Author Topic: [Solved] Windows infection: please help a security newbie  (Read 6526 times)
dree12 (OP)
July 22, 2012, 09:58:10 PM
Last edit: July 24, 2012, 05:34:34 PM by dree12
 #1

My computer with Bitcoin on it has become infected.

There isn't anything of value to worry about. The wallet is encrypted and backed-up. And, I doubt the malware currently infecting the system is interested in stealing it anyways.

Right now, I'm more interested in salvaging the system (a clean install is likely to be both time-consuming and overwrite many files I didn't consider important enough to backup into my limited 4GB thumb drive).

I suspect the culprit is a rootkit. Neither Kaspersky's TDSSKiller nor Systematec's ZeroAccess rootkit killer found anything though. Malwarebytes is taking a long time to scan, and is at 2 infected objects found. I suspect Microsoft Safety Scanner has found the same two items.

How the malware bypassed UAC is unknown. The websites I visit should mostly come from the "safe sector of the net", and no websites in history are immediately suspicious. However, I do notice that "Adobe installation helper" has recently been run. This is the most likely culprit.

The symptoms of the infection are diverse. I'll try to list some of the most obvious ones below:
  • The system is extremely slow and input is often interrupted.
  • Some services are missing (not stopped, but gone): Background Intelligent Transfer, Microsoft Antispyware, Windows Update, and Windows Firewall (probably more).
  • As a consequence, MSE, Windows Firewall, and Windows Update are disabled and cannot be enabled.
  • Google and Bing search results are sometimes randomly redirected to garbage websites.

My system is a genuine Windows 7 Professional install.

Any help would be greatly appreciated.
Raoul Duke
July 22, 2012, 10:04:47 PM
 #2

Run this http://www.surfright.nl/en/hitmanpro/

No installation is needed so it may save your day
finkleshnorts
July 22, 2012, 10:30:16 PM
 #3

Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.
unclemantis
July 22, 2012, 10:38:27 PM
 #4

I really need to get around to just biting the bullet and run nothing but linux

PHP, Ruby, Rails, ASP, JavaScript, SQL
20+ years experience w/ Internet Technologies
Bitcoin OTC | GPG Public Key                                                                               thoughts?
dree12 (OP)
July 22, 2012, 11:03:33 PM
 #5

Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.
One of the advantages Bitcoin offers is greater security :).

Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.
Running GMER right now. Meanwhile, I'm copying the files I mentioned to a USB key. Hopefully this works.
amencon
July 22, 2012, 11:04:21 PM
 #6

To the best of my knowledge even "safe sector of the internet" sites sometimes let ads with malicious code slip through.  I'd recommend in the future running a browser with the no-script plugin running.  This way no script is run without your consent and knowledge.

As for your current infection Malwarebytes and combofix are a good start.  The browser hijacking may be due to a modified HOSTS file (how to reset the file http://pctechnotes.com/how-to-reset-windows-hosts-file/).

If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.
finkleshnorts
July 22, 2012, 11:11:02 PM
 #7

Same thing happened to me. I ran GMER and some other tool on it, nothing was found, but I knew I was in trouble. My credit card ended up being used at an ATM in Russia shortly after. I just switched to Linux and changed all my PINs and passwords.
One of the advantages Bitcoin offers is greater security :).

I consider myself lucky that they didn't get into my wallet or private keys (ditched those). The VISA refund was nice, too.

Good luck!
myrkul
July 22, 2012, 11:13:06 PM
 #8

To the best of my knowledge even "safe sector of the internet" sites sometimes let ads with malicious code slip through.  I'd recommend in the future running a browser with the no-script plugin running.  This way no script is run without your consent and knowledge.

This^

Ever since I switched to Firefox+Noscript, the only experiences I've had with malware of any sort is clearing it off my friends' computers.

BTC1MYRkuLv4XPBa6bGnYAronz55grPAGcxja
Need Dispute resolution? Public Key ID: 0x11D341CF
No person has the right to initiate force, threat of force, or fraud against another person or their property. VIM VI REPELLERE LICET
dree12 (OP)
July 22, 2012, 11:42:26 PM
 #9

To the best of my knowledge even "safe sector of the internet" sites sometimes let ads with malicious code slip through.  I'd recommend in the future running a browser with the no-script plugin running.  This way no script is run without your consent and knowledge.

As for your current infection Malwarebytes and combofix are a good start.  The browser hijacking may be due to a modified HOSTS file (how to reset the file http://pctechnotes.com/how-to-reset-windows-hosts-file/).

If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.
Thanks.

The hosts file is normal. The computer recently bluescreened, bringing Malwarebytes down with it (it's running again). Combofix isn't working (can't write "iexplore.exe").

I'm backing up the other important things now, in case worse goes to worse and a fresh install is necessary.
check_status
July 22, 2012, 11:43:31 PM
 #10

To get Malwarebytes to run properly, open the folder where Malwarebytes resides, rename the .exe to explorer.exe or firefox.exe.
Now Right click, run as admin, your renamed .exe. Malwarebytes should run as normal. Some infections block specific processes by name.

Malwarebytes is a specialized scanner that doesn't look for common infections so you will need another scanner to look for other issues.
WinMHR, after your Malwarebytes scan, would be a good choice. They supply all of the AV companies with samples, so their database is much more complete, but it doesn't clean, only detects known non-rootkit malware.

After running WinMHR, you may have an MD5 to compare on a site like VirusTotal in their Hash search. This will tell you which AV companies are detecting it and so which ones can clean it.

Cheers

For Bitcoin to be a true global currency the value of BTC needs always to rise.
If BTC became the global currency & money supply = 100 Trillion then ⊅1.00 BTC = $4,761,904.76.
P2Pool Server List | How To's and Guides Mega List |  1EndfedSryGUZK9sPrdvxHntYzv2EBexGA
sadpandatech
July 22, 2012, 11:51:10 PM
 #11

If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.

curious here too. malwarebytes is probably not worth messing with in this situation. Be sure to boot up in safe mode and then run Combofix and Gmer.  I noticed you said you tried tdsskiller. Have you tried running rootkit revealer? Do them all in safe mode first.

If you still are not getting anything, you can try running process explorer from MS. It often will allow you to detect 'unusual' entries that may not be obvious to the kit finders.

If all else fails, post us a copy of your Hijack This log.

cheers

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system.
- GA

It is being worked on by smart people.  -DamienBlack
check_status
July 23, 2012, 12:03:09 AM
 #12


Have you tried running rootkit revealer?
Really!! Mark still keeps this tool up to date, I thought he stopped developing it in 2008?
Do them all in safe mode first.
Some infections run even in safe mode, so this is not a solution.

dree12 (OP)
July 23, 2012, 12:08:53 AM
 #13

To get Malwarebytes to run properly, open the folder where Malwarebytes resides, rename the .exe to explorer.exe or firefox.exe.
Now Right click, run as admin, your renamed .exe. Malwarebytes should run as normal. Some infections block specific processes by name.

Malwarebytes is a specialized scanner that doesn't look for common infections so you will need another scanner to look for other issues.
WinMHR, after your Malwarebytes scan, would be a good choice. They supply all of the AV companies with samples, so their database is much more complete, but it doesn't clean, only detects known non-rootkit malware.

After running WinMHR, you may have an MD5 to compare on a site like VirusTotal in their Hash search. This will tell you which AV companies are detecting it and so which ones can clean it.

Cheers
Noted. Malwarebytes is running fine.

If malwarebytes/Combofix/GMER doesn't set you straight update the thread and let us know what still isn't working right.

Always be wary of the system in the future if you decide not to "nuke it from orbit" though.

curious here too. malwarebytes is probably not worth messing with in this situation. Be sure to boot up in safe mode and then run Combofix and Gmer.  I noticed you said you tried tdsskiller. Have you tried running rootkit revealer? Do them all in safe mode first.

If you still are not getting anything, you can try running process explorer from MS. It often will allow you to detect 'unusual' entries that may not be obvious to the kit finders.

If all else fails, post us a copy of your Hijack This log.

cheers
Rootkit revealer doesn't work on Windows 7.

Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:04:54, on 2012-07-22
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_265_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\~\AppData\Local\Temp\Temp1_ProcessExplorer.zip\procexp.exe
C:\Users\~\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [TortoiseHgOverlayIconServer] C:\Program Files\TortoiseHg\TortoiseHgOverlayServer.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep
O4 - Startup: OpenOffice.org 3.4.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MIF5BA~1\Office14\ONBttnIE.dll/105
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://www.w3.org
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {339C1EE2-1029-46B8-81F1-360217F26FC4} (PowerCreator VGAPlayer Control) - http://mms.hwjyw.com/courseware///courseware/2008-2-28/pengjunjiangzuo31204167051316/VGAPlayer.cab
O16 - DPF: {444785F1-DE89-4295-863A-D46C3A781394} - http://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D1278801-B2C0-4332-BD3E-2F64D2204EDF} (Windows Live Mesh Upload Tool) - https://www.mesh.com/0.9.4014.21/TSWeb.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

--
End of file - 6224 bytes
(edited to remove my name, which means the byte count is incorrect).

I'm wondering, is it usually good practice to move the coins to a new wallet in this situation? The wallet is encrypted with a decent passphrase.
sadpandatech
July 23, 2012, 12:21:21 AM
 #14

Do them all in safe mode first.
Some infections run even in safe mode, so this is not a solution.

It is not a solution. It's the right way to do it.

Sorry, I also did not realize this thread was supposed to be a tech support 'wang off'. ;p

sadpandatech
July 23, 2012, 12:28:43 AM
 #15

Rootkit revealer doesn't work on Windows 7.


I'm wondering, is it usually good practice to move the coins to a new wallet in this situation? The wallet is encrypted with a decent passphrase.

What is this;
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep


Nothing else stands out to me at least.

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system.
- GA

It is being worked on by smart people.  -DamienBlack
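
The autorun entry singled out in the post above can be picked out mechanically. This is an added example, not code from the thread or from HijackThis: it parses the O4 registry autorun lines of a HijackThis log and lists the entries whose code lives in a user-writable directory. The function names and the list of directory markers are assumptions made for this example, and a hit means "review this entry", not "this is malware".

```python
import ntpath
import re
from typing import Dict, List, NamedTuple

# O4 lines excerpted from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep
O4 - Startup: OpenOffice.org 3.4.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
'''

# Registry autoruns look like: O4 - <hive>\..\<key>: [<name>] <command>
# Startup-folder lines ("O4 - Startup: ...") use another layout and are skipped.
O4_REGISTRY = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): '
    r'\[(?P<name>[^\]]+)\] (?P<command>.+)$'
)

# Assumed markers for directories a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


class Autorun(NamedTuple):
    hive: str      # HKLM is machine-wide, HKCU is per-user
    key: str       # e.g. Run, RunOnce
    name: str      # value name shown in brackets
    command: str   # command line started at logon


def parse_autoruns(log: str) -> List[Autorun]:
    """Return every registry autorun (O4) entry found in a HijackThis log."""
    entries = []
    for line in log.splitlines():
        match = O4_REGISTRY.match(line.strip())
        if match:
            entries.append(Autorun(**match.groupdict()))
    return entries


def review_reasons(entry: Autorun) -> List[str]:
    """Explain why an entry deserves a closer look; empty list if it does not."""
    # Quoted segments are paths; an unquoted command is treated as one path.
    quoted = re.findall(r'"([^"]+)"', entry.command)
    paths = [p.lower() for p in (quoted or [entry.command])]
    writable = [p for p in paths if any(m in p for m in USER_WRITABLE)]
    if not writable:
        return []
    reasons = ["code path in a user-writable directory: " + writable[0]]
    if entry.hive == "HKCU":
        # The per-user Run key can be written without administrator rights.
        reasons.append("per-user Run key, writable without elevation")
    if ntpath.basename(paths[0]) == "rundll32.exe" and writable[0].endswith(".dll"):
        # The DLL is hosted by a signed system binary, so a process list
        # shows only rundll32.exe and never the DLL's own name.
        reasons.append("DLL started through rundll32.exe")
    return reasons


def triage(log: str) -> Dict[str, List[str]]:
    """Map autorun name -> reasons, for entries that need review."""
    findings = {}
    for entry in parse_autoruns(log):
        reasons = review_reasons(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The two `rundll32.exe` lines in the log's "Running processes" list are consistent with the third reason: the process list alone does not say which DLL each instance is hosting.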
sadpandatech
July 23, 2012, 12:30:57 AM
 #16

If you do feel the need to move your coins, be sure to do it from a clean computer.

Did you mention the spec on your machine?

What processor, ram, vid card?

dree12 (OP)
July 23, 2012, 12:34:45 AM
 #17

Rootkit revealer doesn't work on Windows 7.


I'm wondering, is it usually good practice to move the coins to a new wallet in this situation? The wallet is encrypted with a decent passphrase.

What is this;
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep


Nothing else stands out to me at least.
Do I "fix" it?

If you do feel the need to move your coins, be sure to do it from a clean computer.
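
The `wrorap` line questioned above is a per-user Run value that starts rundll32.exe with a DLL stored under AppData\Roaming. As an added example (not part of the thread and not HijackThis code), the Python below parses O4 autostart lines and flags that pattern, generalized slightly to regsvr32 and to images that themselves run from user-writable directories. The directory and host-binary lists are assumptions for illustration; the sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass, field

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep
O4 - Startup: OpenOffice.org 3.4.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
'''

# Assumption: locations an unprivileged process can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Assumption: Windows binaries that execute a DLL named on their command line.
HOST_BINARIES = {"rundll32.exe", "regsvr32.exe"}

RUN_RE = re.compile(r'^O4 - (?P<loc>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(r'^O4 - (?P<loc>[\w\- ]*Startup): (?P<name>.+?) = (?P<cmd>.+)$')
EXE_RE = re.compile(r'(.+?\.(?:exe|com|bat|cmd|scr))(?=\s|$)', re.I)


@dataclass
class Autostart:
    location: str          # registry key or Startup folder, as HijackThis prints it
    name: str              # value name or shortcut name
    image: str             # program that is actually started
    args: str              # remainder of the command line
    findings: list = field(default_factory=list)


def split_command(cmd):
    """Split a Windows command line into (image, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    # Unquoted paths may contain spaces: cut after the first executable extension.
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1), cmd[m.end():].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE)


def assess(image, args):
    """Return triage findings for one autostart command (leads, not verdicts)."""
    findings = []
    if in_user_writable(image):
        findings.append("image runs from a user-writable directory")
    if basename(image) in HOST_BINARIES:
        # Arguments look like  "C:\path\x.dll",Export  or  C:\path\x.dll,Export
        for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', args):
            payload = quoted or bare.split(",")[0]
            if payload and in_user_writable(payload):
                findings.append(
                    f"{basename(image)} loads {payload} from a user-writable directory")
    return findings


def scan(log_text):
    """Parse every O4 line in a HijackThis log and attach findings."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip()) or STARTUP_RE.match(line.strip())
        if not m:
            continue  # other sections (O8, O16, O23, ...) are out of scope here
        image, args = split_command(m.group("cmd"))
        entries.append(Autostart(m.group("loc"), m.group("name"), image, args,
                                 assess(image, args)))
    return entries


if __name__ == "__main__":
    for entry in scan(SAMPLE_LOG):
        status = "REVIEW" if entry.findings else "ok"
        print(f"{status:6} {entry.location} [{entry.name}] {entry.image}")
        for finding in entry.findings:
            print(f"       - {finding}")
```

A flagged entry is a lead for manual review of the file and its signature, not proof of infection; legitimate per-user software also starts from AppData.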

Did you mention the spec on your machine?

What processor, ram, vid card?
DxDiag output:
Code:
------------------
System Information
------------------
Time of this report: 7/22/2012, 20:32:16
       Machine name: ~-PC
   Operating System: Windows 7 Professional 32-bit (6.1, Build 7601) Service Pack 1 (7601.win7sp1_gdr.120330-1504)
           Language: English (Regional Setting: English)
System Manufacturer: Dell Inc.
       System Model: Inspiron 1545                   
               BIOS: Phoenix ROM BIOS PLUS Version 1.10 A07
          Processor: Pentium(R) Dual-Core CPU       T4200  @ 2.00GHz (2 CPUs), ~2.0GHz
             Memory: 3072MB RAM
Available OS Memory: 3034MB RAM
          Page File: 2120MB used, 3946MB available
        Windows Dir: C:\Windows
    DirectX Version: DirectX 11
DX Setup Parameters: Not found
   User DPI Setting: Using System DPI
 System DPI Setting: 96 DPI (100 percent)
    DWM DPI Scaling: Disabled
     DxDiag Version: 6.01.7601.17514 32bit Unicode

------------
DxDiag Notes
------------
      Display Tab 1: No problems found.
        Sound Tab 1: No problems found.
          Input Tab: No problems found.

--------------------
DirectX Debug Levels
--------------------
Direct3D:    0/4 (retail)
DirectDraw:  0/4 (retail)
DirectInput: 0/5 (retail)
DirectMusic: 0/5 (retail)
DirectPlay:  0/9 (retail)
DirectSound: 0/5 (retail)
DirectShow:  0/6 (retail)

---------------
Display Devices
---------------
          Card name: Mobile Intel(R) 4 Series Express Chipset Family
       Manufacturer: Intel Corporation
          Chip type: Mobile Intel(R) 4 Series Express Chipset Family
           DAC type: Internal
         Device Key: Enum\PCI\VEN_8086&DEV_2A42&SUBSYS_02AA1028&REV_07
     Display Memory: 1325 MB
   Dedicated Memory: 64 MB
      Shared Memory: 1261 MB
       Current Mode: 1366 x 768 (32 bit) (60Hz)
       Monitor Name: Generic PnP Monitor
      Monitor Model: unknown
         Monitor Id: SEC5441
        Native Mode: 1366 x 768(p) (59.998Hz)
        Output Type: Internal
        Driver Name: igdumdx32.dll,igd10umd32.dll
Driver File Version: 8.15.0010.2302 (English)
     Driver Version: 8.15.10.2302
        DDI Version: 10
       Driver Model: WDDM 1.1
  Driver Attributes: Final Retail
   Driver Date/Size: 2/11/2011 19:09:48, 571904 bytes
        WHQL Logo'd: Yes
    WHQL Date Stamp:
  Device Identifier: {D7B78E66-6902-11CF-667B-A022A7C2C535}
          Vendor ID: 0x8086
          Device ID: 0x2A42
          SubSys ID: 0x02AA1028
        Revision ID: 0x0007
 Driver Strong Name: oem23.inf:Intel.Mfg:iCNT0:8.15.10.2302:pci\ven_8086&dev_2a42
     Rank Of Driver: 00E62001
        Video Accel: ModeMPEG2_A ModeMPEG2_C ModeWMV9_B ModeWMV9_C ModeVC1_B ModeVC1_C
   Deinterlace Caps: {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(YUY2,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(YUY2,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(YUY2,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
                     {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(UYVY,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(UYVY,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(UYVY,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
                     {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(YV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(YV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(YV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
                     {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(NV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(NV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(NV12,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
                     {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(IMC1,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(IMC1,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(IMC1,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
                     {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(IMC2,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(IMC2,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(IMC2,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
                     {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(IMC3,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(IMC3,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(IMC3,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
                     {BF752EF6-8CC4-457A-BE1B-08BD1CAEEE9F}: Format(In/Out)=(IMC4,YUY2) Frames(Prev/Fwd/Back)=(0,0,1) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_EdgeFiltering
                     {335AA36E-7884-43A4-9C91-7F87FAF3E37E}: Format(In/Out)=(IMC4,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend DeinterlaceTech_BOBVerticalStretch
                     {5A54A0C9-C7EC-4BD9-8EDE-F3C75DC4393B}: Format(In/Out)=(IMC4,YUY2) Frames(Prev/Fwd/Back)=(0,0,0) Caps=VideoProcess_YUV2RGB VideoProcess_StretchX VideoProcess_StretchY VideoProcess_AlphaBlend
       D3D9 Overlay: Supported
            DXVA-HD: Supported
       DDraw Status: Enabled
         D3D Status: Enabled
         AGP Status: Enabled

-------------
Sound Devices
-------------
            Description: Speakers (High Definition Audio Device)
 Default Sound Playback: Yes
 Default Voice Playback: Yes
            Hardware ID: HDAUDIO\FUNC_01&VEN_111D&DEV_76B2&SUBSYS_102802AA&REV_1003
        Manufacturer ID: 1
             Product ID: 65535
                   Type: WDM
            Driver Name: HdAudio.sys
         Driver Version: 6.01.7601.17514 (English)
      Driver Attributes: Final Retail
            WHQL Logo'd: Yes
          Date and Size: 11/20/2010 06:00:21, 304128 bytes
            Other Files:
        Driver Provider: Microsoft
         HW Accel Level: Basic
              Cap Flags: 0xF1F
    Min/Max Sample Rate: 100, 200000
Static/Strm HW Mix Bufs: 1, 0
 Static/Strm HW 3D Bufs: 0, 0
              HW Memory: 0
       Voice Management: No
 EAX(tm) 2.0 Listen/Src: No, No
   I3DL2(tm) Listen/Src: No, No
Sensaura(tm) ZoomFX(tm): No

---------------------
Sound Capture Devices
---------------------
            Description: Microphone (High Definition Audio Device)
  Default Sound Capture: Yes
  Default Voice Capture: Yes
            Driver Name: HdAudio.sys
         Driver Version: 6.01.7601.17514 (English)
      Driver Attributes: Final Retail
          Date and Size: 11/20/2010 06:00:21, 304128 bytes
              Cap Flags: 0x1
           Format Flags: 0xFFFFF

-------------------
DirectInput Devices
-------------------
      Device Name: Mouse
         Attached: 1
    Controller ID: n/a
Vendor/Product ID: n/a
        FF Driver: n/a

      Device Name: Keyboard
         Attached: 1
    Controller ID: n/a
Vendor/Product ID: n/a
        FF Driver: n/a

      Device Name: Microsoft Hardware USB Mouse
         Attached: 1
    Controller ID: 0x0
Vendor/Product ID: 0x045E, 0x0745
        FF Driver: n/a

      Device Name: Micr
         Attached: 1
    Controller ID: 0x0
Vendor/Product ID: 0x045E, 0x0745
        FF Driver: n/a

      Device Name: Micr
         Attached: 1
    Controller ID: 0x0
Vendor/Product ID: 0x045E, 0x0745
        FF Driver: n/a

      Device Name: Micr
         Attached: 1
    Controller ID: 0x0
Vendor/Product ID: 0x045E, 0x0745
        FF Driver: n/a

      Device Name: Micr
         Attached: 1
    Controller ID: 0x0
Vendor/Product ID: 0x045E, 0x0745
        FF Driver: n/a

Poll w/ Interrupt: No

-----------
USB Devices
-----------
+ USB Root Hub
| Vendor/Product ID: 0x8086, 0x2936
| Matching Device ID: usb\root_hub
| Service: usbhub
| Driver: usbhub.sys, 3/24/2011 22:58:37, 258560 bytes
| Driver: usbd.sys, 3/24/2011 22:57:53, 5888 bytes

----------------
Gameport Devices
----------------

------------
PS/2 Devices
------------
+ Standard PS/2 Keyboard
| Matching Device ID: *pnp0303
| Service: i8042prt
| Driver: i8042prt.sys, 7/13/2009 19:11:24, 80896 bytes
| Driver: kbdclass.sys, 7/13/2009 21:20:36, 42576 bytes
|
+ HID Keyboard Device
| Vendor/Product ID: 0x045E, 0x0745
| Matching Device ID: hid_device_system_keyboard
| Service: kbdhid
| Driver: kbdhid.sys, 11/20/2010 05:50:10, 28160 bytes
| Driver: kbdclass.sys, 7/13/2009 21:20:36, 42576 bytes
|
+ Terminal Server Keyboard Driver
| Matching Device ID: root\rdp_kbd
| Upper Filters: kbdclass
| Service: TermDD
| Driver: i8042prt.sys, 7/13/2009 19:11:24, 80896 bytes
| Driver: kbdclass.sys, 7/13/2009 21:20:36, 42576 bytes
|
+ PS/2 Compatible Mouse
| Matching Device ID: *pnp0f13
| Service: i8042prt
| Driver: i8042prt.sys, 7/13/2009 19:11:24, 80896 bytes
| Driver: mouclass.sys, 7/13/2009 21:20:44, 41552 bytes
|
+ Microsoft USB Dual Receiver Wireless Mouse (IntelliPoint)
| Vendor/Product ID: 0x045E, 0x0745
| Matching Device ID: hid\vid_045e&pid_0745&mi_01&col01
| Upper Filters: Point32
| Service: mouhid
| Driver: point32.sys, 8/1/2011 15:56:42, 40936 bytes
| Driver: mouhid.sys, 7/13/2009 19:45:08, 26112 bytes
| Driver: mouclass.sys, 7/13/2009 21:20:44, 41552 bytes
| Driver: wdfcoinstaller01009.dll, 7/7/2010 18:18:56, 1461992 bytes
|
+ HID-compliant mouse
| Vendor/Product ID: 0x413C, 0x3016
| Matching Device ID: hid_device_system_mouse
| Service: mouhid
| Driver: mouhid.sys, 7/13/2009 19:45:08, 26112 bytes
| Driver: mouclass.sys, 7/13/2009 21:20:44, 41552 bytes
|
+ Terminal Server Mouse Driver
| Matching Device ID: root\rdp_mou
| Upper Filters: mouclass
| Service: TermDD
| Driver: termdd.sys, 11/20/2010 08:30:12, 53120 bytes
| Driver: sermouse.sys, 7/13/2009 19:45:08, 19968 bytes
| Driver: mouclass.sys, 7/13/2009 21:20:44, 41552 bytes

------------------------
Disk & DVD/CD-ROM Drives
------------------------
      Drive: C:
 Free Space: 35.9 GB
Total Space: 137.6 GB
File System: NTFS
      Model: ST9160310AS

      Drive: E:
 Free Space: 0.0 GB
Total Space: 15.0 GB
File System: NTFS
      Model: ST9160310AS

      Drive: G:
      Model: Kingston DTVault Privacy USB Device
     Driver: c:\windows\system32\drivers\cdrom.sys, 6.01.7601.17514 (English), 11/20/2010 04:38:10, 108544 bytes

      Drive: D:
      Model: Optiarc DVD+-RW AD-7580S
     Driver: c:\windows\system32\drivers\cdrom.sys, 6.01.7601.17514 (English), 11/20/2010 04:38:10, 108544 bytes

--------------
System Devices
--------------
     Name: Intel(R) ICH9 Family PCI Express Root Port 1 - 2940
Device ID: PCI\VEN_8086&DEV_2940&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E0
   Driver: C:\Windows\system32\DRIVERS\pci.sys, 6.01.7601.17514 (English), 11/20/2010 08:30:06, 153984 bytes

     Name: Intel(R) ICH9 Family USB Universal Host Controller - 2935
Device ID: PCI\VEN_8086&DEV_2935&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E9
   Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
   Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
   Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

     Name: High Definition Audio Controller
Device ID: PCI\VEN_8086&DEV_293E&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&D8
   Driver: C:\Windows\system32\DRIVERS\hdaudbus.sys, 6.01.7601.17514 (English), 11/20/2010 05:59:29, 108544 bytes

     Name: Intel(R) ICH9 Family USB Universal Host Controller - 2934
Device ID: PCI\VEN_8086&DEV_2934&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E8
   Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
   Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
   Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

     Name: Mobile Intel(R) 4 Series Express Chipset Family
Device ID: PCI\VEN_8086&DEV_2A43&SUBSYS_02AA1028&REV_07\3&18D45AA6&0&11
   Driver: n/a

     Name: Intel(R) ICH9 Family USB2 Enhanced Host Controller - 293C
Device ID: PCI\VEN_8086&DEV_293C&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&D7
   Driver: C:\Windows\system32\drivers\usbehci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:58, 43008 bytes
   Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
   Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

     Name: Intel(R) ICH9 Family SMBus Controller - 2930
Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&FB
   Driver: n/a

     Name: Mobile Intel(R) 4 Series Express Chipset Family
Device ID: PCI\VEN_8086&DEV_2A42&SUBSYS_02AA1028&REV_07\3&18D45AA6&0&10
   Driver: C:\Windows\system32\DRIVERS\igdkmd32.sys, 8.15.0010.2302 (English), 2/11/2011 19:12:16, 9036800 bytes
   Driver: C:\Windows\system32\igdumd32.dll, 8.15.0010.2302 (English), 2/11/2011 19:12:16, 4967424 bytes
   Driver: C:\Windows\system32\igkrng500.bin, 4/21/2010 18:08:14, 982240 bytes
   Driver: C:\Windows\system32\igcompkrng500.bin, 4/21/2010 18:08:14, 439308 bytes
   Driver: C:\Windows\system32\igfcg500m.bin, 4/21/2010 18:08:14, 92356 bytes
   Driver: C:\Windows\system32\iglhxs32.vp, 2/11/2011 19:42:52, 51636 bytes
   Driver: C:\Windows\system32\iglhxo32.vp, 4/21/2010 17:22:50, 60015 bytes
   Driver: C:\Windows\system32\iglhxc32.vp, 4/21/2010 17:22:50, 60226 bytes
   Driver: C:\Windows\system32\iglhxg32.vp, 4/21/2010 17:22:52, 60254 bytes
   Driver: C:\Windows\system32\iglhxa32.vp, 4/21/2010 17:22:50, 1090 bytes
   Driver: C:\Windows\system32\iglhxa32.cpa, 4/21/2010 17:22:50, 1921265 bytes
   Driver: C:\Windows\system32\iglhcp32.dll, 1.05.0002.0001 (English), 2/11/2011 18:35:00, 147456 bytes
   Driver: C:\Windows\system32\iglhsip32.dll, 1.05.0002.0001 (English), 2/11/2011 18:35:00, 208896 bytes
   Driver: C:\Windows\system32\hccutils.dll, 8.15.0010.2302 (English), 2/11/2011 18:40:48, 95232 bytes
   Driver: C:\Windows\system32\igfxsrvc.dll, 8.15.0010.2302 (English), 2/11/2011 18:41:12, 57856 bytes
   Driver: C:\Windows\system32\igfxsrvc.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:30, 267800 bytes
   Driver: C:\Windows\system32\igfxpph.dll, 8.15.0010.2302 (English), 2/11/2011 18:41:30, 195584 bytes
   Driver: C:\Windows\system32\igfxcpl.cpl, 8.15.0010.2302 (English), 2/11/2011 18:41:30, 115200 bytes
   Driver: C:\Windows\system32\igfxdev.dll, 8.15.0010.2302 (English), 2/11/2011 18:40:38, 228864 bytes
   Driver: C:\Windows\system32\igfxdo.dll, 8.15.0010.2302 (English), 2/11/2011 18:40:56, 130048 bytes
   Driver: C:\Windows\system32\igfxtray.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:32, 137752 bytes
   Driver: C:\Windows\system32\hkcmd.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:26, 171032 bytes
   Driver: C:\Windows\system32\igfxress.dll, 8.15.0010.2302 (English), 2/11/2011 18:40:38, 828928 bytes
   Driver: C:\Windows\system32\igfxpers.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:30, 172568 bytes
   Driver: C:\Windows\system32\igfxTMM.dll, 8.15.0010.2302 (English), 2/11/2011 18:41:30, 261632 bytes
   Driver: C:\Windows\system32\TVWSetup.exe, 1.00.0001.0000 (English), 2/11/2011 19:26:38, 8198680 bytes
   Driver: C:\Windows\system32\gfxSrvc.dll, 8.15.0010.2302 (English), 2/11/2011 18:40:42, 120320 bytes
   Driver: C:\Windows\system32\GfxUI.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:22, 3157528 bytes
   Driver: C:\Windows\system32\GfxUI.exe.config, 4/21/2010 17:29:46, 151 bytes
   Driver: C:\Windows\system32\IGFXDEVLib.dll, 1.00.0000.0000 (Invariant Language), 2/11/2011 18:40:40, 4096 bytes
   Driver: C:\Windows\system32\igfxext.exe, 8.15.0010.2302 (English), 2/11/2011 19:26:28, 179224 bytes
   Driver: C:\Windows\system32\igfxexps.dll, 8.15.0010.2302 (English), 2/11/2011 18:41:28, 23552 bytes
   Driver: C:\Windows\system32\igfxrara.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:00, 84480 bytes
   Driver: C:\Windows\system32\igfxrchs.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:00, 81920 bytes
   Driver: C:\Windows\system32\igfxrcht.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:00, 81920 bytes
   Driver: C:\Windows\system32\igfxrdan.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:02, 84992 bytes
   Driver: C:\Windows\system32\igfxrdeu.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:02, 86016 bytes
   Driver: C:\Windows\system32\igfxrenu.lrc, 8.15.0010.2302 (English), 2/11/2011 18:40:38, 85504 bytes
   Driver: C:\Windows\system32\igfxresn.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:08, 86528 bytes
   Driver: C:\Windows\system32\igfxrfin.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:02, 85504 bytes
   Driver: C:\Windows\system32\igfxrfra.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:02, 86528 bytes
   Driver: C:\Windows\system32\igfxrheb.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:04, 84480 bytes
   Driver: C:\Windows\system32\igfxrita.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:04, 86016 bytes
   Driver: C:\Windows\system32\igfxrjpn.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:04, 82944 bytes
   Driver: C:\Windows\system32\igfxrkor.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:06, 82944 bytes
   Driver: C:\Windows\system32\igfxrnld.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:02, 86016 bytes
   Driver: C:\Windows\system32\igfxrnor.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:06, 85504 bytes
   Driver: C:\Windows\system32\igfxrplk.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:06, 86016 bytes
   Driver: C:\Windows\system32\igfxrptb.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:06, 85504 bytes
   Driver: C:\Windows\system32\igfxrptg.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:08, 86016 bytes
   Driver: C:\Windows\system32\igfxrrus.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:08, 86016 bytes
   Driver: C:\Windows\system32\igfxrsky.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:10, 86016 bytes
   Driver: C:\Windows\system32\igfxrslv.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:10, 85504 bytes
   Driver: C:\Windows\system32\igfxrsve.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:08, 85504 bytes
   Driver: C:\Windows\system32\igfxrtha.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:10, 84992 bytes
   Driver: C:\Windows\system32\igfxrcsy.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:00, 85504 bytes
   Driver: C:\Windows\system32\igfxrell.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:04, 86528 bytes
   Driver: C:\Windows\system32\igfxrhun.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:04, 85504 bytes
   Driver: C:\Windows\system32\igfxrtrk.lrc, 8.15.0010.2302 (English), 2/11/2011 18:44:10, 85504 bytes
   Driver: C:\Windows\system32\Gfxres.ar-SA.resources, 2/11/2011 18:44:12, 139851 bytes
   Driver: C:\Windows\system32\Gfxres.cs-CZ.resources, 2/11/2011 18:44:14, 118687 bytes
   Driver: C:\Windows\system32\Gfxres.da-DK.resources, 2/11/2011 18:44:14, 114203 bytes
   Driver: C:\Windows\system32\Gfxres.de-DE.resources, 2/11/2011 18:44:16, 122651 bytes
   Driver: C:\Windows\system32\Gfxres.el-GR.resources, 2/11/2011 18:44:16, 178349 bytes
   Driver: C:\Windows\system32\Gfxres.es-ES.resources, 2/11/2011 18:44:18, 122869 bytes
   Driver: C:\Windows\system32\Gfxres.en-US.resources, 8/25/2010 20:02:24, 110156 bytes
   Driver: C:\Windows\system32\Gfxres.fi-FI.resources, 2/11/2011 18:44:20, 118639 bytes
   Driver: C:\Windows\system32\Gfxres.fr-FR.resources, 2/11/2011 18:44:20, 120742 bytes
   Driver: C:\Windows\system32\Gfxres.he-IL.resources, 2/11/2011 18:44:22, 133688 bytes
   Driver: C:\Windows\system32\Gfxres.hu-HU.resources, 2/11/2011 18:44:22, 119558 bytes
   Driver: C:\Windows\system32\Gfxres.it-IT.resources, 2/11/2011 18:44:24, 125500 bytes
   Driver: C:\Windows\system32\Gfxres.ja-JP.resources, 2/11/2011 18:44:24, 136343 bytes
   Driver: C:\Windows\system32\Gfxres.ko-KR.resources, 2/11/2011 18:44:26, 123172 bytes
   Driver: C:\Windows\system32\Gfxres.nb-NO.resources, 2/11/2011 18:44:28, 114794 bytes
   Driver: C:\Windows\system32\Gfxres.nl-NL.resources, 2/11/2011 18:44:28, 119528 bytes
   Driver: C:\Windows\system32\Gfxres.pl-PL.resources, 2/11/2011 18:44:30, 118351 bytes
   Driver: C:\Windows\system32\Gfxres.pt-BR.resources, 2/11/2011 18:44:30, 120308 bytes
   Driver: C:\Windows\system32\Gfxres.pt-PT.resources, 2/11/2011 18:44:32, 119009 bytes
   Driver: C:\Windows\system32\Gfxres.ru-RU.resources, 2/11/2011 18:44:32, 165337 bytes
   Driver: C:\Windows\system32\Gfxres.sk-SK.resources, 2/11/2011 18:44:34, 118000 bytes
   Driver: C:\Windows\system32\Gfxres.sl-SI.resources, 2/11/2011 18:44:36, 114314 bytes
   Driver: C:\Windows\system32\Gfxres.sv-SE.resources, 2/11/2011 18:44:36, 119302 bytes
   Driver: C:\Windows\system32\Gfxres.th-TH.resources, 2/11/2011 18:44:38, 189494 bytes
   Driver: C:\Windows\system32\Gfxres.tr-TR.resources, 2/11/2011 18:44:38, 121115 bytes
   Driver: C:\Windows\system32\Gfxres.zh-CN.resources, 2/11/2011 18:44:40, 102825 bytes
   Driver: C:\Windows\system32\Gfxres.zh-TW.resources, 2/11/2011 18:44:40, 103986 bytes
   Driver: C:\Windows\system32\ig4icd32.dll, 8.15.0010.2302 (English), 2/11/2011 18:51:10, 11039744 bytes
   Driver: C:\Windows\system32\igd10umd32.dll, 8.15.0010.2302 (English), 2/11/2011 19:04:40, 4411392 bytes
   Driver: C:\Windows\system32\d3dx10_40.dll, 9.24.0950.2656 (English), 8/13/2009 22:09:44, 452440 bytes
   Driver: C:\Windows\system32\igdumdx32.dll, 8.15.0010.2302 (English), 2/11/2011 19:09:48, 571904 bytes
   Driver: C:\Windows\system32\igfxCoIn_v2302.dll, 1.02.0030.0000 (English), 2/11/2011 19:20:00, 81920 bytes

     Name: Intel(R) ICH9 Family USB2 Enhanced Host Controller - 293A
Device ID: PCI\VEN_8086&DEV_293A&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&EF
   Driver: C:\Windows\system32\drivers\usbehci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:58, 43008 bytes
   Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
   Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

     Name: Intel(R) ICH9M-E/M SATA AHCI Controller
Device ID: PCI\VEN_8086&DEV_2929&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&FA
   Driver: C:\Windows\system32\DRIVERS\iaStor.sys, 10.05.0000.1029 (English), 6/15/2011 09:00:28, 461080 bytes
   Driver: C:\Windows\system32\RSTCoin.dll, 1.03.0001.0000 (English), 6/15/2011 09:20:52, 105240 bytes
   Driver: C:\Windows\RST_UI.cab, , 0 bytes

     Name: Mobile Intel(R) 4 Series Chipset Processor to DRAM Controller - 2A40
Device ID: PCI\VEN_8086&DEV_2A40&SUBSYS_02AA1028&REV_07\3&18D45AA6&0&00
   Driver: n/a

     Name: Intel(R) ICH9 Family USB Universal Host Controller - 2939
Device ID: PCI\VEN_8086&DEV_2939&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&D2
   Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
   Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
   Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

     Name: Intel(R) ICH9M LPC Interface Controller - 2919
Device ID: PCI\VEN_8086&DEV_2919&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&F8
   Driver: C:\Windows\system32\DRIVERS\msisadrv.sys, 6.01.7600.16385 (English), 7/13/2009 21:20:43, 13888 bytes

     Name: Intel(R) ICH9 Family PCI Express Root Port 5 - 2948
Device ID: PCI\VEN_8086&DEV_2948&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E4
   Driver: C:\Windows\system32\DRIVERS\pci.sys, 6.01.7601.17514 (English), 11/20/2010 08:30:06, 153984 bytes

     Name: Intel(R) ICH9 Family USB Universal Host Controller - 2938
Device ID: PCI\VEN_8086&DEV_2938&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&D1
   Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
   Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
   Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

     Name: Intel(R) 82801 PCI Bridge - 2448
Device ID: PCI\VEN_8086&DEV_2448&SUBSYS_02AA1028&REV_93\3&18D45AA6&0&F0
   Driver: C:\Windows\system32\DRIVERS\pci.sys, 6.01.7601.17514 (English), 11/20/2010 08:30:06, 153984 bytes

     Name: Intel(R) ICH9 Family PCI Express Root Port 3 - 2944
Device ID: PCI\VEN_8086&DEV_2944&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E2
   Driver: C:\Windows\system32\DRIVERS\pci.sys, 6.01.7601.17514 (English), 11/20/2010 08:30:06, 153984 bytes

     Name: Intel(R) ICH9 Family USB Universal Host Controller - 2937
Device ID: PCI\VEN_8086&DEV_2937&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&D0
   Driver: C:\Windows\system32\drivers\usbuhci.sys, 6.01.7601.17586 (English), 3/24/2011 22:57:56, 24064 bytes
   Driver: C:\Windows\system32\drivers\usbport.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:07, 284672 bytes
   Driver: C:\Windows\system32\drivers\usbhub.sys, 6.01.7601.17586 (English), 3/24/2011 22:58:37, 258560 bytes

     Name: Dell Wireless 1397 WLAN Mini-Card
Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_000C1028&REV_01\4&1B317842&0&00E1
   Driver: C:\Windows\system32\DRIVERS\BCMWL6.SYS, 5.30.0021.0000 (English), 7/8/2009 01:45:32, 2506232 bytes
   Driver: C:\Windows\system32\drivers\vwifibus.sys, 6.01.7600.16385 (English), 7/13/2009 19:52:02, 19968 bytes

     Name: Intel(R) ICH9 Family PCI Express Root Port 2 - 2942
Device ID: PCI\VEN_8086&DEV_2942&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&E1
   Driver: C:\Windows\system32\DRIVERS\pci.sys, 6.01.7601.17514 (English), 11/20/2010 08:30:06, 153984 bytes

     Name: Intel(R) ICH9 Family USB Universal Host Controller - 2936
Device ID: PCI\VEN_8086&DEV_2936&SUBSYS_02AA1028&REV_03\3&18D45AA6&0&EA
sadpandatech
July 23, 2012, 12:42:57 AM
 #18


What is this;
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep


Nothing else stands out to me at least.
Do I "fix" it?

Most definitely!  Before you go wiping it though, let's make sure it did not make any way to copy itself again.

First kill all the iexplorer.exe running in taskmanager, that's scary. ;p  And the Flash_util_activex after.

Then browse to My Computer, click the c: drive and use the search box at top right to search for wrorap.dll   What we are wanting to do is, one get a copy of it and, two find out when it was created. Please email a copy to 'titusville tech AT gmail . com  (remove spaces).
Once you know the date it was created do another file search for all files created or modified on that same date, using the advanced search functions.  Please share if you find anything. At this point also run the fix for that one file at least.

Let us know if your date modified/created search returns anything unusual.

cheers


If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system.
- GA

It is being worked on by smart people.  -DamienBlack
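
The Run entry discussed in the post above starts `rundll32.exe` at logon with a DLL stored under the user's `AppData\Roaming` folder. As an added example that is not part of any post in this thread, the following Python sketch triages HijackThis-style `O4` registry autorun lines for that pattern; apart from the `[wrorap]` line, the sample log, the directory list and the severity labels are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log: only the [wrorap] line is taken from the thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /start
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep
O4 - HKCU\..\Run: [ExampleSync] "C:\Users\~\AppData\Local\ExampleSync\sync.exe"
O4 - HKLM\..\Run: [ExamplePanel] rundll32.exe "C:\Windows\System32\example.dll",Start
'''

# Matches registry autorun lines only; "O4 - Startup:" style lines are skipped.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')   # quoted or bare command-line token
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")  # assumed list


def triage(log):
    """Return (name, payload_path, severity) for autoruns worth a second look."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(m["cmd"])]
        if not tokens:
            continue
        payload, via_rundll32 = tokens[0], False
        if PureWindowsPath(tokens[0]).name.lower() in ("rundll32", "rundll32.exe"):
            if len(tokens) > 1:
                # rundll32 syntax is <dll>,<export>: the DLL is the real payload
                payload, via_rundll32 = tokens[1].split(",")[0], True
        writable = any(d in payload.lower() for d in USER_WRITABLE)
        if via_rundll32 and writable:
            findings.append((m["name"], payload, "high"))
        elif via_rundll32 or writable:
            findings.append((m["name"], payload, "review"))
    return findings


if __name__ == "__main__":
    for name, payload, severity in triage(SAMPLE_LOG):
        print(f"{severity:6} [{name}] {payload}")
```

Entries marked "review" are common for legitimate software (per-user updaters, control-panel applets), so only the combination of both signals is rated "high".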
dree12 (OP)
July 23, 2012, 12:58:38 AM
 #19


What is this;
O4 - HKCU\..\Run: [wrorap] "C:\Windows\System32\rundll32.exe" "C:\Users\~\AppData\Roaming\wrorap.dll",SetStep


Nothing else stands out to me at least.
Do I "fix" it?

Most definitely!  Before you go wiping it though, let's make sure it did not make any way to copy itself again.

First kill all the iexplorer.exe running in taskmanager, that's scary. ;p  And the Flash_util_activex after.

Then browse to My Computer, click the c: drive and use the search box at top right to search for wrorap.dll   What we are wanting to do is, one get a copy of it and, two find out when it was created. Please email a copy to 'titusville tech AT gmail . com  (remove spaces).
Once you know the date it was created do another file search for all files created or modified on that same date, using the advanced search functions.  Please share if you find anything. At this point also run the fix for that one file at least.

Let us know if your date modified/created search returns anything unusual.

cheers


Here's the file in base64 encoding (I also sent an email, but this is more public).
Edit: There was something here, but I realized that was the quarantine. Never mind.
sadpandatech
July 23, 2012, 01:09:08 AM
 #20

Are you using a device from Midiman called M-Audio or some such via firewire?


edit; if it will let you, enable the BITS (Background Intelligent Transfer Service) service from services.msc and see if you can then access the windows update functions.
