Jump to content


[RESOLVED] Malware causing Black Screen of Death

Started By aceharmonic, Jan 02 2012 04:11 AM

41 replies to this topic

#1 aceharmonic

    Member

  • 21 posts
  • Joined: January 02, 2012
  • 1 topics
  • Local time: 09:30 AM
  • Zodiac:Aquarius
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 8h 7m 5s

Posted 02 January 2012 - 04:11 AM

I have been trying for a day to get this resolved on my own and I can't figure it out. I have something that is not allowing my desktop to load. I can function through Safe Mode, but any form of networking (Safe Mode with Networking or standard boot) will not load. I have tried all things that I can find on the web, but still can't get my issue resolved. Get it corrected and I will be happy to donate to this board. Any help would be appreciated.

Malwarebytes log
=====================

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5067

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.7601.17514

1/1/2012 7:39:27 PM
mbam-log-2012-01-01 (19-39-27).txt

Scan type: Quick scan
Objects scanned: 170427
Time elapsed: 5 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

==============
GMER log
==============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-01 20:40:47
Windows 6.1.7601 Service Pack 1
Running: mlb6d9bf.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\506313f97dcf
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcbdadf65
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\506313f97dcf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f07bcbdadf65 (not active ControlSet)

---- EOF - GMER 1.0.15 ----

==============
aswMBR log
==============

aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2012-01-01 20:42:07
-----------------------------
20:42:07.151 OS Version: Windows x64 6.1.7601 Service Pack 1
20:42:07.151 Number of processors: 4 586 0x2505
20:42:07.151 ComputerName: CLARK UserName: Mike
20:42:20.021 Initialize success
20:42:32.252 AVAST engine download error: 0
20:42:41.596 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
20:42:41.596 Disk 0 Vendor: SAMSUNG_ 2AC1 Size: 476940MB BusType: 3
20:42:41.628 Disk 0 MBR read successfully
20:42:41.628 Disk 0 MBR scan
20:42:41.659 Disk 0 Windows 7 default MBR code
20:42:41.674 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10836 MB offset 2048
20:42:41.690 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 22194176
20:42:41.706 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 466002 MB offset 22398976
20:42:41.737 Service scanning
20:42:42.439 Service rwoPrePd C:\Windows\System32\drivers\rwoPrePd.sys **LOCKED** 32
20:42:43.063 Modules scanning
20:42:43.063 Disk 0 trace - called modules:
20:42:43.094 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
20:42:43.125 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004b9b060]
20:42:43.141 3 CLASSPNP.SYS[fffff88001db943f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0xfffffa80048e1050]
20:42:43.141 Scan finished successfully
20:43:25.230 Disk 0 MBR has been saved successfully to "G:\Fix Laptop\MBR.dat"
20:43:25.245 The log file has been saved successfully to "G:\Fix Laptop\aswMBR.txt"


==============
DDS log
==============

.
DDS (Ver_2011-06-23.01) - NTFSAMD64 MINIMAL
Internet Explorer: 8.0.7601.17514
Run by Mike at 21:02:02 on 2012-01-01
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3766.2920 [GMT -7:00]
.
AV: Webroot SecureAnywhere *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Webroot SecureAnywhere *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\IPS\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
uRun: [WLSync] "C:\Program Files (x86)\Windows Live\Mesh\WLSync.exe" /background
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [SmartWiHelper] "C:\Program Files (x86)\Sony\SmartWi Connection Utility\SmartWiHelper.exe" /WindowsStartup
mRun: [ISBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe"
mRun: [PMBVolumeWatcher] c:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [{9ABA99F9-A8FE-7E89-8E99-AE8b85E9AE9B}] "C:\Program Files (x86)\Cricket Broadband Connect\AvqAutoRun.exe" "C:\Program Files (x86)\Cricket Broadband Connect\mphonetools.exe" /OnPlug=%s
mRun: [M-Audio Taskbar Icon] C:\Windows\system32\MAFWTray.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [WRSVC] "C:\Program Files\Webroot\WRSA.exe" -ul
mRunOnce: [InstallShieldSetup] C:\PROGRA~2\INSTAL~1\{36C5B~1\setup.exe -rebootC:\PROGRA~2\INSTAL~1\{36C5B~1\reboot.ini
StartupFolder: C:\Users\Mike\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files (x86)\WIDCOMM\Bluetooth Software\BTTray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\Program Files (x86)\Evernote\Evernote3.5\enbar.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: Interfaces\{0F938084-FD3B-4980-9BC6-A13A11C80062} : DhcpNameServer = 192.168.42.129
TCP: Interfaces\{8BE1240A-F4FA-42B3-9F86-0A2AE07D60E8} : DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{DC021824-3036-4DDB-B5CB-923602A21399} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{DC021824-3036-4DDB-B5CB-923602A21399}\3425F4353575146554D263431353 : DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{DC021824-3036-4DDB-B5CB-923602A21399}\34F627077457563747 : DhcpNameServer = 4.2.2.2
TCP: Interfaces\{DC021824-3036-4DDB-B5CB-923602A21399}\4456661657C647 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{DC021824-3036-4DDB-B5CB-923602A21399}\C4574786F6270234F62707 : DhcpNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [SmartWiHelper] "C:\Program Files (x86)\Sony\SmartWi Connection Utility\SmartWiHelper.exe" /WindowsStartup
mRun-x64: [ISBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe"
mRun-x64: [PMBVolumeWatcher] c:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [{9ABA99F9-A8FE-7E89-8E99-AE8b85E9AE9B}] "C:\Program Files (x86)\Cricket Broadband Connect\AvqAutoRun.exe" "C:\Program Files (x86)\Cricket Broadband Connect\mphonetools.exe" /OnPlug=%s
mRun-x64: [M-Audio Taskbar Icon] C:\Windows\system32\MAFWTray.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [WRSVC] "C:\Program Files\Webroot\WRSA.exe" -ul
mRunOnce-x64: [InstallShieldSetup] C:\PROGRA~2\INSTAL~1\{36C5B~1\setup.exe -rebootC:\PROGRA~2\INSTAL~1\{36C5B~1\reboot.ini
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R0 rwoPrePd;rwoPrePd;C:\Windows\system32\drivers\rwoPrePd.sys --> C:\Windows\system32\drivers\rwoPrePd.sys [?]
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS [?]
R2 rimspci;rimspci;C:\Windows\system32\drivers\rimssne64.sys --> C:\Windows\system32\drivers\rimssne64.sys [?]
R2 risdsnpe;risdsnpe;C:\Windows\system32\drivers\risdsne64.sys --> C:\Windows\system32\drivers\risdsne64.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\drivers\HECIx64.sys --> C:\Windows\system32\drivers\HECIx64.sys [?]
R3 huawei_enumerator;huawei_enumerator;C:\Windows\system32\DRIVERS\ew_jubusenum.sys --> C:\Windows\system32\DRIVERS\ew_jubusenum.sys [?]
R3 SFEP;Sony Firmware Extension Parser;C:\Windows\system32\drivers\SFEP.sys --> C:\Windows\system32\drivers\SFEP.sys [?]
S1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20111027.001\BHDrvx64.sys [2011-11-1 1155704]
S1 GizmoDrv;Gizmo Device Driver;C:\Windows\system32\drivers\GizmoDrv.sys --> C:\Windows\system32\drivers\GizmoDrv.sys [?]
S1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20111110.030\IDSviA64.sys [2011-11-10 488568]
S1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS --> C:\Windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS [?]
S1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\N360x64\0501000.01D\SYMNETS.SYS --> C:\Windows\system32\Drivers\N360x64\0501000.01D\SYMNETS.SYS [?]
S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 Gizmo Central;Gizmo Central;C:\Program Files (x86)\Gizmo\gservice.exe [2010-8-29 31856]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-8-28 135664]
S2 HMuKstOr;Kensington TrackballWorks Orbit USB HID Device Filter Driver;C:\Windows\system32\DRIVERS\HMuKstOr.sys --> C:\Windows\system32\DRIVERS\HMuKstOr.sys [?]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-4-21 13336]
S2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe [2011-7-30 130008]
S2 O&O CleverCache;O&O CleverCache;C:\Program Files\OO Software\CleverCache\ooccag.exe [2009-10-30 843592]
S2 Oasis2Service;Oasis2Service;C:\Program Files (x86)\DDNi\Oasis2Service\Oasis2Service.exe [2011-8-13 49152]
S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
S2 SampleCollector;VAIO Care Performance Service;C:\Program Files\Sony\VAIO Care\VCPerfService.exe [2011-12-15 259192]
S2 uCamMonitor;CamMonitor;C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2010-8-28 104960]
S2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-4-21 2320920]
S2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2010-2-19 529776]
S2 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;C:\Program Files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2010-2-19 386416]
S2 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
S2 WRSVC;WRSVC;C:\Program Files\Webroot\WRSA.exe [2011-11-15 637208]
S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atipmdag.sys --> C:\Windows\system32\DRIVERS\atipmdag.sys [?]
S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
S3 androidusb;ADB Interface Driver;C:\Windows\system32\Drivers\smhwadb.sys --> C:\Windows\system32\Drivers\smhwadb.sys [?]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;C:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys --> C:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys [?]
S3 btwampfl;Bluetooth AMP USB Filter;C:\Windows\system32\drivers\btwampfl.sys --> C:\Windows\system32\drivers\btwampfl.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\system32\DRIVERS\btwl2cap.sys --> C:\Windows\system32\DRIVERS\btwl2cap.sys [?]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\Windows\system32\DRIVERS\ew_hwusbdev.sys --> C:\Windows\system32\DRIVERS\ew_hwusbdev.sys [?]
S3 ewusbnet;HUAWEI USB-NDIS miniport;C:\Windows\system32\DRIVERS\ewusbnet.sys --> C:\Windows\system32\DRIVERS\ewusbnet.sys [?]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-8-28 135664]
S3 Impcd;Impcd;C:\Windows\system32\drivers\Impcd.sys --> C:\Windows\system32\drivers\Impcd.sys [?]
S3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
S3 L6PODHD4;Service - Line 6 POD HD400;C:\Windows\system32\Drivers\L6PODHD464.sys --> C:\Windows\system32\Drivers\L6PODHD464.sys [?]
S3 MAFW;Service for M-Audio FireWire;C:\Windows\system32\DRIVERS\mafw.sys --> C:\Windows\system32\DRIVERS\mafw.sys [?]
S3 MSSQL$DDNI;SQL Server (DDNI);C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\sqlservr.exe [2009-3-30 43010392]
S3 RDPDISPM;RDPDISPM;C:\Windows\system32\DRIVERS\rdpdispm.sys --> C:\Windows\system32\DRIVERS\rdpdispm.sys [?]
S3 smhwdev;SmartPhone dummy USB PNP Device (Normal);C:\Windows\system32\DRIVERS\smhwdev.sys --> C:\Windows\system32\DRIVERS\smhwdev.sys [?]
S3 smhwser;USB Device for Legacy Serial Communication (Normal);C:\Windows\system32\DRIVERS\smhwser.sys --> C:\Windows\system32\DRIVERS\smhwser.sys [?]
S3 SOHCImp;VAIO Media plus Content Importer;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2010-9-10 108400]
S3 SOHDms;VAIO Media plus Digital Media Server;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2010-10-12 423280]
S3 SOHDs;VAIO Media plus Device Searcher;C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2010-9-10 67952]
S3 SpfService;VAIO Entertainment Common Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe [2011-1-20 286936]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\system32\DRIVERS\ssadbus.sys --> C:\Windows\system32\DRIVERS\ssadbus.sys [?]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\system32\DRIVERS\ssadmdfl.sys --> C:\Windows\system32\DRIVERS\ssadmdfl.sys [?]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\system32\DRIVERS\ssadmdm.sys --> C:\Windows\system32\DRIVERS\ssadmdm.sys [?]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);C:\Windows\system32\DRIVERS\ssadserd.sys --> C:\Windows\system32\DRIVERS\ssadserd.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 VAIO Power Management;VAIO Power Management;C:\Program Files\Sony\VAIO Power Management\SPMService.exe [2010-8-28 574320]
S3 VCFw;VAIO Content Folder Watcher;C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2011-1-20 887000]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2010-2-19 115568]
S3 VCService;VCService;C:\Program Files\Sony\VAIO Care\VCService.exe [2011-12-15 44736]
S3 VUAgent;VUAgent;C:\Program Files\Sony\VAIO Update Common\VUAgent.exe [2011-9-23 1429608]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files (x86)\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-3-30 47128]
S4 SQLAgent$DDNI;SQL Server Agent (DDNI);C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2012-01-02 02:42:24 108896 ----a-w- C:\Windows\System32\drivers\dWwsydIO.sys
2012-01-01 23:56:35 108896 ----a-w- C:\Windows\System32\drivers\xjiDbpFQ.sys
2012-01-01 23:29:36 108896 ----a-w- C:\Windows\System32\drivers\aJeKEaUZ.sys
2012-01-01 10:45:45 -------- d-----w- C:\Users\Mike\AppData\Local\{264393B0-EA8B-4AC4-9313-F69E00C34D53}
2012-01-01 06:08:04 -------- d-----w- C:\cleanup
2012-01-01 00:46:50 -------- d-----w- C:\Users\Mike\AppData\Local\{C70E3E8A-9734-4989-B374-D65E9F3ECAD7}
2011-12-31 12:46:26 -------- d-----w- C:\Users\Mike\AppData\Local\{6B38F189-2144-433A-93E9-B68A629D4317}
2011-12-31 00:46:03 -------- d-----w- C:\Users\Mike\AppData\Local\{69662AB5-E4C7-4898-8A9F-775297CBE353}
2011-12-30 12:45:40 -------- d-----w- C:\Users\Mike\AppData\Local\{44E374EC-9DEF-4084-9018-019484ECC93B}
2011-12-30 00:45:16 -------- d-----w- C:\Users\Mike\AppData\Local\{8A491DF6-85A0-43F1-A195-144DAAC5F310}
2011-12-29 12:44:52 -------- d-----w- C:\Users\Mike\AppData\Local\{490E7BD1-C3E4-41E3-8C9E-34DE6391DD45}
2011-12-29 00:44:29 -------- d-----w- C:\Users\Mike\AppData\Local\{0FA6254A-9F6E-4493-938E-4D8D9C113F59}
2011-12-28 12:43:52 -------- d-----w- C:\Users\Mike\AppData\Local\{55E42B7B-5F0F-4656-80E0-8F8E623AD1FD}
2011-12-28 00:39:58 -------- d-----w- C:\Users\Mike\AppData\Local\{E394FCB7-5656-458F-8727-7FED912A2F29}
2011-12-27 12:39:36 -------- d-----w- C:\Users\Mike\AppData\Local\{90AF81A8-2519-4207-812D-20811BA20E9C}
2011-12-27 00:38:53 -------- d-----w- C:\Users\Mike\AppData\Local\{EE0A9F5B-F448-4AFD-ACF0-8FDD50F44EE5}
2011-12-27 00:38:36 -------- d-----w- C:\Users\Mike\AppData\Local\{61F89C26-233D-4B33-A1B5-5A3CE5332196}
2011-12-23 05:02:16 -------- d-----w- C:\Users\Mike\AppData\Local\{EF4EF56D-A222-49D3-851D-BD61397C6088}
2011-12-22 17:01:53 -------- d-----w- C:\Users\Mike\AppData\Local\{C746FE88-CCB7-409D-B47C-F7DF10C68614}
2011-12-22 07:50:21 108896 ----a-w- C:\Windows\System32\drivers\vKbbSQbZ.sys
2011-12-22 05:01:31 -------- d-----w- C:\Users\Mike\AppData\Local\{97C2E110-4AA3-4072-AE86-8C041DC77870}
2011-12-21 17:01:08 -------- d-----w- C:\Users\Mike\AppData\Local\{6D1ADCCE-DF42-4BA8-A4DD-B4ADCD9FED3C}
2011-12-21 07:38:44 108896 ----a-w- C:\Windows\System32\drivers\paurXARX.sys
2011-12-21 05:00:44 -------- d-----w- C:\Users\Mike\AppData\Local\{A5F33D77-2794-477F-85AD-758D85DC382E}
2011-12-20 17:00:21 -------- d-----w- C:\Users\Mike\AppData\Local\{A6BF7E6A-97A4-4493-93A6-1F9C0ADEE054}
2011-12-20 07:29:35 108896 ----a-w- C:\Windows\System32\drivers\liUAzgPF.sys
2011-12-20 04:59:59 -------- d-----w- C:\Users\Mike\AppData\Local\{71A2030E-CD3F-44FC-B464-5E0120B2D80D}
2011-12-19 16:59:36 -------- d-----w- C:\Users\Mike\AppData\Local\{F33CFE90-0AB1-400B-A81E-CE05ECF54CBE}
2011-12-19 07:24:25 108896 ----a-w- C:\Windows\System32\drivers\CQwPmpKt.sys
2011-12-19 04:59:14 -------- d-----w- C:\Users\Mike\AppData\Local\{54DE513B-1544-4181-80F1-CD8ACC70C7B1}
2011-12-18 16:58:40 -------- d-----w- C:\Users\Mike\AppData\Local\{EFC6F9E0-C48D-430E-B350-D3FAF6B96723}
2011-12-17 15:43:03 108896 ----a-w- C:\Windows\System32\drivers\loTihGQI.sys
2011-12-17 14:45:51 -------- d-----w- C:\Users\Mike\AppData\Local\{4D56C514-A765-4DE0-95E4-A4F425FC0738}
2011-12-17 02:45:29 -------- d-----w- C:\Users\Mike\AppData\Local\{1C46C948-85CB-4382-A378-DBF6580A4A46}
2011-12-16 15:41:32 108896 ----a-w- C:\Windows\System32\drivers\fdFchSuE.sys
2011-12-16 14:45:07 -------- d-----w- C:\Users\Mike\AppData\Local\{3A4C1D8C-A375-42AB-87F3-3D8E3557155B}
2011-12-16 02:44:45 -------- d-----w- C:\Users\Mike\AppData\Local\{8B31CC46-1DE3-452A-9E4F-7733480BA987}
2011-12-15 15:30:26 108896 ----a-w- C:\Windows\System32\drivers\LfidZRkv.sys
2011-12-15 14:44:21 -------- d-----w- C:\Users\Mike\AppData\Local\{FBB80616-DC39-4452-8022-2C28589CCCF5}
2011-12-15 14:44:11 -------- d-----w- C:\Users\Mike\AppData\Local\{AD683C1A-D5B8-493C-8DD5-1BC43B90FD34}
2011-12-15 10:25:54 108896 ----a-w- C:\Windows\System32\drivers\CFbjXzCc.sys
2011-12-15 01:26:06 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-12-15 01:26:00 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-12-15 01:21:52 -------- d-----w- C:\Users\Mike\AppData\Local\{062F1677-8734-43D8-9EC1-CD2D380433D2}
2011-12-14 11:05:49 -------- d-----w- C:\Users\Mike\AppData\Local\{E2132F26-A393-4C48-8088-863304352535}
2011-12-14 04:41:18 108896 ----a-w- C:\Windows\System32\drivers\iFOWzyTB.sys
2011-12-13 23:05:26 -------- d-----w- C:\Users\Mike\AppData\Local\{390B2A78-ECED-4B1A-B7BB-32781CB987DF}
2011-12-13 11:05:04 -------- d-----w- C:\Users\Mike\AppData\Local\{98ABCC75-9279-40BE-8A25-C6DBFB979161}
2011-12-13 04:28:45 108896 ----a-w- C:\Windows\System32\drivers\wOMyxktU.sys
2011-12-12 23:04:42 -------- d-----w- C:\Users\Mike\AppData\Local\{3BB525E6-208A-422C-BD18-CBFDB1BAE225}
2011-12-12 11:04:20 -------- d-----w- C:\Users\Mike\AppData\Local\{F3FB503C-8532-4B06-8C33-9E32CF8B1A38}
2011-12-12 04:08:30 108896 ----a-w- C:\Windows\System32\drivers\hBYfpolU.sys
2011-12-11 23:03:55 -------- d-----w- C:\Users\Mike\AppData\Local\{E23896F1-A6C5-4990-A5F7-25BFA863C4FD}
2011-12-11 23:03:45 -------- d-----w- C:\Users\Mike\AppData\Local\{BEB7347C-3424-4F74-8AB7-65A505A96B62}
2011-12-11 03:48:17 108896 ----a-w- C:\Windows\System32\drivers\aNyIAIJI.sys
2011-12-10 14:33:34 108896 ----a-w- C:\Windows\System32\drivers\ovUwOiWm.sys
2011-12-09 14:33:26 108896 ----a-w- C:\Windows\System32\drivers\WEFFdUyi.sys
2011-12-09 03:32:45 108896 ----a-w- C:\Windows\System32\drivers\zCFaoMVY.sys
2011-12-07 18:30:33 108896 ----a-w- C:\Windows\System32\drivers\nIGmjdaL.sys
2011-12-07 12:30:12 108896 ----a-w- C:\Windows\System32\drivers\OQZwYIZA.sys
2011-12-06 12:16:54 108896 ----a-w- C:\Windows\System32\drivers\vIZhGPeF.sys
2011-12-05 04:55:15 108896 ----a-w- C:\Windows\System32\drivers\LEsAmJLk.sys
2011-12-04 03:58:35 108896 ----a-w- C:\Windows\System32\drivers\BYUDcPzw.sys
2011-12-03 11:55:10 108896 ----a-w- C:\Windows\System32\drivers\iqKvxpTI.sys
.
==================== Find3M ====================
.
2011-12-15 15:30:26 91832 ----a-w- C:\Windows\System32\WRusr.dll
2011-12-15 15:30:26 141272 ----a-w- C:\Windows\SysWow64\WRusr.dll
2011-12-15 15:30:26 108896 ----a-w- C:\Windows\System32\drivers\rwoPrePd.sys
2011-12-02 03:09:02 108896 ----a-w- C:\Windows\System32\drivers\eoKaWoWV.sys
2011-11-30 16:57:35 108896 ----a-w- C:\Windows\System32\drivers\gUBgSHNj.sys
2011-11-29 16:56:27 108896 ----a-w- C:\Windows\System32\drivers\ZfdjgAQe.sys
2011-11-24 17:36:52 108896 ----a-w- C:\Windows\System32\drivers\PyWmhMJG.sys
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-11-23 17:35:41 108896 ----a-w- C:\Windows\System32\drivers\jIkWlOea.sys
2011-11-23 07:35:00 107336 ----a-w- C:\Windows\System32\drivers\DYkZVYDQ.sys
2011-11-22 07:29:51 107336 ----a-w- C:\Windows\System32\drivers\ZClZrfjh.sys
2011-11-20 19:53:59 107336 ----a-w- C:\Windows\System32\drivers\qkhquXMe.sys
2011-11-19 19:52:13 107336 ----a-w- C:\Windows\System32\drivers\COWSBUcL.sys
2011-11-18 15:13:26 107336 ----a-w- C:\Windows\System32\drivers\WzFFgWpm.sys
2011-11-17 15:12:49 107336 ----a-w- C:\Windows\System32\drivers\DUIzOdRU.sys
2011-11-16 15:01:36 107336 ----a-w- C:\Windows\System32\drivers\IFVfOTEO.sys
2011-11-16 10:19:41 107336 ----a-w- C:\Windows\System32\drivers\djOOXtve.sys
2011-11-16 02:04:51 107336 ----a-w- C:\Windows\System32\drivers\xHkBEhtL.sys
2011-11-05 05:32:50 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 04:26:03 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-11-05 03:32:47 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-15 06:31:56 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-10-15 05:38:59 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
.
============= FINISH: 21:02:19.47 ===============

===========
Attach log
===========

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 8/28/2010 7:33:30 PM
System Uptime: 1/1/2012 5:00:42 PM (4 hours ago)
.
Motherboard: Sony Corporation | | VAIO
Processor: Intel® Core™ i3 CPU U 330 @ 1.20GHz | N/A | 1197/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 455 GiB total, 399.602 GiB free.
G: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Security Processor Loader Driver
Device ID: ROOT\LEGACY_SPLDR\0000
Manufacturer:
Name: Security Processor Loader Driver
PNP Device ID: ROOT\LEGACY_SPLDR\0000
Service: spldr
.
==== System Restore Points ===================
.
RP138: 12/2/2011 9:00:34 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP139: 12/2/2011 9:37:24 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP140: 12/10/2011 - Scheduled Checkpoint
RP141: 12/15/2011 3:01:12 AM - Windows Update
RP142: 12/15/2011 8:01:57 AM - Removed VAIO Care
RP143: 12/15/2011 8:02:27 AM - Installed VAIO Care
RP144: 12/15/2011 6:35:14 PM - Installed VAIO Update 5
RP145: 12/23/2011 12:00:01 AM - Scheduled Checkpoint
RP146: 12/30/2011 3:04:43 PM - Device Driver Package Install: Line 6
RP147: 12/30/2011 3:05:15 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP148: 12/30/2011 3:05:38 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP149: 12/30/2011 3:06:00 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP150: 12/30/2011 3:06:23 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP151: 12/30/2011 3:06:45 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP152: 12/30/2011 3:07:06 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP153: 12/30/2011 3:07:29 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP154: 12/30/2011 3:07:51 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP155: 12/30/2011 3:08:13 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP156: 12/30/2011 3:08:36 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP157: 12/30/2011 3:08:57 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP158: 12/30/2011 3:09:18 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP159: 12/30/2011 3:09:42 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP160: 12/30/2011 3:10:05 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP161: 12/30/2011 3:10:26 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP162: 12/30/2011 3:10:50 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP163: 12/30/2011 3:11:13 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP164: 12/30/2011 3:11:38 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP165: 12/30/2011 3:11:59 PM - Device Driver Package Install: Line 6 Sound, video and game controllers
RP166: 12/30/2011 6:47:19 PM - Installed Adobe Reader X (10.1.0).
.
==== Installed Programs ======================
.
.
Update for Microsoft Office 2007 (KB2508958)
Acoustica Beatcraft
Acoustica Effects Pack
Acoustica Mixcraft 5
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.0.1)
AmpegSVX
AmpliTube 3
AmpliTube Fender
AmpliTube Jimi Hendrix
AmpliTube Metal
AmpliTube X-GEAR
Application Manager for VAIO
ArcSoft Magic-i Visual Effects 2
ArcSoft WebCam Companion 3
ASIO4ALL
CCleaner
Cricket Broadband Connect
Cricket Broadband CROSSWAVE
D3DX10
Evernote
Gizmo Central
Google Chrome
Google Update Helper
Intel® Control Center
Intel® Graphics Media Accelerator Driver
Intel® Management Engine Components
Intel® Rapid Storage Technology
Intel® Turbo Boost Technology Driver
Java Auto Updater
Java™ 6 Update 24
Junk Mail filter update
LeapFrog Connect
LeapFrog My Pals Plugin
Line 6 Uninstaller
Malwarebytes' Anti-Malware
Media Gallery
Mesh Runtime
Messenger Companion
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mobile PhoneTools
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Security Suite
Oasis2Service
Okoker MP3 Splitter 5.0
OOBE
PMB
PMB VAIO Edition Guide
PMB VAIO Edition plug-in (VAIO Image Optimizer)
PMB VAIO Edition plug-in (VAIO Movie Story)
Realtek High Definition Audio Driver
Remote Keyboard
Remote Play with PlayStation 3
Sansa Updater
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Groove 2007 (KB2552997)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Service Pack 1 for SQL Server 2008 (KB968369)
Setting Utility Series
Skype™ 5.6
SmartWi Connection Utility
SOHLib Merge Module
Sony Home Network Library
Spotify
Sql Server Customer Experience Improvement Program
T-RackS 3 Deluxe
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2596560)
Use the entry named LeapFrog Connect to uninstall (LeapFrog My Pals Plugin)
VAIO - Remote Keyboard
VAIO - Remote Play with PlayStation®3
VAIO Care
VAIO Content Monitoring Settings
VAIO Control Center
VAIO Data Restore Tool
VAIO Entertainment Platform
VAIO Event Service
VAIO Gate
VAIO Gate Default
VAIO Hardware Diagnostics
VAIO Help and Support
VAIO Media plus
VAIO Media plus Opening Movie
VAIO Messenger
VAIO Movie Story Template Data
VAIO Original Function Settings
VAIO Power Management
VAIO Sample Contents
VAIO Survey
VAIO Transfer Support
VAIO Update
VAIO Wallpaper Contents
VLC media player 1.1.5
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Winrar 3.93
.
==== Event Viewer Messages From Past Week ========
.
12/31/2011 9:01:23 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Adobe Acrobat Update Service service to connect.
12/31/2011 8:01:35 PM, Error: Service Control Manager [7031] - The WRSVC service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
12/28/2011 2:50:50 AM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{DC021824-3036-4DDB-B5CB-923602A21399} because another computer on the network has the same name. The server could not start.
1/1/2012 8:43:11 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
1/1/2012 5:42:37 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Volume Shadow Copy service to connect.
1/1/2012 5:42:37 AM, Error: Service Control Manager [7000] - The Volume Shadow Copy service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 5:32:52 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Peer Networking Identity Manager service to connect.
1/1/2012 5:32:52 AM, Error: Service Control Manager [7001] - The Peer Networking Grouping service depends on the Peer Networking Identity Manager service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 5:32:52 AM, Error: Service Control Manager [7001] - The Peer Name Resolution Protocol service depends on the Peer Networking Identity Manager service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 5:32:52 AM, Error: Service Control Manager [7000] - The Peer Networking Identity Manager service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 5:30:42 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
1/1/2012 5:30:42 AM, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 5:02:46 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
1/1/2012 5:02:46 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
1/1/2012 5:01:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
1/1/2012 5:01:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/1/2012 5:01:28 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
1/1/2012 5:01:28 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
1/1/2012 5:01:27 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/1/2012 5:01:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
1/1/2012 5:01:05 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx64 cdrom CSC DfsC discache eeCtrl GizmoDrv IDSVia64 NetBIOS NetBT nsiproxy Psched rdbss spldr SRTSPX SymIM SymIRON SymNetS tdx vpcnfltr vpcvmm vwififlt Wanarpv6 WfpLwf
1/1/2012 5:01:05 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/1/2012 5:01:05 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2012 5:01:05 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2012 5:01:05 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
1/1/2012 5:01:05 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
1/1/2012 5:01:05 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2012 5:01:05 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/1/2012 5:01:05 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
1/1/2012 5:01:05 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2012 5:01:05 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2012 4:48:28 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the SQL Server VSS Writer service to connect.
1/1/2012 4:48:28 PM, Error: Service Control Manager [7000] - The SQL Server VSS Writer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 4:46:18 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the PMBDeviceInfoProvider service to connect.
1/1/2012 4:46:18 PM, Error: Service Control Manager [7000] - The PMBDeviceInfoProvider service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 4:44:15 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the O&O CleverCache service to connect.
1/1/2012 4:44:15 PM, Error: Service Control Manager [7000] - The O&O CleverCache service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 4:41:58 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Norton Security Suite service to connect.
1/1/2012 4:41:58 PM, Error: Service Control Manager [7000] - The Norton Security Suite service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 4:39:48 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Intel® Management and Security Application Local Management Service service to connect.
1/1/2012 4:39:48 PM, Error: Service Control Manager [7000] - The Intel® Management and Security Application Local Management Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 4:38:42 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the LeapFrog Connect Device Service service to connect.
1/1/2012 4:36:32 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Gizmo Central service to connect.
1/1/2012 4:36:32 PM, Error: Service Control Manager [7000] - The Gizmo Central service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 4:35:27 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Function Discovery Resource Publication service to connect.
1/1/2012 4:35:27 PM, Error: Service Control Manager [7000] - The Function Discovery Resource Publication service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 4:34:22 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Bluetooth Service service to connect.
1/1/2012 4:34:22 PM, Error: Service Control Manager [7000] - The Bluetooth Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 4:31:14 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Print Spooler service to connect.
1/1/2012 4:31:14 PM, Error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 4:25:12 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/1/2012 4:07:35 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
1/1/2012 4:00:04 PM, Error: Service Control Manager [7022] - The Background Intelligent Transfer Service service hung on starting.
1/1/2012 3:57:59 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the IPsec Policy Agent service to connect.
1/1/2012 3:57:59 PM, Error: Service Control Manager [7000] - The IPsec Policy Agent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 3:54:53 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
1/1/2012 3:54:23 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx64 cdrom SymIRON
1/1/2012 3:50:35 PM, Error: Service Control Manager [7022] - The Server service hung on starting.
1/1/2012 3:47:27 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Live ID Sign-in Assistant service to connect.
1/1/2012 3:47:27 PM, Error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 3:44:47 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Live Mesh remote connections service service to connect.
1/1/2012 3:44:47 PM, Error: Service Control Manager [7000] - The Windows Live Mesh remote connections service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 3:42:07 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the VAIO Content Metadata Intelligent Network Service Manager service to connect.
1/1/2012 3:42:07 PM, Error: Service Control Manager [7000] - The VAIO Content Metadata Intelligent Network Service Manager service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 3:39:27 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the VAIO Content Metadata Intelligent Analyzing Manager service to connect.
1/1/2012 3:39:27 PM, Error: Service Control Manager [7000] - The VAIO Content Metadata Intelligent Analyzing Manager service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 3:37:22 AM, Error: Service Control Manager [7034] - The O&O CleverCache service terminated unexpectedly. It has done this 1 time(s).
1/1/2012 3:36:47 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the VAIO Event Service service to connect.
1/1/2012 3:36:47 PM, Error: Service Control Manager [7000] - The VAIO Event Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 3:34:37 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the CamMonitor service to connect.
1/1/2012 3:34:37 PM, Error: Service Control Manager [7000] - The CamMonitor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 3:32:27 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Image Acquisition (WIA) service to connect.
1/1/2012 3:32:27 PM, Error: Service Control Manager [7000] - The Windows Image Acquisition (WIA) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 3:26:42 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: After starting, the service hung in a start-pending state.
1/1/2012 3:24:12 AM, Error: Service Control Manager [7022] - The Function Discovery Provider Host service hung on starting.
1/1/2012 3:21:07 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
1/1/2012 3:21:07 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 3:21:07 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
1/1/2012 3:20:21 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SysMain service.
1/1/2012 3:15:47 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
1/1/2012 3:00:06 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
1/1/2012 2:55:35 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Block Level Backup Engine Service service to connect.
1/1/2012 2:55:35 AM, Error: Service Control Manager [7000] - The Block Level Backup Engine Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 2:41:42 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service wbengine with arguments "" in order to run the server: {37734C4D-FFA8-4139-9AAC-60FBE55BF3DF}
1/1/2012 2:04:37 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
1/1/2012 12:56:49 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Dnscache service.
1/1/2012 10:47:46 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VCService with arguments "" in order to run the server: {6028EEB8-6D2B-4D62-A101-C03407994679}
1/1/2012 10:39:29 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the VcmINSMgr service.
1/1/2012 10:38:59 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the VcmIAlzMgr service.
1/1/2012 10:13:41 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Spooler service.
1/1/2012 10:02:20 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.
1/1/2012 1:55:41 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the wuauserv service.
1/1/2012 1:55:41 AM, Error: Service Control Manager [7000] - The Windows Update service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 1:54:14 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Schedule service.
1/1/2012 1:53:44 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NlaSvc service.
1/1/2012 1:48:26 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Intel® Management & Security Application User Notification Service service to connect.
1/1/2012 1:48:26 AM, Error: Service Control Manager [7000] - The Intel® Management & Security Application User Notification Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 1:46:13 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
1/1/2012 1:46:12 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx64 cdrom discache eeCtrl GizmoDrv IDSVia64 spldr SRTSPX SymIRON SymNetS vpcvmm Wanarpv6
1/1/2012 1:45:46 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Software Protection service to connect.
1/1/2012 1:45:46 AM, Error: Service Control Manager [7000] - The Software Protection service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 1:42:58 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the VAIO Care Performance Service service to connect.
1/1/2012 1:42:58 AM, Error: Service Control Manager [7000] - The VAIO Care Performance Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 1:40:18 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Oasis2Service service to connect.
1/1/2012 1:40:18 AM, Error: Service Control Manager [7000] - The Oasis2Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 1:34:58 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Intel® Rapid Storage Technology service to connect.
1/1/2012 1:34:58 AM, Error: Service Control Manager [7000] - The Intel® Rapid Storage Technology service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 1:29:38 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Google Update Service (gupdate) service to connect.
1/1/2012 1:29:38 AM, Error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/1/2012 1:21:38 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X64 service to connect.
1/1/2012 1:16:11 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
1/1/2012 1:05:49 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WRSVC service.
1/1/2012 1:04:39 AM, Error: Service Control Manager [7022] - The O&O CleverCache service hung on starting.
.
==== End Of File ===========================
Check out my band, Dogs of Prague

#2 Broni Re: [RESOLVED] Malware causing Black Screen of Death

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 09:30 AM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 11h 50m 50s

Posted 02 January 2012 - 04:23 AM

Welcome aboard Posted Image

Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=====================================================================================

First of all you're running two AV programs, Webroot and Norton.
You must uninstall one of them.
If Norton make sure to use following tool: https://www-secure.s...redirect_pubweb

Do you have another working computer and USB flash drive so we can transfer some tools?
Posted Image Posted Image


#3 aceharmonic Re: [RESOLVED] Malware causing Black Screen of Death

    Member

  • 21 posts
  • Joined: January 02, 2012
  • 1 topics
  • Local time: 09:30 AM
  • Zodiac:Aquarius
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 8h 7m 5s

Posted 02 January 2012 - 04:36 AM

I noticed that Norton was still on after reviewing my post. Norton has been removed, so I only have Webroot. I also have another laptop and a jump drive to transfer what we need. Thanks in advance.
Check out my band, Dogs of Prague

#4 Broni Re: [RESOLVED] Malware causing Black Screen of Death

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 09:30 AM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 11h 50m 50s

Posted 02 January 2012 - 04:43 AM

There are some files in DDS log which I really don't like, but let's see if we can make your computer more stable first.

Uninstall MBAM on your bad computer as it's a very outdated version.

On your good computer download fresh MBAM installer, transfer it to bad computer and install it there.
Since you don't have internet connection for now just run "Quick scan" without updating MBAM.

Also transfer and run following tools....

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=================================================

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

========================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.

**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Posted Image Posted Image


#5 aceharmonic Re: [RESOLVED] Malware causing Black Screen of Death

    Member

  • 21 posts
  • Joined: January 02, 2012
  • 1 topics
  • Local time: 09:30 AM
  • Zodiac:Aquarius
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 8h 7m 5s

Posted 02 January 2012 - 05:28 AM

You didn't mention whether you wanted the new log from MBAM, so I added it anyway.

==============
MBAM log
==============

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.24.05

Windows 7 Service Pack 1 x64 NTFS (Safe Mode)
Internet Explorer 8.0.7601.17514
Mike :: CLARK [administrator]

Protection: Disabled

1/1/2012 9:57:26 PM
mbam-log-2012-01-01 (21-57-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 216214
Time elapsed: 3 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

=============
aswMBR log
=============

aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2012-01-01 22:01:10
-----------------------------
22:01:10.119 OS Version: Windows x64 6.1.7601 Service Pack 1
22:01:10.119 Number of processors: 4 586 0x2505
22:01:10.119 ComputerName: CLARK UserName: Mike
22:01:12.209 Initialize success
22:01:16.889 AVAST engine download error: 0
22:01:21.803 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
22:01:21.803 Disk 0 Vendor: SAMSUNG_ 2AC1 Size: 476940MB BusType: 3
22:01:21.819 Disk 0 MBR read successfully
22:01:21.850 Disk 0 MBR scan
22:01:21.850 Disk 0 Windows 7 default MBR code
22:01:21.850 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10836 MB offset 2048
22:01:21.866 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 22194176
22:01:21.897 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 466002 MB offset 22398976
22:01:21.928 Service scanning
22:01:22.817 Service rwoPrePd C:\Windows\System32\drivers\rwoPrePd.sys **LOCKED** 32
22:01:23.582 Modules scanning
22:01:23.582 Disk 0 trace - called modules:
22:01:23.597 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
22:01:23.644 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004b95060]
22:01:23.644 3 CLASSPNP.SYS[fffff88001b6843f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0xfffffa80048c9050]
22:01:23.660 Scan finished successfully
22:01:41.085 Disk 0 MBR has been saved successfully to "G:\Fix Laptop\MBR.dat"
22:01:41.132 The log file has been saved successfully to "G:\Fix Laptop\aswMBR2.txt"

==============
FSS log
==============

Farbar Service Scanner
Ran by Mike (administrator) on 01-01-2012 at 22:03:08
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Minimal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Nsi Service is not running. Checking service configuration:
The start type of Nsi service is OK.
The ImagePath of Nsi service is OK.
The ServiceDll of Nsi service is OK.

nsiproxy Service is not running. Checking service configuration:
The start type of nsiproxy service is OK.
The ImagePath of nsiproxy service is OK.

tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

===============
ComboFix log
===============

ComboFix 12-01-01.06 - Mike 01/01/2012 22:07:48.1.4 - x64 MINIMAL
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3766.3168 [GMT -7:00]
Running from: c:\users\Mike\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
AV: Webroot SecureAnywhere *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Webroot SecureAnywhere *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\hpeDC4A.dll
c:\windows\system32\java.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-02 to 2012-01-02 )))))))))))))))))))))))))))))))
.
.
2012-01-02 05:19 . 2012-01-02 05:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-02 05:03 . 2012-01-02 05:03 108896 ----a-w- c:\windows\system32\drivers\ZeCanfvc.sys
2012-01-02 02:42 . 2012-01-02 02:42 108896 ----a-w- c:\windows\system32\drivers\dWwsydIO.sys
2012-01-01 23:56 . 2012-01-01 23:56 108896 ----a-w- c:\windows\system32\drivers\xjiDbpFQ.sys
2012-01-01 23:29 . 2012-01-01 23:29 108896 ----a-w- c:\windows\system32\drivers\aJeKEaUZ.sys
2012-01-01 06:08 . 2012-01-01 07:55 -------- d-----w- C:\cleanup
2012-01-01 05:19 . 2012-01-01 07:55 -------- d-----w- c:\users\Admin
2011-12-22 07:50 . 2011-12-22 07:50 108896 ----a-w- c:\windows\system32\drivers\vKbbSQbZ.sys
2011-12-21 07:38 . 2011-12-21 07:38 108896 ----a-w- c:\windows\system32\drivers\paurXARX.sys
2011-12-20 07:29 . 2011-12-20 07:29 108896 ----a-w- c:\windows\system32\drivers\liUAzgPF.sys
2011-12-19 07:24 . 2011-12-19 07:24 108896 ----a-w- c:\windows\system32\drivers\CQwPmpKt.sys
2011-12-17 15:43 . 2011-12-17 15:43 108896 ----a-w- c:\windows\system32\drivers\loTihGQI.sys
2011-12-16 15:41 . 2011-12-16 15:41 108896 ----a-w- c:\windows\system32\drivers\fdFchSuE.sys
2011-12-15 15:30 . 2011-12-15 15:30 108896 ----a-w- c:\windows\system32\drivers\LfidZRkv.sys
2011-12-15 10:25 . 2011-12-15 10:25 108896 ----a-w- c:\windows\system32\drivers\CFbjXzCc.sys
2011-12-15 01:26 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-15 01:26 . 2011-11-05 05:41 1188864 ----a-w- c:\windows\system32\wininet.dll
2011-12-14 04:41 . 2011-12-14 04:41 108896 ----a-w- c:\windows\system32\drivers\iFOWzyTB.sys
2011-12-13 04:28 . 2011-12-13 04:28 108896 ----a-w- c:\windows\system32\drivers\wOMyxktU.sys
2011-12-12 04:08 . 2011-12-12 04:08 108896 ----a-w- c:\windows\system32\drivers\hBYfpolU.sys
2011-12-11 03:48 . 2011-12-11 03:48 108896 ----a-w- c:\windows\system32\drivers\aNyIAIJI.sys
2011-12-10 14:33 . 2011-12-10 14:33 108896 ----a-w- c:\windows\system32\drivers\ovUwOiWm.sys
2011-12-09 14:33 . 2011-12-09 14:33 108896 ----a-w- c:\windows\system32\drivers\WEFFdUyi.sys
2011-12-09 03:32 . 2011-12-09 03:32 108896 ----a-w- c:\windows\system32\drivers\zCFaoMVY.sys
2011-12-07 18:30 . 2011-12-07 18:30 108896 ----a-w- c:\windows\system32\drivers\nIGmjdaL.sys
2011-12-07 12:30 . 2011-12-07 12:30 108896 ----a-w- c:\windows\system32\drivers\OQZwYIZA.sys
2011-12-06 12:16 . 2011-12-06 12:16 108896 ----a-w- c:\windows\system32\drivers\vIZhGPeF.sys
2011-12-05 04:55 . 2011-12-05 04:55 108896 ----a-w- c:\windows\system32\drivers\LEsAmJLk.sys
2011-12-04 03:58 . 2011-12-04 03:58 108896 ----a-w- c:\windows\system32\drivers\BYUDcPzw.sys
2011-12-03 11:55 . 2011-12-03 11:55 108896 ----a-w- c:\windows\system32\drivers\iqKvxpTI.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-15 15:30 . 2011-11-23 17:35 91832 ----a-w- c:\windows\system32\WRusr.dll
2011-12-15 15:30 . 2011-11-16 02:04 141272 ----a-w- c:\windows\SysWow64\WRusr.dll
2011-12-15 15:30 . 2011-11-16 02:04 108896 ----a-w- c:\windows\system32\drivers\rwoPrePd.sys
2011-12-10 22:24 . 2010-11-07 20:46 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-02 03:09 . 2011-12-02 03:09 108896 ----a-w- c:\windows\system32\drivers\eoKaWoWV.sys
2011-11-30 16:57 . 2011-11-30 16:57 108896 ----a-w- c:\windows\system32\drivers\gUBgSHNj.sys
2011-11-29 16:56 . 2011-11-29 16:56 108896 ----a-w- c:\windows\system32\drivers\ZfdjgAQe.sys
2011-11-24 17:36 . 2011-11-24 17:36 108896 ----a-w- c:\windows\system32\drivers\PyWmhMJG.sys
2011-11-23 17:35 . 2011-11-23 17:35 108896 ----a-w- c:\windows\system32\drivers\jIkWlOea.sys
2011-11-23 07:35 . 2011-11-23 07:35 107336 ----a-w- c:\windows\system32\drivers\DYkZVYDQ.sys
2011-11-22 07:29 . 2011-11-22 07:29 107336 ----a-w- c:\windows\system32\drivers\ZClZrfjh.sys
2011-11-20 19:53 . 2011-11-20 19:53 107336 ----a-w- c:\windows\system32\drivers\qkhquXMe.sys
2011-11-19 19:52 . 2011-11-19 19:52 107336 ----a-w- c:\windows\system32\drivers\COWSBUcL.sys
2011-11-18 15:13 . 2011-11-18 15:13 107336 ----a-w- c:\windows\system32\drivers\WzFFgWpm.sys
2011-11-17 15:12 . 2011-11-17 15:12 107336 ----a-w- c:\windows\system32\drivers\DUIzOdRU.sys
2011-11-16 15:01 . 2011-11-16 15:01 107336 ----a-w- c:\windows\system32\drivers\IFVfOTEO.sys
2011-11-16 10:19 . 2011-11-16 10:19 107336 ----a-w- c:\windows\system32\drivers\djOOXtve.sys
2011-11-16 02:04 . 2011-11-16 02:04 107336 ----a-w- c:\windows\system32\drivers\xHkBEhtL.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WLSync"="c:\program files (x86)\Windows Live\Mesh\WLSync.exe" [2011-05-13 1449312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2009-12-24 284696]
"SmartWiHelper"="c:\program files (x86)\Sony\SmartWi Connection Utility\SmartWiHelper.exe" [2010-01-20 82944]
"ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2010-01-15 316784]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2010-01-22 597792]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"{9ABA99F9-A8FE-7E89-8E99-AE8b85E9AE9B}"="c:\program files (x86)\Cricket Broadband Connect\AvqAutoRun.exe" [2009-10-19 73728]
"M-Audio Taskbar Icon"="c:\windows\system32\MAFWTray.exe" [2009-07-29 252424]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2011-12-15 637208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"InstallShieldSetup"="c:\progra~2\INSTAL~1\{36C5B~1\setup.exe" [2011-11-08 377536]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
.
c:\users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-3-12 1125152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 GizmoDrv;Gizmo Device Driver; [x]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 Gizmo Central;Gizmo Central;c:\program files (x86)\Gizmo\gservice.exe [2010-08-29 31856]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-29 135664]
R2 HMuKstOr;Kensington TrackballWorks Orbit USB HID Device Filter Driver;c:\windows\system32\DRIVERS\HMuKstOr.sys [x]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-12-24 13336]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-25 652872]
R2 O&O CleverCache;O&O CleverCache;c:\program files\OO Software\CleverCache\ooccag.exe [2009-10-31 843592]
R2 Oasis2Service;Oasis2Service;c:\program files (x86)\DDNi\Oasis2Service\Oasis2Service.exe [2011-08-14 49152]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
R2 SampleCollector;VAIO Care Performance Service;c:\program files\Sony\VAIO Care\VCPerfService.exe [2011-01-29 259192]
R2 uCamMonitor;CamMonitor;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2008-09-18 104960]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-12-09 2320920]
R2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2010-02-20 529776]
R2 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2010-02-20 386416]
R2 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe [2011-12-15 637208]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\smhwadb.sys [x]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [x]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-29 135664]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
R3 L6PODHD4;Service - Line 6 POD HD400;c:\windows\system32\Drivers\L6PODHD464.sys [x]
R3 MAFW;Service for M-Audio FireWire;c:\windows\system32\DRIVERS\mafw.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 MSSQL$DDNI;SQL Server (DDNI);c:\program files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\sqlservr.exe [2009-03-30 43010392]
R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys [x]
R3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys [x]
R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys [x]
R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys [x]
R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys [x]
R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys [x]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\DRIVERS\rdpdispm.sys [x]
R3 smhwdev;SmartPhone dummy USB PNP Device (Normal);c:\windows\system32\DRIVERS\smhwdev.sys [x]
R3 smhwser;USB Device for Legacy Serial Communication (Normal);c:\windows\system32\DRIVERS\smhwser.sys [x]
R3 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2010-09-10 108400]
R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2010-10-12 423280]
R3 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2010-09-10 67952]
R3 SpfService;VAIO Entertainment Common Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe [2011-01-20 286936]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2010-01-20 574320]
R3 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2011-01-20 887000]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2010-02-20 115568]
R3 VCService;VCService;c:\program files\Sony\VAIO Care\VCService.exe [2011-02-14 44736]
R3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update Common\VUAgent.exe [2011-09-23 1429608]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 47128]
R4 SQLAgent$DDNI;SQL Server Agent (DDNI);c:\program files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
S0 rwoPrePd;rwoPrePd;c:\windows\System32\drivers\rwoPrePd.sys [x]
S2 rimspci;rimspci;c:\windows\system32\drivers\rimssne64.sys [x]
S2 risdsnpe;risdsnpe;c:\windows\system32\drivers\risdsne64.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys [x]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-01 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df64.exe [2010-07-30 19:18]
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-29 00:04]
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-29 00:04]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-09 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-09 391192]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-09 411672]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-17 10060320]
"ooccctrl.exe"="c:\program files\OO Software\CleverCache\ooccctrl.exe" [2009-10-31 4313928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\SampleCollector]
"ImagePath"="\"c:\program files\Sony\VAIO Care\VCPerfService.exe\" \"/service\" \"/sstates\" \"/sampleinterval=5000\" \"/procinterval=5\" \"/dllinterval=120\" \"/counter=\Processor(_Total)\% Processor Time:1/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:1\" \"/counter=\Network Interface(*)\Bytes Total/sec:1\" \"/expandcounter=\Processor Information(*)\Processor Frequency:1\" \"/expandcounter=\Processor(*)\% Idle Time:1\" \"/expandcounter=\Processor(*)\% C1 Time:1\" \"/expandcounter=\Processor(*)\% C2 Time:1\" \"/expandcounter=\Processor(*)\% C3 Time:1\" \"/expandcounter=\Processor(*)\% Processor Time:1\" \"/directory=c:\programdata\Sony Corporation\VAIO Care\inteldata\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OOCC7.00.00.01PROSTATION"="67723810BDC610F285810B636A28BC79E63E7E2ACC76FEF3D4E0A7EF6DBCDA6DFD08B57CDAF74E8A05811AEB8B078187A2E53C7E436B05735E7AC05310591F4EC7F3605854192EE151724E9D60B590822D64316F9E022A89442A2344CC616DB0B28D4E7947F07C32621012DBE0715940A4FC380BD10A1FC7EDD23B1FAE5A55840F021E29765A4D67106CD2FEA6868DCA0CC33056EDE65674A8B278B461DC2BEC13CF6FFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C5D575E7D6A3B9808BA7FD869164D6794A9C6AECB7A5D1407A2D97226D213B555CB259707E194CD27CB3AC885117E3EEE26997032C6B195D19800D3464A7C6E698E0246189ADD61A587C0FE2CBE86825D54BA34D0EC6E9FFA23A28FCEFCF366AD6147EB27AF913D335E94E9E1BF9D0A2DD1984A6AC71C3207A0A0A504F925F3EE006365BF9ED41458DA3B1A12EDCE4E9594EE1AEC2F4F27FE921170F235CD7A2799E421B01AB06B9FF85CB46D590F9B5507A09C89B084AF72712FE1EE5991ADD45301A58D090F1F1A2AC574E7C43190AB07B360B40C99527026587A8EC3F898FCC50D0AAD05435E59D2E824B9A9EF21DDE6D008A735506710919152A985ED99A3FB86FA2B5DFEAB77CDD8275E32E79533EAC64ADFD4CF9AEA867F95E0644161D3760DB86594DC5D0E66507217BE9A0AF94F07EF1EC823EC1ECAEE82945A26F49D28E59680E0571E3F5DAA8DE7E0EE6C03C129596820B634CB9ACC6CEB9432AF127A767E63AC50ED2BE86A981863AB03A1E264F607A0DD971AA5AEBB5074E2BFC849CB6BB9970C1EFB323342353E00642FC998CF86414F16B18CC96A708F97A5DC63176EEFF1B2565D56CE518DA37D7B0981C67E3AAF267EBF68F8883FAF92366B0EAA2CBC455010FD64A81FB6F597098E859530B44DDE7677C2BBB871D17B1E9881FD5B15C8559C1263D398084C2A2124C94EA8D12C5DF60E9C343202A7DD580AE72FC934ED961CD1CB04BD9E7370ABB3345EBCAB96674CBCE7A9C12E97A939EA63FBD61A554C86770B12265AE90E63A99DD8D7A689A797410B87C479B931646907C9770AD69227C280FB795EE306587655F27765B32DCC5DE0DBAFA85DAC5339DB9FB30A7B6A1C788460F593C7446E8E9C072ED1FA68B5D63A5A89C681B8D6905C29A66603B8D860DB06EA26B294DD6AAA92A21977B1EE77D8D8EDA25ED18E29F83703AE60C3A2C447D4C086F3A8328727B78E2D76C2E88C73548ACC5CDC6FC295BC8A34B7B91576755B6EE88D954BE5333CC042773AE8E6B669249B18A2C41F8B52978EE52B9F490C4803C3B8555C0BDD891BD1AE1A86DDBF5C912A64CBAB06A5B3151AF90B8493A4729DD5DF456EFD2FAF141985C8AFCAA213BED6476A16C0254003753333DA31CBD0F39DA3"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-01 22:23:04
ComboFix-quarantined-files.txt 2012-01-02 05:23
.
Pre-Run: 432,990,781,440 bytes free
Post-Run: 432,936,660,992 bytes free
.
- - End Of File - - F3EC7AA58951CD0891EA15EC278DC375
Check out my band, Dogs of Prague

#6 Broni Re: [RESOLVED] Malware causing Black Screen of Death

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 09:30 AM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 11h 50m 50s

Posted 02 January 2012 - 05:52 AM

I'm afraid we MAY be dealing here with Ramnit file infector which is not curable.
Not to panic yet.
We have to check.

Now, you have to proceed VERY carefully and follow my instructions to a "dot".

1. Install following utility on your laptop. We'll have to get couple of files from your bad computer, copy them to USB flash drive and scan them through your laptop.
Utility listed below will prevent anything residing on USB flash drive from selfexecuting onto your laptop.
Make sure you don't have anything important on your USB flash drive so we can format it afterwards.

Install one of these on your laptop: Panda USB Vaccine, or BitDefender’s USB Immunizer

2. On your bad computer...
Insert USB flash drive.
Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.
NOTE. Make sure to reverse the above changes, when done with this step.
Copy following files and paste them on USB flash drive:
- c:\windows\system32\drivers\xjiDbpFQ.sys
- c:\windows\system32\drivers\dWwsydIO.sys
- c:\windows\system32\drivers\ZeCanfvc.sys

3. Move USB flash drive to your laptop.
Do NOT transfer those files to your laptop. Leave them on a flash drive.

4. Upload those files to http://www.virustotal.com/ for security check.
You go to the above site first, click on "Browse" button and navigate to files location on your flash drive.
If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
Posted Image Posted Image


#7 aceharmonic Re: [RESOLVED] Malware causing Black Screen of Death

    Member

  • 21 posts
  • Joined: January 02, 2012
  • 1 topics
  • Local time: 09:30 AM
  • Zodiac:Aquarius
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 8h 7m 5s

Posted 02 January 2012 - 06:15 AM

See the logs below and thanks for introducing me to virustotal; that is a useful site.

============
File name: dWwsydIO.sys
============

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: dWwsydIO.sys
Submission date: 2012-01-02 05:59:30 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)
VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2012.01.01.00 2012.01.01 -
AntiVir 7.11.20.98 2012.01.01 -
Antiy-AVL 2.0.3.7 2012.01.02 -
Avast 6.0.1289.0 2012.01.01 -
AVG 10.0.0.1190 2012.01.01 -
BitDefender 7.2 2012.01.02 -
ByteHero 1.0.0.1 2011.12.31 -
CAT-QuickHeal 12.00 2012.01.02 -
ClamAV 0.97.3.0 2012.01.02 -
Commtouch 5.3.2.6 2012.01.01 -
Comodo 11165 2012.01.01 -
DrWeb 5.0.2.03300 2012.01.02 -
Emsisoft 5.1.0.11 2012.01.02 -
eSafe 7.0.17.0 2012.01.01 -
eTrust-Vet 37.0.9655 2011.12.30 -
F-Prot 4.6.5.141 2012.01.01 -
F-Secure 9.0.16440.0 2012.01.02 -
Fortinet 4.3.388.0 2012.01.02 -
GData 22 2012.01.02 -
Ikarus T3.1.1.109.0 2011.12.31 -
Jiangmin 13.0.900 2012.01.01 -
K7AntiVirus 9.123.5823 2011.12.31 -
Kaspersky 9.0.0.837 2012.01.02 -
McAfee 5.400.0.1158 2012.01.02 -
McAfee-GW-Edition 2010.1E 2012.01.01 -
Microsoft 1.7903 2012.01.02 -
NOD32 6759 2012.01.02 -
Norman 6.07.13 2012.01.01 -
nProtect 2012-01-01.01 2012.01.01 -
Panda 10.0.3.5 2012.01.01 -
PCTools 8.0.0.5 2012.01.02 -
Prevx 3.0 2012.01.02 -
Rising 23.90.05.01 2011.12.31 -
Sophos 4.72.0 2012.01.02 -
SUPERAntiSpyware 4.40.0.1006 2011.12.30 -
Symantec 20111.2.0.82 2012.01.02 -
TheHacker 6.7.0.1.368 2011.12.31 -
TrendMicro 9.500.0.1008 2012.01.02 -
TrendMicro-HouseCall 9.500.0.1008 2012.01.02 -
VBA32 3.12.16.4 2011.12.30 -
VIPRE 11339 2012.01.02 -
ViRobot 2012.1.2.4858 2012.01.02 -
VirusBuster 14.1.144.0 2012.01.01 -
Additional informationShow all
MD5 : cb220fcf67a7c469af85126fd70ccccb
SHA1 : efd6f5e33c7c52506bd7799492404ba62d54b484
SHA256: 058a17f9de182770ec2c5d5327ef0fe0a37fa5125dd4a02a55e5b3a4c7a4c62e
ssdeep: 3072:Qaocih6eNkdj9m2H5AB5yQMNrD7SU3hDfzCdt+LJy2QzJ:QyVBF3hDfzC7+Lc26J
File size : 108896 bytes
First seen: 2011-12-16 14:54:18
Last seen : 2012-01-02 05:59:30
TrID:
Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Webroot
copyright....: © Webroot 2006-2011
product......: Webroot SecureAnywhere
description..: Webroot SecureAnywhere
original name: WRkrn.sys
internal name: WRkrn.sys
file version.: 8.0.1.44
comments.....: n/a
signers......: Webroot Software, Inc.
VeriSign Class 3 Code Signing 2009-2 CA
Class 3 Public Primary Certification Authority
signing date.: 4:24 14/12/2011
verified.....: -
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xFA50
timedatestamp....: 0x4EE816F3 (Wed Dec 14 03:24:35 2011)
machinetype......: 0x8664 (AMD64)

[[ 8 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x101EF, 0x10200, 6.12, 761500943c61d1f333b97b6cfebee080
.rdata, 0x12000, 0x2B8C, 0x2C00, 4.78, da19801dcd6e189f8b7e3cf1384ca4a7
.data, 0x15000, 0x8B8, 0xA00, 2.03, 337f5733e2e186710b120a137a9d2f5d
.pdata, 0x16000, 0x1890, 0x1A00, 4.87, ec95ea1357af204553366c8c46b8df16
PAGE, 0x18000, 0x19F7, 0x1A00, 6.22, 65f27a6a2eaaf7befd92b905c53264ad
INIT, 0x1A000, 0x121A, 0x1400, 4.85, 6b1fe9abdec6443aeb3fca4f9d3b01b1
.rsrc, 0x1C000, 0x340, 0x400, 2.80, 5e52ff22ba6d383756ee9bed4eb97d9a
.reloc, 0x1D000, 0x220, 0x400, 2.10, 0f3c33f34bd9a9786356f6bfad6882ab

[[ 3 import(s) ]]
ntoskrnl.exe: ExpInterlockedPushEntrySList, MmGetSystemRoutineAddress, IoRegisterLastChanceShutdownNotification, RtlAppendUnicodeToString, IoCreateFile, KeInitializeEvent, RtlQueryRegistryValues, PsSetCreateThreadNotifyRoutine, ZwQuerySystemInformation, KeAcquireInStackQueuedSpinLock, ExpInterlockedPopEntrySList, IoDetachDevice, PsSetCreateProcessNotifyRoutine, IoFreeMdl, KeUnstackDetachProcess, ZwSetInformationFile, IoCancelIrp, KeDelayExecutionThread, RtlFreeUnicodeString, ObQueryNameString, IoFileObjectType, IoDriverObjectType, ZwCreateFile, wcsrchr, PsCreateSystemThread, MmMapLockedPagesSpecifyCache, IoGetDeviceObjectPointer, IoRegisterBootDriverReinitialization, ZwQueryValueKey, PsTerminateSystemThread, IoGetCurrentProcess, ZwSetInformationProcess, PoStartNextPowerIrp, RtlPrefixUnicodeString, ZwClose, KeBugCheck, RtlAppendUnicodeStringToString, IofCompleteRequest, ExQueryDepthSList, strchr, KeWaitForSingleObject, IoFreeIrp, RtlWriteRegistryValue, MmProbeAndLockPages, ZwDeleteFile, PoCallDriver, PsGetVersion, PsThreadType, IoAllocateIrp, IoGetDeviceInterfaces, ZwOpenProcess, RtlCompareMemory, MmUnlockPages, strrchr, ZwQueryInformationProcess, IoGetTopLevelIrp, toupper, IoCreateSymbolicLink, PsGetCurrentThreadId, PsGetCurrentProcessId, MmIsAddressValid, ObfDereferenceObject, ObReferenceObjectByName, IoCreateDevice, ZwOpenFile, ZwTerminateProcess, ZwQueryInformationFile, ZwWriteFile, RtlDeleteRegistryValue, ObReferenceObjectByPointer, ObOpenObjectByPointer, KeStackAttachProcess, IoRegisterFsRegistrationChange, IoAllocateMdl, IofCallDriver, ZwOpenKey, wcsncpy, KeSetEvent, IoDeleteDevice, RtlInitUnicodeString, IoGetRelatedDeviceObject, ZwReadFile, _wcsnicmp, IoBuildSynchronousFsdRequest, PsLookupProcessByProcessId, IoAttachDeviceToDeviceStackSafe, KeReleaseInStackQueuedSpinLock, PsSetLoadImageNotifyRoutine, ExAcquireFastMutex, ExInitializeNPagedLookasideList, ExReleaseFastMutex, KeResetEvent, ExFreePoolWithTag, IoReuseIrp, PsProcessType, ExAllocatePoolWithTag, _strnicmp, towlower, _stricmp, ObReferenceObjectByHandle, MmUnmapLockedPages, ZwSetSecurityObject, IoDeviceObjectType, _snwprintf, RtlLengthSecurityDescriptor, SeCaptureSecurityDescriptor, RtlCreateSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlAbsoluteToSelfRelativeSD, IoIsWdmVersionAvailable, SeExports, wcschr, RtlLengthSid, RtlAddAccessAllowedAce, RtlGetSaclSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, ZwCreateKey, ZwSetValueKey, KeBugCheckEx, __C_specific_handler
TDI.SYS: TdiMapUserRequest
FLTMGR.SYS: FltParseFileNameInformation, FltReleaseFileNameInformation, FltRegisterFilter, FltBuildDefaultSecurityDescriptor, FltCloseCommunicationPort, FltUnregisterFilter, FltGetFileNameInformation, FltAllocateContext, FltClose, FltReleaseContext, FltQueryInformationFile, FltCreateFile, FltIsDirectory, FltFreeSecurityDescriptor, FltReadFile, FltCreateCommunicationPort, FltSetCallbackDataDirty, FltGetDestinationFileNameInformation, FltCloseClientPort, FltCancelFileOpen, FltSetStreamHandleContext, FltSendMessage, FltGetStreamHandleContext, FltStartFiltering
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 77824
CompanyName: Webroot
EntryPoint: 0xfa50
FileDescription: Webroot SecureAnywhere
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 106 kB
FileSubtype: 7
FileType: Win64 EXE
FileVersion: 8.0.1.44
FileVersionNumber: 8.0.1.44
ImageVersion: 6.1
InitializedDataSize: 22528
InternalName: WRkrn.sys
LanguageCode: English (U.S.)
LegalCopyright: © Webroot 2006-2011
LinkerVersion: 9.0
MIMEType: application/octet-stream
MachineType: AMD AMD64
OSVersion: 6.1
ObjectFileType: Driver
OriginalFilename: WRkrn.sys
PEType: PE32+
ProductName: Webroot SecureAnywhere
ProductVersion: 8.0.1.44
ProductVersionNumber: 8.0.1.44
Subsystem: Native
SubsystemVersion: 6.0
TimeStamp: 2011:12:14 04:24:35+01:00
UninitializedDataSize: 0

============
File name: xjiDbpFQ.sys
============

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: xjiDbpFQ.sys
Submission date: 2012-01-02 06:02:20 (UTC)
Current status: finished
Result: 0/ 42 (0.0%)
VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2012.01.01.00 2012.01.01 -
AntiVir 7.11.20.98 2012.01.01 -
Antiy-AVL 2.0.3.7 2012.01.02 -
Avast 6.0.1289.0 2012.01.01 -
AVG 10.0.0.1190 2012.01.01 -
BitDefender 7.2 2012.01.02 -
ByteHero 1.0.0.1 2011.12.31 -
CAT-QuickHeal 12.00 2012.01.02 -
ClamAV 0.97.3.0 2012.01.02 -
Commtouch 5.3.2.6 2012.01.01 -
Comodo 11165 2012.01.01 -
DrWeb 5.0.2.03300 2012.01.02 -
Emsisoft 5.1.0.11 2012.01.02 -
eSafe 7.0.17.0 2012.01.01 -
eTrust-Vet 37.0.9655 2011.12.30 -
F-Prot 4.6.5.141 2012.01.01 -
F-Secure 9.0.16440.0 2012.01.02 -
Fortinet 4.3.388.0 2012.01.02 -
GData 22.328/22.619 2012.01.02 -
Ikarus T3.1.1.109.0 2011.12.31 -
Jiangmin 13.0.900 2012.01.01 -
K7AntiVirus 9.123.5823 2011.12.31 -
McAfee 5.400.0.1158 2012.01.02 -
McAfee-GW-Edition 2010.1E 2012.01.01 -
Microsoft 1.7903 2012.01.02 -
NOD32 6759 2012.01.02 -
Norman 6.07.13 2012.01.01 -
nProtect 2012-01-01.01 2012.01.01 -
Panda 10.0.3.5 2012.01.01 -
PCTools 8.0.0.5 2012.01.02 -
Prevx 3.0 2012.01.02 -
Rising 23.90.05.01 2011.12.31 -
Sophos 4.72.0 2012.01.02 -
SUPERAntiSpyware 4.40.0.1006 2011.12.30 -
Symantec 20111.2.0.82 2012.01.02 -
TheHacker 6.7.0.1.368 2011.12.31 -
TrendMicro 9.500.0.1008 2012.01.02 -
TrendMicro-HouseCall 9.500.0.1008 2012.01.02 -
VBA32 3.12.16.4 2011.12.30 -
VIPRE 11339 2012.01.02 -
ViRobot 2012.1.2.4858 2012.01.02 -
VirusBuster 14.1.144.0 2012.01.01 -
Additional informationShow all
MD5 : cb220fcf67a7c469af85126fd70ccccb
SHA1 : efd6f5e33c7c52506bd7799492404ba62d54b484
SHA256: 058a17f9de182770ec2c5d5327ef0fe0a37fa5125dd4a02a55e5b3a4c7a4c62e
ssdeep: 3072:Qaocih6eNkdj9m2H5AB5yQMNrD7SU3hDfzCdt+LJy2QzJ:QyVBF3hDfzC7+Lc26J
File size : 108896 bytes
First seen: 2011-12-16 14:54:18
Last seen : 2012-01-02 06:02:20
TrID:
Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Webroot
copyright....: © Webroot 2006-2011
product......: Webroot SecureAnywhere
description..: Webroot SecureAnywhere
original name: WRkrn.sys
internal name: WRkrn.sys
file version.: 8.0.1.44
comments.....: n/a
signers......: Webroot Software, Inc.
VeriSign Class 3 Code Signing 2009-2 CA
Class 3 Public Primary Certification Authority
signing date.: 4:24 14/12/2011
verified.....: -
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xFA50
timedatestamp....: 0x4EE816F3 (Wed Dec 14 03:24:35 2011)
machinetype......: 0x8664 (AMD64)

[[ 8 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x101EF, 0x10200, 6.12, 761500943c61d1f333b97b6cfebee080
.rdata, 0x12000, 0x2B8C, 0x2C00, 4.78, da19801dcd6e189f8b7e3cf1384ca4a7
.data, 0x15000, 0x8B8, 0xA00, 2.03, 337f5733e2e186710b120a137a9d2f5d
.pdata, 0x16000, 0x1890, 0x1A00, 4.87, ec95ea1357af204553366c8c46b8df16
PAGE, 0x18000, 0x19F7, 0x1A00, 6.22, 65f27a6a2eaaf7befd92b905c53264ad
INIT, 0x1A000, 0x121A, 0x1400, 4.85, 6b1fe9abdec6443aeb3fca4f9d3b01b1
.rsrc, 0x1C000, 0x340, 0x400, 2.80, 5e52ff22ba6d383756ee9bed4eb97d9a
.reloc, 0x1D000, 0x220, 0x400, 2.10, 0f3c33f34bd9a9786356f6bfad6882ab

[[ 3 import(s) ]]
ntoskrnl.exe: ExpInterlockedPushEntrySList, MmGetSystemRoutineAddress, IoRegisterLastChanceShutdownNotification, RtlAppendUnicodeToString, IoCreateFile, KeInitializeEvent, RtlQueryRegistryValues, PsSetCreateThreadNotifyRoutine, ZwQuerySystemInformation, KeAcquireInStackQueuedSpinLock, ExpInterlockedPopEntrySList, IoDetachDevice, PsSetCreateProcessNotifyRoutine, IoFreeMdl, KeUnstackDetachProcess, ZwSetInformationFile, IoCancelIrp, KeDelayExecutionThread, RtlFreeUnicodeString, ObQueryNameString, IoFileObjectType, IoDriverObjectType, ZwCreateFile, wcsrchr, PsCreateSystemThread, MmMapLockedPagesSpecifyCache, IoGetDeviceObjectPointer, IoRegisterBootDriverReinitialization, ZwQueryValueKey, PsTerminateSystemThread, IoGetCurrentProcess, ZwSetInformationProcess, PoStartNextPowerIrp, RtlPrefixUnicodeString, ZwClose, KeBugCheck, RtlAppendUnicodeStringToString, IofCompleteRequest, ExQueryDepthSList, strchr, KeWaitForSingleObject, IoFreeIrp, RtlWriteRegistryValue, MmProbeAndLockPages, ZwDeleteFile, PoCallDriver, PsGetVersion, PsThreadType, IoAllocateIrp, IoGetDeviceInterfaces, ZwOpenProcess, RtlCompareMemory, MmUnlockPages, strrchr, ZwQueryInformationProcess, IoGetTopLevelIrp, toupper, IoCreateSymbolicLink, PsGetCurrentThreadId, PsGetCurrentProcessId, MmIsAddressValid, ObfDereferenceObject, ObReferenceObjectByName, IoCreateDevice, ZwOpenFile, ZwTerminateProcess, ZwQueryInformationFile, ZwWriteFile, RtlDeleteRegistryValue, ObReferenceObjectByPointer, ObOpenObjectByPointer, KeStackAttachProcess, IoRegisterFsRegistrationChange, IoAllocateMdl, IofCallDriver, ZwOpenKey, wcsncpy, KeSetEvent, IoDeleteDevice, RtlInitUnicodeString, IoGetRelatedDeviceObject, ZwReadFile, _wcsnicmp, IoBuildSynchronousFsdRequest, PsLookupProcessByProcessId, IoAttachDeviceToDeviceStackSafe, KeReleaseInStackQueuedSpinLock, PsSetLoadImageNotifyRoutine, ExAcquireFastMutex, ExInitializeNPagedLookasideList, ExReleaseFastMutex, KeResetEvent, ExFreePoolWithTag, IoReuseIrp, PsProcessType, ExAllocatePoolWithTag, _strnicmp, towlower, _stricmp, ObReferenceObjectByHandle, MmUnmapLockedPages, ZwSetSecurityObject, IoDeviceObjectType, _snwprintf, RtlLengthSecurityDescriptor, SeCaptureSecurityDescriptor, RtlCreateSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlAbsoluteToSelfRelativeSD, IoIsWdmVersionAvailable, SeExports, wcschr, RtlLengthSid, RtlAddAccessAllowedAce, RtlGetSaclSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, ZwCreateKey, ZwSetValueKey, KeBugCheckEx, __C_specific_handler
TDI.SYS: TdiMapUserRequest
FLTMGR.SYS: FltParseFileNameInformation, FltReleaseFileNameInformation, FltRegisterFilter, FltBuildDefaultSecurityDescriptor, FltCloseCommunicationPort, FltUnregisterFilter, FltGetFileNameInformation, FltAllocateContext, FltClose, FltReleaseContext, FltQueryInformationFile, FltCreateFile, FltIsDirectory, FltFreeSecurityDescriptor, FltReadFile, FltCreateCommunicationPort, FltSetCallbackDataDirty, FltGetDestinationFileNameInformation, FltCloseClientPort, FltCancelFileOpen, FltSetStreamHandleContext, FltSendMessage, FltGetStreamHandleContext, FltStartFiltering
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 77824
CompanyName: Webroot
EntryPoint: 0xfa50
FileDescription: Webroot SecureAnywhere
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 106 kB
FileSubtype: 7
FileType: Win64 EXE
FileVersion: 8.0.1.44
FileVersionNumber: 8.0.1.44
ImageVersion: 6.1
InitializedDataSize: 22528
InternalName: WRkrn.sys
LanguageCode: English (U.S.)
LegalCopyright: © Webroot 2006-2011
LinkerVersion: 9.0
MIMEType: application/octet-stream
MachineType: AMD AMD64
OSVersion: 6.1
ObjectFileType: Driver
OriginalFilename: WRkrn.sys
PEType: PE32+
ProductName: Webroot SecureAnywhere
ProductVersion: 8.0.1.44
ProductVersionNumber: 8.0.1.44
Subsystem: Native
SubsystemVersion: 6.0
TimeStamp: 2011:12:14 04:24:35+01:00
UninitializedDataSize: 0

===========
File name: ZeCanfvc.sys
===========

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: ZeCanfvc.sys
Submission date: 2012-01-02 06:05:23 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)
VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2012.01.01.00 2012.01.01 -
AntiVir 7.11.20.98 2012.01.01 -
Antiy-AVL 2.0.3.7 2012.01.02 -
Avast 6.0.1289.0 2012.01.01 -
AVG 10.0.0.1190 2012.01.01 -
BitDefender 7.2 2012.01.02 -
ByteHero 1.0.0.1 2011.12.31 -
CAT-QuickHeal 12.00 2012.01.02 -
ClamAV 0.97.3.0 2012.01.02 -
Commtouch 5.3.2.6 2012.01.01 -
Comodo 11165 2012.01.01 -
DrWeb 5.0.2.03300 2012.01.02 -
Emsisoft 5.1.0.11 2012.01.02 -
eSafe 7.0.17.0 2012.01.01 -
eTrust-Vet 37.0.9655 2011.12.30 -
F-Prot 4.6.5.141 2012.01.01 -
F-Secure 9.0.16440.0 2012.01.02 -
Fortinet 4.3.388.0 2012.01.02 -
GData 22 2012.01.02 -
Ikarus T3.1.1.109.0 2011.12.31 -
Jiangmin 13.0.900 2012.01.01 -
K7AntiVirus 9.123.5823 2011.12.31 -
Kaspersky 9.0.0.837 2012.01.02 -
McAfee 5.400.0.1158 2012.01.02 -
McAfee-GW-Edition 2010.1E 2012.01.01 -
Microsoft 1.7903 2012.01.02 -
NOD32 6759 2012.01.02 -
Norman 6.07.13 2012.01.01 -
nProtect 2012-01-01.01 2012.01.01 -
Panda 10.0.3.5 2012.01.01 -
PCTools 8.0.0.5 2012.01.02 -
Prevx 3.0 2012.01.02 -
Rising 23.90.05.01 2011.12.31 -
Sophos 4.72.0 2012.01.02 -
SUPERAntiSpyware 4.40.0.1006 2011.12.30 -
Symantec 20111.2.0.82 2012.01.02 -
TheHacker 6.7.0.1.368 2011.12.31 -
TrendMicro 9.500.0.1008 2012.01.02 -
TrendMicro-HouseCall 9.500.0.1008 2012.01.02 -
VBA32 3.12.16.4 2011.12.30 -
VIPRE 11339 2012.01.02 -
ViRobot 2012.1.2.4858 2012.01.02 -
VirusBuster 14.1.144.0 2012.01.01 -
Additional informationShow all
MD5 : cb220fcf67a7c469af85126fd70ccccb
SHA1 : efd6f5e33c7c52506bd7799492404ba62d54b484
SHA256: 058a17f9de182770ec2c5d5327ef0fe0a37fa5125dd4a02a55e5b3a4c7a4c62e
ssdeep: 3072:Qaocih6eNkdj9m2H5AB5yQMNrD7SU3hDfzCdt+LJy2QzJ:QyVBF3hDfzC7+Lc26J
File size : 108896 bytes
First seen: 2011-12-16 14:54:18
Last seen : 2012-01-02 06:05:23
TrID:
Win64 Executable Generic (95.5%)
Generic Win/DOS Executable (2.2%)
DOS Executable Generic (2.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Webroot
copyright....: © Webroot 2006-2011
product......: Webroot SecureAnywhere
description..: Webroot SecureAnywhere
original name: WRkrn.sys
internal name: WRkrn.sys
file version.: 8.0.1.44
comments.....: n/a
signers......: Webroot Software, Inc.
VeriSign Class 3 Code Signing 2009-2 CA
Class 3 Public Primary Certification Authority
signing date.: 4:24 14/12/2011
verified.....: -
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xFA50
timedatestamp....: 0x4EE816F3 (Wed Dec 14 03:24:35 2011)
machinetype......: 0x8664 (AMD64)

[[ 8 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x101EF, 0x10200, 6.12, 761500943c61d1f333b97b6cfebee080
.rdata, 0x12000, 0x2B8C, 0x2C00, 4.78, da19801dcd6e189f8b7e3cf1384ca4a7
.data, 0x15000, 0x8B8, 0xA00, 2.03, 337f5733e2e186710b120a137a9d2f5d
.pdata, 0x16000, 0x1890, 0x1A00, 4.87, ec95ea1357af204553366c8c46b8df16
PAGE, 0x18000, 0x19F7, 0x1A00, 6.22, 65f27a6a2eaaf7befd92b905c53264ad
INIT, 0x1A000, 0x121A, 0x1400, 4.85, 6b1fe9abdec6443aeb3fca4f9d3b01b1
.rsrc, 0x1C000, 0x340, 0x400, 2.80, 5e52ff22ba6d383756ee9bed4eb97d9a
.reloc, 0x1D000, 0x220, 0x400, 2.10, 0f3c33f34bd9a9786356f6bfad6882ab

[[ 3 import(s) ]]
ntoskrnl.exe: ExpInterlockedPushEntrySList, MmGetSystemRoutineAddress, IoRegisterLastChanceShutdownNotification, RtlAppendUnicodeToString, IoCreateFile, KeInitializeEvent, RtlQueryRegistryValues, PsSetCreateThreadNotifyRoutine, ZwQuerySystemInformation, KeAcquireInStackQueuedSpinLock, ExpInterlockedPopEntrySList, IoDetachDevice, PsSetCreateProcessNotifyRoutine, IoFreeMdl, KeUnstackDetachProcess, ZwSetInformationFile, IoCancelIrp, KeDelayExecutionThread, RtlFreeUnicodeString, ObQueryNameString, IoFileObjectType, IoDriverObjectType, ZwCreateFile, wcsrchr, PsCreateSystemThread, MmMapLockedPagesSpecifyCache, IoGetDeviceObjectPointer, IoRegisterBootDriverReinitialization, ZwQueryValueKey, PsTerminateSystemThread, IoGetCurrentProcess, ZwSetInformationProcess, PoStartNextPowerIrp, RtlPrefixUnicodeString, ZwClose, KeBugCheck, RtlAppendUnicodeStringToString, IofCompleteRequest, ExQueryDepthSList, strchr, KeWaitForSingleObject, IoFreeIrp, RtlWriteRegistryValue, MmProbeAndLockPages, ZwDeleteFile, PoCallDriver, PsGetVersion, PsThreadType, IoAllocateIrp, IoGetDeviceInterfaces, ZwOpenProcess, RtlCompareMemory, MmUnlockPages, strrchr, ZwQueryInformationProcess, IoGetTopLevelIrp, toupper, IoCreateSymbolicLink, PsGetCurrentThreadId, PsGetCurrentProcessId, MmIsAddressValid, ObfDereferenceObject, ObReferenceObjectByName, IoCreateDevice, ZwOpenFile, ZwTerminateProcess, ZwQueryInformationFile, ZwWriteFile, RtlDeleteRegistryValue, ObReferenceObjectByPointer, ObOpenObjectByPointer, KeStackAttachProcess, IoRegisterFsRegistrationChange, IoAllocateMdl, IofCallDriver, ZwOpenKey, wcsncpy, KeSetEvent, IoDeleteDevice, RtlInitUnicodeString, IoGetRelatedDeviceObject, ZwReadFile, _wcsnicmp, IoBuildSynchronousFsdRequest, PsLookupProcessByProcessId, IoAttachDeviceToDeviceStackSafe, KeReleaseInStackQueuedSpinLock, PsSetLoadImageNotifyRoutine, ExAcquireFastMutex, ExInitializeNPagedLookasideList, ExReleaseFastMutex, KeResetEvent, ExFreePoolWithTag, IoReuseIrp, PsProcessType, ExAllocatePoolWithTag, _strnicmp, towlower, _stricmp, ObReferenceObjectByHandle, MmUnmapLockedPages, ZwSetSecurityObject, IoDeviceObjectType, _snwprintf, RtlLengthSecurityDescriptor, SeCaptureSecurityDescriptor, RtlCreateSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlAbsoluteToSelfRelativeSD, IoIsWdmVersionAvailable, SeExports, wcschr, RtlLengthSid, RtlAddAccessAllowedAce, RtlGetSaclSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, ZwCreateKey, ZwSetValueKey, KeBugCheckEx, __C_specific_handler
TDI.SYS: TdiMapUserRequest
FLTMGR.SYS: FltParseFileNameInformation, FltReleaseFileNameInformation, FltRegisterFilter, FltBuildDefaultSecurityDescriptor, FltCloseCommunicationPort, FltUnregisterFilter, FltGetFileNameInformation, FltAllocateContext, FltClose, FltReleaseContext, FltQueryInformationFile, FltCreateFile, FltIsDirectory, FltFreeSecurityDescriptor, FltReadFile, FltCreateCommunicationPort, FltSetCallbackDataDirty, FltGetDestinationFileNameInformation, FltCloseClientPort, FltCancelFileOpen, FltSetStreamHandleContext, FltSendMessage, FltGetStreamHandleContext, FltStartFiltering
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 77824
CompanyName: Webroot
EntryPoint: 0xfa50
FileDescription: Webroot SecureAnywhere
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 106 kB
FileSubtype: 7
FileType: Win64 EXE
FileVersion: 8.0.1.44
FileVersionNumber: 8.0.1.44
ImageVersion: 6.1
InitializedDataSize: 22528
InternalName: WRkrn.sys
LanguageCode: English (U.S.)
LegalCopyright: © Webroot 2006-2011
LinkerVersion: 9.0
MIMEType: application/octet-stream
MachineType: AMD AMD64
OSVersion: 6.1
ObjectFileType: Driver
OriginalFilename: WRkrn.sys
PEType: PE32+
ProductName: Webroot SecureAnywhere
ProductVersion: 8.0.1.44
ProductVersionNumber: 8.0.1.44
Subsystem: Native
SubsystemVersion: 6.0
TimeStamp: 2011:12:14 04:24:35+01:00
UninitializedDataSize: 0
Check out my band, Dogs of Prague

#8 Broni Re: [RESOLVED] Malware causing Black Screen of Death

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 09:30 AM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 11h 50m 50s

Posted 02 January 2012 - 06:23 AM

Interesting...

Just in case format your USB flash drive.

I'll be going to bed but I'll leave you with a "homework".
I'll check on you tomorrow morning.

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

SecCenter::
{63DF5164-9100-186D-2187-8DC619EFD8BF}
{5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
{D8BEB080-B73A-17E3-1B37-B6B462689202}

File::
c:\windows\system32\drivers\iqKvxpTI.sys
c:\windows\system32\drivers\BYUDcPzw.sys
c:\windows\system32\drivers\LEsAmJLk.sys
c:\windows\system32\drivers\vIZhGPeF.sys
c:\windows\system32\drivers\OQZwYIZA.sys
c:\windows\system32\drivers\nIGmjdaL.sys
c:\windows\system32\drivers\zCFaoMVY.sys
c:\windows\system32\drivers\WEFFdUyi.sys
c:\windows\system32\drivers\ovUwOiWm.sys
c:\windows\system32\drivers\aNyIAIJI.sys
c:\windows\system32\drivers\hBYfpolU.sys
c:\windows\system32\drivers\wOMyxktU.sys
c:\windows\system32\drivers\iFOWzyTB.sys
c:\windows\system32\drivers\CFbjXzCc.sys
c:\windows\system32\drivers\LfidZRkv.sys
c:\windows\system32\drivers\fdFchSuE.sys
c:\windows\system32\drivers\loTihGQI.sys
c:\windows\system32\drivers\CQwPmpKt.sys
c:\windows\system32\drivers\liUAzgPF.sys
c:\windows\system32\drivers\paurXARX.sys
c:\windows\system32\drivers\vKbbSQbZ.sys
c:\windows\system32\drivers\aJeKEaUZ.sys
c:\windows\system32\drivers\xjiDbpFQ.sys
c:\windows\system32\drivers\dWwsydIO.sys
c:\windows\system32\drivers\ZeCanfvc.sys
c:\windows\system32\drivers\xHkBEhtL.sys
c:\windows\system32\drivers\djOOXtve.sys
c:\windows\system32\drivers\IFVfOTEO.sys
c:\windows\system32\drivers\DUIzOdRU.sys
c:\windows\system32\drivers\WzFFgWpm.sys
c:\windows\system32\drivers\COWSBUcL.sys
c:\windows\system32\drivers\qkhquXMe.sys
c:\windows\system32\drivers\ZClZrfjh.sys
c:\windows\system32\drivers\DYkZVYDQ.sys
c:\windows\system32\drivers\jIkWlOea.sys
c:\windows\system32\drivers\PyWmhMJG.sys
c:\windows\system32\drivers\ZfdjgAQe.sys
c:\windows\system32\drivers\gUBgSHNj.sys
c:\windows\system32\drivers\eoKaWoWV.sys
c:\windows\system32\drivers\rwoPrePd.sys

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

Posted Image Posted Image


#9 aceharmonic Re: [RESOLVED] Malware causing Black Screen of Death

    Member

  • 21 posts
  • Joined: January 02, 2012
  • 1 topics
  • Local time: 09:30 AM
  • Zodiac:Aquarius
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 8h 7m 5s

Posted 02 January 2012 - 04:20 PM

It still states that Webroot is running; however I disabled it (unless I missed something). Log below

===============

ComboFix 12-01-01.06 - Mike 01/02/2012 8:37.2.4 - x64 MINIMAL
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3766.3036 [GMT -7:00]
Running from: c:\users\Mike\Desktop\ComboFix.exe
Command switches used :: c:\users\Mike\Desktop\CFScript.txt
AV: Webroot SecureAnywhere *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
SP: Webroot SecureAnywhere *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\drivers\aJeKEaUZ.sys"
"c:\windows\system32\drivers\aNyIAIJI.sys"
"c:\windows\system32\drivers\BYUDcPzw.sys"
"c:\windows\system32\drivers\CFbjXzCc.sys"
"c:\windows\system32\drivers\COWSBUcL.sys"
"c:\windows\system32\drivers\CQwPmpKt.sys"
"c:\windows\system32\drivers\djOOXtve.sys"
"c:\windows\system32\drivers\DUIzOdRU.sys"
"c:\windows\system32\drivers\dWwsydIO.sys"
"c:\windows\system32\drivers\DYkZVYDQ.sys"
"c:\windows\system32\drivers\eoKaWoWV.sys"
"c:\windows\system32\drivers\fdFchSuE.sys"
"c:\windows\system32\drivers\gUBgSHNj.sys"
"c:\windows\system32\drivers\hBYfpolU.sys"
"c:\windows\system32\drivers\iFOWzyTB.sys"
"c:\windows\system32\drivers\IFVfOTEO.sys"
"c:\windows\system32\drivers\iqKvxpTI.sys"
"c:\windows\system32\drivers\jIkWlOea.sys"
"c:\windows\system32\drivers\LEsAmJLk.sys"
"c:\windows\system32\drivers\LfidZRkv.sys"
"c:\windows\system32\drivers\liUAzgPF.sys"
"c:\windows\system32\drivers\loTihGQI.sys"
"c:\windows\system32\drivers\nIGmjdaL.sys"
"c:\windows\system32\drivers\OQZwYIZA.sys"
"c:\windows\system32\drivers\ovUwOiWm.sys"
"c:\windows\system32\drivers\paurXARX.sys"
"c:\windows\system32\drivers\PyWmhMJG.sys"
"c:\windows\system32\drivers\qkhquXMe.sys"
"c:\windows\system32\drivers\rwoPrePd.sys"
"c:\windows\system32\drivers\vIZhGPeF.sys"
"c:\windows\system32\drivers\vKbbSQbZ.sys"
"c:\windows\system32\drivers\WEFFdUyi.sys"
"c:\windows\system32\drivers\wOMyxktU.sys"
"c:\windows\system32\drivers\WzFFgWpm.sys"
"c:\windows\system32\drivers\xHkBEhtL.sys"
"c:\windows\system32\drivers\xjiDbpFQ.sys"
"c:\windows\system32\drivers\zCFaoMVY.sys"
"c:\windows\system32\drivers\ZClZrfjh.sys"
"c:\windows\system32\drivers\ZeCanfvc.sys"
"c:\windows\system32\drivers\ZfdjgAQe.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\aJeKEaUZ.sys
c:\windows\system32\drivers\aNyIAIJI.sys
c:\windows\system32\drivers\BYUDcPzw.sys
c:\windows\system32\drivers\CFbjXzCc.sys
c:\windows\system32\drivers\COWSBUcL.sys
c:\windows\system32\drivers\CQwPmpKt.sys
c:\windows\system32\drivers\djOOXtve.sys
c:\windows\system32\drivers\DUIzOdRU.sys
c:\windows\system32\drivers\dWwsydIO.sys
c:\windows\system32\drivers\DYkZVYDQ.sys
c:\windows\system32\drivers\eoKaWoWV.sys
c:\windows\system32\drivers\fdFchSuE.sys
c:\windows\system32\drivers\gUBgSHNj.sys
c:\windows\system32\drivers\hBYfpolU.sys
c:\windows\system32\drivers\iFOWzyTB.sys
c:\windows\system32\drivers\IFVfOTEO.sys
c:\windows\system32\drivers\iqKvxpTI.sys
c:\windows\system32\drivers\jIkWlOea.sys
c:\windows\system32\drivers\LEsAmJLk.sys
c:\windows\system32\drivers\LfidZRkv.sys
c:\windows\system32\drivers\liUAzgPF.sys
c:\windows\system32\drivers\loTihGQI.sys
c:\windows\system32\drivers\nIGmjdaL.sys
c:\windows\system32\drivers\OQZwYIZA.sys
c:\windows\system32\drivers\ovUwOiWm.sys
c:\windows\system32\drivers\paurXARX.sys
c:\windows\system32\drivers\PyWmhMJG.sys
c:\windows\system32\drivers\qkhquXMe.sys
c:\windows\system32\drivers\rwoPrePd.sys
c:\windows\system32\drivers\vIZhGPeF.sys
c:\windows\system32\drivers\vKbbSQbZ.sys
c:\windows\system32\drivers\WEFFdUyi.sys
c:\windows\system32\drivers\wOMyxktU.sys
c:\windows\system32\drivers\WzFFgWpm.sys
c:\windows\system32\drivers\xHkBEhtL.sys
c:\windows\system32\drivers\xjiDbpFQ.sys
c:\windows\system32\drivers\zCFaoMVY.sys
c:\windows\system32\drivers\ZClZrfjh.sys
c:\windows\system32\drivers\ZeCanfvc.sys
c:\windows\system32\drivers\ZfdjgAQe.sys
.
Infected copy of c:\windows\SysWow64\user32.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache86\user32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_rwoPrePd
-------\Service_rwoPrePd
.
.
((((((((((((((((((((((((( Files Created from 2011-12-02 to 2012-01-02 )))))))))))))))))))))))))))))))
.
.
2012-01-02 15:42 . 2012-01-02 15:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-02 15:26 . 2012-01-02 15:26 108896 ----a-w- c:\windows\system32\drivers\akqpYeGh.sys
2012-01-01 06:08 . 2012-01-01 07:55 -------- d-----w- C:\cleanup
2012-01-01 05:19 . 2012-01-01 07:55 -------- d-----w- c:\users\Admin
2011-12-15 01:26 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-15 01:26 . 2011-11-05 05:41 1188864 ----a-w- c:\windows\system32\wininet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-15 15:30 . 2011-11-23 17:35 91832 ----a-w- c:\windows\system32\WRusr.dll
2011-12-15 15:30 . 2011-11-16 02:04 141272 ----a-w- c:\windows\SysWow64\WRusr.dll
2011-12-10 22:24 . 2010-11-07 20:46 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-02_05.19.55 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-01-02 04:47 . 2012-01-02 04:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-02 15:45 . 2012-01-02 15:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-02 15:45 . 2012-01-02 15:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-02 04:47 . 2012-01-02 04:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WLSync"="c:\program files (x86)\Windows Live\Mesh\WLSync.exe" [2011-05-13 1449312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2009-12-24 284696]
"SmartWiHelper"="c:\program files (x86)\Sony\SmartWi Connection Utility\SmartWiHelper.exe" [2010-01-20 82944]
"ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2010-01-15 316784]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2010-01-22 597792]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"{9ABA99F9-A8FE-7E89-8E99-AE8b85E9AE9B}"="c:\program files (x86)\Cricket Broadband Connect\AvqAutoRun.exe" [2009-10-19 73728]
"M-Audio Taskbar Icon"="c:\windows\system32\MAFWTray.exe" [2009-07-29 252424]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2011-12-15 637208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"InstallShieldSetup"="c:\progra~2\INSTAL~1\{36C5B~1\setup.exe" [2011-11-08 377536]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
.
c:\users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-3-12 1125152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 GizmoDrv;Gizmo Device Driver; [x]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 Gizmo Central;Gizmo Central;c:\program files (x86)\Gizmo\gservice.exe [2010-08-29 31856]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-29 135664]
R2 HMuKstOr;Kensington TrackballWorks Orbit USB HID Device Filter Driver;c:\windows\system32\DRIVERS\HMuKstOr.sys [x]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-12-24 13336]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-25 652872]
R2 O&O CleverCache;O&O CleverCache;c:\program files\OO Software\CleverCache\ooccag.exe [2009-10-31 843592]
R2 Oasis2Service;Oasis2Service;c:\program files (x86)\DDNi\Oasis2Service\Oasis2Service.exe [2011-08-14 49152]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
R2 SampleCollector;VAIO Care Performance Service;c:\program files\Sony\VAIO Care\VCPerfService.exe [2011-01-29 259192]
R2 uCamMonitor;CamMonitor;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2008-09-18 104960]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-12-09 2320920]
R2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2010-02-20 529776]
R2 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2010-02-20 386416]
R2 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe [2011-12-15 637208]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\smhwadb.sys [x]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [x]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-29 135664]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
R3 L6PODHD4;Service - Line 6 POD HD400;c:\windows\system32\Drivers\L6PODHD464.sys [x]
R3 MAFW;Service for M-Audio FireWire;c:\windows\system32\DRIVERS\mafw.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 MSSQL$DDNI;SQL Server (DDNI);c:\program files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\sqlservr.exe [2009-03-30 43010392]
R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys [x]
R3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys [x]
R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys [x]
R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys [x]
R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys [x]
R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys [x]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\DRIVERS\rdpdispm.sys [x]
R3 smhwdev;SmartPhone dummy USB PNP Device (Normal);c:\windows\system32\DRIVERS\smhwdev.sys [x]
R3 smhwser;USB Device for Legacy Serial Communication (Normal);c:\windows\system32\DRIVERS\smhwser.sys [x]
R3 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2010-09-10 108400]
R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2010-10-12 423280]
R3 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2010-09-10 67952]
R3 SpfService;VAIO Entertainment Common Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe [2011-01-20 286936]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2010-01-20 574320]
R3 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2011-01-20 887000]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2010-02-20 115568]
R3 VCService;VCService;c:\program files\Sony\VAIO Care\VCService.exe [2011-02-14 44736]
R3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update Common\VUAgent.exe [2011-09-23 1429608]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 47128]
R4 SQLAgent$DDNI;SQL Server Agent (DDNI);c:\program files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
S2 rimspci;rimspci;c:\windows\system32\drivers\rimssne64.sys [x]
S2 risdsnpe;risdsnpe;c:\windows\system32\drivers\risdsne64.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys [x]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-01 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df64.exe [2010-07-30 19:18]
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-29 00:04]
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-29 00:04]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-09 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-09 391192]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-09 411672]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-17 10060320]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"ooccctrl.exe"="c:\program files\OO Software\CleverCache\ooccctrl.exe" [2009-10-31 4313928]
"combofix"="c:\combofix\CF29391.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"combofix"="c:\combofix\CF29391.3XE" [2010-11-20 345088]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\SampleCollector]
"ImagePath"="\"c:\program files\Sony\VAIO Care\VCPerfService.exe\" \"/service\" \"/sstates\" \"/sampleinterval=5000\" \"/procinterval=5\" \"/dllinterval=120\" \"/counter=\Processor(_Total)\% Processor Time:1/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:1\" \"/counter=\Network Interface(*)\Bytes Total/sec:1\" \"/expandcounter=\Processor Information(*)\Processor Frequency:1\" \"/expandcounter=\Processor(*)\% Idle Time:1\" \"/expandcounter=\Processor(*)\% C1 Time:1\" \"/expandcounter=\Processor(*)\% C2 Time:1\" \"/expandcounter=\Processor(*)\% C3 Time:1\" \"/expandcounter=\Processor(*)\% Processor Time:1\" \"/directory=c:\programdata\Sony Corporation\VAIO Care\inteldata\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OOCC7.00.00.01PROSTATION"="67723810BDC610F285810B636A28BC79E63E7E2ACC76FEF3D4E0A7EF6DBCDA6DFD08B57CDAF74E8A05811AEB8B078187A2E53C7E436B05735E7AC05310591F4EC7F3605854192EE151724E9D60B590822D64316F9E022A89442A2344CC616DB0B28D4E7947F07C32621012DBE0715940A4FC380BD10A1FC7EDD23B1FAE5A55840F021E29765A4D67106CD2FEA6868DCA0CC33056EDE65674A8B278B461DC2BEC13CF6FFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C5D575E7D6A3B9808BA7FD869164D6794A9C6AECB7A5D1407A2D97226D213B555CB259707E194CD27CB3AC885117E3EEE26997032C6B195D19800D3464A7C6E698E0246189ADD61A587C0FE2CBE86825D54BA34D0EC6E9FFA23A28FCEFCF366AD6147EB27AF913D335E94E9E1BF9D0A2DD1984A6AC71C3207A0A0A504F925F3EE006365BF9ED41458DA3B1A12EDCE4E9594EE1AEC2F4F27FE921170F235CD7A2799E421B01AB06B9FF85CB46D590F9B5507A09C89B084AF72712FE1EE5991ADD45301A58D090F1F1A2AC574E7C43190AB07B360B40C99527026587A8EC3F898FCC50D0AAD05435E59D2E824B9A9EF21DDE6D008A735506710919152A985ED99A3FB86FA2B5DFEAB77CDD8275E32E79533EAC64ADFD4CF9AEA867F95E0644161D3760DB86594DC5D0E66507217BE9A0AF94F07EF1EC823EC1ECAEE82945A26F49D28E59680E0571E3F5DAA8DE7E0EE6C03C129596820B634CB9ACC6CEB9432AF127A767E63AC50ED2BE86A981863AB03A1E264F607A0DD971AA5AEBB5074E2BFC849CB6BB9970C1EFB323342353E00642FC998CF86414F16B18CC96A708F97A5DC63176EEFF1B2565D56CE518DA37D7B0981C67E3AAF267EBF68F8883FAF92366B0EAA2CBC455010FD64A81FB6F597098E859530B44DDE7677C2BBB871D17B1E9881FD5B15C8559C1263D398084C2A2124C94EA8D12C5DF60E9C343202A7DD580AE72FC934ED961CD1CB04BD9E7370ABB3345EBCAB96674CBCE7A9C12E97A939EA63FBD61A554C86770B12265AE90E63A99DD8D7A689A797410B87C479B931646907C9770AD69227C280FB795EE306587655F27765B32DCC5DE0DBAFA85DAC5339DB9FB30A7B6A1C788460F593C7446E8E9C072ED1FA68B5D63A5A89C681B8D6905C29A66603B8D860DB06EA26B294DD6AAA92A21977B1EE77D8D8EDA25ED18E29F83703AE60C3A2C447D4C086F3A8328727B78E2D76C2E88C73548ACC5CDC6FC295BC8A34B7B91576755B6EE88D954BE5333CC042773AE8E6B669249B18A2C41F8B52978EE52B9F490C4803C3B8555C0BDD891BD1AE1A86DDBF5C912A64CBAB06A5B3151AF90B8493A4729DD5DF456EFD2FAF141985C8AFCAA213BED6476A16C0254003753333DA31CBD0F39DA3"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-02 08:51:16 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-02 15:51
ComboFix2.txt 2012-01-02 05:23
.
Pre-Run: 431,495,483,392 bytes free
Post-Run: 431,001,370,624 bytes free
.
- - End Of File - - 0E6C492E34DF91AC990F32191ED6C914
Check out my band, Dogs of Prague

#10 Broni Re: [RESOLVED] Malware causing Black Screen of Death

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 09:30 AM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 11h 50m 50s

Posted 02 January 2012 - 04:40 PM

That looks much better.
Still one file left.
How is computer doing?

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\drivers\akqpYeGh.sys

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

Posted Image Posted Image


#11 aceharmonic Re: [RESOLVED] Malware causing Black Screen of Death

    Member

  • 21 posts
  • Joined: January 02, 2012
  • 1 topics
  • Local time: 09:30 AM
  • Zodiac:Aquarius
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 8h 7m 5s

Posted 02 January 2012 - 10:32 PM

I haven't tried to do anything outside of what you instructed and all through safe mode. After this run through ComboFix, I tried to let it reboot to normal mode and it seemed to run faster to get to the black screen after login, but still hung there. I let it sit for 10 minutes to see if it was just loading slow, but no dice; had to do a soft shutdown. I then tried to power on and go into Safe Mode with Networking; same result. I am back in regular safe mode now.

==============
ComboFix Log
==============

ComboFix 12-01-01.06 - Mike 01/02/2012 14:58:38.3.4 - x64 MINIMAL
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3766.3024 [GMT -7:00]
Running from: c:\users\Mike\Desktop\ComboFix.exe
Command switches used :: c:\users\Mike\Desktop\CFScript.txt
AV: Webroot SecureAnywhere *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
SP: Webroot SecureAnywhere *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\windows\system32\drivers\akqpYeGh.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\akqpYeGh.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-12-02 to 2012-01-02 )))))))))))))))))))))))))))))))
.
.
2012-01-02 22:04 . 2012-01-02 22:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-01 06:08 . 2012-01-01 07:55 -------- d-----w- C:\cleanup
2012-01-01 05:19 . 2012-01-01 07:55 -------- d-----w- c:\users\Admin
2011-12-15 01:26 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-15 01:26 . 2011-11-05 05:41 1188864 ----a-w- c:\windows\system32\wininet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-15 15:30 . 2011-11-23 17:35 91832 ----a-w- c:\windows\system32\WRusr.dll
2011-12-15 15:30 . 2011-11-16 02:04 141272 ----a-w- c:\windows\SysWow64\WRusr.dll
2011-12-10 22:24 . 2010-11-07 20:46 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-02_05.19.55 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-01-02 04:47 . 2012-01-02 04:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-02 15:45 . 2012-01-02 15:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-02 15:45 . 2012-01-02 15:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-01-02 04:47 . 2012-01-02 04:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WLSync"="c:\program files (x86)\Windows Live\Mesh\WLSync.exe" [2011-05-13 1449312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2009-12-24 284696]
"SmartWiHelper"="c:\program files (x86)\Sony\SmartWi Connection Utility\SmartWiHelper.exe" [2010-01-20 82944]
"ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2010-01-15 316784]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2010-01-22 597792]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"{9ABA99F9-A8FE-7E89-8E99-AE8b85E9AE9B}"="c:\program files (x86)\Cricket Broadband Connect\AvqAutoRun.exe" [2009-10-19 73728]
"M-Audio Taskbar Icon"="c:\windows\system32\MAFWTray.exe" [2009-07-29 252424]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2011-12-15 637208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"InstallShieldSetup"="c:\progra~2\INSTAL~1\{36C5B~1\setup.exe" [2011-11-08 377536]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
.
c:\users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-3-12 1125152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 GizmoDrv;Gizmo Device Driver; [x]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 Gizmo Central;Gizmo Central;c:\program files (x86)\Gizmo\gservice.exe [2010-08-29 31856]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-29 135664]
R2 HMuKstOr;Kensington TrackballWorks Orbit USB HID Device Filter Driver;c:\windows\system32\DRIVERS\HMuKstOr.sys [x]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-12-24 13336]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-25 652872]
R2 O&O CleverCache;O&O CleverCache;c:\program files\OO Software\CleverCache\ooccag.exe [2009-10-31 843592]
R2 Oasis2Service;Oasis2Service;c:\program files (x86)\DDNi\Oasis2Service\Oasis2Service.exe [2011-08-14 49152]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
R2 SampleCollector;VAIO Care Performance Service;c:\program files\Sony\VAIO Care\VCPerfService.exe [2011-01-29 259192]
R2 uCamMonitor;CamMonitor;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2008-09-18 104960]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-12-09 2320920]
R2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2010-02-20 529776]
R2 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2010-02-20 386416]
R2 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe [2011-12-15 637208]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\smhwadb.sys [x]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [x]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-29 135664]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [x]
R3 L6PODHD4;Service - Line 6 POD HD400;c:\windows\system32\Drivers\L6PODHD464.sys [x]
R3 MAFW;Service for M-Audio FireWire;c:\windows\system32\DRIVERS\mafw.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 MSSQL$DDNI;SQL Server (DDNI);c:\program files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\sqlservr.exe [2009-03-30 43010392]
R3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys [x]
R3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys [x]
R3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys [x]
R3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys [x]
R3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys [x]
R3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys [x]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\DRIVERS\rdpdispm.sys [x]
R3 smhwdev;SmartPhone dummy USB PNP Device (Normal);c:\windows\system32\DRIVERS\smhwdev.sys [x]
R3 smhwser;USB Device for Legacy Serial Communication (Normal);c:\windows\system32\DRIVERS\smhwser.sys [x]
R3 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2010-09-10 108400]
R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2010-10-12 423280]
R3 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2010-09-10 67952]
R3 SpfService;VAIO Entertainment Common Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe [2011-01-20 286936]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2010-01-20 574320]
R3 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2011-01-20 887000]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2010-02-20 115568]
R3 VCService;VCService;c:\program files\Sony\VAIO Care\VCService.exe [2011-02-14 44736]
R3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update Common\VUAgent.exe [2011-09-23 1429608]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-03-31 47128]
R4 SQLAgent$DDNI;SQL Server Agent (DDNI);c:\program files (x86)\Microsoft SQL Server\MSSQL10.DDNI\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
S2 rimspci;rimspci;c:\windows\system32\drivers\rimssne64.sys [x]
S2 risdsnpe;risdsnpe;c:\windows\system32\drivers\risdsne64.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys [x]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-01 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df64.exe [2010-07-30 19:18]
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-29 00:04]
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-29 00:04]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-09 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-09 391192]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-09 411672]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-17 10060320]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"ooccctrl.exe"="c:\program files\OO Software\CleverCache\ooccctrl.exe" [2009-10-31 4313928]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\SampleCollector]
"ImagePath"="\"c:\program files\Sony\VAIO Care\VCPerfService.exe\" \"/service\" \"/sstates\" \"/sampleinterval=5000\" \"/procinterval=5\" \"/dllinterval=120\" \"/counter=\Processor(_Total)\% Processor Time:1/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:1\" \"/counter=\Network Interface(*)\Bytes Total/sec:1\" \"/expandcounter=\Processor Information(*)\Processor Frequency:1\" \"/expandcounter=\Processor(*)\% Idle Time:1\" \"/expandcounter=\Processor(*)\% C1 Time:1\" \"/expandcounter=\Processor(*)\% C2 Time:1\" \"/expandcounter=\Processor(*)\% C3 Time:1\" \"/expandcounter=\Processor(*)\% Processor Time:1\" \"/directory=c:\programdata\Sony Corporation\VAIO Care\inteldata\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OOCC7.00.00.01PROSTATION"="67723810BDC610F285810B636A28BC79E63E7E2ACC76FEF3D4E0A7EF6DBCDA6DFD08B57CDAF74E8A05811AEB8B078187A2E53C7E436B05735E7AC05310591F4EC7F3605854192EE151724E9D60B590822D64316F9E022A89442A2344CC616DB0B28D4E7947F07C32621012DBE0715940A4FC380BD10A1FC7EDD23B1FAE5A55840F021E29765A4D67106CD2FEA6868DCA0CC33056EDE65674A8B278B461DC2BEC13CF6FFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C5D575E7D6A3B9808BA7FD869164D6794A9C6AECB7A5D1407A2D97226D213B555CB259707E194CD27CB3AC885117E3EEE26997032C6B195D19800D3464A7C6E698E0246189ADD61A587C0FE2CBE86825D54BA34D0EC6E9FFA23A28FCEFCF366AD6147EB27AF913D335E94E9E1BF9D0A2DD1984A6AC71C3207A0A0A504F925F3EE006365BF9ED41458DA3B1A12EDCE4E9594EE1AEC2F4F27FE921170F235CD7A2799E421B01AB06B9FF85CB46D590F9B5507A09C89B084AF72712FE1EE5991ADD45301A58D090F1F1A2AC574E7C43190AB07B360B40C99527026587A8EC3F898FCC50D0AAD05435E59D2E824B9A9EF21DDE6D008A735506710919152A985ED99A3FB86FA2B5DFEAB77CDD8275E32E79533EAC64ADFD4CF9AEA867F95E0644161D3760DB86594DC5D0E66507217BE9A0AF94F07EF1EC823EC1ECAEE82945A26F49D28E59680E0571E3F5DAA8DE7E0EE6C03C129596820B634CB9ACC6CEB9432AF127A767E63AC50ED2BE86A981863AB03A1E264F607A0DD971AA5AEBB5074E2BFC849CB6BB9970C1EFB323342353E00642FC998CF86414F16B18CC96A708F97A5DC63176EEFF1B2565D56CE518DA37D7B0981C67E3AAF267EBF68F8883FAF92366B0EAA2CBC455010FD64A81FB6F597098E859530B44DDE7677C2BBB871D17B1E9881FD5B15C8559C1263D398084C2A2124C94EA8D12C5DF60E9C343202A7DD580AE72FC934ED961CD1CB04BD9E7370ABB3345EBCAB96674CBCE7A9C12E97A939EA63FBD61A554C86770B12265AE90E63A99DD8D7A689A797410B87C479B931646907C9770AD69227C280FB795EE306587655F27765B32DCC5DE0DBAFA85DAC5339DB9FB30A7B6A1C788460F593C7446E8E9C072ED1FA68B5D63A5A89C681B8D6905C29A66603B8D860DB06EA26B294DD6AAA92A21977B1EE77D8D8EDA25ED18E29F83703AE60C3A2C447D4C086F3A8328727B78E2D76C2E88C73548ACC5CDC6FC295BC8A34B7B91576755B6EE88D954BE5333CC042773AE8E6B669249B18A2C41F8B52978EE52B9F490C4803C3B8555C0BDD891BD1AE1A86DDBF5C912A64CBAB06A5B3151AF90B8493A4729DD5DF456EFD2FAF141985C8AFCAA213BED6476A16C0254003753333DA31CBD0F39DA3"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-02 15:07:39
ComboFix-quarantined-files.txt 2012-01-02 22:07
ComboFix2.txt 2012-01-02 15:51
ComboFix3.txt 2012-01-02 05:23
.
Pre-Run: 431,054,852,096 bytes free
Post-Run: 430,992,175,104 bytes free
.
- - End Of File - - A1187C2AC531E110D97FD1EB60645254
Check out my band, Dogs of Prague

#12 Broni Re: [RESOLVED] Malware causing Black Screen of Death

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 09:30 AM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 11h 50m 50s

Posted 02 January 2012 - 11:10 PM

Please Boot to the System Recovery Options
If you have Windows 7 installation disc, just insert a DVD to the drive, restart computer and it should load automatically (option two presented in the article).
It's possible also that your computer has a pre-installed recovery partition instead - in such a case use a method one (by pressing F8 before Windows starts loading)...

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Choose Command Prompt
You should see X:\SOURCES>...

Execute the following commands in bold.
Press Enter after every one of them.

bootrec /fixmbr (<--- there is a "space" after "bootrec")

bootrec /fixboot (<--- there is a "space" after "bootrec")

exit

Attempt to start in normal mode.
Posted Image Posted Image


#13 aceharmonic Re: [RESOLVED] Malware causing Black Screen of Death

    Member

  • 21 posts
  • Joined: January 02, 2012
  • 1 topics
  • Local time: 09:30 AM
  • Zodiac:Aquarius
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 8h 7m 5s

Posted 03 January 2012 - 12:42 AM

Same result. Back in Safe Mode.
Check out my band, Dogs of Prague

#14 Broni Re: [RESOLVED] Malware causing Black Screen of Death

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 09:30 AM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 11h 50m 50s

Posted 03 January 2012 - 12:57 AM

While in safe mode....

Go Start>Run (Start Search in Vista), type in:
msconfig
Click OK (hit Enter in Vista).

Click on Startup tab.
Click Disable all
IMPORTANT! In case of laptop, make sure, you do NOT disable any keyboard, or touchpad entries.

Click Services tab.
Put checkmark in Hide all Microsoft services
Click Disable all.

Click OK.
Attempt restarting to Normal Mode.

NOTE. If you use different firewall, than Windows firewall, turn Windows firewall on, just for this test, since your regular firewall won't be running.
If you use Windows firewall, you're fine.

Same problem?
Posted Image Posted Image


#15 aceharmonic Re: [RESOLVED] Malware causing Black Screen of Death

    Member

  • 21 posts
  • Joined: January 02, 2012
  • 1 topics
  • Local time: 09:30 AM
  • Zodiac:Aquarius
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 8h 7m 5s

Posted 03 January 2012 - 01:09 AM

Ok...I am in normal mode, so there is some service or program that is causing it to hang. I believe next you are probably going to tell me to enable one at a time to see if I can find it and remove the program?
Check out my band, Dogs of Prague

#16 Broni Re: [RESOLVED] Malware causing Black Screen of Death

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 09:30 AM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 11h 50m 50s

Posted 03 January 2012 - 01:14 AM

It looks like you have a crystal ball....LOL....
Yes, you'll need big cup of coffee and some time :)
Posted Image Posted Image


#17 aceharmonic Re: [RESOLVED] Malware causing Black Screen of Death

    Member

  • 21 posts
  • Joined: January 02, 2012
  • 1 topics
  • Local time: 09:30 AM
  • Zodiac:Aquarius
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 8h 7m 5s

Posted 03 January 2012 - 01:22 AM

Appreciate the clean up and apologize for wasting some of your time, because I should have checked the services before. I skipped it, because this same thing happened about two months ago and the Prevx fixshell corrected the issue. This time, it did nothing.

I am going to donate to the board now. Update Webroot, MBAM, and scan. Then start checking the services. Thanks again.
Check out my band, Dogs of Prague

#18 Broni Re: [RESOLVED] Malware causing Black Screen of Death

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 09:30 AM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 11h 50m 50s

Posted 03 January 2012 - 01:24 AM

When you're done with investigating I still suggest we run some scans from normal mode.
Posted Image Posted Image


#19 aceharmonic Re: [RESOLVED] Malware causing Black Screen of Death

    Member

  • 21 posts
  • Joined: January 02, 2012
  • 1 topics
  • Local time: 09:30 AM
  • Zodiac:Aquarius
  • OS:Windows 7
  • Country:
Offline
  • Time Online: 8h 7m 5s

Posted 03 January 2012 - 01:27 AM

Sounds good. Let me get through the re-activating of services and I will update this post.
Check out my band, Dogs of Prague

#20 Broni Re: [RESOLVED] Malware causing Black Screen of Death

    Malware Annihilator

  • 24,883 posts
  • Joined: October 04, 2004
  • 1,860 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 09:30 AM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:
Online
  • Time Online: 57d 11h 50m 50s

Posted 03 January 2012 - 01:45 AM

Cool :)
Posted Image Posted Image


Back to Virus, Spyware and Malware Removal · Next Unread Topic →


4 user(s) are reading this topic

0 members, 4 guests, 0 anonymous users


This topic has been visited by 8 user(s)

  1. Smartest Computing
  2. > Security
  3. > Virus, Spyware and Malware Removal
  4. SmartestComputing rules