Jump to content


 

Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Backdoor.Multi.ZAccess.gen and Rootkit.Zeroaccess

Started by SuperstarSal , Apr 04 2012 11:17 PM

  • This topic is locked This topic is locked
16 replies to this topic

#1 SuperstarSal

SuperstarSal

    Member

  • Members
  • PipPip
  • 29 posts

Posted 04 April 2012 - 11:17 PM

So I've ran TDSKiller and Malwarebytes Pro multiple times and they've failed to remove "Backdoor.Multi.ZAccess.gen" and "Rootkit.Zeroaccess." I don't know what more to do so I've posted the stuff you guys asked me to. Thanks guys.


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_29
Run by SAL at 21:08:14 on 2012-04-04
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6128.4373 [GMT -7:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUI.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Xfire\xfire.exe
C:\Program Files (x86)\Xfire\xfire64.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files (x86)\Xfire\xfire64.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\SAL\Downloads\Defogger.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4320&r=17360810e306p0425v165k4611r25q
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4320&r=17360810e306p0425v165k4611r25q
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4320&r=17360810e306p0425v165k4611r25q
uInternet Settings,ProxyServer = socks=127.0.0.1:4021
uInternet Settings,ProxyOverride = local;*.local
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: FBDownloader BHO: {553318da-d010-469e-84b1-496563cae1bf} - C:\Program Files (x86)\HTTO Group, Ltd\FBDownloader IE Add-on\FBDownloader.dll
BHO: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {1B26960C-6AAC-4856-AE2B-2570161D565E} - No File
mRun: [Hotkey Utility] C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe
mRun: [Gateway Photo Frame] C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe -A
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OABNAEUASAAtAFIAVgBFAEcAQQAtAFYASgBOAFgAMwAtAFkAMwBEAEwAQQAtADgAVQBFAE4ANgAtADYARQBNAEIAUgA"&"inst=NwA2AC0ANQAxADgAMgAxADcAOAA5ADEALQBYAE8AMwA2ACsAMQAtAEQAMwA4ADEATAArADUALQBUAEIAOQArADIALQBOADEARAArADEALQBQAEwAKwA5AC0ARABEAFQAKwAwAA"&"prod=54"&"ver=9.0.894
StartupFolder: C:\Users\SAL\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\AMLDEV~1.LNK - C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{22A864D8-2616-4238-995E-8190C42A49C9} : DhcpNameServer = 10.0.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: FBDownloader BHO: {553318DA-D010-469E-84B1-496563CAE1BF} - C:\Program Files (x86)\HTTO Group, Ltd\FBDownloader IE Add-on\FBDownloader.dll
BHO-X64: FBDownloader - No File
BHO-X64: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - No File
BHO-X64: AMD SteadyVideo BHO - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB-X64: {1B26960C-6AAC-4856-AE2B-2570161D565E} - No File
mRun-x64: [Hotkey Utility] C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe
mRun-x64: [Gateway Photo Frame] C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe -A
mRun-x64: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRunOnce-x64: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OABNAEUASAAtAFIAVgBFAEcAQQAtAFYASgBOAFgAMwAtAFkAMwBEAEwAQQAtADgAVQBFAE4ANgAtADYARQBNAEIAUgA"&"inst=NwA2AC0ANQAxADgAMgAxADcAOAA5ADEALQBYAE8AMwA2ACsAMQAtAEQAMwA4ADEATAArADUALQBUAEIAOQArADIALQBOADEARAArADEALQBQAEwAKwA5AC0ARABEAFQAKwAwAA"&"prod=54"&"ver=9.0.894
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\SAL\AppData\Roaming\Mozilla\Firefox\Profiles\u4f443o6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=BSRTDF&PC=BBSR&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4c5d0cc2&v=7.005.030.004&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - component: C:\Program Files (x86)\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 ahcix64s;ahcix64s;C:\Windows\system32\DRIVERS\ahcix64s.sys --> C:\Windows\system32\DRIVERS\ahcix64s.sys [?]
R0 SmartDefragDriver;SmartDefragDriver;C:\Windows\system32\Drivers\SmartDefragDriver.sys --> C:\Windows\system32\Drivers\SmartDefragDriver.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-2-14 361984]
R2 AODDriver4.01;AODDriver4.01;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-1-3 55936]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 Greg_Service;GRegService;C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [2009-8-28 1150496]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-1-31 652360]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [2011-8-19 450848]
R2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2010-4-12 243232]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]
R3 LVUVC64;Logitech Webcam C210(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
S2 AODDriver4.1;AODDriver4.1;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-1-3 55936]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-2 253600]
S3 ESLvnic1;ESLvnic Virtual Network 64 Bit;C:\Windows\system32\DRIVERS\ESLvnic.sys --> C:\Windows\system32\DRIVERS\ESLvnic.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-1-21 30963576]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
.
=============== Created Last 30 ================
.
2012-04-04 00:47:54 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-03 23:33:13 -------- d-----w- C:\TDSSKiller
2012-04-03 06:33:47 53248 ----a-r- C:\Users\SAL\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2012-04-02 19:29:04 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-04-02 17:57:10 -------- d-sh--w- C:\Windows\System32\%APPDATA%
2012-04-02 17:53:45 0 --sha-w- C:\Windows\System32\dds_log_ad13.cmd
2012-04-02 17:52:42 -------- d-sh--w- C:\Users\SAL\AppData\Local\c7c64ac0
2012-03-30 22:15:49 -------- d-----w- C:\Users\SAL\AppData\Local\DDMSettings
2012-03-30 22:11:42 8669240 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DCF3B38D-DCA5-4122-AE2C-DF9031AA00F8}\mpengine.dll
2012-03-28 19:41:39 99840 ----a-w- C:\Windows\System32\charhost64.dll
2012-03-28 19:41:39 88576 ----a-w- C:\Windows\SysWow64\charhost.dll
2012-03-24 19:23:01 -------- d-----w- C:\Program Files (x86)\AMD AVT
2012-03-24 19:22:59 -------- d-----w- C:\Program Files\AMD
2012-03-24 19:22:59 -------- d-----w- C:\Program Files (x86)\AMD
2012-03-24 19:22:58 -------- d-----w- C:\Program Files (x86)\AMD APP
2012-03-21 01:26:53 -------- d-----w- C:\Users\SAL\AppData\Roaming\BANDISOFT
2012-03-21 01:26:38 -------- d-----w- C:\Program Files (x86)\Bandicam
2012-03-21 01:26:37 -------- d-----w- C:\Program Files (x86)\BandiMPEG1
2012-03-20 00:04:05 -------- d-----w- C:\Program Files\iPod
2012-03-20 00:04:04 -------- d-----w- C:\Program Files\iTunes
2012-03-20 00:04:04 -------- d-----w- C:\Program Files (x86)\iTunes
2012-03-15 02:01:22 592824 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-15 02:01:22 44472 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
2012-03-13 20:35:32 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-13 20:35:31 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-13 20:35:31 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-13 19:49:40 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-03-13 19:49:32 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-03-13 19:49:32 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-03-13 18:19:00 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-13 18:19:00 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-13 18:19:00 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-03-13 18:19:00 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-13 18:19:00 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-13 18:19:00 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-03-13 18:19:00 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-03-08 22:26:36 -------- d-----w- C:\Program Files (x86)\Cygnus
.
==================== Find3M ====================
.
2012-04-03 06:33:33 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys
2012-04-02 19:29:03 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-29 19:21:24 42392 ----a-w- C:\Windows\SysWow64\xfcodec.dll
2012-02-29 19:21:24 28056 ----a-w- C:\Windows\System32\xfcodec64.dll
2012-02-23 16:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-15 05:05:32 69632 ----a-w- C:\Windows\System32\OpenVideo64.dll
2012-02-15 05:05:26 59904 ----a-w- C:\Windows\SysWow64\OpenVideo.dll
2012-02-15 05:05:20 61952 ----a-w- C:\Windows\System32\OVDecode64.dll
2012-02-15 05:05:16 54784 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2012-02-15 05:05:08 16507904 ----a-w- C:\Windows\System32\amdocl64.dll
2012-02-15 05:04:26 13238272 ----a-w- C:\Windows\SysWow64\amdocl.dll
2012-02-15 05:03:44 54272 ----a-w- C:\Windows\System32\OpenCL.dll
2012-02-15 05:03:38 48128 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2012-02-15 03:48:32 10856960 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2012-02-15 03:21:24 25839104 ----a-w- C:\Windows\System32\atio6axx.dll
2012-02-15 03:18:56 159744 ----a-w- C:\Windows\System32\atiapfxx.exe
2012-02-15 03:18:40 791040 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2012-02-15 03:17:04 957952 ----a-w- C:\Windows\System32\aticfx64.dll
2012-02-15 03:13:56 442368 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2012-02-15 03:13:40 496128 ----a-w- C:\Windows\System32\atieclxx.exe
2012-02-15 03:13:00 235520 ----a-w- C:\Windows\System32\atiesrxx.exe
2012-02-15 03:11:42 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2012-02-15 03:10:58 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2012-02-15 03:10:54 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2012-02-15 03:10:48 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2012-02-15 03:07:44 6200320 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2012-02-15 02:58:56 19392000 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2012-02-15 02:52:28 7646208 ----a-w- C:\Windows\System32\atidxx64.dll
2012-02-15 02:41:28 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2012-02-15 02:40:54 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2012-02-15 02:40:42 4958208 ----a-w- C:\Windows\System32\atiumd6a.dll
2012-02-15 02:34:56 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2012-02-15 02:34:54 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2012-02-15 02:34:46 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2012-02-15 02:34:44 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2012-02-15 02:34:36 5954048 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2012-02-15 02:34:30 13859840 ----a-w- C:\Windows\System32\aticaldd64.dll
2012-02-15 02:29:52 5062656 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2012-02-15 02:29:50 11561984 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2012-02-15 02:25:06 7551488 ----a-w- C:\Windows\System32\atiumd64.dll
2012-02-15 02:16:38 58880 ----a-w- C:\Windows\System32\coinst.dll
2012-02-15 02:14:00 512000 ----a-w- C:\Windows\System32\atiadlxx.dll
2012-02-15 02:13:50 356352 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2012-02-15 02:13:36 17408 ----a-w- C:\Windows\System32\atig6pxx.dll
2012-02-15 02:13:32 14336 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2012-02-15 02:13:32 14336 ----a-w- C:\Windows\System32\atiglpxx.dll
2012-02-15 02:13:28 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2012-02-15 02:13:20 33280 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2012-02-15 02:13:12 327680 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2012-02-15 02:12:22 43008 ----a-w- C:\Windows\System32\atiuxp64.dll
2012-02-15 02:12:14 33280 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2012-02-15 02:12:08 39936 ----a-w- C:\Windows\System32\atiu9p64.dll
2012-02-15 02:12:00 30208 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2012-02-15 02:11:22 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2012-02-15 02:11:16 54784 ----a-w- C:\Windows\System32\atimpc64.dll
2012-02-15 02:11:16 54784 ----a-w- C:\Windows\System32\amdpcom64.dll
2012-02-15 02:11:10 53760 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2012-02-15 02:11:10 53760 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2012-01-31 13:02:26 21504 ----a-w- C:\Windows\System32\kdbsdk64.dll
2012-01-31 13:00:24 16896 ----a-w- C:\Windows\SysWow64\kdbsdk32.dll
.
============= FINISH: 21:08:39.43 ===============

 

  • BC Ads
  • BleepingComputer.com

#2 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,568 posts
  • Gender:Not Telling
  • Location:Canada

Posted 08 April 2012 - 08:41 AM

Hi

Please do the following:


For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to the disclaimer.
[*]Place a check next to List Drivers MD5 as well as the default check marks that are already there
[*]Press Scan button.
[*]type exit and reboot the computer normally
[*]FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.[/list]
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011, 2012

#3 SuperstarSal

SuperstarSal

    Member

  • Members
  • PipPip
  • 29 posts

Posted 08 April 2012 - 05:38 PM

Scan result of Farbar Recovery Scan Tool Version: 15-03-2012
Ran by SYSTEM at 08-04-2012 15:33:10
Running from L:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [13307496 2011-10-17] (Realtek Semiconductor)
HKLM-x32\...\Run: [Hotkey Utility] C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe [563744 2010-03-25] ()
HKLM-x32\...\Run: [Gateway Photo Frame] C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe -A [124416 2009-07-20] (IOI)
HKLM-x32\...\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [311296 2010-05-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-01-21] (Microsoft Corporation)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1230704 2011-03-21] ()
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-01-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [460872 2012-01-13] (Malwarebytes Corporation)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-06] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [636032 2012-02-14] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Runonce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OABNAEUASAAtAFIAVgBFAEcAQQAtAFYASgBOAFgAMwAtAFkAMwBEAEwAQQAtADgAVQBFAE4ANgAtADYARQBNAEIAUgA"&"inst=NwA2AC0ANQAxADgAMgAxADcAOAA5ADEALQBYAE8AMwA2ACsAMQAtAEQAMwA4ADEATAArADUALQBUAEIAOQArADIALQBOADEARAArADEALQBQAEwAKwA5AC0ARABEAFQAKwAwAA"&"prod=54"&"ver=9.0.894 [x]
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1

==================== Services (Whitelisted) ======

2 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [462184 2011-08-30] (Apple Inc.)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [652360 2012-01-13] (Malwarebytes Corporation)
3 Nero BackItUp Scheduler 4.0; C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe [935208 2010-01-15] (Nero AG)
3 npggsvc; C:\Windows\SysWow64\GameMon.des -service [3555568 2010-04-28] (INCA Internet Co., Ltd.)
2 UMVPFSrv; C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2011-08-19] (Logitech Inc.)

========================== Drivers (Whitelisted) =============

0 ahcix64s; C:\Windows\System32\Drivers\ahcix64s.sys [235312 2010-01-05] (Advanced Micro Devices, Inc)
3 amdkmdag; C:\Windows\System32\DRIVERS\atikmdag.sys [10856960 2012-02-14] (Advanced Micro Devices, Inc.)
2 AODDriver4.01; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [55936 2012-01-03] (Advanced Micro Devices)
2 AODDriver4.1; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [55936 2012-01-03] (Advanced Micro Devices)
3 ESLvnic1; C:\Windows\System32\DRIVERS\ESLvnic.sys [25528 2011-04-18] (Turtle Entertainment GmbH)
3 LHidFilt; C:\Windows\System32\Drivers\LHidFilt.sys [63568 2010-08-24] (Logitech, Inc.)
3 LMouFilt; C:\Windows\System32\Drivers\LMouFilt.sys [57936 2010-08-24] (Logitech, Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [23152 2011-12-10] (Malwarebytes Corporation)
0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [17720 2010-11-26] ()
3 TIEHDUSB; C:\Windows\System32\Drivers\TIEHDUSB.sys [128512 2009-09-03] (Texas Instruments)
3 cpuz132; \??\C:\Users\SAL\AppData\Local\Temp\cpuz132\cpuz132_x64.sys [x]
3 dump_wmimmc; \??\C:\ijji\ENGLISH\u_sf\GameGuard\dump_wmimmc.sys [x]
3 NPPTNT2; \??\C:\Windows\system32\npptNT2.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-04-08 15:32 - 2012-04-08 15:33 - 0000000 ____D C:\FRST
2012-04-07 14:05 - 2012-04-07 15:44 - 0000000 ____D C:\Program Files (x86)\STOPzilla!
2012-04-07 14:05 - 2012-04-07 14:07 - 0000000 ____D C:\Users\All Users\STOPzilla!
2012-04-07 14:05 - 2012-04-07 14:07 - 0000000 ____D C:\ProgramData\STOPzilla!
2012-04-07 14:03 - 2012-04-07 14:03 - 0109656 ____A C:\Users\SAL\AppData\Local\GDIPFONTCACHEV1.DAT
2012-04-07 13:38 - 2012-04-07 13:40 - 0124594 ____A C:\TDSSKiller.2.7.26.0_07.04.2012_14.38.41_log.txt
2012-04-07 13:38 - 2012-04-07 13:38 - 0000348 ____A C:\TDSSKiller.2.7.25.0_07.04.2012_14.38.18_log.txt
2012-04-04 20:07 - 2012-04-04 20:07 - 0000000 ____A C:\Users\SAL\defogger_reenable
2012-04-04 20:06 - 2012-04-07 15:44 - 0000000 ____D C:\Users\SAL\Desktop\Operation Overlord
2012-04-03 15:33 - 2012-04-07 15:44 - 0000000 ____D C:\TDSSKiller
2012-04-02 09:52 - 2012-04-02 15:11 - 0000000 __SHD C:\Users\SAL\AppData\Local\c7c64ac0
2012-03-30 14:15 - 2012-03-30 14:15 - 0000000 ____D C:\Users\SAL\AppData\Local\DDMSettings
2012-03-28 11:41 - 2012-03-28 11:41 - 0099840 ____A (Kaspersky Lab) C:\Windows\System32\charhost64.dll
2012-03-25 18:37 - 2012-04-07 17:36 - 0001152 ____A C:\Windows\PFRO.log
2012-03-25 16:39 - 2012-03-25 16:40 - 3898304 ____A (TeamViewer GmbH) C:\Users\SAL\Downloads\TeamViewer_Setup_en.exe
2012-03-24 11:28 - 2012-03-24 11:28 - 0000000 ____D C:\Users\All Users\ATI
2012-03-24 11:28 - 2012-03-24 11:28 - 0000000 ____D C:\ProgramData\ATI
2012-03-24 11:23 - 2012-03-24 11:23 - 0002014 ____A C:\Users\All Users\Start Menu\Programs\Startup\AML Device Install.lnk
2012-03-24 11:23 - 2012-03-24 11:23 - 0000000 ____D C:\Program Files (x86)\AMD AVT
2012-03-24 11:22 - 2012-03-24 11:22 - 0000000 ____D C:\Program Files\AMD
2012-03-24 11:22 - 2012-03-24 11:22 - 0000000 ____D C:\Program Files (x86)\AMD APP
2012-03-24 11:22 - 2012-03-24 11:22 - 0000000 ____D C:\Program Files (x86)\AMD
2012-03-20 17:26 - 2012-03-20 17:26 - 5590336 ____A (Bandisoft) C:\Users\SAL\Downloads\bdcamsetup.exe
2012-03-20 17:26 - 2012-03-20 17:26 - 0000000 ____D C:\Users\SAL\AppData\Roaming\BANDISOFT
2012-03-20 17:26 - 2012-03-20 17:26 - 0000000 ____D C:\Program Files (x86)\BandiMPEG1
2012-03-20 17:26 - 2012-03-20 17:26 - 0000000 ____D C:\Program Files (x86)\Bandicam
2012-03-20 17:24 - 2012-03-20 17:24 - 0000000 ____D C:\Program Files (x86)\QuickTime
2012-03-19 16:04 - 2012-03-19 16:04 - 0000000 ____D C:\Program Files\iTunes
2012-03-19 16:04 - 2012-03-19 16:04 - 0000000 ____D C:\Program Files\iPod
2012-03-19 16:04 - 2012-03-19 16:04 - 0000000 ____D C:\Program Files (x86)\iTunes
2012-03-15 22:39 - 2012-04-08 14:27 - 0007271 ____A C:\Windows\setupact.log
2012-03-15 22:39 - 2012-03-15 22:39 - 0000000 ____A C:\Windows\setuperr.log
2012-03-14 18:00 - 2012-03-14 18:00 - 16157992 ____A (Mozilla) C:\Users\SAL\Downloads\Firefox Setup 11.0.exe
2012-03-14 11:01 - 2012-03-15 18:41 - 0000000 ____D C:\Windows\Minidump
2012-03-13 12:35 - 2011-11-19 07:20 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-13 12:35 - 2011-11-19 06:50 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-13 12:35 - 2011-11-19 06:50 - 3913584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-13 11:49 - 2012-02-09 22:36 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-03-13 11:49 - 2012-02-09 21:38 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-03-13 11:49 - 2012-02-02 20:34 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-13 10:19 - 2012-02-16 22:38 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-03-13 10:19 - 2012-02-16 21:34 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-03-13 10:19 - 2012-02-16 20:58 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-03-13 10:19 - 2012-02-16 20:57 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-03-13 10:19 - 2012-01-24 22:38 - 0149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-03-13 10:19 - 2012-01-24 22:38 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-03-13 10:19 - 2012-01-24 22:33 - 0009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe

============ 3 Months Modified Files and Folders =============

2012-04-08 15:33 - 2012-04-08 15:32 - 0000000 ____D C:\FRST
2012-04-08 14:28 - 2011-01-10 19:16 - 0000000 ____D C:\Users\SAL\AppData\Roaming\Mumble
2012-04-08 14:27 - 2012-03-15 22:39 - 0007271 ____A C:\Windows\setupact.log
2012-04-08 14:27 - 2010-06-07 22:00 - 524099584 __ASH C:\hiberfil.sys
2012-04-08 14:27 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-08 14:24 - 2012-03-06 19:50 - 1107805 ____A C:\Windows\WindowsUpdate.log
2012-04-08 14:24 - 2009-07-13 21:13 - 0784224 ____A C:\Windows\System32\PerfStringBackup.INI
2012-04-08 13:58 - 2010-08-06 21:47 - 0000000 ____D C:\Users\SAL\AppData\Roaming\ijjigame
2012-04-08 13:34 - 2011-08-01 23:47 - 0000000 ____D C:\Users\SAL\AppData\Roaming\Skype
2012-04-08 10:23 - 2009-07-13 20:45 - 0009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-08 10:23 - 2009-07-13 20:45 - 0009920 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-07 19:50 - 2011-10-25 19:28 - 0000000 ____D C:\Users\SAL\AppData\Roaming\Xfire
2012-04-07 17:36 - 2012-03-25 18:37 - 0001152 ____A C:\Windows\PFRO.log
2012-04-07 17:34 - 2011-12-16 23:13 - 0000000 ____D C:\Users\SAL\AppData\Local\PMB Files
2012-04-07 15:44 - 2012-04-07 14:05 - 0000000 ____D C:\Program Files (x86)\STOPzilla!
2012-04-07 15:44 - 2012-04-04 20:06 - 0000000 ____D C:\Users\SAL\Desktop\Operation Overlord
2012-04-07 15:44 - 2012-04-03 15:33 - 0000000 ____D C:\TDSSKiller
2012-04-07 15:44 - 2011-12-26 11:56 - 0000000 ____D C:\Windows\System32\Macromed
2012-04-07 15:44 - 2011-12-16 23:13 - 0000000 ____D C:\Users\All Users\PMB Files
2012-04-07 15:44 - 2011-12-16 23:13 - 0000000 ____D C:\ProgramData\PMB Files
2012-04-07 15:44 - 2011-07-13 23:30 - 0000000 ____D C:\Program Files\DivX
2012-04-07 15:44 - 2011-07-13 23:29 - 0000000 ____D C:\Users\All Users\DivX
2012-04-07 15:44 - 2011-07-13 23:29 - 0000000 ____D C:\ProgramData\DivX
2012-04-07 15:44 - 2011-07-13 23:29 - 0000000 ____D C:\Program Files (x86)\DivX
2012-04-07 15:44 - 2011-05-28 03:36 - 0000000 ____D C:\Users\SAL\AppData\Roaming\Logishrd
2012-04-07 15:44 - 2010-08-06 21:45 - 0000000 ____D C:\Users\SAL\AppData\Roaming\Ventrilo
2012-04-07 15:44 - 2009-07-13 23:44 - 0000000 ___RD C:\Users\Public\Recorded TV
2012-04-07 15:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2012-04-07 15:44 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\AppCompat
2012-04-07 15:43 - 2011-01-11 16:43 - 0000000 __RHD C:\MSOCache
2012-04-07 15:43 - 2010-08-18 20:57 - 0000000 ____D C:\Users\All Users\LogiShrd
2012-04-07 15:43 - 2010-08-18 20:57 - 0000000 ____D C:\ProgramData\LogiShrd
2012-04-07 15:43 - 2010-08-06 14:55 - 0000000 ____D C:\Users\SAL\AppData\LocalLow
2012-04-07 15:30 - 2011-10-17 16:51 - 0000000 ____D C:\Users\All Users\Xfire
2012-04-07 15:30 - 2011-10-17 16:51 - 0000000 ____D C:\ProgramData\Xfire
2012-04-07 15:08 - 2010-08-22 17:21 - 0000000 ____A C:\Windows\SysWOW64\wbers.dat.dmp
2012-04-07 14:52 - 2010-08-06 14:55 - 0000000 ____D C:\users\SAL
2012-04-07 14:45 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2012-04-07 14:07 - 2012-04-07 14:05 - 0000000 ____D C:\Users\All Users\STOPzilla!
2012-04-07 14:07 - 2012-04-07 14:05 - 0000000 ____D C:\ProgramData\STOPzilla!
2012-04-07 14:03 - 2012-04-07 14:03 - 0109656 ____A C:\Users\SAL\AppData\Local\GDIPFONTCACHEV1.DAT
2012-04-07 13:40 - 2012-04-07 13:38 - 0124594 ____A C:\TDSSKiller.2.7.26.0_07.04.2012_14.38.41_log.txt
2012-04-07 13:38 - 2012-04-07 13:38 - 0000348 ____A C:\TDSSKiller.2.7.25.0_07.04.2012_14.38.18_log.txt
2012-04-05 12:29 - 2011-07-26 12:37 - 0000000 ____D C:\Users\SAL\riotsGamesLogs
2012-04-04 20:23 - 2010-08-18 20:59 - 0000000 ____D C:\Program Files\Logitech
2012-04-04 20:07 - 2012-04-04 20:07 - 0000000 ____A C:\Users\SAL\defogger_reenable
2012-04-04 17:02 - 2010-09-06 15:46 - 0000000 ____D C:\Users\SAL\Documents\Business
2012-04-03 15:34 - 2011-12-10 13:21 - 0000000 ____D C:\Users\SAL\Documents\School
2012-04-02 15:11 - 2012-04-02 09:52 - 0000000 __SHD C:\Users\SAL\AppData\Local\c7c64ac0
2012-03-30 14:15 - 2012-03-30 14:15 - 0000000 ____D C:\Users\SAL\AppData\Local\DDMSettings
2012-03-28 11:41 - 2012-03-28 11:41 - 0099840 ____A (Kaspersky Lab) C:\Windows\System32\charhost64.dll
2012-03-25 16:40 - 2012-03-25 16:39 - 3898304 ____A (TeamViewer GmbH) C:\Users\SAL\Downloads\TeamViewer_Setup_en.exe
2012-03-25 16:35 - 2010-10-09 16:10 - 0000000 ____D C:\Users\SAL\AppData\Roaming\TeamViewer
2012-03-24 11:28 - 2012-03-24 11:28 - 0000000 ____D C:\Users\All Users\ATI
2012-03-24 11:28 - 2012-03-24 11:28 - 0000000 ____D C:\ProgramData\ATI
2012-03-24 11:23 - 2012-03-24 11:23 - 0002014 ____A C:\Users\All Users\Start Menu\Programs\Startup\AML Device Install.lnk
2012-03-24 11:23 - 2012-03-24 11:23 - 0000000 ____D C:\Program Files (x86)\AMD AVT
2012-03-24 11:23 - 2011-07-26 19:27 - 0000000 ____D C:\Users\All Users\AMD
2012-03-24 11:23 - 2011-07-26 19:27 - 0000000 ____D C:\ProgramData\AMD
2012-03-24 11:22 - 2012-03-24 11:22 - 0000000 ____D C:\Program Files\AMD
2012-03-24 11:22 - 2012-03-24 11:22 - 0000000 ____D C:\Program Files (x86)\AMD APP
2012-03-24 11:22 - 2012-03-24 11:22 - 0000000 ____D C:\Program Files (x86)\AMD
2012-03-24 11:22 - 2010-08-08 13:06 - 0000000 ____D C:\Program Files\ATI Technologies
2012-03-20 17:28 - 2011-11-13 16:31 - 0000000 ____D C:\Users\SAL\Documents\Recordings
2012-03-20 17:26 - 2012-03-20 17:26 - 5590336 ____A (Bandisoft) C:\Users\SAL\Downloads\bdcamsetup.exe
2012-03-20 17:26 - 2012-03-20 17:26 - 0000000 ____D C:\Users\SAL\AppData\Roaming\BANDISOFT
2012-03-20 17:26 - 2012-03-20 17:26 - 0000000 ____D C:\Program Files (x86)\BandiMPEG1
2012-03-20 17:26 - 2012-03-20 17:26 - 0000000 ____D C:\Program Files (x86)\Bandicam
2012-03-20 17:24 - 2012-03-20 17:24 - 0000000 ____D C:\Program Files (x86)\QuickTime
2012-03-20 12:20 - 2010-10-24 14:31 - 0005295 ____A C:\Users\SAL\Documents\Word Key.txt
2012-03-19 23:03 - 2011-10-14 21:21 - 0000000 ___RD C:\Users\SAL\Dropbox
2012-03-19 23:03 - 2011-10-14 21:19 - 0000000 ____D C:\Users\SAL\AppData\Roaming\Dropbox
2012-03-19 16:04 - 2012-03-19 16:04 - 0000000 ____D C:\Program Files\iTunes
2012-03-19 16:04 - 2012-03-19 16:04 - 0000000 ____D C:\Program Files\iPod
2012-03-19 16:04 - 2012-03-19 16:04 - 0000000 ____D C:\Program Files (x86)\iTunes
2012-03-18 21:00 - 2010-12-25 15:29 - 0000404 ____A C:\Windows\Tasks\SmartDefrag.job
2012-03-15 22:39 - 2012-03-15 22:39 - 0000000 ____A C:\Windows\setuperr.log
2012-03-15 18:41 - 2012-03-14 11:01 - 0000000 ____D C:\Windows\Minidump
2012-03-14 18:01 - 2010-08-06 21:40 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-03-14 18:00 - 2012-03-14 18:00 - 16157992 ____A (Mozilla) C:\Users\SAL\Downloads\Firefox Setup 11.0.exe
2012-03-14 18:00 - 2010-08-06 22:58 - 0000000 ____D C:\Users\SAL\AppData\Roaming\SoftGrid Client
2012-03-13 12:58 - 2009-07-13 20:45 - 0424536 ____A C:\Windows\System32\FNTCACHE.DAT
2012-03-13 12:34 - 2010-08-09 18:58 - 56297240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-03-13 12:33 - 2010-04-12 00:56 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-03-13 12:33 - 2010-04-12 00:56 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-03-12 15:55 - 2011-05-31 00:03 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-03-12 15:31 - 2010-08-06 21:34 - 0000000 ____D C:\Users\SAL\AppData\Local\AIM
2012-03-11 11:20 - 2010-08-06 21:32 - 0000000 ____D C:\Users\SAL\AppData\Local\Google
2012-03-11 00:06 - 2010-08-07 19:18 - 0000000 ___RD C:\Recycle Bin
2012-03-08 14:26 - 2012-03-08 14:26 - 0000000 ____D C:\Program Files (x86)\Cygnus
2012-03-06 19:49 - 2007-07-11 17:49 - 0000000 ____D C:\Windows\Panther
2012-03-05 17:01 - 2010-08-08 18:54 - 0000000 ____D C:\Program Files (x86)\CCleaner
2012-03-01 15:45 - 2011-10-25 19:28 - 0000000 ___SD C:\Program Files (x86)\Xfire
2012-02-29 11:21 - 2012-02-29 11:21 - 0042392 ____A C:\Windows\SysWOW64\xfcodec.dll
2012-02-29 11:21 - 2012-02-29 11:21 - 0028056 ____A C:\Windows\System32\xfcodec64.dll
2012-02-27 23:57 - 2010-08-06 22:57 - 0777948 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-02-24 17:36 - 2011-10-17 16:43 - 0000000 ____D C:\Program Files (x86)\REACTOR
2012-02-24 15:13 - 2009-07-13 21:08 - 0032638 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-02-23 09:18 - 2010-08-06 21:49 - 0279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-02-20 22:28 - 2010-04-12 00:42 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-02-20 20:58 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2012-02-20 20:57 - 2012-02-20 20:54 - 0000000 ____D C:\Program Files (x86)\fbDownloader
2012-02-20 20:57 - 2011-02-23 23:00 - 0000000 ____D C:\Users\SAL\AppData\Local\Conduit
2012-02-20 20:54 - 2012-02-20 20:54 - 0000000 ____D C:\Program Files (x86)\SDIV 2.0
2012-02-20 20:54 - 2012-02-20 20:54 - 0000000 ____D C:\Program Files (x86)\HTTO Group, Ltd
2012-02-20 20:54 - 2012-02-20 20:54 - 0000000 ____D C:\Program Files (x86)\Conduit
2012-02-20 20:42 - 2012-02-20 20:42 - 0000064 ____A C:\Windows\GPlrLanc.dat
2012-02-16 22:38 - 2012-03-13 10:19 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-02-16 21:34 - 2012-03-13 10:19 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-02-16 20:58 - 2012-03-13 10:19 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-02-16 20:57 - 2012-03-13 10:19 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-02-15 14:34 - 2010-04-12 01:00 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-02-15 10:02 - 2010-08-06 14:56 - 0000174 ___SH C:\Users\SAL\Start Menu\Programs\Startup\desktop.ini
2012-02-15 10:02 - 2010-08-06 14:56 - 0000174 ___SH C:\Users\SAL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-02-15 00:16 - 2011-01-11 15:28 - 0000000 ____D C:\Program Files (x86)\Microsoft Application Virtualization Client
2012-02-14 21:05 - 2012-02-14 21:05 - 16507904 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\amdocl64.dll
2012-02-14 21:05 - 2012-02-14 21:05 - 0069632 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\OpenVideo64.dll
2012-02-14 21:05 - 2012-02-14 21:05 - 0061952 ____A C:\Windows\System32\OVDecode64.dll
2012-02-14 21:05 - 2012-02-14 21:05 - 0059904 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\OpenVideo.dll
2012-02-14 21:05 - 2012-02-14 21:05 - 0054784 ____A C:\Windows\SysWOW64\OVDecode.dll
2012-02-14 21:04 - 2012-02-14 21:04 - 13238272 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\amdocl.dll
2012-02-14 21:03 - 2012-02-14 21:03 - 0054272 ____A (Khronos Group) C:\Windows\System32\OpenCL.dll
2012-02-14 21:03 - 2012-02-14 21:03 - 0048128 ____A (Khronos Group) C:\Windows\SysWOW64\OpenCL.dll
2012-02-14 19:48 - 2012-02-14 19:48 - 10856960 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\atikmdag.sys
2012-02-14 19:21 - 2012-02-14 19:21 - 25839104 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atio6axx.dll
2012-02-14 19:19 - 2012-02-14 19:19 - 0235072 ____A C:\Windows\SysWOW64\atiapfxx.blb
2012-02-14 19:19 - 2012-02-14 19:19 - 0235072 ____A C:\Windows\System32\atiapfxx.blb
2012-02-14 19:18 - 2012-02-14 19:18 - 0159744 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atiapfxx.exe
2012-02-14 19:18 - 2011-12-05 19:17 - 0791040 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\aticfx32.dll
2012-02-14 19:17 - 2010-04-12 01:29 - 0957952 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\aticfx64.dll
2012-02-14 19:13 - 2012-02-14 19:13 - 0496128 ____A (AMD) C:\Windows\System32\atieclxx.exe
2012-02-14 19:13 - 2012-02-14 19:13 - 0442368 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\ATIDEMGX.dll
2012-02-14 19:13 - 2012-02-14 19:13 - 0235520 ____A (AMD) C:\Windows\System32\atiesrxx.exe
2012-02-14 19:11 - 2012-02-14 19:11 - 0120320 ____A (AMD) C:\Windows\System32\atitmm64.dll
2012-02-14 19:10 - 2012-02-14 19:10 - 0059392 ____A (ATI Technologies, Inc.) C:\Windows\System32\atiedu64.dll
2012-02-14 19:10 - 2012-02-14 19:10 - 0043520 ____A (ATI Technologies, Inc.) C:\Windows\SysWOW64\ati2edxx.dll
2012-02-14 19:10 - 2012-02-14 19:10 - 0021504 ____A (AMD) C:\Windows\System32\atimuixx.dll
2012-02-14 19:07 - 2011-12-05 19:06 - 6200320 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atidxx32.dll
2012-02-14 18:58 - 2012-02-14 18:58 - 19392000 ____A (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atioglxx.dll
2012-02-14 18:52 - 2010-04-12 01:29 - 7646208 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atidxx64.dll
2012-02-14 18:41 - 2012-02-14 18:41 - 1113088 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiumd6v.dll
2012-02-14 18:40 - 2012-02-14 18:40 - 4958208 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiumd6a.dll
2012-02-14 18:40 - 2012-02-14 18:40 - 1828864 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdmv.dll
2012-02-14 18:36 - 2012-02-14 18:36 - 2425664 ____A C:\Windows\System32\atiumd6a.cap
2012-02-14 18:36 - 2012-02-14 18:36 - 0204952 ____A C:\Windows\SysWOW64\ativvsvl.dat
2012-02-14 18:36 - 2012-02-14 18:36 - 0204952 ____A C:\Windows\System32\ativvsvl.dat
2012-02-14 18:36 - 2012-02-14 18:36 - 0157144 ____A C:\Windows\SysWOW64\ativvsva.dat
2012-02-14 18:36 - 2012-02-14 18:36 - 0157144 ____A C:\Windows\System32\ativvsva.dat
2012-02-14 18:34 - 2012-02-14 18:34 - 13859840 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticaldd64.dll
2012-02-14 18:34 - 2012-02-14 18:34 - 0051200 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticalrt64.dll
2012-02-14 18:34 - 2012-02-14 18:34 - 0046080 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalrt.dll
2012-02-14 18:34 - 2012-02-14 18:34 - 0044544 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticalcl64.dll
2012-02-14 18:34 - 2012-02-14 18:34 - 0044032 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalcl.dll
2012-02-14 18:34 - 2011-12-05 18:33 - 5954048 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdag.dll
2012-02-14 18:29 - 2012-02-14 18:29 - 11561984 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticaldd.dll
2012-02-14 18:29 - 2011-12-05 18:28 - 5062656 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdva.dll
2012-02-14 18:28 - 2012-02-14 18:28 - 2427392 ____A C:\Windows\SysWOW64\atiumdva.cap
2012-02-14 18:25 - 2012-02-14 18:25 - 7551488 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiumd64.dll
2012-02-14 18:16 - 2010-04-12 01:29 - 0058880 ____A (AMD) C:\Windows\System32\coinst.dll
2012-02-14 18:14 - 2012-02-14 18:14 - 0512000 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atiadlxx.dll
2012-02-14 18:13 - 2012-02-14 18:13 - 0356352 ____A (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxy.dll
2012-02-14 18:13 - 2012-02-14 18:13 - 0327680 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\atikmpag.sys
2012-02-14 18:13 - 2012-02-14 18:13 - 0039936 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atig6txx.dll
2012-02-14 18:13 - 2012-02-14 18:13 - 0033280 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atigktxx.dll
2012-02-14 18:13 - 2012-02-14 18:13 - 0017408 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atig6pxx.dll
2012-02-14 18:13 - 2012-02-14 18:13 - 0014336 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiglpxx.dll
2012-02-14 18:13 - 2012-02-14 18:13 - 0014336 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiglpxx.dll
2012-02-14 18:12 - 2012-02-14 18:12 - 0039936 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiu9p64.dll
2012-02-14 18:12 - 2011-12-05 18:11 - 0033280 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiuxpag.dll
2012-02-14 18:12 - 2011-12-05 18:11 - 0030208 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiu9pag.dll
2012-02-14 18:12 - 2010-04-12 01:29 - 0043008 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiuxp64.dll
2012-02-14 18:11 - 2012-02-14 18:11 - 0054784 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atimpc64.dll
2012-02-14 18:11 - 2012-02-14 18:11 - 0054784 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\amdpcom64.dll
2012-02-14 18:11 - 2012-02-14 18:11 - 0053760 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atimpc32.dll
2012-02-14 18:11 - 2012-02-14 18:11 - 0053760 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdpcom32.dll
2012-02-14 18:11 - 2012-02-14 18:11 - 0053248 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\ati2erec.dll
2012-02-13 21:24 - 2010-08-18 20:58 - 0000000 ____D C:\Program Files\Common Files\Logishrd
2012-02-12 22:10 - 2010-08-16 17:04 - 0000000 ____D C:\Users\SAL\AppData\Local\Adobe
2012-02-12 22:10 - 2010-04-12 01:08 - 0000000 ____D C:\Users\All Users\Adobe
2012-02-12 22:10 - 2010-04-12 01:08 - 0000000 ____D C:\ProgramData\Adobe
2012-02-12 22:10 - 2010-04-12 01:08 - 0000000 ____D C:\Program Files (x86)\Adobe
2012-02-09 22:36 - 2012-03-13 11:49 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-02-09 21:38 - 2012-03-13 11:49 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-02-07 21:26 - 2012-02-07 21:26 - 0000017 ____A C:\Users\SAL\AppData\Local\resmon.resmoncfg
2012-02-05 13:44 - 2010-08-06 22:59 - 0000000 ____D C:\Users\SAL\AppData\Roaming\SystemRequirementsLab
2012-02-05 13:44 - 2010-08-06 22:59 - 0000000 ____D C:\Program Files (x86)\SystemRequirementsLab
2012-02-02 20:34 - 2012-03-13 11:49 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-02-01 09:52 - 2011-11-13 20:22 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-01-31 05:02 - 2012-01-31 05:02 - 0021504 ____A C:\Windows\System32\kdbsdk64.dll
2012-01-31 05:00 - 2012-01-31 05:00 - 0016896 ____A C:\Windows\SysWOW64\kdbsdk32.dll
2012-01-28 13:00 - 2010-08-08 13:06 - 0000000 ____D C:\AMD
2012-01-26 14:29 - 2010-04-12 01:09 - 0000000 ____D C:\Users\All Users\Norton
2012-01-26 14:29 - 2010-04-12 01:09 - 0000000 ____D C:\ProgramData\Norton
2012-01-25 23:02 - 2010-04-12 01:09 - 0000000 ____D C:\Windows\SysWOW64\Macromed
2012-01-24 22:38 - 2012-03-13 10:19 - 0149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-01-24 22:38 - 2012-03-13 10:19 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-01-24 22:33 - 2012-03-13 10:19 - 0009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-01-10 13:10 - 2012-01-10 13:10 - 0601728 ____A C:\Windows\System32\atiicdxx.dat

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 13%
Total physical RAM: 6127.76 MB
Available physical RAM: 5303.4 MB
Total Pagefile: 6125.91 MB
Available Pagefile: 5283.76 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (Gateway) (Fixed) (Total:911.35 GB) (Free:846.95 GB) NTFS
2 Drive e: (PQSERVICE) (Fixed) (Total:20 GB) (Free:9.3 GB) NTFS ==>[System with boot components (obtained from reading drive)]
9 Drive l: (USB20FD) (Removable) (Total:7.45 GB) (Free:7.41 GB) FAT32
10 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
11 Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 931 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B
Disk 6 Online 7648 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 20 GB 1024 KB
Partition 2 Primary 100 MB 20 GB
Partition 3 Primary 911 GB 20 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 20 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM RESE NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Gateway NTFS Partition 911 GB Healthy

======================================================================================================

Partitions of Disk 6:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7647 MB 40 KB

======================================================================================================

Disk: 6
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 9 L USB20FD FAT32 Removable 7647 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-04-03 14:04

======================= End Of Log ==========================

#4 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,568 posts
  • Gender:Not Telling
  • Location:Canada

Posted 08 April 2012 - 06:32 PM

Hi

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt 

start
SubSystems: [Windows] ==> ZeroAccess
2012-04-02 09:52 - 2012-04-02 15:11 - 0000000 __SHD C:\Users\SAL\AppData\Local\c7c64ac0
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011, 2012

#5 SuperstarSal

SuperstarSal

    Member

  • Members
  • PipPip
  • 29 posts

Posted 08 April 2012 - 07:34 PM

Here's the fixlog.txt from FRST64. I will be running ComboFix shortly.

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 15-03-2012
Ran by SYSTEM at 2012-04-08 17:29:49 R:1
Running from L:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
C:\Users\SAL\AppData\Local\c7c64ac0 moved successfully.

==== End of Fixlog ====

The reboot went smoothly after I clicked fix.

#6 SuperstarSal

SuperstarSal

    Member

  • Members
  • PipPip
  • 29 posts

Posted 09 April 2012 - 01:36 AM

ComboFix 12-04-08.02 - SAL 04/08/2012 23:21:55.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6128.4592 [GMT -7:00]
Running from: C:\Users\SAL\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Windows\SysWow64\system


((((((((((((((((((((((((( Files Created from 2012-03-09 to 2012-04-09 )))))))))))))))))))))))))))))))


2012-04-09 06:27:58 . 2012-04-09 06:27:58 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-04-09 06:27:58 . 2012-04-09 06:27:58 -------- d-sh--w- C:\Windows\system32\%APPDATA%
2012-04-09 06:26:31 . 2012-04-09 06:26:31 -------- d-----w- C:\Users\Default\AppData\Local\temp
2012-04-08 23:32:42 . 2012-04-08 23:33:52 -------- d-----w- C:\FRST
2012-04-07 22:05:46 . 2012-04-07 23:44:36 -------- d-----w- C:\Program Files (x86)\STOPzilla!
2012-04-07 22:05:45 . 2012-04-07 22:07:20 -------- d-----w- C:\ProgramData\STOPzilla!
2012-04-07 22:05:45 . 2012-04-07 22:05:45 -------- d-----w- C:\Program Files (x86)\Common Files\iS3
2012-04-03 23:33:13 . 2012-04-07 23:44:32 -------- d-----w- C:\TDSSKiller
2012-03-30 22:15:49 . 2012-03-30 22:15:49 -------- d-----w- C:\Users\SAL\AppData\Local\DDMSettings
2012-03-28 19:41:39 . 2012-03-28 19:41:39 99840 ----a-w- C:\Windows\system32\charhost64.dll
2012-03-24 19:28:33 . 2012-03-24 19:28:33 -------- d-----w- C:\ProgramData\ATI
2012-03-24 19:23:01 . 2012-03-24 19:23:01 -------- d-----w- C:\Program Files (x86)\AMD AVT
2012-03-24 19:22:59 . 2012-03-24 19:22:59 -------- d-----w- C:\Program Files\AMD
2012-03-24 19:22:59 . 2012-03-24 19:22:59 -------- d-----w- C:\Program Files (x86)\AMD
2012-03-24 19:22:58 . 2012-03-24 19:22:58 -------- d-----w- C:\Program Files (x86)\AMD APP
2012-03-21 01:26:53 . 2012-03-21 01:26:53 -------- d-----w- C:\Users\SAL\AppData\Roaming\BANDISOFT
2012-03-21 01:26:38 . 2012-03-21 01:26:39 -------- d-----w- C:\Program Files (x86)\Bandicam
2012-03-21 01:26:37 . 2012-03-21 01:26:38 -------- d-----w- C:\Program Files (x86)\BandiMPEG1
2012-03-20 00:04:05 . 2012-03-20 00:04:05 -------- d-----w- C:\Program Files\iPod
2012-03-20 00:04:04 . 2012-03-20 00:04:14 -------- d-----w- C:\Program Files\iTunes
2012-03-20 00:04:04 . 2012-03-20 00:04:14 -------- d-----w- C:\Program Files (x86)\iTunes
2012-03-15 02:01:22 . 2012-03-13 04:39:06 44472 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
2012-03-15 02:01:22 . 2012-03-13 04:39:05 592824 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-13 20:35:32 . 2011-11-19 15:20:37 5559152 ----a-w- C:\Windows\system32\ntoskrnl.exe
2012-03-13 20:35:31 . 2011-11-19 14:50:02 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-13 20:35:31 . 2011-11-19 14:50:02 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-13 19:49:40 . 2012-02-03 04:34:34 3145728 ----a-w- C:\Windows\system32\win32k.sys
2012-03-13 19:49:32 . 2012-02-10 06:36:07 1544192 ----a-w- C:\Windows\system32\DWrite.dll
2012-03-13 19:49:32 . 2012-02-10 05:38:43 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-03-13 18:19:00 . 2012-02-17 06:38:26 1031680 ----a-w- C:\Windows\system32\rdpcore.dll
2012-03-13 18:19:00 . 2012-02-17 05:34:22 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-13 18:19:00 . 2012-02-17 04:58:24 210944 ----a-w- C:\Windows\system32\drivers\rdpwd.sys
2012-03-13 18:19:00 . 2012-02-17 04:57:32 23552 ----a-w- C:\Windows\system32\drivers\tdtcp.sys
2012-03-13 18:19:00 . 2012-01-25 06:38:39 77312 ----a-w- C:\Windows\system32\rdpwsx.dll
2012-03-13 18:19:00 . 2012-01-25 06:38:38 149504 ----a-w- C:\Windows\system32\rdpcorekmts.dll
2012-03-13 18:19:00 . 2012-01-25 06:33:30 9216 ----a-w- C:\Windows\system32\rdrmemptylst.exe
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2012-03-14 03:27:40 . 2012-04-07 22:50:36 8669240 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{136C1E69-F830-479D-A2BC-755957C89832}\mpengine.dll
2012-03-12 23:55:57 . 2011-05-31 08:03:55 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-29 19:21:24 . 2012-02-29 19:21:24 42392 ----a-w- C:\Windows\SysWow64\xfcodec.dll
2012-02-29 19:21:24 . 2012-02-29 19:21:24 28056 ----a-w- C:\Windows\system32\xfcodec64.dll
2012-02-23 17:18:36 . 2010-08-07 05:49:13 279656 ------w- C:\Windows\system32\MpSigStub.exe
2012-02-15 05:05:32 . 2012-02-15 05:05:32 69632 ----a-w- C:\Windows\system32\OpenVideo64.dll
2012-02-15 05:05:26 . 2012-02-15 05:05:26 59904 ----a-w- C:\Windows\SysWow64\OpenVideo.dll
2012-02-15 05:05:20 . 2012-02-15 05:05:20 61952 ----a-w- C:\Windows\system32\OVDecode64.dll
2012-02-15 05:05:16 . 2012-02-15 05:05:16 54784 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2012-02-15 05:05:08 . 2012-02-15 05:05:08 16507904 ----a-w- C:\Windows\system32\amdocl64.dll
2012-02-15 05:04:26 . 2012-02-15 05:04:26 13238272 ----a-w- C:\Windows\SysWow64\amdocl.dll
2012-02-15 05:03:44 . 2012-02-15 05:03:44 54272 ----a-w- C:\Windows\system32\OpenCL.dll
2012-02-15 05:03:38 . 2012-02-15 05:03:38 48128 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2012-02-15 03:48:32 . 2012-02-15 03:48:32 10856960 ----a-w- C:\Windows\system32\drivers\atikmdag.sys
2012-02-15 03:21:24 . 2012-02-15 03:21:24 25839104 ----a-w- C:\Windows\system32\atio6axx.dll
2012-02-15 03:18:56 . 2012-02-15 03:18:56 159744 ----a-w- C:\Windows\system32\atiapfxx.exe
2012-02-15 03:18:40 . 2011-12-06 03:17:36 791040 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2012-02-15 03:17:04 . 2010-04-12 09:29:23 957952 ----a-w- C:\Windows\system32\aticfx64.dll
2012-02-15 03:13:56 . 2012-02-15 03:13:56 442368 ----a-w- C:\Windows\system32\ATIDEMGX.dll
2012-02-15 03:13:40 . 2012-02-15 03:13:40 496128 ----a-w- C:\Windows\system32\atieclxx.exe
2012-02-15 03:13:00 . 2012-02-15 03:13:00 235520 ----a-w- C:\Windows\system32\atiesrxx.exe
2012-02-15 03:11:42 . 2012-02-15 03:11:42 120320 ----a-w- C:\Windows\system32\atitmm64.dll
2012-02-15 03:10:58 . 2012-02-15 03:10:58 21504 ----a-w- C:\Windows\system32\atimuixx.dll
2012-02-15 03:10:54 . 2012-02-15 03:10:54 59392 ----a-w- C:\Windows\system32\atiedu64.dll
2012-02-15 03:10:48 . 2012-02-15 03:10:48 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2012-02-15 03:07:44 . 2011-12-06 03:06:38 6200320 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2012-02-15 02:58:56 . 2012-02-15 02:58:56 19392000 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2012-02-15 02:52:28 . 2010-04-12 09:29:23 7646208 ----a-w- C:\Windows\system32\atidxx64.dll
2012-02-15 02:41:28 . 2012-02-15 02:41:28 1113088 ----a-w- C:\Windows\system32\atiumd6v.dll
2012-02-15 02:40:54 . 2012-02-15 02:40:54 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2012-02-15 02:40:42 . 2012-02-15 02:40:42 4958208 ----a-w- C:\Windows\system32\atiumd6a.dll
2012-02-15 02:34:56 . 2012-02-15 02:34:56 51200 ----a-w- C:\Windows\system32\aticalrt64.dll
2012-02-15 02:34:54 . 2012-02-15 02:34:54 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2012-02-15 02:34:46 . 2012-02-15 02:34:46 44544 ----a-w- C:\Windows\system32\aticalcl64.dll
2012-02-15 02:34:44 . 2012-02-15 02:34:44 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2012-02-15 02:34:36 . 2011-12-06 02:33:36 5954048 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2012-02-15 02:34:30 . 2012-02-15 02:34:30 13859840 ----a-w- C:\Windows\system32\aticaldd64.dll
2012-02-15 02:29:52 . 2011-12-06 02:28:50 5062656 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2012-02-15 02:29:50 . 2012-02-15 02:29:50 11561984 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2012-02-15 02:25:06 . 2012-02-15 02:25:06 7551488 ----a-w- C:\Windows\system32\atiumd64.dll
2012-02-15 02:16:38 . 2010-04-12 09:29:25 58880 ----a-w- C:\Windows\system32\coinst.dll
2012-02-15 02:14:00 . 2012-02-15 02:14:00 512000 ----a-w- C:\Windows\system32\atiadlxx.dll
2012-02-15 02:13:50 . 2012-02-15 02:13:50 356352 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2012-02-15 02:13:36 . 2012-02-15 02:13:36 17408 ----a-w- C:\Windows\system32\atig6pxx.dll
2012-02-15 02:13:32 . 2012-02-15 02:13:32 14336 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2012-02-15 02:13:32 . 2012-02-15 02:13:32 14336 ----a-w- C:\Windows\system32\atiglpxx.dll
2012-02-15 02:13:28 . 2012-02-15 02:13:28 39936 ----a-w- C:\Windows\system32\atig6txx.dll
2012-02-15 02:13:20 . 2012-02-15 02:13:20 33280 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2012-02-15 02:13:12 . 2012-02-15 02:13:12 327680 ----a-w- C:\Windows\system32\drivers\atikmpag.sys
2012-02-15 02:12:22 . 2010-04-12 09:29:25 43008 ----a-w- C:\Windows\system32\atiuxp64.dll
2012-02-15 02:12:14 . 2011-12-06 02:11:16 33280 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2012-02-15 02:12:08 . 2012-02-15 02:12:08 39936 ----a-w- C:\Windows\system32\atiu9p64.dll
2012-02-15 02:12:00 . 2011-12-06 02:11:02 30208 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2012-02-15 02:11:22 . 2012-02-15 02:11:22 53248 ----a-w- C:\Windows\system32\drivers\ati2erec.dll
2012-02-15 02:11:16 . 2012-02-15 02:11:16 54784 ----a-w- C:\Windows\system32\atimpc64.dll
2012-02-15 02:11:16 . 2012-02-15 02:11:16 54784 ----a-w- C:\Windows\system32\amdpcom64.dll
2012-02-15 02:11:10 . 2012-02-15 02:11:10 53760 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2012-02-15 02:11:10 . 2012-02-15 02:11:10 53760 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2012-01-31 13:02:26 . 2012-01-31 13:02:26 21504 ----a-w- C:\Windows\system32\kdbsdk64.dll
2012-01-31 13:00:24 . 2012-01-31 13:00:24 16896 ----a-w- C:\Windows\SysWow64\kdbsdk32.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{553318DA-D010-469E-84B1-496563CAE1BF}]
2012-02-02 01:18:36 136192 ----a-w- C:\Program Files (x86)\HTTO Group, Ltd\FBDownloader IE Add-on\FBDownloader.dll

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12:20 94208 ----a-w- C:\Users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12:20 94208 ----a-w- C:\Users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12:20 94208 ----a-w- C:\Users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12:20 94208 ----a-w- C:\Users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Hotkey Utility"="C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe" [2010-03-26 02:29:36 563744]
"Gateway Photo Frame"="C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe" [2009-07-20 21:07:10 124416]
"ATICustomerCare"="C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-05 00:05:02 311296]
"BCSSync"="C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-01-22 01:22:24 91520]
"DivXUpdate"="C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 18:56:16 1230704]
"APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 04:28:32 59240]
"SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 21:06:06 254696]
"Adobe Reader Speed Launcher"="C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 06:51:18 37296]
"Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 18:07:56 843712]
"Malwarebytes' Anti-Malware"="C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 22:53:18 460872]
"iTunesHelper"="C:\Program Files (x86)\iTunes\iTunesHelper.exe" [2012-03-07 02:05:34 421736]
"QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" [2011-10-24 21:28:52 421888]
"StartCCC"="C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-02-15 05:49:08 636032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OABNAEUASAAtAFIAVgBFAEcAQQAtAFYASgBOAFgAMwAtAFkAMwBEAEwAQQAtADgAVQBFAE4ANgAtADYARQBNAEIAUgA&inst=NwA2AC0ANQAxADgAMgAxADcAOAA5ADEALQBYAE8AMwA2ACsAMQAtAEQAMwA4ADEATAArADUALQBUAEIAOQArADIALQBOADEARAArADEALQBQAEwAKwA5AC0ARABEAFQAKwAwAA&prod=54&ver=9.0.894" [?]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AML Device Install.lnk - C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [2012-1-31 10752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

R2 AODDriver4.1;AODDriver4.1;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-01-04 05:22:54 55936]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 20:16:28 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 21:27:14 138576]
R3 dump_wmimmc;dump_wmimmc;C:\ijji\ENGLISH\u_sf\GameGuard\dump_wmimmc.sys [x]
R3 ESLvnic1;ESLvnic Virtual Network 64 Bit;C:\Windows\system32\DRIVERS\ESLvnic.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-01-22 01:51:12 30963576]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 05:34:24 4925184]
R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys [x]
S0 ahcix64s;ahcix64s;C:\Windows\system32\DRIVERS\ahcix64s.sys [x]
S0 SmartDefragDriver;SmartDefragDriver;C:\Windows\System32\Drivers\SmartDefragDriver.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-02-15 05:16:40 361984]
S2 AODDriver4.01;AODDriver4.01;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-01-04 05:22:54 55936]
S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 22:22:40 822624]
S2 Greg_Service;GRegService;C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [2009-08-28 09:38:58 1150496]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 22:53:18 652360]
S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 16:30:18 508776]
S2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-08-19 16:26:50 450848]
S2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2010-01-28 23:27:36 243232]
S3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys [x]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys [x]
S3 LVUVC64;Logitech Webcam C210(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys [x]
S3 MBAMProtector;MBAMProtector;C:\Windows\system32\drivers\mbam.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 16:30:22 219496]


Contents of the 'Scheduled Tasks' folder


--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C680BAE-655C-4E3D-8FC4-E6A520C3D928}]
2012-02-13 23:44:52 81024 ----a-w- C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12:20 97792 ----a-w- C:\Users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12:20 97792 ----a-w- C:\Users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12:20 97792 ----a-w- C:\Users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12:20 97792 ----a-w- C:\Users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-10-17 22:13:58 13307496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1

------- Supplementary Scan -------

uLocal Page = C:\Windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4320&r=17360810e306p0425v165k4611r25q
uInternet Settings,ProxyServer = socks=127.0.0.1:4021
uInternet Settings,ProxyOverride = local;*.local
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - C:\Users\SAL\AppData\Roaming\Mozilla\Firefox\Profiles\u4f443o6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=BSRTDF&PC=BBSR&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4c5d0cc2&v=7.005.030.004&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{1b26960c-6aac-4856-ae2b-2570161d565e} - (no file)
URLSearchHooks-{93c338de-5fb5-4fb5-ab4e-0eedc0bd9f3a} - (no file)
BHO-{6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - (no file)
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{1B26960C-6AAC-4856-AE2B-2570161D565E} - (no file)
AddRemove-Adobe Shockwave Player - C:\Windows\system32\Adobe\Shockwave 11\uninstaller.exe



[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="C:\Windows\system32\GameMon.des -service"

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-904338096-3171393900-4048260793-1000\Software\SecuROM\License information*]
"datasecu"=hex:5b,f1,83,39,44,c8,02,b3,fc,e0,28,14,c0,f6,80,53,02,02,6f,a9,97,
83,ab,ec,06,6f,e0,0b,4f,e7,96,56,29,0d,c0,e1,6b,2b,2b,29,09,62,4e,5c,6f,c1,\
"rkeysecu"=hex:2d,ce,02,cd,29,11,d3,cd,0b,ff,8c,5c,73,c8,6c,49

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="C:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

------------------------ Other Running Processes ------------------------

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

**************************************************************************

Completion time: 2012-04-08 23:33:22 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-09 06:33:21

Pre-Run: 908,792,545,280 bytes free
Post-Run: 910,152,769,536 bytes free

- - End Of File - - 09991A0A588CF26F926421EB5199EA1C

ComboFix kinda deleted all my documents

#7 SuperstarSal

SuperstarSal

    Member

  • Members
  • PipPip
  • 29 posts

Posted 09 April 2012 - 01:52 AM

Nevermind, just had to reboot.

#8 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,568 posts
  • Gender:Not Telling
  • Location:Canada

Posted 09 April 2012 - 08:12 AM

Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

DDS::
uInternet Settings,ProxyServer = socks=127.0.0.1:4021

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


NEXT

Please advise how the computer is running now and if there are any outstanding issues
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011, 2012

#9 SuperstarSal

SuperstarSal

    Member

  • Members
  • PipPip
  • 29 posts

Posted 09 April 2012 - 02:26 PM

ComboFix Log
ComboFix 12-04-08.02 - SAL 04/09/2012 12:14:11.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6128.4610 [GMT -7:00]
Running from: c:\users\SAL\Desktop\ComboFix.exe
Command switches used :: c:\users\SAL\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-03-09 to 2012-04-09 )))))))))))))))))))))))))))))))
.
.
2012-04-09 19:18 . 2012-04-09 19:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-09 06:33 . 2012-04-09 19:20 -------- d-----w- c:\users\SAL\AppData\Local\temp
2012-04-09 06:27 . 2012-04-09 06:27 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-04-09 06:27 . 2012-04-09 06:27 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-04-08 23:32 . 2012-04-08 23:33 -------- d-----w- C:\FRST
2012-04-07 22:05 . 2012-04-07 23:44 -------- d-----w- c:\program files (x86)\STOPzilla!
2012-04-07 22:05 . 2012-04-07 22:07 -------- d-----w- c:\programdata\STOPzilla!
2012-04-07 22:05 . 2012-04-07 22:05 -------- d-----w- c:\program files (x86)\Common Files\iS3
2012-04-03 23:33 . 2012-04-07 23:44 -------- d-----w- C:\TDSSKiller
2012-03-30 22:15 . 2012-03-30 22:15 -------- d-----w- c:\users\SAL\AppData\Local\DDMSettings
2012-03-28 19:41 . 2012-03-28 19:41 99840 ----a-w- c:\windows\system32\charhost64.dll
2012-03-24 19:28 . 2012-03-24 19:28 -------- d-----w- c:\programdata\ATI
2012-03-24 19:23 . 2012-03-24 19:23 -------- d-----w- c:\program files (x86)\AMD AVT
2012-03-24 19:22 . 2012-03-24 19:22 -------- d-----w- c:\program files\AMD
2012-03-24 19:22 . 2012-03-24 19:22 -------- d-----w- c:\program files (x86)\AMD
2012-03-24 19:22 . 2012-03-24 19:22 -------- d-----w- c:\program files (x86)\AMD APP
2012-03-21 01:26 . 2012-03-21 01:26 -------- d-----w- c:\users\SAL\AppData\Roaming\BANDISOFT
2012-03-21 01:26 . 2012-03-21 01:26 -------- d-----w- c:\program files (x86)\Bandicam
2012-03-21 01:26 . 2012-03-21 01:26 -------- d-----w- c:\program files (x86)\BandiMPEG1
2012-03-20 00:04 . 2012-03-20 00:04 -------- d-----w- c:\program files\iPod
2012-03-20 00:04 . 2012-03-20 00:04 -------- d-----w- c:\program files\iTunes
2012-03-20 00:04 . 2012-03-20 00:04 -------- d-----w- c:\program files (x86)\iTunes
2012-03-15 02:01 . 2012-03-13 04:39 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-03-15 02:01 . 2012-03-13 04:39 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-13 20:35 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-13 20:35 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-13 20:35 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-13 19:49 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-03-13 19:49 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-03-13 19:49 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-13 18:19 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-13 18:19 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-13 18:19 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-13 18:19 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-13 18:19 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-13 18:19 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-13 18:19 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-14 03:27 . 2012-04-07 22:50 8669240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{136C1E69-F830-479D-A2BC-755957C89832}\mpengine.dll
2012-03-12 23:55 . 2011-05-31 08:03 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-29 19:21 . 2012-02-29 19:21 42392 ----a-w- c:\windows\SysWow64\xfcodec.dll
2012-02-29 19:21 . 2012-02-29 19:21 28056 ----a-w- c:\windows\system32\xfcodec64.dll
2012-02-23 17:18 . 2010-08-07 05:49 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-15 05:05 . 2012-02-15 05:05 69632 ----a-w- c:\windows\system32\OpenVideo64.dll
2012-02-15 05:05 . 2012-02-15 05:05 59904 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2012-02-15 05:05 . 2012-02-15 05:05 61952 ----a-w- c:\windows\system32\OVDecode64.dll
2012-02-15 05:05 . 2012-02-15 05:05 54784 ----a-w- c:\windows\SysWow64\OVDecode.dll
2012-02-15 05:05 . 2012-02-15 05:05 16507904 ----a-w- c:\windows\system32\amdocl64.dll
2012-02-15 05:04 . 2012-02-15 05:04 13238272 ----a-w- c:\windows\SysWow64\amdocl.dll
2012-02-15 05:03 . 2012-02-15 05:03 54272 ----a-w- c:\windows\system32\OpenCL.dll
2012-02-15 05:03 . 2012-02-15 05:03 48128 ----a-w- c:\windows\SysWow64\OpenCL.dll
2012-02-15 03:48 . 2012-02-15 03:48 10856960 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-02-15 03:21 . 2012-02-15 03:21 25839104 ----a-w- c:\windows\system32\atio6axx.dll
2012-02-15 03:18 . 2012-02-15 03:18 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-02-15 03:18 . 2011-12-06 03:17 791040 ----a-w- c:\windows\SysWow64\aticfx32.dll
2012-02-15 03:17 . 2010-04-12 09:29 957952 ----a-w- c:\windows\system32\aticfx64.dll
2012-02-15 03:13 . 2012-02-15 03:13 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-02-15 03:13 . 2012-02-15 03:13 496128 ----a-w- c:\windows\system32\atieclxx.exe
2012-02-15 03:13 . 2012-02-15 03:13 235520 ----a-w- c:\windows\system32\atiesrxx.exe
2012-02-15 03:11 . 2012-02-15 03:11 120320 ----a-w- c:\windows\system32\atitmm64.dll
2012-02-15 03:10 . 2012-02-15 03:10 21504 ----a-w- c:\windows\system32\atimuixx.dll
2012-02-15 03:10 . 2012-02-15 03:10 59392 ----a-w- c:\windows\system32\atiedu64.dll
2012-02-15 03:10 . 2012-02-15 03:10 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2012-02-15 03:07 . 2011-12-06 03:06 6200320 ----a-w- c:\windows\SysWow64\atidxx32.dll
2012-02-15 02:58 . 2012-02-15 02:58 19392000 ----a-w- c:\windows\SysWow64\atioglxx.dll
2012-02-15 02:52 . 2010-04-12 09:29 7646208 ----a-w- c:\windows\system32\atidxx64.dll
2012-02-15 02:41 . 2012-02-15 02:41 1113088 ----a-w- c:\windows\system32\atiumd6v.dll
2012-02-15 02:40 . 2012-02-15 02:40 1828864 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2012-02-15 02:40 . 2012-02-15 02:40 4958208 ----a-w- c:\windows\system32\atiumd6a.dll
2012-02-15 02:34 . 2012-02-15 02:34 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2012-02-15 02:34 . 2012-02-15 02:34 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2012-02-15 02:34 . 2012-02-15 02:34 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2012-02-15 02:34 . 2012-02-15 02:34 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2012-02-15 02:34 . 2011-12-06 02:33 5954048 ----a-w- c:\windows\SysWow64\atiumdag.dll
2012-02-15 02:34 . 2012-02-15 02:34 13859840 ----a-w- c:\windows\system32\aticaldd64.dll
2012-02-15 02:29 . 2011-12-06 02:28 5062656 ----a-w- c:\windows\SysWow64\atiumdva.dll
2012-02-15 02:29 . 2012-02-15 02:29 11561984 ----a-w- c:\windows\SysWow64\aticaldd.dll
2012-02-15 02:25 . 2012-02-15 02:25 7551488 ----a-w- c:\windows\system32\atiumd64.dll
2012-02-15 02:16 . 2010-04-12 09:29 58880 ----a-w- c:\windows\system32\coinst.dll
2012-02-15 02:14 . 2012-02-15 02:14 512000 ----a-w- c:\windows\system32\atiadlxx.dll
2012-02-15 02:13 . 2012-02-15 02:13 356352 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2012-02-15 02:13 . 2012-02-15 02:13 17408 ----a-w- c:\windows\system32\atig6pxx.dll
2012-02-15 02:13 . 2012-02-15 02:13 14336 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2012-02-15 02:13 . 2012-02-15 02:13 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2012-02-15 02:13 . 2012-02-15 02:13 39936 ----a-w- c:\windows\system32\atig6txx.dll
2012-02-15 02:13 . 2012-02-15 02:13 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll
2012-02-15 02:13 . 2012-02-15 02:13 327680 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-02-15 02:12 . 2010-04-12 09:29 43008 ----a-w- c:\windows\system32\atiuxp64.dll
2012-02-15 02:12 . 2011-12-06 02:11 33280 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2012-02-15 02:12 . 2012-02-15 02:12 39936 ----a-w- c:\windows\system32\atiu9p64.dll
2012-02-15 02:12 . 2011-12-06 02:11 30208 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2012-02-15 02:11 . 2012-02-15 02:11 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-02-15 02:11 . 2012-02-15 02:11 54784 ----a-w- c:\windows\system32\atimpc64.dll
2012-02-15 02:11 . 2012-02-15 02:11 54784 ----a-w- c:\windows\system32\amdpcom64.dll
2012-02-15 02:11 . 2012-02-15 02:11 53760 ----a-w- c:\windows\SysWow64\atimpc32.dll
2012-02-15 02:11 . 2012-02-15 02:11 53760 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2012-01-31 13:02 . 2012-01-31 13:02 21504 ----a-w- c:\windows\system32\kdbsdk64.dll
2012-01-31 13:00 . 2012-01-31 13:00 16896 ----a-w- c:\windows\SysWow64\kdbsdk32.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-09_06.28.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-09 06:34 . 2012-04-09 06:34 16369 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles\xqu60k48.default\pluginreg.dat
- 2009-07-14 04:54 . 2012-04-09 06:27 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-04-09 19:19 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-04-09 19:19 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-09 06:27 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-09 06:27 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-09 19:19 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-12 08:44 . 2012-04-09 19:21 80400 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-04-09 19:21 32226 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-08-06 22:56 . 2012-04-09 19:21 32346 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-904338096-3171393900-4048260793-1000_UserData.bin
+ 2010-08-06 22:56 . 2012-04-09 19:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-08-06 22:56 . 2012-04-09 06:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-08-06 22:56 . 2012-04-09 06:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-08-06 22:56 . 2012-04-09 19:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-04-09 19:19 . 2012-04-09 19:19 9557 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-04-09 06:26 . 2012-04-09 06:26 9557 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2011-06-05 08:34 . 2012-04-09 06:36 1840 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2012-04-09 19:19 . 2012-04-09 19:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-09 06:27 . 2012-04-09 06:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-09 19:19 . 2012-04-09 19:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-04-09 06:27 . 2012-04-09 06:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-04-09 06:34 . 2012-04-09 06:34 299160 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
+ 2011-07-27 08:58 . 2012-04-09 19:19 957416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-07-27 08:58 . 2012-04-09 06:26 957416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-07-14 05:01 . 2012-04-09 19:19 391920 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-04-09 06:26 391920 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-03-24 03:03 . 2012-04-09 06:26 63525916 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-904338096-3171393900-4048260793-1000-12288.dat
+ 2011-03-24 03:03 . 2012-04-09 19:19 63525916 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-904338096-3171393900-4048260793-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{553318DA-D010-469E-84B1-496563CAE1BF}]
2012-02-02 01:18 136192 ----a-w- c:\program files (x86)\HTTO Group, Ltd\FBDownloader IE Add-on\FBDownloader.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Hotkey Utility"="c:\program files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe" [2010-03-26 563744]
"Gateway Photo Frame"="c:\program files (x86)\Gateway Photo Frame\ButtonMonitor.exe" [2009-07-20 124416]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-05 311296]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-01-22 91520]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-07 421736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-02-15 636032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OABNAEUASAAtAFIAVgBFAEcAQQAtAFYASgBOAFgAMwAtAFkAMwBEAEwAQQAtADgAVQBFAE4ANgAtADYARQBNAEIAUgA&inst=NwA2AC0ANQAxADgAMgAxADcAOAA5ADEALQBYAE8AMwA2ACsAMQAtAEQAMwA4ADEATAArADUALQBUAEIAOQArADIALQBOADEARAArADEALQBQAEwAKwA5AC0ARABEAFQAKwAwAA&prod=54&ver=9.0.894" [?]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AML Device Install.lnk - c:\program files (x86)\AMD AVT\bin\kdbsync.exe [2012-1-31 10752]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-01-04 55936]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 dump_wmimmc;dump_wmimmc;c:\ijji\ENGLISH\u_sf\GameGuard\dump_wmimmc.sys [x]
R3 ESLvnic1;ESLvnic Virtual Network 64 Bit;c:\windows\system32\DRIVERS\ESLvnic.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-01-22 30963576]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
S0 ahcix64s;ahcix64s;c:\windows\system32\DRIVERS\ahcix64s.sys [x]
S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-02-15 361984]
S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-01-04 55936]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 Greg_Service;GRegService;c:\program files (x86)\Gateway\Registration\GregHSRW.exe [2009-08-28 1150496]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-08-19 450848]
S2 Updater Service;Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [2010-01-28 243232]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
S3 LVUVC64;Logitech Webcam C210(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\SAL\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-10-17 13307496]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4320&r=17360810e306p0425v165k4611r25q
uInternet Settings,ProxyOverride = local;*.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\users\SAL\AppData\Roaming\Mozilla\Firefox\Profiles\u4f443o6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=BSRTDF&PC=BBSR&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4c5d0cc2&v=7.005.030.004&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - (no file)
Toolbar-Locked - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-904338096-3171393900-4048260793-1000\Software\SecuROM\License information*]
"datasecu"=hex:5b,f1,83,39,44,c8,02,b3,fc,e0,28,14,c0,f6,80,53,02,02,6f,a9,97,
83,ab,ec,06,6f,e0,0b,4f,e7,96,56,29,0d,c0,e1,6b,2b,2b,29,09,62,4e,5c,6f,c1,\
"rkeysecu"=hex:2d,ce,02,cd,29,11,d3,cd,0b,ff,8c,5c,73,c8,6c,49
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
.
**************************************************************************
.
Completion time: 2012-04-09 12:25:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-09 19:25
ComboFix2.txt 2012-04-09 06:33
.
Pre-Run: 909,934,256,128 bytes free
Post-Run: 909,274,996,736 bytes free
.
- - End Of File - - 37434483CB8A7573B13016940AAAF1D1

#10 SuperstarSal

SuperstarSal

    Member

  • Members
  • PipPip
  • 29 posts

Posted 09 April 2012 - 02:33 PM

MBAM Log
Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.04.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
SAL :: SAL-PC [administrator]

Protection: Disabled

4/9/2012 12:29:45 PM
mbam-log-2012-04-09 (12-29-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205108
Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#11 SuperstarSal

SuperstarSal

    Member

  • Members
  • PipPip
  • 29 posts

Posted 09 April 2012 - 05:36 PM

ESETSCAN Log
C:\Users\SAL\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.6.windows.exe Win32/OpenCandy application
C:\Users\SAL\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.7.windows.exe Win32/OpenCandy application
C:\Users\SAL\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-4.21.8.windows.exe Win32/OpenCandy application
C:\Users\SAL\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-5.1.4.windows.exe Win32/OpenCandy application
C:\Users\SAL\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-5.1.5.windows.exe Win32/OpenCandy application

#12 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,568 posts
  • Gender:Not Telling
  • Location:Canada

Posted 09 April 2012 - 07:54 PM

I would uninstall frostwire and delete the following folder

C:\Users\SAL\AppData\Roaming\FrostWire\.AppSpecialShare

Peer2peer, torrents, cracks and keygens are a certain way to get infected, it really isn't worth it.

NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Posted Image Your Java is out of date.
Java™ 6 Update 29 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT

Please advise how your computer is running now and if there are any outstanding issues
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011, 2012

#13 SuperstarSal

SuperstarSal

    Member

  • Members
  • PipPip
  • 29 posts

Posted 09 April 2012 - 08:28 PM

The computer has been running normally for a while now. Is that all?

#14 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • PipPipPipPipPipPip
  • 13,568 posts
  • Gender:Not Telling
  • Location:Canada

Posted 09 April 2012 - 08:34 PM

Hi

Just some housekeeping to do now,

Please do the following:


You can delete the DDS and FRST logs and programs from your desktop.


NEXT

Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Posted Image


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them     Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011, 2012

#15 SuperstarSal

SuperstarSal

    Member

  • Members
  • PipPip
  • 29 posts

Posted 09 April 2012 - 10:10 PM

Thanks for all your help :]
Back to Virus, Trojan, Spyware, and Malware Removal Logs


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Logs
  4. Privacy Policy
  5. Rules ·