Jump to content


 

Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help removing Win32:Sirefef-FQ Infection

Started by Pintglass , Feb 20 2012 05:30 PM

  • This topic is locked This topic is locked
88 replies to this topic

#1 Pintglass

Pintglass

    Member

  • Members
  • PipPip
  • 47 posts

Posted 20 February 2012 - 05:30 PM

I originally posted this here My link and have followed the guide as posted in the reply.

I had a computer infected with the Win 7 Antispyware 2012 rogue anti-spyware program which i thought i had removed by following guides on this site. The problem i have is that windows 7 can not see my network devices. The "Computer Browser" service will not start, failing with Error 1060.
I have run scans with malwarebytes which finds nothing, but when i ran a scan with aswMBR it said i was infected with the Win32:Sirefef-FQ virus.
Im not getting redirects with google searches but do get the doubleclick.net showing on the back button in internet explorer.

DDs Log

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Jase at 22:19:15 on 2012-02-20
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.4095.2657 [GMT 0:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\lxdvcoms.exe
C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files (x86)\Lexmark X5400 Series\lxdvmon.exe
C:\Program Files (x86)\Lexmark X5400 Series\lxdvamon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Speckie: {8ce7f568-67fa-4432-ba39-f5afd68e7b8b} - C:\Users\Jase\AppData\Roaming\Speckie\bin32\Speckie32.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
IE: {E6846530-6088-4AA3-932F-C6245CE59A4C} - {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - C:\Users\Jase\AppData\Roaming\Speckie\bin32\Speckie32.dll
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F504F504-EA82-4DBC-8582-2110D49DA536} : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\PKMCDO.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Speckie: {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - C:\Users\Jase\AppData\Roaming\Speckie\bin32\Speckie32.dll
BHO-X64: Speckie - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 lxdv_device;lxdv_device;C:\Windows\system32\lxdvcoms.exe -service --> C:\Windows\system32\lxdvcoms.exe -service [?]
R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-9-15 88576]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\l160x64.sys --> C:\Windows\system32\DRIVERS\l160x64.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;C:\Windows\System32\spool\DRIVERS\x64\3\lxdvserv.exe [2007-10-18 33448]
S3 atillk64;atillk64;C:\Users\Jase\Downloads\ati_winflash_2.0.1.14\atillk64.sys [2011-8-7 14608]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-8-16 1030600]
S3 HTCAND64;HTC Device Driver;C:\Windows\system32\Drivers\ANDROIDUSB.sys --> C:\Windows\system32\Drivers\ANDROIDUSB.sys [?]
S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\system32\DRIVERS\htcnprot.sys --> C:\Windows\system32\DRIVERS\htcnprot.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-7-22 61976]
S4 RsFx0103;RsFx0103 Driver;C:\Windows\system32\DRIVERS\RsFx0103.sys --> C:\Windows\system32\DRIVERS\RsFx0103.sys [?]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-3-30 427880]
.
=============== Created Last 30 ================
.
2012-02-20 17:51:33 8643640 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F65A56A2-81D4-411F-91F3-14F721093C94}\mpengine.dll
2012-02-20 17:41:07 -------- d-----w- C:\Users\Jase\AppData\Local\{B559D77D-E037-45A5-8F92-5E96C92F7119}
2012-02-20 17:40:55 -------- d-----w- C:\Users\Jase\AppData\Local\{827BF90C-4498-4975-8B95-DD915D25371F}
2012-02-18 15:08:50 -------- d-----w- C:\Users\Jase\AppData\Local\{C37D834D-4369-473D-9C8B-CDFE075877D6}
2012-02-18 15:08:39 -------- d-----w- C:\Users\Jase\AppData\Local\{351A8EB3-F2A4-43BB-870C-A5C514852567}
2012-02-14 20:19:34 -------- d-----w- C:\Users\Jase\AppData\Local\{474DDCEE-C33E-4A23-B6D5-91C0FEE81739}
2012-02-14 20:19:22 -------- d-----w- C:\Users\Jase\AppData\Local\{977A6E6F-EA3C-4858-8135-CA00364D5D05}
2012-02-11 17:06:34 -------- d-----w- C:\Users\Jase\AppData\Local\{7E66B8A8-63F7-4589-B6D9-4D71EF8ACFB7}
2012-02-11 17:06:22 -------- d-----w- C:\Users\Jase\AppData\Local\{818A883C-15C9-4B5A-9B08-6FF06B2287B1}
2012-02-10 16:05:32 -------- d-----w- C:\Users\Jase\AppData\Local\{70EF9626-6982-469E-AC2C-B958E5B9D558}
2012-02-10 16:05:20 -------- d-----w- C:\Users\Jase\AppData\Local\{5700220D-0AEC-464E-9144-EC63FC28A562}
2012-02-09 12:33:01 -------- d-----w- C:\Users\Jase\AppData\Local\{D587206C-0E11-4D1F-8BF5-2AF465E6C487}
2012-02-09 12:32:49 -------- d-----w- C:\Users\Jase\AppData\Local\{72C31B7E-77E9-4EDF-9687-A8E0EC279231}
2012-02-09 11:37:58 -------- d-----w- C:\Users\Jase\AppData\Local\{12E3C4ED-3A58-4323-8CE2-808E38997B95}
2012-02-09 11:37:45 -------- d-----w- C:\Users\Jase\AppData\Local\{0998D021-97A9-48B1-8366-52AB2A718A7A}
2012-02-08 22:26:02 -------- d-----w- C:\Users\Jase\AppData\Local\{75C39C0C-0776-4734-A3D1-F3FF2755BF36}
2012-02-08 22:25:49 -------- d-----w- C:\Users\Jase\AppData\Local\{3122B76E-8753-476A-BDDA-384A4F58C052}
2012-02-08 17:39:06 8602168 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-08 17:27:15 -------- d-sh--w- C:\$RECYCLE.BIN
2012-02-07 22:52:59 388096 ----a-r- C:\Users\Jase\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-07 22:52:59 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-02-07 22:39:23 98816 ----a-w- C:\Windows\sed.exe
2012-02-07 22:39:23 518144 ----a-w- C:\Windows\SWREG.exe
2012-02-07 22:39:23 256000 ----a-w- C:\Windows\PEV.exe
2012-02-07 22:39:23 208896 ----a-w- C:\Windows\MBR.exe
2012-02-06 22:56:42 200976 ----a-w- C:\Windows\SysWow64\drivers\tmcomm.sys
2012-02-06 22:38:37 917840 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AA707033-0E4C-4EA0-952B-8FCB204DAA27}\gapaengine.dll
2012-02-06 22:35:48 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-02-06 22:35:44 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-02-03 23:16:49 -------- d-----w- C:\Users\Jase\AppData\Roaming\SUPERAntiSpyware.com
2012-02-03 23:16:19 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-02-03 23:16:19 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-02-03 22:05:17 -------- d-----w- C:\Users\Jase\AppData\Local\{BD77A630-7E9A-4A9B-B13D-CB9B11652BE0}
2012-02-03 22:05:06 -------- d-----w- C:\Users\Jase\AppData\Local\{80C0312A-2C08-452E-947D-7F75F2084630}
2012-02-03 09:40:32 138240 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\lxdvdrpp.dll
2012-02-03 09:40:07 420352 ----a-w- C:\Windows\System32\lxdvcoin.dll
2012-02-03 09:40:07 1462272 ----a-w- C:\Windows\System32\lxdvg.dll
2012-02-02 22:23:39 -------- d-----w- C:\Users\Jase\AppData\Local\{1545D7FA-631A-4CDD-8A56-7B2F106DF114}
2012-02-02 22:23:27 -------- d-----w- C:\Users\Jase\AppData\Local\{2F076FB6-94A9-4661-AB39-F1F4ECF5F683}
2012-02-02 22:12:03 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-02-02 22:12:03 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-02-02 20:17:07 -------- d-----w- C:\Users\Jase\AppData\Local\{E1EED025-2912-4557-978F-14F409213BEC}
2012-02-01 23:30:24 -------- d-----w- C:\Users\Jase\AppData\Local\{B669E0DD-0D91-40C4-B704-D5E8E17737D9}
2012-02-01 22:53:43 -------- d-----w- C:\Users\Jase\AppData\Local\{0184948D-7E60-4403-A72E-DA73BDFD0E7A}
2012-02-01 17:38:54 -------- d-----w- C:\Windows\System32\appmgmt
2012-02-01 17:30:19 -------- d-----w- C:\ProgramData\AutoKMS
2012-02-01 02:22:02 -------- d-----w- C:\Users\Jase\AppData\Roaming\Pyexo
2012-01-30 22:54:58 -------- d-----w- C:\Users\Jase\AppData\Local\{D18EBCB2-E69C-495B-9B12-AFCC8930CBAA}
2012-01-30 22:54:47 -------- d-----w- C:\Users\Jase\AppData\Local\{24FA4D65-2A5A-4870-8290-AB354FAA3D3A}
2012-01-30 09:52:22 -------- d-----w- C:\Users\Jase\AppData\Roaming\Win7codecs
2012-01-30 09:52:20 -------- d-----w- C:\Program Files (x86)\Win7codecs
2012-01-30 09:51:22 -------- d-----w- C:\ProgramData\Win7codecs
2012-01-28 12:12:40 79360 ----a-w- C:\Windows\SysWow64\ff_vfw.dll
2012-01-28 12:10:56 48128 ----a-w- C:\Windows\SysWow64\ff_acm.acm
2012-01-27 17:44:40 -------- d-----w- C:\Program Files\iPod
2012-01-27 17:44:39 -------- d-----w- C:\Program Files\iTunes
2012-01-27 17:44:39 -------- d-----w- C:\Program Files (x86)\iTunes
2012-01-27 10:37:39 -------- d-----w- C:\Program Files\OpenCV2.3
2012-01-26 17:26:10 -------- d-----w- C:\Users\Jase\AppData\Roaming\Microsoft Corporation
2012-01-26 17:18:13 78872 ----a-w- C:\Windows\System32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2012-01-26 17:18:13 50200 ----a-w- C:\Windows\SysWow64\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2012-01-26 17:18:00 79896 ----a-w- C:\Windows\SysWow64\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2012-01-26 17:18:00 111640 ----a-w- C:\Windows\System32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2012-01-26 17:17:19 -------- d-----w- C:\Windows\System32\RsFx
2012-01-26 17:12:19 -------- d-----w- C:\Program Files\Microsoft SQL Server
2012-01-26 17:11:56 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server
2012-01-26 17:04:46 2118848 ----a-w- C:\ProgramData\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2012-01-26 16:58:43 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 10.0
2012-01-25 22:42:24 -------- d-----w- C:\Users\Jase\AppData\Local\{5CA42125-4171-4386-86A4-4B946CD7C0E6}
2012-01-25 22:42:13 -------- d-----w- C:\Users\Jase\AppData\Local\{055399D7-BA56-4DC5-A94B-670E22C77598}
2012-01-25 21:58:44 -------- d-----w- C:\Users\Jase\AppData\Roaming\HTC.388BC06ACDAB6261375BCE37FBA2E023C0D7EE34.1
2012-01-25 21:58:39 -------- d-----w- C:\Users\Jase\AppData\Local\Htc
2012-01-25 21:57:15 -------- d-----w- C:\Users\Jase\AppData\Roaming\HTC
2012-01-25 21:55:55 -------- d-----w- C:\Users\Jase\AppData\Local\Downloaded Installations
2012-01-25 21:55:41 -------- d-----w- C:\Program Files (x86)\Spirent Communications
2012-01-25 21:55:31 -------- d-----w- C:\Program Files (x86)\HTC
2012-01-25 21:35:52 -------- d-----w- C:\ruu_log
2012-01-24 22:26:40 -------- d-----w- C:\Users\Jase\AppData\Local\{EE6B0A23-0089-4D5B-B140-33F1FAACA788}
2012-01-24 14:18:04 4794880 ----a-w- C:\Windows\SysWow64\x264vfw.dll
2012-01-24 07:47:27 -------- d-----w- C:\Users\Jase\AppData\Local\{EFD16B0D-9726-4D88-A29E-E8786FC08E34}
2012-01-24 07:47:15 -------- d-----w- C:\Users\Jase\AppData\Local\{EFD6C3D0-5980-41EA-B837-9393B9D0E67C}
2012-01-23 18:12:41 -------- d-----w- C:\Users\Jase\AppData\Local\{A7B23BBD-EB1D-42F4-B5B2-E3A3D64845A6}
2012-01-23 18:12:30 -------- d-----w- C:\Users\Jase\AppData\Local\{7E822268-1D43-4EED-8939-95E98BD29468}
.
==================== Find3M ====================
.
2012-01-31 21:49:44 419840 ----a-w- C:\Windows\System32\systemcplx64.dll
2012-01-31 12:44:20 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-01-28 12:16:32 92160 ----a-w- C:\Windows\System32\ff_vfw.dll
2012-01-28 12:14:52 53760 ----a-w- C:\Windows\System32\ff_acm.acm
2012-01-24 14:17:54 4608000 ----a-w- C:\Windows\System32\x264vfw.dll
2011-12-22 22:40:00 155648 ----a-w- C:\Windows\SysWow64\ac3acm.acm
2011-12-22 22:39:48 180224 ----a-w- C:\Windows\System32\ac3acm.acm
2011-12-10 15:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-12-07 19:37:18 148992 ----a-w- C:\Windows\System32\lagarith.dll
2011-12-07 19:32:24 216064 ----a-w- C:\Windows\SysWow64\lagarith.dll
2011-11-28 12:25:46 763904 ----a-w- C:\Windows\SysWow64\lameACM.acm
.
============= FINISH: 22:19:45.39 ===============

Attached Files


Edited by Pintglass, 20 February 2012 - 05:31 PM.

 

  • BC Ads
  • BleepingComputer.com

#2 SweetTech

SweetTech

    Agent ST

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 23 February 2012 - 02:35 AM

Hello Pintglass! Welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :)

I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)

    • Because of this, you must reply within 3 days failure to reply will result in the topic being closed! I like chocolate chip cookies.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system or even taking your computer into a repair shop.

    • Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data and have means of backing up your data available.

____________________________________________________

It appears you're infected with an infection known as ZeroAccess.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:


NEXT:



Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure SKIP is selected, then click Continue => Reboot now to finish the cleaning process.

    Posted Image
  • Note: Do not choose Cure or Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


NEXT:



Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT:


Running OTL

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Copy and Paste the following code into the Posted Image textbox.
    msconfig
safebootminimal
activex
drivers32
netsvcs
"%WinDir%\$NtUninstallKB*$." /30
C:\Program Files\Common Files\ComObjects\*.* /s
%systemroot%\*. /mp /s
%systemroot%\*. /rp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.sys
atapi.sys
explorer.exe
winlogon.exe
wininit.exe
tdx.sys
/md5stop
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. TDSSKiller log.
3. Farbar Service Scanner log.
4. OTL.txt & Extras.txt logs.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.


Please let me know how the above scans go.

Kindest Regards,
Agent ST.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#3 Pintglass

Pintglass

    Member

  • Members
  • PipPip
  • 47 posts

Posted 23 February 2012 - 07:57 AM

Hello SweetTech its nice to meet you & thank you very much for helping me.


Here are my logs as requested

1) TDSSKiller

12:35:17.0823 5000 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
12:35:18.0103 5000 ============================================================
12:35:18.0103 5000 Current date / time: 2012/02/23 12:35:18.0103
12:35:18.0103 5000 SystemInfo:
12:35:18.0103 5000
12:35:18.0103 5000 OS Version: 6.1.7601 ServicePack: 1.0
12:35:18.0103 5000 Product type: Workstation
12:35:18.0103 5000 ComputerName: DESKTOP-PC
12:35:18.0103 5000 UserName: Jase
12:35:18.0103 5000 Windows directory: C:\Windows
12:35:18.0103 5000 System windows directory: C:\Windows
12:35:18.0103 5000 Running under WOW64
12:35:18.0103 5000 Processor architecture: Intel x64
12:35:18.0103 5000 Number of processors: 4
12:35:18.0103 5000 Page size: 0x1000
12:35:18.0103 5000 Boot type: Normal boot
12:35:18.0103 5000 ============================================================
12:35:19.0851 5000 Drive \Device\Harddisk1\DR1 - Size: 0x1D1C1116000 (1863.02 Gb), SectorSize: 0x200, Cylinders: 0x3B601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
12:35:19.0866 5000 Drive \Device\Harddisk0\DR0 - Size: 0x262AE80000 (152.67 Gb), SectorSize: 0x200, Cylinders: 0x4DD9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
12:35:19.0882 5000 Drive \Device\Harddisk4\DR4 - Size: 0xF500000 (0.24 Gb), SectorSize: 0x200, Cylinders: 0x1F, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
12:35:19.0897 5000 \Device\Harddisk1\DR1:
12:35:19.0897 5000 GPT used
12:35:19.0897 5000 \Device\Harddisk1\DR1\Partition0: GPT, TypeGUID: {C12A7328-F81F-11D2-BA4B-00A0C93EC93B}, UniqueGUID: {7C88C497-03ED-4C1F-94EF-71EEBD27AC6C}, Name: EFI System Partition, StartLBA 0x28, BlocksNum 0x64000
12:35:19.0897 5000 \Device\Harddisk1\DR1\Partition1: GPT, TypeGUID: {48465300-0000-11AA-AA11-00306543ECAC}, UniqueGUID: {FEE91140-7C87-4111-B709-6E8AD0A4B3D0}, Name: Mac OSX, StartLBA 0x64028, BlocksNum 0x21FE4738
12:35:19.0897 5000 \Device\Harddisk1\DR1\Partition2: GPT, TypeGUID: {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}, UniqueGUID: {B6C8EEB2-67C0-486C-883E-279F73BB771D}, Name: WINDOWS 7, StartLBA 0x22F6F800, BlocksNum 0xB93AA000
12:35:19.0897 5000 \Device\Harddisk1\DR1\Partition3: GPT, TypeGUID: {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}, UniqueGUID: {A80DC8DE-E677-41CD-9DB3-DED2EBBF4D1A}, Name: , StartLBA 0xDC319800, BlocksNum 0xBC083C0
12:35:19.0897 5000 \Device\Harddisk1\DR1\Partition4: GPT, TypeGUID: {0657FD6D-A4AB-43C4-84E5-0933C84B4F4F}, UniqueGUID: {0AA63536-45CB-45A3-90C8-70CF04BA2177}, Name: , StartLBA 0xE7F21D66, BlocksNum 0xEE6B19
12:35:19.0897 5000 \Device\Harddisk0\DR0:
12:35:19.0897 5000 MBR used
12:35:19.0897 5000 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x13153E5A
12:35:19.0897 5000 \Device\Harddisk4\DR4:
12:35:19.0913 5000 MBR used
12:35:19.0913 5000 \Device\Harddisk4\DR4\Partition0: MBR, Type 0xB, StartLBA 0x20, BlocksNum 0x7A7E0
12:35:19.0929 5000 Initialize success
12:35:19.0929 5000 ============================================================
12:35:59.0288 1064 ============================================================
12:35:59.0288 1064 Scan started
12:35:59.0288 1064 Mode: Manual; SigCheck; TDLFS;
12:35:59.0288 1064 ============================================================
12:35:59.0740 1064 1394ohci - ok
12:35:59.0756 1064 ACPI - ok
12:35:59.0756 1064 AcpiPmi - ok
12:35:59.0787 1064 adp94xx - ok
12:35:59.0802 1064 adpahci - ok
12:35:59.0802 1064 adpu320 - ok
12:35:59.0834 1064 AFD - ok
12:35:59.0834 1064 agp440 - ok
12:35:59.0834 1064 aliide - ok
12:35:59.0849 1064 amdide - ok
12:35:59.0849 1064 AmdK8 - ok
12:35:59.0880 1064 amdkmdag - ok
12:35:59.0912 1064 amdkmdap - ok
12:35:59.0912 1064 AmdPPM - ok
12:35:59.0912 1064 amdsata - ok
12:35:59.0927 1064 amdsbs - ok
12:35:59.0927 1064 amdxata - ok
12:35:59.0927 1064 AppID - ok
12:35:59.0974 1064 arc - ok
12:35:59.0974 1064 arcsas - ok
12:35:59.0990 1064 AsyncMac - ok
12:35:59.0990 1064 atapi - ok
12:35:59.0990 1064 AtcL001 - ok
12:36:00.0005 1064 AtiHDAudioService - ok
12:36:00.0021 1064 atikmdag - ok
12:36:00.0052 1064 atillk64 - ok
12:36:00.0068 1064 b06bdrv - ok
12:36:00.0099 1064 b57nd60a - ok
12:36:00.0099 1064 Beep - ok
12:36:00.0130 1064 blbdrive - ok
12:36:00.0130 1064 bowser - ok
12:36:00.0146 1064 BrFiltLo - ok
12:36:00.0146 1064 BrFiltUp - ok
12:36:00.0146 1064 BridgeMP - ok
12:36:00.0161 1064 Brserid - ok
12:36:00.0161 1064 BrSerWdm - ok
12:36:00.0161 1064 BrUsbMdm - ok
12:36:00.0161 1064 BrUsbSer - ok
12:36:00.0177 1064 BthEnum - ok
12:36:00.0177 1064 BTHMODEM - ok
12:36:00.0177 1064 BthPan - ok
12:36:00.0192 1064 BTHPORT - ok
12:36:00.0192 1064 BTHUSB - ok
12:36:00.0192 1064 cdfs - ok
12:36:00.0208 1064 cdrom - ok
12:36:00.0208 1064 circlass - ok
12:36:00.0208 1064 CLFS - ok
12:36:00.0224 1064 CmBatt - ok
12:36:00.0224 1064 cmdide - ok
12:36:00.0224 1064 CNG - ok
12:36:00.0239 1064 Compbatt - ok
12:36:00.0255 1064 CompositeBus - ok
12:36:00.0255 1064 crcdisk - ok
12:36:00.0270 1064 CSC - ok
12:36:00.0270 1064 DfsC - ok
12:36:00.0286 1064 discache - ok
12:36:00.0286 1064 Disk - ok
12:36:00.0286 1064 drmkaud - ok
12:36:00.0286 1064 DXGKrnl - ok
12:36:00.0302 1064 E1G60 - ok
12:36:00.0302 1064 ebdrv - ok
12:36:00.0302 1064 elxstor - ok
12:36:00.0317 1064 ErrDev - ok
12:36:00.0317 1064 exfat - ok
12:36:00.0317 1064 fastfat - ok
12:36:00.0333 1064 fdc - ok
12:36:00.0333 1064 FileInfo - ok
12:36:00.0333 1064 Filetrace - ok
12:36:00.0364 1064 flpydisk - ok
12:36:00.0364 1064 FltMgr - ok
12:36:00.0380 1064 FsDepends - ok
12:36:00.0380 1064 Fs_Rec - ok
12:36:00.0380 1064 fvevol - ok
12:36:00.0395 1064 gagp30kx - ok
12:36:00.0411 1064 GEARAspiWDM - ok
12:36:00.0411 1064 hcw85cir - ok
12:36:00.0426 1064 HdAudAddService - ok
12:36:00.0426 1064 HDAudBus - ok
12:36:00.0426 1064 HidBatt - ok
12:36:00.0442 1064 HidBth - ok
12:36:00.0442 1064 HidIr - ok
12:36:00.0442 1064 HidUsb - ok
12:36:00.0442 1064 HpSAMD - ok
12:36:00.0458 1064 HTCAND64 - ok
12:36:00.0458 1064 htcnprot - ok
12:36:00.0458 1064 HTTP - ok
12:36:00.0458 1064 hwpolicy - ok
12:36:00.0473 1064 i8042prt - ok
12:36:00.0473 1064 iaStorV - ok
12:36:00.0473 1064 iirsp - ok
12:36:00.0489 1064 intelide - ok
12:36:00.0489 1064 intelppm - ok
12:36:00.0489 1064 IpFilterDriver - ok
12:36:00.0489 1064 IPMIDRV - ok
12:36:00.0504 1064 IPNAT - ok
12:36:00.0504 1064 IRENUM - ok
12:36:00.0504 1064 isapnp - ok
12:36:00.0504 1064 iScsiPrt - ok
12:36:00.0504 1064 kbdclass - ok
12:36:00.0520 1064 kbdhid - ok
12:36:00.0520 1064 KSecDD - ok
12:36:00.0520 1064 KSecPkg - ok
12:36:00.0520 1064 ksthunk - ok
12:36:00.0536 1064 lltdio - ok
12:36:00.0536 1064 LSI_FC - ok
12:36:00.0551 1064 LSI_SAS - ok
12:36:00.0567 1064 LSI_SAS2 - ok
12:36:00.0567 1064 LSI_SCSI - ok
12:36:00.0567 1064 luafv - ok
12:36:00.0567 1064 megasas - ok
12:36:00.0582 1064 MegaSR - ok
12:36:00.0598 1064 Modem - ok
12:36:00.0598 1064 monitor - ok
12:36:00.0598 1064 mouclass - ok
12:36:00.0598 1064 mouhid - ok
12:36:00.0598 1064 mountmgr - ok
12:36:00.0614 1064 MpFilter - ok
12:36:00.0614 1064 mpio - ok
12:36:00.0614 1064 MpNWMon - ok
12:36:00.0614 1064 mpsdrv - ok
12:36:00.0614 1064 MRxDAV - ok
12:36:00.0614 1064 mrxsmb - ok
12:36:00.0629 1064 mrxsmb10 - ok
12:36:00.0629 1064 mrxsmb20 - ok
12:36:00.0629 1064 msahci - ok
12:36:00.0629 1064 msdsm - ok
12:36:00.0645 1064 Msfs - ok
12:36:00.0645 1064 mshidkmdf - ok
12:36:00.0645 1064 msisadrv - ok
12:36:00.0660 1064 MSKSSRV - ok
12:36:00.0660 1064 MSPCLOCK - ok
12:36:00.0660 1064 MSPQM - ok
12:36:00.0660 1064 MsRPC - ok
12:36:00.0676 1064 mssmbios - ok
12:36:00.0676 1064 MSTEE - ok
12:36:00.0692 1064 MTConfig - ok
12:36:00.0692 1064 MTsensor - ok
12:36:00.0692 1064 Mup - ok
12:36:00.0692 1064 NativeWifiP - ok
12:36:00.0707 1064 NDIS - ok
12:36:00.0707 1064 NdisCap - ok
12:36:00.0707 1064 NdisTapi - ok
12:36:00.0723 1064 Ndisuio - ok
12:36:00.0723 1064 NdisWan - ok
12:36:00.0723 1064 NDProxy - ok
12:36:00.0738 1064 NetBIOS - ok
12:36:00.0738 1064 NetBT - ok
12:36:00.0770 1064 nfrd960 - ok
12:36:00.0770 1064 NisDrv - ok
12:36:00.0785 1064 Npfs - ok
12:36:00.0785 1064 nsiproxy - ok
12:36:00.0801 1064 Ntfs - ok
12:36:00.0801 1064 NuidFltr - ok
12:36:00.0801 1064 Null - ok
12:36:00.0801 1064 nvraid - ok
12:36:00.0801 1064 nvstor - ok
12:36:00.0816 1064 nv_agp - ok
12:36:00.0816 1064 ohci1394 - ok
12:36:00.0848 1064 Parport - ok
12:36:00.0848 1064 partmgr - ok
12:36:00.0848 1064 pci - ok
12:36:00.0863 1064 pciide - ok
12:36:00.0863 1064 pcmcia - ok
12:36:00.0863 1064 pcw - ok
12:36:00.0863 1064 PEAUTH - ok
12:36:00.0894 1064 PptpMiniport - ok
12:36:00.0894 1064 Processor - ok
12:36:00.0894 1064 Psched - ok
12:36:00.0894 1064 ql2300 - ok
12:36:00.0910 1064 ql40xx - ok
12:36:00.0910 1064 QWAVEdrv - ok
12:36:00.0910 1064 RasAcd - ok
12:36:00.0910 1064 RasAgileVpn - ok
12:36:00.0926 1064 Rasl2tp - ok
12:36:00.0926 1064 RasPppoe - ok
12:36:00.0926 1064 RasSstp - ok
12:36:00.0926 1064 rdbss - ok
12:36:00.0926 1064 rdpbus - ok
12:36:00.0941 1064 RDPCDD - ok
12:36:00.0941 1064 RDPDR - ok
12:36:00.0941 1064 RDPENCDD - ok
12:36:00.0941 1064 RDPREFMP - ok
12:36:00.0957 1064 RdpVideoMiniport - ok
12:36:00.0957 1064 RDPWD - ok
12:36:00.0957 1064 rdyboost - ok
12:36:00.0972 1064 RFCOMM - ok
12:36:00.0972 1064 RsFx0103 - ok
12:36:00.0972 1064 rspndr - ok
12:36:00.0972 1064 s3cap - ok
12:36:00.0988 1064 SASDIFSV - ok
12:36:00.0988 1064 SASKUTIL - ok
12:36:00.0988 1064 sbp2port - ok
12:36:00.0988 1064 SCDEmu - ok
12:36:01.0004 1064 scfilter - ok
12:36:01.0004 1064 secdrv - ok
12:36:01.0019 1064 Serenum - ok
12:36:01.0019 1064 Serial - ok
12:36:01.0019 1064 sermouse - ok
12:36:01.0035 1064 sffdisk - ok
12:36:01.0035 1064 sffp_mmc - ok
12:36:01.0035 1064 sffp_sd - ok
12:36:01.0035 1064 sfloppy - ok
12:36:01.0035 1064 SiSRaid2 - ok
12:36:01.0050 1064 SiSRaid4 - ok
12:36:01.0050 1064 Smb - ok
12:36:01.0050 1064 spldr - ok
12:36:01.0066 1064 srv - ok
12:36:01.0066 1064 srv2 - ok
12:36:01.0066 1064 srvnet - ok
12:36:01.0082 1064 stexstor - ok
12:36:01.0082 1064 storflt - ok
12:36:01.0097 1064 storvsc - ok
12:36:01.0097 1064 swenum - ok
12:36:01.0113 1064 Synth3dVsc - ok
12:36:01.0113 1064 Tcpip - ok
12:36:01.0128 1064 TCPIP6 - ok
12:36:01.0128 1064 tcpipreg - ok
12:36:01.0128 1064 TDPIPE - ok
12:36:01.0144 1064 TDTCP - ok
12:36:01.0144 1064 tdx - ok
12:36:01.0144 1064 TermDD - ok
12:36:01.0160 1064 tssecsrv - ok
12:36:01.0160 1064 TsUsbFlt - ok
12:36:01.0160 1064 tsusbhub - ok
12:36:01.0160 1064 tunnel - ok
12:36:01.0160 1064 uagp35 - ok
12:36:01.0175 1064 udfs - ok
12:36:01.0175 1064 uliagpkx - ok
12:36:01.0175 1064 umbus - ok
12:36:01.0191 1064 UmPass - ok
12:36:01.0191 1064 USBAAPL64 - ok
12:36:01.0191 1064 usbaudio - ok
12:36:01.0191 1064 usbccgp - ok
12:36:01.0206 1064 usbcir - ok
12:36:01.0206 1064 usbehci - ok
12:36:01.0206 1064 usbhub - ok
12:36:01.0206 1064 usbohci - ok
12:36:01.0206 1064 usbprint - ok
12:36:01.0222 1064 usbscan - ok
12:36:01.0222 1064 USBSTOR - ok
12:36:01.0222 1064 usbuhci - ok
12:36:01.0222 1064 usbvideo - ok
12:36:01.0222 1064 vdrvroot - ok
12:36:01.0238 1064 vga - ok
12:36:01.0238 1064 VgaSave - ok
12:36:01.0238 1064 VGPU - ok
12:36:01.0238 1064 vhdmp - ok
12:36:01.0253 1064 viaide - ok
12:36:01.0253 1064 vmbus - ok
12:36:01.0253 1064 VMBusHID - ok
12:36:01.0253 1064 volmgr - ok
12:36:01.0253 1064 volmgrx - ok
12:36:01.0253 1064 volsnap - ok
12:36:01.0269 1064 vsmraid - ok
12:36:01.0269 1064 vwifibus - ok
12:36:01.0269 1064 WacomPen - ok
12:36:01.0284 1064 WANARP - ok
12:36:01.0284 1064 Wanarpv6 - ok
12:36:01.0284 1064 Wd - ok
12:36:01.0300 1064 Wdf01000 - ok
12:36:01.0300 1064 WfpLwf - ok
12:36:01.0316 1064 WIMMount - ok
12:36:01.0331 1064 WinUsb - ok
12:36:01.0331 1064 WmiAcpi - ok
12:36:01.0347 1064 ws2ifsl - ok
12:36:01.0362 1064 WudfPf - ok
12:36:01.0362 1064 WUDFRd - ok
12:36:01.0378 1064 xusb21 - ok
12:36:01.0394 1064 MBR (0x1B8) (bb13a4fea75050d83daee19167a247d9) \Device\Harddisk1\DR1
12:36:01.0581 1064 \Device\Harddisk1\DR1 - ok
12:36:01.0596 1064 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
12:36:01.0659 1064 \Device\Harddisk0\DR0 - ok
12:36:01.0674 1064 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk4\DR4
12:36:02.0080 1064 \Device\Harddisk4\DR4 - ok
12:36:02.0096 1064 Boot (0x1200) (7d307b81c9f87f79db5eef5803d40bc8) \Device\Harddisk1\DR1\Partition0
12:36:02.0096 1064 \Device\Harddisk1\DR1\Partition0 - ok
12:36:02.0096 1064 Boot (0x1200) (4daefc2178d7c15db95fa8f31c1ffa29) \Device\Harddisk1\DR1\Partition1
12:36:02.0096 1064 \Device\Harddisk1\DR1\Partition1 - ok
12:36:02.0096 1064 Boot (0x1200) (f502770ffc94f258a4f5a1eba46293a7) \Device\Harddisk1\DR1\Partition2
12:36:02.0111 1064 \Device\Harddisk1\DR1\Partition2 - ok
12:36:02.0111 1064 Boot (0x1200) (d54776aed2db5cc8ed19c78b0a11d11e) \Device\Harddisk1\DR1\Partition3
12:36:02.0111 1064 \Device\Harddisk1\DR1\Partition3 - ok
12:36:02.0142 1064 Boot (0x1200) (fb451de74ab20d4458ea0ca410c1bb55) \Device\Harddisk1\DR1\Partition4
12:36:02.0142 1064 \Device\Harddisk1\DR1\Partition4 - ok
12:36:02.0158 1064 Boot (0x1200) (40c93b85f018b7118e56a3ac927e597b) \Device\Harddisk0\DR0\Partition0
12:36:02.0158 1064 \Device\Harddisk0\DR0\Partition0 - ok
12:36:02.0158 1064 Boot (0x1200) (8d6414a45f8baf62c78cdc80dd50badd) \Device\Harddisk4\DR4\Partition0
12:36:02.0158 1064 \Device\Harddisk4\DR4\Partition0 - ok
12:36:02.0174 1064 ============================================================
12:36:02.0174 1064 Scan finished
12:36:02.0174 1064 ============================================================
12:36:02.0174 4768 Detected object count: 0
12:36:02.0174 4768 Actual detected object count: 0
12:36:55.0557 4968 Deinitialize success

2) Farbar service scanner

Farbar Service Scanner Version: 22-02-2012
Ran by Jase (administrator) on 23-02-2012 at 12:38:12
Running from "C:\Users\Jase\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

3) OTL log

OTL logfile created on: 23/02/2012 12:40:27 - Run 2
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Users\Jase\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 2.46 Gb Available Physical Memory | 61.59% Memory free
8.00 Gb Paging File | 6.08 Gb Available in Paging File | 76.01% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 1481.83 Gb Total Space | 1374.36 Gb Free Space | 92.75% Space Free | Partition Type: NTFS
Drive F: | 152.66 Gb Total Space | 93.13 Gb Free Space | 61.00% Space Free | Partition Type: NTFS
Drive H: | 244.01 Mb Total Space | 160.72 Mb Free Space | 65.86% Space Free | Partition Type: FAT32

Computer Name: DESKTOP-PC | User Name: Jase | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/23 12:34:50 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Users\Jase\Desktop\OTL.exe
PRC - [2012/01/03 13:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/12/20 13:32:00 | 000,634,880 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe
PRC - [2011/11/11 18:18:24 | 000,059,240 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
PRC - [2011/09/15 12:06:04 | 000,088,576 | ---- | M] () -- C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
PRC - [2010/04/12 08:40:16 | 000,180,224 | ---- | M] (PowerISO Computing, Inc.) -- C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
PRC - [2007/11/02 03:38:43 | 000,455,336 | ---- | M] () -- C:\Program Files (x86)\Lexmark X5400 Series\lxdvmon.exe
PRC - [2007/11/02 03:38:40 | 000,025,256 | ---- | M] () -- C:\Program Files (x86)\Lexmark X5400 Series\lxdvamon.exe


========== Modules (No Company Name) ==========

MOD - [2011/12/20 13:32:00 | 001,515,520 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\Maps\R66Api.dll
MOD - [2011/12/20 13:32:00 | 000,634,880 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe
MOD - [2011/12/20 13:32:00 | 000,559,244 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\sqlite3.7.dll
MOD - [2011/12/20 13:32:00 | 000,516,599 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\sqlite3.dll
MOD - [2011/12/20 13:32:00 | 000,389,120 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\htcDetect.dll
MOD - [2011/12/20 13:32:00 | 000,172,032 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\htcDetectLegend.dll
MOD - [2011/12/20 13:32:00 | 000,143,360 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\htcDisk.dll
MOD - [2011/12/20 13:32:00 | 000,103,936 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\OutputLog.dll
MOD - [2011/12/20 13:32:00 | 000,094,208 | ---- | M] () -- C:\Program Files (x86)\HTC\HTC Sync 3.0\fdHttpd.dll
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/08/17 18:50:14 | 012,432,896 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll
MOD - [2011/08/17 18:49:59 | 006,611,456 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\1e85062785e286cd9eae9c26d2c61f73\System.Data.ni.dll
MOD - [2011/08/17 18:49:55 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll
MOD - [2011/08/17 18:49:43 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\461d3b6b3f43e6fbe6c897d5936e17e4\System.Xml.ni.dll
MOD - [2011/08/17 18:49:39 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bc09ad2d49d8535371845cd7532f9271\System.Configuration.ni.dll
MOD - [2011/08/17 18:49:38 | 007,963,136 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll
MOD - [2011/08/17 18:49:18 | 011,490,304 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
MOD - [2010/11/05 01:58:05 | 002,927,616 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2007/11/02 03:38:43 | 000,455,336 | ---- | M] () -- C:\Program Files (x86)\Lexmark X5400 Series\lxdvmon.exe
MOD - [2007/11/02 03:38:40 | 000,025,256 | ---- | M] () -- C:\Program Files (x86)\Lexmark X5400 Series\lxdvamon.exe
MOD - [2007/10/08 04:59:24 | 000,036,864 | ---- | M] () -- C:\Program Files (x86)\Lexmark X5400 Series\app4r.monitor.core.dll
MOD - [2007/10/08 04:59:24 | 000,028,672 | ---- | M] () -- C:\Program Files (x86)\Lexmark X5400 Series\app4r.monitor.common.dll
MOD - [2007/10/08 04:58:32 | 000,057,344 | ---- | M] () -- C:\Program Files (x86)\Lexmark X5400 Series\app4r.devmons.mcmdevmon.dll
MOD - [2007/09/06 16:38:30 | 000,278,528 | ---- | M] () -- C:\Program Files (x86)\Lexmark X5400 Series\lxdvscw.dll
MOD - [2007/08/10 02:12:14 | 000,011,776 | ---- | M] () -- C:\Program Files (x86)\Lexmark X5400 Series\app4r.devmons.mcmdevmon.autoplayutil.dll
MOD - [2007/07/20 07:30:02 | 000,188,416 | ---- | M] () -- C:\Program Files (x86)\Lexmark X5400 Series\lxdvdatr.dll
MOD - [2006/12/28 10:47:42 | 000,073,728 | ---- | M] () -- C:\Program Files (x86)\Lexmark X5400 Series\lxdvcats.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/08/16 15:46:57 | 001,030,600 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe -- (FLEXnet Licensing Service 64)
SRV:64bit: - [2011/08/11 23:38:04 | 000,140,672 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2011/07/28 21:35:34 | 000,204,288 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2011/04/27 17:21:18 | 000,288,272 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2011/04/27 17:21:18 | 000,012,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2009/07/14 01:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2007/10/18 16:54:06 | 001,044,136 | ---- | M] ( ) [Auto | Running] -- C:\Windows\SysNative\lxdvcoms.exe -- (lxdv_device)
SRV:64bit: - [2007/10/18 16:53:58 | 000,033,448 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\spool\DRIVERS\x64\3\\lxdvserv.exe -- (lxdvCATSCustConnectService)
SRV - [2012/01/03 13:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/09/15 12:06:04 | 000,088,576 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 21:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2007/10/18 16:53:54 | 000,594,600 | ---- | M] ( ) [Auto | Running] -- C:\Windows\SysWow64\lxdvcoms.exe -- (lxdv_device)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/08/02 17:38:56 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2011/07/28 22:23:16 | 009,980,416 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2011/07/28 22:23:16 | 009,980,416 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/07/28 20:54:10 | 000,309,248 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011/07/22 16:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2011/07/12 21:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2011/06/06 22:07:00 | 000,231,440 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2011/04/27 15:25:24 | 000,084,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2011/03/11 06:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 06:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 13:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 11:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 11:03:42 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2010/06/25 16:08:10 | 000,036,928 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\htcnprot.sys -- (htcnprot)
DRV:64bit: - [2010/04/12 08:55:00 | 000,091,568 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\scdemu.sys -- (SCDEmu)
DRV:64bit: - [2009/11/02 18:16:50 | 000,033,736 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ANDROIDUSB.sys -- (HTCAND64)
DRV:64bit: - [2009/08/21 01:52:10 | 000,079,976 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\xusb21.sys -- (xusb21)
DRV:64bit: - [2009/07/14 01:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 01:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 01:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/25 02:14:46 | 000,058,368 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\l160x64.sys -- (AtcL001)
DRV:64bit: - [2009/06/10 20:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 20:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 20:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 20:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/05/09 00:14:20 | 000,015,752 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nuidfltr.sys -- (NuidFltr)
DRV:64bit: - [2005/03/29 00:30:38 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV - [2009/07/14 01:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2006/07/19 17:04:00 | 000,014,608 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Users\Jase\Downloads\ati_winflash_2.0.1.14\atillk64.sys -- (atillk64)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-793449266-2017018900-3416318726-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-793449266-2017018900-3416318726-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
IE - HKU\S-1-5-21-793449266-2017018900-3416318726-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B2 B3 6C 71 CD EC CC 01 [binary data]
IE - HKU\S-1-5-21-793449266-2017018900-3416318726-1001\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKU\S-1-5-21-793449266-2017018900-3416318726-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-793449266-2017018900-3416318726-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\3.0.40818.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2011/12/22 16:11:00 | 000,000,833 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Speckie) - {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - C:\Users\Jase\AppData\Roaming\Speckie\bin64\Speckie64.dll (Versoworks Pty Ltd)
O2:64bit: - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O2 - BHO: (Speckie) - {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - C:\Users\Jase\AppData\Roaming\Speckie\bin32\Speckie32.dll (Versoworks Pty Ltd)
O3 - HKU\S-1-5-21-793449266-2017018900-3416318726-1001\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4:64bit: - HKLM..\Run: [lxdvamon] C:\Program Files (x86)\Lexmark X5400 Series\lxdvamon.exe ()
O4:64bit: - HKLM..\Run: [lxdvmon.exe] C:\Program Files (x86)\Lexmark X5400 Series\lxdvmon.exe ()
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [XboxStat] C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe (Microsoft Corporation)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [HTC Sync Loader] C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe ()
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-21-793449266-2017018900-3416318726-1001..\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe (Apple Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-793449266-2017018900-3416318726-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-793449266-2017018900-3416318726-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-793449266-2017018900-3416318726-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8:64bit: - Extra context menu item: Lookup on Merriam Webster - Reg Error: Value error. File not found
O8:64bit: - Extra context menu item: Lookup on Wikipedia - Reg Error: Value error. File not found
O8 - Extra context menu item: Lookup on Merriam Webster - Reg Error: Value error. File not found
O8 - Extra context menu item: Lookup on Wikipedia - Reg Error: Value error. File not found
O9:64bit: - Extra 'Tools' menuitem : Speckie Settings - {E6846530-6088-4AA3-932F-C6245CE59A4C} - C:\Users\Jase\AppData\Roaming\Speckie\bin64\Speckie64.dll (Versoworks Pty Ltd)
O9 - Extra 'Tools' menuitem : Speckie Settings - {E6846530-6088-4AA3-932F-C6245CE59A4C} - C:\Users\Jase\AppData\Roaming\Speckie\bin32\Speckie32.dll (Versoworks Pty Ltd)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F504F504-EA82-4DBC-8582-2110D49DA536}: DhcpNameServer = 192.168.0.1
O18:64bit: - Protocol\Handler\cdo - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/08/16 21:14:05 | 000,000,000 | ---D | M] - F:\Autocad Templates -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


SafeBootMin:64bit: !SASCORE - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE (SUPERAntiSpyware.com)
SafeBootMin:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SafeBootMin:64bit: Base - Driver Group
SafeBootMin:64bit: Boot Bus Extender - Driver Group
SafeBootMin:64bit: Boot file system - Driver Group
SafeBootMin:64bit: File system - Driver Group
SafeBootMin:64bit: Filter - Driver Group
SafeBootMin:64bit: HelpSvc - Service
SafeBootMin:64bit: MsMpSvc - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SafeBootMin:64bit: PCI Configuration - Driver Group
SafeBootMin:64bit: PNP Filter - Driver Group
SafeBootMin:64bit: Primary disk - Driver Group
SafeBootMin:64bit: sacsvr - Service
SafeBootMin:64bit: SCSI Class - Driver Group
SafeBootMin:64bit: System Bus Extender - Driver Group
SafeBootMin:64bit: vmms - Service
SafeBootMin:64bit: WinDefend - Service
SafeBootMin:64bit: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin:64bit: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin:64bit: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin:64bit: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin:64bit: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin:64bit: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin:64bit: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin:64bit: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin:64bit: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin:64bit: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin:64bit: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin:64bit: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin:64bit: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin:64bit: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin:64bit: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin:64bit: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin:64bit: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vmms - Service
SafeBootMin: WinDefend - Service
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX:64bit: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX:64bit: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX:64bit: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX:64bit: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX:64bit: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX:64bit: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX:64bit: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX:64bit: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX:64bit: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX:64bit: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX:64bit: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX:64bit: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
ActiveX:64bit: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX:64bit: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX:64bit: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX:64bit: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX:64bit: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX:64bit: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX:64bit: {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
ActiveX:64bit: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX:64bit: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
ActiveX:64bit: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32:64bit: msacm.aacacm - AACACM.acm (fccHandler)
Drivers32:64bit: msacm.ac3acm - ac3acm.acm (fccHandler)
Drivers32:64bit: msacm.ac3filter - ac3filter.acm ()
Drivers32:64bit: msacm.avis - ff_acm.acm ()
Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32:64bit: msacm.l3pacm - l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32:64bit: msacm.lameacm - lameACM.acm (http://www.mp3dev.org/)
Drivers32:64bit: VIDC.FFDS - ff_vfw.dll ()
Drivers32:64bit: VIDC.LAGS - lagarith.dll ( )
Drivers32:64bit: vidc.x264 - x264vfw.dll ()
Drivers32: msacm.aacacm - C:\Windows\SysWow64\AACACM.acm (fccHandler)
Drivers32: msacm.ac3acm - C:\Windows\SysWow64\ac3acm.acm (fccHandler)
Drivers32: msacm.ac3filter - C:\Windows\SysWow64\ac3filter.acm ()
Drivers32: msacm.avis - C:\Windows\SysWow64\ff_acm.acm ()
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3pacm - C:\Windows\SysWow64\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\Windows\SysWow64\lameACM.acm (http://www.mp3dev.org/)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
Drivers32: VIDC.FFDS - C:\Windows\SysWow64\ff_vfw.dll ()
Drivers32: VIDC.LAGS - C:\Windows\SysWow64\lagarith.dll ( )
Drivers32: VIDC.X264 - C:\Windows\SysWow64\x264vfw.dll ()

NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2012/02/23 12:34:50 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Users\Jase\Desktop\OTL.exe
[2012/02/23 12:33:39 | 002,060,336 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Jase\Desktop\tdsskiller.exe
[2012/02/20 17:46:24 | 004,729,344 | ---- | C] (AVAST Software) -- C:\Users\Jase\Desktop\aswMBR.exe
[2012/02/20 17:41:07 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{B559D77D-E037-45A5-8F92-5E96C92F7119}
[2012/02/20 17:40:55 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{827BF90C-4498-4975-8B95-DD915D25371F}
[2012/02/18 15:08:50 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{C37D834D-4369-473D-9C8B-CDFE075877D6}
[2012/02/18 15:08:39 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{351A8EB3-F2A4-43BB-870C-A5C514852567}
[2012/02/14 20:19:34 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{474DDCEE-C33E-4A23-B6D5-91C0FEE81739}
[2012/02/14 20:19:22 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{977A6E6F-EA3C-4858-8135-CA00364D5D05}
[2012/02/11 17:06:34 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{7E66B8A8-63F7-4589-B6D9-4D71EF8ACFB7}
[2012/02/11 17:06:22 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{818A883C-15C9-4B5A-9B08-6FF06B2287B1}
[2012/02/10 16:05:32 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{70EF9626-6982-469E-AC2C-B958E5B9D558}
[2012/02/10 16:05:20 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{5700220D-0AEC-464E-9144-EC63FC28A562}
[2012/02/09 12:33:01 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{D587206C-0E11-4D1F-8BF5-2AF465E6C487}
[2012/02/09 12:32:49 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{72C31B7E-77E9-4EDF-9687-A8E0EC279231}
[2012/02/09 11:37:58 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{12E3C4ED-3A58-4323-8CE2-808E38997B95}
[2012/02/09 11:37:45 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{0998D021-97A9-48B1-8366-52AB2A718A7A}
[2012/02/08 22:26:02 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{75C39C0C-0776-4734-A3D1-F3FF2755BF36}
[2012/02/08 22:25:49 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{3122B76E-8753-476A-BDDA-384A4F58C052}
[2012/02/08 17:27:15 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/02/07 22:52:59 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2012/02/07 22:52:59 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2012/02/07 22:47:05 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/02/07 22:39:23 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/02/07 22:39:23 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/02/07 22:39:23 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/02/07 22:39:15 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/02/06 22:56:42 | 000,200,976 | ---- | C] (Trend Micro Inc.) -- C:\Windows\SysWow64\drivers\tmcomm.sys
[2012/02/06 22:35:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2012/02/06 22:35:44 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/02/03 23:16:49 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Roaming\SUPERAntiSpyware.com
[2012/02/03 23:16:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2012/02/03 23:16:19 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012/02/03 23:16:19 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/02/03 22:05:17 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{BD77A630-7E9A-4A9B-B13D-CB9B11652BE0}
[2012/02/03 22:05:06 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{80C0312A-2C08-452E-947D-7F75F2084630}
[2012/02/03 09:40:07 | 001,462,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\lxdvg.dll
[2012/02/03 09:38:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lexmark X5400 Series
[2012/02/03 09:38:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Lexmark X5400 Series
[2012/02/03 09:38:21 | 000,715,264 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysNative\lxdvutil.dll
[2012/02/03 09:38:20 | 000,129,024 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysNative\lxdvjswr.dll
[2012/02/03 09:38:19 | 000,235,520 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysNative\lxdvins.dll
[2012/02/03 09:38:19 | 000,183,808 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysNative\lxdvinsb.dll
[2012/02/03 09:38:19 | 000,090,624 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysNative\lxdvinsr.dll
[2012/02/03 09:38:18 | 000,983,121 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\lxdvgf.dll
[2012/02/03 09:38:18 | 000,102,400 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysNative\lxdvcu.dll
[2012/02/03 09:38:18 | 000,073,216 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysNative\lxdvcub.dll
[2012/02/03 09:38:18 | 000,022,528 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysNative\lxdvcur.dll
[2012/02/03 09:38:17 | 000,065,536 | ---- | C] (Lexmark International) -- C:\Windows\SysNative\LXDVcfg.dll
[2012/02/03 09:38:14 | 000,000,000 | ---D | C] -- C:\Program Files\Lexmark X5400 Series
[2012/02/02 22:23:39 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{1545D7FA-631A-4CDD-8A56-7B2F106DF114}
[2012/02/02 22:23:27 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{2F076FB6-94A9-4661-AB39-F1F4ECF5F683}
[2012/02/02 22:12:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2012/02/02 22:12:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012/02/02 22:12:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2012/02/02 20:17:07 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{E1EED025-2912-4557-978F-14F409213BEC}
[2012/02/02 17:11:30 | 000,000,000 | ---D | C] -- C:\ProgramData\X5400 Series
[2012/02/02 17:11:19 | 000,983,121 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\lxdvgf.dll
[2012/02/02 17:11:19 | 000,503,808 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysWow64\lxdvutil.dll
[2012/02/02 17:11:19 | 000,200,704 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysWow64\lxdvinsb.dll
[2012/02/02 17:11:19 | 000,176,128 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysWow64\lxdvins.dll
[2012/02/02 17:11:19 | 000,143,360 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysWow64\lxdvjswr.dll
[2012/02/02 17:11:19 | 000,126,976 | ---- | C] (Lexmark International Inc.) -- C:\Windows\SysWow64\lxdvlnks.dll
[2012/02/02 17:11:19 | 000,106,496 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysWow64\lxdvinsr.dll
[2012/02/02 17:11:19 | 000,090,112 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysWow64\lxdvcub.dll
[2012/02/02 17:11:19 | 000,077,906 | ---- | C] (Lexmark International) -- C:\Windows\SysWow64\LXDVcfg.dll
[2012/02/02 17:11:19 | 000,077,824 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysWow64\lxdvcu.dll
[2012/02/02 17:11:19 | 000,036,864 | ---- | C] (Lexmark International, Inc.) -- C:\Windows\SysWow64\lxdvcur.dll
[2012/02/01 23:30:24 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{B669E0DD-0D91-40C4-B704-D5E8E17737D9}
[2012/02/01 22:53:43 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{0184948D-7E60-4403-A72E-DA73BDFD0E7A}
[2012/02/01 18:16:15 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/02/01 17:38:54 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\appmgmt
[2012/02/01 17:30:19 | 000,000,000 | ---D | C] -- C:\ProgramData\AutoKMS
[2012/02/01 07:39:18 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2012/02/01 02:22:02 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Roaming\Pyexo
[2012/01/30 22:54:58 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{D18EBCB2-E69C-495B-9B12-AFCC8930CBAA}
[2012/01/30 22:54:47 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{24FA4D65-2A5A-4870-8290-AB354FAA3D3A}
[2012/01/30 09:53:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft
[2012/01/30 09:53:21 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Roaming\Shark007
[2012/01/30 09:53:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Shark007
[2012/01/30 09:53:18 | 001,574,400 | ---- | C] (MPC-HC Team) -- C:\Windows\SysNative\VSFilter.dll
[2012/01/30 09:53:18 | 000,548,864 | ---- | C] (http://www.mp3dev.org/) -- C:\Windows\SysNative\lameacm.acm
[2012/01/30 09:53:18 | 000,360,960 | ---- | C] (fccHandler) -- C:\Windows\SysNative\aacacm.acm
[2012/01/30 09:53:18 | 000,180,224 | ---- | C] (fccHandler) -- C:\Windows\SysNative\ac3acm.acm
[2012/01/30 09:53:18 | 000,124,909 | ---- | C] (Open Source Software community project) -- C:\Windows\SysNative\pthreadGC2.dll
[2012/01/30 09:53:18 | 000,000,000 | ---D | C] -- C:\Program Files\Shark007
[2012/01/30 09:52:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shark007 Codecs
[2012/01/30 09:52:22 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Roaming\Win7codecs
[2012/01/30 09:52:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Win7codecs
[2012/01/30 09:51:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Win7codecs
[2012/01/27 17:45:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/01/27 17:44:40 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/01/27 17:44:39 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/01/27 17:44:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[2012/01/27 10:37:39 | 000,000,000 | ---D | C] -- C:\Program Files\OpenCV2.3
[2012/01/26 17:26:10 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Roaming\Microsoft Corporation
[2012/01/26 17:18:13 | 000,078,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
[2012/01/26 17:18:13 | 000,050,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
[2012/01/26 17:18:00 | 000,111,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
[2012/01/26 17:18:00 | 000,079,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
[2012/01/26 17:17:19 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\RsFx
[2012/01/26 17:16:44 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio 9.0
[2012/01/26 17:16:24 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2012/01/26 17:12:19 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server
[2012/01/26 17:11:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft SQL Server
[2012/01/26 17:07:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight 3 SDK
[2012/01/26 17:07:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight
[2012/01/26 16:58:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio 10.0
[2012/01/26 16:56:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio 9.0
[2012/01/26 16:56:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft SDKs
[2012/01/25 22:42:24 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{5CA42125-4171-4386-86A4-4B946CD7C0E6}
[2012/01/25 22:42:13 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{055399D7-BA56-4DC5-A94B-670E22C77598}
[2012/01/25 22:02:30 | 000,000,000 | ---D | C] -- C:\Users\Jase\Documents\My Photos
[2012/01/25 22:02:30 | 000,000,000 | ---D | C] -- C:\Users\Jase\Documents\My Documents
[2012/01/25 21:58:44 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Roaming\HTC.388BC06ACDAB6261375BCE37FBA2E023C0D7EE34.1
[2012/01/25 21:58:39 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\Htc
[2012/01/25 21:57:15 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Roaming\HTC
[2012/01/25 21:56:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HTC Sync
[2012/01/25 21:55:55 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\Downloaded Installations
[2012/01/25 21:55:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HTC
[2012/01/25 21:55:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spirent Communications
[2012/01/25 21:55:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\HTC
[2012/01/25 21:55:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe AIR
[2012/01/25 21:35:52 | 000,000,000 | ---D | C] -- C:\ruu_log
[2012/01/24 22:26:40 | 000,000,000 | ---D | C] -- C:\Users\Jase\AppData\Local\{EE6B0A23-0089-4D5B-B140-33F1FAACA788}

========== Files - Modified Within 30 Days ==========

[2012/02/23 12:42:04 | 000,016,448 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/23 12:42:04 | 000,016,448 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/23 12:34:50 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Users\Jase\Desktop\OTL.exe
[2012/02/23 12:34:16 | 000,337,133 | ---- | M] () -- C:\Users\Jase\Desktop\FSS.exe
[2012/02/23 12:33:39 | 002,060,336 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Jase\Desktop\tdsskiller.exe
[2012/02/23 12:26:52 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/23 12:26:49 | 3220,525,056 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/22 22:47:53 | 003,407,872 | ---- | M] () -- C:\Users\Jase\Documents\DailyLogTest Try2.accdb
[2012/02/20 22:02:34 | 000,000,000 | ---- | M] () -- C:\Users\Jase\defogger_reenable
[2012/02/20 17:47:08 | 004,729,344 | ---- | M] (AVAST Software) -- C:\Users\Jase\Desktop\aswMBR.exe
[2012/02/19 23:29:30 | 000,869,194 | ---- | M] () -- C:\Users\Jase\Desktop\SecurityCheck.exe
[2012/02/17 22:25:52 | 004,333,568 | ---- | M] () -- C:\Users\Jase\Documents\Northwind1.accdb
[2012/02/10 22:10:50 | 002,228,224 | ---- | M] () -- C:\Users\Jase\Documents\QuotationTest.accdb
[2012/02/07 22:52:59 | 000,002,971 | ---- | M] () -- C:\Users\Jase\Desktop\HiJackThis.lnk
[2012/02/06 23:02:00 | 000,134,788 | ---- | M] () -- C:\Users\Jase\AppData\Local\census.cache
[2012/02/06 23:01:54 | 000,098,432 | ---- | M] () -- C:\Users\Jase\AppData\Local\ars.cache
[2012/02/06 22:55:16 | 000,000,036 | ---- | M] () -- C:\Users\Jase\AppData\Local\housecall.guid.cache
[2012/02/06 22:36:03 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/02/06 22:35:51 | 000,824,364 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/02/06 22:35:51 | 000,694,190 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/02/06 22:35:51 | 000,135,226 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/02/06 22:15:02 | 000,396,041 | ---- | M] () -- C:\Users\Jase\Desktop\MiniToolBox.exe
[2012/02/03 23:16:21 | 000,001,808 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/02/03 09:42:41 | 000,815,526 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/02/03 09:40:34 | 000,083,243 | ---- | M] () -- C:\Windows\SysNative\LexFiles.ulf
[2012/02/03 09:39:14 | 000,001,072 | ---- | M] () -- C:\Users\Public\Desktop\Lexmark Productivity Studio - X5400 Series.LNK
[2012/02/03 09:21:22 | 000,087,860 | ---- | M] () -- C:\Windows\SysWow64\LexFiles.ulf
[2012/02/02 22:12:06 | 000,001,258 | ---- | M] () -- C:\Users\Jase\Desktop\Spybot - Search & Destroy.lnk
[2012/02/02 17:53:27 | 000,000,020 | ---- | M] () -- C:\Windows\Κ+
[2012/02/01 22:23:41 | 000,434,014 | RHS- | M] () -- C:\BOXQP
[2012/02/01 21:53:10 | 000,000,047 | ---- | M] () -- C:\Windows\WinInit.Ini
[2012/02/01 21:49:30 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\lame_acm.xml
[2012/02/01 21:18:49 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.old
[2012/02/01 07:40:08 | 001,603,436 | ---- | M] () -- C:\Windows\SysNative\drivers\Cat.DB
[2012/02/01 07:25:39 | 000,008,781 | ---- | M] () -- C:\ProgramData\22cd857d
[2012/02/01 07:25:39 | 000,008,719 | ---- | M] () -- C:\Users\Jase\AppData\Roaming\40744b62
[2012/02/01 07:25:39 | 000,008,686 | ---- | M] () -- C:\Users\Jase\AppData\Local\3dc97ee4
[2012/01/31 23:30:00 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/31 21:49:44 | 000,419,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\systemcplx64.dll
[2012/01/28 12:16:32 | 000,092,160 | ---- | M] () -- C:\Windows\SysNative\ff_vfw.dll
[2012/01/28 12:14:52 | 000,053,760 | ---- | M] () -- C:\Windows\SysNative\ff_acm.acm
[2012/01/28 12:12:40 | 000,079,360 | ---- | M] () -- C:\Windows\SysWow64\ff_vfw.dll
[2012/01/28 12:10:56 | 000,048,128 | ---- | M] () -- C:\Windows\SysWow64\ff_acm.acm
[2012/01/27 17:45:03 | 000,001,783 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/01/27 17:42:03 | 000,000,628 | ---- | M] () -- C:\Windows\SysNative\mapisvc.inf
[2012/01/25 21:57:07 | 000,001,082 | ---- | M] () -- C:\Users\Public\Desktop\HTC Sync.lnk
[2012/01/24 14:18:04 | 004,794,880 | ---- | M] () -- C:\Windows\SysWow64\x264vfw.dll
[2012/01/24 14:17:54 | 004,608,000 | ---- | M] () -- C:\Windows\SysNative\x264vfw.dll

========== Files Created - No Company Name ==========

[2012/02/23 12:34:16 | 000,337,133 | ---- | C] () -- C:\Users\Jase\Desktop\FSS.exe
[2012/02/20 22:02:34 | 000,000,000 | ---- | C] () -- C:\Users\Jase\defogger_reenable
[2012/02/19 23:29:30 | 000,869,194 | ---- | C] () -- C:\Users\Jase\Desktop\SecurityCheck.exe
[2012/02/17 21:51:45 | 004,333,568 | ---- | C] () -- C:\Users\Jase\Documents\Northwind1.accdb
[2012/02/07 22:52:59 | 000,002,971 | ---- | C] () -- C:\Users\Jase\Desktop\HiJackThis.lnk
[2012/02/07 22:39:23 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/02/07 22:39:23 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/02/07 22:39:23 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/02/07 22:39:23 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/02/07 22:39:23 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/02/06 23:02:00 | 000,134,788 | ---- | C] () -- C:\Users\Jase\AppData\Local\census.cache
[2012/02/06 23:01:54 | 000,098,432 | ---- | C] () -- C:\Users\Jase\AppData\Local\ars.cache
[2012/02/06 22:55:16 | 000,000,036 | ---- | C] () -- C:\Users\Jase\AppData\Local\housecall.guid.cache
[2012/02/06 22:36:03 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
[2012/02/06 22:35:45 | 000,001,897 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/02/06 22:14:59 | 000,396,041 | ---- | C] () -- C:\Users\Jase\Desktop\MiniToolBox.exe
[2012/02/03 23:16:21 | 000,001,808 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/02/03 09:40:07 | 000,420,352 | ---- | C] () -- C:\Windows\SysNative\lxdvcoin.dll
[2012/02/03 09:38:36 | 000,000,060 | ---- | C] () -- C:\Windows\SysNative\lxdvrwrd.ini
[2012/02/03 09:38:21 | 000,671,744 | ---- | C] ( ) -- C:\Windows\SysNative\LXDVhcp.dll
[2012/02/03 09:38:21 | 000,541,696 | ---- | C] ( ) -- C:\Windows\SysNative\lxdvinpa.dll
[2012/02/03 09:38:21 | 000,524,800 | ---- | C] () -- C:\Windows\SysNative\LXDVinst.dll
[2012/02/03 09:38:21 | 000,510,464 | ---- | C] ( ) -- C:\Windows\SysNative\lxdviesc.dll
[2012/02/03 09:38:20 | 001,661,952 | ---- | C] ( ) -- C:\Windows\SysNative\lxdvserv.dll
[2012/02/03 09:38:20 | 001,502,720 | ---- | C] ( ) -- C:\Windows\SysNative\lxdvusb1.dll
[2012/02/03 09:38:20 | 000,977,408 | ---- | C] ( ) -- C:\Windows\SysNative\lxdvpmui.dll
[2012/02/03 09:38:20 | 000,885,248 | ---- | C] ( ) -- C:\Windows\SysNative\lxdvlmpm.dll
[2012/02/03 09:38:20 | 000,047,104 | ---- | C] ( ) -- C:\Windows\SysNative\lxdvprox.dll
[2012/02/03 09:38:19 | 001,201,182 | ---- | C] () -- C:\Windows\SysNative\LXDVhelp.chm
[2012/02/03 09:38:19 | 001,070,592 | ---- | C] ( ) -- C:\Windows\SysNative\lxdvhbn3.dll
[2012/02/03 09:38:19 | 000,519,336 | ---- | C] ( ) -- C:\Windows\SysNative\lxdvih.exe
[2012/02/03 09:38:18 | 001,472,512 | ---- | C] ( ) -- C:\Windows\SysNative\lxdvcomc.dll
[2012/02/03 09:38:18 | 001,044,136 | ---- | C] ( ) -- C:\Windows\SysNative\lxdvcoms.exe
[2012/02/03 09:38:18 | 000,602,792 | ---- | C] ( ) -- C:\Windows\SysNative\lxdvcfg.exe
[2012/02/03 09:38:18 | 000,562,688 | ---- | C] ( ) -- C:\Windows\SysNative\lxdvcomm.dll
[2012/02/03 09:38:18 | 000,299,520 | ---- | C] () -- C:\Windows\SysNative\lxdvgrd.dll
[2012/02/03 09:38:17 | 000,083,243 | ---- | C] () -- C:\Windows\SysNative\LexFiles.ulf
[2012/02/03 09:38:17 | 000,002,030 | ---- | C] () -- C:\Windows\SysNative\lxdv.loc
[2012/02/03 09:21:10 | 000,001,072 | ---- | C] () -- C:\Users\Public\Desktop\Lexmark Productivity Studio - X5400 Series.LNK
[2012/02/02 22:12:06 | 000,001,258 | ---- | C] () -- C:\Users\Jase\Desktop\Spybot - Search & Destroy.lnk
[2012/02/02 17:53:27 | 000,000,020 | ---- | C] () -- C:\Windows\Κ+
[2012/02/02 17:11:19 | 001,201,182 | ---- | C] () -- C:\Windows\SysWow64\LXDVhelp.chm
[2012/02/02 17:11:19 | 001,069,056 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdvserv.dll
[2012/02/02 17:11:19 | 000,954,368 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdvusb1.dll
[2012/02/02 17:11:19 | 000,851,968 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdvcomc.dll
[2012/02/02 17:11:19 | 000,663,552 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdvhbn3.dll
[2012/02/02 17:11:19 | 000,643,072 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdvpmui.dll
[2012/02/02 17:11:19 | 000,594,600 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdvcoms.exe
[2012/02/02 17:11:19 | 000,569,344 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdvlmpm.dll
[2012/02/02 17:11:19 | 000,385,024 | ---- | C] () -- C:\Windows\SysWow64\lxdvcomx.dll
[2012/02/02 17:11:19 | 000,365,224 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdvcfg.exe
[2012/02/02 17:11:19 | 000,364,544 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdvcomm.dll
[2012/02/02 17:11:19 | 000,360,448 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdvinpa.dll
[2012/02/02 17:11:19 | 000,348,160 | ---- | C] () -- C:\Windows\SysWow64\LXDVinst.dll
[2012/02/02 17:11:19 | 000,339,968 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdviesc.dll
[2012/02/02 17:11:19 | 000,320,168 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdvih.exe
[2012/02/02 17:11:19 | 000,053,248 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdvprox.dll
[2012/02/02 17:11:19 | 000,002,030 | ---- | C] () -- C:\Windows\SysWow64\lxdv.loc
[2012/02/01 22:23:41 | 000,434,014 | RHS- | C] () -- C:\BOXQP
[2012/02/01 21:53:10 | 000,000,047 | ---- | C] () -- C:\Windows\WinInit.Ini
[2012/02/01 21:49:30 | 000,000,000 | ---- | C] () -- C:\Windows\SysNative\lame_acm.xml
[2012/02/01 07:39:31 | 001,603,436 | ---- | C] () -- C:\Windows\SysNative\drivers\Cat.DB
[2012/01/31 23:30:00 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/31 22:14:37 | 000,008,781 | ---- | C] () -- C:\ProgramData\22cd857d
[2012/01/31 22:14:37 | 000,008,719 | ---- | C] () -- C:\Users\Jase\AppData\Roaming\40744b62
[2012/01/31 22:14:37 | 000,008,686 | ---- | C] () -- C:\Users\Jase\AppData\Local\3dc97ee4
[2012/01/30 09:53:18 | 004,608,000 | ---- | C] () -- C:\Windows\SysNative\x264vfw.dll
[2012/01/30 09:53:18 | 000,580,096 | ---- | C] () -- C:\Windows\SysNative\ac3filter64.acm
[2012/01/30 09:53:18 | 000,580,096 | ---- | C] () -- C:\Windows\SysNative\ac3filter.acm
[2012/01/30 09:53:18 | 000,203,264 | ---- | C] () -- C:\Windows\SysNative\unrar.dll
[2012/01/30 09:53:18 | 000,148,992 | ---- | C] ( ) -- C:\Windows\SysNative\lagarith.dll
[2012/01/30 09:53:18 | 000,092,160 | ---- | C] () -- C:\Windows\SysNative\ff_vfw.dll
[2012/01/30 09:53:18 | 000,053,760 | ---- | C] () -- C:\Windows\SysNative\ff_acm.acm
[2012/01/29 15:43:34 | 000,325,279 | ---- | C] () -- C:\Sophie.jpg
[2012/01/28 12:12:40 | 000,079,360 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2012/01/28 12:10:56 | 000,048,128 | ---- | C] () -- C:\Windows\SysWow64\ff_acm.acm
[2012/01/27 17:45:03 | 000,001,783 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/01/27 17:42:03 | 000,000,628 | ---- | C] () -- C:\Windows\SysNative\mapisvc.inf
[2012/01/26 16:55:51 | 000,824,364 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/01/25 21:57:07 | 000,001,082 | ---- | C] () -- C:\Users\Public\Desktop\HTC Sync.lnk
[2012/01/24 14:18:04 | 004,794,880 | ---- | C] () -- C:\Windows\SysWow64\x264vfw.dll
[2011/12/07 19:32:24 | 000,216,064 | ---- | C] ( ) -- C:\Windows\SysWow64\lagarith.dll
[2011/08/02 11:52:14 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2011/08/01 13:09:24 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/07/17 22:54:02 | 000,059,904 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
[2011/04/09 18:55:28 | 000,179,261 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
[2011/03/17 17:51:44 | 000,003,929 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011/01/04 13:28:18 | 000,175,616 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll

========== Custom Scans ==========


< "%WinDir%\$NtUninstallKB*$." /30 >

< C:\Program Files\Common Files\ComObjects\*.* /s >

< %systemroot%\*. /mp /s >

< %systemroot%\*. /rp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemroot%\system32\drivers\*.sys /90 >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: ATAPI.SYS >
[2009/07/14 01:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\ERDNT\cache64\atapi.sys
[2009/07/14 01:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\drivers\atapi.sys
[2009/07/14 01:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\atapi.sys
[2009/07/14 01:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys
[2009/07/14 01:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_3b5e2d89382958dd\atapi.sys

< MD5 for: EXPLORER.EXE >
[2011/02/26 06:23:14 | 002,870,272 | ---- | M] (Microsoft Corporation) MD5=0862495E0C825893DB75EF44FAEA8E93 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_adc24107935a7e25\explorer.exe
[2011/02/26 05:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe
[2009/07/14 01:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_b7fe430bc7ce3761\explorer.exe
[2011/02/26 05:51:13 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=255CF508D7CFB10E0794D6AC93280BD8 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_b8ce9756e0b786a4\explorer.exe
[2009/10/31 05:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_b819b343c7ba6202\explorer.exe
[2011/02/26 05:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_b816eb59c7bb4020\explorer.exe
[2011/02/25 06:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\ERDNT\cache86\explorer.exe
[2011/02/25 06:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\explorer.exe
[2011/02/25 06:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
[2011/02/26 06:14:34 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=3B69712041F3D63605529BD66DC00C48 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
[2010/11/20 12:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe
[2009/08/03 06:19:07 | 002,868,224 | ---- | M] (Microsoft Corporation) MD5=700073016DAC1C3D2E7E2CE4223334B6 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_ae84b558ac4eb41c\explorer.exe
[2011/02/25 05:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\SysWOW64\explorer.exe
[2011/02/25 05:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe
[2009/10/31 06:34:59 | 002,870,272 | ---- | M] (Microsoft Corporation) MD5=9AAAEC8DAC27AA17B053E6352AD233AE -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe
[2009/08/03 05:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_b8d95faae0af7617\explorer.exe
[2010/11/20 13:24:45 | 002,872,320 | ---- | M] (Microsoft Corporation) MD5=AC4C51EB24AA95B77F705AB159189E24 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe
[2009/10/31 06:38:38 | 002,870,272 | ---- | M] (Microsoft Corporation) MD5=B8EC4BD49CE8F6FC457721BFC210B67F -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe
[2009/08/03 05:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_b853c407c78e3ba9\explorer.exe
[2009/07/14 01:39:10 | 002,868,224 | ---- | M] (Microsoft Corporation) MD5=C235A51CB740E45FFA0EBFB9BAFCDA64 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe
[2009/10/31 06:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_b89b8100e0dd69c2\explorer.exe
[2011/02/26 06:26:45 | 002,870,784 | ---- | M] (Microsoft Corporation) MD5=E38899074D4951D31B4040E994DD7C8D -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_ae79ed04ac56c4a9\explorer.exe
[2009/08/03 06:17:37 | 002,868,224 | ---- | M] (Microsoft Corporation) MD5=F170B4A061C9E026437B193B4D571799 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_adff19b5932d79ae\explorer.exe

< MD5 for: TDX.SYS >
[2009/07/13 23:21:15 | 000,099,840 | ---- | M] (Microsoft Corporation) MD5=079125C4B17B01FCAEEBCE0BCB290C0F -- C:\Windows\winsxs\amd64_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_4632b9f2f5c6af5e\tdx.sys
[2010/11/20 09:21:56 | 000,119,296 | ---- | M] (Microsoft Corporation) MD5=DDAD5A7AB24D8B65F8D724F5C20FD806 -- C:\Windows\ERDNT\cache64\tdx.sys
[2010/11/20 09:21:56 | 000,119,296 | ---- | M] (Microsoft Corporation) MD5=DDAD5A7AB24D8B65F8D724F5C20FD806 -- C:\Windows\SysNative\drivers\tdx.sys
[2010/11/20 09:21:56 | 000,119,296 | ---- | M] (Microsoft Corporation) MD5=DDAD5A7AB24D8B65F8D724F5C20FD806 -- C:\Windows\winsxs\amd64_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_4863cdbaf2b532f8\tdx.sys

< MD5 for: VOLSNAP.SYS >
[2010/11/20 13:34:02 | 000,295,808 | ---- | M] (Microsoft Corporation) MD5=0D08D2F3B3FF84E433346669B5E0F639 -- C:\Windows\SysNative\drivers\volsnap.sys
[2010/11/20 13:34:02 | 000,295,808 | ---- | M] (Microsoft Corporation) MD5=0D08D2F3B3FF84E433346669B5E0F639 -- C:\Windows\SysNative\DriverStore\FileRepository\volume.inf_amd64_neutral_df8bea40ac96ca21\volsnap.sys
[2010/11/20 13:34:02 | 000,295,808 | ---- | M] (Microsoft Corporation) MD5=0D08D2F3B3FF84E433346669B5E0F639 -- C:\Windows\winsxs\amd64_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_73dcbcf012b4850e\volsnap.sys
[2009/07/14 01:45:55 | 000,294,992 | ---- | M] (Microsoft Corporation) MD5=58F82EED8CA24B461441F9C3E4F0BF5C -- C:\Windows\winsxs\amd64_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_71aba92815c60174\volsnap.sys

< MD5 for: WININIT.EXE >
[2009/07/14 01:39:52 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=94355C28C1970635A31B3FE52EB7CEBA -- C:\Windows\ERDNT\cache64\wininit.exe
[2009/07/14 01:39:52 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=94355C28C1970635A31B3FE52EB7CEBA -- C:\Windows\SysNative\wininit.exe
[2009/07/14 01:39:52 | 000,129,024 | ---- | M] (Microsoft Corporation) MD5=94355C28C1970635A31B3FE52EB7CEBA -- C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49\wininit.exe
[2009/07/14 01:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\ERDNT\cache86\wininit.exe
[2009/07/14 01:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\SysWOW64\wininit.exe
[2009/07/14 01:14:45 | 000,096,256 | ---- | M] (Microsoft Corporation) MD5=B5C5DCAD3899512020D135600129D665 -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\wininit.exe

< MD5 for: WINLOGON.EXE >
[2010/11/20 13:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\ERDNT\cache64\winlogon.exe
[2010/11/20 13:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\SysNative\winlogon.exe
[2010/11/20 13:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe
[2009/07/14 01:39:52 | 000,389,120 | ---- | M] (Microsoft Corporation) MD5=132328DF455B0028F13BF0ABEE51A63A -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c\winlogon.exe
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2009/10/28 07:01:57 | 000,389,632 | ---- | M] (Microsoft Corporation) MD5=A93D41A4D4B0D91C072D11DD8AF266DE -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_cc522fd507b468f8\winlogon.exe
[2009/10/28 06:24:40 | 000,389,632 | ---- | M] (Microsoft Corporation) MD5=DA3E2A6FA9660CC75B471530CE88453A -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_cbe534e7ee8042ad\winlogon.exe

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2011/08/01 16:48:05 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2011/08/01 16:48:05 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2011/08/01 16:48:05 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -extoff [2011/08/01 16:48:05 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" [2011/08/01 16:48:05 | 000,748,336 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: FIREFOX.EXE
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: FIREFOX.EXE
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -SHOW [2011/08/01 16:48:05 | 000,089,088 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -REINSTALL [2011/08/01 16:48:05 | 000,089,088 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -HIDE [2011/08/01 16:48:05 | 000,089,088 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE" -EXTOFF [2011/08/01 16:48:05 | 000,748,336 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE" [2011/08/01 16:48:05 | 000,748,336 | ---- | M] (Microsoft Corporation)

========== Alternate Data Streams ==========

@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >

4) OTL Extra log

OTL Extras logfile created on: 23/02/2012 12:40:27 - Run 2
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Users\Jase\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 2.46 Gb Available Physical Memory | 61.59% Memory free
8.00 Gb Paging File | 6.08 Gb Available in Paging File | 76.01% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 1481.83 Gb Total Space | 1374.36 Gb Free Space | 92.75% Space Free | Partition Type: NTFS
Drive F: | 152.66 Gb Total Space | 93.13 Gb Free Space | 61.00% Space Free | Partition Type: NTFS
Drive H: | 244.01 Mb Total Space | 160.72 Mb Free Space | 65.86% Space Free | Partition Type: FAT32

Computer Name: DESKTOP-PC | User Name: Jase | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-793449266-2017018900-3416318726-1001\SOFTWARE\Classes\<extension>]
.scr [@ = scrfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{180C8888-50F1-426B-A9DC-AB83A1989C65}" = Windows Live Language Selector
"{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant
"{2AF2EABE-CF18-CACB-E57C-A4902A3C36C8}" = AMD Media Foundation Decoders
"{2F14965D-567B-4E59-ADEB-0A2CC1E3ADDF}" = Sql Server Customer Experience Improvement Program
"{3C9B2770-E66E-D289-56A0-95CFADA8EB26}" = AMD Catalyst Install Manager
"{42738DB0-FC3E-4672-A99B-9372F5696E30}" = Microsoft Security Client
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{5340A3B5-3853-4745-BED2-DD9FF5371331}" = Microsoft SQL Server 2008 Common Files
"{5783F2D7-8001-0000-0102-0060B0CE6BBA}" = AutoCAD 2010 - English
"{5783F2D7-8001-0409-0102-0060B0CE6BBA}" = AutoCAD 2010 - English
"{5783F2D7-8001-0409-1102-0060B0CE6BBA}" = AutoCAD 2010 Language Pack - English
"{5E11C972-1E76-45FE-8F92-14E0D1140B1B}" = iTunes
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{75104836-CAC7-444E-A39E-3F54151942F5}" = Apple Mobile Device Support
"{7ACE202B-1B01-4B43-B6AE-03D66D621CDE}" = Microsoft SQL Server 2008 RsFx Driver
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{893F27E6-D6BE-4B9F-80E6-0ADA694A31A8}" = Microsoft SQL Server 2008 Common Files
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
"{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{C616FD4F-11F5-11E0-A38F-0013D3D69929}" = Vegas Pro 10.0 (64-bit)
"{C9608300-11F5-11E0-A64B-0013D3D69929}" = MSVCRT Redists
"{CC8BA866-16A7-4667-BA0C-C494A1E7B2BF}" = Microsoft SQL Server 2008 Database Engine Shared
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D1829BE5-F305-4576-9593-C66FC7E0B008}" = iCloud
"{D63FFA4F-6405-4782-8E3C-6F1C6807C66D}" = Speckie
"{D77162FE-B7B2-8E1E-D80D-89DE6217DF13}" = AMD Drag and Drop Transcoding
"{D79C2CD4-7BCC-60AC-76C9-834CEEF1CDBE}" = ccc-utility64
"{D9C50188-12D5-4D3E-8F00-682346C2AA5F}" = Microsoft Xbox 360 Accessories 1.2
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
"{DF167CE3-60E7-44EA-99EC-2507C51F37AE}" = Microsoft SQL Server 2008 Database Engine Shared
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{FA7394B8-CE65-4F9E-AC99-F372AD365424}" = Microsoft SQL Server 2008 Database Engine Services
"{FBD367D1-642F-47CF-B79B-9BE48FB34007}" = Microsoft SQL Server 2008 Database Engine Services
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX 64-bit
"AutoCAD 2010 - English" = AutoCAD 2010 - English
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"Microsoft SQL Server 10" = Microsoft SQL Server 2008 (64-bit)
"WinRAR archiver" = WinRAR 4.01 (64-bit)
"x64 Components_is1" = x64 Components v3.4.2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{19A492A0-888F-44A0-9B21-D91700763F62}" = Catalyst Control Center - Branding
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{2012098D-EEE9-4769-8DD3-B038050854D4}" = Microsoft Silverlight 3 SDK
"{31A559C1-9E4D-423B-9DD3-34A6C5398752}" = HTC BMP USB Driver
"{330D5210-3C4F-E632-2714-BE23C7C10B9F}" = Catalyst Control Center Graphics Previews Common
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{434D0FA1-3E0C-4D03-A5D4-5E1000008100}" = F1 2011
"{43544FB5-BC1D-939A-7FDA-F7F3E5AEC35B}" = Catalyst Control Center
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4CB0307C-565E-4441-86BE-0DF2E4FB828C}" = Microsoft Games for Windows Marketplace
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver Installer
"{76285C16-411A-488A-BCE3-C83CB933D8CF}" = Battlefield 3™
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{78D2854E-5DBF-11E7-B41F-47D203C8ED66}" = CCC Help English
"{7A3FFA58-876F-489C-B6CF-0503916224DF}" = HTC Sync
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C0CAA7A-3272-4991-A808-2C7559DE3409}" = Win7codecs
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{7C5B1ECD-FE93-4FB2-A51A-06451BA49969}" =
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{ABD3F7BD-02E6-9150-2D34-F9F3109FA466}" = Catalyst Control Center InstallProxy
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.2)
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D2FCA41E-AC01-4DCD-B3A7-DC9E32363065}}_is1" = Rapture3D 2.4.9 Game
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{F2508213-9989-4E85-A078-72BE483917EF}" = Microsoft Games for Windows - LIVE Redistributable
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"599CD Welcome" = 599CD Welcome
"Adobe AIR" = Adobe AIR
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.4
"AVS4YOU Video Converter 7_is1" = AVS Video Converter 7
"DVD Identifier_is1" = DVD Identifier
"GFWL_{434D0FA1-3E0C-4D03-A5D4-5E1000008100}" = F1 2011
"ImgBurn" = ImgBurn
"Lexmark X5400 Series" = Lexmark X5400 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"OpenAL" = OpenAL
"PowerISO" = PowerISO
"SABnzbd" = SABnzbd 0.6.8
"TransMac_is1" = TransMac version 10.0
"WinLiveSuite" = Windows Live Essentials

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 14/02/2012 16:39:40 | Computer Name = Desktop-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files (x86)\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
attribute "language" in element "assemblyIdentity" is invalid.

Error - 15/02/2012 03:42:03 | Computer Name = Desktop-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "c:\Program Files\Microsoft
SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe". Dependent Assembly Microsoft.VC80.ATL,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.1833"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 15/02/2012 13:12:35 | Computer Name = Desktop-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "c:\Program Files\Microsoft
SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe". Dependent Assembly Microsoft.VC80.ATL,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.1833"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 16/02/2012 13:05:57 | Computer Name = Desktop-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "c:\Program Files\Microsoft
SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe". Dependent Assembly Microsoft.VC80.ATL,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.1833"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 16/02/2012 13:58:59 | Computer Name = Desktop-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files (x86)\HTC\HTC
Sync 3.0\FDAgentForOutlook64.exe". Dependent Assembly Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 16/02/2012 13:59:24 | Computer Name = Desktop-PC | Source = SideBySide | ID = 16842824
Description = Activation context generation failed for "c:\program files\microsoft
security client\MSESysprep.dll".Error in manifest or policy file "c:\program files\microsoft
security client\MSESysprep.dll" on line 10. The element imaging appears as a child
of element urn:schemas-microsoft-com:asm.v1^assembly which is not supported by
this version of Windows.

Error - 16/02/2012 13:59:39 | Computer Name = Desktop-PC | Source = SideBySide | ID = 16842827
Description = Activation context generation failed for "C:\Program Files (x86)\Codemasters\F1
2011\CustomActionOnFinishInst.exe".Error in manifest or policy file "C:\Program
Files (x86)\Codemasters\F1 2011\CustomActionOnFinishInst.exe" on line 1. Multiple
requestedPrivileges elements are not allowed in manifest.

Error - 16/02/2012 13:59:58 | Computer Name = Desktop-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "c:\program files (x86)\HTC\htc
sync 3.0\FDAgentForOutlook64.exe". Dependent Assembly Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 16/02/2012 13:59:59 | Computer Name = Desktop-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "c:\program files (x86)\spybot
- search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program
files (x86)\spybot - search & destroy\DelZip179.dll" on line 8. The value "*" of
attribute "language" in element "assemblyIdentity" is invalid.

Error - 17/02/2012 17:36:09 | Computer Name = Desktop-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "c:\Program Files\Microsoft
SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe". Dependent Assembly Microsoft.VC80.ATL,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.1833"
could not be found. Please use sxstrace.exe for detailed diagnosis.


< End of report >

5)Computer Status

The status of my computer is still the same as in my original post.

The "Computer Browser" service will not start, failing with Error 1060 & i can not enable network discovery.

Im still getting google.doubleclick.net showing in iexplorer.

I look forward to reply

Many Thanks Pintglass

#4 SweetTech

SweetTech

    Agent ST

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 23 February 2012 - 10:50 AM

Hi Pintglass!

Not a problem! I'm glad to be of assistance. :)

Can you please post the aswMBR log file for me to review?

We'll be doing some fixes in the Windows Registry. We'll need to first back-up your registry before we get started with that.

ERUNT - Emergency Recovery Utility NT
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
This is a free program that allows you to keep a complete backup of your registry and restore it when needed.
ERUNT utility program
Run:
  • Please navigate to Start >> All Programs >> ERUNT. Click on OK within the pop-up menu.
  • In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  • Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  • Now click on "OK". A registry backup has now been created.
< STOP > If you did not successfully complete this step. < STOP > Do not continue with any other steps, post back and let me know!



Please download the following file to your Desktop.

It's extremely important that it's saved to your Desktop.


[b]I also need you to download the attached file to your Desktop and run it and post the lookatme.txt file that it should produce after completion.

Attached File  runme.bat   3.63K   8 downloads

Please Note: You'll need to run the batch file as an administrator, and you will be prompted with a warning asking you if you want to merge the file with your registry, you will want to allow it to do so.

Let me know how that goes.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#5 Pintglass

Pintglass

    Member

  • Members
  • PipPip
  • 47 posts

Posted 23 February 2012 - 12:09 PM

This is the aswMBR log that i created before we started this process as you will see by the date stamp.

I hope this is ok i will post back with the lookatme.txt .

aswMBR version 0.9.9.1618 Copyright© 2011 AVAST Software
Run date: 2012-02-20 17:49:03
-----------------------------
17:49:03.954 OS Version: Windows x64 6.1.7601 Service Pack 1
17:49:03.954 Number of processors: 4 586 0xF0B
17:49:03.954 ComputerName: DESKTOP-PC UserName: Jase
17:49:05.482 Initialize success
17:50:16.942 AVAST engine defs: 12022001
17:53:04.533 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
17:53:04.533 Disk 0 Vendor: Maxtor_6L160M0 BACE1G10 Size: 156334MB BusType: 11
17:53:04.533 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-0
17:53:04.533 Disk 1 Vendor: WDC_WD20EARS-00MVWB0 51.0AB51 Size: 1907729MB BusType: 11
17:53:04.564 Disk 1 MBR read successfully
17:53:04.564 Disk 1 MBR scan
17:53:04.564 Disk 1 unknown MBR code
17:53:04.564 Disk 1 Partition 1 00 EE GPT 200 MB offset 1
17:53:04.580 Disk 1 Partition 2 00 AF HFS / HFS+ 278472 MB offset 409640
17:53:04.611 Disk 1 Partition 3 80 (A) 07 HPFS/NTFS NTFS 1517396 MB offset 586610688
17:53:04.642 Disk 1 Partition 4 00 83 Linux 96272 MB offset 3694237696
17:53:04.642 Service scanning
17:53:23.425 Modules scanning
17:53:23.425 Disk 1 trace - called modules:
17:53:23.440 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
17:53:23.456 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8004a9c060]
17:53:23.456 3 CLASSPNP.SYS[fffff8800165143f] -> nt!IofCallDriver -> [0xfffffa8004423090]
17:53:23.456 5 ACPI.sys[fffff88000ef67a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800442f060]
17:53:25.624 AVAST engine scan C:\Windows
17:53:28.432 AVAST engine scan C:\Windows\system32
17:54:49.108 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
17:54:50.949 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
17:55:44.363 AVAST engine scan C:\Windows\system32\drivers
17:55:54.035 AVAST engine scan C:\Users\Jase
17:59:51.946 AVAST engine scan C:\ProgramData
18:00:24.800 Scan finished successfully
18:03:48.172 Disk 1 MBR has been saved successfully to "C:\Users\Jase\Desktop\MBR.dat"
18:03:48.172 The log file has been saved successfully to "C:\Users\Jase\Desktop\aswMBR.txt"

Regards Pintglass

#6 Pintglass

Pintglass

    Member

  • Members
  • PipPip
  • 47 posts

Posted 23 February 2012 - 12:23 PM

This is the output from running the Runme.Bat file.

lookatme.txt

[SC] StartService: OpenService FAILED 1060:

The specified service does not exist as an installed service.


SERVICE_NAME: mpsdrv
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{BD77A630-7E9A-4A9B-B13D-CB9B11652BE0}

03/02/2012 22:05 <DIR> .
03/02/2012 22:05 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,523,072 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{80C0312A-2C08-452E-947D-7F75F2084630}

03/02/2012 22:05 <DIR> .
03/02/2012 22:05 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,523,072 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{B559D77D-E037-45A5-8F92-5E96C92F7119}

20/02/2012 17:41 <DIR> .
20/02/2012 17:41 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,523,072 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{827BF90C-4498-4975-8B95-DD915D25371F}

20/02/2012 17:41 <DIR> .
20/02/2012 17:41 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,523,072 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{C37D834D-4369-473D-9C8B-CDFE075877D6}

18/02/2012 15:09 <DIR> .
18/02/2012 15:09 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,523,072 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{351A8EB3-F2A4-43BB-870C-A5C514852567}

18/02/2012 15:08 <DIR> .
18/02/2012 15:08 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,523,072 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{474DDCEE-C33E-4A23-B6D5-91C0FEE81739}

14/02/2012 20:19 <DIR> .
14/02/2012 20:19 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,523,072 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{977A6E6F-EA3C-4858-8135-CA00364D5D05}

14/02/2012 20:19 <DIR> .
14/02/2012 20:19 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,523,072 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{7E66B8A8-63F7-4589-B6D9-4D71EF8ACFB7}

11/02/2012 17:06 <DIR> .
11/02/2012 17:06 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,518,976 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{818A883C-15C9-4B5A-9B08-6FF06B2287B1}

11/02/2012 17:06 <DIR> .
11/02/2012 17:06 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,518,976 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{70EF9626-6982-469E-AC2C-B958E5B9D558}

10/02/2012 16:05 <DIR> .
10/02/2012 16:05 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,514,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{5700220D-0AEC-464E-9144-EC63FC28A562}

10/02/2012 16:05 <DIR> .
10/02/2012 16:05 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,514,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{D587206C-0E11-4D1F-8BF5-2AF465E6C487}

09/02/2012 12:33 <DIR> .
09/02/2012 12:33 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,514,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{72C31B7E-77E9-4EDF-9687-A8E0EC279231}

09/02/2012 12:33 <DIR> .
09/02/2012 12:33 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,514,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{12E3C4ED-3A58-4323-8CE2-808E38997B95}

09/02/2012 11:37 <DIR> .
09/02/2012 11:37 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,514,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{0998D021-97A9-48B1-8366-52AB2A718A7A}

09/02/2012 11:37 <DIR> .
09/02/2012 11:37 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,514,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{75C39C0C-0776-4734-A3D1-F3FF2755BF36}

08/02/2012 22:26 <DIR> .
08/02/2012 22:26 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,514,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{3122B76E-8753-476A-BDDA-384A4F58C052}

08/02/2012 22:26 <DIR> .
08/02/2012 22:26 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,514,880 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{1545D7FA-631A-4CDD-8A56-7B2F106DF114}

02/02/2012 22:23 <DIR> .
02/02/2012 22:23 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,510,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{2F076FB6-94A9-4661-AB39-F1F4ECF5F683}

02/02/2012 22:23 <DIR> .
02/02/2012 22:23 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,510,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{E1EED025-2912-4557-978F-14F409213BEC}

02/02/2012 20:17 <DIR> .
02/02/2012 20:17 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,510,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{B669E0DD-0D91-40C4-B704-D5E8E17737D9}

01/02/2012 23:30 <DIR> .
01/02/2012 23:30 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,510,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{0184948D-7E60-4403-A72E-DA73BDFD0E7A}

01/02/2012 22:53 <DIR> .
01/02/2012 22:53 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,510,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{D18EBCB2-E69C-495B-9B12-AFCC8930CBAA}

30/01/2012 22:55 <DIR> .
30/01/2012 22:55 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,510,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{24FA4D65-2A5A-4870-8290-AB354FAA3D3A}

30/01/2012 22:54 <DIR> .
30/01/2012 22:54 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,510,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{5CA42125-4171-4386-86A4-4B946CD7C0E6}

25/01/2012 22:42 <DIR> .
25/01/2012 22:42 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,510,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{055399D7-BA56-4DC5-A94B-670E22C77598}

25/01/2012 22:42 <DIR> .
25/01/2012 22:42 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,510,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Local\{EE6B0A23-0089-4D5B-B140-33F1FAACA788}

24/01/2012 22:26 <DIR> .
24/01/2012 22:26 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,510,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\ruu_log

25/01/2012 22:10 <DIR> .
25/01/2012 22:10 <DIR> ..
25/01/2012 21:52 5,017 RUU_120125T213552.log
25/01/2012 21:54 5,017 RUU_120125T215324.log
2 File(s) 10,034 bytes

Total Files Listed:
2 File(s) 10,034 bytes
2 Dir(s) 1,475,323,506,688 bytes free
Volume in drive C has no label.
Volume Serial Number is 4848-3A46

Directory of C:\Users\Jase\AppData\Roaming\Pyexo

01/02/2012 02:23 <DIR> .
01/02/2012 02:23 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 1,475,323,506,688 bytes free
1 file(s) moved.
1 file(s) moved.
1 file(s) moved.

Regards Pintglass

#7 SweetTech

SweetTech

    Agent ST

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 24 February 2012 - 01:37 AM

Hi Pintglass!

Thanks for posting the aswMBR log file for me to review.

When you ran the batch file did you get prompted to allow a file to be merged with your registry?

Also do you happen to recognize these 2 files?

They are in the C:\ruu_log folder

RUU_120125T213552.log
RUU_120125T215324.log

Please also run this tool next for me:

Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
  • If you get an error message saying: "Illegal operation attempted on a registry key that was marked for deletion." please reboot your computer, and that should take care of that error message.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#8 Pintglass

Pintglass

    Member

  • Members
  • PipPip
  • 47 posts

Posted 24 February 2012 - 03:22 AM

Hi SweetTech i hope your well.

1) When i ran the runme.bat file i was prompted to allow the MpsSvc.reg file to be merged with the registry & update was successful.

2)The two files that you have highlighted (RUU_120125T213552.log RUU_120125T215324.log)are from a program to update my HTC mobile phone RUU is Radio Update Utility.

3)The "Computer Browser" service is now running and windows is now seeing devices on the network.

4)Combofix log as requested.

ComboFix 12-02-23.02 - Jase 24/02/2012 8:05.3.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.4095.2695 [GMT 0:00]
Running from: c:\users\Jase\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-01-24 to 2012-02-24 )))))))))))))))))))))))))))))))
.
.
2012-02-24 08:10 . 2012-02-24 08:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-23 17:20 . 2012-02-23 17:20 -------- d-----w- C:\Bad Files
2012-02-23 17:16 . 2012-02-23 17:17 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-23 12:37 . 2012-02-08 07:13 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E0F942D2-7651-40BA-B19A-1D87A0789123}\mpengine.dll
2012-02-08 17:39 . 2012-02-08 07:13 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-07 22:52 . 2012-02-07 22:52 388096 ----a-r- c:\users\Jase\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-07 22:52 . 2012-02-07 22:52 -------- d-----w- c:\program files (x86)\Trend Micro
2012-02-06 22:56 . 2011-06-21 04:09 200976 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2012-02-06 22:38 . 2012-02-06 22:38 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AA707033-0E4C-4EA0-952B-8FCB204DAA27}\gapaengine.dll
2012-02-06 22:35 . 2012-02-06 22:35 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-02-06 22:35 . 2012-02-06 22:35 -------- d-----w- c:\program files\Microsoft Security Client
2012-02-03 23:16 . 2012-02-03 23:16 -------- d-----w- c:\users\Jase\AppData\Roaming\SUPERAntiSpyware.com
2012-02-03 23:16 . 2012-02-03 23:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-03 23:16 . 2012-02-03 23:16 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-03 09:40 . 2007-05-02 23:43 138240 ----a-w- c:\windows\system32\Spool\prtprocs\x64\lxdvdrpp.dll
2012-02-03 09:40 . 2007-07-18 07:45 1462272 ----a-w- c:\windows\system32\lxdvg.dll
2012-02-03 09:40 . 2007-04-30 21:14 420352 ----a-w- c:\windows\system32\lxdvcoin.dll
2012-02-02 22:12 . 2012-02-02 22:17 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-02 22:12 . 2012-02-02 22:12 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-02-01 17:38 . 2012-02-01 17:38 -------- d-----w- c:\windows\system32\appmgmt
2012-02-01 17:30 . 2012-02-01 18:18 -------- d-----w- c:\programdata\AutoKMS
2012-02-01 02:22 . 2012-02-01 02:23 -------- d-----w- c:\users\Jase\AppData\Roaming\Pyexo
2012-01-30 09:52 . 2012-01-31 18:46 -------- d-----w- c:\users\Jase\AppData\Roaming\Win7codecs
2012-01-30 09:52 . 2012-01-30 09:52 -------- d-----w- c:\program files (x86)\Win7codecs
2012-01-30 09:51 . 2012-01-31 18:46 -------- d-----w- c:\programdata\Win7codecs
2012-01-28 12:12 . 2012-01-28 12:12 79360 ----a-w- c:\windows\SysWow64\ff_vfw.dll
2012-01-28 12:10 . 2012-01-28 12:10 48128 ----a-w- c:\windows\SysWow64\ff_acm.acm
2012-01-27 17:44 . 2012-01-27 17:44 -------- d-----w- c:\program files\iPod
2012-01-27 17:44 . 2012-01-27 17:44 -------- d-----w- c:\program files\iTunes
2012-01-27 17:44 . 2012-01-27 17:44 -------- d-----w- c:\program files (x86)\iTunes
2012-01-27 10:37 . 2011-07-04 03:47 -------- d-----w- c:\program files\OpenCV2.3
2012-01-26 17:26 . 2012-01-26 17:26 -------- d-----w- c:\users\Jase\AppData\Roaming\Microsoft Corporation
2012-01-26 17:18 . 2009-07-22 08:17 78872 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2012-01-26 17:18 . 2009-07-22 08:17 50200 ----a-w- c:\windows\SysWow64\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2012-01-26 17:18 . 2009-07-22 08:17 79896 ----a-w- c:\windows\SysWow64\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2012-01-26 17:18 . 2009-07-22 08:17 111640 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2012-01-26 17:17 . 2012-01-26 17:17 -------- d-----w- c:\windows\system32\RsFx
2012-01-26 17:16 . 2012-01-26 17:16 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2012-01-26 17:16 . 2012-01-26 17:16 -------- d-----w- c:\program files\Microsoft.NET
2012-01-26 17:12 . 2012-02-02 18:04 -------- d-----w- c:\program files\Microsoft SQL Server
2012-01-26 17:11 . 2012-01-26 17:16 -------- d-----w- c:\program files (x86)\Microsoft SQL Server
2012-01-26 17:07 . 2012-01-26 17:07 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2012-01-26 17:04 . 2012-02-02 17:25 2118848 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2012-01-26 16:58 . 2012-02-02 18:06 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 10.0
2012-01-26 16:56 . 2012-02-02 17:38 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 9.0
2012-01-26 16:56 . 2012-02-02 17:56 -------- d-----w- c:\program files (x86)\Microsoft SDKs
2012-01-25 21:58 . 2012-02-24 07:54 -------- d-----w- c:\users\Jase\AppData\Local\Htc
2012-01-25 21:57 . 2012-02-01 21:19 -------- d-----w- c:\users\Jase\AppData\Roaming\HTC
2012-01-25 21:55 . 2012-01-25 21:55 -------- d-----w- c:\users\Jase\AppData\Local\Downloaded Installations
2012-01-25 21:55 . 2012-01-25 21:55 -------- d-----w- c:\program files (x86)\Spirent Communications
2012-01-25 21:55 . 2012-01-25 21:56 -------- d-----w- c:\program files (x86)\HTC
2012-01-25 21:55 . 2012-01-25 21:55 -------- d-----w- c:\program files (x86)\Common Files\Adobe AIR
2012-01-25 21:35 . 2012-01-25 22:10 -------- d-----w- C:\ruu_log
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 21:49 . 2011-11-01 12:28 419840 ----a-w- c:\windows\system32\systemcplx64.dll
2012-01-31 12:44 . 2009-10-14 12:52 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-24 14:18 . 2012-01-24 14:18 4794880 ----a-w- c:\windows\SysWow64\x264vfw.dll
2011-12-22 22:40 . 2011-12-22 22:40 155648 ----a-w- c:\windows\SysWow64\ac3acm.acm
2011-12-10 15:24 . 2011-08-03 15:39 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-07 19:32 . 2011-12-07 19:32 216064 ----a-w- c:\windows\SysWow64\lagarith.dll
2011-11-28 12:25 . 2011-11-28 12:25 763904 ----a-w- c:\windows\SysWow64\lameACM.acm
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-07_22.45.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-11 06:15 . 2012-02-24 07:55 41280 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-02-24 07:55 42172 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-08-01 13:18 . 2012-02-24 07:55 12114 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-793449266-2017018900-3416318726-1001_UserData.bin
+ 2011-08-01 13:11 . 2012-02-23 17:17 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-08-01 13:11 . 2012-02-06 23:02 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-08-01 13:11 . 2012-02-06 23:02 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-08-01 13:11 . 2012-02-23 17:17 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-06 23:02 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-23 17:17 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-08-01 13:17 . 2012-02-19 23:18 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-08-01 13:17 . 2011-08-01 16:48 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-02-24 07:53 . 2012-02-24 07:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-02-07 21:54 . 2012-02-07 21:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-02-07 21:54 . 2012-02-07 21:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-02-24 07:53 . 2012-02-24 07:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:12 . 2011-08-01 15:22 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:12 . 2012-02-15 23:39 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:01 . 2012-02-23 23:05 367276 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-02-07 18:16 367276 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-02-23 17:18 . 2005-10-20 12:02 163328 c:\windows\ERDNT\23-02-2012\ERDNT.EXE
+ 2011-08-11 14:14 . 2012-02-23 23:05 1109440 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-08-11 14:14 . 2012-02-07 18:16 1109440 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2012-02-07 22:52 . 2012-02-07 22:52 1402880 c:\windows\Installer\35b280.msi
+ 2012-02-23 17:18 . 2012-02-23 17:18 2658304 c:\windows\ERDNT\23-02-2012\Users\00000002\UsrClass.dat
+ 2012-02-23 17:18 . 2012-02-23 17:18 6942720 c:\windows\ERDNT\23-02-2012\Users\00000001\NTUSER.DAT
+ 2011-08-03 08:52 . 2012-02-23 23:05 29546688 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-793449266-2017018900-3416318726-1001-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2011-11-11 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-07-28 336384]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-12-20 634880]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-16 421736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxdvserv.exe [2007-10-18 33448]
R3 atillk64;atillk64;c:\users\Jase\Downloads\ati_winflash_2.0.1.14\atillk64.sys [2006-07-19 14608]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-08-16 1030600]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe [2007-10-18 1044136]
S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-09-15 88576]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x64.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 825184]
"lxdvmon.exe"="c:\program files (x86)\Lexmark X5400 Series\lxdvmon.exe" [2007-11-02 455336]
"lxdvamon"="c:\program files (x86)\Lexmark X5400 Series\lxdvamon.exe" [2007-11-02 25256]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-793449266-2017018900-3416318726-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-793449266-2017018900-3416318726-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-793449266-2017018900-3416318726-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5F45BA7C-5C96-5B93-D393-B0746A555ED0}*]
"oaaofnnckpbioablffaegbpnhheoan"=hex:69,61,66,68,62,69,6f,6d,61,66,62,63,65,70,
6a,66,63,69,00,00
"pacohegbolecikkaokcahadjkaaooogn"=hex:69,61,69,67,6d,6b,6e,69,6b,6f,63,61,67,
64,63,6f,67,62,00,00
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-02-24 08:12:42
ComboFix-quarantined-files.txt 2012-02-24 08:12
ComboFix2.txt 2012-02-07 22:47
.
Pre-Run: 1,475,042,111,488 bytes free
Post-Run: 1,475,029,590,016 bytes free
.
- - End Of File - - 1E7D9A39E0E55F37C2414C5AE3DEFD84

Regards Pintglass

Edited by Pintglass, 24 February 2012 - 03:42 AM.

#9 SweetTech

SweetTech

    Agent ST

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 24 February 2012 - 03:34 AM

Hi Pintglass!

I'm ready for a nap right now, but besides that I'm doing well.

How about yourself?

1) When i ran the runme.bat file i was prompted to allow the MpsSvc.reg file to be merged with the registry & update was successful.

Okay, perfect! Glad to hear that went as expected.

2)The two files that you have highlighted (RUU_120125T213552.log RUU_120125T215324.log)are from a program to update my HTC mobile phone RUU is Radio Update Utility.

Okay, that's fine, I just wanted to be sure you recognized them.

Lets see what these scans find, and see where we stand then. Be sure to let me know how things are running in your next reply.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
File::
ClearJavaCache::
Folder::
C:\Users\Jase\AppData\Local\{BD77A630-7E9A-4A9B-B13D-CB9B11652BE0}
C:\Users\Jase\AppData\Local\{80C0312A-2C08-452E-947D-7F75F2084630}
C:\Users\Jase\AppData\Local\{B559D77D-E037-45A5-8F92-5E96C92F7119}
C:\Users\Jase\AppData\Local\{827BF90C-4498-4975-8B95-DD915D25371F}
C:\Users\Jase\AppData\Local\{C37D834D-4369-473D-9C8B-CDFE075877D6}
C:\Users\Jase\AppData\Local\{351A8EB3-F2A4-43BB-870C-A5C514852567}
C:\Users\Jase\AppData\Local\{474DDCEE-C33E-4A23-B6D5-91C0FEE81739}
C:\Users\Jase\AppData\Local\{977A6E6F-EA3C-4858-8135-CA00364D5D05}
C:\Users\Jase\AppData\Local\{7E66B8A8-63F7-4589-B6D9-4D71EF8ACFB7}
C:\Users\Jase\AppData\Local\{818A883C-15C9-4B5A-9B08-6FF06B2287B1}
C:\Users\Jase\AppData\Local\{70EF9626-6982-469E-AC2C-B958E5B9D558}
C:\Users\Jase\AppData\Local\{5700220D-0AEC-464E-9144-EC63FC28A562}
C:\Users\Jase\AppData\Local\{D587206C-0E11-4D1F-8BF5-2AF465E6C487}
C:\Users\Jase\AppData\Local\{72C31B7E-77E9-4EDF-9687-A8E0EC279231}
C:\Users\Jase\AppData\Local\{12E3C4ED-3A58-4323-8CE2-808E38997B95}
C:\Users\Jase\AppData\Local\{0998D021-97A9-48B1-8366-52AB2A718A7A}
C:\Users\Jase\AppData\Local\{75C39C0C-0776-4734-A3D1-F3FF2755BF36}
C:\Users\Jase\AppData\Local\{3122B76E-8753-476A-BDDA-384A4F58C052}
C:\Users\Jase\AppData\Local\{1545D7FA-631A-4CDD-8A56-7B2F106DF114}
C:\Users\Jase\AppData\Local\{2F076FB6-94A9-4661-AB39-F1F4ECF5F683}
C:\Users\Jase\AppData\Local\{E1EED025-2912-4557-978F-14F409213BEC}
C:\Users\Jase\AppData\Local\{B669E0DD-0D91-40C4-B704-D5E8E17737D9}
C:\Users\Jase\AppData\Local\{0184948D-7E60-4403-A72E-DA73BDFD0E7A}
C:\Users\Jase\AppData\Local\{D18EBCB2-E69C-495B-9B12-AFCC8930CBAA}
C:\Users\Jase\AppData\Local\{24FA4D65-2A5A-4870-8290-AB354FAA3D3A}
C:\Users\Jase\AppData\Local\{5CA42125-4171-4386-86A4-4B946CD7C0E6}
C:\Users\Jase\AppData\Local\{055399D7-BA56-4DC5-A94B-670E22C77598}
C:\Users\Jase\AppData\Local\{EE6B0A23-0089-4D5B-B140-33F1FAACA788}
C:\Users\Jase\AppData\Roaming\Pyexo

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:


Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update have been completed, Select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as it is and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Checked (ticked) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.


  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#10 Pintglass

Pintglass

    Member

  • Members
  • PipPip
  • 47 posts

Posted 24 February 2012 - 06:21 AM

Hi SweetTech

Since the last run of combofix which i am posting logs for i am getting a security alert message box in iexplorer saying you are about to view pages over a secure connection.

1) combofix log

ComboFix 12-02-23.02 - Jase 24/02/2012 8:59.4.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.4095.2390 [GMT 0:00]
Running from: c:\users\Jase\Desktop\ComboFix.exe
Command switches used :: c:\users\Jase\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Jase\AppData\Local\{0184948D-7E60-4403-A72E-DA73BDFD0E7A}
c:\users\Jase\AppData\Local\{055399D7-BA56-4DC5-A94B-670E22C77598}
c:\users\Jase\AppData\Local\{0998D021-97A9-48B1-8366-52AB2A718A7A}
c:\users\Jase\AppData\Local\{12E3C4ED-3A58-4323-8CE2-808E38997B95}
c:\users\Jase\AppData\Local\{1545D7FA-631A-4CDD-8A56-7B2F106DF114}
c:\users\Jase\AppData\Local\{24FA4D65-2A5A-4870-8290-AB354FAA3D3A}
c:\users\Jase\AppData\Local\{2F076FB6-94A9-4661-AB39-F1F4ECF5F683}
c:\users\Jase\AppData\Local\{3122B76E-8753-476A-BDDA-384A4F58C052}
c:\users\Jase\AppData\Local\{351A8EB3-F2A4-43BB-870C-A5C514852567}
c:\users\Jase\AppData\Local\{474DDCEE-C33E-4A23-B6D5-91C0FEE81739}
c:\users\Jase\AppData\Local\{5700220D-0AEC-464E-9144-EC63FC28A562}
c:\users\Jase\AppData\Local\{5CA42125-4171-4386-86A4-4B946CD7C0E6}
c:\users\Jase\AppData\Local\{70EF9626-6982-469E-AC2C-B958E5B9D558}
c:\users\Jase\AppData\Local\{72C31B7E-77E9-4EDF-9687-A8E0EC279231}
c:\users\Jase\AppData\Local\{75C39C0C-0776-4734-A3D1-F3FF2755BF36}
c:\users\Jase\AppData\Local\{7E66B8A8-63F7-4589-B6D9-4D71EF8ACFB7}
c:\users\Jase\AppData\Local\{80C0312A-2C08-452E-947D-7F75F2084630}
c:\users\Jase\AppData\Local\{818A883C-15C9-4B5A-9B08-6FF06B2287B1}
c:\users\Jase\AppData\Local\{827BF90C-4498-4975-8B95-DD915D25371F}
c:\users\Jase\AppData\Local\{977A6E6F-EA3C-4858-8135-CA00364D5D05}
c:\users\Jase\AppData\Local\{B559D77D-E037-45A5-8F92-5E96C92F7119}
c:\users\Jase\AppData\Local\{B669E0DD-0D91-40C4-B704-D5E8E17737D9}
c:\users\Jase\AppData\Local\{BD77A630-7E9A-4A9B-B13D-CB9B11652BE0}
c:\users\Jase\AppData\Local\{C37D834D-4369-473D-9C8B-CDFE075877D6}
c:\users\Jase\AppData\Local\{D18EBCB2-E69C-495B-9B12-AFCC8930CBAA}
c:\users\Jase\AppData\Local\{D587206C-0E11-4D1F-8BF5-2AF465E6C487}
c:\users\Jase\AppData\Local\{E1EED025-2912-4557-978F-14F409213BEC}
c:\users\Jase\AppData\Local\{EE6B0A23-0089-4D5B-B140-33F1FAACA788}
c:\users\Jase\AppData\Roaming\Pyexo
.
.
((((((((((((((((((((((((( Files Created from 2012-01-24 to 2012-02-24 )))))))))))))))))))))))))))))))
.
.
2012-02-24 09:02 . 2012-02-24 09:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-23 17:20 . 2012-02-23 17:20 -------- d-----w- C:\Bad Files
2012-02-23 17:16 . 2012-02-23 17:17 -------- d-----w- c:\program files (x86)\ERUNT
2012-02-23 12:37 . 2012-02-08 07:13 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E0F942D2-7651-40BA-B19A-1D87A0789123}\mpengine.dll
2012-02-08 17:39 . 2012-02-08 07:13 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-02-07 22:52 . 2012-02-07 22:52 388096 ----a-r- c:\users\Jase\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-07 22:52 . 2012-02-07 22:52 -------- d-----w- c:\program files (x86)\Trend Micro
2012-02-06 22:56 . 2011-06-21 04:09 200976 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2012-02-06 22:38 . 2012-02-06 22:38 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AA707033-0E4C-4EA0-952B-8FCB204DAA27}\gapaengine.dll
2012-02-06 22:35 . 2012-02-06 22:35 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-02-06 22:35 . 2012-02-06 22:35 -------- d-----w- c:\program files\Microsoft Security Client
2012-02-03 23:16 . 2012-02-03 23:16 -------- d-----w- c:\users\Jase\AppData\Roaming\SUPERAntiSpyware.com
2012-02-03 23:16 . 2012-02-03 23:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-03 23:16 . 2012-02-03 23:16 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-03 09:40 . 2007-05-02 23:43 138240 ----a-w- c:\windows\system32\Spool\prtprocs\x64\lxdvdrpp.dll
2012-02-03 09:40 . 2007-07-18 07:45 1462272 ----a-w- c:\windows\system32\lxdvg.dll
2012-02-03 09:40 . 2007-04-30 21:14 420352 ----a-w- c:\windows\system32\lxdvcoin.dll
2012-02-02 22:12 . 2012-02-02 22:17 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-02 22:12 . 2012-02-02 22:12 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-02-01 17:38 . 2012-02-01 17:38 -------- d-----w- c:\windows\system32\appmgmt
2012-02-01 17:30 . 2012-02-01 18:18 -------- d-----w- c:\programdata\AutoKMS
2012-01-30 09:52 . 2012-01-31 18:46 -------- d-----w- c:\users\Jase\AppData\Roaming\Win7codecs
2012-01-30 09:52 . 2012-01-30 09:52 -------- d-----w- c:\program files (x86)\Win7codecs
2012-01-30 09:51 . 2012-01-31 18:46 -------- d-----w- c:\programdata\Win7codecs
2012-01-28 12:12 . 2012-01-28 12:12 79360 ----a-w- c:\windows\SysWow64\ff_vfw.dll
2012-01-28 12:10 . 2012-01-28 12:10 48128 ----a-w- c:\windows\SysWow64\ff_acm.acm
2012-01-27 17:44 . 2012-01-27 17:44 -------- d-----w- c:\program files\iPod
2012-01-27 17:44 . 2012-01-27 17:44 -------- d-----w- c:\program files\iTunes
2012-01-27 17:44 . 2012-01-27 17:44 -------- d-----w- c:\program files (x86)\iTunes
2012-01-27 10:37 . 2011-07-04 03:47 -------- d-----w- c:\program files\OpenCV2.3
2012-01-26 17:26 . 2012-01-26 17:26 -------- d-----w- c:\users\Jase\AppData\Roaming\Microsoft Corporation
2012-01-26 17:18 . 2009-07-22 08:17 78872 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2012-01-26 17:18 . 2009-07-22 08:17 50200 ----a-w- c:\windows\SysWow64\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2012-01-26 17:18 . 2009-07-22 08:17 79896 ----a-w- c:\windows\SysWow64\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2012-01-26 17:18 . 2009-07-22 08:17 111640 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2012-01-26 17:17 . 2012-01-26 17:17 -------- d-----w- c:\windows\system32\RsFx
2012-01-26 17:16 . 2012-01-26 17:16 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2012-01-26 17:16 . 2012-01-26 17:16 -------- d-----w- c:\program files\Microsoft.NET
2012-01-26 17:12 . 2012-02-02 18:04 -------- d-----w- c:\program files\Microsoft SQL Server
2012-01-26 17:11 . 2012-01-26 17:16 -------- d-----w- c:\program files (x86)\Microsoft SQL Server
2012-01-26 17:07 . 2012-01-26 17:07 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2012-01-26 17:04 . 2012-02-02 17:25 2118848 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2012-01-26 16:58 . 2012-02-02 18:06 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 10.0
2012-01-26 16:56 . 2012-02-02 17:38 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 9.0
2012-01-26 16:56 . 2012-02-02 17:56 -------- d-----w- c:\program files (x86)\Microsoft SDKs
2012-01-25 21:58 . 2012-02-24 07:54 -------- d-----w- c:\users\Jase\AppData\Local\Htc
2012-01-25 21:57 . 2012-02-01 21:19 -------- d-----w- c:\users\Jase\AppData\Roaming\HTC
2012-01-25 21:55 . 2012-01-25 21:55 -------- d-----w- c:\users\Jase\AppData\Local\Downloaded Installations
2012-01-25 21:55 . 2012-01-25 21:55 -------- d-----w- c:\program files (x86)\Spirent Communications
2012-01-25 21:55 . 2012-01-25 21:56 -------- d-----w- c:\program files (x86)\HTC
2012-01-25 21:55 . 2012-01-25 21:55 -------- d-----w- c:\program files (x86)\Common Files\Adobe AIR
2012-01-25 21:35 . 2012-01-25 22:10 -------- d-----w- C:\ruu_log
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 21:49 . 2011-11-01 12:28 419840 ----a-w- c:\windows\system32\systemcplx64.dll
2012-01-31 12:44 . 2009-10-14 12:52 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-24 14:18 . 2012-01-24 14:18 4794880 ----a-w- c:\windows\SysWow64\x264vfw.dll
2011-12-22 22:40 . 2011-12-22 22:40 155648 ----a-w- c:\windows\SysWow64\ac3acm.acm
2011-12-10 15:24 . 2011-08-03 15:39 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-07 19:32 . 2011-12-07 19:32 216064 ----a-w- c:\windows\SysWow64\lagarith.dll
2011-11-28 12:25 . 2011-11-28 12:25 763904 ----a-w- c:\windows\SysWow64\lameACM.acm
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-07_22.45.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-11 06:15 . 2012-02-24 07:55 41280 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-02-24 07:55 42172 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-08-01 13:18 . 2012-02-24 07:55 12114 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-793449266-2017018900-3416318726-1001_UserData.bin
+ 2011-08-01 13:11 . 2012-02-23 17:17 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-08-01 13:11 . 2012-02-06 23:02 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-08-01 13:11 . 2012-02-06 23:02 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-08-01 13:11 . 2012-02-23 17:17 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-06 23:02 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-23 17:17 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-08-01 13:17 . 2012-02-19 23:18 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-08-01 13:17 . 2011-08-01 16:48 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-02-24 09:04 . 2012-02-24 09:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-02-07 21:54 . 2012-02-07 21:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-02-07 21:54 . 2012-02-07 21:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-02-24 09:04 . 2012-02-24 09:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:12 . 2011-08-01 15:22 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:12 . 2012-02-15 23:39 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:01 . 2012-02-24 09:03 367276 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-02-07 18:16 367276 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-02-23 17:18 . 2005-10-20 12:02 163328 c:\windows\ERDNT\23-02-2012\ERDNT.EXE
+ 2011-08-11 14:14 . 2012-02-24 09:03 1109440 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-08-11 14:14 . 2012-02-07 18:16 1109440 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2012-02-07 22:52 . 2012-02-07 22:52 1402880 c:\windows\Installer\35b280.msi
+ 2012-02-23 17:18 . 2012-02-23 17:18 2658304 c:\windows\ERDNT\23-02-2012\Users\00000002\UsrClass.dat
+ 2012-02-23 17:18 . 2012-02-23 17:18 6942720 c:\windows\ERDNT\23-02-2012\Users\00000001\NTUSER.DAT
+ 2011-08-03 08:52 . 2012-02-24 09:03 29546688 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-793449266-2017018900-3416318726-1001-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2011-11-11 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-07-28 336384]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-12-20 634880]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-16 421736]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 lxdvCATSCustConnectService;lxdvCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxdvserv.exe [2007-10-18 33448]
R3 atillk64;atillk64;c:\users\Jase\Downloads\ati_winflash_2.0.1.14\atillk64.sys [2006-07-19 14608]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-08-16 1030600]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 427880]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe [2007-10-18 1044136]
S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-09-15 88576]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x64.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 825184]
"lxdvmon.exe"="c:\program files (x86)\Lexmark X5400 Series\lxdvmon.exe" [2007-11-02 455336]
"lxdvamon"="c:\program files (x86)\Lexmark X5400 Series\lxdvamon.exe" [2007-11-02 25256]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Lookup on Merriam Webster
IE: Lookup on Wikipedia
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-793449266-2017018900-3416318726-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-793449266-2017018900-3416318726-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-793449266-2017018900-3416318726-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5F45BA7C-5C96-5B93-D393-B0746A555ED0}*]
"oaaofnnckpbioablffaegbpnhheoan"=hex:69,61,66,68,62,69,6f,6d,61,66,62,63,65,70,
6a,66,63,69,00,00
"pacohegbolecikkaokcahadjkaaooogn"=hex:69,61,69,67,6d,6b,6e,69,6b,6f,63,61,67,
64,63,6f,67,62,00,00
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
.
**************************************************************************
.
Completion time: 2012-02-24 09:08:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-24 09:08
ComboFix2.txt 2012-02-24 08:12
ComboFix3.txt 2012-02-07 22:47
.
Pre-Run: 1,475,086,639,104 bytes free
Post-Run: 1,474,760,810,496 bytes free
.
- - End Of File - - 5D455B4B5C5769CC25EFE7C799657303

2)Malwarebytes log

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.23.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Jase :: DESKTOP-PC [administrator]

24/02/2012 09:14:01
mbam-log-2012-02-24 (09-14-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 187196
Time elapsed: 1 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

3)Eset Scan

C:\Users\Jase\Pictures\Advance\OPTIMA (E)\CarryItEasy.exe Win32/Sality.AF virus

I think this file is ok as its a program to use on a usb pen drive.

4)Security check log

Results of screen317's Security Check version 0.99.24
Windows 7 x64 (UAC is disabled!)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Spybot - Search & Destroy
Adobe Reader X (10.1.2)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````

Regards Pintglass

#11 SweetTech

SweetTech

    Agent ST

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 24 February 2012 - 08:49 AM

Hi Pintglass!

Since the last run of combofix which i am posting logs for i am getting a security alert message box in iexplorer saying you are about to view pages over a secure connection.

Does it say HTTPS:\\ in the address bar?

C:\Users\Jase\Pictures\Advance\OPTIMA (E)\CarryItEasy.exe Win32/Sality.AF virus

uhmm... I really really really hope you're right because if it is Sality, then it's not going to be good news at all.

VirusTotal File Scan
Please go to: VirusTotal
  • Posted Image
  • Click the Choose File button and search for the following file: C:\Users\Jase\Pictures\Advance\OPTIMA (E)\CarryItEasy.exe
  • Click Open
  • Then click Send File
If it says already scanned -- click "reanalyze now"

  • Please be patient while the file is scanned.
  • Once the scan results appear, please click on the Compact button.
  • A new window should appear with a bunch of tabs at the top. Please click on the BBCode tab.
  • Copy and Paste the contents of the text in the BBCode into your next reply for me to review.


Please post the results in your next reply

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#12 Pintglass

Pintglass

    Member

  • Members
  • PipPip
  • 47 posts

Posted 24 February 2012 - 09:16 AM

Hi SweetTech

Does it say HTTPS:\\ in the address bar?

Yes it does.

SweetTech there is no compact button on the virustotal results page.

Here is a link to the results from the scan it was scanned 2012-02-24 13:57:00 UTC.

VirusTotal

If this is not satisfactory let me know.

Regards Pintglass

Edited by Pintglass, 24 February 2012 - 09:18 AM.

#13 SweetTech

SweetTech

    Agent ST

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 24 February 2012 - 09:19 AM

Hi Pintglass,

What you provided me is fine for the VirusTotal results. Unfortunately, I do not have any good news for you.

Please see ThreatExpert's awareness of Win32.Sality.

Sality Family is a family of a polymorphic file infectors which infects .exe, .scr files, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

As with many other malware, Sality disables anti-virus software and prevents access to certain anti-virus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.

About Sality Virus

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach.

Sality/Win32.Sector is not effectively disinfectable. Your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once
infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there
afterwords. Please read:

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#14 Pintglass

Pintglass

    Member

  • Members
  • PipPip
  • 47 posts

Posted 24 February 2012 - 09:29 AM

Hi SweetTech

That file came on a PNY usb pen drive i have never used it or opened it in any way i must of copied it to my computer when i was transferring pictures from the usb drive.
I reinstalled windows about 6-8 months ago and up until about 2 weeks ago i have had no problems with viruses or malware.

Regards Pintglass

#15 SweetTech

SweetTech

    Agent ST

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 24 February 2012 - 09:32 AM

Pintglass,

Okay, so are you thinking that you want to try and proceed cleaning this computer up then?

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

Back to Virus, Trojan, Spyware, and Malware Removal Logs


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Logs
  4. Privacy Policy
  5. Rules ·