SxS x86 files are risky! Any guru here agree?

February 27, 2013 at 23:44:08
Specs: Windows 7, 2.5 gig

WHY?
1. They download without warning. Maybe not on your machine, but I doubt your OS is missing Panther, Software Distribution...and other carriers/delivery mechanisms of these EVIL files :-) You shut off the machine and occasionally be surprised...you may have 100 that load quickly. You weren't told you had any Windows updates, nor approved this.
2. The very first hack I had (April 2012) was a popup with an InstallShield request to update something...it all looked legit. Next I know...it delivers 80 files of the same type called "Native Images"...these are in the same family of what I believe are basically (generalizing) REMOTE MANAGEMENT FILES. It gives them a way to control the machine. I am and always have kept MS updates current.

3. The ONLY real guru at a 'shop' who I've talked to (a few months back, after 4 reloads of XP...each lasting 10 days before I said H with it) told me "SxS x86 files have no business being in an XP installation." He no longer works there...he also said the biggest hacking issue in most machines was rampant/unrestrained Svchost operations. I only have about 10 in mine.

4. These x86 files come from many sources in Windows...Panther, Software Distribution, and then go through some file rename process consisting of 20-30 letters and numbers. My Registry cleaner is constantly saying 40 files don't exist where they should...and can't be found. I think this is due to renaming; the uninstall strings for most products are unable to be found...nor can the original file...I can see this renaming happens every few days. The CBS log shows this.

RESULTING PROBLEMS?
A. AN ANTIVIRUS PROGRAM LASTS MAYBE 4 DAYS BEFORE SOME KIND OF MALFUNCTION. I'VE USED ALL THE GOOD ONES ON NOW MY 8TH REINSTALL OF AN OS IN AS MANY MONTHS.
B. THE FIREWALL IS NEXT TO GO...THEY WON'T START...MOST GIVE A 'WE HAVE A PROBLEM' MESSAGE.
C. I can't UNINSTALL most of the AVs...and I use Revo. NONE...and I mean NONE of the regular uninstall methods work, from Windows or from the uninstall file in the program itself (in its folder).
D. Windows Update quits working...the sound goes out...can't play a video or hear a CD...

From ComboFix to 5 other rootkit programs (GMER is great but over my head)...online scanners...NOTHING ever shows a virus. MBAM...that may show one minor trojan and then NOTHING from that point forward.

Then the BIG control...the icing on the cake...they control the OS via Group Policy. GP is never on the OS...but seems to find its way in within about a week. They take my admin rights away...and numerous functions don't work or are greyed out...such as certain areas of Services. My Windows Defender (I've seen the code) has been "coded" to NOT run, and I can't get the product itself out. (I think WD was a default install with Win 7.) I've even removed some AV products in previous installations (XP)...but can't get others in because the new AV recognizes the one already in, but I can't see it anywhere. It's hidden in another account...a service account or something...I find days and days later. No permissions for me there!!

Finally, Sysinternals has a good program that will show permissions for every file in the entire machine...Reg keys included.

*** This thing is so sophisticated *** in that regard (they are set to not allow me to see anything re security, config, etc.)...I'm wondering if A) I'm not a practice dummy for the Chinese Hacking Team, or somehow I keep getting a variant of that virus found about April in Europe called 'The Flame'.

My girlfriend said she saw it on the news...back when that broke, but she read me articles and at the time it was called 'Poison Ivy'. She's in another state.

I don't go to BAD sites...and frankly 80% of computing time is on Facebook. What if we find out she is the hacker?

I sure need some advice...because I need the net to make a living. My income is down 70% since this began...and YES, I am off Facebook for good.

Final thought. AVG identified 5 or 6 of these files as Trojans/PUPs...forget which. But AVG lasted a total of 3 days, if that, before literally wilting before my very eyes. I've seen the same with Avast...and most recently watched Bitdefender count down 6..5..4..3..2..1 and disappear from the taskbar. I can't get AVG in ANY of the 8 installations I have mentioned...except for this brief 3 days on this machine.

The SxS (name of file) x86 I believe gives them the ability to get in...possibly through .NET Framework? That's a whole 'nother story...that feature needs to be locked down itself. .NET Framework has its own permissions.

I'll bet 1 in 4000 home users even understands this...MS should be...you know...

Sorry for the VERBOSE mode...hoping to get a bit of a code jockey to help, as this is NOT your average bear. I deeply appreciate your slugging through this...for the few who didn't say "ON to the next one". Lol.

Thanks




#1
February 28, 2013 at 11:52:35

The baddies are always ahead of the goodies. Be aware, this can be a very long process, involving many different tools to clean up an infected computer.
Some infections are irremovable.

1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
An introduction as to what this program does:
http://www.bleepingcomputer.com/for...
For those of you who no longer have the %Temp%\Smtmp folder, you will not be able to use Unhide to restore your Start Menu items. With this in mind, I have created some scripts to restore the default Start Menu for specific versions of Windows that I have access to. You can view the available versions below. I will be adding more as time goes on.
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run, it does take some time, be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

2: Reboot

3: Please download and run ListParts by Farbar (for 32-bit system):
http://download.bleepingcomputer.co...
Please download and run ListParts64 by Farbar (for 64-bit system):
http://download.bleepingcomputer.co...
Click on the Scan button.
The scan results will open in Notepad.
Post those contents in your next reply.



#2
February 28, 2013 at 11:58:11

If you do decide to reinstall W7, make sure when you reinstall, you delete ALL partitions & format to NTFS.

W7 - Click on > Drive options (advanced) Then highlight each partition & hit > Delete.
http://www.blackviper.com/os-instal...
http://www.blackviper.com/os-instal...

Here are some examples of why you delete all partitions.
http://forums.spybot.info/showthrea...
http://forums.whatthetech.com/index...
http://blog.eset.com/2011/10/18/tdl...
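Reply #2 recommends deleting every partition because some bootkits survive a format by living outside the Windows volume, including in a hidden partition parked in the unallocated space at the end of the disk. As an added example that is not part of this thread or any of the linked tools, the script below reads an MBR partition table the same way ListParts and diskpart summarise it (disk signature, type, active flag, start, size) and flags what a practitioner checks before trusting a disk: more or fewer than one active partition, a partition type Windows would not have created, overlapping entries, and unallocated space after the last partition. The two 512-byte MBRs are constructed in the script to mirror the two-partition layout in the ListParts log further down; `read_mbr` is the only function that touches a real disk and needs administrator rights on Windows.

```python
import struct
from typing import List, NamedTuple

SECTOR = 512
# Partition type ids a Windows-built disk normally carries (NTFS/exFAT, FAT32,
# extended containers, Windows RE, GPT protective) plus the common Linux ids.
KNOWN_TYPES = {0x05, 0x07, 0x0B, 0x0C, 0x0E, 0x0F, 0x27, 0x82, 0x83, 0xEE}


class PartEntry(NamedTuple):
    index: int      # slot 1..4 in the table
    active: bool    # 0x80 boot flag set
    type_id: int
    lba_start: int
    sectors: int


def disk_signature(mbr: bytes) -> str:
    """32-bit NT disk signature at offset 440, shown by ListParts as 'Disk ID'."""
    return "%08X" % struct.unpack_from("<I", mbr, 440)[0]


def parse_mbr(mbr: bytes) -> List[PartEntry]:
    """Decode the four 16-byte entries at offset 446; empty slots are skipped."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR")
    entries = []
    for i in range(4):
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack_from(
            "<B3BB3BII", mbr, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue
        entries.append(PartEntry(i + 1, status == 0x80, ptype, lba, count))
    return entries


def audit_mbr(mbr: bytes, disk_sectors: int, slack_limit_mb: int = 8) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    entries = parse_mbr(mbr)
    active = [e for e in entries if e.active]
    if len(active) != 1:
        findings.append("%d active partitions, expected exactly 1" % len(active))
    for e in entries:
        if e.type_id not in KNOWN_TYPES:
            findings.append("partition %d has unusual type 0x%02X" % (e.index, e.type_id))
    ordered = sorted(entries, key=lambda e: e.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_start + a.sectors:
            findings.append("partitions %d and %d overlap" % (a.index, b.index))
    last_end = max((e.lba_start + e.sectors for e in entries), default=0)
    slack_mb = (disk_sectors - last_end) * SECTOR // (1024 * 1024)
    if slack_mb >= slack_limit_mb:
        findings.append("%d MB unallocated after the last partition" % slack_mb)
    return findings


def build_mbr(parts, disk_sig=0x13FACE2A) -> bytes:
    """Constructed MBR for testing; CHS fields are 0xFF since only LBA is used."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 440, disk_sig)
    for i, (active, ptype, lba, count) in enumerate(parts):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i,
                         0x80 if active else 0x00, b"\xff\xff\xff",
                         ptype, b"\xff\xff\xff", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def read_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """First sector of a physical disk (Windows: run elevated; Linux: /dev/sda)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


# Constructed samples: a ~55.9 GB disk like the one in the ListParts log.
DISK_SECTORS = 117_210_240
# 100 MiB active System Reserved + NTFS partition filling the rest of the disk.
CLEAN_MBR = build_mbr([(True, 0x07, 2048, 204_800),
                       (False, 0x07, 206_848, 117_003_392)])
# Same layout, but the main partition is shorter, a third entry of an unknown
# type sits behind it, and 16 MiB at the end of the disk belongs to nothing.
SUSPECT_MBR = build_mbr([(True, 0x07, 2048, 204_800),
                         (False, 0x07, 206_848, 116_962_432),
                         (False, 0x99, 117_169_280, 8_192)])

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("suspect", SUSPECT_MBR)):
        print(label, disk_signature(mbr))
        for e in parse_mbr(mbr):
            print("  ", e)
        print("  findings:", audit_mbr(mbr, DISK_SECTORS) or "none")
```

On a live system replace the constructed samples with `read_mbr()` and the sector count from the disk (on Windows, `wmic diskdrive get size` divided by 512). A clean result from this check says nothing about the contents of the partitions themselves; it only tells you whether the table looks like one Windows Setup would have written.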



#3
March 2, 2013 at 12:13:02

I'm just going to assume you're talking about WinSxS, a.k.a. Windows Side-by-side assembly, Microsoft's more recent attempt to prevent DLL Hell.

1. [T]hese EVIL files
They're not evil. They aren't EVIL, either. They're a part of the DLL package your programs use. Without it, your application would refuse to run because it would be missing required executable code.

2. [I]t delivers 80 files of the same type called "Native Images"...these are in the same family of what i believe are basically (generalizing) REMOTE MANAGEMENT FILES. It gives them a way to control the machine.
They're not; those files are a part of whatever application you installed. Apparently whatever you installed either uses a lot of DLL files, or you installed the .NET runtime. What would make you believe they are anything else?

3. The ONLY real guru at a 'shop' who I've talked to . . .
Is he the "ONLY real guru" because he was the most brash and boisterous, or because he's the only one who listened?
...told me "SxS 86 files have no business being in an XP installation.
Perhaps not on a fresh install of WinXP, but they are part of the .NET runtime, which I believe MS does optionally install via Windows Update. I think it's optional and not required because it needs specific features of NTFS not found in FAT32. All versions of Windows NT since (I believe) Vista have this system in place on install, because running Windows from NTFS is required.
the biggest hacking huge issue in most machines were rampant /unrestrained Svchost operations.
He either was mistaken or misunderstood. Svchost runs your services, required for your system to operate. You can check your services from Services, found under Administrative Tools. While it's true a compromised service equates to a compromised machine, svchost itself is benign. You can check to see which svchost is running which set of services from the Command Prompt. Type tasklist /svc.

4. then go through some file rename process consisting of 20-30 letters and numbers.
The names are <type>_<internal name>_<public key token>_<version>_<language>_<some WinSxS record key>. And now you know.

RESULTING PROBLEMS?
Sounds like you have a virus. Do not attempt cleanup. Do a fresh install of Windows. If it keeps coming back after a fresh reinstall, examine what programs you're installing (especially pirated copies of programs) and look at where you're surfing that 20% of the time you're not on Facebook.

What if we find out she is the hacker?
I don't know; break up with her? What makes you think she's a hacker?

How To Ask Questions The Smart Way
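The two checks the reply above describes, as an added example that is not code from this thread or from Microsoft: splitting a WinSxS folder name into the six fields listed (architecture, name, public key token, version, language, hash) and mapping each svchost.exe PID in `tasklist /svc` output to the services it hosts. The folder names and the tasklist text are constructed samples embedded below; the public key tokens are the well-known Microsoft ones, the trailing hashes are made up.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# WinSxS folder names: <arch>_<name>_<publicKeyToken>_<version>_<language>_<hash>
# The name field never contains an underscore, so six underscore-separated
# fields with 16-hex-digit token and hash are enough to recognise an entry.
SXS_NAME_RE = re.compile(
    r"^(?P<arch>x86|amd64|msil|wow64|ia64)_"
    r"(?P<name>[^_]+)_"
    r"(?P<token>[0-9a-f]{16})_"
    r"(?P<version>\d+(?:\.\d+){3})_"
    r"(?P<lang>[^_]+)_"
    r"(?P<hash>[0-9a-f]{16})$"
)


class SxsName(NamedTuple):
    arch: str
    name: str
    token: str
    version: str
    lang: str
    hash: str


def parse_sxs_name(folder: str) -> Optional[SxsName]:
    """Fields of a WinSxS assembly folder, or None for the non-assembly
    folders (Manifests, Backup, Catalogs...) that live in the same directory."""
    m = SXS_NAME_RE.match(folder)
    return SxsName(**m.groupdict()) if m else None


def count_by_token(folders: List[str]) -> Dict[str, int]:
    """Assemblies per signer; on a healthy box nearly everything sits under
    a handful of Microsoft tokens, so a stray token is what stands out."""
    counts: Dict[str, int] = {}
    for f in folders:
        p = parse_sxs_name(f)
        if p:
            counts[p.token] = counts.get(p.token, 0) + 1
    return counts


# tasklist /svc: one row per process, long service lists wrap onto indented
# continuation lines, hence the parser keeps appending to the last row.
TASKLIST_ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")


class ProcessRow(NamedTuple):
    image: str
    pid: int
    services: List[str]


def _split_services(field: str) -> List[str]:
    field = field.strip()
    if field == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text: str) -> List[ProcessRow]:
    rows: List[ProcessRow] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace() and rows:          # wrapped service list
            rows[-1].services.extend(_split_services(line))
            continue
        m = TASKLIST_ROW_RE.match(line)
        if m:
            rows.append(ProcessRow(m["image"].strip(), int(m["pid"]),
                                   _split_services(m["svcs"])))
    return rows


def svchost_groups(rows: List[ProcessRow]) -> Dict[int, List[str]]:
    """PID -> hosted services for every svchost.exe; an instance hosting
    nothing, or a service name you cannot account for, is what to look at."""
    return {r.pid: r.services for r in rows if r.image.lower() == "svchost.exe"}


# Constructed samples (tokens are the real Microsoft ones, hashes are not).
SAMPLE_SXS = [
    "x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2",
    "x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.0.8112.16457_none_0123456789abcdef",
    "msil_system.core_b77a5c561934e089_6.1.7601.17514_none_fedcba9876543210",
    "Manifests",
]
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    600 DcomLaunch, PlugPlay, Power
svchost.exe                    688 RpcEptMapper, RpcSs
svchost.exe                    860 AudioSrv, Dhcp, eventlog, lmhosts,
                                   wscsvc
svchost.exe                    920 gpsvc
explorer.exe                  1804 N/A
"""

if __name__ == "__main__":
    for f in SAMPLE_SXS:
        print(f, "->", parse_sxs_name(f))
    print(count_by_token(SAMPLE_SXS))
    for pid, svcs in svchost_groups(parse_tasklist_svc(SAMPLE_TASKLIST)).items():
        print("svchost", pid, svcs)
```

To run it against a real machine, feed `os.listdir(r"C:\Windows\WinSxS")` to `count_by_token` and the captured output of `tasklist /svc` to `parse_tasklist_svc`; the `gpsvc` entry in the sample is the Group Policy Client service, which exists on every Windows 7 edition.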




#4
March 7, 2013 at 16:22:51

Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingcomputer.com/for...

Program started at: 03/07/2013 03:27:04 AM
Windows Version: Windows 7

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 116140 files processed.

Processing the E:\ drive
Finished processing the E:\ drive. 77 files processed.

The C:\Users\ADMINI~1.000\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
* Start_ShowMyMusic was set to 0! It was set back to 1!
* Start_TrackDocs was set to 0! It was set back to 1!

Program finished at: 03/07/2013 03:34:24 AM
Execution time: 0 hours(s), 7 minute(s), and 19 seconds(s)



#5
March 7, 2013 at 16:24:54

I hope this is working. My responses/thank yous and first log post aren't showing.

OK>>>NOW I SEE THEM. THANKS GUYS



#6
March 7, 2013 at 16:33:14

Now for the ListParts results.


#7
March 7, 2013 at 21:58:20

1. PSS...Avast just found a 'Native Image' file as a trojan. I looked it up and one of the top answers was on this board. I was having trouble posting. I went back to my email...tried to ask a question (I couldn't even log in) and the email was kicked back. It had an INFO address attached, so I tried that one. SPYBOT JUMPED UP AND WARNED that I was being spoofed! This is getting...well, a Twilight Zone episode comes to mind.

2. RE below...THE MICROSOFT MECHANISM THAT CHECKS MEMORY SAID IT WAS OK. THIS WAS SOME LONG PROCESS WHEN THE MACHINE RECOVERED FROM A SERIOUS ERROR about 3 weeks ago. IT WAS AUTOMATIC, extensive, and took 15-20 minutes. WONDERING IF THERE IS A DRIVER RELATED TO MEMORY MISSING OR NEEDING UPDATING, OR USE THE ALTERNATIVE.

I deeply appreciate your and Razor's help.

I'd just wipe it, but this has been ongoing with 3 machines, 2 OSs (XP, Win 7)...for 6 months. It's formulaic...the same thing happens every time. First goes the firewall, AV a day later, updates don't work, etc. etc., so it will happen AGAIN unless I can know the source...in the OS. Will PAY to find the real SOURCE (LoL)...a possible 'Anonymous' member.

Would you be averse to seeing a DDS log? It's far more extensive than HijackThis...the answer, or part of this, is likely in there...to someone with the expertise and knowledge.

Please advise. THANKS!


----------------------------------------------------------------------------

ListParts by Farbar Version: 06-03-2013
Ran by Administrator (administrator) on 07-03-2013 at 04:27:21
Windows 7 (X86)
Running From: C:\Users\Administrator.000\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 32%
Total physical RAM: 2550.05 MB
Available physical RAM: 1709.46 MB
Total Pagefile: 6375.05 MB
Available Pagefile: 5358.82 MB
Total Virtual: 2047.88 MB
Available Virtual: 1951.38 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:55.79 GB) (Free:28.9 GB) NTFS
3 Drive e: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.03 GB) NTFS ==>

[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 55 GB 0 B

Partitions of Disk 0:
===============

Disk ID: 13FACE2A

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 55 GB 101 MB

==============================================================================

========================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- ---------

--------
* Volume 2 E System Rese NTFS Partition 100 MB Healthy System

(partition with boot components)

==============================================================================

========================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- ---------

--------
* Volume 3 C NTFS Partition 55 GB Healthy Boot

==============================================================================

========================

Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=E:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {current}
resumeobject {deb85289-3298-11e2-898c-987622ee9934}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 30

Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {deb8528b-3298-11e2-898c-987622ee9934}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {deb85289-3298-11e2-898c-987622ee9934}
nx OptOut
bootlog No

Windows Boot Loader
-------------------
identifier {deb8528b-3298-11e2-898c-987622ee9934}
device ramdisk=[C:]\Recovery\deb8528b-3298-11e2-898c-987622ee9934\Winre.wim,{deb8528c-3298-11e2-898c-987622ee9934}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {bootloadersettings}
osdevice ramdisk=[C:]\Recovery\deb8528b-3298-11e2-898c-987622ee9934\Winre.wim,{deb8528c-3298-11e2-898c-987622ee9934}
systemroot \windows
nx OptIn
winpe Yes

Resume from Hibernate
---------------------
identifier {deb85289-3298-11e2-898c-987622ee9934}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=C:
filepath \hiberfil.sys
pae No
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=E:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes

EMS Settings
------------
identifier {emssettings}
bootems Yes

Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {badmemory}

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}

Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}
{hypervisorsettings}

Hypervisor Settings
-------------------
identifier {hypervisorsettings}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}

Device options
--------------
identifier {deb8528c-3298-11e2-898c-987622ee9934}
description Ramdisk Options
ramdisksdidevice partition=C:
ramdisksdipath \Recovery\deb8528b-3298-11e2-898c-987622ee9934\boot.sdi


****** End Of Log ******



#8
March 7, 2013 at 22:15:08

Having a whale of a time posting a screenshot...let me try this (in case it may help give you a clue).
The trojan? This machine would boot with a Group Policy message...and GP is not a PART of Win 7 Home Premium.

The GP message is not loading...since quarantine...and I'm thrilled.

_____________________________________________________________


Thanks for reading...I need the help badly. I'm being put out of business !

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457
Run by Administrator at 18:40:07 on 2013-03-07
#Option Extended Search is enabled.
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Soft4Ever\looknstop\LnsSvcVista.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\tcpsvcs.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Soft4Ever\looknstop\looknstop.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\dllhost.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Users\Administrator.000\Desktop\TCPView\Tcpview.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_6_602_171.exe
C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_11_6_602_171.exe
C:\Windows\System32\NOTEPAD.EXE
C:\Windows\System32\NOTEPAD.EXE
C:\Windows\System32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
mStart Page = about:blank
BHO: AutorunsDisabled - <orphaned>
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - c:\program files\pandasecuritytb\pandasecurityDx.dll
TB: Panda Security Toolbar: {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - c:\program files\pandasecuritytb\pandasecurityDx.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [HijackThis startup scan] c:\users\administrator.000\downloads\HijackThis.exe /startupscan
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [Panda Security URL Filtering] "c:\programdata\panda security url filtering\Panda_URL_Filtering.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Look 'n' Stop] "c:\program files\soft4ever\looknstop\looknstop.exe" -auto
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:221
mPolicies-Explorer: NoDriveTypeAutoRun = dword:28
mPolicies-Explorer: MemCheckBoxInRunDlg = dword:0
mPolicies-Explorer: EnableShellExecuteHooks = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.14.1 71.22.6.12 64.13.115.12
TCP: Interfaces\{7B3BC00F-54FE-4C67-9B73-9C43039E4F2E} : DHCPNameServer = 192.168.14.1 71.22.6.12 64.13.115.12
TCP: Interfaces\{9C19A051-FCFF-4DF9-9D81-219B915A6F19}\16474777966696 : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{9C19A051-FCFF-4DF9-9D81-219B915A6F19}\16474777966696 : DHCPNameServer = 192.168.6.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{9C19A051-FCFF-4DF9-9D81-219B915A6F19}\25572697D4F6F63756D27657563747 : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{9C19A051-FCFF-4DF9-9D81-219B915A6F19}\25572697D4F6F63756D27657563747 : DHCPNameServer = 192.168.7.254
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - <orphaned>
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>
Handler: gopher - <Clsid value has no data>
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned>
Handler: tv - <Clsid value has no data>
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\administrator.000\appdata\roaming\mozilla\firefox\profiles\hupxj7wx.default\
FF - prefs.js: browser.search.selectedEngine - blekko
FF - prefs.js: browser.startup.homepage - hxxp://pandasecurity.mystart.com/?source=5b97eeb3&tbp=homepage&toolbarid=pandasecuritytb&v=4_0&u=3B637DF763EBFB4BDCDC18512C20B921
FF - prefs.js: keyword.URL - hxxp://blekko.com/ws/?source=5b97eeb3&tbp=url&toolbarid=pandasecuritytb&u=3B637DF763EBFB4BDCDC18512C20B921&q=
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_171.dll
FF - ExtSQL: 2013-02-25 20:41; {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}; c:\users\administrator.000\appdata\roaming\mozilla\firefox\profiles\hupxj7wx.default\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
FF - ExtSQL: 2013-03-02 01:25; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
FF - ExtSQL: 2013-03-06 06:12; https-everywhere@eff.org; c:\users\administrator.000\appdata\roaming\mozilla\firefox\profiles\hupxj7wx.default\extensions\https-everywhere@eff.org
.
============= SERVICES / DRIVERS ===============
.
R? AdvancedSystemCareService;Advanced SystemCare Service
R? afw;Agnitum Firewall Driver
R? afwcore;afwcore
R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
R? BIOSCHK;BIOSCHK
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? CXLMRDOPO;CXLMRDOPO
R? DrvAgent32;DrvAgent32
R? efavdrv;efavdrv
R? esihdrv;esihdrv
R? FOR;FOR
R? HXNHX;HXNHX
R? OADevice;OADriver
R? PORTMON;PORTMON
R? QXJDIX;QXJDIX
R? RTCore32;RTCore32
R? SDUpdateService;Spybot-S&D 2 Updating Service
R? TsUsbFlt;TsUsbFlt
R? UDT;UDT
R? usbrndis6;USB RNDIS6 Adapter
R? WatAdminSvc;Windows Activation Technologies Service
S? aswFsBlk;aswFsBlk
S? aswMonFlt;aswMonFlt
S? aswRvrt;aswRvrt
S? aswSnx;aswSnx
S? aswSP;aswSP
S? aswVmm;aswVmm
S? avast! Antivirus;avast! Antivirus
S? lnsfw1;lnsfw1
S? lnssvcVista;Look 'n' Stop Service
S? netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit
S? SbieDrv;SbieDrv
S? SDScannerService;Spybot-S&D 2 Scanner Service
S? SDWSCService;Spybot-S&D 2 Security Center Service
.
=============== File Associations ===============
.
ShellExec: EXCEL.EXE: New="c:\program files\microsoft office\office14\EXCEL.EXE"
.
=============== Created Last 60 ================
.
2013-03-07 21:25:39 -------- d-----w- c:\users\administrator.000\appdata\local\Macromedia
2013-03-07 21:25:17 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-07 21:25:17 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-07 19:28:19 -------- d-----w- c:\program files\RightMark Memory Analyzer
2013-03-07 04:30:53 -------- d-----w- c:\programdata\DigiCert
2013-03-07 04:30:53 -------- d-----w- c:\program files\DigiCert
2013-03-07 03:57:50 -------- d-----w- c:\users\administrator.000\appdata\local\Vidalia
2013-03-07 03:55:43 -------- d-----w- c:\users\administrator.000\appdata\roaming\tor
2013-03-05 11:45:03 -------- d-----w- c:\windows\system32\catroot2
2013-03-04 21:47:05 -------- d-----w- c:\program files\Belarc
2013-03-04 11:52:22 -------- d-----w- C:\077a248479538910785897fa17ed373b
2013-03-03 12:35:42 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-03-03 12:35:28 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-03-03 11:31:08 -------- d-----r- C:\Sandbox
2013-03-03 11:29:09 -------- d-----w- c:\program files\Sandboxie
2013-03-03 09:51:56 -------- dc----w- c:\users\administrator.000\appdata\local\MigWiz
2013-03-02 22:56:51 -------- d-----w- c:\users\administrator.000\appdata\local\WindowsUpdate
2013-03-02 08:36:17 219136 ----a-w- c:\windows\system32\ncrypt.dll
2013-03-02 07:32:40 -------- d-----w- c:\users\administrator.000\appdata\local\Google
2013-03-02 07:25:37 163784 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-03-02 07:25:36 49320 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-03-02 07:17:23 -------- d-----w- c:\users\administrator.000\appdata\local\looknstop
2013-03-02 07:10:28 82176 ----a-w- c:\windows\system32\drivers\lnsfw1.sys
2013-03-02 07:10:28 59488 ----a-w- c:\windows\system32\drivers\lnsfw.sys
2013-03-02 07:10:28 36352 ----a-w- c:\windows\system32\fwapi.dll
2013-03-02 07:10:07 -------- d-----w- c:\program files\Soft4Ever
2013-03-02 05:49:27 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\ctor.dll
2013-03-02 05:49:27 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\DotNetInstaller.exe
2013-03-02 05:49:27 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
2013-03-02 05:49:27 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iscript.dll
2013-03-02 05:49:27 172032 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iuser.dll
2013-03-02 05:49:26 733184 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iKernel.dll
2013-03-02 05:49:23 303236 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\setup.dll
2013-03-02 05:49:23 180356 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iGdi.dll
2013-03-01 05:46:52 60728 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-03-01 05:46:50 765808 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-03-01 05:46:49 66408 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-03-01 05:46:38 41664 ----a-w- c:\windows\avastSS.scr
2013-03-01 05:46:21 -------- d-----w- c:\program files\AVAST Software
2013-03-01 03:02:47 -------- d-----w- c:\users\administrator.000\appdata\roaming\AVG
2013-03-01 03:01:34 -------- d-----w- c:\programdata\AVG
2013-02-28 22:20:08 -------- d-----w- c:\users\administrator.000\appdata\local\Apps
2013-02-28 13:53:01 -------- d-s---r- C:\RavBin
2013-02-28 13:52:09 -------- d-----w- c:\program files\RAV
2013-02-28 13:14:23 -------- d-----w- c:\users\administrator.000\appdata\local\eSupport.com
2013-02-28 10:49:04 -------- d-----w- c:\users\administrator.000\appdata\local\Secunia PSI
2013-02-28 10:48:26 -------- d-----w- c:\program files\Secunia
2013-02-28 05:04:52 -------- d-----w- c:\program files\Rising
2013-02-27 07:34:27 -------- d-----w- c:\program files\NirSoft
2013-02-27 01:00:20 -------- d-----w- c:\users\administrator.000\appdata\roaming\OnlineArmor
2013-02-27 00:58:55 -------- d-----w- c:\program files\Online Armor
2013-02-26 19:47:44 -------- d-----w- c:\users\administrator.000\appdata\local\temp
2013-02-26 19:46:32 -------- d-sh--w- C:\$RECYCLE.BIN
2013-02-26 15:57:29 -------- d-----w- c:\windows\softwaredistribution.bak
2013-02-26 08:12:13 -------- d-----w- c:\users\administrator.000\appdata\local\ElevatedDiagnostics
2013-02-26 02:42:13 -------- d-----w- c:\users\administrator.000\appdata\local\panda4_0dn
2013-02-26 02:42:11 -------- d-----w- c:\users\administrator.000\appdata\roaming\Panda Security
2013-02-26 02:41:53 -------- d-----w- c:\programdata\Panda Security URL Filtering
2013-02-26 02:41:33 -------- d-----w- c:\program files\Toolbar Cleaner
2013-02-26 02:40:57 -------- d-----w- c:\program files\pandasecuritytb
2013-02-26 02:38:53 -------- d-----w- c:\programdata\Panda Security
2013-02-26 02:38:53 -------- d-----w- c:\program files\Panda Security
2013-02-26 02:20:20 -------- d-----w- c:\users\administrator.000\appdata\local\MFAData
2013-02-26 02:20:20 -------- d-----w- c:\users\administrator.000\appdata\local\Avg2013
2013-02-26 01:19:46 -------- d-----w- c:\users\administrator.000\appdata\local\Mozilla
2013-02-25 14:36:44 -------- d-----w- c:\users\administrator.000\appdata\roaming\SUPERAntiSpyware.com
2013-02-25 12:50:52 -------- d-----w- c:\users\administrator.000\appdata\roaming\Auslogics
2013-02-25 12:17:23 852 ----a-w- C:\temp386.bat
2013-02-25 12:17:05 1259 ----a-w- C:\temp918.bat
2013-02-24 12:59:40 -------- d-----w- c:\program files\Siber Systems
2013-02-24 12:08:32 -------- d-----w- c:\programdata\MFAData
2013-02-24 00:40:34 -------- d-----w- c:\users\administrator.000\appdata\roaming\Runscanner.net
2013-02-23 11:42:23 -------- d-----w- c:\users\administrator.000\appdata\roaming\Malwarebytes
2013-02-23 11:41:32 -------- d-----w- c:\users\administrator.000\appdata\local\Programs
2013-02-23 11:14:13 256000 ----a-w- c:\windows\PEV.exe
2013-02-22 22:38:08 -------- d-sh--w- c:\windows\Installer
2013-02-22 20:00:09 -------- d-----w- C:\TRANSFER PROCESS TO NEW INSTALL
2013-02-22 12:31:56 3829760 ----a-w- c:\windows\system32\igdumd32.dll
2013-02-22 12:31:55 5702656 ----a-w- c:\windows\system32\igfxress.dll
2013-02-22 12:31:55 4808192 ----a-w- c:\windows\system32\drivers\igdkmd32.sys
2013-02-22 12:31:54 672792 ----a-w- c:\windows\system32\igfxcfg.exe
2013-02-22 12:31:54 199680 ----a-w- c:\windows\system32\igfxpph.dll
2013-02-22 12:31:54 173592 ----a-w- c:\windows\system32\hkcmd.exe
2013-02-22 12:31:54 150552 ----a-w- c:\windows\system32\igfxpers.exe
2013-02-22 12:31:54 141848 ----a-w- c:\windows\system32\igfxtray.exe
2013-02-21 08:08:52 -------- d-----w- c:\program files\Trend Micro
2013-02-20 06:23:30 -------- d-----w- c:\program files\Helge Klein
2013-02-19 07:07:51 -------- d-----w- c:\programdata\TinyWall
2013-02-19 07:07:51 -------- d-----w- c:\program files\TinyWall
2013-02-18 23:28:54 -------- d-----w- c:\program files\Safer Networking
2013-02-18 19:49:22 -------- d-----w- c:\program files\Auslogics
2013-02-18 12:05:48 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-02-16 12:04:15 -------- d-----w- c:\program files\IObit
2013-02-16 11:29:07 -------- d-----w- C:\Microsoft
2013-02-14 07:44:55 -------- d-----w- c:\program files\CCleaner
2013-02-13 04:20:46 828 ----a-w- C:\temp260.bat
2013-02-13 04:12:42 1152 ----a-w- C:\temp23.bat
2013-02-13 01:50:34 6812136 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{61b08379-a0aa-4d2c-812c-36e0b94b30c9}\mpengine.dll
2013-02-09 00:05:02 64392 ----a-w- c:\windows\system32\drivers\PROCMON23.SYS
2013-02-05 05:40:51 -------- d-----w- c:\program files\NirSoft Utilities
2013-02-05 05:33:31 -------- d-----w- c:\program files\Sysinternals Suite
2013-02-05 02:30:23 20104 ----a-w- c:\windows\system32\drivers\Dbgv.sys
2013-01-31 09:13:22 -------- d-----w- c:\program files\VideoLAN
2013-01-31 04:47:18 -------- d---a-w- c:\program files\Privacyware
2013-01-30 10:31:06 131344 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2013-01-29 10:46:28 -------- d-----w- c:\programdata\AVAST Software
2013-01-29 08:36:03 -------- d-----w- c:\program files\FreeFixer
2013-01-28 23:12:46 83096 ----a-w- c:\windows\system32\SSSensor.dll
2013-01-28 07:58:03 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2013-01-26 22:33:29 74703 ----a-w- c:\windows\system32\mfc45.dll
2013-01-26 22:33:20 -------- d-----w- c:\programdata\iolo
2013-01-26 21:32:30 -------- d-----w- c:\program files\DLLSuite
2013-01-22 21:56:38 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-01-22 21:54:45 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2013-01-21 03:59:11 -------- d-----w- C:\sa130d0v190
2013-01-15 05:49:22 -------- d-----w- C:\Softwrap
2013-01-15 05:49:22 -------- d-----w- C:\Fonts
2013-01-15 05:49:22 -------- d-----w- C:\Config
2013-01-14 20:11:12 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2013-01-14 02:35:47 -------- d-----w- c:\users\administrator.000\Pavark
2013-01-10 06:55:42 94208 ----a-w- c:\windows\system32\vbalIml6.ocx
2013-01-10 06:55:42 65536 ----a-w- c:\windows\system32\vbalProgBar6.ocx
2013-01-10 06:55:42 53248 ----a-w- c:\windows\system32\SSubTmr6.dll
2013-01-10 06:55:42 262144 ----a-w- c:\windows\system32\vbaListView6.ocx
2013-01-10 06:55:42 200704 ----a-w- c:\windows\system32\vbalExpBar6.ocx
2013-01-10 06:55:41 61440 ----a-w- c:\windows\system32\mkcHyperlink.ocx
2013-01-10 06:55:38 -------- d-----w- c:\program files\Registry Smoker
2013-01-10 06:20:00 89600 ----a-w- c:\windows\system32\GRID32.OCX
2013-01-10 06:20:00 205824 ----a-w- c:\windows\system32\CRESIZE5.OCX
2013-01-10 06:19:59 608448 ----a-w- c:\windows\system32\COMCTL32.OCX
2013-01-10 06:19:59 570128 ----a-w- c:\program files\common files\microsoft shared\dao\DAO350.dll
2013-01-10 06:19:59 24848 ----a-w- c:\windows\system32\MSJtEr35.dll
2013-01-10 06:19:59 143872 ----a-w- c:\windows\system32\unzip32.dll
2013-01-10 06:19:59 123664 ----a-w- c:\windows\system32\MSJInt35.dll
2013-01-10 06:19:59 115920 ----a-w- c:\windows\system32\MSINET.OCX
2013-01-07 05:15:15 -------- d-----w- c:\windows\system32\%LOCALAPPDATA%
.
==================== Find6M ====================
.
2013-02-24 23:09:39 14088 ----a-w- c:\windows\system32\drivers\PROCEXP141.SYS
2013-02-22 06:41:27 2853 ----a-w- c:\windows\_default.pif
2013-02-08 16:03:30 173832 ----a-w- c:\windows\system32\sqlitewrapper.dll
2013-01-04 02:43:35 3584 ----a-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-01-04 02:43:34 6144 ----a-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-01-04 02:43:34 4608 ----a-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-01-04 02:43:34 3072 ----a-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-01-04 02:24:29 2 --shatr- c:\windows\winstart.bat
2013-01-03 04:52:47 2853 ----a-w- c:\windows\system32\dosx.PIF
2012-12-14 04:52:00 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-12-10 09:09:21 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-12-10 09:09:21 1060864 ----a-w- c:\windows\system32\mfc71.dll
2012-12-08 08:38:37 66048 ----a-w- c:\windows\system32\icardie(2307).dll
2012-12-08 08:38:37 35840 ----a-w- c:\windows\system32\imgutil(2322).dll
2012-12-08 08:38:37 353584 ----a-w- c:\windows\system32\iedkcs32(2315).dll
2012-12-08 08:38:37 203776 ----a-w- c:\windows\system32\webcheck(2419).dll
2012-12-08 08:38:37 162304 ----a-w- c:\windows\system32\msrating(2375).dll
2012-12-08 08:38:37 161792 ----a-w- c:\windows\system32\msls31(2364).dll
2012-12-08 08:38:37 150528 ----a-w- c:\windows\system32\iexpress(2317).exe
2012-12-08 08:38:37 118784 ----a-w- c:\windows\system32\iepeers(2316).dll
2012-12-08 08:38:37 110592 ----a-w- c:\windows\system32\IEAdvpack(2314).dll
2012-12-08 08:36:01 801792 ----a-w- c:\windows\system32\FntCache.dll
2012-12-08 08:36:01 801792 ----a-w- c:\windows\system32\FntCache(2291).dll
2012-12-08 08:36:01 3181568 ----a-w- c:\windows\system32\mf.dll
2012-12-08 08:36:01 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2012-12-08 08:36:01 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2012-12-08 08:36:01 1495040 ----a-w- c:\windows\system32\ExplorerFrame.dll
2012-12-08 08:36:01 1495040 ----a-w- c:\windows\system32\ExplorerFrame(2272).dll
2012-12-08 08:36:01 135168 ----a-w- c:\windows\system32\XpsRasterService.dll
2012-11-20 00:06:02 505128 ----a-w- c:\windows\system32\msvcp71.dll
2012-11-20 00:06:02 353576 ----a-w- c:\windows\system32\msvcr71.dll
2012-11-08 17:29:12 1402312 ----a-w- c:\windows\system32\msxml4.dll
2012-10-18 17:57:28 2344960 ----a-w- c:\windows\system32\win32k.sys
2012-10-16 20:34:37 559104 ----a-w- c:\windows\apppatch\AcLayers.dll
2012-10-16 18:13:14 62664 ----a-w- c:\windows\system32\driverctrl.exe
2012-10-08 07:42:31 607744 ----a-w- c:\windows\system32\msfeeds(2361).dll
2012-09-28 16:32:56 5989776 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-09-28 16:32:56 44544 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-09-25 21:55:17 78336 ----a-w- c:\windows\system32\synceng.dll
2012-09-14 18:30:38 2048 ----a-w- c:\windows\system32\tzres.dll
2012-09-14 18:30:38 2048 ----a-w- c:\windows\system32\tzres(2411).dll
.
============= FINISH: 18:41:12.13 ===============



#9
March 7, 2013 at 22:23:42

what is THIS???
c:\windows\system32\wpdshserviceobj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
---------------------------------------------

I did a Spybot scan and it had my host list as 127.0.0.1, then showed about 50 domain addresses as a part of the analysis.
??????

No joke



#10
March 7, 2013 at 22:25:25

Re my post #1.

I am still waiting on the ListParts details.



#11
March 8, 2013 at 18:04:35

ListParts by Farbar Version: 06-03-2013
Ran by Administrator (administrator) on 07-03-2013 at 04:27:21
Windows 7 (X86)
Running From: C:\Users\Administrator.000\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 32%
Total physical RAM: 2550.05 MB
Available physical RAM: 1709.46 MB
Total Pagefile: 6375.05 MB
Available Pagefile: 5358.82 MB
Total Virtual: 2047.88 MB
Available Virtual: 1951.38 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:55.79 GB) (Free:28.9 GB) NTFS
3 Drive e: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.03 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 55 GB 0 B

Partitions of Disk 0:
===============

Disk ID: 13FACE2A

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 55 GB 101 MB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E System Rese NTFS Partition 100 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 55 GB Healthy Boot

======================================================================================================

Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=E:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {current}
resumeobject {deb85289-3298-11e2-898c-987622ee9934}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 30

Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {deb8528b-3298-11e2-898c-987622ee9934}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {deb85289-3298-11e2-898c-987622ee9934}
nx OptOut
bootlog No

Windows Boot Loader
-------------------
identifier {deb8528b-3298-11e2-898c-987622ee9934}
device ramdisk=[C:]\Recovery\deb8528b-3298-11e2-898c-987622ee9934\Winre.wim,{deb8528c-3298-11e2-898c-987622ee9934}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {bootloadersettings}
osdevice ramdisk=[C:]\Recovery\deb8528b-3298-11e2-898c-987622ee9934\Winre.wim,{deb8528c-3298-11e2-898c-987622ee9934}
systemroot \windows
nx OptIn
winpe Yes

Resume from Hibernate
---------------------
identifier {deb85289-3298-11e2-898c-987622ee9934}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=C:
filepath \hiberfil.sys
pae No
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=E:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes

EMS Settings
------------
identifier {emssettings}
bootems Yes

Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {badmemory}

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}

Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}
{hypervisorsettings}

Hypervisor Settings
-------------------
identifier {hypervisorsettings}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}

Device options
--------------
identifier {deb8528c-3298-11e2-898c-987622ee9934}
description Ramdisk Options
ramdisksdidevice partition=C:
ramdisksdipath \Recovery\deb8528b-3298-11e2-898c-987622ee9934\boot.sdi


****** End Of Log ******

PLEASE NOTICE MY COMMENTS ABOVE...THIS LIST WAS POSTED BELOW RE THE OS CHECK OF THE MEMORY....

BUT I DON'T DISPUTE THE findings...but memory is the least of my problems...(I was doing a backup possibly near the same time when this was run...I had to do something as there was some space issue...and memory was mentioned. I deleted the restore points and all was fine...only memory comment I've had from the OS.)



#12
March 8, 2013 at 19:31:35

Run ESET Online Scanner, Copy & Paste the contents of the log please. This scan may take a very long while, so please be patient. Start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
You may have to download ESET from a good computer, put it on a thumb drive & run it from there, if your comp is unbootable, or won't let you download.
Create an ESET SysRescue CD or USB drive
http://kb.eset.com/esetkb/index?pag...
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
http://kb.eset.com/esetkb/index?pag...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the desktop.
If no threats are found, you will simply see an information window that no threats were found.
http://www.trishtech.com/security/s...


#13
March 9, 2013 at 14:24:13

I apologize for my 'newbie' status...the only way I can even log in to this site...is from the link sent to my email. I believe I have this all down now. Thank you
---------------------------------RESULT PAGE

ListParts by Farbar Version: 08-03-2013
Ran by Administrator (administrator) on 09-03-2013 at 16:18:36
Windows 7 (X86)
Running From: C:\Users\Administrator.000\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 45%
Total physical RAM: 2550.05 MB
Available physical RAM: 1395.32 MB
Total Pagefile: 6375.05 MB
Available Pagefile: 4937.67 MB
Total Virtual: 2047.88 MB
Available Virtual: 1951.37 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:55.79 GB) (Free:27.4 GB) NTFS
2 Drive d: (Mar 05 2013) (CDROM) (Total:0.56 GB) (Free:0.18 GB) UDF
3 Drive e: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.03 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 55 GB 0 B

Partitions of Disk 0:
===============

Disk ID: 13FACE2A

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 55 GB 101 MB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E System Rese NTFS Partition 100 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 55 GB Healthy Boot

======================================================================================================

Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=E:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {current}
resumeobject {deb85289-3298-11e2-898c-987622ee9934}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 30

Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {deb8528b-3298-11e2-898c-987622ee9934}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {deb85289-3298-11e2-898c-987622ee9934}
nx OptOut
bootlog No

Windows Boot Loader
-------------------
identifier {deb8528b-3298-11e2-898c-987622ee9934}
device ramdisk=[C:]\Recovery\deb8528b-3298-11e2-898c-987622ee9934\Winre.wim,{deb8528c-3298-11e2-898c-987622ee9934}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {bootloadersettings}
osdevice ramdisk=[C:]\Recovery\deb8528b-3298-11e2-898c-987622ee9934\Winre.wim,{deb8528c-3298-11e2-898c-987622ee9934}
systemroot \windows
nx OptIn
winpe Yes

Resume from Hibernate
---------------------
identifier {deb85289-3298-11e2-898c-987622ee9934}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=C:
filepath \hiberfil.sys
pae No
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=E:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes

EMS Settings
------------
identifier {emssettings}
bootems Yes

Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {badmemory}

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}

Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}
{hypervisorsettings}

Hypervisor Settings
-------------------
identifier {hypervisorsettings}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}

Device options
--------------
identifier {deb8528c-3298-11e2-898c-987622ee9934}
description Ramdisk Options
ramdisksdidevice partition=C:
ramdisksdipath \Recovery\deb8528b-3298-11e2-898c-987622ee9934\boot.sdi


****** End Of Log ******



#14
March 9, 2013 at 19:20:37

HitmanPro 3.7.2.190
www.hitmanpro.com

Computer name . . . . : WIN7-PC
Windows . . . . . . . : 6.1.0.7600.X86/1
User name . . . . . . : win7-PC\Administrator
UAC . . . . . . . . . : Disabled
License . . . . . . . : Free

Scan date . . . . . . : 2013-03-09 20:20:36
Scan mode . . . . . . : Normal
Scan duration . . . . : 3m 20s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 0
Traces . . . . . . . : 22

Objects scanned . . . : 956,823
Files scanned . . . . : 10,763
Remnants scanned . . : 233,176 files / 712,884 keys

Suspicious files ____________________________________________________________

C:\Users\Administrator.000\Downloads\uninstall_flash_player.exe
Size . . . . . . . : 699,912 bytes
Age . . . . . . . : 15.2 days (2013-02-22 14:43:13)
Entropy . . . . . : 7.8
SHA-256 . . . . . : 49C183B4EECAFCB977D17DAF3FC1D79155C552EEE2F7835C614A7B9A6A67C9C5
Product . . . . . : Adobe® Flash® Player Installer/Uninstaller
Publisher . . . . : Adobe Systems Incorporated
Description . . . : Adobe® Flash® Player Installer/Uninstaller 11.5 r502
Version . . . . . : 11,5,502,146
Copyright . . . . : Copyright © 1996 Adobe Systems Incorporated
RSA Key Size . . . : 2048
Authenticode . . . : Invalid
Fuzzy . . . . . . : 29.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.

C:\Windows\system32\FlashPlayerApp.exe
Size . . . . . . . : 691,568 bytes
Age . . . . . . . : 2.2 days (2013-03-07 15:25:17)
Entropy . . . . . : 6.7
SHA-256 . . . . . : 709D2AD37A0A88CA78DB3BB1181279AC62A0C767251B0630608941173F098650
Product . . . . . : Adobe Flash Player Control Panel Applet
Publisher . . . . : Adobe Systems Incorporated
Description . . . : Adobe Flash Player Control Panel Applet
Version . . . . . : 11,6,602,171
Copyright . . . . : Copyright © 1996 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
RSA Key Size . . . : 2048
Authenticode . . . : Invalid
Fuzzy . . . . . . : 24.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Time indicates that the file appeared recently on this computer.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
Forensic Cluster
-0.9s C:\Windows\System32\Macromed\Flash\NPSWF32_11_6_602_171.dll
-0.7s C:\Windows\System32\Macromed\Flash\FlashUtil32_11_6_602_171_Plugin.exe
-0.4s C:\Windows\System32\Macromed\Flash\plugin.vch
-0.4s C:\Windows\System32\Macromed\Flash\flashplayer.xpt
-0.1s C:\Windows\system32\FlashPlayerCPLApp.cpl
-0.1s C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_171.exe
0.0s C:\Windows\system32\FlashPlayerApp.exe
0.1s C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe

C:\Windows\system32\FlashPlayerCPLApp.cpl
Size . . . . . . . : 71,024 bytes
Age . . . . . . . : 2.2 days (2013-03-07 15:25:17)
Entropy . . . . . : 6.1
SHA-256 . . . . . : 723E71B54A04DC1E07A15EA39A1DE61F0148E390B7F7A1BE22DE0BF5BF743F8E
Product . . . . . : Adobe Flash Player Control Panel Applet
Publisher . . . . : Adobe Systems Incorporated
Description . . . : Adobe Flash Player Control Panel Applet
Version . . . . . : 11,6,602,171
Copyright . . . . : Copyright © 1996 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
RSA Key Size . . . : 2048
Authenticode . . . : Invalid
Fuzzy . . . . . . : 24.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Time indicates that the file appeared recently on this computer.
The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
Forensic Cluster
-0.9s C:\Windows\System32\Macromed\Flash\NPSWF32_11_6_602_171.dll
-0.7s C:\Windows\System32\Macromed\Flash\FlashUtil32_11_6_602_171_Plugin.exe
-0.3s C:\Windows\System32\Macromed\Flash\plugin.vch
-0.3s C:\Windows\System32\Macromed\Flash\flashplayer.xpt
0.0s C:\Windows\system32\FlashPlayerCPLApp.cpl
0.0s C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_171.exe
0.1s C:\Windows\system32\FlashPlayerApp.exe
0.2s C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe

C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_171.exe
Size . . . . . . . : 1,820,016 bytes
Age . . . . . . . : 2.2 days (2013-03-07 15:25:17)
Entropy . . . . . : 6.7
SHA-256 . . . . . : AC67AB17293A0EE054AF35687BE5CE19ACFEA54DFB543072742FB9382AAF9E5F
Product . . . . . : Shockwave Flash
Publisher . . . . : Adobe Systems, Inc.
Description . . . : Adobe Flash Player 11.6 r602
Version . . . . . : 11,6,602,171
Copyright . . . . : Adobe® Flash® Player. Copyright © 1996 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
RSA Key Size . . . : 2048
Parent Name . . . : C:\Program Files\Mozilla Firefox\plugin-container.exe
Authenticode . . . : Invalid
Running processes : 3924, 2768
Fuzzy . . . . . . : 28.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Program is running but currently exposes no human-computer interface (GUI).
Time indicates that the file appeared recently on this computer.
The file is in use by one or more active processes.
Forensic Cluster
-0.9s C:\Windows\System32\Macromed\Flash\NPSWF32_11_6_602_171.dll
-0.7s C:\Windows\System32\Macromed\Flash\FlashUtil32_11_6_602_171_Plugin.exe
-0.3s C:\Windows\System32\Macromed\Flash\plugin.vch
-0.3s C:\Windows\System32\Macromed\Flash\flashplayer.xpt
0.0s C:\Windows\system32\FlashPlayerCPLApp.cpl
0.0s C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_171.exe
0.1s C:\Windows\system32\FlashPlayerApp.exe
0.2s C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe

C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe
Size . . . . . . . : 251,248 bytes
Age . . . . . . . : 2.2 days (2013-03-07 15:25:17)
Entropy . . . . . : 6.5
SHA-256 . . . . . : 9EE0D305060C670F0CB93678E4529DC6C43DED2C55B4DB5F2863A02EBCA184CB
Product . . . . . : Adobe® Flash® Player Update Service
Publisher . . . . : Adobe Systems Incorporated
Description . . . : Adobe® Flash® Player Update Service 11.6 r602
Version . . . . . : 11,6,602,171
Copyright . . . . : Copyright © 1996 Adobe Systems Incorporated
RSA Key Size . . . : 2048
Authenticode . . . : Invalid
Fuzzy . . . . . . : 22.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Time indicates that the file appeared recently on this computer.

C:\Windows\System32\Macromed\Flash\FlashUtil32_11_6_602_171_Plugin.exe
Size . . . . . . . : 701,808 bytes
Age . . . . . . . : 2.2 days (2013-03-07 15:25:17)
Entropy . . . . . : 7.8
SHA-256 . . . . . : 3BCC443C8FEEF7C764399E1A0BCD07027175A88168868467FEF7BFF7DBE2377B
Product . . . . . : Adobe® Flash® Player Installer/Uninstaller
Publisher . . . . : Adobe Systems Incorporated
Description . . . : Adobe® Flash® Player Installer/Uninstaller 11.6 r602
Version . . . . . : 11,6,602,171
Copyright . . . . : Copyright © 1996 Adobe Systems Incorporated
RSA Key Size . . . : 2048
Authenticode . . . : Invalid
Fuzzy . . . . . . : 32.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.

C:\Windows\System32\Macromed\Flash\NPSWF32_11_6_602_171.dll
Size . . . . . . . : 14,718,320 bytes
Age . . . . . . . : 2.2 days (2013-03-07 15:25:16)
Entropy . . . . . : 7.1
SHA-256 . . . . . : B73EC297EFB758F993F4B77E65E90141D67CCEC526E37EA3E4D232C68A04DED1
RSA Key Size . . . : 2048
Authenticode . . . : Invalid
Fuzzy . . . . . . : 39.0
Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
Program is running but currently exposes no human-computer interface (GUI).
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Program starts automatically without user intervention.
Time indicates that the file appeared recently on this computer.
The file is in use by one or more active processes.
Startup
HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer\
References
C:\Windows\system32\Macromed\Flash\flashplayer.xpt
Forensic Cluster
0.0s C:\Windows\System32\Macromed\Flash\NPSWF32_11_6_602_171.dll
0.2s C:\Windows\System32\Macromed\Flash\FlashUtil32_11_6_602_171_Plugin.exe
0.5s C:\Windows\System32\Macromed\Flash\plugin.vch
0.6s C:\Windows\System32\Macromed\Flash\flashplayer.xpt
0.9s C:\Windows\system32\FlashPlayerCPLApp.cpl
0.9s C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_171.exe
0.9s C:\Windows\system32\FlashPlayerApp.exe
1.0s C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe


Cookies _____________________________________________________________________

C:\Users\Administrator.000\AppData\Roaming\Mozilla\Firefox\Profiles\h4v04yec.default\cookies.sqlite:ads.p161.net
C:\Users\Administrator.000\AppData\Roaming\Mozilla\Firefox\Profiles\h4v04yec.default\cookies.sqlite:at.atwola.com
C:\Users\Administrator.000\AppData\Roaming\Mozilla\Firefox\Profiles\h4v04yec.default\cookies.sqlite:collective-media.net
C:\Users\Administrator.000\AppData\Roaming\Mozilla\Firefox\Profiles\h4v04yec.default\cookies.sqlite:invitemedia.com
C:\Users\Administrator.000\AppData\Roaming\Mozilla\Firefox\Profiles\h4v04yec.default\cookies.sqlite:kontera.com
C:\Users\Administrator.000\AppData\Roaming\Mozilla\Firefox\Profiles\h4v04yec.default\cookies.sqlite:media6degrees.com
C:\Users\Administrator.000\AppData\Roaming\Mozilla\Firefox\Profiles\h4v04yec.default\cookies.sqlite:questionmarket.com
C:\Users\Administrator.000\AppData\Roaming\Mozilla\Firefox\Profiles\h4v04yec.default\cookies.sqlite:ru4.com
C:\Users\Administrator.000\AppData\Roaming\Mozilla\Firefox\Profiles\h4v04yec.default\cookies.sqlite:xiti.com



#15
March 9, 2013 at 19:42:35

RogueKiller V8.5.2 [Mar 9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 03/09/2013 21:38:35
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[Microsoft][HJNAME] notepad.exe -- C:\Windows\System32\notepad.exe [7] -> KILLED [TermProc]
[SUSP PATH] Tcpview.exe -- C:\Users\Administrator.000\Desktop\TCPView\Tcpview.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][Tst.HjT] HKCU\[...]\Run : HijackThis startup scan (C:\Users\Administrator.000\Downloads\HijackThis.exe /startupscan) [-] -> FOUND
[RUN][Tst.HjT] HKUS\S-1-5-21-3769438369-2632674587-593466790-500[...]\Run : HijackThis startup scan (C:\Users\Administrator.000\Downloads\HijackThis.exe /startupscan) [-] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
_INLINE_ : NtTraceEvent -> HOOKED (Unknown @ 0x80751C00)

¤¤¤ Infection : Tst.HjT ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Disk drive +++++
--- User ---
[MBR] e61ad200f3aa4540e5775a33b5d4ddc2
[BSP] b5a323188b24eedb45e970e8bda54dbb : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 57129 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_03092013_02d2138.txt >>
RKreport[1]_S_03092013_02d2138.txt



#16
March 9, 2013 at 20:25:16

Run ComboFix & post the contents of the log please.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.techsupportforum.com/sec...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.


#17
March 10, 2013 at 21:00:06

JOHN W,
THE COMBOFIX LOG IS BELOW THIS TEXT. THESE WERE A FEW I WANTED TO HIGHLIGHT...SO I COPIED TO TOP IN CASE THEY JUMPED OUT TO YOU AS AREAS TO ADDRESS.

AAAA)
1. DEREGISTERED SERVICES/DRIVERS ...IS THIS ABNORMAL?...A WAY TO 'ESCAPE DETECTION'
(SO TO SPEAK)
2 SAME--ESPECIALLY THE GPSvcGROUP...GROUP POLICY..WHICH DOES NOT COME WITH MY OS
3. PLEASE ADVISE....

BBBBB) LOCKED REG KEYS....ANTIVIRUS PROGRAMS CANNOT SCAN THESE..OR ONES ENDING IN A
WILDCARD (\ *)
SHOULD I REMOVE THE WILDCARD SYMBOL AS THESE SHOULD BE SCANNED, MY OBVIOUS PREFERENCE
4. THE DELETIONS WERE A HASH FILE PROGRAM I RAN LAST NIGHT...GIVING GREAT INSIGHT...
SHOWED EVERY FOLDER OR FILE THAT WAS INACCESSIBLE / NOT PERMITTED TO SEE.

--- Other Services/Drivers In Memory ---
.
AAAA) *Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
GPSvcGroup REG_MULTI_SZ GPSvc

BBBBB)--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,3b,1b,25,b5,e6,
ab,1f,59,35,0c,a5,2f,09,f3,02,cb,44,e1
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,3b,1b,f1,07,41,
35,c8,0c,09,03,b7,ae,84,e9,65,6b,04,8f
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:40,89,47,83,c6,10,ce,01
.
[HKEY_USERS\S-1-5-21-3769438369-2632674587-593466790-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,3b,1b,f1,07,41,
35,c8,0c,09,03,b7,ae,84,e9,65,6b,04,8f
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,3b,1b,72,64,65,
4c,4a,38,3f,68,39,49,6b,2d,7b,07,0e,51
"{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}"=hex:51,66,7a,6c,4c,1d,3b,1b,44,3b,4b,
91,13,fa,d3,0d,b3,20,9a,3f,02,cc,cb,18
-------------------------------------------------------------------------------------------------

ComboFix 13-03-10.02 - Administrator 03/10/2013 19:24:11.5.1 - x86
Running from: c:\users\Administrator.000\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\msocache\TestFiles.exe
c:\users\Administrator.000\Favorites\TestFiles.exe
c:\users\Administrator.000\videos\TestFiles.exe
c:\windows\apppatch\TestFiles.exe
c:\windows\Fonts\TestFiles.exe
c:\windows\Minidump\TestFiles.exe
c:\windows\Tasks\TestFiles.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-02-11 to 2013-03-11 )))))))))))))))))))))))))))))))
.
.
2013-03-11 00:36 . 2013-03-11 00:36 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-03-11 00:36 . 2013-03-11 00:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-10 07:38 . 2009-02-20 19:06 372928 ----a-w- c:\windows\system\TestFiles.exe
2013-03-10 07:04 . 2009-02-20 19:06 372928 ----a-w- c:\users\Public\TestFiles.exe
2013-03-10 07:04 . 2009-02-20 19:06 372928 ----a-w- c:\users\Default\TestFiles.exe
2013-03-10 06:49 . 2009-02-20 19:06 372928 ----a-w- c:\program files\TestFiles.exe
2013-03-10 05:48 . 2009-02-20 19:06 372928 ----a-w- c:\windows\TestFiles.exe
2013-03-10 05:31 . 2009-02-20 19:06 372928 ----a-w- c:\users\TestFiles.exe
2013-03-10 05:26 . 2009-02-20 19:06 372928 ----a-w- c:\programdata\TestFiles.exe
2013-03-10 05:25 . 2009-02-20 19:06 372928 ----a-w- c:\program files\Windows Sidebar\TestFiles.exe
2013-03-10 05:25 . 2009-02-20 19:06 372928 ----a-w- c:\program files\Windows Portable Devices\TestFiles.exe
2013-03-10 05:25 . 2009-02-20 19:06 372928 ----a-w- c:\program files\Windows NT\TestFiles.exe
2013-03-10 05:25 . 2009-02-20 19:06 372928 ----a-w- c:\program files\Windows Media Player\TestFiles.exe
2013-03-10 05:24 . 2009-02-20 19:06 372928 ----a-w- c:\program files\Windows Mail\TestFiles.exe
2013-03-10 05:24 . 2009-02-20 19:06 372928 ----a-w- c:\program files\Windows Defender\TestFiles.exe
2013-03-10 05:24 . 2009-02-20 19:06 372928 ----a-w- c:\program files\Uninstall Information\TestFiles.exe
2013-03-10 05:21 . 2009-02-20 19:06 372928 ----a-w- c:\program files\MSBuild\TestFiles.exe
2013-03-10 05:15 . 2009-02-20 19:06 372928 ----a-w- c:\program files\Internet Explorer\TestFiles.exe
2013-03-10 04:45 . 2009-02-20 19:06 372928 ----a-w- c:\windows\system32\TestFiles.exe
2013-03-10 04:37 . 2013-03-10 04:37 -------- d-----w- c:\program files\ExactFile
2013-03-10 02:18 . 2013-03-10 02:19 -------- d-----w- c:\program files\HitmanPro
2013-03-10 02:17 . 2013-03-10 02:29 -------- d-----w- c:\programdata\HitmanPro
2013-03-09 19:12 . 2013-03-09 19:12 -------- d-----w- c:\program files\NoVirusThanks
2013-03-09 00:56 . 2013-03-09 00:56 -------- d-----w- c:\program files\Mozilla Maintenance Service
2013-03-07 21:25 . 2013-03-07 21:25 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-07 21:25 . 2013-03-07 21:25 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-07 19:28 . 2013-03-07 19:40 -------- d-----w- c:\program files\RightMark Memory Analyzer
2013-03-07 04:30 . 2013-03-07 04:30 -------- d-----w- c:\programdata\DigiCert
2013-03-07 04:30 . 2013-03-07 04:30 -------- d-----w- c:\program files\DigiCert
2013-03-05 11:45 . 2013-03-07 20:21 -------- d-----w- c:\windows\system32\catroot2
2013-03-04 21:47 . 2013-03-04 21:47 -------- d-----w- c:\program files\Belarc
2013-03-04 11:52 . 2013-03-10 06:47 -------- d-----w- C:\077a248479538910785897fa17ed373b
2013-03-03 12:35 . 2009-01-25 18:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-03-03 12:35 . 2013-03-10 05:23 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-03-03 11:31 . 2013-03-10 06:56 -------- d-----r- C:\Sandbox
2013-03-03 11:29 . 2013-03-10 05:22 -------- d-----w- c:\program files\Sandboxie
2013-03-02 08:36 . 2012-11-20 05:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
2013-03-02 07:32 . 2013-03-02 07:32 -------- d-----w- c:\program files\Google
2013-03-02 07:25 . 2013-03-06 23:33 164736 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-03-02 07:25 . 2013-03-06 23:33 49248 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-03-02 07:10 . 2013-03-02 07:10 82176 ----a-w- c:\windows\system32\drivers\lnsfw1.sys
2013-03-02 07:10 . 2013-03-02 07:10 59488 ----a-w- c:\windows\system32\drivers\lnsfw.sys
2013-03-02 07:10 . 2013-03-02 07:10 36352 ----a-w- c:\windows\system32\fwapi.dll
2013-03-02 07:10 . 2013-03-10 05:23 -------- d-----w- c:\program files\Soft4Ever
2013-03-02 05:50 . 2013-03-02 05:50 -------- d-----w- c:\program files\InstallShield Installation Information
2013-03-02 05:49 . 2013-03-02 05:49 -------- d-----w- c:\program files\Common Files\InstallShield
2013-03-01 05:47 . 2013-03-06 23:33 368176 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-03-01 05:47 . 2013-03-06 23:33 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-03-01 05:46 . 2013-03-06 23:33 60656 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-03-01 05:46 . 2013-03-06 23:33 62376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-03-01 05:46 . 2013-03-06 23:33 765736 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-03-01 05:46 . 2013-03-06 23:33 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-03-01 05:46 . 2013-03-06 23:32 41664 ----a-w- c:\windows\avastSS.scr
2013-03-01 05:46 . 2013-03-06 23:32 228600 ----a-w- c:\windows\system32\aswBoot.exe
2013-03-01 05:46 . 2013-03-10 05:14 -------- d-----w- c:\program files\AVAST Software
2013-03-01 03:01 . 2013-03-03 05:02 -------- d-----w- c:\programdata\AVG
2013-02-28 13:53 . 2013-03-10 06:55 -------- d-----r- C:\RavBin
2013-02-28 13:52 . 2013-03-01 03:35 -------- d-----w- c:\program files\RAV
2013-02-28 10:48 . 2013-02-28 10:48 -------- d-----w- c:\program files\Secunia
2013-02-28 05:04 . 2013-03-02 07:49 -------- d-----w- c:\program files\Rising
2013-02-27 07:34 . 2013-02-27 07:34 -------- d-----w- c:\program files\NirSoft
2013-02-27 00:58 . 2013-03-10 05:22 -------- d-----w- c:\program files\Online Armor
2013-02-26 15:57 . 2013-02-27 01:01 -------- d-----w- c:\windows\softwaredistribution.bak
2013-02-26 02:41 . 2013-02-26 02:42 -------- d-----w- c:\programdata\Panda Security URL Filtering
2013-02-26 02:41 . 2013-02-26 02:41 -------- d-----w- c:\program files\Toolbar Cleaner
2013-02-26 02:40 . 2013-02-26 02:42 -------- d-----w- c:\program files\pandasecuritytb
2013-02-26 02:38 . 2013-02-26 02:38 -------- d-----w- c:\programdata\Panda Security
2013-02-26 02:38 . 2013-02-26 02:38 -------- d-----w- c:\program files\Panda Security
2013-02-25 12:17 . 2013-02-25 12:17 852 ----a-w- C:\temp386.bat
2013-02-25 12:17 . 2013-02-25 12:17 1259 ----a-w- C:\temp918.bat
2013-02-24 12:59 . 2013-02-24 12:59 -------- d-----w- c:\program files\Siber Systems
2013-02-24 12:08 . 2013-02-26 02:22 -------- d-----w- c:\programdata\MFAData
2013-02-22 22:38 . 2013-03-05 04:01 -------- d-sh--w- c:\windows\Installer
2013-02-22 20:00 . 2013-02-22 20:00 -------- d-----w- C:\TRANSFER PROCESS TO NEW INSTALL
2013-02-22 13:11 . 2013-02-25 04:03 -------- d-----w- c:\users\Administrator
2013-02-22 12:31 . 2009-09-24 01:18 3829760 ----a-w- c:\windows\system32\igdumd32.dll
2013-02-22 12:31 . 2009-09-24 01:18 4808192 ----a-w- c:\windows\system32\drivers\igdkmd32.sys
2013-02-22 12:31 . 2009-09-24 00:48 5702656 ----a-w- c:\windows\system32\igfxress.dll
2013-02-22 12:31 . 2009-09-24 01:30 672792 ----a-w- c:\windows\system32\igfxcfg.exe
2013-02-22 12:31 . 2009-09-24 01:30 173592 ----a-w- c:\windows\system32\hkcmd.exe
2013-02-22 12:31 . 2009-09-24 01:30 150552 ----a-w- c:\windows\system32\igfxpers.exe
2013-02-22 12:31 . 2009-09-24 01:30 141848 ----a-w- c:\windows\system32\igfxtray.exe
2013-02-22 12:31 . 2009-09-24 00:49 199680 ----a-w- c:\windows\system32\igfxpph.dll
2013-02-21 08:08 . 2013-02-28 19:11 -------- d-----w- c:\program files\Trend Micro
2013-02-20 06:23 . 2013-02-21 22:58 -------- d-----w- c:\program files\Helge Klein
2013-02-19 07:07 . 2013-02-20 21:07 -------- d-----w- c:\program files\TinyWall
2013-02-19 07:07 . 2013-02-20 02:11 -------- d-----w- c:\programdata\TinyWall
2013-02-18 23:28 . 2013-02-18 23:28 -------- d-----w- c:\program files\Safer Networking
2013-02-18 19:49 . 2013-02-21 22:57 -------- d-----w- c:\program files\Auslogics
2013-02-18 12:05 . 2013-03-06 11:54 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-02-16 12:04 . 2013-02-16 12:04 -------- d-----w- c:\users\Default\AppData\Roaming\IObit
2013-02-16 12:04 . 2013-02-16 12:04 -------- d-----w- c:\program files\IObit
2013-02-16 11:29 . 2013-03-10 06:49 -------- d-----w- C:\Microsoft
2013-02-15 08:15 . 2013-02-17 05:24 -------- d-----w- c:\users\Default\AppData\Roaming\Wise Care 365
2013-02-15 08:01 . 2013-03-10 07:05 -------- d-----w- c:\users\ServiceExpo
2013-02-15 05:50 . 2013-02-15 08:59 -------- d-----w- c:\users\Default\AppData\Roaming\WSCC2
2013-02-14 07:44 . 2013-02-21 23:44 -------- d-----w- c:\program files\CCleaner
2013-02-13 04:26 . 2013-03-10 05:19 -------- d-----w- c:\program files\Reference Assemblies
2013-02-13 04:20 . 2013-02-13 04:20 828 ----a-w- C:\temp260.bat
2013-02-13 04:12 . 2013-02-13 04:12 1152 ----a-w- C:\temp23.bat
2013-02-13 01:50 . 2012-11-08 18:00 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{61B08379-A0AA-4D2C-812C-36E0B94B30C9}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-05 11:39 . 2012-12-14 08:06 181064 ----a-w- c:\windows\PSEXESVC.EXE
2013-02-24 23:09 . 2012-12-31 06:37 14088 ----a-w- c:\windows\system32\drivers\PROCEXP141.SYS
2013-02-22 06:41 . 2009-07-13 21:30 2853 ----a-w- c:\windows\_default.pif
2013-02-09 00:05 . 2013-02-09 00:05 64392 ----a-w- c:\windows\system32\drivers\PROCMON23.SYS
2013-02-05 02:30 . 2013-02-05 02:30 20104 ----a-w- c:\windows\system32\drivers\Dbgv.sys
2013-01-30 10:31 . 2013-01-30 10:31 131344 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2013-01-29 04:13 . 2013-01-28 07:58 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2013-01-26 22:33 . 2013-01-26 22:33 74703 ----a-w- c:\windows\system32\mfc45.dll
2013-01-14 20:11 . 2013-01-14 20:11 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2013-01-04 02:24 . 2013-01-04 02:24 2 --shatr- c:\windows\winstart.bat
2013-01-03 04:52 . 2013-01-03 04:52 2853 ----a-w- c:\windows\system32\dosx.PIF
2012-12-30 01:04 . 2012-12-30 01:04 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-12-30 01:04 . 2012-12-30 01:04 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-12-30 01:04 . 2012-12-30 01:04 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-12-30 01:04 . 2012-12-30 01:04 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-12-30 01:04 . 2012-12-30 01:04 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-12-30 01:04 . 2012-12-30 01:04 367104 ----a-w- c:\windows\system32\html.iec
2012-12-30 01:04 . 2012-12-30 01:04 161792 ----a-w- c:\windows\system32\msls31.dll
2012-12-30 01:04 . 2012-12-30 01:04 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-12-30 01:04 . 2012-12-30 01:04 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-12-30 01:04 . 2012-12-30 01:04 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-12-30 01:04 . 2012-12-30 01:04 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-12-30 01:04 . 2012-12-30 01:04 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-12-30 01:04 . 2012-12-30 01:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-12-30 01:04 . 2012-12-30 01:04 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-12-30 01:04 . 2012-12-30 01:04 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-12-30 01:04 . 2012-12-30 01:04 152064 ----a-w- c:\windows\system32\wextract.exe
2012-12-30 01:04 . 2012-12-30 01:04 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-12-30 01:04 . 2012-12-30 01:04 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-12-30 01:04 . 2012-12-30 01:04 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-12-30 01:04 . 2012-12-30 01:04 11776 ----a-w- c:\windows\system32\mshta.exe
2012-12-30 01:04 . 2012-12-30 01:04 101888 ----a-w- c:\windows\system32\admparse.dll
2012-12-14 04:52 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2013-03-07 14:31 . 2013-03-09 00:56 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
2013-01-08 15:56 87768 ----a-w- c:\program files\pandasecuritytb\pandasecurityDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\pandasecuritytb\pandasecurityDx.dll" [2013-01-08 87768]
.
[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 23:32 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2012-12-16 545552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Panda Security URL Filtering"="c:\programdata\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2013-01-04 222424]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
"Look 'n' Stop"="c:\program files\Soft4Ever\looknstop\looknstop.exe" [2013-03-02 589008]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 0 (0x0)
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeePass 2 PreLoad
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-24 01:30 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-24 01:30 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [x]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R2 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [x]
R3 afw;Agnitum Firewall Driver;c:\windows\system32\DRIVERS\afw.sys [x]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [x]
R3 BIOSCHK;BIOSCHK;c:\users\win7\AppData\Local\Temp\TII72C0.tmp\disk1\BIOSCHK.SYS [x]
R3 CXLMRDOPO;CXLMRDOPO;c:\users\ADMINI~1.000\AppData\Local\Temp\CXLMRDOPO.exe [x]
R3 DrvAgent32;DrvAgent32;c:\windows\system32\Drivers\DrvAgent32.sys [x]
R3 efavdrv;efavdrv;c:\windows\system32\drivers\efavdrv.sys [x]
R3 esihdrv;esihdrv;c:\users\win7\AppData\Local\Temp\esihdrv.sys [x]
R3 FOR;FOR;c:\users\ADMINI~1.000\AppData\Local\Temp\FOR.exe [x]
R3 PORTMON;PORTMON;c:\program files\Sysinternals Suite\PORTMSYS.SYS [x]
R3 RTCore32;RTCore32;c:\program files\RightMark Memory Analyzer\RTCore32.sys [x]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 UDT;UDT;c:\users\ADMINI~1.000\AppData\Local\Temp\UDT.exe [x]
R3 usbrndis6;USB RNDIS6 Adapter;c:\windows\system32\DRIVERS\usb80236.sys [x]
R4 HXNHX;HXNHX;c:\users\ADMINI~1.000\AppData\Local\Temp\HXNHX.exe [x]
R4 QXJDIX;QXJDIX;c:\users\ADMINI~1.000\AppData\Local\Temp\QXJDIX.exe [x]
S0 aswRvrt;aswRvrt; [x]
S0 aswVmm;aswVmm; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 lnsfw1;lnsfw1;c:\windows\system32\drivers\lnsfw1.sys [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [x]
S2 lnssvcVista;Look 'n' Stop Service;c:\program files\Soft4Ever\looknstop\LnsSvcVista.exe [x]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
GPSvcGroup REG_MULTI_SZ GPSvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = about:blank
TCP: DhcpNameServer = 192.168.14.1 71.22.6.12 64.13.115.12
TCP: Interfaces\{9C19A051-FCFF-4DF9-9D81-219B915A6F19}\16474777966696: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{9C19A051-FCFF-4DF9-9D81-219B915A6F19}\25572697D4F6F63756D27657563747: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\users\Administrator.000\AppData\Roaming\Mozilla\Firefox\Profiles\h4v04yec.default\
FF - ExtSQL: 2013-03-08 02:07; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
FF - ExtSQL: 2013-03-08 19:49; https-everywhere@eff.org; c:\users\Administrator.000\AppData\Roaming\Mozilla\Firefox\Profiles\h4v04yec.default\extensions\https-everywhere@eff.org
FF - ExtSQL: 2013-03-09 09:38; extension@hidemyass.com; c:\users\Administrator.000\AppData\Roaming\Mozilla\Firefox\Profiles\h4v04yec.default\extensions\extension@hidemyass.com.xpi
.
.
------- File Associations -------
.
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-SDWinLogon - SDWinLogon.dll
MSConfigStartUp-APSDaemon - c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,3b,1b,25,b5,e6,
ab,1f,59,35,0c,a5,2f,09,f3,02,cb,44,e1
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,3b,1b,f1,07,41,
35,c8,0c,09,03,b7,ae,84,e9,65,6b,04,8f
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:40,89,47,83,c6,10,ce,01
.
[HKEY_USERS\S-1-5-21-3769438369-2632674587-593466790-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,3b,1b,f1,07,41,
35,c8,0c,09,03,b7,ae,84,e9,65,6b,04,8f
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,3b,1b,72,64,65,
4c,4a,38,3f,68,39,49,6b,2d,7b,07,0e,51
"{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}"=hex:51,66,7a,6c,4c,1d,3b,1b,44,3b,4b,
91,13,fa,d3,0d,b3,20,9a,3f,02,cc,cb,18
.
[HKEY_USERS\S-1-5-21-3769438369-2632674587-593466790-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,e4,43,1c,29,9a,25,45,bf,72,f4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,e4,43,1c,29,9a,25,45,bf,72,f4,\
.
[HKEY_USERS\S-1-5-21-3769438369-2632674587-593466790-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-3769438369-2632674587-593466790-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-3769438369-2632674587-593466790-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-3769438369-2632674587-593466790-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-3769438369-2632674587-593466790-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
Completion time: 2013-03-10 19:39:30
ComboFix-quarantined-files.txt 2013-03-11 00:39
.
Pre-Run: 33,109,831,680 bytes free
Post-Run: 33,047,482,368 bytes free
.
- - End Of File - - 09493A7E0092030E2B5D9491E8417CEF



#18
March 10, 2013 at 22:39:54

"JOHN W,
THE COMBOFIX LOG IS BELOW THIS TEXT. THESE WERE A FEW I WANTED TO HIGHLIGHT...SO I COPIED TO TOP IN CASE THEY JUMPED OUT TO YOU AS AREAS TO ADDRESS"
Thanks MSshouldbesued. I am focused on running a series of programs that should, with a bit of luck, eventually tell me you are clean.

Once I think you are clean, I will let you know.

There are trillions of combinations of different problems.

You are not doing me or yourself any favors, by playing around with programs, other than what I'm suggesting during the cleanup procedure.

I will now try to work out our next best step.



#19
March 10, 2013 at 23:07:36

Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://general-changelog-team.fr/en...
http://www.raymond.cc/blog/adwclean...
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

Run Junkware Removal Tool
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool to your desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. http://www.bleepingcomputer.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Copy and Paste the JRT.txt log into your next message.



#20
March 15, 2013 at 22:38:40

John,
Apologize for the delay. Something happened to my machine again...
PS...I will follow instructions.
QUESTION: Are there any scanners you are aware of that will look and identify
suppressive policies in the registry? I believe that's what we are dealing with..
REMEMBER...I have Group Policy loading at startup. My OS does NOT have Group Policy....this was put into my machine from the outside.

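Post #17 asks about the "LOCKED REGISTRY KEYS" ComboFix reports as "@Denied", and post #20 asks whether any scanner can identify suppressive policies in the registry. Both can be checked directly from an elevated PowerShell console. The script below is an added example written for this thread; it is not code from the thread, from ComboFix, RogueKiller or any other tool mentioned here. It assumes a Windows 7 or later machine, a console started with "Run as Administrator", and the two root keys taken from the ComboFix log in #17. The list of policy value names is this example's own selection of real Windows policy values, not an exhaustive one.

```powershell
# Added example, not part of this thread or of ComboFix/RogueKiller.
# Run from an elevated (Run as Administrator) PowerShell console.

function Get-DeniedRegistryKeys {
    # Walks each root key and reports (a) every explicit Deny ACE found on a key
    # and (b) subkeys whose contents or ACL could not be read at all, which is
    # how ComboFix's "@Denied" entries usually look from PowerShell.
    param(
        [Parameter(Mandatory)] [string[]] $RootPath
    )
    foreach ($root in $RootPath) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $walkErrors = @()
        $keys = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue)
        $keys += Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue -ErrorVariable walkErrors
        foreach ($err in $walkErrors) {
            # Subkeys the recursive walk could not open (typically access denied)
            [pscustomobject]@{ Key = "$($err.TargetObject)"; Identity = '(key not readable)'; Rights = $err.Exception.Message }
        }
        foreach ($key in $keys) {
            if ($null -eq $key) { continue }
            try {
                $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop
            } catch {
                [pscustomobject]@{ Key = $key.Name; Identity = '(ACL not readable)'; Rights = $_.Exception.Message }
                continue
            }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Deny') {
                    [pscustomobject]@{ Key = $key.Name; Identity = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
                }
            }
        }
    }
}

function Get-PolicyRestrictions {
    # Lists policy values that commonly disable security tooling or the user's
    # own controls. The value names are real Windows policy values; which ones
    # to watch is this example's selection (assumption), not a complete list.
    $watch = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'DisableTaskMgr', 'DisableRegistryTools',
             'DisableCMD', 'NoRun', 'NoControlPanel', 'DisableAntiSpyware',
             'DisableRealtimeMonitoring', 'NoAutoUpdate', 'AUOptions'
    $roots = 'HKLM:\SOFTWARE\Policies', 'HKCU:\SOFTWARE\Policies',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $keys = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                if ($watch -contains $name) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $key.GetValue($name) }
                }
            }
        }
    }
}

# Root keys taken from the locked keys ComboFix reported in post #17
$lockedRoots = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer',
               'HKCU:\Software\Microsoft\Internet Explorer'
Get-DeniedRegistryKeys -RootPath $lockedRoots | Format-Table -AutoSize -Wrap
Get-PolicyRestrictions | Format-Table -AutoSize -Wrap
```

A Deny ACE or a policy value is evidence to compare, not proof of compromise: some security products lock registry keys on purpose, and the values under Policies\System (EnableLUA, ConsentPromptBehaviorAdmin) are exactly what a UAC check reads, so the useful step is to run the same script on a known-clean build of the same Windows edition and diff the two outputs before removing anything.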

#21
March 15, 2013 at 23:24:03

# AdwCleaner v2.114 - Logfile created 03/16/2013 at 00:47:57
# Updated 05/03/2013 by Xplode
# Operating system : Windows 7 Home Premium (32 bits)
# User : Administrator - WIN7-PC
# Boot Mode : Normal
# Running from : C:\Users\Administrator.000\Desktop\AdwCleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0.2 (en-US)

*************************

AdwCleaner[R1].txt - [545 octets] - [16/03/2013 00:47:57]

########## EOF - C:\AdwCleaner[R1].txt - [604 octets] ##########



#22
March 15, 2013 at 23:24:58

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.2 (03.15.2013:1)
OS: Windows 7 Home Premium x86
Ran by Administrator on Sat 03/16/2013 at 1:02:10.36
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ FireFox

Successfully deleted: [File] C:\Users\Administrator.000\AppData\Roaming\mozilla\firefox\profiles\h4v04yec.default\user.js

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 03/16/2013 at 1:06:49.78
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#23
March 15, 2013 at 23:39:47

Hi MSshouldbesued, thanks for the logs, let me get my head around your post #20.

In the meantime, run this please.

Download Security Check by screen317 from one of the following links and save it to your desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Save it to your Desktop.
* Double click SecurityCheck.exe. If you run Windows Vista or 7, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; please post the contents of that document.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.



#24
March 16, 2013 at 15:57:55

Will do...thanks, John.
One thing... so I get the best results... if I do need to be connected to the net to run a program... that would be good to know. I have been doing just that with all of them; disabling AV and FW during... so I cringe, with possible good reason. Will run these and post... thanks a million,

Cringe?:
A Somehow, about 5 days ago, ...something/ someone /some process in machine,,,,went out and grabbed a program..."Intel GMA Driver." This was already in machine ! No need for the driver,,,bo upgrade to it..nothing.This, under normal OS conditionals, would have ZERO reason to go looking, find it, silent install..etc. That item, the GMA Driver, allows you to switch screen resolutions quickly via GUI.
B It was an 'unseen' to me/ background install using Installshield...same OLD STORY !
.. but this thing (probably more InstallShiled) ALWAYS.opens up another floodgate of SxS files;

Installshield is the delivery mechanism. I'm not mistaking, not making incorrect assumptions. (I should Google this ..never thought of it before)
C I have seen this so many times that I know it by now...but this was FIRST time it *reinstalled itself.* They key is at the end of this description. Previous, fresh installs.. seem to want to go get this INTEL DRIVER within 26-36 hrs from Microsoft in the traditional update process. This item DRIVER was already in machine when I bought it..and I WONT try anything new (ie delete it just after someone has sold me a machine/w fresh OS )

Well...I was flooded with the same files again...and things went haywire for a number of days, Just an FYI...for my AWOL

***The only thing I can surmise, having seen this now maybe 10 times, id that if anything gets FIXED with this..the process doesn't like it...and need those files. The system then goes through a silent reload...from some backup stored. Theres a report name to this..Ive read far too many of them.

THAT is what happens, It doesn't change...this thing is perfectly formulaic



#25
March 16, 2013 at 17:08:25

Go through every program you have installed (this includes Flash and Java) and, in options/preferences, turn off auto updates.

Also, do the same for Windows Updates.



#26
March 16, 2013 at 17:42:38

Results of screen317's Security Check version 0.99.59
Windows 7 x86 (UAC is enabled) ---NO IT IS NOT!!!!!! WON'T WORK SINCE PROBLEMS BEGAN
Out of date service pack!! (http://windows.microsoft.com/en-US/windows7/install-windows-7-service-pack-1)
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
CCleaner
Auslogics Registry Cleaner
EasyCleaner
Adobe Flash Player 11.6.602.171
Mozilla Firefox (19.0.2)
````````Process Check: objlist.exe by Laurent````````
Spybot Teatimer.exe is disabled!
Privatefirewall 6.1 pfsvc.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````


#27
March 16, 2013 at 17:47:01

John,
I ran this again last night... but didn't TOUCH any results/fix etc. Wondering if this series of items at the bottom means anything to address? Thanks
-----------------------------------------------------------------------------------------------------------------------
RogueKiller V8.5.3 [Mar 13 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/file...
Website : http://tigzy.geekstogo.com/roguekil...
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 03/16/2013 01:32:34
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[12] : NtAdjustPrivilegesToken @ 0x83E86D7F -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D23F0)
SSDT[59] : ExpInterlockedPopEntrySListResume @ 0x83E5577E -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D5770)
SSDT[66] : NtCreateFile @ 0x83E67221 -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D49F0)
SSDT[70] : NtCreateKey @ 0x83E40570 -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D2080)
SSDT[77] : NtCreatePort @ 0x83E867EC -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D5AC0)
SSDT[86] : NtCreateSymbolicLinkObject @ 0x83E06D3F -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D4F80)
SSDT[87] : NtCreateThread @ 0x83EEDBE2 -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D5DC0)
SSDT[93] : NtCreateUserProcess @ 0x83E3F8C8 -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D5300)
SSDT[96] : NtDebugActiveProcess @ 0x83EC090C -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D1B50)
SSDT[103] : NtDeleteKey @ 0x83DF3B9E -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D4270)
SSDT[106] : NtDeleteValueKey @ 0x83DF984E -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D43D0)
SSDT[179] : NtOpenFile @ 0x83E72478 -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D4CF0)
SSDT[182] : NtOpenKey @ 0x83E6CA8F -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D1E80)
SSDT[190] : NtOpenProcess @ 0x83E34AC1 -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D4590)
SSDT[194] : NtOpenSection @ 0x83E8155B -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D16A0)
SSDT[198] : NtOpenThread @ 0x83E8A5AD -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D22A0)
SSDT[304] : NtResumeThread @ 0x83E44B7D -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D5250)
SSDT[312] : NtSecureConnectPort @ 0x83E47238 -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D5910)
SSDT[329] : NtSetInformationFile @ 0x83E53737 -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D50A0)
SSDT[358] : NtSetValueKey @ 0x83E7E395 -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D40A0)
SSDT[371] : NtTerminateThread @ 0x83E4C5BA -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D48D0)
S_SSDT[7] : NtGdiAlphaBlend -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D3780)
S_SSDT[14] : NtGdiBitBlt -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D3480)
S_SSDT[125] : NtGdiDeleteObjectApp -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D3300)
S_SSDT[200] : NtGdiGetPixel -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D3800)
S_SSDT[237] : NtGdiMaskBlt -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D35D0)
S_SSDT[243] : NtGdiOpenDCW -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D3240)
S_SSDT[247] : NtGdiPlgBlt -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D3680)
S_SSDT[302] : NtGdiStretchBlt -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D3520)
S_SSDT[308] : NtGdiTransparentBlt -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D3700)
S_SSDT[318] : NtUserAttachThreadInput -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D2CF0)
S_SSDT[402] : NtUserGetAsyncKeyState -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D2FF0)
S_SSDT[436] : NtUserGetKeyState -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D2F40)
S_SSDT[490] : NtUserMessageCall -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D2820)
S_SSDT[508] : NtUserPostMessage -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D29D0)
S_SSDT[509] : NtUserPostThreadMessage -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D2B60)
S_SSDT[524] : NtUserRegisterRawInputDevices -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D2DF0)
S_SSDT[536] : NtUserSendInput -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D30A0)
S_SSDT[544] : NtUserSetClipboardViewer -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D31A0)
S_SSDT[552] : NtUserSetInformationThread -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D24C0)
S_SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D25A0)
S_SSDT[588] : NtUserSetWinEventHook -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D2680)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Disk drive +++++
--- User ---
[MBR] e61ad200f3aa4540e5775a33b5d4ddc2
[BSP] b5a323188b24eedb45e970e8bda54dbb : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 57129 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_03162013_02d0132.txt >>
RKreport[1]_S_03162013_02d0132.txt



#28
March 16, 2013 at 19:11:13

"but didn't TOUCH any results/fix etc"
Make sure you have the latest version > 8.5.3
Run again & Fix.

"Wondering if this series of items at bottom means anything"
That is Normal.

Run ESET again.


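The helper's "That is Normal" verdict on the SSDT list rests on one fact: every hook in it comes from the same driver, pwipf6.sys, and that driver belongs to a firewall the machine is known to run. What follows is an editor's example, added here, not a tool from the thread and not RogueKiller's own code, that automates exactly that check: it parses the "Driver" and "Registry Entries" sections of a RogueKiller report, groups the hooks by the module that installed them, flags any module not on an allowlist, and notes that the two [HJPOL] entries carry a value of 0 and therefore impose no restriction. Assumptions: pwipf6.sys is taken to be the Privatefirewall 6.x kernel driver (Privatefirewall 6.1 appears in the Security Check log above); the sample report lines are constructed in the shape of the posted log; zzdrv.sys is a made-up module name included only to exercise the unknown-hooker path.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the RogueKiller V8.5.3 report posted
# above.  The pwipf6.sys lines follow that report's format; zzdrv.sys is a
# made-up module name included only so the "unknown hooker" path runs.
SAMPLE_REPORT = r"""
*** Registry Entries : 2 ***
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (1) -> FOUND

*** Driver : [LOADED] ***
SSDT[66] : NtCreateFile @ 0x83E67221 -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D49F0)
SSDT[190] : NtOpenProcess @ 0x83E34AC1 -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D4590)
S_SSDT[402] : NtUserGetAsyncKeyState -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D2FF0)
S_SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (\SystemRoot\system32\DRIVERS\pwipf6.sys @ 0x904D25A0)
SSDT[87] : NtCreateThread @ 0x83EEDBE2 -> HOOKED (\SystemRoot\system32\DRIVERS\zzdrv.sys @ 0x90000000)
"""

# ASSUMPTION: pwipf6.sys is the Privatefirewall 6.x kernel driver.  The
# Security Check log earlier in the thread shows Privatefirewall 6.1
# (pfsvc.exe) running, which is why its hooks are expected, not suspicious.
KNOWN_HOOKERS = {"pwipf6.sys": "Privatefirewall 6.x (assumed)"}

# What a module that hooks these calls can observe or control.  A HIPS hooks
# them to catch keyloggers and screen grabbers; a rootkit hooks the same
# calls to be one.  The hooker's identity, not the hook list, decides which.
CAPABILITIES = {
    "input": {"NtUserGetAsyncKeyState", "NtUserGetKeyState", "NtUserSetWindowsHookEx",
              "NtUserSetWinEventHook", "NtUserAttachThreadInput", "NtUserSendInput",
              "NtUserRegisterRawInputDevices", "NtUserSetClipboardViewer"},
    "screen": {"NtGdiBitBlt", "NtGdiStretchBlt", "NtGdiGetPixel", "NtGdiMaskBlt",
               "NtGdiPlgBlt", "NtGdiTransparentBlt", "NtGdiAlphaBlend"},
    "process": {"NtOpenProcess", "NtOpenThread", "NtCreateThread", "NtCreateUserProcess",
                "NtResumeThread", "NtTerminateThread", "NtDebugActiveProcess",
                "NtAdjustPrivilegesToken"},
    "registry": {"NtCreateKey", "NtOpenKey", "NtSetValueKey", "NtDeleteKey", "NtDeleteValueKey"},
    "file": {"NtCreateFile", "NtOpenFile", "NtSetInformationFile"},
}

HOOK_RE = re.compile(
    r"^(?P<table>S_SSDT|SSDT)\[(?P<idx>\d+)\]\s*:\s*(?P<call>\w+)"
    r"(?:\s*@\s*0x[0-9A-Fa-f]+)?\s*->\s*HOOKED\s*\((?P<module>[^@)]+?)\s*@\s*0x[0-9A-Fa-f]+\)"
)
POLICY_RE = re.compile(
    r"^\[HJPOL\]\s+(?P<key>\S+)\s*:\s*(?P<name>\w+)\s*\((?P<value>\d+)\)\s*->\s*FOUND"
)


def parse_report(text):
    """Return ([(table, index, syscall, module_path)], [(key, name, value)])."""
    hooks, policies = [], []
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append((m["table"], int(m["idx"]), m["call"], m["module"].strip()))
            continue
        m = POLICY_RE.match(line)
        if m:
            policies.append((m["key"], m["name"], int(m["value"])))
    return hooks, policies


def triage(text, known=KNOWN_HOOKERS):
    hooks, policies = parse_report(text)
    by_module = Counter(ntpath.basename(mod).lower() for _, _, _, mod in hooks)
    caps = defaultdict(set)
    for _, _, call, mod in hooks:
        for cap, calls in CAPABILITIES.items():
            if call in calls:
                caps[ntpath.basename(mod).lower()].add(cap)
    return {
        "hooks_by_module": dict(by_module),
        "unknown_hookers": sorted(m for m in by_module if m not in known),
        "capabilities": {m: sorted(c) for m, c in caps.items()},
        # HJPOL values: RogueKiller flags the value's presence, but only a
        # non-zero DisableTaskMgr / DisableRegistryTools actually locks the
        # user out; a 0 is inert and deleting it changes nothing.
        "active_policies": [n for _, n, v in policies if v != 0],
        "inert_policies": [n for _, n, v in policies if v == 0],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for mod, n in result["hooks_by_module"].items():
        who = KNOWN_HOOKERS.get(mod, "UNKNOWN - investigate")
        print(f"{mod}: {n} hook(s), {result['capabilities'].get(mod, [])}, {who}")
    print("active lockout policies:", result["active_policies"])
```

Feed it a real report with triage(open("RKreport.txt", encoding="utf-8", errors="replace").read()). A module that shows up under unknown_hookers is the thing to chase (verify its signer and on-disk path); a long hook list from a module you installed yourself is, as the helper says, normal.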

#29
March 21, 2013 at 02:04:48

-----------------------------------------------------------------------------------------------
"""RogueKiller V8.5.3 [Mar 13 2013] by Tigzy"""

Yes, John, that was the version I ran. Applied the fixes to clear maybe 8 new host files. I ran one today that showed 200!!! (a different scanner... so this is a real issue)
I deeply appreciate the help. The discovery of the HOSTS issue is our biggest WIN so far... and below you will see that it is EXTENSIVE.

I can assure you this is a combination of several programming/hacking/routine-running-on-the-machine type problems... NOT virus issues... as the only items showing in a scan were PUPs that were part of SysInternals (100 programs... a few with remote access type files; so they were in essence false positives). In the last 6 months, my admin rights have been removed... that is the biggest issue. Maybe Win 7 is a 'harder installation' vs XP, but there are still things I am blocked from doing.

Re: Viruses/Trojans: Only TWO files were deemed risky with trojan designations, and both were SxS files (x86 files), during the last month. One from Avast, one from AVG.
The BIGGEST issues are as follows, and I hope we can move more in this direction, as these are more permission, lockdown... and guarding-the-fort type challenges.

1. I don't have full admin control. For instance, I have never used AUTOMATED TASKS before... but I found some bizarre stuff in that area. I was shocked to see 43 tasks set to run, some several times a day. These either do something someone has set up... or are resource heavy at certain dates and hours... bogging the machine down, possibly for an entry attempt. (?????) I found that Avast was set to Emergency Update every minute. I have the screenshots. Not regular updates... EMERGENCY updates. I believe that file/function in Avast is no longer working. I never saw it happening, but it sure was set to... and was active/'live.' Another task was set to restore the Registry weekly. The list of these is long... but it simply amounts to full control... when they want it. It's not 'defrag' or some routine type task. It's obviously part of the overall control and automated readjustment, should I make any changes... to try and stop all of this.
550 tasks were run last week. I feel certain that the user must request these... even Spybot was set up for this... I sure didn't do it. I just had to reinstall the thing!

2. My 120 Windows updates are gone, and it will no longer update. In fact, MS has 'Fix it', an automated-type fix-issues area on their site, that no longer runs; I get error messages.
3. UAC doesn't work anymore. Security-type programs begin to fail quickly, and the uninstall path for ALL OF THEM is changed. As a result, drivers are left behind... just seems like a potential conflict if old firewall and AV drivers aren't cleared out properly. I'm learning... I do it manually or use a removal product from the mfg these days. Windows Installer has to be repaired constantly.
I'm only listing half the issues, BTW.

4. Many, many screens are greyed out in Services (and other) areas... meaning I can't change some. As in, the buttons don't work. They should BE changeable; I have looked up the recommended settings... and some that should be 'Manual' are locked on Automatic.

5. They have applied Group Policy (this OS doesn't have it) and they control MMC. The area in Add/Remove Programs? The one that allows you to remove features? It's blank now (used to be a great feature vs the XP version)... and they added WMI about the time it went blank. There are MANY features in that section that crack open ACCESS features... and they probably are all checked off/installed.

BOTTOM LINE... this is predominantly a permission/Registry control issue and an inability to keep these guys out. I have worked in the past on many large income-producing projects. This may be a case of what's called 'industrial espionage', i.e., stealing your ideas.
A handful of people around the country know my ability to create such projects/ventures. This is the likely intent... and a secondary form of cyber terrorism, as I can no longer complete them. Yes... I've called the FBI. Unless I'm a bank... or a huge entity, there is no help. Local to national. But what money I had is gone due to the 6 months of constant shelling.

I would love to know how to lock it down, so on the next install... I can avoid what's happened for 6 months. One item also strange: THE MRU AREAS IN THE REGISTRY are so extensive, literally HUNDREDS AND HUNDREDS of keys and subkeys... with duplicate backups of each (2 backups)... they know every document, every zip drive I put in, every title of item, what was transferred where... to see it is astounding.
I find it impossible to believe this is remotely close to default from Microsoft.

Please read and tell me if this is something that fits your expertise, or whether one of your staff of wonderful helpers may be of assistance/extra info. If no relief can be gained, the items I mentioned... which amount to TOTAL LOCKDOWN... and complete control... if the good folks at TOMS do not handle this, is there a forum that does?

I ran some SysInternals programs from the flash drive today... and the info they show is both shocking and elaborate... to see what's still in the machine weeks later; a record of all computer 'transactions'... names of all, well... CCleaner just can't even touch the sophistication and numbering system they have to sort and store this info.

I will post a log that will show that this HOSTS issue has returned WITH A VENGEANCE... and that is something I don't quite understand how to solve (other than possibly deleting all the DOMAIN KEYS in the registry... minus the small number of sites I visit. ?????) Without spending 2 hours on the net since my last post, there is a list of 200 or so. It's the registry refresh, you see... the whole routine will auto-correct itself. It's been the same procedure... not one thing has changed in 'technique' for 6-8 months. It's the same person... obviously.

Thank you so much for your time and help, John. I'm really hoping to put an end to this and 'compute' like everyone else in the world... and be trouble-free in the future.

YES, MS should be..... lol


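On the hosts-file count raised in this post: an entry of the form "127.0.0.1 somename" cannot send a browser anywhere. It only makes that name resolve to the machine itself, so thousands of such lines are the signature of an ad/tracker blocklist (the kind the hosts immunization in Spybot - Search & Destroy, or the MVPS hosts list, installs; Spybot is in the Security Check log above), not of a takeover. A hosts-file hijack looks different: a real domain pointed at a non-loopback address, or a security vendor's update host pointed at loopback so the product can no longer update. The following editor's example, not code from the thread, makes that distinction mechanically. The sample hosts contents are constructed: the first mirrors the shape of the MiniToolBox "Hosts content" in the next reply, including its run-together line; the second is a fabricated hijack using an RFC 5737 documentation address. The watchlist of vendor domains is an illustrative choice.

```python
import ipaddress

# Addresses that make a name unreachable rather than redirecting it.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that a healthy hosts file should never touch.  Malware commonly sinks
# AV and update hosts to stay alive.  Constructed list for this example;
# extend it with your own vendors.
WATCHLIST = ("avast.com", "avg.com", "microsoft.com", "windowsupdate.com",
             "safer-networking.org")

# Constructed samples.  BLOCKLIST_SAMPLE follows the shape of the MiniToolBox
# "Hosts content" posted in the next reply, including its run-together line.
# HIJACK_SAMPLE is fabricated; 198.51.100.7 is an RFC 5737 documentation address.
BLOCKLIST_SAMPLE = """\
::1 localhost
127.0.0.1 localhost
127.0.0.1 fr.a2dfp.net
127.0.0.1 m.fr.a2dfp.net
127.0.0.1 ad.a8.net
127.0.0.1 www.aconti.net 127.0.0.1 am1.activemeter.com 127.0.0.1 www.activemeter.com 127.0.0.1 ads.activepower.net
"""
HIJACK_SAMPLE = """\
127.0.0.1 localhost
127.0.0.1 update.avast.com
198.51.100.7 www.bank.example   # comment after the entry
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs.  Walks tokens instead of columns so it
    copes with several names per line and with entries run together on one
    line; each token that parses as an IP starts a new mapping."""
    for raw in text.splitlines():
        addr = None
        for tok in raw.split("#", 1)[0].split():
            try:
                addr = str(ipaddress.ip_address(tok))
                continue
            except ValueError:
                pass
            if addr is not None:
                yield addr, tok.lower()


def on_watchlist(name):
    return any(name == s or name.endswith("." + s) for s in WATCHLIST)


def classify_hosts(text):
    """Return a verdict plus the entries that justify it.

    sink entries  : name -> loopback/null, the shape of an ad blocklist
    redirects     : name -> any other address, the only kind that can send
                    a user to an attacker's server
    watchlist     : vendor/update names present at all (sunk or redirected)
    """
    sinks, redirects, watch = 0, [], []
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        if addr in SINK_ADDRESSES:
            sinks += 1
        else:
            redirects.append((addr, name))
        if on_watchlist(name):
            watch.append((addr, name))
    if redirects or watch:
        verdict = "hijack"
    elif sinks:
        verdict = "blocklist"
    else:
        verdict = "clean"
    return {"verdict": verdict, "sink_count": sinks,
            "redirects": redirects, "watchlist": watch}


if __name__ == "__main__":
    for label, sample in (("blocklist-shaped", BLOCKLIST_SAMPLE), ("hijack-shaped", HIJACK_SAMPLE)):
        print(label, classify_hosts(sample))
```

Run it against the live file from an elevated prompt with classify_hosts(open(r"C:\Windows\System32\drivers\etc\hosts", encoding="utf-8", errors="replace").read()). A "blocklist" verdict with a large sink_count is benign from a security standpoint; the cost of a 12,000-line list is slower name lookups, not compromise. A "hijack" verdict means the file should be restored from a clean copy and whatever wrote it identified before it is rewritten again.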

#30
March 21, 2013 at 02:30:23

12800 hosts!!!! ????

BTW... I HAVE ABOUT 8 '6 to 4' drivers/adapters set up.
I've looked at DEVICE MANAGER for 15 years... have NEVER seen this... and THIS is NEW to this machine; est. no more than 3 weeks ago was this altered... I sure didn't do it... I don't understand adapters, Winsock, etc.
----------------------------------------------------------------------------------------------
MiniToolBox by Farbar Version:10-01-2013
Ran by Administrator (administrator) on 21-03-2013 at 04:15:16
Running from "C:\Users\Administrator.000\Downloads"
Windows 7 Home Premium (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================


::1 localhost

127.0.0.1 localhost
127.0.0.1 fr.a2dfp.net
127.0.0.1 m.fr.a2dfp.net
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 abcstats.com
127.0.0.1 a.abv.bg
127.0.0.1 adserver.abv.bg
127.0.0.1 adv.abv.bg
127.0.0.1 bimg.abv.bg
127.0.0.1 ca.abv.bg
127.0.0.1 www2.a-counter.kiev.ua
127.0.0.1 track.acclaimnetwork.com
127.0.0.1 accuserveadsystem.com
127.0.0.1 www.accuserveadsystem.com
127.0.0.1 achmedia.com
127.0.0.1 aconti.net
127.0.0.1 secure.aconti.net
127.0.0.1 www.aconti.net
127.0.0.1 am1.activemeter.com
127.0.0.1 www.activemeter.com
127.0.0.1 ads.activepower.net

There are 12837 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================

Intel(R) PRO/Wireless 3945ABG Network Connection = Wireless Network Connection (Connected)
Remote NDIS based Device = Local Area Connection 3 (Connected)
Intel(R) PRO/100 VE Network Connection = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : win7-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : clearwire-wmx.net

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . : clearwire-wmx.net
Description . . . . . . . . . . . : Remote NDIS based Device
Physical Address. . . . . . . . . : 00-1D-88-81-1E-FC
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::94a0:6364:ce57:3e42%37(Preferred)
IPv4 Address. . . . . . . . . . . : 50.11.128.126(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.192.0
Lease Obtained. . . . . . . . . . : Thursday, March 21, 2013 1:43:10 AM
Lease Expires . . . . . . . . . . : Thursday, March 21, 2013 4:20:33 AM
Default Gateway . . . . . . . . . : 50.11.128.1
DHCP Server . . . . . . . . . . . : 192.168.14.1
DHCPv6 IAID . . . . . . . . . . . : 721427848
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-3C---------------------
DNS Servers . . . . . . . . . . . : 192.XXXXXXXXXX
71.22.6.12
64.13.115.12
Primary WINS Server . . . . . . . : 192.XXX XX X
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-A0-D1-4B-01-CE
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 15:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::86d:30e6:cdf4:7f81%11(Preferred)
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 369098752
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-3C-6C-66-00-A0-D1-4B-01-CE
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.clearwire-wmx.net:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : clearwire-wmx.net
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 14:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #8
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{E052BA8F-4FC5-4B70-ADEE-1E46A38B1079}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter 6TO4 Adapter:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 16:

Connection-specific DNS Suffix . : clearwire-wmx.net
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #9
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:320b:807e::320b:807e(Preferred)
Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
DNS Servers . . . . . . . . . . . : 192.168.14.1
71.22.6.12
64.13.115.12
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter 6TO4 Adapter:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #7
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{F596915B-C929-405C-B67C-222FC692434F}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 18:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #11
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 17:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #10
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 29:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #16
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 19:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #12
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 26:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #13
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 27:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #14
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 28:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #15
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 30:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #17
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 31:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #18
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.14.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.

Pinging google.com [74.125.225.232] with 32 bytes of data:
Reply from 74.125.225.232: bytes=32 time=90ms TTL=56
Reply from 74.125.225.232: bytes=32 time=137ms TTL=56

Ping statistics for 74.125.225.232:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 90ms, Maximum = 137ms, Average = 113ms
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.14.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.

Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=126ms TTL=52
Reply from 98.139.183.24: bytes=32 time=206ms TTL=52

Ping statistics for 98.139.183.24:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 126ms, Maximum = 206ms, Average = 166ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
37...00 1d 88 81 1e fc ......Remote NDIS based Device
21...00 a0 d1 4b 01 ce ......Intel(R) PRO/100 VE Network Connection
1...........................Software Loopback Interface 1
23...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
11...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
34...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
35...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #8
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
36...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #9
22...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #7
24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
26...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #11
25...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #10
31...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #16
27...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #12
28...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #13
29...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #14
30...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #15
32...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #17
33...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #18
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 50.11.128.1 50.11.128.126 20
50.11.128.0 255.255.192.0 On-link 50.11.128.126 276
50.11.128.126 255.255.255.255 On-link 50.11.128.126 276
50.11.191.255 255.255.255.255 On-link 50.11.128.126 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.14.0 255.255.255.0 On-link 50.11.128.126 21
192.168.14.1 255.255.255.255 50.11.128.126 50.11.128.126 21
192.168.14.255 255.255.255.255 On-link 50.11.128.126 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 50.11.128.126 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 50.11.128.126 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
36 1125 ::/0 2002:c058:6301::c058:6301
1 306 ::1/128 On-link
36 1025 2002::/16 On-link
36 281 2002:320b:807e::320b:807e/128
On-link
37 276 fe80::/64 On-link
11 306 fe80::/64 On-link
11 306 fe80::86d:30e6:cdf4:7f81/128
On-link
37 276 fe80::94a0:6364:ce57:3e42/128
On-link
1 306 ff00::/8 On-link
11 306 ff00::/8 On-link
37 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [51712] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 05 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 06 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 27 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 28 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 29 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 30 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 31 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 32 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 33 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 34 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 35 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 36 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 37 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 38 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 39 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 40 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 41 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 42 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 43 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 44 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 45 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 46 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 47 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 48 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 49 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 50 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 51 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 52 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 53 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 54 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================

System errors:
=============
Error: (03/21/2013 01:31:48 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
crcdisk
OADevice

Error: (03/21/2013 01:31:30 AM) (Source: Service Control Manager) (User: )
Description: The TinyWall Service service failed to start due to the following error:
%%1053

Error: (03/21/2013 01:31:30 AM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the TinyWall Service service to connect.

Error: (03/21/2013 01:30:55 AM) (Source: APPHOSTSVC) (User: )
Description: The Application Host Helper Service encountered an error while reading the data for SID mapping. Please ensure that the application pool name data is correct in the configuration file. To resolve this issue, please recommit the changes or restart this service. The data field contains the error number.

Error: (03/21/2013 01:26:33 AM) (Source: DCOM) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (03/21/2013 00:31:46 AM) (Source: Microsoft-Windows-DNS-Client) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.


Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
Date: 2013-03-09 15:31:32.981
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\NoVirusThanks\WriteProcessMemory Monitor\WriteProcessMemory_Hook.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-03-09 15:10:49.325
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\NoVirusThanks\WriteProcessMemory Monitor\WriteProcessMemory_Hook.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-03-09 15:04:12.305
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\NoVirusThanks\WriteProcessMemory Monitor\WriteProcessMemory_Hook.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-03-09 13:30:36.434
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\NoVirusThanks\WriteProcessMemory Monitor\WriteProcessMemory_Hook.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-02-25 07:46:00.878
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\win7\Documents\ProcAlyzer Dumps\gzserv.exe--2013-02-18--18-47-27.dump because the set of per-page image hashes could not be found on the system.

Date: 2013-02-25 07:46:00.878
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\win7\Documents\ProcAlyzer Dumps\gzserv.exe--2013-02-18--18-47-27.dump because the set of per-page image hashes could not be found on the system.

Date: 2013-02-25 07:46:00.878
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\win7\Documents\ProcAlyzer Dumps\gzserv.exe--2013-02-18--18-47-27.dump because the set of per-page image hashes could not be found on the system.

Date: 2013-02-25 07:46:00.847
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\win7\Documents\ProcAlyzer Dumps\gzserv.exe--2013-02-18--18-47-06.dump because the set of per-page image hashes could not be found on the system.

Date: 2013-02-25 07:46:00.847
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\win7\Documents\ProcAlyzer Dumps\gzserv.exe--2013-02-18--18-47-06.dump because the set of per-page image hashes could not be found on the system.

Date: 2013-02-25 07:46:00.831
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Users\win7\Documents\ProcAlyzer Dumps\gzserv.exe--2013-02-18--18-47-06.dump because the set of per-page image hashes could not be found on the system.


=========================== Installed Programs ============================

Adobe Flash Player 11 Plugin (Version: 11.6.602.171)
Advanced SystemCare 4 (Version: 4.0.0)
Auslogics Registry Cleaner (Version: 2.5)
avast! Free Antivirus (Version: 8.0.1483.0)
Belarc Advisor 8.3 (Version: 8.3.0.0)
CCleaner (Version: 3.08)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DigiCert Discovery (Version: 1.05)
DLL Suite 2013
Driver Fusion (Version: 1.5.0)
EasyCleaner (Version: 2.0.6.380)
ExactFile 1.0.0.15
FreeFixer (Version: 1.01)
HitmanPro 3.7 (Version: 3.7.2.190)
Intel(R) Graphics Media Accelerator Driver (Version: 8.15.10.1930)
Internet Explorer (Enable DEP)
jv16 PowerTools 2012 (Version: )
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.4734.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.4734.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.4734.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Windows Debugging Symbols (Version: 7601)
Mozilla Firefox 19.0.2 (x86 en-US) (Version: 19.0.2)
Mozilla Maintenance Service (Version: 19.0.2)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP3 Parser (KB2721691) (Version: 4.30.2114.0)
MSXML 4.0 SP3 Parser (KB2758694) (Version: 4.30.2117.0)
MSXML 4.0 SP3 Parser (Version: 4.30.2100.0)
NirSoft ServiWin
Panda Security Toolbar (Version: 4.0.0.17)
Registry Smoker 1.5 (Version: 1.5)
Revo Uninstaller 1.94 (Version: 1.94)
Spybot - Search & Destroy (Version: 2.0.12)
TinyWall (Version: 2.0.1.0)
TIPCI (Version: 1.23.0000)
Tweaking.com - Advanced System Tweaker (Version: 1.1.3)
Tweaking.com - Simple System Tweaker (Version: 1.1.3)
Tweaking.com - Windows Repair (All in One) (Version: 1.9.7)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553092)
WSCC 2.1.0.0

========================= Devices: ================================

Name: Crcdisk Filter Driver
Description: Crcdisk Filter Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: crcdisk
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


========================= Memory info: ===================================

Percentage of memory in use: 41%
Total physical RAM: 2550.05 MB
Available physical RAM: 1479.34 MB
Total Pagefile: 6375.05 MB
Available Pagefile: 4947.49 MB
Total Virtual: 2047.88 MB
Available Virtual: 1931.57 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:55.79 GB) (Free:25.72 GB) NTFS
2 Drive d: (Mar 19 2013) (CDROM) (Total:0.69 GB) (Free:0.41 GB) UDF
3 Drive e: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.03 GB) NTFS

========================= Users: ========================================

User accounts for \\WIN7-PC

Administrator Guest

========================= Minidump Files ==================================

No minidump file found

========================= Restore Points ==================================

18-03-2013 02:55:03 Windows Backup
18-03-2013 08:09:20 Online Armor installation
18-03-2013 10:47:38 Installed TinyWall
21-03-2013 00:06:17 Removed TinyWall
21-03-2013 02:49:41 Installed TinyWall

**** End of log ****



#31
March 21, 2013 at 20:05:56

Windows Forensics: Have I been Hacked?
http://www.bleepingcomputer.com/tut...


#32
March 21, 2013 at 21:12:33

When I googled it, the 127.0.0.1 lines do not seem to be a problem; noknojon says: "Do not worry about that - So is mine" (Posted 25 October 2012 - 07:25 AM)

more lines starting with "127.0.0.1"
http://is.gd/bt6kpT

http://www.bleepingcomputer.com/for...
There are 15266 more lines starting with "127.0.0.1"

http://forums.spybot.info/showthrea...
There are 15218 more lines starting with "127.0.0.1"

http://www.techspot.com/community/t...
There are 14883 more lines starting with "127.0.0.1"

http://forums.whatthetech.com/index...
There are 26315 more lines starting with "127.0.0.1"

http://www.computerhope.com/forum/i...
There are 14897 more lines starting with "127.0.0.1"

http://www.pchelpforum.com/xf/threa...
There are 14677 more lines starting with "127.0.0.1"

http://www.geekstogo.com/forum/topi...
There are 15218 more lines starting with "127.0.0.1"

http://www.geekstogo.com/forum/topi...
There are 14132 more lines starting with "127.0.0.1"



#33
March 21, 2013 at 21:19:36

Run TFC
http://www.geekstogo.com/forum/file...
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Please double-click TFC.exe to run it. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


#34
March 22, 2013 at 17:05:36

"I'm really hoping to put an end to this and 'compute' like everyone else in the world...and be trouble free in the future"

Malware Prevention
http://www.malwarevault.com/prevent...
"There is no magic involved. The majority of malware is installed by the user themselves"
What's that message mean? click, click.

