I've had a major problem with my laptop for quite a while now.
When I launch certain programs I get the following error ->
X.exe - Application Error
The application failed to initialize properly (0xc000007b) Click OK to terminate the application.
This error comes up if I try to start my video card control program (Catalyst Control Center). It also comes up if I try to launch my mouse control program (SteelSeries Engine), and with many other .exe files/programs.
Even certain online games that use security software such as X-Trap won't run properly, as they get shut down with the error "Abnormal client detected - system might be infected".
Now I've done loads of searching and researching and come up with 4 answers.
1. Microsoft .NET framework is somehow corrupted deep in the system.
2. Microsoft Visual C++ is somehow corrupted deep in the system.
3. There is some sort of malware or worse hidden deep in the system and just jacking off the computer.
4. My hard disk is damaged/scratched.
I'm getting really desperate here and I'm tired of just accepting that certain programs won't work for me.
I use this laptop for school, work and home entertainment and I'd like to be completely sure that the fault lies with the hard disk before I replace it.
I've done deep scans with my Malwarebytes anti-malware program only to find some small time adwares but I'm sure there is some abomination in there laughing at my face every time I get an error.
I don't have a recovery cd-disk, but I have a recovery hard disk in my computer.
I ran the GMER rootkit scanner and followed the instructions, but it resulted in a BSOD with the error "xdva401.sys". So I followed the second option as instructed.
=========
DDS
=========
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.21.2
Run by Akom at 18:40:53 on 2013-04-23
Microsoft® Windows Vista Home Premium 6.0.6002.2.1252.358.1033.18.3069.1809 [GMT 3:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\STacSV.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\aestsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Windows\system32\FsUsbExService.Exe
c:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
C:\Program Files\SMINST\BLService.exe
C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_fi&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_fi&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_fi&c=91&bd=Pavilion&pf=cnnb
uProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [SteelSeries Engine] c:\program files\steelseries\steelseries engine\SteelSeriesEngine.exe
uRun: [Advanced SystemCare 6] "c:\program files\iobit\advanced systemcare 6\ASCTray.exe" /AutoStart
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Akamai NetSession Interface] "c:\users\akom\appdata\local\akamai\netsession_win.exe"
uRunOnce: [DeleteMarkAny] c:\windows\system32\masetupcleaner.exe c:\program files\markany\ContentSafer
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 193.210.19.19 192.168.252.17
TCP: Interfaces\{2CFCB727-F0E1-4DE9-B09A-2F7E6EA5F71C} : DHCPNameServer = 193.210.19.19 192.168.252.17
TCP: Interfaces\{4692153B-A67F-4633-B1E5-726619AE9ED4} : DHCPNameServer = 193.210.19.19 192.168.252.17
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - <orphaned>
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\26.0.1410.64\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\akom\appdata\roaming\mozilla\firefox\profiles\ici6h830.default\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\users\akom\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\akom\appdata\roaming\gentek\npthinclient.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_169.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll
FF - ExtSQL: 2013-03-23 17:01; jid1-QpHD8URtZWJC2A@jetpack; c:\users\akom\appdata\roaming\mozilla\firefox\profiles\ici6h830.default\extensions\jid1-QpHD8URtZWJC2A@jetpack.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2013-1-7 15672]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2012/12/24 17:26:35];c:\program files\hewlett-packard\media\dvd\000.fcl [2008-11-29 87536]
R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\iobit\advanced systemcare 6\ASCService.exe [2013-2-4 465216]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_c92065b9\AEstSrv.exe [2012-12-25 77824]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-11-16 244736]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2012-11-16 291840]
R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2013-3-29 262144]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-2-24 365952]
R2 TVCapSvc;TV Background Capture Service (TVBCS);c:\program files\hewlett-packard\media\tv\kernel\tv\TVCapSvc.exe [2008-11-27 296320]
R2 TVSched;TV Task Scheduler (TVTS);c:\program files\hewlett-packard\media\tv\kernel\tv\TVSched.exe [2008-11-27 116096]
R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2012-12-25 37944]
R3 AVerAF15;HP DVB-T TV Tuner;c:\windows\system32\drivers\AVerAF15.sys [2012-12-25 280448]
R3 busenum;SteelBusSvc;c:\windows\system32\drivers\SteelBus.sys [2012-11-12 110464]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-2-24 222512]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-9-4 54784]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2013-3-29 37344]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys [2013-1-15 72832]
R3 SAlphamHid;SteelHIDSvc;c:\windows\system32\drivers\SAlpham.sys [2012-10-15 34304]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2012-12-25 22072]
RUnknown SASKUTIL;SASKUTIL; [x]
S2 BecHelperService;BecHelperService;c:\program files\mobiililaajakaista\mobiililaajakaista\BecHelperService.exe [2012-12-25 1958272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-3-19 26168]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-2-11 398184]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-2-11 682344]
S3 apf003;apf003;c:\windows\system32\apf003.sys [2013-1-29 13232]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [2011-8-1 45288]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys [2013-1-15 102784]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2013-1-15 116736]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-12-5 109408]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-2-11 21104]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 xsherlock;xsherlock;c:\windows\system32\xsherlock.xem [2013-4-4 661600]
S4 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
.
=============== Created Last 30 ================
.
2013-04-21 00:19:23 -------- d-----w- c:\program files\TeamSpeak 3 Client
2013-04-19 13:50:19 -------- d-----w- c:\users\akom\appdata\local\Gameforge4d
2013-04-19 10:01:22 -------- d-----w- c:\windows\DEA314C409294250BC9298E4C105F28D.TMP
2013-04-19 09:25:40 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-04-18 19:11:04 -------- d-----w- c:\program files\Aeria Games
2013-04-18 18:32:11 -------- d-----w- c:\users\akom\appdata\local\Akamai
2013-04-18 18:32:10 -------- d-----w- C:\AeriaGames
2013-04-18 14:42:00 -------- d-----w- c:\users\akom\appdata\roaming\.mono
2013-04-18 13:43:29 -------- d-----w- c:\users\akom\appdata\roaming\gentek
2013-04-18 13:43:25 925328 ------w- c:\users\akom\appdata\roaming\microsoft\windows\templates\temp_launcher.exe
2013-04-15 18:21:36 -------- d-----w- c:\programdata\Stardock
2013-04-10 10:46:23 -------- d-----w- c:\programdata\BlueStacksSetup
2013-04-07 16:19:34 -------- d-----w- c:\users\akom\appdata\roaming\Mael
2013-04-07 16:19:14 -------- d-----w- c:\program files\HxD
2013-04-06 17:08:47 79256 ----a-w- c:\windows\system32\npOGPPlugin.dll
2013-04-06 17:08:46 271768 ----a-w- c:\windows\system32\OGPIEPlugin.ocx
2013-04-06 17:08:44 -------- d-----w- c:\program files\OGPlanet
2013-04-06 16:06:06 -------- d-----w- C:\GPlayOn
2013-04-05 10:40:00 -------- d-----w- c:\program files\PointMMO
2013-04-04 16:04:17 -------- d-----w- c:\program files\Pando Networks
2013-04-04 10:53:39 661600 ----a-w- c:\windows\system32\xsherlock.xem
2013-04-04 10:42:16 -------- d-----w- c:\programdata\WEBZEN
2013-04-02 16:00:34 -------- d-----w- c:\program files\BP DOWNLOADER
2013-03-29 11:00:11 -------- d-----w- c:\program files\MyFree Codec
2013-03-29 10:59:18 37344 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2013-03-29 10:59:18 262144 ----a-w- c:\windows\system32\FsUsbExService.Exe
2013-03-29 10:59:18 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2013-03-29 10:52:12 -------- d-----w- c:\program files\MarkAny
2013-03-29 10:50:35 -------- d-----w- c:\users\akom\appdata\local\Samsung
2013-03-29 10:50:33 -------- d-----w- c:\users\akom\appdata\roaming\Samsung
2013-03-29 01:58:45 4659712 ----a-w- c:\windows\system32\Redemption.dll
2013-03-29 01:57:03 -------- d-----w- c:\programdata\Samsung
2013-03-29 01:57:03 -------- d-----w- c:\program files\Samsung
.
==================== Find3M ====================
.
2013-04-13 23:17:19 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-13 23:17:19 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-06 15:56:10 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-04-06 15:56:10 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-20 08:02:20 53248 ----a-w- c:\windows\system32\MASetupCleaner.exe
2013-03-20 08:02:20 200704 ----a-w- c:\windows\system32\muzapp.exe
2013-03-14 13:44:45 967 ----a-w- c:\windows\ScUnin.pif
2013-03-14 13:44:45 122880 ----a-w- c:\windows\ScUnin.exe
2013-02-15 02:17:06 140360 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2013-02-15 02:16:59 283032 ----a-w- c:\windows\system32\PnkBstrB.xtr
2013-02-15 02:16:59 283032 ----a-w- c:\windows\system32\PnkBstrB.exe
2013-02-13 10:38:27 281120 ----a-w- c:\windows\system32\PnkBstrB.ex0
2013-02-13 10:09:28 138904 ----a-w- c:\users\akom\appdata\roaming\PnkBstrK.sys
2013-01-29 09:31:59 16304 ------w- c:\windows\system32\apl003.sys
2013-01-29 09:31:59 13232 ------w- c:\windows\system32\apf003.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 6.0.6002 Disk: WDC_WD2500BEVT-60ZCT1 rev.13.01A13 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ataport.SYS PCIIDEX.SYS msahci.sys
c:\windows\system32\drivers\hpdskflt.sys Hewlett-Packard Company Mobile Data Protection System
1 ntkrnlpa!IofCallDriver[0x82251936] -> \Device\Harddisk0\DR0[0x85F1AAC8]
3 CLASSPNP[0x807A88B3] -> ntkrnlpa!IofCallDriver[0x82251936] -> [0x85E5D6D0]
5 hpdskflt[0x8B7B5F92] -> ntkrnlpa!IofCallDriver[0x82251936] -> \Device\Ide\IdeDeviceP0T0L0-0[0x85E3C5E0]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user != kernel MBR !!!
.
============= FINISH: 18:42:28,17 ===============