:\Program Files (x86)\Browny02\BrYNSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Micro Star SCM - Micro-Star International Co., Ltd. - C:\Program Files (x86)\System Control Manager\MSIService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 9194 bytes

johnb35 · Jun 11, 2011

OK, sorry for the late reply.

I really don't recommend doing this but in some cases, is required to do so. Please do a system restore to a few days before you got infected and then rescan your system with malwarebytes and hijackthis and post the logs. I just had to do the same thing the other day on one my of clients pc's.

therealjeremiah · Jun 11, 2011

Its alright, thanks for the help. I just got my laptop 2 months ago, never created a point to restore to though :< guess i'll just reinstall.... if i can find the win7 dvd, that is.

johnb35 · Jun 12, 2011

Windows automatically creates restore points almost on a daily basis unless you have system restore turned off.

therealjeremiah · Jun 13, 2011

oh, right. i was looking in the backup function instead. found it, restored. everything seems fine now, thanks! should i do one last hijackthis check?

johnb35 · Jun 13, 2011

Please rescan your system with malwarebytes and hijackthis and post the logs.

therealjeremiah · Jun 14, 2011

rescanned, logs are as follows :

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6848

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

14/6/2011 8:14:19 PM
mbam-log-2011-06-14 (20-14-19).txt

Scan type: Quick scan
Objects scanned: 162263
Time elapsed: 2 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:18:44 PM, on 14/6/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16766)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Razer\Orochi\RazerOrochiTray.exe
C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msi.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msi.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Razer Orochi Driver] C:\Program Files (x86)\Razer\Orochi\RazerOrochiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\MSI\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agr64svc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Device Manager - Motorola, Inc. - C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe
O23 - Service: Bluetooth Media Service - Motorola, Inc. - C:\Program Files\Motorola\Bluetooth\audiosrv.exe
O23 - Service: Bluetooth OBEX Service - Motorola, Inc. - C:\Program Files\Motorola\Bluetooth\obexsrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: BrYNSvc - Brother Industries, Ltd. - C:\Program Files (x86)\Browny02\BrYNSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Micro Star SCM - Micro-Star International Co., Ltd. - C:\Program Files (x86)\System Control Manager\MSIService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 10183 bytes

johnb35 · Jun 14, 2011

Your log looks good. Let me know if you start having issues again.

therealjeremiah · Jun 15, 2011

Ah, alright, thanks! You've been a real help, man! If I may ask though, what are all those "file missing"s at the end of the log?

johnb35 · Jun 16, 2011

It's just that you are running a 64 bit operating system and hijackthis doesn't know how to interpret some entries.

therealjeremiah · Jun 16, 2011

Oh, interesting. Well, thanks again for the help!

therealjeremiah's infection thread

therealjeremiah

New Member

johnb35

Administrator

therealjeremiah

New Member

johnb35

Administrator

therealjeremiah

New Member

johnb35

Administrator

therealjeremiah

New Member

johnb35

Administrator

therealjeremiah

New Member

johnb35

Administrator

therealjeremiah

New Member

johnb35

Administrator

therealjeremiah

New Member