
Nasty Trojans/Spyware


  • This topic is locked
22 replies to this topic

#1 Hydrosere

Hydrosere

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:22 AM

Posted 27 April 2012 - 07:36 PM

To start off, I found that I was plagued with Smart Fortress 2012. I did some research and found out how I should go about removing it. I managed to boot into safe mode and use Malwarebytes to remove the infection (hopefully). It seems like it has dropped files all over the place and my startup is horrific. When I came out of safe mode I found that I was unable to launch Malwarebytes, nor was I able to use MSE as it said that realtime scanning was disabled and it was not able to update. I seemed to get around this by playing with the processes running and ensuring that the Windows Update service was running. Anyways, I could do with a hand; hope you guys can help. Finally, the GMER rootkit scanner will not work on my computer as I am running an x64 copy of Windows 7.

My DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.2.1
Run by Adam at 1:05:07 on 2012-04-28
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.6135.4042 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Secunia\PSI\PSIA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
C:\Windows\SysWOW64\vmnat.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\SysWOW64\vmnetdhcp.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files (x86)\puush\puush.exe
C:\Users\Adam\Downloads\Vagex\Vagex.exe
C:\Program Files (x86)\DisplayFusion\DisplayFusion.exe
C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\msconfig.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files (x86)\DisplayFusion\AppHookx86.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe,C:\Users\Adam\AppData\Local\vqtjtshv\etlvesqm.exe,
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [puush] C:\Program Files (x86)\puush\puush.exe
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [DisplayFusion] "C:\Program Files (x86)\DisplayFusion\DisplayFusion.exe"
uRun: [KiesHelper] C:\Program Files (x86)\Samsung\Kies\KiesHelper.exe /s
uRun: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
mRun: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
StartupFolder: C:\Users\Adam\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Adam\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SECUNI~1.LNK - C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{1BBE82D2-A83D-4D5F-9D84-2162AEC67DCF} : DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{67A37A7A-F402-45EE-81E7-EB13F776C22E} : DhcpNameServer = 10.47.48.1
TCP: Interfaces\{FF2842A4-9850-41C7-986F-E39DF4E83ED0} : DhcpNameServer = 10.10.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~4\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll
BHO-X64: Hotspot Shield Class: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
mRun-x64: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\slwxz4h2.default\
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.118.0\npesnlaunch.dll
FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.0 Runtime\bin\new_plugin\npjp2.dll
FF - plugin: C:\Windows\system32\npdeployJava1.dll
FF - plugin: C:\Windows\system32\npmproxy.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_233.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mv61xx;mv61xx;C:\Windows\system32\DRIVERS\mv61xx.sys --> C:\Windows\system32\DRIVERS\mv61xx.sys [?]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 TsVp;TsVp;C:\Windows\system32\DRIVERS\tsvp.sys --> C:\Windows\system32\DRIVERS\tsvp.sys [?]
R2 hshld;Hotspot Shield Service;C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe [2012-4-11 542552]
R2 HssWd;Hotspot Shield Monitoring Service;C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS --> C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS [?]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-3-30 2348352]
R2 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2011-10-14 994360]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-2-29 382272]
R2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-3-29 2666880]
R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-1-18 450848]
R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2011-8-21 846448]
R2 VMwareHostd;VMware Workstation Server;C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [2011-8-22 11837440]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\system32\drivers\LGBusEnum.sys --> C:\Windows\system32\drivers\LGBusEnum.sys [?]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\system32\drivers\LGVirHid.sys --> C:\Windows\system32\drivers\LGVirHid.sys [?]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]
R3 LVUVC64;Logitech QuickCam Pro 9000(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]
R3 ManyCam;ManyCam Virtual Webcam;C:\Windows\system32\DRIVERS\mcvidrv_x64.sys --> C:\Windows\system32\DRIVERS\mcvidrv_x64.sys [?]
R3 mcaudrv_simple;ManyCam Virtual Microphone;C:\Windows\system32\drivers\mcaudrv_x64.sys --> C:\Windows\system32\drivers\mcaudrv_x64.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2012-3-22 163480]
R3 TSCOMM;CommStudio Virtual Adapter by TamoSoft;C:\Windows\system32\DRIVERS\tscomm.sys --> C:\Windows\system32\DRIVERS\tscomm.sys [?]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);C:\Windows\system32\DRIVERS\vcsvad.sys --> C:\Windows\system32\DRIVERS\vcsvad.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-3-29 253088]
S3 CGVPNCliSrvc;CyberGhost VPN Client;C:\Program Files\CyberGhost VPN\CGVPNCliService.exe [2012-4-2 2430128]
S3 CV2K1;CommView Network Monitor;C:\Windows\system32\DRIVERS\cv2k1.sys --> C:\Windows\system32\DRIVERS\cv2k1.sys [?]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\system32\DRIVERS\ssudbus.sys --> C:\Windows\system32\DRIVERS\ssudbus.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 51740536]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 RTCore64;RTCore64;C:\Program Files (x86)\MSI Afterburner\RTCore64.sys [2010-5-27 14648]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\system32\DRIVERS\ssudmdm.sys --> C:\Windows\system32\DRIVERS\ssudmdm.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsVlb;TsVlb;C:\Windows\system32\DRIVERS\tsvlb.sys --> C:\Windows\system32\DRIVERS\tsvlb.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-04-28 00:04:23 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{28EEFDA1-CD24-4B13-AC5E-8C62F21675DC}\offreg.dll
2012-04-27 23:35:46 8917360 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{28EEFDA1-CD24-4B13-AC5E-8C62F21675DC}\mpengine.dll
2012-04-27 22:01:46 -------- d-----w- C:\Users\Adam\AppData\Local\Secunia PSI
2012-04-27 22:01:16 -------- d-----w- C:\Program Files (x86)\Secunia
2012-04-27 21:41:47 -------- d-----w- C:\ProgramData\hssff
2012-04-27 21:25:09 8669240 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-04-27 21:25:07 8917360 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{4572BF4D-4B7B-4845-B118-7CA994F40059}\mpengine.dll
2012-04-27 21:12:13 -------- d-----w- C:\AV-CLS
2012-04-27 20:55:42 388096 ----a-r- C:\Users\Adam\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-04-27 20:55:42 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-04-27 20:27:29 116016 ----a-w- C:\Windows\System32\drivers\40014565.sys
2012-04-27 19:33:42 -------- d-----w- C:\Users\Adam\AppData\Roaming\Malwarebytes
2012-04-27 19:33:35 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-04-27 19:33:35 -------- d-----w- C:\ProgramData\Malwarebytes
2012-04-27 19:33:35 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-27 19:30:23 -------- d-----w- C:\Users\Adam\AppData\Local\{6EE1F586-909F-11E1-826D-B8AC6F996F26}
2012-04-27 17:47:00 4390376 ----a-w- C:\Windows\SysWow64\GameMon.des
2012-04-27 17:46:43 5174 ----a-w- C:\Windows\SysWow64\nppt9x.vxd
2012-04-27 17:46:43 4682 ----a-w- C:\Windows\SysWow64\npptNT2.sys
2012-04-27 17:46:22 -------- d-----w- C:\Program Files\Common Files\INCA Shared
2012-04-27 17:25:54 -------- d-----w- C:\Program Files (x86)\REACTOR
2012-04-27 17:11:29 -------- d-----w- C:\ijji
2012-04-26 21:52:06 14744 ----a-w- C:\Users\Adam\AppData\Roaming\Microsoft\IdentityCRL\Production\ppcrlconfig.dll
2012-04-25 19:39:36 -------- d-----w- C:\Users\Adam\SD
2012-04-25 19:13:08 -------- d-----w- C:\Users\Adam\AppData\Roaming\Temp
2012-04-25 19:12:17 -------- d-----w- C:\Temp
2012-04-25 18:38:53 -------- d-----w- C:\Users\Adam\AppData\Local\Samsung
2012-04-25 18:38:32 -------- d-----w- C:\Users\Adam\AppData\Roaming\Samsung
2012-04-25 18:37:55 99384 ----a-w- C:\Windows\System32\drivers\ssudbus.sys
2012-04-25 18:37:55 203320 ----a-w- C:\Windows\System32\drivers\ssudmdm.sys
2012-04-25 18:36:53 4659712 ----a-w- C:\Windows\SysWow64\Redemption.dll
2012-04-25 18:36:46 821824 ----a-w- C:\Windows\SysWow64\dgderapi.dll
2012-04-25 18:36:46 -------- d-----w- C:\Program Files (x86)\MarkAny
2012-04-25 18:36:18 -------- d-----w- C:\ProgramData\Samsung
2012-04-25 18:36:18 -------- d-----w- C:\Program Files (x86)\Samsung
2012-04-25 18:35:36 -------- d-----w- C:\Users\Adam\AppData\Local\Downloaded Installations
2012-04-24 23:33:09 231376 ----a-w- C:\Windows\System32\drivers\truecrypt.sys
2012-04-24 23:33:07 -------- d-----w- C:\Program Files\TrueCrypt
2012-04-20 15:11:10 8741536 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-04-17 22:55:40 -------- d-----w- C:\Program Files\Microsoft Analysis Services
2012-04-17 22:55:40 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2012-04-17 22:51:22 -------- d-----w- C:\Program Files\Microsoft Synchronization Services
2012-04-17 22:51:09 -------- d-----w- C:\Windows\PCHEALTH
2012-04-17 22:51:09 -------- d-----w- C:\Program Files\Microsoft SQL Server Compact Edition
2012-04-17 22:50:33 -------- d-----w- C:\Users\Adam\AppData\Local\Microsoft Help
2012-04-17 22:48:24 283200 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
2012-04-17 22:48:22 -------- d-----w- C:\Users\Adam\AppData\Roaming\DAEMON Tools Lite
2012-04-17 22:48:21 -------- d-----w- C:\Program Files (x86)\DAEMON Tools Lite
2012-04-17 22:47:24 -------- d-----w- C:\ProgramData\DAEMON Tools Lite
2012-04-17 17:45:27 -------- d-----w- C:\Users\Adam\AppData\Roaming\DisplayFusion
2012-04-17 17:33:10 -------- d-----w- C:\Program Files (x86)\DisplayFusion
2012-04-16 00:14:24 -------- d-----w- C:\Program Files (x86)\osu!
2012-04-16 00:13:55 -------- d-----w- C:\Users\Adam\AppData\Roaming\Downloaded Installations
2012-04-15 21:25:59 -------- d-----w- C:\Users\Adam\AppData\Local\Vagex
2012-04-15 02:14:27 109248 ----a-w- C:\Windows\SysWow64\mswinsck.ocx
2012-04-15 02:12:42 152848 ----a-w- C:\Windows\SysWow64\COMDLG32.OCX
2012-04-14 02:14:04 154624 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{368333DE-562B-4EB5-8B86-D38940762F5A}-RATs Crew Extension Spoofer.exe
2012-04-11 14:02:01 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-04-11 14:02:00 304640 ----a-w- C:\Program Files\Internet Explorer\IEShims.dll
2012-04-11 14:02:00 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-04-11 14:02:00 174392 ----a-w- C:\Program Files\Internet Explorer\sqmapi.dll
2012-04-11 14:02:00 141112 ----a-w- C:\Program Files (x86)\Internet Explorer\sqmapi.dll
2012-04-11 13:59:55 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-11 13:59:55 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-11 13:59:55 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-11 13:59:54 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-11 13:59:54 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-04-11 13:59:54 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-11 13:59:54 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-11 01:23:40 -------- d-----w- C:\Users\Adam\AppData\Roaming\NVIDIA
2012-04-11 01:23:03 -------- d-----w- C:\Users\Adam\AppData\Roaming\.minecraft
2012-04-09 21:24:56 -------- d-----w- C:\Users\Adam\AppData\Roaming\Avnex
2012-04-09 21:24:42 21504 ----a-w- C:\Windows\System32\drivers\vcsvad.sys
2012-04-09 21:24:34 -------- d-----w- C:\Program Files (x86)\AV Vcs 7.0 DIAMOND
2012-04-09 13:30:53 -------- d-----w- C:\Users\Adam\AppData\Local\Oleksiy_Gapotchenko
2012-04-08 20:00:43 -------- d-----w- C:\Users\Adam\AppData\Roaming\Foxit Software
2012-04-08 13:04:59 -------- d-----w- C:\ProgramData\TamoSoft
2012-04-08 13:04:55 -------- d-----w- C:\Program Files (x86)\CommView
2012-04-08 03:36:57 -------- d-----w- C:\Program Files (x86)\Yahoo!
2012-04-07 14:07:20 -------- d-----w- C:\Windows\SysWow64\xlive
2012-04-07 14:07:16 -------- d-----w- C:\Program Files (x86)\Microsoft Games for Windows - LIVE
2012-04-07 13:53:51 -------- d-----w- C:\Windows\pss
2012-04-06 23:44:28 31232 ----a-w- C:\Windows\System32\drivers\tap0901.sys
2012-04-06 23:44:26 -------- d-----w- C:\Program Files\SecurityKISS Tunnel
2012-04-06 23:25:29 561992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor11.dll
2012-04-06 23:24:56 -------- d-----w- C:\ProgramData\Hotspot Shield
2012-04-06 23:24:15 -------- d-----w- C:\Hotspot Shield
2012-04-06 23:23:39 -------- d-----w- C:\Program Files (x86)\Hotspot Shield
2012-04-06 23:14:34 -------- d-----w- C:\Program Files (x86)\UltraVPN
2012-04-05 21:39:09 -------- d-----r- C:\Users\Adam\Dropbox
2012-04-05 21:36:18 -------- d-----w- C:\Users\Adam\AppData\Roaming\Dropbox
2012-04-05 16:26:08 -------- d-----w- C:\Users\Adam\AppData\Local\join.me
2012-04-05 01:37:42 -------- d-----w- C:\Users\Adam\AppData\Roaming\ManyCam
2012-04-05 01:37:42 -------- d-----w- C:\Users\Adam\AppData\Local\ManyCam
2012-04-05 01:37:34 -------- d-----w- C:\Program Files (x86)\ManyCam
2012-04-05 01:37:19 -------- d-----w- C:\ProgramData\Ask
2012-04-04 20:56:37 -------- d-----w- C:\Users\Adam\AppData\Local\ESN Sonar
2012-04-04 01:42:37 -------- d-----w- C:\Users\Adam\Tracing
2012-04-04 00:31:53 61491 ----a-w- C:\Windows\SysWow64\wbemdisp.TLB
2012-04-04 00:31:53 431616 ----a-w- C:\Windows\SysWow64\temp.000
2012-04-04 00:31:53 203976 ----a-w- C:\Windows\SysWow64\RICHTX32.OCX
2012-04-04 00:31:53 1077336 ----a-w- C:\Windows\SysWow64\mscomctl.ocx
2012-04-04 00:31:53 -------- d-----w- C:\Program Files (x86)\KLC
2012-04-03 18:31:22 -------- d-----w- C:\Program Files (x86)\proXPN
2012-04-03 02:36:33 -------- d-----w- C:\Users\Adam\AppData\Local\VMware
2012-04-03 02:29:11 62064 ----a-w- C:\Windows\System32\drivers\vmx86.sys
2012-04-03 02:28:47 354416 ----a-w- C:\Windows\SysWow64\vmnetdhcp.exe
2012-04-03 02:28:43 432752 ----a-w- C:\Windows\SysWow64\vmnat.exe
2012-04-03 02:28:43 30320 ----a-w- C:\Windows\System32\drivers\vmnetuserif.sys
2012-04-03 02:28:38 942192 ----a-w- C:\Windows\System32\vnetlib64.dll
2012-04-03 02:28:34 39024 ----a-w- C:\Windows\System32\drivers\hcmon.sys
2012-04-03 02:28:04 -------- d-----w- C:\Program Files (x86)\VMware
2012-04-03 02:28:04 -------- d-----w- C:\Program Files (x86)\Common Files\VMware
2012-04-03 02:27:53 -------- d-----w- C:\Program Files\Common Files\VMware
2012-04-03 01:50:07 -------- d-----r- C:\Sandbox
2012-04-03 01:49:14 -------- d-----w- C:\Program Files\Sandboxie
2012-04-03 01:34:28 -------- d-----w- C:\Users\Adam\AppData\Local\Vitalwerks
2012-04-03 01:33:55 -------- d-----w- C:\Program Files (x86)\No-IP
2012-04-01 23:54:09 -------- d-----w- C:\Program Files\CyberGhost VPN
2012-04-01 19:59:21 -------- d-----w- C:\Users\Adam\AppData\Roaming\puush
2012-04-01 19:59:17 -------- d-----w- C:\Program Files (x86)\puush
2012-04-01 14:12:58 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-04-01 14:12:58 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-04-01 13:41:05 -------- d-----w- C:\Windows\System32\SPReview
2012-04-01 13:40:51 -------- d-----w- C:\Windows\System32\EventProviders
2012-03-31 11:04:59 958464 ----a-w- C:\Windows\System32\actxprxy.dll
2012-03-31 11:03:59 98304 ----a-w- C:\Windows\SysWow64\nslookup.exe
2012-03-31 11:02:26 529408 ----a-w- C:\Windows\System32\wbemcomn.dll
2012-03-31 11:02:26 244736 ----a-w- C:\Program Files\Windows Portable Devices\sqmapi.dll
2012-03-31 11:02:21 244736 ----a-w- C:\Windows\System32\sqmapi.dll
2012-03-31 11:00:44 8917360 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-30 19:26:55 283304 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2012-03-30 19:26:51 -------- d-----w- C:\Users\Adam\AppData\Local\PunkBuster
2012-03-30 19:16:38 2515790 ----a-w- C:\Windows\System32\nvcoproc.bin
2012-03-30 19:05:00 -------- d-----w- C:\Program Files (x86)\Battlelog Web Plugins
2012-03-30 18:24:59 74576 ----a-w- C:\Windows\System32\XAPOFX1_2.dll
2012-03-30 01:07:15 -------- d-----w- C:\Windows\Panther
2012-03-29 18:26:44 -------- d-----w- C:\Program Files (x86)\Origin Games
2012-03-29 18:26:40 -------- d-----w- C:\Users\Adam\AppData\Local\Origin
2012-03-29 18:26:40 -------- d-----w- C:\ProgramData\Origin
2012-03-29 18:24:05 -------- d-----w- C:\Users\Adam\AppData\Roaming\Origin
2012-03-29 18:24:05 -------- d-----w- C:\ProgramData\Electronic Arts
2012-03-29 18:23:46 -------- d-----w- C:\Program Files (x86)\Origin
2012-03-29 17:51:30 110592 ----a-w- C:\Windows\System32\rtvcvfw32.dll
2012-03-29 17:51:26 -------- d-----w- C:\Program Files (x86)\MSI Afterburner
2012-03-29 17:50:17 -------- d-----w- C:\Users\Adam\AppData\Local\Logitech
2012-03-29 17:40:02 -------- d-----w- C:\Users\Adam\AppData\Roaming\ts3overlay
2012-03-29 17:39:06 -------- d-----w- C:\Users\Adam\AppData\Roaming\TS3Client
2012-03-29 17:31:40 -------- d-----w- C:\Program Files\CCleaner
2012-03-29 17:30:23 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-03-29 17:30:23 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EABCA035-2720-4955-B226-63FDBB484463}\gapaengine.dll
2012-03-29 17:30:03 -------- d-----w- C:\Program Files (x86)\TeamSpeak 3 Client
2012-03-29 17:29:15 -------- d-----w- C:\Program Files (x86)\Windows Live SkyDrive
2012-03-29 17:28:27 -------- d-----w- C:\eclipse
2012-03-29 17:27:58 -------- d-----w- C:\Program Files (x86)\VideoLAN
2012-03-29 17:26:36 -------- d-----r- C:\Program Files (x86)\Skype
2012-03-29 17:25:38 -------- d-----w- C:\Users\Adam\AppData\Roaming\Spotify
2012-03-29 17:25:38 -------- d-----w- C:\Users\Adam\AppData\Local\Spotify
2012-03-29 17:21:01 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-03-29 17:20:56 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-03-29 17:18:40 -------- d-----w- C:\Program Files (x86)\Oracle
2012-03-29 17:18:32 637848 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2012-03-29 17:10:18 -------- d-----w- C:\Windows\SysWow64\Wat
2012-03-29 17:10:18 -------- d-----w- C:\Windows\System32\Wat
2012-03-29 17:08:20 -------- d-----w- C:\Program Files (x86)\Foxit Software
2012-03-29 17:06:31 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-29 17:06:31 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-03-29 17:01:48 294912 ----a-w- C:\Windows\System32\browserchoice.exe
2012-03-29 16:50:38 27520 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2012-03-29 16:46:58 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2012-03-29 16:41:55 77312 ----a-w- C:\Windows\System32\packager.dll
2012-03-29 16:41:55 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-03-29 16:34:10 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation
2012-03-29 16:34:04 889664 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-03-29 16:34:04 63296 ----a-w- C:\Windows\System32\nvshext.dll
2012-03-29 16:34:04 6074176 ----a-w- C:\Windows\System32\nvcpl.dll
2012-03-29 16:34:04 3089728 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-03-29 16:34:04 2560616 ----a-w- C:\Windows\System32\nvsvcr.dll
2012-03-29 16:34:04 118080 ----a-w- C:\Windows\System32\nvmctray.dll
2012-03-29 16:33:58 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2012-03-29 16:33:57 -------- d-----w- C:\Program Files\NVIDIA Corporation
2012-03-29 16:29:52 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-29 16:29:51 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-29 16:29:51 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-29 16:29:51 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-29 16:29:51 20992 ----a-w- C:\Windows\System32\drivers\rdpvideominiport.sys
2012-03-29 16:29:51 162816 ----a-w- C:\Windows\System32\rdpudd.dll
2012-03-29 16:29:51 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll
2012-03-29 16:29:51 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
.
==================== Find3M ====================
.
2012-04-10 23:40:07 283304 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2012-04-10 23:39:41 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2012-04-01 13:46:08 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2012-04-01 13:46:07 175616 ----a-w- C:\Windows\System32\msclmd.dll
2012-03-30 19:31:24 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2012-03-28 21:11:08 90112 ----a-w- C:\Windows\MAMCityDownload.ocx
2012-03-26 21:45:18 56832 ----a-w- C:\Windows\System32\drivers\HssDrv.sys
2012-03-26 21:45:14 37888 ----a-w- C:\Windows\System32\drivers\taphss.sys
2012-03-06 06:53:37 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-06 05:59:47 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-06 05:59:41 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-02-29 12:26:56 416064 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 05:26:10 28160 ----a-w- C:\Windows\System32\drivers\mcaudrv_x64.sys
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-23 09:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-10 06:36:07 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-10 05:38:43 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-02-03 04:34:34 3145728 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 1:08:22.25 ===============


Some pictures of my startup, I found I had 4 instances of rundll32, which I was not too pleased about. I disabled them from starting up and I believe I removed them.

http://puu.sh/rPYJ

In the picture provided you can see the Startup items: snexy.dll , vmonsf.dll, Spoolsv.exe and at the bottom etlvesqm.exe.

I also came across these two:

http://puu.sh/rPZK

Thanks

#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:22 PM

Posted 28 April 2012 - 10:59 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it
  • You will be asked if you want to use Avast! Free anti virus for scanning - select No
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply.
Please include the following in your next post:
  • aswMBR log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 Hydrosere

Hydrosere
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:22 AM

Posted 28 April 2012 - 03:50 PM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-28 21:43:49
-----------------------------
21:43:49.687 OS Version: Windows x64 6.1.7601 Service Pack 1
21:43:49.687 Number of processors: 8 586 0x1A05
21:43:49.688 ComputerName: ADAM-PC UserName: Adam
21:43:50.333 Initialize success
21:43:56.805 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3
21:43:56.807 Disk 0 Vendor: SAMSUNG_HD103SJ 1AJ10001 Size: 953869MB BusType: 3
21:43:56.883 Disk 0 MBR read successfully
21:43:56.884 Disk 0 MBR scan
21:43:56.886 Disk 0 Windows 7 default MBR code
21:43:56.913 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
21:43:56.928 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
21:43:56.997 Disk 0 scanning C:\Windows\system32\drivers
21:44:33.020 Service scanning
21:44:37.289 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
21:44:42.639 Modules scanning
21:44:42.643 Disk 0 trace - called modules:
21:44:42.676 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
21:44:42.678 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800661c790]
21:44:42.682 3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa8006338810]
21:44:42.684 5 ACPI.sys[fffff88000ef37a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-3[0xfffffa8006359060]
21:44:42.687 Scan finished successfully

Here is the log. I have some mysterious files which seem malicious:
C:\Users\Adam\AppData\Local\vqtjtshv\etlvesqm.exe

http://puu.sh/rYQy

I believe it is creating log files?

http://puu.sh/rYR9 - They are continually added to my startup making them a pain to remove.

I've noticed that MSE detects a .sys file (http://puu.sh/rYXg) and alerts me to this detection:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan%3aWinNT%2fRamnit.gen!A&threatid=2147645307

I click remove and it says file not found. I think it may be creating the .exe files and adding them to the startup?

Edited by Hydrosere, 28 April 2012 - 03:58 PM.
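Post #3 above describes an executable sitting in a randomly named folder under AppData\Local that keeps reappearing in the user's Startup folder, alongside .log files with similar eight-letter names. The script below is an added example for triaging such logs from a defender's seat; it is not from the thread or from any of the tools named in it. It pulls the path out of each ComboFix/DDS-style log line and flags the persistence patterns that are visible in this thread: executables dropped directly into a Startup folder, randomly named folders, executables and .log files under AppData\Local. The sample lines are constructed from paths posted in this thread (not a full log); the eight-lowercase-letter heuristic, the reason codes and all function names are assumptions made for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: a few lines in the ComboFix log format seen in this thread.
# Paths are copied from the posted log; the selection and the format mix are ours.
SAMPLE_LOG = r"""
c:\users\Adam\AppData\Local\gosbxrdi.log
c:\users\Adam\AppData\Local\vqtjtshv\etlvesqm.exe
c:\users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\etlvesqm.exe
c:\windows\SysWow64\muzapp.exe
2012-04-28 19:24 . 2012-04-28 23:37 -------- d-----w- c:\users\Adam\AppData\Local\vqtjtshv
2012-04-27 19:33 . 2012-04-04 14:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-03-29 1242448]
"puush"="c:\program files (x86)\puush\puush.exe" [2012-04-16 565480]
Dropbox.lnk - c:\users\Adam\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-4-26 27264496]
"""

EXEC_EXTS = {"exe", "dll", "scr", "com", "sys"}
# Heuristic (assumption): the dropper in this thread used eight lowercase letters
# for its folder, its executable and its .log files.
RANDOM_NAME = re.compile(r"^[a-z]{8}$")
RANDOM_LOG = re.compile(r"^[a-z]{8}\.log$")

DESCRIPTIONS = {
    "startup-exe": "executable placed directly in a Startup folder "
                   "(legitimate entries there are normally .lnk shortcuts)",
    "random-folder": "randomly named folder directly under AppData\\Local",
    "random-log": "randomly named .log file directly under AppData\\Local",
    "random-exe": "executable whose name is eight random-looking letters",
}


def extract_path(line: str) -> Optional[str]:
    """Return the Windows path in one log line, or None if the line has none.

    Handles bare path lines, timestamped file listings, "Name"="path" [..]
    Run-key entries and 'Shortcut.lnk - path [..]' Startup-folder entries.
    """
    m = re.search(r"[A-Za-z]:\\", line)
    if not m:
        return None
    tail = line[m.start():]
    tail = tail.split('"', 1)[0]             # drop the closing quote of "name"="path"
    tail = re.split(r"\s+\[", tail, 1)[0]    # drop a trailing [date size] annotation
    return tail.strip() or None


def suspicious_reasons(path: str) -> List[str]:
    """Return the reason codes (see DESCRIPTIONS) that apply to a path; [] if none."""
    low = path.lower().replace("/", "\\")
    parts = low.split("\\")
    name = parts[-1]
    stem, ext = name.rsplit(".", 1) if "." in name else (name, "")
    reasons: List[str] = []

    if "\\start menu\\programs\\startup\\" in low and ext in EXEC_EXTS:
        reasons.append("startup-exe")

    # Look at what sits directly below ...\AppData\Local\
    for i in range(len(parts) - 1):
        if parts[i] == "appdata" and parts[i + 1] == "local":
            below = parts[i + 2:]
            if below and RANDOM_NAME.match(below[0]):
                reasons.append("random-folder")
            if len(below) == 1 and RANDOM_LOG.match(below[0]):
                reasons.append("random-log")
            break

    if ext in EXEC_EXTS and RANDOM_NAME.match(stem):
        reasons.append("random-exe")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Scan every line of a log and return (path, reasons) for the flagged ones."""
    findings = []
    for line in log_text.splitlines():
        path = extract_path(line)
        if path is None:
            continue
        reasons = suspicious_reasons(path)
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for code in reasons:
            print("   -", DESCRIPTIONS[code])
```

Run against the constructed sample, the four hits are the two etlvesqm.exe copies, the vqtjtshv folder and gosbxrdi.log; the Steam, puush, Dropbox, mbam.sys and muzapp.exe lines are not flagged, which is the point of the heuristic: it singles out the persistence pattern rather than everything ComboFix touched. Treat the output as a review list, not a verdict; a helper still confirms each hit against the full log before removal.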


#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:22 PM

Posted 28 April 2012 - 05:07 PM

Please do this next:

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.
.
Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion", rebooting your computer will resolve the problem.

Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 Hydrosere

Hydrosere
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:22 AM

Posted 28 April 2012 - 06:46 PM

ComboFix 12-04-28.01 - Adam 29/04/2012 0:32.1.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.6135.2526 [GMT 1:00]
Running from: c:\users\Adam\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Adam\AppData\Local\gosbxrdi.log
c:\users\Adam\AppData\Local\hliqvygy.log
c:\users\Adam\AppData\Local\rnmrykhy.log
c:\users\Adam\AppData\Local\Temp\bd7c47bb-f5c0-417c-a180-ec348d87718a\CliSecureRT.dll
c:\users\Adam\AppData\Local\tgglljlc.log
c:\users\Adam\AppData\Local\vqtjtshv\etlvesqm.exe
c:\users\Adam\AppData\Local\xuvbnsia.log
c:\users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\etlvesqm.exe
c:\windows\SysWow64\3DAudio.ax
c:\windows\SysWow64\bdaplgin.ax
c:\windows\SysWow64\cero.rs
c:\windows\SysWow64\csrr.rs
c:\windows\SysWow64\esrb.rs
c:\windows\SysWow64\g711codc.ax
c:\windows\SysWow64\grb.rs
c:\windows\SysWow64\iac25_32.ax
c:\windows\SysWow64\ir41_32.ax
c:\windows\SysWow64\ivfsrc.ax
c:\windows\SysWow64\ksproxy.ax
c:\windows\SysWow64\kstvtune.ax
c:\windows\SysWow64\Kswdmcap.ax
c:\windows\SysWow64\ksxbar.ax
c:\windows\SysWow64\Mpeg2Data.ax
c:\windows\SysWow64\mpg2splt.ax
c:\windows\SysWow64\MSDvbNP.ax
c:\windows\SysWow64\MSNP.ax
c:\windows\SysWow64\muzapp.exe
c:\windows\SysWow64\muzdecode.ax
c:\windows\SysWow64\muzeffect.ax
c:\windows\SysWow64\muzmp4sp.ax
c:\windows\SysWow64\muzmpgsp.ax
c:\windows\SysWow64\muzoggsp.ax
c:\windows\SysWow64\oflc.rs
c:\windows\SysWow64\pegi-fi.rs
c:\windows\SysWow64\pegi-pt.rs
c:\windows\SysWow64\pegi.rs
c:\windows\SysWow64\pegibbfc.rs
c:\windows\SysWow64\psisrndr.ax
c:\windows\SysWow64\usk.rs
c:\windows\SysWow64\VBICodec.ax
c:\windows\SysWow64\vbisurf.ax
c:\windows\SysWow64\vidcap.ax
c:\windows\SysWow64\WEB.rs
c:\windows\SysWow64\WSTPager.ax
.
.
((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-28 )))))))))))))))))))))))))))))))
.
.
2012-04-28 23:37 . 2012-04-28 23:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-28 21:24 . 2012-04-28 21:24 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-04-28 21:24 . 2012-04-28 21:24 -------- d-----r- c:\program files (x86)\Skype
2012-04-28 19:33 . 2012-04-28 19:33 116016 ----a-w- c:\windows\system32\drivers\44590172.sys
2012-04-28 19:24 . 2012-04-28 23:37 -------- d-----w- c:\users\Adam\AppData\Local\vqtjtshv
2012-04-28 16:38 . 2012-04-28 16:38 -------- d-----w- c:\users\Adam\AppData\Roaming\TeamViewer
2012-04-28 14:21 . 2012-04-28 14:21 -------- d-----w- c:\users\Adam\AppData\Local\Remove_Empty_Directories
2012-04-28 14:21 . 2012-04-28 14:21 -------- d-----w- c:\program files (x86)\Remove Empty Directories
2012-04-28 08:40 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C787AF0F-F8CE-4F09-9DEC-73D699F494ED}\mpengine.dll
2012-04-28 00:48 . 2012-04-28 00:48 -------- d-----w- c:\program files (x86)\ESET
2012-04-28 00:45 . 2012-04-28 00:45 -------- d-----w- c:\users\Adam\AppData\Roaming\SUPERAntiSpyware.com
2012-04-28 00:45 . 2012-04-28 00:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-28 00:45 . 2012-04-28 00:45 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-04-27 22:01 . 2012-04-27 22:01 -------- d-----w- c:\program files (x86)\Secunia
2012-04-27 21:41 . 2012-04-27 21:41 -------- d-----w- c:\programdata\hssff
2012-04-27 21:25 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4572BF4D-4B7B-4845-B118-7CA994F40059}\mpengine.dll
2012-04-27 21:12 . 2012-04-27 21:12 -------- d-----w- C:\AV-CLS
2012-04-27 20:55 . 2012-04-27 20:55 388096 ----a-r- c:\users\Adam\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-04-27 20:55 . 2012-04-27 20:55 -------- d-----w- c:\program files (x86)\Trend Micro
2012-04-27 20:27 . 2012-04-27 20:27 116016 ----a-w- c:\windows\system32\drivers\40014565.sys
2012-04-27 19:33 . 2012-04-27 19:33 -------- d-----w- c:\users\Adam\AppData\Roaming\Malwarebytes
2012-04-27 19:33 . 2012-04-27 21:08 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-27 19:33 . 2012-04-27 19:33 -------- d-----w- c:\programdata\Malwarebytes
2012-04-27 19:33 . 2012-04-04 14:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-27 19:30 . 2012-04-27 19:30 -------- d-----w- c:\users\Adam\AppData\Local\{6EE1F586-909F-11E1-826D-B8AC6F996F26}
2012-04-27 19:18 . 2012-04-27 19:18 -------- d-----w- c:\windows\Sun
2012-04-27 17:47 . 2011-07-17 16:04 4390376 ----a-w- c:\windows\SysWow64\GameMon.des
2012-04-27 17:46 . 2004-12-31 15:43 4682 ----a-w- c:\windows\SysWow64\npptNT2.sys
2012-04-27 17:46 . 2003-07-17 00:17 5174 ----a-w- c:\windows\SysWow64\nppt9x.vxd
2012-04-27 17:46 . 2012-04-27 17:46 -------- d-----w- c:\program files\Common Files\INCA Shared
2012-04-27 17:25 . 2012-04-27 21:20 -------- d-----w- c:\program files (x86)\REACTOR
2012-04-25 19:39 . 2012-04-25 19:46 -------- d-----w- c:\users\Adam\SD
2012-04-25 19:12 . 2012-04-25 19:12 -------- d-----w- C:\Temp
2012-04-25 18:38 . 2012-04-26 15:23 -------- d-----w- c:\users\Adam\AppData\Local\Samsung
2012-04-25 18:38 . 2012-04-25 18:38 -------- d-----w- c:\users\Adam\AppData\Roaming\Samsung
2012-04-25 18:37 . 2012-02-24 09:14 99384 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2012-04-25 18:37 . 2012-02-24 09:14 203320 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
2012-04-25 18:36 . 2012-03-28 21:11 4659712 ----a-w- c:\windows\SysWow64\Redemption.dll
2012-04-25 18:36 . 2012-04-25 18:36 -------- d-----w- c:\program files (x86)\MarkAny
2012-04-25 18:36 . 2012-03-28 21:11 821824 ----a-w- c:\windows\SysWow64\dgderapi.dll
2012-04-25 18:36 . 2012-04-27 21:20 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
2012-04-25 18:36 . 2012-04-25 18:37 -------- d-----w- c:\program files (x86)\Samsung
2012-04-25 18:36 . 2012-04-25 18:37 -------- d-----w- c:\programdata\Samsung
2012-04-25 18:35 . 2012-04-25 18:35 -------- d-----w- c:\users\Adam\AppData\Local\Downloaded Installations
2012-04-24 23:33 . 2012-04-24 23:33 231376 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2012-04-24 23:33 . 2012-04-24 23:33 -------- d-----w- c:\program files\TrueCrypt
2012-04-20 21:41 . 2012-04-20 21:41 -------- d-----w- c:\program files (x86)\Microsoft SDKs
2012-04-20 15:11 . 2012-04-20 15:11 8741536 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-17 22:55 . 2012-04-17 22:55 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-04-17 22:55 . 2012-04-17 22:55 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2012-04-17 22:51 . 2012-04-17 22:51 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-04-17 22:51 . 2012-04-17 22:51 -------- d-----w- c:\windows\PCHEALTH
2012-04-17 22:51 . 2012-04-17 22:51 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-04-17 22:50 . 2012-04-18 12:44 -------- d-----w- c:\programdata\Microsoft Help
2012-04-17 22:50 . 2012-04-17 22:50 -------- d-----r- C:\MSOCache
2012-04-17 22:48 . 2012-04-17 22:48 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-04-17 22:48 . 2012-04-20 15:23 -------- d-----w- c:\users\Adam\AppData\Roaming\DAEMON Tools Lite
2012-04-17 22:48 . 2012-04-17 22:48 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
2012-04-17 22:47 . 2012-04-17 22:49 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-04-17 17:45 . 2012-04-27 20:14 -------- d-----w- c:\users\Adam\AppData\Roaming\DisplayFusion
2012-04-17 17:33 . 2012-04-17 17:45 -------- d-----w- c:\program files (x86)\DisplayFusion
2012-04-16 00:14 . 2012-04-21 21:45 -------- d-----w- c:\program files (x86)\osu!
2012-04-16 00:13 . 2012-04-16 00:13 -------- d-----w- c:\users\Adam\AppData\Roaming\Downloaded Installations
2012-04-15 21:25 . 2012-04-15 21:25 -------- d-----w- c:\users\Adam\AppData\Local\Vagex
2012-04-15 02:14 . 2012-04-15 02:14 109248 ----a-w- c:\windows\SysWow64\mswinsck.ocx
2012-04-15 02:12 . 2012-04-15 02:12 152848 ----a-w- c:\windows\SysWow64\COMDLG32.OCX
2012-04-11 14:02 . 2012-02-28 06:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-11 14:02 . 2012-02-28 07:37 174392 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2012-04-11 14:02 . 2012-02-28 06:47 304640 ----a-w- c:\program files\Internet Explorer\IEShims.dll
2012-04-11 14:02 . 2012-02-28 01:58 141112 ----a-w- c:\program files (x86)\Internet Explorer\sqmapi.dll
2012-04-11 14:02 . 2012-02-28 01:03 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-04-11 13:59 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-11 13:59 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 13:59 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-11 13:59 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 13:59 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 13:59 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-11 13:59 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-11 01:23 . 2012-04-11 01:23 -------- d-----w- c:\users\Adam\AppData\Roaming\NVIDIA
2012-04-11 01:23 . 2012-04-21 19:11 -------- d-----w- c:\users\Adam\AppData\Roaming\.minecraft
2012-04-09 21:24 . 2012-04-09 21:24 -------- d-----w- c:\users\Adam\AppData\Roaming\Avnex
2012-04-09 21:24 . 2008-12-26 11:56 21504 ----a-w- c:\windows\system32\drivers\vcsvad.sys
2012-04-09 21:24 . 2012-04-09 21:25 -------- d-----w- c:\program files (x86)\AV Vcs 7.0 DIAMOND
2012-04-09 13:45 . 2012-04-17 22:51 -------- d-----w- c:\program files (x86)\Microsoft.NET
2012-04-09 13:30 . 2012-04-09 13:30 -------- d-----w- c:\users\Adam\AppData\Local\Oleksiy_Gapotchenko
2012-04-08 20:00 . 2012-04-08 20:00 -------- d-----w- c:\users\Adam\AppData\Roaming\Foxit Software
2012-04-08 13:04 . 2012-04-08 13:04 -------- d-----w- c:\programdata\TamoSoft
2012-04-08 13:04 . 2012-04-08 13:06 -------- d-----w- c:\program files (x86)\CommView
2012-04-08 03:41 . 2012-04-08 03:41 -------- d-----w- c:\users\Adam\AppData\Roaming\Yahoo!
2012-04-08 03:38 . 2012-04-08 03:38 -------- d-----w- c:\programdata\Yahoo!
2012-04-08 03:36 . 2012-04-08 03:38 -------- d-----w- c:\program files (x86)\Yahoo!
2012-04-07 14:07 . 2012-04-07 14:07 -------- d-----w- c:\windows\SysWow64\xlive
2012-04-07 14:07 . 2012-04-07 14:07 -------- d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE
2012-04-06 23:44 . 2011-07-01 03:46 31232 ----a-w- c:\windows\system32\drivers\tap0901.sys
2012-04-06 23:44 . 2012-04-28 17:16 -------- d-----w- c:\program files\SecurityKISS Tunnel
2012-04-06 23:25 . 2012-04-06 23:25 561992 ----a-w- c:\program files (x86)\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor11.dll
2012-04-06 23:24 . 2012-04-06 23:24 -------- d-----w- c:\programdata\Hotspot Shield
2012-04-06 23:24 . 2012-04-06 23:24 -------- d-----w- C:\Hotspot Shield
2012-04-06 23:23 . 2012-04-14 01:26 -------- d-----w- c:\program files (x86)\Hotspot Shield
2012-04-06 23:14 . 2012-04-06 23:25 -------- d-----w- c:\program files (x86)\UltraVPN
2012-04-05 21:39 . 2012-04-27 23:33 -------- d-----r- c:\users\Adam\Dropbox
2012-04-05 21:36 . 2012-04-28 00:02 -------- d-----w- c:\users\Adam\AppData\Roaming\Dropbox
2012-04-05 16:26 . 2012-04-25 14:13 -------- d-----w- c:\users\Adam\AppData\Local\join.me
2012-04-05 01:37 . 2012-04-05 01:41 -------- d-----w- c:\users\Adam\AppData\Roaming\ManyCam
2012-04-05 01:37 . 2012-04-05 01:41 -------- d-----w- c:\users\Adam\AppData\Local\ManyCam
2012-04-05 01:37 . 2012-04-05 01:37 -------- d-----w- c:\program files (x86)\ManyCam
2012-04-05 01:37 . 2012-04-05 01:37 -------- d-----w- c:\programdata\Ask
2012-04-04 20:56 . 2012-04-05 01:16 -------- d-----w- c:\users\Adam\AppData\Local\ESN Sonar
2012-04-04 01:42 . 2012-04-28 20:34 -------- d-----w- c:\users\Adam\Tracing
2012-04-04 00:31 . 2012-04-04 00:31 -------- d-----w- c:\program files (x86)\KLC
2012-04-04 00:31 . 2004-08-04 02:56 431616 ----a-w- c:\windows\SysWow64\temp.000
2012-04-04 00:31 . 2002-12-20 11:02 1077336 ----a-w- c:\windows\SysWow64\mscomctl.ocx
2012-04-04 00:31 . 2000-05-21 23:00 203976 ----a-w- c:\windows\SysWow64\RICHTX32.OCX
2012-04-04 00:31 . 1999-12-07 06:00 61491 ----a-w- c:\windows\SysWow64\wbemdisp.TLB
2012-04-03 20:06 . 2012-04-23 23:40 -------- d-----w- c:\users\Adam\AppData\Roaming\FileZilla
2012-04-03 18:31 . 2012-04-04 02:58 -------- d-----w- c:\program files (x86)\proXPN
2012-04-03 02:36 . 2012-04-15 03:30 -------- d-----w- c:\users\Adam\AppData\Roaming\VMware
2012-04-03 02:29 . 2011-08-22 16:07 62064 ----a-w- c:\windows\system32\drivers\vmx86.sys
2012-04-03 02:28 . 2011-08-22 16:07 354416 ----a-w- c:\windows\SysWow64\vmnetdhcp.exe
2012-04-03 02:28 . 2011-08-22 16:06 432752 ----a-w- c:\windows\SysWow64\vmnat.exe
2012-04-03 02:28 . 2011-08-22 16:06 30320 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-22 21:57 . 2012-03-29 17:06 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-22 21:57 . 2012-03-29 17:06 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-07 14:11 . 2009-08-18 11:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2012-04-07 14:11 . 2009-08-18 10:24 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-04-01 13:46 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-04-01 13:46 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-03-29 17:28 . 2012-03-29 17:30 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-03-29 17:00 . 2012-03-29 17:00 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-03-29 17:00 . 2012-03-29 17:00 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-03-29 17:00 . 2012-03-29 17:00 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-03-29 17:00 . 2012-03-29 17:00 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-03-29 17:00 . 2012-03-29 17:00 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-03-29 17:00 . 2012-03-29 17:00 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-03-29 17:00 . 2012-03-29 17:00 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-03-29 17:00 . 2012-03-29 17:00 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-03-29 17:00 . 2012-03-29 17:00 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-03-29 17:00 . 2012-03-29 17:00 603648 ----a-w- c:\windows\system32\vbscript.dll
2012-03-29 17:00 . 2012-03-29 17:00 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-03-29 17:00 . 2012-03-29 17:00 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-03-29 17:00 . 2012-03-29 17:00 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-03-29 17:00 . 2012-03-29 17:00 448512 ----a-w- c:\windows\system32\html.iec
2012-03-29 17:00 . 2012-03-29 17:00 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-03-29 17:00 . 2012-03-29 17:00 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-03-29 17:00 . 2012-03-29 17:00 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-03-29 17:00 . 2012-03-29 17:00 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-29 17:00 . 2012-03-29 17:00 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-03-29 17:00 . 2012-03-29 17:00 222208 ----a-w- c:\windows\system32\msls31.dll
2012-03-29 17:00 . 2012-03-29 17:00 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-03-29 17:00 . 2012-03-29 17:00 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-03-29 17:00 . 2012-03-29 17:00 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-03-29 17:00 . 2012-03-29 17:00 160256 ----a-w- c:\windows\system32\wextract.exe
2012-03-29 17:00 . 2012-03-29 17:00 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-03-29 17:00 . 2012-03-29 17:00 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-03-29 17:00 . 2012-03-29 17:00 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-03-29 17:00 . 2012-03-29 17:00 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-03-29 17:00 . 2012-03-29 17:00 12288 ----a-w- c:\windows\system32\mshta.exe
2012-03-29 17:00 . 2012-03-29 17:00 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-03-29 17:00 . 2012-03-29 17:00 114176 ----a-w- c:\windows\system32\admparse.dll
2012-03-29 17:00 . 2012-03-29 17:00 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-03-29 17:00 . 2012-03-29 17:00 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-03-29 17:00 . 2012-03-29 17:00 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-03-28 21:11 . 2012-03-28 21:11 90112 ----a-w- c:\windows\MAMCityDownload.ocx
2012-03-28 21:11 . 2012-03-28 21:11 325552 ----a-w- c:\windows\MASetupCaller.dll
2012-03-28 21:11 . 2012-03-28 21:11 30568 ----a-w- c:\windows\MusiccityDownload.exe
2012-03-28 21:11 . 2012-03-28 21:11 974848 ----a-w- c:\windows\SysWow64\cis-2.4.dll
2012-03-28 21:11 . 2012-03-28 21:11 81920 ----a-w- c:\windows\SysWow64\issacapi_bs-2.3.dll
2012-03-28 21:11 . 2012-03-28 21:11 65536 ----a-w- c:\windows\SysWow64\issacapi_pe-2.3.dll
2012-03-28 21:11 . 2012-03-28 21:11 57344 ----a-w- c:\windows\SysWow64\MTXSYNCICON.dll
2012-03-28 21:11 . 2012-03-28 21:11 57344 ----a-w- c:\windows\SysWow64\MK_Lyric.dll
2012-03-28 21:11 . 2012-03-28 21:11 57344 ----a-w- c:\windows\SysWow64\issacapi_se-2.3.dll
2012-03-28 21:11 . 2012-03-28 21:11 491520 ----a-w- c:\windows\SysWow64\muzapp.dll
2012-03-28 21:11 . 2012-03-28 21:11 49152 ----a-w- c:\windows\SysWow64\MaJGUILib.dll
2012-03-28 21:11 . 2012-03-28 21:11 45320 ----a-w- c:\windows\SysWow64\MAMACExtract.dll
2012-03-28 21:11 . 2012-03-28 21:11 45056 ----a-w- c:\windows\SysWow64\MaXMLProto.dll
2012-03-28 21:11 . 2012-03-28 21:11 45056 ----a-w- c:\windows\SysWow64\MACXMLProto.dll
2012-03-28 21:11 . 2012-03-28 21:11 40960 ----a-w- c:\windows\SysWow64\MTTELECHIP.dll
2012-03-28 21:11 . 2012-03-28 21:11 352256 ----a-w- c:\windows\SysWow64\MSLUR71.dll
2012-03-28 21:11 . 2012-03-28 21:11 245760 ----a-w- c:\windows\SysWow64\MSCLib.dll
2012-03-28 21:11 . 2012-03-28 21:11 24576 ----a-w- c:\windows\SysWow64\MASetupCleaner.exe
2012-03-28 21:11 . 2012-03-28 21:11 200704 ----a-w- c:\windows\SysWow64\muzwmts.dll
2012-03-28 21:11 . 2012-03-28 21:11 155648 ----a-w- c:\windows\SysWow64\MSFLib.dll
2012-03-28 21:11 . 2012-03-28 21:11 135168 ----a-w- c:\windows\SysWow64\muzaf1.dll
2012-03-28 21:11 . 2012-03-28 21:11 118784 ----a-w- c:\windows\SysWow64\MaDRM.dll
2012-03-26 21:45 . 2012-03-26 21:45 56832 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2012-03-26 21:45 . 2012-03-26 21:45 37888 ----a-w- c:\windows\system32\drivers\taphss.sys
2012-03-01 00:02 . 2011-05-21 05:01 9717568 ----a-w- c:\windows\system32\nvwgf2umx.dll
2012-03-01 00:02 . 2011-05-21 05:01 7713088 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2012-03-01 00:02 . 2011-05-21 05:01 2660160 ----a-w- c:\windows\system32\nvapi64.dll
2012-03-01 00:02 . 2011-05-21 05:01 2301248 ----a-w- c:\windows\SysWow64\nvapi.dll
2012-02-29 21:00 . 2012-03-29 16:34 3089728 ----a-w- c:\windows\system32\nvsvc64.dll
2012-02-29 21:00 . 2012-03-29 16:34 6074176 ----a-w- c:\windows\system32\nvcpl.dll
2012-02-29 20:59 . 2012-03-29 16:34 889664 ----a-w- c:\windows\system32\nvvsvc.exe
2012-02-29 20:59 . 2012-03-29 16:34 63296 ----a-w- c:\windows\system32\nvshext.dll
2012-02-29 20:59 . 2012-03-29 16:34 118080 ----a-w- c:\windows\system32\nvmctray.dll
2012-02-29 12:26 . 2012-02-29 12:26 416064 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2012-02-28 05:26 . 2012-02-28 05:26 28160 ----a-w- c:\windows\system32\drivers\mcaudrv_x64.sys
2012-02-23 09:18 . 2012-03-29 17:07 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 06:38 . 2012-03-29 16:29 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2012-02-17 06:38 . 2012-03-29 16:29 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-29 16:29 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-29 16:29 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-29 16:29 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-10 06:36 . 2012-03-29 16:47 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-29 16:47 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-09 12:17 . 2012-03-29 17:30 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EABCA035-2720-4955-B226-63FDBB484463}\gapaengine.dll
2012-02-03 04:34 . 2012-03-29 16:47 3145728 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Adam\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Adam\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Adam\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-03-29 1242448]
"puush"="c:\program files (x86)\puush\puush.exe" [2012-04-16 565480]
"DisplayFusion"="c:\program files (x86)\DisplayFusion\DisplayFusion.exe" [2012-01-12 2789280]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-04-20 4786048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2012-03-31 3521424]
.
c:\users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Adam\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-4-26 27264496]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-04-05 158856]
R2 VMwareHostd;VMware Workstation Server;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe [2011-08-22 11837440]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-22 253088]
R3 CGVPNCliSrvc;CyberGhost VPN Client;c:\program files\CyberGhost VPN\CGVPNCliService.exe [2011-12-06 2430128]
R3 CV2K1;CommView Network Monitor;c:\windows\system32\DRIVERS\cv2k1.sys [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [x]
R3 dump_wmimmc;dump_wmimmc;c:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 51740536]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 RTCore64;RTCore64;c:\program files (x86)\MSI Afterburner\RTCore64.sys [2010-05-27 14648]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 TsVlb;TsVlb;c:\windows\system32\DRIVERS\tsvlb.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [x]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 TsVp;TsVp;c:\windows\system32\DRIVERS\tsvp.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 hshld;Hotspot Shield Service;c:\program files (x86)\Hotspot Shield\bin\openvpnas.exe [2012-04-10 542552]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files (x86)\Hotspot Shield\bin\hsswd.exe [2012-04-02 329544]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-03-01 2348352]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2011-10-14 994360]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-02-29 382272]
S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-03-19 2666880]
S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2011-08-21 846448]
S2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);SysWOW64\drivers\vstor2-mntapi10-shared.sys [x]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [x]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [x]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
S3 LVUVC64;Logitech QuickCam Pro 9000(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv_x64.sys [x]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv_x64.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 TSCOMM;CommStudio Virtual Adapter by TamoSoft;c:\windows\system32\DRIVERS\tscomm.sys [x]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 21:57]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2012-04-02 18:47 287048 ----a-w- c:\program files (x86)\Hotspot Shield\HssIE\HssIE_64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Adam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Adam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Adam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Adam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 415816]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-03 2412616]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2010-08-03 4725320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\vsocklib.dll
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\slwxz4h2.default\
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-EtlVesqm - c:\users\Adam\AppData\Local\vqtjtshv\etlvesqm.exe
AddRemove-Smart Fortress 2012 - c:\programdata\99058D5900006B6700034B57B4EB2331\99058D5900006B6700034B57B4EB2331.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\windows\SysWOW64\vmnat.exe
c:\program files\Logitech\GamePanel Software\Applets\LCDMedia.exe
c:\windows\SysWOW64\vmnetdhcp.exe
.
**************************************************************************
.
Completion time: 2012-04-29 00:43:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-28 23:43
.
Pre-Run: 848,070,856,704 bytes free
Post-Run: 847,709,200,384 bytes free
.
- - End Of File - - 6EC7F1F79A5493DB2BDA8673A31D6286

#6 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 28 April 2012 - 10:21 PM

Please do this next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
c:\windows\system32\drivers\44590172.sys
c:\windows\system32\drivers\40014565.sys
Folder::
c:\users\Adam\AppData\Local\vqtjtshv
DirLook::
c:\programdata\hssff

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information, C:\_OTL\MovedFiles or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
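
The CFScript above names a pair of numeric-named drivers and a random-named folder under AppData\Local, all of which are visible in the DDS log earlier in the thread. The following Python script is an added example, not part of this thread or of the DDS/ComboFix tools: it parses the line shapes those logs use (service entries, Files Created entries, orphan entries and bare paths) and flags entries that match those two patterns. The sample lines are constructed from the thread's logs, and the naming heuristics are assumptions for illustration, not rules used by either tool.

```python
"""Triage helper for DDS/ComboFix-style log lines (added example, not from the thread)."""
import re
from typing import List, Optional, Tuple

VOWELS = set("aeiou")

# Service/driver lines, e.g. "R3 CV2K1;CommView Network Monitor;c:\...\cv2k1.sys [x]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)
# "Files Created" lines, e.g. "2012-04-27 19:33 . 2012-04-04 14:56 24904 ----a-w- c:\...\mbam.sys"
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(?P<size>-+|\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# "ORPHANS REMOVED" lines, e.g. "Wow6432Node-HKCU-Run-EtlVesqm - c:\...\etlvesqm.exe"
ORPHAN_RE = re.compile(r"^(?P<key>.+?) - (?P<path>[A-Za-z]:\\.+)$")
# Bare paths, as printed under "Other Deletions"
BARE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*)$")

PARSERS = (("service", SERVICE_RE), ("created", CREATED_RE),
           ("orphan", ORPHAN_RE), ("bare", BARE_RE))


def looks_random(token: str) -> bool:
    """Assumed heuristic: lowercase alphabetic tokens of 6+ chars with almost no
    vowels, the shape of the dropper folder (vqtjtshv) the helper removed."""
    if len(token) < 6 or not token.isalpha() or not token.islower():
        return False
    vowels = sum(1 for c in token if c in VOWELS)
    return vowels / len(token) < 0.2


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of a service, files-created, orphan or bare-path line, else None."""
    line = line.strip()
    for kind, rx in PARSERS:
        m = rx.match(line)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None


def triage_path(path: str) -> List[str]:
    """Reasons a path resembles the indicators removed in this thread.
    The [x] marker on service lines is deliberately not a signal: many
    legitimate drivers in the DDS log above carry it as well."""
    reasons = []
    parts = path.lower().split("\\")
    name = parts[-1]
    # e.g. c:\windows\system32\drivers\44590172.sys
    if name.endswith(".sys") and "drivers" in parts[:-1] and name[:-4].isdigit():
        reasons.append("numeric-only driver file name in a drivers directory")
    # e.g. c:\users\Adam\AppData\Local\vqtjtshv\etlvesqm.exe
    for j in range(len(parts) - 2):
        if parts[j] == "appdata" and parts[j + 1] == "local":
            stem = parts[j + 2].rsplit(".", 1)[0]
            if looks_random(stem):
                reasons.append(f"random-looking name '{parts[j + 2]}' directly under AppData\\Local")
            break
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every parsed line whose path is suspicious."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            reasons = triage_path(rec["path"])
            if reasons:
                hits.append((rec["path"], reasons))
    return hits


# Constructed sample: a handful of lines copied in shape from the logs in this thread.
SAMPLE_LOG = r"""
R3 CV2K1;CommView Network Monitor;c:\windows\system32\DRIVERS\cv2k1.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
2012-04-27 19:33 . 2012-04-04 14:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-29 10:51 . 2012-04-29 10:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-27 22:01 . 2012-04-27 22:01 -------- d-----w- c:\program files (x86)\Secunia
Wow6432Node-HKCU-Run-EtlVesqm - c:\users\Adam\AppData\Local\vqtjtshv\etlvesqm.exe
c:\windows\system32\drivers\44590172.sys
"""

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Only the two entries the helper actually scripted for removal are flagged; the legitimate driver, the temp folder and the Secunia folder pass through, which is the point of keeping the heuristics narrow.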


#7 Hydrosere

  • Topic Starter
  • Members
  • 11 posts

Posted 29 April 2012 - 06:44 AM

ComboFix Log:

ComboFix 12-04-28.01 - Adam 29/04/2012 11:47:44.2.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.6135.3960 [GMT 1:00]
Running from: c:\users\Adam\Desktop\ComboFix.exe
Command switches used :: c:\users\Adam\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\drivers\40014565.sys"
"c:\windows\system32\drivers\44590172.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Adam\AppData\Local\vqtjtshv
c:\windows\system32\drivers\40014565.sys
c:\windows\system32\drivers\44590172.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-29 )))))))))))))))))))))))))))))))
.
.
2012-04-29 10:51 . 2012-04-29 10:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-29 10:41 . 2012-04-29 10:41 -------- d-----w- c:\users\Adam\AppData\Local\Secunia PSI
2012-04-29 00:52 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1E9D119D-163F-43D9-89F7-A4EB83403D0F}\mpengine.dll
2012-04-28 21:24 . 2012-04-28 21:24 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-04-28 21:24 . 2012-04-28 21:24 -------- d-----r- c:\program files (x86)\Skype
2012-04-28 16:38 . 2012-04-28 16:38 -------- d-----w- c:\users\Adam\AppData\Roaming\TeamViewer
2012-04-28 14:21 . 2012-04-28 14:21 -------- d-----w- c:\users\Adam\AppData\Local\Remove_Empty_Directories
2012-04-28 14:21 . 2012-04-28 14:21 -------- d-----w- c:\program files (x86)\Remove Empty Directories
2012-04-28 00:48 . 2012-04-28 00:48 -------- d-----w- c:\program files (x86)\ESET
2012-04-28 00:45 . 2012-04-28 00:45 -------- d-----w- c:\users\Adam\AppData\Roaming\SUPERAntiSpyware.com
2012-04-28 00:45 . 2012-04-28 00:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-28 00:45 . 2012-04-28 00:45 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-04-27 22:01 . 2012-04-27 22:01 -------- d-----w- c:\program files (x86)\Secunia
2012-04-27 21:41 . 2012-04-27 21:41 -------- d-----w- c:\programdata\hssff
2012-04-27 21:25 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4572BF4D-4B7B-4845-B118-7CA994F40059}\mpengine.dll
2012-04-27 21:12 . 2012-04-27 21:12 -------- d-----w- C:\AV-CLS
2012-04-27 20:55 . 2012-04-27 20:55 388096 ----a-r- c:\users\Adam\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-04-27 20:55 . 2012-04-27 20:55 -------- d-----w- c:\program files (x86)\Trend Micro
2012-04-27 19:33 . 2012-04-27 19:33 -------- d-----w- c:\users\Adam\AppData\Roaming\Malwarebytes
2012-04-27 19:33 . 2012-04-27 21:08 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-27 19:33 . 2012-04-27 19:33 -------- d-----w- c:\programdata\Malwarebytes
2012-04-27 19:33 . 2012-04-04 14:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-27 19:30 . 2012-04-27 19:30 -------- d-----w- c:\users\Adam\AppData\Local\{6EE1F586-909F-11E1-826D-B8AC6F996F26}
2012-04-27 19:18 . 2012-04-27 19:18 -------- d-----w- c:\windows\Sun
2012-04-27 17:47 . 2011-07-17 16:04 4390376 ----a-w- c:\windows\SysWow64\GameMon.des
2012-04-27 17:46 . 2004-12-31 15:43 4682 ----a-w- c:\windows\SysWow64\npptNT2.sys
2012-04-27 17:46 . 2003-07-17 00:17 5174 ----a-w- c:\windows\SysWow64\nppt9x.vxd
2012-04-27 17:46 . 2012-04-27 17:46 -------- d-----w- c:\program files\Common Files\INCA Shared
2012-04-27 17:25 . 2012-04-27 21:20 -------- d-----w- c:\program files (x86)\REACTOR
2012-04-25 19:39 . 2012-04-25 19:46 -------- d-----w- c:\users\Adam\SD
2012-04-25 19:12 . 2012-04-25 19:12 -------- d-----w- C:\Temp
2012-04-25 18:38 . 2012-04-26 15:23 -------- d-----w- c:\users\Adam\AppData\Local\Samsung
2012-04-25 18:38 . 2012-04-25 18:38 -------- d-----w- c:\users\Adam\AppData\Roaming\Samsung
2012-04-25 18:37 . 2012-02-24 09:14 99384 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2012-04-25 18:37 . 2012-02-24 09:14 203320 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
2012-04-25 18:36 . 2012-03-28 21:11 4659712 ----a-w- c:\windows\SysWow64\Redemption.dll
2012-04-25 18:36 . 2012-04-25 18:36 -------- d-----w- c:\program files (x86)\MarkAny
2012-04-25 18:36 . 2012-03-28 21:11 821824 ----a-w- c:\windows\SysWow64\dgderapi.dll
2012-04-25 18:36 . 2012-04-27 21:20 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
2012-04-25 18:36 . 2012-04-25 18:37 -------- d-----w- c:\program files (x86)\Samsung
2012-04-25 18:36 . 2012-04-25 18:37 -------- d-----w- c:\programdata\Samsung
2012-04-25 18:35 . 2012-04-25 18:35 -------- d-----w- c:\users\Adam\AppData\Local\Downloaded Installations
2012-04-24 23:33 . 2012-04-24 23:33 231376 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2012-04-24 23:33 . 2012-04-24 23:33 -------- d-----w- c:\program files\TrueCrypt
2012-04-20 21:41 . 2012-04-20 21:41 -------- d-----w- c:\program files (x86)\Microsoft SDKs
2012-04-20 15:11 . 2012-04-20 15:11 8741536 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-17 22:55 . 2012-04-17 22:55 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-04-17 22:55 . 2012-04-17 22:55 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2012-04-17 22:51 . 2012-04-17 22:51 -------- d-----w- c:\program files\Microsoft Synchronization Services
2012-04-17 22:51 . 2012-04-17 22:51 -------- d-----w- c:\windows\PCHEALTH
2012-04-17 22:51 . 2012-04-17 22:51 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2012-04-17 22:50 . 2012-04-18 12:44 -------- d-----w- c:\programdata\Microsoft Help
2012-04-17 22:50 . 2012-04-17 22:50 -------- d-----r- C:\MSOCache
2012-04-17 22:48 . 2012-04-17 22:48 283200 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-04-17 22:48 . 2012-04-20 15:23 -------- d-----w- c:\users\Adam\AppData\Roaming\DAEMON Tools Lite
2012-04-17 22:48 . 2012-04-17 22:48 -------- d-----w- c:\program files (x86)\DAEMON Tools Lite
2012-04-17 22:47 . 2012-04-17 22:49 -------- d-----w- c:\programdata\DAEMON Tools Lite
2012-04-17 17:45 . 2012-04-27 20:14 -------- d-----w- c:\users\Adam\AppData\Roaming\DisplayFusion
2012-04-17 17:33 . 2012-04-17 17:45 -------- d-----w- c:\program files (x86)\DisplayFusion
2012-04-16 00:14 . 2012-04-21 21:45 -------- d-----w- c:\program files (x86)\osu!
2012-04-16 00:13 . 2012-04-16 00:13 -------- d-----w- c:\users\Adam\AppData\Roaming\Downloaded Installations
2012-04-15 21:25 . 2012-04-15 21:25 -------- d-----w- c:\users\Adam\AppData\Local\Vagex
2012-04-15 02:14 . 2012-04-15 02:14 109248 ----a-w- c:\windows\SysWow64\mswinsck.ocx
2012-04-15 02:12 . 2012-04-15 02:12 152848 ----a-w- c:\windows\SysWow64\COMDLG32.OCX
2012-04-11 14:02 . 2012-02-28 06:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-11 14:02 . 2012-02-28 07:37 174392 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2012-04-11 14:02 . 2012-02-28 06:47 304640 ----a-w- c:\program files\Internet Explorer\IEShims.dll
2012-04-11 14:02 . 2012-02-28 01:58 141112 ----a-w- c:\program files (x86)\Internet Explorer\sqmapi.dll
2012-04-11 14:02 . 2012-02-28 01:03 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-04-11 13:59 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-11 13:59 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 13:59 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-11 13:59 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 13:59 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 13:59 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-11 13:59 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-11 01:23 . 2012-04-11 01:23 -------- d-----w- c:\users\Adam\AppData\Roaming\NVIDIA
2012-04-11 01:23 . 2012-04-21 19:11 -------- d-----w- c:\users\Adam\AppData\Roaming\.minecraft
2012-04-09 21:24 . 2012-04-09 21:24 -------- d-----w- c:\users\Adam\AppData\Roaming\Avnex
2012-04-09 21:24 . 2008-12-26 11:56 21504 ----a-w- c:\windows\system32\drivers\vcsvad.sys
2012-04-09 21:24 . 2012-04-09 21:25 -------- d-----w- c:\program files (x86)\AV Vcs 7.0 DIAMOND
2012-04-09 13:45 . 2012-04-17 22:51 -------- d-----w- c:\program files (x86)\Microsoft.NET
2012-04-09 13:30 . 2012-04-09 13:30 -------- d-----w- c:\users\Adam\AppData\Local\Oleksiy_Gapotchenko
2012-04-08 20:00 . 2012-04-08 20:00 -------- d-----w- c:\users\Adam\AppData\Roaming\Foxit Software
2012-04-08 13:04 . 2012-04-08 13:04 -------- d-----w- c:\programdata\TamoSoft
2012-04-08 13:04 . 2012-04-08 13:06 -------- d-----w- c:\program files (x86)\CommView
2012-04-08 03:41 . 2012-04-08 03:41 -------- d-----w- c:\users\Adam\AppData\Roaming\Yahoo!
2012-04-08 03:38 . 2012-04-08 03:38 -------- d-----w- c:\programdata\Yahoo!
2012-04-08 03:36 . 2012-04-08 03:38 -------- d-----w- c:\program files (x86)\Yahoo!
2012-04-07 14:07 . 2012-04-07 14:07 -------- d-----w- c:\windows\SysWow64\xlive
2012-04-07 14:07 . 2012-04-07 14:07 -------- d-----w- c:\program files (x86)\Microsoft Games for Windows - LIVE
2012-04-06 23:44 . 2011-07-01 03:46 31232 ----a-w- c:\windows\system32\drivers\tap0901.sys
2012-04-06 23:44 . 2012-04-28 17:16 -------- d-----w- c:\program files\SecurityKISS Tunnel
2012-04-06 23:25 . 2012-04-06 23:25 561992 ----a-w- c:\program files (x86)\Mozilla Firefox\extensions\afurladvisor@anchorfree.com\components\afurladvisor11.dll
2012-04-06 23:24 . 2012-04-06 23:24 -------- d-----w- c:\programdata\Hotspot Shield
2012-04-06 23:24 . 2012-04-06 23:24 -------- d-----w- C:\Hotspot Shield
2012-04-06 23:23 . 2012-04-14 01:26 -------- d-----w- c:\program files (x86)\Hotspot Shield
2012-04-06 23:14 . 2012-04-06 23:25 -------- d-----w- c:\program files (x86)\UltraVPN
2012-04-05 21:39 . 2012-04-29 10:42 -------- d-----r- c:\users\Adam\Dropbox
2012-04-05 21:36 . 2012-04-29 10:42 -------- d-----w- c:\users\Adam\AppData\Roaming\Dropbox
2012-04-05 16:26 . 2012-04-25 14:13 -------- d-----w- c:\users\Adam\AppData\Local\join.me
2012-04-05 01:37 . 2012-04-05 01:41 -------- d-----w- c:\users\Adam\AppData\Roaming\ManyCam
2012-04-05 01:37 . 2012-04-05 01:41 -------- d-----w- c:\users\Adam\AppData\Local\ManyCam
2012-04-05 01:37 . 2012-04-05 01:37 -------- d-----w- c:\program files (x86)\ManyCam
2012-04-05 01:37 . 2012-04-05 01:37 -------- d-----w- c:\programdata\Ask
2012-04-04 20:56 . 2012-04-05 01:16 -------- d-----w- c:\users\Adam\AppData\Local\ESN Sonar
2012-04-04 01:42 . 2012-04-28 20:34 -------- d-----w- c:\users\Adam\Tracing
2012-04-04 00:31 . 2012-04-04 00:31 -------- d-----w- c:\program files (x86)\KLC
2012-04-04 00:31 . 2004-08-04 02:56 431616 ----a-w- c:\windows\SysWow64\temp.000
2012-04-04 00:31 . 2002-12-20 11:02 1077336 ----a-w- c:\windows\SysWow64\mscomctl.ocx
2012-04-04 00:31 . 2000-05-21 23:00 203976 ----a-w- c:\windows\SysWow64\RICHTX32.OCX
2012-04-04 00:31 . 1999-12-07 06:00 61491 ----a-w- c:\windows\SysWow64\wbemdisp.TLB
2012-04-03 20:06 . 2012-04-23 23:40 -------- d-----w- c:\users\Adam\AppData\Roaming\FileZilla
2012-04-03 18:31 . 2012-04-04 02:58 -------- d-----w- c:\program files (x86)\proXPN
2012-04-03 02:36 . 2012-04-15 03:30 -------- d-----w- c:\users\Adam\AppData\Roaming\VMware
2012-04-03 02:29 . 2011-08-22 16:07 62064 ----a-w- c:\windows\system32\drivers\vmx86.sys
2012-04-03 02:28 . 2011-08-22 16:07 354416 ----a-w- c:\windows\SysWow64\vmnetdhcp.exe
2012-04-03 02:28 . 2011-08-22 16:06 432752 ----a-w- c:\windows\SysWow64\vmnat.exe
2012-04-03 02:28 . 2011-08-22 16:06 30320 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2012-04-03 02:28 . 2011-08-22 16:07 942192 ----a-w- c:\windows\system32\vnetlib64.dll
2012-04-03 02:28 . 2011-08-21 22:11 39024 ----a-w- c:\windows\system32\drivers\hcmon.sys
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-22 21:57 . 2012-03-29 17:06 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-22 21:57 . 2012-03-29 17:06 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-07 14:11 . 2009-08-18 11:49 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2012-04-07 14:11 . 2009-08-18 10:24 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-04-01 13:46 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-04-01 13:46 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-03-29 17:28 . 2012-03-29 17:30 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-03-29 17:00 . 2012-03-29 17:00 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-03-29 17:00 . 2012-03-29 17:00 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-03-29 17:00 . 2012-03-29 17:00 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll
2012-03-29 17:00 . 2012-03-29 17:00 85504 ----a-w- c:\windows\system32\iesetup.dll
2012-03-29 17:00 . 2012-03-29 17:00 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2012-03-29 17:00 . 2012-03-29 17:00 76800 ----a-w- c:\windows\system32\tdc.ocx
2012-03-29 17:00 . 2012-03-29 17:00 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-03-29 17:00 . 2012-03-29 17:00 74752 ----a-w- c:\windows\SysWow64\iesetup.dll
2012-03-29 17:00 . 2012-03-29 17:00 63488 ----a-w- c:\windows\SysWow64\tdc.ocx
2012-03-29 17:00 . 2012-03-29 17:00 603648 ----a-w- c:\windows\system32\vbscript.dll
2012-03-29 17:00 . 2012-03-29 17:00 49664 ----a-w- c:\windows\system32\imgutil.dll
2012-03-29 17:00 . 2012-03-29 17:00 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2012-03-29 17:00 . 2012-03-29 17:00 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-03-29 17:00 . 2012-03-29 17:00 448512 ----a-w- c:\windows\system32\html.iec
2012-03-29 17:00 . 2012-03-29 17:00 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-03-29 17:00 . 2012-03-29 17:00 367104 ----a-w- c:\windows\SysWow64\html.iec
2012-03-29 17:00 . 2012-03-29 17:00 35840 ----a-w- c:\windows\SysWow64\imgutil.dll
2012-03-29 17:00 . 2012-03-29 17:00 30720 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-29 17:00 . 2012-03-29 17:00 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll
2012-03-29 17:00 . 2012-03-29 17:00 222208 ----a-w- c:\windows\system32\msls31.dll
2012-03-29 17:00 . 2012-03-29 17:00 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-03-29 17:00 . 2012-03-29 17:00 165888 ----a-w- c:\windows\system32\iexpress.exe
2012-03-29 17:00 . 2012-03-29 17:00 161792 ----a-w- c:\windows\SysWow64\msls31.dll
2012-03-29 17:00 . 2012-03-29 17:00 160256 ----a-w- c:\windows\system32\wextract.exe
2012-03-29 17:00 . 2012-03-29 17:00 152064 ----a-w- c:\windows\SysWow64\wextract.exe
2012-03-29 17:00 . 2012-03-29 17:00 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2012-03-29 17:00 . 2012-03-29 17:00 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-03-29 17:00 . 2012-03-29 17:00 135168 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-03-29 17:00 . 2012-03-29 17:00 12288 ----a-w- c:\windows\system32\mshta.exe
2012-03-29 17:00 . 2012-03-29 17:00 11776 ----a-w- c:\windows\SysWow64\mshta.exe
2012-03-29 17:00 . 2012-03-29 17:00 114176 ----a-w- c:\windows\system32\admparse.dll
2012-03-29 17:00 . 2012-03-29 17:00 111616 ----a-w- c:\windows\system32\iesysprep.dll
2012-03-29 17:00 . 2012-03-29 17:00 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2012-03-29 17:00 . 2012-03-29 17:00 101888 ----a-w- c:\windows\SysWow64\admparse.dll
2012-03-28 21:11 . 2012-03-28 21:11 90112 ----a-w- c:\windows\MAMCityDownload.ocx
2012-03-28 21:11 . 2012-03-28 21:11 325552 ----a-w- c:\windows\MASetupCaller.dll
2012-03-28 21:11 . 2012-03-28 21:11 30568 ----a-w- c:\windows\MusiccityDownload.exe
2012-03-28 21:11 . 2012-03-28 21:11 974848 ----a-w- c:\windows\SysWow64\cis-2.4.dll
2012-03-28 21:11 . 2012-03-28 21:11 81920 ----a-w- c:\windows\SysWow64\issacapi_bs-2.3.dll
2012-03-28 21:11 . 2012-03-28 21:11 65536 ----a-w- c:\windows\SysWow64\issacapi_pe-2.3.dll
2012-03-28 21:11 . 2012-03-28 21:11 57344 ----a-w- c:\windows\SysWow64\MTXSYNCICON.dll
2012-03-28 21:11 . 2012-03-28 21:11 57344 ----a-w- c:\windows\SysWow64\MK_Lyric.dll
2012-03-28 21:11 . 2012-03-28 21:11 57344 ----a-w- c:\windows\SysWow64\issacapi_se-2.3.dll
2012-03-28 21:11 . 2012-03-28 21:11 491520 ----a-w- c:\windows\SysWow64\muzapp.dll
2012-03-28 21:11 . 2012-03-28 21:11 49152 ----a-w- c:\windows\SysWow64\MaJGUILib.dll
2012-03-28 21:11 . 2012-03-28 21:11 45320 ----a-w- c:\windows\SysWow64\MAMACExtract.dll
2012-03-28 21:11 . 2012-03-28 21:11 45056 ----a-w- c:\windows\SysWow64\MaXMLProto.dll
2012-03-28 21:11 . 2012-03-28 21:11 45056 ----a-w- c:\windows\SysWow64\MACXMLProto.dll
2012-03-28 21:11 . 2012-03-28 21:11 40960 ----a-w- c:\windows\SysWow64\MTTELECHIP.dll
2012-03-28 21:11 . 2012-03-28 21:11 352256 ----a-w- c:\windows\SysWow64\MSLUR71.dll
2012-03-28 21:11 . 2012-03-28 21:11 245760 ----a-w- c:\windows\SysWow64\MSCLib.dll
2012-03-28 21:11 . 2012-03-28 21:11 24576 ----a-w- c:\windows\SysWow64\MASetupCleaner.exe
2012-03-28 21:11 . 2012-03-28 21:11 200704 ----a-w- c:\windows\SysWow64\muzwmts.dll
2012-03-28 21:11 . 2012-03-28 21:11 155648 ----a-w- c:\windows\SysWow64\MSFLib.dll
2012-03-28 21:11 . 2012-03-28 21:11 135168 ----a-w- c:\windows\SysWow64\muzaf1.dll
2012-03-28 21:11 . 2012-03-28 21:11 118784 ----a-w- c:\windows\SysWow64\MaDRM.dll
2012-03-26 21:45 . 2012-03-26 21:45 56832 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2012-03-26 21:45 . 2012-03-26 21:45 37888 ----a-w- c:\windows\system32\drivers\taphss.sys
2012-03-01 00:02 . 2011-05-21 05:01 9717568 ----a-w- c:\windows\system32\nvwgf2umx.dll
2012-03-01 00:02 . 2011-05-21 05:01 7713088 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2012-03-01 00:02 . 2011-05-21 05:01 2660160 ----a-w- c:\windows\system32\nvapi64.dll
2012-03-01 00:02 . 2011-05-21 05:01 2301248 ----a-w- c:\windows\SysWow64\nvapi.dll
2012-02-29 21:00 . 2012-03-29 16:34 3089728 ----a-w- c:\windows\system32\nvsvc64.dll
2012-02-29 21:00 . 2012-03-29 16:34 6074176 ----a-w- c:\windows\system32\nvcpl.dll
2012-02-29 20:59 . 2012-03-29 16:34 889664 ----a-w- c:\windows\system32\nvvsvc.exe
2012-02-29 20:59 . 2012-03-29 16:34 63296 ----a-w- c:\windows\system32\nvshext.dll
2012-02-29 20:59 . 2012-03-29 16:34 118080 ----a-w- c:\windows\system32\nvmctray.dll
2012-02-29 12:26 . 2012-02-29 12:26 416064 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2012-02-28 05:26 . 2012-02-28 05:26 28160 ----a-w- c:\windows\system32\drivers\mcaudrv_x64.sys
2012-02-23 09:18 . 2012-03-29 17:07 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 06:38 . 2012-03-29 16:29 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2012-02-17 06:38 . 2012-03-29 16:29 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-29 16:29 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-29 16:29 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-29 16:29 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-10 06:36 . 2012-03-29 16:47 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-29 16:47 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-09 12:17 . 2012-03-29 17:30 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EABCA035-2720-4955-B226-63FDBB484463}\gapaengine.dll
2012-02-03 04:34 . 2012-03-29 16:47 3145728 ----a-w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\programdata\hssff ----
.
2012-04-27 21:41 . 2012-04-27 21:41 0 ----a-w- c:\programdata\hssff\lock
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-28_23.39.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-04-28 23:39 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-04-29 10:40 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-04-29 10:40 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-28 23:39 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-28 23:39 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-29 10:40 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-03-29 17:14 . 2012-04-29 10:42 43202 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-04-29 10:42 29218 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-03-29 16:40 . 2012-04-29 10:42 6588 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3143709083-168080101-3079108536-1001_UserData.bin
- 2012-04-28 23:39 . 2012-04-28 23:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-29 10:40 . 2012-04-29 10:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-28 23:39 . 2012-04-28 23:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-04-29 10:40 . 2012-04-29 10:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:01 . 2012-04-28 23:38 384276 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-04-29 01:48 384276 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-03-29 18:11 . 2012-04-29 01:48 9707376 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3143709083-168080101-3079108536-1001-12288.dat
- 2012-03-29 18:11 . 2012-04-28 23:38 9707376 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3143709083-168080101-3079108536-1001-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Adam\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Adam\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Adam\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-03-29 1242448]
"puush"="c:\program files (x86)\puush\puush.exe" [2012-04-16 565480]
"DisplayFusion"="c:\program files (x86)\DisplayFusion\DisplayFusion.exe" [2012-01-12 2789280]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-04-20 4786048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2012-03-31 3521424]
.
c:\users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Adam\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-4-26 27264496]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-04-05 158856]
R2 VMwareHostd;VMware Workstation Server;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe [2011-08-22 11837440]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-22 253088]
R3 CGVPNCliSrvc;CyberGhost VPN Client;c:\program files\CyberGhost VPN\CGVPNCliService.exe [2011-12-06 2430128]
R3 CV2K1;CommView Network Monitor;c:\windows\system32\DRIVERS\cv2k1.sys [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [x]
R3 dump_wmimmc;dump_wmimmc;c:\ijji\ENGLISH\Gunz\GameGuard\dump_wmimmc.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 51740536]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 TsVlb;TsVlb;c:\windows\system32\DRIVERS\tsvlb.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [x]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 TsVp;TsVp;c:\windows\system32\DRIVERS\tsvp.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 hshld;Hotspot Shield Service;c:\program files (x86)\Hotspot Shield\bin\openvpnas.exe [2012-04-10 542552]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files (x86)\Hotspot Shield\bin\hsswd.exe [2012-04-02 329544]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-03-01 2348352]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2011-10-14 994360]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe [2011-10-14 399416]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-02-29 382272]
S2 TeamViewer7;TeamViewer 7;c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-03-19 2666880]
S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2011-08-21 846448]
S2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);SysWOW64\drivers\vstor2-mntapi10-shared.sys [x]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [x]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [x]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
S3 LVUVC64;Logitech QuickCam Pro 9000(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]
S3 ManyCam;ManyCam Virtual Webcam;c:\windows\system32\DRIVERS\mcvidrv_x64.sys [x]
S3 mcaudrv_simple;ManyCam Virtual Microphone;c:\windows\system32\drivers\mcaudrv_x64.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]
S3 RTCore64;RTCore64;c:\program files (x86)\MSI Afterburner\RTCore64.sys [2010-05-27 14648]
S3 TSCOMM;CommStudio Virtual Adapter by TamoSoft;c:\windows\system32\DRIVERS\tscomm.sys [x]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\DRIVERS\vcsvad.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PSI
*NewlyCreated* - RTCORE64
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 21:57]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Adam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Adam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Adam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Adam\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 415816]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-03 2412616]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2010-08-03 4725320]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\vsocklib.dll
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\slwxz4h2.default\
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-04-29 11:52:09
ComboFix-quarantined-files.txt 2012-04-29 10:52
ComboFix2.txt 2012-04-28 23:43
.
Pre-Run: 848,217,710,592 bytes free
Post-Run: 848,167,374,848 bytes free
.
- - End Of File - - 89FC284A7DD93A744FD77CD3F9EF2B62


Malwarebytes log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.28.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Adam :: ADAM-PC [administrator]

29/04/2012 11:55:21
mbam-log-2012-04-29 (11-55-21).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 422697
Time elapsed: 25 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Qoobox\Quarantine\C\Users\Adam\AppData\Local\vqtjtshv\etlvesqm.exe.vir (Virus.Ramnit) -> No action taken.
C:\Qoobox\Quarantine\C\Users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\etlvesqm.exe.vir (Virus.Ramnit) -> No action taken.

(end)

#8 RPMcMurphy


    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 29 April 2012 - 09:37 AM

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java SE 6 Update 31
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u31-windows-i586.exe to install the newest version.
Go to this LINK to run an online scanner from ESET.
  • Note: For browsers other than Internet Explorer, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If you are using Internet Explorer, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running?
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#9 Hydrosere

  • Topic Starter

  • Members
  • 11 posts

Posted 29 April 2012 - 12:53 PM

ESET didn't find anything:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=831ea68263ccbc468453dc60b8daebf8
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-04-29 05:24:39
# local_time=2012-04-29 06:24:39 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 156608 156608 0 0
# compatibility_mode=5893 16776574 100 94 154843 88181800 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=216134

It seems to be running OK, but I still have the startup entries for the malware in msconfig.

#10 RPMcMurphy


    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 30 April 2012 - 08:33 AM

What are you seeing in msconfig that you consider suspicious?



#11 Hydrosere

  • Topic Starter

  • Members
  • 11 posts

Posted 02 May 2012 - 09:29 AM

These are the startup items that I consider suspicious:

http://puu.sh/sygO
http://puu.sh/sygU

Secondly, after running combofix I have this issue:

http://puu.sh/syht

Edited by RPMcMurphy, 02 May 2012 - 01:21 PM.


#12 RPMcMurphy


    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 02 May 2012 - 09:47 PM

Go ahead and re-install that driver. It may have been patched by malware or falsely detected and removed. I don't see any sign of those malicious startups in your logs, but let's take another look just to be sure:

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. I only need to see OTL.txt.
Please include the following in your next post:
  • OTL.txt log



#13 Hydrosere

  • Topic Starter

  • Members
  • 11 posts

Posted 03 May 2012 - 12:21 PM

OTL logfile created on: 03/05/2012 18:22:43 - Run 2
OTL by OldTimer - Version 3.2.42.1 Folder = C:\Users\Adam\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

5.99 Gb Total Physical Memory | 3.78 Gb Available Physical Memory | 63.08% Memory free
11.98 Gb Paging File | 9.42 Gb Available in Paging File | 78.66% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 931.41 Gb Total Space | 785.72 Gb Free Space | 84.36% Space Free | Partition Type: NTFS

Computer Name: ADAM-PC | User Name: Adam | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/02 23:55:42 | 000,924,600 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2012/05/01 18:26:29 | 000,076,888 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2012/04/28 01:55:08 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Adam\Desktop\OTL.exe
PRC - [2012/04/16 13:12:07 | 000,565,480 | ---- | M] () -- C:\Program Files (x86)\puush\puush.exe
PRC - [2012/04/11 00:59:14 | 000,542,552 | ---- | M] () -- C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
PRC - [2012/04/02 19:46:58 | 000,329,544 | ---- | M] () -- C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
PRC - [2012/03/19 12:38:47 | 002,666,880 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
PRC - [2012/03/01 01:02:00 | 002,348,352 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
PRC - [2012/02/29 13:26:46 | 000,382,272 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2012/01/18 06:44:52 | 000,450,848 | ---- | M] (Logitech Inc.) -- C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
PRC - [2011/11/15 19:26:48 | 000,363,336 | ---- | M] (AnchorFree Inc.) -- C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
PRC - [2011/08/22 17:07:32 | 000,354,416 | ---- | M] (VMware, Inc.) -- C:\Windows\SysWOW64\vmnetdhcp.exe
PRC - [2011/08/22 17:06:56 | 000,432,752 | ---- | M] (VMware, Inc.) -- C:\Windows\SysWOW64\vmnat.exe
PRC - [2011/08/22 16:34:52 | 011,837,440 | ---- | M] () -- C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe
PRC - [2011/08/22 15:28:42 | 000,079,872 | ---- | M] (VMware, Inc.) -- C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
PRC - [2011/02/15 12:20:22 | 000,364,544 | ---- | M] () -- C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
PRC - [2010/11/20 13:17:56 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
PRC - [2010/08/03 09:43:02 | 000,522,824 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe


========== Modules (No Company Name) ==========

MOD - [2012/05/02 23:55:42 | 001,952,696 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2012/04/22 22:57:15 | 008,797,344 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_233.dll
MOD - [2012/04/22 11:03:48 | 012,433,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\262285b3d0afafc5059f3fe9be69bff5\System.Windows.Forms.ni.dll
MOD - [2012/04/22 11:03:37 | 001,590,784 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\8177623eac8f15cf95b587625439eac7\System.Drawing.ni.dll
MOD - [2012/04/22 11:03:32 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\a1c4a635721f85bef0ea4194b888b871\System.Runtime.Remoting.ni.dll
MOD - [2012/04/22 11:03:23 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\9866d1f6178e1cde25642f1ac293ff8d\System.Xml.ni.dll
MOD - [2012/04/22 11:03:21 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\e620323cacb5b6bfd93fd28d263440e4\System.Configuration.ni.dll
MOD - [2012/04/22 11:03:20 | 007,967,232 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\faf4e8730ecbd07570111bb7c3b20565\System.ni.dll
MOD - [2012/04/22 11:03:17 | 011,490,304 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll
MOD - [2012/04/20 16:02:20 | 020,297,512 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\libcef.dll
MOD - [2012/04/20 16:02:15 | 001,099,576 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avcodec-53.dll
MOD - [2012/04/20 16:02:15 | 000,907,048 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\chromehtml.dll
MOD - [2012/04/20 16:02:15 | 000,190,776 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avformat-53.dll
MOD - [2012/04/20 16:02:15 | 000,123,192 | ---- | M] () -- C:\Program Files (x86)\Steam\bin\avutil-51.dll
MOD - [2012/04/16 13:12:07 | 000,565,480 | ---- | M] () -- C:\Program Files (x86)\puush\puush.exe
MOD - [2012/03/29 18:25:38 | 020,080,640 | ---- | M] () -- C:\Users\Adam\AppData\Roaming\Spotify\Data\libcef.dll
MOD - [2012/02/29 13:26:28 | 000,360,768 | ---- | M] () -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\Nv3DVStreaming.dll
MOD - [2012/01/08 14:41:12 | 000,093,696 | ---- | M] () -- C:\Program Files (x86)\FileZilla FTP Client\fzshellext.dll
MOD - [2011/02/15 12:20:22 | 000,364,544 | ---- | M] () -- C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe
MOD - [2011/02/15 12:20:08 | 000,061,440 | ---- | M] () -- C:\Program Files (x86)\MSI Afterburner\RTMUI.dll
MOD - [2011/02/15 12:20:02 | 000,278,528 | ---- | M] () -- C:\Program Files (x86)\MSI Afterburner\RTHAL.dll
MOD - [2011/02/15 12:19:44 | 000,229,376 | ---- | M] () -- C:\Program Files (x86)\MSI Afterburner\RTCore.dll
MOD - [2011/02/15 12:19:30 | 000,147,456 | ---- | M] () -- C:\Program Files (x86)\MSI Afterburner\RTUI.dll
MOD - [2011/02/15 12:19:20 | 000,061,440 | ---- | M] () -- C:\Program Files (x86)\MSI Afterburner\RTFC.dll
MOD - [2010/07/27 05:37:16 | 000,013,312 | ---- | M] () -- C:\Program Files (x86)\MSI Afterburner\RTTSH.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2012/03/26 18:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2012/03/26 18:49:56 | 000,012,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2012/03/22 11:14:30 | 000,097,552 | ---- | M] (SANDBOXIE L.T.D) [Auto | Running] -- C:\Program Files\Sandboxie\SbieSvc.exe -- (SbieSvc)
SRV:64bit: - [2011/12/06 13:54:14 | 002,430,128 | ---- | M] (mobile concepts GmbH) [On_Demand | Stopped] -- C:\Program Files\CyberGhost VPN\CGVPNCliService.exe -- (CGVPNCliSrvc)
SRV:64bit: - [2011/08/12 00:38:04 | 000,140,672 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCore64.exe -- (!SASCORE)
SRV:64bit: - [2009/07/14 02:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/14 02:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2012/05/02 23:55:42 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/05/01 18:26:29 | 000,076,888 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2012/04/22 22:57:16 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/04/20 16:02:21 | 000,489,256 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/04/11 01:06:10 | 000,077,520 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files (x86)\Hotspot Shield\bin\HSSTrayService.exe -- (HssTrayService)
SRV - [2012/04/11 00:59:14 | 000,542,552 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe -- (hshld)
SRV - [2012/04/05 11:37:38 | 000,158,856 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/04/02 19:46:58 | 000,329,544 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -- (HssWd)
SRV - [2012/03/19 12:38:47 | 002,666,880 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe -- (TeamViewer7)
SRV - [2012/03/01 01:02:00 | 002,348,352 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2012/02/29 13:26:46 | 000,382,272 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2012/01/18 06:44:52 | 000,450,848 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
SRV - [2011/11/15 19:26:48 | 000,363,336 | ---- | M] (AnchorFree Inc.) [Auto | Running] -- C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe -- (HssSrv)
SRV - [2011/08/22 17:07:32 | 000,354,416 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Windows\SysWOW64\vmnetdhcp.exe -- (VMnetDHCP)
SRV - [2011/08/22 17:06:56 | 000,432,752 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Windows\SysWOW64\vmnat.exe -- (VMware NAT Service)
SRV - [2011/08/22 16:34:52 | 011,837,440 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe -- (VMwareHostd)
SRV - [2011/08/22 15:28:42 | 000,079,872 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe -- (VMAuthdService)
SRV - [2011/08/21 23:11:28 | 000,846,448 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe -- (VMUSBArbService)
SRV - [2011/07/17 17:04:00 | 004,390,376 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\SysWOW64\GameMon.des -- (npggsvc)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/04/25 00:33:09 | 000,231,376 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\truecrypt.sys -- (truecrypt)
DRV:64bit: - [2012/04/17 23:48:24 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV:64bit: - [2012/03/26 22:45:18 | 000,056,832 | ---- | M] (AnchorFree Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HssDrv.sys -- (HssDrv)
DRV:64bit: - [2012/03/26 22:45:14 | 000,037,888 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\taphss.sys -- (taphss)
DRV:64bit: - [2012/03/22 11:14:28 | 000,163,480 | ---- | M] (SANDBOXIE L.T.D) [Kernel | On_Demand | Running] -- C:\Program Files\Sandboxie\SbieDrv.sys -- (SbieDrv)
DRV:64bit: - [2012/03/20 20:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2012/03/01 07:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012/02/28 06:26:10 | 000,028,160 | ---- | M] (ManyCam LLC) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mcaudrv_x64.sys -- (mcaudrv_simple)
DRV:64bit: - [2012/02/24 10:14:42 | 000,203,320 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssudmdm.sys -- (ssudmdm) SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.)
DRV:64bit: - [2012/02/24 10:14:42 | 000,099,384 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssudbus.sys -- (dg_ssudbus) SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.)
DRV:64bit: - [2012/01/18 06:44:36 | 004,865,568 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\lvuvc64.sys -- (LVUVC64) Logitech QuickCam Pro 9000(UVC)
DRV:64bit: - [2012/01/18 06:44:28 | 000,351,136 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\lvrs64.sys -- (LVRS64)
DRV:64bit: - [2012/01/17 13:45:56 | 000,188,224 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2011/12/21 05:32:42 | 000,034,304 | ---- | M] (ManyCam LLC) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mcvidrv_x64.sys -- (ManyCam)
DRV:64bit: - [2011/08/22 17:07:58 | 000,062,064 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\vmx86.sys -- (vmx86)
DRV:64bit: - [2011/08/22 17:06:14 | 000,030,320 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\vmnetuserif.sys -- (VMnetuserif)
DRV:64bit: - [2011/08/22 15:12:26 | 000,045,680 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\vmnetbridge.sys -- (VMnetBridge)
DRV:64bit: - [2011/08/22 15:12:26 | 000,020,080 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV:64bit: - [2011/08/21 23:11:26 | 000,039,024 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\hcmon.sys -- (hcmon)
DRV:64bit: - [2011/08/21 23:01:22 | 000,037,680 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vmusb.sys -- (vmusb)
DRV:64bit: - [2011/08/08 14:59:12 | 000,116,336 | ---- | M] (VMware, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vmci.sys -- (vmci)
DRV:64bit: - [2011/07/22 17:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2011/07/12 22:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2011/07/01 04:46:40 | 000,031,232 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tap0901.sys -- (tap0901)
DRV:64bit: - [2011/03/11 07:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 07:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/02/09 09:34:44 | 000,181,040 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mv61xx.sys -- (mv61xx)
DRV:64bit: - [2010/11/20 14:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 12:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 12:03:42 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2010/06/15 17:40:06 | 000,032,872 | ---- | M] (TamoSoft) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\tsvp.sys -- (TsVp)
DRV:64bit: - [2010/04/29 14:27:06 | 000,045,160 | ---- | M] (TamoSoft) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tscomm.sys -- (TSCOMM)
DRV:64bit: - [2010/04/21 13:14:04 | 000,022,120 | ---- | M] (TamoSoft) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsvlb.sys -- (TsVlb)
DRV:64bit: - [2010/04/01 12:33:07 | 000,021,608 | ---- | M] (TamoSoft) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\cv2k1.sys -- (CV2K1)
DRV:64bit: - [2009/11/23 17:38:00 | 000,016,008 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LGVirHid.sys -- (LGVirHid)
DRV:64bit: - [2009/11/23 17:37:50 | 000,022,408 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\LGBusEnum.sys -- (LGBusEnum)
DRV:64bit: - [2009/09/28 09:22:00 | 000,395,264 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\yk62x64.sys -- (yukonw7)
DRV:64bit: - [2009/07/14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2008/12/26 12:56:04 | 000,021,504 | ---- | M] (Avnex) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vcsvad.sys -- (VCSVADHWSer) Avnex Virtual Audio Device (WDM)
DRV:64bit: - [2005/03/29 01:30:38 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ASACPI.sys -- (MTsensor)
DRV - [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2004/12/31 16:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\npptNT2.sys -- (NPPTNT2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D8 E0 8A 00 AA 25 CD 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_2_202_233.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_233.dll ()
FF - HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.4: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=1.118.0: C:\Program Files (x86)\Battlelog Web Plugins\1.118.0\npesnlaunch.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.2.1: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Oracle\JavaFX 2.0 Runtime\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.2.1: C:\Program Files (x86)\Oracle\JavaFX 2.0 Runtime\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/05/02 23:55:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{6EE1F586-909F-11E1-826D-B8AC6F996F26}: C:\Users\Adam\AppData\Local\{6EE1F586-909F-11E1-826D-B8AC6F996F26}\ [2012/04/27 20:30:23 | 000,000,000 | ---D | M]

[2012/04/22 23:41:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Adam\AppData\Roaming\Mozilla\Extensions
[2012/05/02 13:54:57 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\slwxz4h2.default\extensions
[2012/05/02 23:55:44 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/04/07 00:23:39 | 000,000,000 | ---D | M] (Hotspot Shield Helper (Please allow this installation)) -- C:\Program Files (x86)\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
[2012/04/27 20:30:23 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\USERS\ADAM\APPDATA\LOCAL\{6EE1F586-909F-11E1-826D-B8AC6F996F26}
[2012/05/02 23:55:42 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/03/13 05:38:32 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/03/13 05:38:32 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/04/29 11:51:04 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.0 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O4:64bit: - HKLM..\Run: [Launch LCDMon] C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe (Logitech Inc.)
O4:64bit: - HKLM..\Run: [Launch LGDCore] C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe (Logitech Inc.)
O4:64bit: - HKLM..\Run: [Launch LgDeviceAgent] C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe (Logitech Inc.)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKCU..\Run: [puush] C:\Program Files (x86)\puush\puush.exe ()
O4 - HKCU..\Run: [Steam] C:\Program Files (x86)\Steam\steam.exe (Valve Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000011 - C:\Windows\SysNative\vsocklib.dll (VMware, Inc.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000012 - C:\Windows\SysNative\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\SysWOW64\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\SysWOW64\vsocklib.dll (VMware, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab (Java Plug-in 10.2.1)
O16 - DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.6.0_32)
O16 - DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab (Java Plug-in 1.7.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Java Plug-in 1.7.0_02)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1BBE82D2-A83D-4D5F-9D84-2162AEC67DCF}: DhcpNameServer = 192.168.1.1 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{67A37A7A-F402-45EE-81E7-EB13F776C22E}: DhcpNameServer = 10.47.48.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FF2842A4-9850-41C7-986F-E39DF4E83ED0}: DhcpNameServer = 10.11.0.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\ms-help - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/02 23:55:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service
[2012/05/02 23:55:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2012/05/01 20:13:27 | 000,000,000 | ---D | C] -- C:\Users\Adam\Desktop\norT
[2012/04/30 23:18:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client
[2012/04/29 22:11:32 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\TS3Client
[2012/04/29 22:10:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamSpeak 3 Client
[2012/04/29 22:10:53 | 000,000,000 | ---D | C] -- C:\Program Files\TeamSpeak 3 Client
[2012/04/29 22:08:48 | 000,000,000 | ---D | C] -- C:\ProgramData\boost_interprocess
[2012/04/29 21:47:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\VS Revo Group
[2012/04/29 21:47:48 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
[2012/04/29 16:56:59 | 016,987,936 | ---- | C] (Sun Microsystems, Inc.) -- C:\Users\Adam\Desktop\jre-6u32-windows-i586.exe
[2012/04/29 14:47:58 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/04/29 11:41:38 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Local\Secunia PSI
[2012/04/29 00:31:04 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/04/29 00:31:04 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/04/29 00:31:04 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/04/29 00:31:01 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/04/29 00:29:09 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/04/29 00:27:48 | 004,478,552 | R--- | C] (Swearware) -- C:\Users\Adam\Desktop\ComboFix.exe
[2012/04/28 22:24:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2012/04/28 22:24:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Skype
[2012/04/28 22:24:22 | 000,000,000 | R--D | C] -- C:\Program Files (x86)\Skype
[2012/04/28 17:38:44 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\TeamViewer
[2012/04/28 01:54:53 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Adam\Desktop\OTL.exe
[2012/04/28 01:48:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012/04/28 01:45:29 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\SUPERAntiSpyware.com
[2012/04/28 01:45:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2012/04/28 01:45:12 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012/04/28 01:45:12 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/04/27 23:01:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Secunia
[2012/04/27 22:41:47 | 000,000,000 | ---D | C] -- C:\ProgramData\hssff
[2012/04/27 22:12:13 | 000,000,000 | ---D | C] -- C:\AV-CLS
[2012/04/27 22:09:09 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Adam\Desktop\dds.scr
[2012/04/27 21:55:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2012/04/27 21:55:42 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2012/04/27 21:48:34 | 001,079,112 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Adam\Desktop\procexp64.exe
[2012/04/27 21:27:20 | 002,074,160 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Adam\Desktop\TDSSKiller.exe
[2012/04/27 21:20:06 | 004,777,280 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Users\Adam\Desktop\procexp.exe
[2012/04/27 20:34:04 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Smart Fortress 2012
[2012/04/27 20:33:42 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\Malwarebytes
[2012/04/27 20:33:35 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/04/27 20:33:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/04/27 20:33:35 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/04/27 20:33:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/04/27 20:30:23 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Local\{6EE1F586-909F-11E1-826D-B8AC6F996F26}
[2012/04/27 20:18:13 | 000,000,000 | ---D | C] -- C:\Windows\Sun
[2012/04/27 18:47:00 | 004,390,376 | ---- | C] (INCA Internet Co., Ltd.) -- C:\Windows\SysWow64\GameMon.des
[2012/04/27 18:46:43 | 000,004,682 | ---- | C] (INCA Internet Co., Ltd.) -- C:\Windows\SysWow64\npptNT2.sys
[2012/04/27 18:46:22 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\INCA Shared
[2012/04/27 18:25:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\REACTOR
[2012/04/27 17:56:43 | 000,000,000 | ---D | C] -- C:\Users\Adam\Documents\Downloads
[2012/04/26 17:03:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SecurityKISS Tunnel
[2012/04/25 20:39:36 | 000,000,000 | ---D | C] -- C:\Users\Adam\SD
[2012/04/25 20:20:09 | 000,000,000 | ---D | C] -- C:\Users\Adam\Documents\SelfMV
[2012/04/25 20:13:08 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\Temp
[2012/04/25 20:12:17 | 000,000,000 | ---D | C] -- C:\Temp
[2012/04/25 19:38:53 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Local\Samsung
[2012/04/25 19:38:32 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\Samsung
[2012/04/25 19:38:31 | 000,000,000 | ---D | C] -- C:\Users\Adam\Documents\samsung
[2012/04/25 19:37:55 | 000,203,320 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\Windows\SysNative\drivers\ssudmdm.sys
[2012/04/25 19:37:55 | 000,099,384 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\Windows\SysNative\drivers\ssudbus.sys
[2012/04/25 19:36:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung
[2012/04/25 19:36:53 | 004,659,712 | ---- | C] (Dmitry Streblechenko) -- C:\Windows\SysWow64\Redemption.dll
[2012/04/25 19:36:46 | 000,821,824 | ---- | C] (Devguru Co., Ltd.) -- C:\Windows\SysWow64\dgderapi.dll
[2012/04/25 19:36:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MarkAny
[2012/04/25 19:36:45 | 000,000,000 | -H-D | C] -- C:\Program Files (x86)\InstallShield Installation Information
[2012/04/25 19:36:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Samsung
[2012/04/25 19:36:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Samsung
[2012/04/25 19:35:36 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Local\Downloaded Installations
[2012/04/25 00:33:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TrueCrypt
[2012/04/25 00:33:09 | 000,231,376 | ---- | C] (TrueCrypt Foundation) -- C:\Windows\SysNative\drivers\truecrypt.sys
[2012/04/25 00:33:07 | 000,000,000 | ---D | C] -- C:\Program Files\TrueCrypt
[2012/04/22 23:41:40 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\Mozilla
[2012/04/20 22:41:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft SDKs
[2012/04/20 16:11:10 | 008,741,536 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerInstaller.exe
[2012/04/17 23:55:40 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Analysis Services
[2012/04/17 23:55:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Analysis Services
[2012/04/17 23:51:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
[2012/04/17 23:51:22 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Synchronization Services
[2012/04/17 23:51:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2012/04/17 23:51:09 | 000,000,000 | ---D | C] -- C:\Windows\PCHEALTH
[2012/04/17 23:51:09 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2012/04/17 23:50:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Office
[2012/04/17 23:50:29 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2012/04/17 23:50:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft Help
[2012/04/17 23:50:15 | 000,000,000 | R--D | C] -- C:\MSOCache
[2012/04/17 23:48:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DAEMON Tools Lite
[2012/04/17 23:48:24 | 000,283,200 | ---- | C] (DT Soft Ltd) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys
[2012/04/17 23:48:22 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\DAEMON Tools Lite
[2012/04/17 23:48:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DAEMON Tools Lite
[2012/04/17 23:47:24 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite
[2012/04/17 18:33:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\DisplayFusion
[2012/04/17 18:17:16 | 000,000,000 | ---D | C] -- C:\Users\Adam\Documents\DisplayFusion Backups
[2012/04/16 01:14:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\osu!
[2012/04/16 01:14:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\osu!
[2012/04/16 01:13:55 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\Downloaded Installations
[2012/04/15 22:25:59 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Local\Vagex
[2012/04/15 03:14:27 | 000,109,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mswinsck.ocx
[2012/04/15 03:12:42 | 000,152,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\COMDLG32.OCX
[2012/04/14 02:42:03 | 000,000,000 | ---D | C] -- C:\Users\Adam\Desktop\Microsoft SDKs
[2012/04/12 04:00:34 | 000,000,000 | ---D | C] -- C:\Users\Adam\Desktop\Icons
[2012/04/11 15:02:00 | 000,096,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2012/04/11 15:02:00 | 000,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2012/04/11 15:01:59 | 002,311,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2012/04/11 15:01:59 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2012/04/11 15:01:59 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2012/04/11 15:01:59 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2012/04/11 15:01:59 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2012/04/11 15:01:59 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2012/04/11 15:01:58 | 001,493,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2012/04/11 15:01:58 | 001,427,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2012/04/11 15:01:58 | 000,818,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2012/04/11 15:01:45 | 005,559,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2012/04/11 15:01:45 | 003,968,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2012/04/11 15:01:44 | 003,913,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2012/04/11 14:59:55 | 000,081,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\imagehlp.dll
[2012/04/11 14:59:55 | 000,023,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\fs_rec.sys
[2012/04/11 14:59:54 | 000,220,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wintrust.dll
[2012/04/11 02:23:40 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\NVIDIA
[2012/04/11 02:23:03 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\.minecraft
[2012/04/09 22:24:42 | 000,021,504 | ---- | C] (Avnex) -- C:\Windows\SysNative\drivers\vcsvad.sys
[2012/04/09 14:45:48 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft.NET
[2012/04/09 14:30:53 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Local\Oleksiy_Gapotchenko
[2012/04/08 21:00:43 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\Foxit Software
[2012/04/08 14:04:59 | 000,000,000 | ---D | C] -- C:\ProgramData\TamoSoft
[2012/04/08 14:04:59 | 000,000,000 | ---D | C] -- C:\Users\Adam\Documents\CommView
[2012/04/08 14:04:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CommView
[2012/04/08 14:04:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\CommView
[2012/04/08 04:41:17 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\Yahoo!
[2012/04/08 04:38:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Yahoo! Messenger
[2012/04/08 04:38:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Yahoo!
[2012/04/08 04:36:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Yahoo!
[2012/04/07 15:15:37 | 000,000,000 | ---D | C] -- C:\Users\Adam\Documents\Games for Windows - LIVE Demos
[2012/04/07 15:09:13 | 000,000,000 | ---D | C] -- C:\Users\Adam\Documents\Spartan
[2012/04/07 15:07:20 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\xlive
[2012/04/07 15:07:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Games for Windows - LIVE
[2012/04/07 14:53:51 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2012/04/07 00:44:28 | 000,031,232 | ---- | C] (The OpenVPN Project) -- C:\Windows\SysNative\drivers\tap0901.sys
[2012/04/07 00:44:26 | 000,000,000 | ---D | C] -- C:\Program Files\SecurityKISS Tunnel
[2012/04/07 00:24:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Hotspot Shield
[2012/04/07 00:24:15 | 000,000,000 | ---D | C] -- C:\Hotspot Shield
[2012/04/07 00:24:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotspot Shield
[2012/04/07 00:23:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Hotspot Shield
[2012/04/07 00:14:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenVPN
[2012/04/07 00:14:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltraVPN
[2012/04/07 00:14:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\UltraVPN
[2012/04/05 22:39:09 | 000,000,000 | R--D | C] -- C:\Users\Adam\Dropbox
[2012/04/05 22:37:23 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
[2012/04/05 22:36:18 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\Dropbox
[2012/04/05 17:26:08 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Local\join.me
[2012/04/05 02:37:56 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ManyCam
[2012/04/05 02:37:42 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\ManyCam
[2012/04/05 02:37:42 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Local\ManyCam
[2012/04/05 02:37:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ManyCam
[2012/04/05 02:37:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Ask
[2012/04/04 21:56:37 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Local\ESN Sonar
[2012/04/04 02:42:37 | 000,000,000 | ---D | C] -- C:\Users\Adam\Tracing
[2012/04/04 01:31:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KLC
[2012/04/04 01:31:53 | 001,077,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mscomctl.ocx
[2012/04/04 01:31:53 | 000,431,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\temp.000
[2012/04/04 01:31:53 | 000,203,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RICHTX32.OCX
[2012/04/04 01:31:53 | 000,061,491 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wbemdisp.TLB
[2012/04/04 01:31:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\KLC
[2012/04/03 21:06:17 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\FileZilla
[2012/04/03 19:31:23 | 000,000,000 | ---D | C] -- C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\proXPN
[2012/04/03 19:31:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\proXPN

========== Files - Modified Within 30 Days ==========

[2012/05/03 18:11:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/05/03 16:18:35 | 000,014,816 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/05/03 16:18:35 | 000,014,816 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/05/03 16:10:51 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/05/03 16:10:41 | 529,883,135 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/02 13:57:28 | 000,283,304 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.xtr
[2012/05/02 13:57:28 | 000,283,304 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2012/05/02 13:57:14 | 000,280,904 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrB.ex0
[2012/05/01 18:26:29 | 000,076,888 | ---- | M] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2012/04/30 23:26:04 | 000,475,416 | ---- | M] () -- C:\Users\Adam\Documents\fx-570_991ES_PLUS_E.pdf
[2012/04/30 23:19:02 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/04/30 23:18:53 | 000,791,884 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/04/30 23:18:53 | 000,656,750 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/04/30 23:18:53 | 000,123,108 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/04/30 23:17:44 | 000,000,669 | ---- | M] () -- C:\Users\Adam\Documents\URvQ2.gif
[2012/04/29 22:10:55 | 000,000,967 | ---- | M] () -- C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
[2012/04/29 22:00:09 | 000,000,260 | ---- | M] () -- C:\Users\Adam\Myprofile.ini
[2012/04/29 21:47:48 | 000,001,264 | ---- | M] () -- C:\Users\Adam\Desktop\Revo Uninstaller.lnk
[2012/04/29 16:55:12 | 016,987,936 | ---- | M] (Sun Microsystems, Inc.) -- C:\Users\Adam\Desktop\jre-6u32-windows-i586.exe
[2012/04/29 11:51:04 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/04/29 00:28:09 | 004,478,552 | R--- | M] (Swearware) -- C:\Users\Adam\Desktop\ComboFix.exe
[2012/04/28 22:24:24 | 000,002,515 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2012/04/28 21:45:15 | 000,000,512 | ---- | M] () -- C:\Users\Adam\Documents\MBR.dat
[2012/04/28 18:16:28 | 000,000,214 | ---- | M] () -- C:\Users\Adam\SecurityKISSTunnel.config
[2012/04/28 01:55:08 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Adam\Desktop\OTL.exe
[2012/04/28 01:45:16 | 000,001,808 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/04/28 01:18:50 | 000,294,216 | ---- | M] () -- C:\Users\Adam\Desktop\gmer.zip
[2012/04/28 00:56:42 | 000,000,168 | ---- | M] () -- C:\Users\Adam\defogger_reenable
[2012/04/27 22:09:11 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Adam\Desktop\dds.scr
[2012/04/27 22:08:28 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/04/27 21:55:42 | 000,002,971 | ---- | M] () -- C:\Users\Adam\Desktop\HiJackThis.lnk
[2012/04/27 21:48:34 | 001,079,112 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Adam\Desktop\procexp64.exe
[2012/04/27 21:41:43 | 000,786,482 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/04/27 21:34:19 | 000,000,047 | ---- | M] () -- C:\Users\Adam\AppData\Roaming\mbam.context.scan
[2012/04/27 21:19:15 | 004,777,280 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Users\Adam\Desktop\procexp.exe
[2012/04/27 18:48:24 | 000,075,609 | ---- | M] () -- C:\Windows\SysWow64\wbers.dat.dmp
[2012/04/26 17:03:28 | 000,000,865 | ---- | M] () -- C:\Users\Adam\Desktop\SecurityKISS Tunnel.lnk
[2012/04/25 19:38:20 | 000,001,953 | ---- | M] () -- C:\Users\Public\Desktop\Samsung Kies.lnk
[2012/04/25 19:36:56 | 000,001,977 | ---- | M] () -- C:\Users\Adam\Application Data\Microsoft\Internet Explorer\Quick Launch\Samsung Kies.lnk
[2012/04/25 00:33:10 | 000,000,875 | ---- | M] () -- C:\Users\Public\Desktop\TrueCrypt.lnk
[2012/04/25 00:33:09 | 000,231,376 | ---- | M] (TrueCrypt Foundation) -- C:\Windows\SysNative\drivers\truecrypt.sys
[2012/04/24 18:45:52 | 002,074,160 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Adam\Desktop\TDSSKiller.exe
[2012/04/24 00:32:12 | 000,001,818 | ---- | M] () -- C:\Windows\Sandboxie.ini
[2012/04/22 23:41:34 | 000,001,130 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/04/22 22:57:16 | 000,418,464 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2012/04/22 22:57:16 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2012/04/21 01:58:09 | 005,137,974 | ---- | M] () -- C:\Users\Adam\Untitled 7.avi
[2012/04/20 16:11:14 | 008,741,536 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerInstaller.exe
[2012/04/19 17:45:34 | 001,138,688 | ---- | M] () -- C:\Users\Adam\P1110243.JPG
[2012/04/19 17:40:10 | 000,710,641 | ---- | M] () -- C:\Users\Adam\flo_heart_tattoo.psd
[2012/04/19 17:37:25 | 001,525,090 | ---- | M] () -- C:\Users\Adam\P1000848.JPG
[2012/04/18 13:34:08 | 000,413,960 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/04/17 23:48:24 | 000,283,200 | ---- | M] (DT Soft Ltd) -- C:\Windows\SysNative\drivers\dtsoftbus01.sys
[2012/04/17 21:53:52 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2012/04/15 03:14:28 | 000,109,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\mswinsck.ocx
[2012/04/15 03:12:43 | 000,152,848 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\COMDLG32.OCX
[2012/04/14 04:33:11 | 000,046,081 | ---- | M] () -- C:\Users\Adam\Documents\me03.jpg
[2012/04/12 21:54:33 | 000,001,002 | ---- | M] () -- C:\Users\Adam\Desktop\Sandboxed Web Browser.lnk
[2012/04/09 20:31:53 | 000,000,260 | ---- | M] () -- C:\Users\Adam\dada.ini
[2012/04/08 14:04:58 | 000,001,837 | ---- | M] () -- C:\Users\Public\Desktop\CommView.lnk
[2012/04/08 04:38:52 | 000,001,161 | ---- | M] () -- C:\Users\Adam\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2012/04/07 02:44:24 | 000,052,017 | ---- | M] () -- C:\Users\Adam\Documents\ss.jpg
[2012/04/07 02:13:08 | 000,038,537 | ---- | M] () -- C:\Users\Adam\Documents\45768_148287121857592_100000289166604_384022_6929302_n.jpg
[2012/04/07 02:10:49 | 000,006,828 | ---- | M] () -- C:\Users\Adam\Documents\419661_115121305280914_100003491359524_59775_305565138_a.jpg
[2012/04/07 02:05:37 | 000,009,920 | ---- | M] () -- C:\Users\Adam\Documents\406845_114763938643303_100003290922976_73164_512012652_n.jpg
[2012/04/07 02:03:53 | 000,173,674 | ---- | M] () -- C:\Users\Adam\Documents\1.jpg
[2012/04/07 00:25:14 | 000,001,136 | ---- | M] () -- C:\Users\Public\Desktop\Hotspot Shield Launch.lnk
[2012/04/05 17:26:09 | 000,000,962 | ---- | M] () -- C:\Users\Adam\Desktop\join.me.lnk
[2012/04/05 02:37:56 | 000,001,131 | ---- | M] () -- C:\Users\Adam\Application Data\Microsoft\Internet Explorer\Quick Launch\ManyCam.lnk
[2012/04/05 02:37:56 | 000,001,107 | ---- | M] () -- C:\Users\Adam\Desktop\ManyCam.lnk
[2012/04/04 15:56:40 | 000,024,904 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2012/04/03 19:31:56 | 000,001,061 | ---- | M] () -- C:\Users\Adam\Desktop\proXPN.lnk

========== Files Created - No Company Name ==========


[2012/04/30 23:31:39 | 000,475,416 | ---- | C] () -- C:\Users\Adam\Documents\fx-570_991ES_PLUS_E.pdf
[2012/04/30 23:17:44 | 000,000,669 | ---- | C] () -- C:\Users\Adam\Documents\URvQ2.gif
[2012/04/29 22:10:55 | 000,000,967 | ---- | C] () -- C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
[2012/04/29 22:00:09 | 000,000,260 | ---- | C] () -- C:\Users\Adam\Myprofile.ini
[2012/04/29 21:47:48 | 000,001,264 | ---- | C] () -- C:\Users\Adam\Desktop\Revo Uninstaller.lnk
[2012/04/29 00:31:04 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/04/29 00:31:04 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/04/29 00:31:04 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/04/29 00:31:04 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/04/29 00:31:04 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/04/28 22:24:24 | 000,002,515 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2012/04/28 21:45:15 | 000,000,512 | ---- | C] () -- C:\Users\Adam\Documents\MBR.dat
[2012/04/28 01:45:16 | 000,001,808 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/04/28 01:18:27 | 000,294,216 | ---- | C] () -- C:\Users\Adam\Desktop\gmer.zip
[2012/04/28 00:56:42 | 000,000,168 | ---- | C] () -- C:\Users\Adam\defogger_reenable
[2012/04/27 21:55:42 | 000,002,971 | ---- | C] () -- C:\Users\Adam\Desktop\HiJackThis.lnk
[2012/04/27 21:23:12 | 000,000,047 | ---- | C] () -- C:\Users\Adam\AppData\Roaming\mbam.context.scan
[2012/04/27 20:33:35 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/04/27 18:48:23 | 000,075,609 | ---- | C] () -- C:\Windows\SysWow64\wbers.dat.dmp
[2012/04/27 18:46:43 | 000,005,174 | ---- | C] () -- C:\Windows\SysWow64\nppt9x.vxd
[2012/04/25 19:38:20 | 000,001,953 | ---- | C] () -- C:\Users\Public\Desktop\Samsung Kies.lnk
[2012/04/25 19:36:56 | 000,001,977 | ---- | C] () -- C:\Users\Adam\Application Data\Microsoft\Internet Explorer\Quick Launch\Samsung Kies.lnk
[2012/04/25 00:33:10 | 000,000,875 | ---- | C] () -- C:\Users\Public\Desktop\TrueCrypt.lnk
[2012/04/22 23:41:34 | 000,001,130 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/04/22 23:41:33 | 000,001,142 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/04/21 01:51:18 | 005,137,974 | ---- | C] () -- C:\Users\Adam\Untitled 7.avi
[2012/04/19 17:42:38 | 001,138,688 | ---- | C] () -- C:\Users\Adam\P1110243.JPG
[2012/04/19 17:39:53 | 000,710,641 | ---- | C] () -- C:\Users\Adam\flo_heart_tattoo.psd
[2012/04/19 17:36:56 | 001,525,090 | ---- | C] () -- C:\Users\Adam\P1000848.JPG
[2012/04/17 21:53:52 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
[2012/04/14 04:33:06 | 000,046,081 | ---- | C] () -- C:\Users\Adam\Documents\me03.jpg
[2012/04/09 20:31:53 | 000,000,260 | ---- | C] () -- C:\Users\Adam\dada.ini
[2012/04/08 14:04:58 | 000,001,837 | ---- | C] () -- C:\Users\Public\Desktop\CommView.lnk
[2012/04/08 04:38:52 | 000,001,161 | ---- | C] () -- C:\Users\Adam\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2012/04/07 15:07:12 | 000,001,338 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live ID.lnk
[2012/04/07 02:43:16 | 000,052,017 | ---- | C] () -- C:\Users\Adam\Documents\ss.jpg
[2012/04/07 02:12:46 | 000,038,537 | ---- | C] () -- C:\Users\Adam\Documents\45768_148287121857592_100000289166604_384022_6929302_n.jpg
[2012/04/07 02:10:32 | 000,006,828 | ---- | C] () -- C:\Users\Adam\Documents\419661_115121305280914_100003491359524_59775_305565138_a.jpg
[2012/04/07 02:05:30 | 000,009,920 | ---- | C] () -- C:\Users\Adam\Documents\406845_114763938643303_100003290922976_73164_512012652_n.jpg
[2012/04/07 02:02:50 | 000,173,674 | ---- | C] () -- C:\Users\Adam\Documents\1.jpg
[2012/04/07 00:45:37 | 000,000,214 | ---- | C] () -- C:\Users\Adam\SecurityKISSTunnel.config
[2012/04/07 00:44:29 | 000,000,865 | ---- | C] () -- C:\Users\Adam\Desktop\SecurityKISS Tunnel.lnk
[2012/04/07 00:25:14 | 000,001,136 | ---- | C] () -- C:\Users\Public\Desktop\Hotspot Shield Launch.lnk
[2012/04/05 17:26:08 | 000,000,970 | ---- | C] () -- C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\join.me.lnk
[2012/04/05 17:26:08 | 000,000,962 | ---- | C] () -- C:\Users\Adam\Desktop\join.me.lnk
[2012/04/05 02:37:56 | 000,001,131 | ---- | C] () -- C:\Users\Adam\Application Data\Microsoft\Internet Explorer\Quick Launch\ManyCam.lnk
[2012/04/05 02:37:56 | 000,001,107 | ---- | C] () -- C:\Users\Adam\Desktop\ManyCam.lnk
[2012/04/03 19:31:56 | 000,001,061 | ---- | C] () -- C:\Users\Adam\Desktop\proXPN.lnk
[2012/04/03 02:49:19 | 000,001,818 | ---- | C] () -- C:\Windows\Sandboxie.ini
[2012/03/30 19:25:11 | 000,283,304 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2012/03/30 19:25:09 | 000,076,888 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2012/03/29 18:21:05 | 000,791,884 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/03/28 22:11:08 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe
[2012/03/28 22:11:06 | 000,974,848 | ---- | C] () -- C:\Windows\SysWow64\cis-2.4.dll
[2012/03/28 22:11:06 | 000,081,920 | ---- | C] () -- C:\Windows\SysWow64\issacapi_bs-2.3.dll
[2012/03/28 22:11:06 | 000,065,536 | ---- | C] () -- C:\Windows\SysWow64\issacapi_pe-2.3.dll
[2012/03/28 22:11:06 | 000,057,344 | ---- | C] () -- C:\Windows\SysWow64\issacapi_se-2.3.dll
[2012/02/29 13:26:56 | 000,416,064 | ---- | C] () -- C:\Windows\SysWow64\nvStreaming.exe
[2012/01/18 06:44:00 | 010,920,984 | ---- | C] () -- C:\Windows\SysWow64\LogiDPP.dll
[2012/01/18 06:44:00 | 000,336,408 | ---- | C] () -- C:\Windows\SysWow64\DevManagerCore.dll
[2012/01/18 06:44:00 | 000,104,472 | ---- | C] () -- C:\Windows\SysWow64\LogiDPPApp.exe
[2011/09/28 17:44:14 | 000,179,271 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat

< End of report >

Edited by Hydrosere, 03 May 2012 - 12:29 PM.


#14 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:22 PM

Posted 03 May 2012 - 09:28 PM

Download Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Please download SystemLook from HERE and save it to your Desktop.
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following box into the main textfield:

    :filefind
    etlvesqm.*
    snexy.*
    :regfind
    etlvesqm
    snexy
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Please include the following in your next post:
  • SecurityCheck log
  • SystemLook log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#15 Hydrosere

Hydrosere
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:04:22 AM

Posted 04 May 2012 - 12:41 PM

Results of screen317's Security Check version 0.99.32
Windows 7 x64 (UAC is disabled!)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

JavaFX 2.0.2
JavaFX 2.0.2 SDK
Java™ 6 Update 32
Java™ 7 Update 2
Java™ SE Development Kit 7 Update 2
Mozilla Firefox (12.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
``````````End of Log````````````


You seemed to disregard vmonsf, Spoolsv and IMDCSC, so I decided to add them to the list:
:filefind
etlvesqm.*
snexy.*
vmonsf.*
Spoolsv.*
IMDCSC.*
:regfind
etlvesqm
snexy
vmonsf
Spoolsv
IMDCSC

Yes, I do realise that the spool service is part of Windows, but this isn't a Windows process.

SystemLook 27.08.10 by jpshortstuff
Log created at 18:34 on 04/05/2012 by Adam
Administrator - Elevation successful

========== filefind ==========

Searching for "etlvesqm.*"
No files found.

Searching for "snexy.*"
No files found.

Searching for "vmonsf.*"
No files found.

Searching for "Spoolsv.*"
C:\Windows\ERDNT\cache64\spoolsv.exe --a---- 559104 bytes [23:42 28/04/2012] [13:25 20/11/2010] B96C17B5DC1424D56EEA3A99E97428CD
C:\Windows\System32\spoolsv.exe --a---- 559104 bytes [11:04 31/03/2012] [13:25 20/11/2010] B96C17B5DC1424D56EEA3A99E97428CD
C:\Windows\System32\en-US\spoolsv.exe.mui --a---- 2048 bytes [05:35 14/07/2009] [02:26 14/07/2009] 94CE88DAA1DE0ADD84B929AF0607366A
C:\Windows\winsxs\amd64_microsoft-windows-p..oler-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_83cc51ad1b26becc\spoolsv.exe.mui --a---- 2048 bytes [05:35 14/07/2009] [02:26 14/07/2009] 94CE88DAA1DE0ADD84B929AF0607366A
C:\Windows\winsxs\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7600.16385_none_324094c8db39cbbd\spoolsv.exe --a---- 558080 bytes [00:39 14/07/2009] [01:39 14/07/2009] 89E8550C5862999FCF482EA562B0E98E
C:\Windows\winsxs\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7600.16661_none_3252392adb2d25f4\spoolsv.exe --a---- 558592 bytes [16:47 29/03/2012] [06:29 21/08/2010] F8E1FA03CB70D54A9892AC88B91D1E7B
C:\Windows\winsxs\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7600.20785_none_32ca3745f45762fc\spoolsv.exe --a---- 559104 bytes [16:47 29/03/2012] [05:38 20/08/2010] 8547491BE7086EE317163365D83A37D2
C:\Windows\winsxs\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7601.17514_none_3471a890d8284f57\spoolsv.exe --a---- 559104 bytes [11:04 31/03/2012] [13:25 20/11/2010] B96C17B5DC1424D56EEA3A99E97428CD

Searching for "IMDCSC.*"
No files found.

========== regfind ==========

Searching for "etlvesqm"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Adam^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^etlvesqm.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Adam^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^etlvesqm.exe]
"path"="C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\etlvesqm.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Adam^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^etlvesqm.exe]
"backup"="C:\Windows\pss\etlvesqm.exe.Startup"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Adam^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^etlvesqm.exe]
"command"="C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\etlvesqm.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Users^Adam^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^etlvesqm.exe]
"item"="etlvesqm"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EtlVesqm]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EtlVesqm]
"item"="EtlVesqm"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EtlVesqm]
"command"="C:\Users\Adam\AppData\Local\vqtjtshv\etlvesqm.exe"

Searching for "snexy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\snexy]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\snexy]
"item"="snexy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\snexy]
"command"="rundll32.exe "C:\Users\Adam\AppData\Local\Temp\snexy.dll",MatrixOrthoOffCenterRH"

Searching for "vmonsf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vmonsf]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vmonsf]
"item"="vmonsf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vmonsf]
"command"="rundll32.exe "C:\Users\Adam\AppData\Local\Temp\vmonsf.dll",HostAlloc"

Searching for "Spoolsv"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\spoolsv.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\spoolsv.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FTH]
"ExclusionList"="smss.exe csrss.exe wininit.exe services.exe lsass.exe lsm.exe svchost.exe winlogon.exe SLsvc.exe spoolsv.exe taskhost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Spool service]
"command"="C:\Users\Adam\AppData\Local\Temp\Spoolsv.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Resolvers]
"SystemBinariesList"="win32k.sys:winlogon.exe:EXPLORER.EXE:CSRSS.Exe:dwm.exe:logon.scr:logonui.exe:lsass.exe:lsm.exe:ntkrpamp.exe:ntoskrnl.exe:RUNDLL32.EXE:services.exe:sppsvc.exe:smss.exe:spoolsv.exe:svchost.exe:taskeng.exe:WinInit.exe:WISPTIS.EXE:dllhost.exe:dllhst3g.exe:cscript.exe:mmc.exe:msiexec.exe:upnpcont.exe:wscript.exe:WUDFHost.exe:dfsvc.exe:dfsvc.exe:fdbs.exe:ntfsbs.exe:memdiag.exe:NETFXSBS10.exe:applaunch.exe:aspnet_compiler.exe:aspnet_regbrowsers.exe:aspnet_regiis.exe:aspnet_regsql.exe:aspnet_state.exe:aspnet_wp.exe:caspol.exe:csc.exe:CVTRES.EXE:dfsvc.exe:dw20.exe:IEExec.exe:ilasm.exe:InstallUtil.exe:jsc.exe:MSBuild.exe:mscorsvw.exe:ngen.exe:RegAsm.exe::RegSvcs.exe:vbc.exe:TrustedInstaller.exe:Aurora.scr:AutoChk.Exe:AUTOFMT.EXE:CHKDSK.EXE:CHKNTFS.EXE:consent.exe:PnPUnattend.exe:PnPutil.exe:RacAgent.exe:fsquirt.exe:Uninst.exe:updateWmc.exe:wmdc.exe:wmdsync.exe:mofcomp.exe:ScrCons.exe:smi2smir.exe:unse
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\FTH]
"ExclusionList"="smss.exe csrss.exe wininit.exe services.exe lsass.exe lsm.exe svchost.exe winlogon.exe SLsvc.exe spoolsv.exe taskhost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\spoolsv.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Defaults\FirewallPolicy\FirewallRules]
"FPS-SpoolSvc-In-TCP-NoScope"="v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Defaults\FirewallPolicy\FirewallRules]
"FPS-SpoolSvc-In-TCP"="v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"FPS-SpoolSvc-In-TCP-NoScope"="v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"FPS-SpoolSvc-In-TCP"="v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Public|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{6A6DEBF6-8D26-4D60-81E3-A96144EAD353}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Spooler]
"DisplayName"="@%systemroot%\system32\spoolsv.exe,-1"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Spooler]
"ImagePath"="%SystemRoot%\System32\spoolsv.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Spooler]
"Description"="@%systemroot%\system32\spoolsv.exe,-2"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Defaults\FirewallPolicy\FirewallRules]
"FPS-SpoolSvc-In-TCP-NoScope"="v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Defaults\FirewallPolicy\FirewallRules]
"FPS-SpoolSvc-In-TCP"="v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"FPS-SpoolSvc-In-TCP-NoScope"="v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"FPS-SpoolSvc-In-TCP"="v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Public|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{6A6DEBF6-8D26-4D60-81E3-A96144EAD353}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Spooler]
"DisplayName"="@%systemroot%\system32\spoolsv.exe,-1"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Spooler]
"ImagePath"="%SystemRoot%\System32\spoolsv.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Spooler]
"Description"="@%systemroot%\system32\spoolsv.exe,-2"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Defaults\FirewallPolicy\FirewallRules]
"FPS-SpoolSvc-In-TCP-NoScope"="v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Defaults\FirewallPolicy\FirewallRules]
"FPS-SpoolSvc-In-TCP"="v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"FPS-SpoolSvc-In-TCP-NoScope"="v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Domain|LPort=RPC|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"FPS-SpoolSvc-In-TCP"="v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Public|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{6A6DEBF6-8D26-4D60-81E3-A96144EAD353}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|Desc=@FirewallAPI.dll,-28538|EmbedCtxt=@FirewallAPI.dll,-28502|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler]
"DisplayName"="@%systemroot%\system32\spoolsv.exe,-1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler]
"ImagePath"="%SystemRoot%\System32\spoolsv.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler]
"Description"="@%systemroot%\system32\spoolsv.exe,-2"
[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\FE\52C64B7E]
"@%systemroot%\system32\spoolsv.exe,-1"="Print Spooler"
[HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\MuiCache\FE\52C64B7E]
"@%systemroot%\system32\spoolsv.exe,-1"="Print Spooler"

Searching for "IMDCSC"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Dark]
"command"="C:\Users\Adam\AppData\Roaming\DCSCMIN\IMDCSC.exe"

-= EOF =-
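An added triage helper for the registry search output above (example code written for this page; it is not part of the original post and not part of the tool that produced the log). It parses the [key] / "name"="value" lines, decodes the v2.10|Action=...|App=... Windows Firewall rule strings so the Profile/Active/App fields can be inspected, keeps only the live inbound Allow rules (the Parameters\FirewallPolicy\FirewallRules keys; the Defaults\ keys are the reset templates and do not admit traffic), and flags any startup or service command whose executable lives outside %SystemRoot%\system32 or Program Files. The sample log is a constructed excerpt of the entries shown above; the trusted-prefix list and all function names are assumptions for the example, and the AppData hit is flagged because of where the binary lives, not because of its name.

```python
"""Triage helper for a SystemLook-style registry search log (added example).

Parses [key] / "name"="value" lines, decodes Windows Firewall rule strings
(the 'v2.10|k=v|...' format stored under ...\\FirewallPolicy\\FirewallRules)
and flags startup/service commands whose binary sits in an unusual place.
"""
import re
from typing import Dict, List, Tuple

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Assumed allow-list: where a service binary or startup item normally lives.
TRUSTED_PREFIXES = (
    r"%systemroot%\system32",
    r"c:\windows\system32",
    r"c:\program files (x86)",
    r"c:\program files",
)

# Constructed excerpt of the log entries quoted in the post (not a real capture).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Defaults\FirewallPolicy\FirewallRules]
"FPS-SpoolSvc-In-TCP"="v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|Profile=Public|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"FPS-SpoolSvc-In-TCP"="v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Public|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{6A6DEBF6-8D26-4D60-81E3-A96144EAD353}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|LPort=RPC|RA4=LocalSubnet|RA6=LocalSubnet|App=%SystemRoot%\system32\spoolsv.exe|Svc=Spooler|Name=@FirewallAPI.dll,-28535|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler]
"ImagePath"="%SystemRoot%\System32\spoolsv.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Dark]
"command"="C:\Users\Adam\AppData\Roaming\DCSCMIN\IMDCSC.exe"
"""


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, value_data) triples; values belong to the
    most recent [key] line above them."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("data")))
    return entries


def parse_firewall_rule(data: str) -> Dict[str, List[str]]:
    """Decode 'v2.10|Action=Allow|Profile=Private|Profile=Public|...' into a
    dict of lists; keys such as Profile legitimately repeat."""
    fields = data.split("|")
    rule: Dict[str, List[str]] = {"Version": [fields[0]]}
    for field in fields[1:]:
        if "=" in field:
            k, v = field.split("=", 1)
            rule.setdefault(k, []).append(v)
    return rule


def live_inbound_allows(entries) -> List[Tuple[str, str, List[str]]]:
    """Rules that actually admit traffic: stored under Parameters\\ (not the
    Defaults\\ templates), Action=Allow, Dir=In and Active=TRUE."""
    result = []
    for key, name, data in entries:
        if not key.endswith("FirewallPolicy\\FirewallRules") or "\\Defaults\\" in key:
            continue
        rule = parse_firewall_rule(data)
        if (rule.get("Action") == ["Allow"] and rule.get("Dir") == ["In"]
                and rule.get("Active") == ["TRUE"]):
            result.append((name, rule.get("App", [""])[0], rule.get("Profile", [])))
    return result


def executable_path(command: str) -> str:
    """Best-effort image path from a command line ('"C:\\x y\\a.exe" -q' or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(?i)^(.*?\.exe)", command)
    return m.group(1) if m else (command.split() or [command])[0]


def suspicious_startup(entries) -> List[Tuple[str, str]]:
    """Startup items (Run keys, msconfig's startupreg) and service ImagePaths
    whose executable is outside TRUSTED_PREFIXES, e.g. under a user's AppData."""
    hits = []
    for key, name, data in entries:
        is_startup = "\\MSConfig\\startupreg\\" in key or "\\CurrentVersion\\Run" in key
        is_service = "\\services\\" in key and name == "ImagePath"
        if not (is_startup or is_service):
            continue
        path = executable_path(data)
        if not any(path.lower().startswith(p) for p in TRUSTED_PREFIXES):
            hits.append((key.rsplit("\\", 1)[-1], path))
    return hits


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for name, app, profiles in live_inbound_allows(parsed):
        print(f"live inbound allow: {name} app={app} profiles={profiles}")
    for leaf, path in suspicious_startup(parsed):
        print(f"startup/service outside trusted dirs: {leaf} -> {path}")
```

Note that an entry under MSConfig\startupreg is an item msconfig has disabled, not a currently running autostart; the helper still reports it because the binary is still on disk and re-enabling it is one checkbox away. Run it over the full log instead of the excerpt to get every live firewall rule and every out-of-place startup path in one pass.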
