Hijacked


36 replies to this topic

#1 Notsol337

  • Members
  • 20 posts

Posted 24 May 2012 - 06:28 PM

Hello Bleeping crew, I have recently been the victim of cyber-crime. Currently, my PC running Windows 7 64bit with service pack 3 and my laptop running Vista are infected with a nasty Trojan and probably several different types of spyware too. For the sake of safety, I'm using my iPod touch to create this post. The reason being, I don't think my firewall is usable right now on my other systems. I say this because I have been using your helpful forums to try and deal with my issues myself, but to no avail. I'm going to be long-winded in my descriptions and explanations (I'm a writer). About a week ago, I noticed that my PC was acting strange, just an overall glitchiness. Then, when trying to scan my PC with my Panda Global Protection 2012, I noticed that some of the features were turned off. I was unable to update or turn them back on (the features, i.e. antivirus, firewall, identity protection). I have always used Panda products with no problems in the past. I use the PGP firewall instead of the W7 one. I checked my PC with free versions of Spybot S&D and Malwarebytes. Neither helped; in fact they would either run and find nothing too malicious or just close before completing. Left it for a day. Next morning, I was contacted by phone by someone posing as a Microsoft security specialist, who did their best to con me out of money and CC/banking info. I was wary of having them help me for many reasons (I won't bother to explain these) but the man seemed to know a hell of a lot about my system so, (stupidly) I allowed them to remotely connect to my PC to help me. Long story short, they didn't get what they wanted, and have since been reported. O.K. So, now I was mad and determined to figure out what was wrong with my PC and laptop. Using your and other computer help forums I've attempted to investigate, remove and repair my units. Sadly, to no avail.

Here is what I've done and found:

Using another clean PC I dl'd Rkill (I am aware of the warnings you've given on the programs I will mention) and ComboFix. I thought at first that I might have the Conficker virus. I dl'd the reg fix that is supposed to allow you to enable your antivirus/malware/spyware programs if your registry has been changed. I tried HijackThis, Avast, Kaspersky, supermalware protector, USB Vaccine (Panda, to be sure I wasn't transferring bad files to the clean PC), Microsoft Security Essentials, Windows Defender, Housecall.

When doing scans this is what I found:
C:\>Windows\system32\SysWow64\. On my PC

C:\Windows\System32\conime.exe. On my Laptop

Others (Superspyware hunter) found and deleted a myriad of spyware programs

Ones I see and suspect are problematic: Isass.exe, svchost.exe, explorer.exe

I have found others through combofix and Rkill, too

Sooo, I am ready and willing to go online and do the DDS and Defogger actions and post them, but whereas I'm not sure I can trust my firewall I wanted to know for sure if you wanted me to proceed in this manner.

Will await your expertise, thank you.


#2 nasdaq

  • Malware Response Team
  • 40,456 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 May 2012 - 09:31 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Let's start by reviewing these logs.

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Include a copy of the DDS log for my review.

Please post the logs requested above.

#3 Notsol337
  • Topic Starter

  • Members
  • 20 posts

Posted 30 May 2012 - 07:14 PM

Thank you for getting back to me Nasdaq, I realize you people must be busy with the work you do. Here's the situation. I have logs from TDSSKiller which I will post along with the MBR.txt log and MBR.Bat (Zip). I cannot download DDS off of your link page for some reason. All other dl's work fine though. Incidentally, in my earlier message I said that I had attempted a lot of scans myself. In doing so, I have quite a few different antivirus and malware scanning programs installed. Should I have deleted these first before attempting these logs? Secondly, should I use Defogger or Revo before going ahead with any of your steps?

Anyhow, here are the scan logs I was able to complete:

Attached file: aswMBR.txt (1.97KB)
Attached file: TDSSKiller.2.7.36.0_30.05.2012_15.55.33_log.txt (262.44KB)
Attached file: MBR.zip (559 bytes)

#4 nasdaq

  • Malware Response Team
  • 40,456 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 May 2012 - 08:26 AM

Nothing suspicious was found on your logs.

Strange that you cannot download DDS.
There are 3 programs available. Can you try these links? Right click on the link and open in a new tab.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

If still unable to download try this one.

  • Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    explorer.exe
    svchost.exe
    userinit.exe
    qmgr.dll
    proquota.exe
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    Beep.SYS
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    ahcix86.sys
    srsvc.dll
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
===

#5 Notsol337
  • Topic Starter

  • Members
  • 20 posts

Posted 31 May 2012 - 10:04 PM

Here is my DDS log:


.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 9.0.8112.16421
Run by Administrator at 19:58:05 on 2012-05-31
Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.8189.7048 [GMT -7:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] C:\Users\Administrator\Desktop\SUPERAntiSpyware.exe
mRun: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
mRun: [APVXDWIN] "C:\Program Files (x86)\Panda Security\Panda Global Protection 2012\APVXDWIN.EXE" /s
mRun: [SCANINICIO] "C:\Program Files (x86)\Panda Security\Panda Global Protection 2012\Inicio.exe"
mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mRunOnce: [GrpConv] grpconv -o
mRunOnce: [InstallShieldSetup] C:\PROGRA~2\INSTAL~1\{81A25~1\SETUP.exe -rebootC:\PROGRA~2\INSTAL~1\{81A25~1\reboot.ini -l0x9
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{0AFF647C-E2FE-49CB-9231-474D5C25352D} : DhcpNameServer = 172.16.0.1
TCP: Interfaces\{E77B2A22-FE43-4979-AEF3-13AC16436DA5} : DhcpNameServer = 10.0.0.1
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
TB-X64: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
mRun-x64: [APVXDWIN] "C:\Program Files (x86)\Panda Security\Panda Global Protection 2012\APVXDWIN.EXE" /s
mRun-x64: [SCANINICIO] "C:\Program Files (x86)\Panda Security\Panda Global Protection 2012\Inicio.exe"
mRunOnce-x64: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
mRunOnce-x64: [GrpConv] grpconv -o
mRunOnce-x64: [InstallShieldSetup] C:\PROGRA~2\INSTAL~1\{81A25~1\SETUP.exe -rebootC:\PROGRA~2\INSTAL~1\{81A25~1\reboot.ini -l0x9
IE-X64: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 JSWPSLWF;JumpStart Wireless Filter Driver;C:\Windows\system32\DRIVERS\jswpslwfx.sys --> C:\Windows\system32\DRIVERS\jswpslwfx.sys [?]
R1 VWiFiFlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 CompFilter64;UVCCompositeFilter;C:\Windows\system32\DRIVERS\lvbflt64.sys --> C:\Windows\system32\DRIVERS\lvbflt64.sys [?]
R3 NETIMFLT01060044;PANDA NDIS IM Filter Miniport v1.6.0.44;C:\Windows\system32\DRIVERS\n64i1644.sys --> C:\Windows\system32\DRIVERS\n64i1644.sys [?]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S0 pavboot;Panda boot driver;C:\Windows\system32\Drivers\pavboot64.sys --> C:\Windows\system32\Drivers\pavboot64.sys [?]
S1 AppleCharger;AppleCharger;C:\Windows\system32\DRIVERS\AppleCharger.sys --> C:\Windows\system32\DRIVERS\AppleCharger.sys [?]
S2 !SASCORE;SAS Core Service;"C:\Users\Administrator\Desktop\SASCORE64.EXE" --> C:\Users\Administrator\Desktop\SASCORE64.EXE [?]
S2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/28 20:27:57];C:\Program Files (x86)\CyberLink\PowerDVD10\NavFilter\000.fcl [2010-11-17 146928]
S2 AmFSM;AmFSM;C:\Windows\system32\DRIVERS\amm6460.sys --> C:\Windows\system32\DRIVERS\amm6460.sys [?]
S2 APPFLT;App Filter Plugin;\??\C:\Windows\system32\Drivers\APPFLT64.SYS --> C:\Windows\system32\Drivers\APPFLT64.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 DSAFLT;DSA Filter Plugin;\??\C:\Windows\system32\Drivers\DSAFLT64.SYS --> C:\Windows\system32\Drivers\DSAFLT64.SYS [?]
S2 FNETMON;NetMon Filter Plugin;\??\C:\Windows\system32\Drivers\fnetm64.SYS --> C:\Windows\system32\Drivers\fnetm64.SYS [?]
S2 IDSFLT;Ids Filter Plugin;\??\C:\Windows\system32\Drivers\IDSFLT64.SYS --> C:\Windows\system32\Drivers\IDSFLT64.SYS [?]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-5-22 654408]
S2 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\Windows\system32\Drivers\NETTDI64.SYS --> C:\Windows\system32\Drivers\NETTDI64.SYS [?]
S2 Panda Software Controller;Panda Software Controller;C:\Program Files (x86)\Panda Security\Panda Global Protection 2012\PsCtrlS.exe [2012-5-22 173312]
S2 PAVFNSVR;Panda Function Service;C:\Program Files (x86)\Panda Security\Panda Global Protection 2012\PavFnSvr.exe [2012-5-22 202048]
S2 PAVSRV;Panda anti-virus service;C:\Program Files (x86)\Panda Security\Panda Global Protection 2012\pavsrvx86.exe [2012-5-22 314176]
S2 PskSvcRetail;Panda PSK service;C:\Program Files (x86)\Panda Security\Panda Global Protection 2012\psksvc.exe [2012-5-22 28992]
S2 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\Windows\system32\Drivers\WNMFLT64.SYS --> C:\Windows\system32\Drivers\WNMFLT64.SYS [?]
S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
S3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;\??\C:\Windows\system32\drivers\BVRPMPR5a64.SYS --> C:\Windows\system32\drivers\BVRPMPR5a64.SYS [?]
S3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\system32\DRIVERS\LVPr2M64.sys --> C:\Windows\system32\DRIVERS\LVPr2M64.sys [?]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]
S3 lvsels64;Logitech Selective Suspend Filter;C:\Windows\system32\DRIVERS\lvsels64.sys --> C:\Windows\system32\DRIVERS\lvsels64.sys [?]
S3 LVUVC64;Logitech HD Pro Webcam C910(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]
S3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 rtkio;rtkio;C:\Program Files (x86)\Realtek\Smart Dual Lan\rtkio.sys [2011-2-20 17392]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
S4 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S4 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-1-4 354304]
S4 AMD Reservation Manager;AMD Reservation Manager;C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-6-17 194496]
S4 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-3-19 136176]
S4 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-3-19 136176]
S4 JMB36X;JMB36X;C:\Windows\SysWOW64\XSrvSetup.exe [2011-2-20 72304]
S4 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-3-4 1153368]
S4 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-1-18 450848]
.
=============== File Associations ===============
.
inffile=%SystemRoot%\SysWow64\NOTEPAD.EXE %1
JSEFile=C:\PROGRA~2\PANDAS~1\PANDAG~1\PavScrip.exe "%1" %*
VBEFile=C:\PROGRA~2\PANDAS~1\PANDAG~1\PavScrip.exe "%1" %*
VBSFile=C:\PROGRA~2\PANDAS~1\PANDAG~1\PavScrip.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-05-23 01:46:07 82952 ----a-w- C:\Windows\System32\drivers\dsaflt64.sys
2012-05-23 01:46:07 78920 ----a-w- C:\Windows\System32\drivers\idsflt64.sys
2012-05-23 01:46:07 74760 ----a-w- C:\Windows\System32\drivers\wnmflt64.sys
2012-05-23 01:33:51 -------- d-----w- C:\Users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2012-05-23 01:33:51 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-05-23 00:53:20 -------- d-sh--w- C:\$RECYCLE.BIN
2012-05-23 00:51:18 -------- d-----w- C:\Users\Administrator\Tracing
2012-05-23 00:00:14 -------- d-----w- C:\ComboFix
2012-05-22 23:40:23 -------- d-----w- C:\dull
2012-05-22 21:48:32 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-05-22 21:38:29 -------- d-----w- C:\Users\Administrator\Pavark
2012-05-22 21:32:09 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-22 04:42:22 -------- d-----w- C:\Users\Administrator\AppData\Roaming\Malwarebytes
2012-05-21 19:07:25 98816 ----a-w- C:\Windows\sed.exe
2012-05-21 19:07:25 518144 ----a-w- C:\Windows\SWREG.exe
2012-05-21 19:07:25 256000 ----a-w- C:\Windows\PEV.exe
2012-05-21 19:07:25 184320 ----a-w- C:\Windows\MBR.exe
2012-05-21 09:44:06 87872 ----a-w- C:\Windows\SysWow64\PavLspHookWow.dll
2012-05-21 09:44:06 114496 ----a-w- C:\Windows\System32\PavLspHook64.dll
2012-05-21 09:44:05 -------- d-----w- C:\Users\Administrator\AppData\Roaming\Panda Security
2012-05-21 04:23:18 200976 ----a-w- C:\Windows\SysWow64\drivers\tmcomm.sys
2012-05-21 01:04:39 -------- d-----w- C:\Windows\pss
2012-05-20 23:52:53 -------- d-----w- C:\Users\Administrator\AppData\Local\CRE
2012-05-20 20:41:43 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-05-20 20:41:43 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-05-20 20:41:43 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-05-20 20:41:43 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-05-20 20:41:43 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-05-20 20:41:43 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-05-20 20:41:43 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-05-20 02:20:09 1544704 ----a-w- C:\Windows\System32\DWrite.dll
2012-05-20 02:20:09 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-05-20 02:20:07 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-20 02:20:05 3146240 ----a-w- C:\Windows\System32\win32k.sys
2012-05-20 02:20:03 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-20 02:20:03 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-05-20 02:18:48 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys
2012-05-20 02:17:01 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-05-20 02:16:57 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2012-05-20 02:16:56 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-20 02:16:56 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2012-05-20 02:16:56 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2012-05-20 02:16:56 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-20 01:57:32 8955792 ------w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{47A2419B-E200-49AA-B300-A26D6A95ACD4}\mpengine.dll
2012-05-20 00:58:32 -------- d-----w- C:\Program Files (x86)\Panda USB Vaccine
2012-05-20 00:27:24 -------- d-----w- C:\Windows\SysWow64\BestPractices
2012-05-20 00:27:24 -------- d-----w- C:\Windows\System32\BestPractices
2012-05-20 00:27:24 -------- d-----w- C:\inetpub
2012-05-15 04:09:57 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2012-04-19 03:56:30 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2012-04-19 03:56:30 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2012-02-28 00:51:47 3628016 ----a-w- C:\Program Files\ccsetup316.exe
.
============= FINISH: 19:59:05.17 ===============
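As an added example, not part of this thread or of the DDS tool itself: a short Python triage pass over a DDS log in the layout posted above. It pulls out the lines a helper reads first (a security product that reports itself disabled in the header, BHO/toolbar entries marked "No File", hosts-file overrides such as the spywareinfo.com line, and services whose image path is relative or could not be checked), skips the "[?]" marker on system32 drivers because it appears on nearly every 64-bit driver in the log above, and treats each hit as something to review rather than a verdict. The embedded sample log is a constructed abridgement of the one posted.

```python
import re
from typing import Dict, List, Tuple

# Constructed, abridged sample in the DDS log layout posted in this thread
# (section banners, '.' filler lines, 'No File' entries, a 'Hosts:' line,
# and 'R?/S? name;description;image' service lines).
SAMPLE_DDS = r"""DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Run by Administrator at 19:58:05 on 2012-05-31
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Pseudo HJT Report ===============
.
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 JSWPSLWF;JumpStart Wireless Filter Driver;C:\Windows\system32\DRIVERS\jswpslwfx.sys --> C:\Windows\system32\DRIVERS\jswpslwfx.sys [?]
S2 APPFLT;App Filter Plugin;\??\C:\Windows\system32\Drivers\APPFLT64.SYS --> C:\Windows\system32\Drivers\APPFLT64.SYS [?]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-5-22 654408]
S3 AppleChargerSrv;AppleChargerSrv;system32\AppleChargerSrv.exe --> system32\AppleChargerSrv.exe [?]
S2 !SASCORE;SAS Core Service;"C:\Users\Administrator\Desktop\SASCORE64.EXE" --> C:\Users\Administrator\Desktop\SASCORE64.EXE [?]
.
============= FINISH: 19:59:05.17 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# 'R1 name;description;image' where image is 'path [date size]' or 'path --> path [?]'
ENTRY_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
NT_PREFIX_RE = re.compile(r"^\\\?\?\\")  # strips the '\??\' NT object-path prefix
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

Finding = Tuple[str, str, str]  # (check, item, note)


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group log lines under their '=== Name ===' banner, dropping the '.' filler DDS prints."""
    sections: Dict[str, List[str]] = {"HEADER": []}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections


def triage(text: str) -> List[Finding]:
    """Return review hints from a DDS log; none of them is a verdict on its own."""
    sections = split_sections(text)
    findings: List[Finding] = []

    # The header lists AV:/SP:/FW: products with their state; a product that
    # reports itself *Disabled* matches what the poster described.
    for line in sections["HEADER"]:
        if line[:3] in ("AV:", "SP:", "FW:") and "*Disabled" in line:
            findings.append(("protection-disabled", line.split("*")[0].strip(),
                             "security product reports itself disabled"))

    for line in sections.get("Pseudo HJT Report", []):
        if line.endswith("- No File"):
            findings.append(("orphan-registration", line,
                             "registry entry points at a file that no longer exists"))
        hosts = HOSTS_RE.match(line)
        if hosts and hosts.group(2).lower() not in LOCAL_NAMES:
            findings.append(("hosts-override", hosts.group(2),
                             f"pinned to {hosts.group(1)} by the hosts file"))

    for line in sections.get("SERVICES / DRIVERS", []):
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        state, name, _description, image = entry.groups()
        path = NT_PREFIX_RE.sub("", image.split(" --> ")[0].strip().strip('"'))
        unverified = image.endswith("[?]")  # DDS could not stat the file
        in_system32 = "\\windows\\system32\\" in path.lower()
        if not re.match(r"^[a-z]:\\", path, re.IGNORECASE):
            findings.append(("relative-image-path", name,
                             f"{state} entry has no drive letter: {path}"))
        elif unverified and not in_system32:
            # '[?]' on system32 drivers is routine in 64-bit DDS logs (the 32-bit
            # tool is redirected away from them), so only other paths are surfaced.
            findings.append(("unverified-image", name, f"could not stat {path}"))
    return findings


if __name__ == "__main__":
    for check, item, note in triage(SAMPLE_DDS):
        print(f"{check:22} {item:55} {note}")
```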

#6 Notsol337
  • Topic Starter

  • Members
  • 20 posts

Posted 31 May 2012 - 10:06 PM

As I am pretty sure that the antivirus programs aren't running properly, I don't think there is any script blocking going on. Mind you, I would be happy to uninstall/disable some programs should I be required to.

#7 nasdaq

  • Malware Response Team
  • 40,456 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 June 2012 - 07:25 AM

Now we can run these tools.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs for my review.

#8 Notsol337
  • Topic Starter

  • Members
  • 20 posts

Posted 01 June 2012 - 06:01 PM

Here are the logs that you requested. Just FYI, when I first ran ComboFix, I dragged and dropped it onto my Desktop from my thumbdrive. I was met with a message that said, "Superspywaresweeper, running script blocking...yadda yadda." I opened SSS and it was not set to run at startup, but once I had opened it, then it started a chain reaction of said program opening and opening repeatedly. I managed to close the program and let ComboFix run its course. Then, at the end, before I could save the text file, the computer shut down. Upon restart, I double clicked ComboFix again, but from my USB drive this time, hoping it would give me the option of installing it on my desktop. It did not, but knowing that some rootkit viruses re-run at start-up, I thought it would be smart to run ComboFix again, in case anything it had deleted or quarantined would still be found. Then, just to be safe and do what you wanted in the first place, I installed it on the desktop, ran it and copied the text. So, I have 3 ComboFix logs for you to view, I know you're probably super happy, but you can always just go by the 3rd one if you wish. As well, here is the Security Check log too. Thanks again for your help.


ComboFix 12-06-01.03 - Administrator 06/01/2012 15:04:48.9.6 - x64 NETWORK
Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.8189.6867 [GMT -7:00]
Running from: E:\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\wbem\Performance\WmiApRpl_new.ini
.
---- Previous Run -------
.
c:\programdata\TEMP
.
-- Previous Run --
.
c:\windows\SysWow64\sfcfiles.dll . . . is missing!!
.
c:\windows\SysWow64\sfcfiles.dll . . . is missing!!
.
c:\windows\system32\drivers\ipsec.sys . . . is missing!!
.
c:\windows\system32\drivers\psched.sys . . . is missing!!
.
--------
.
.
((((((((((((((((((((((((( Files Created from 2012-05-01 to 2012-06-01 )))))))))))))))))))))))))))))))
.
.
2012-06-01 22:12 . 2012-06-01 22:12 -------- d-----w- c:\users\User\AppData\Local\temp
2012-06-01 22:12 . 2012-06-01 22:12 -------- d-----w- c:\users\Guardian\AppData\Local\temp
2012-06-01 22:12 . 2012-06-01 22:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-01 22:12 . 2012-06-01 22:12 -------- d-----w- c:\users\Admin\AppData\Local\temp
2012-05-23 01:46 . 2010-09-09 23:23 78920 ----a-w- c:\windows\system32\drivers\idsflt64.sys
2012-05-23 01:46 . 2009-09-25 21:54 74760 ----a-w- c:\windows\system32\drivers\wnmflt64.sys
2012-05-23 01:46 . 2009-09-25 21:54 82952 ----a-w- c:\windows\system32\drivers\dsaflt64.sys
2012-05-23 01:33 . 2012-05-23 01:33 -------- d-----w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2012-05-23 01:33 . 2012-05-23 01:33 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-05-23 00:51 . 2012-05-23 01:50 -------- d-----w- c:\users\Administrator\Tracing
2012-05-22 23:40 . 2012-05-22 23:41 -------- d-----w- C:\dull
2012-05-22 21:48 . 2012-04-04 22:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-22 21:38 . 2012-05-23 00:45 -------- d-----w- c:\users\Administrator\Pavark
2012-05-22 21:32 . 2012-05-22 21:32 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-22 04:42 . 2012-05-22 04:42 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2012-05-21 09:44 . 2010-06-22 00:01 87872 ----a-w- c:\windows\SysWow64\PavLspHookWow.dll
2012-05-21 09:44 . 2010-06-22 00:01 114496 ----a-w- c:\windows\system32\PavLspHook64.dll
2012-05-21 09:44 . 2012-05-23 01:45 -------- d-----w- c:\users\Administrator\AppData\Roaming\Panda Security
2012-05-21 04:23 . 2011-06-21 04:09 200976 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2012-05-20 23:52 . 2012-05-20 23:52 -------- d-----w- c:\users\Administrator\AppData\Local\CRE
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-05-20 20:41 . 2012-05-20 20:41 -------- d-----w- c:\program files (x86)\QuickTime
2012-05-20 02:20 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-20 02:20 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-20 02:20 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-20 02:20 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-20 02:20 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-20 02:20 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-20 02:18 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-20 02:17 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-20 02:16 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-20 02:16 . 2012-03-31 05:40 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-20 02:16 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-20 02:16 . 2012-03-31 05:40 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-20 02:16 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-20 01:57 . 2012-05-08 17:02 8955792 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{47A2419B-E200-49AA-B300-A26D6A95ACD4}\mpengine.dll
2012-05-20 00:58 . 2012-05-30 22:54 -------- d-----w- c:\program files (x86)\Panda USB Vaccine
2012-05-20 00:27 . 2012-05-20 00:27 -------- d-----w- c:\windows\SysWow64\BestPractices
2012-05-20 00:27 . 2012-05-20 00:27 -------- d-----w- c:\windows\system32\BestPractices
2012-05-20 00:27 . 2012-05-20 00:27 -------- d-----w- C:\inetpub
2012-05-19 22:47 . 2012-05-19 22:47 -------- d-----w- c:\users\Administrator\AppData\Roaming\Media Player Classic
2012-05-15 16:15 . 2012-05-15 16:15 -------- d-----w- c:\users\User\AppData\Roaming\TeamViewer
2012-05-15 04:09 . 2012-05-23 00:55 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-12 22:10 . 2012-05-21 03:47 -------- d-----w- c:\program files\Microsoft Silverlight
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-19 03:56 . 2012-04-19 03:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-19 03:56 . 2012-04-19 03:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-02-28 00:51 . 2012-02-28 00:51 3628016 ----a-w- c:\program files\ccsetup316.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2012-05-22_01.42.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-05-21 09:44 . 2009-08-10 20:46 25344 c:\windows\SysWOW64\sysHelper32.dll
+ 2012-05-23 01:45 . 2009-08-10 20:46 25344 c:\windows\SysWOW64\sysHelper32.dll
- 2012-05-21 09:44 . 2010-06-22 00:01 66880 c:\windows\SysWOW64\PavIpcWow.dll
+ 2012-05-23 01:45 . 2010-06-22 00:01 66880 c:\windows\SysWOW64\PavIpcWow.dll
+ 2009-07-14 04:54 . 2012-05-30 22:43 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-05-22 00:29 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-05-22 00:29 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-05-30 22:43 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-02-21 01:52 . 2012-05-23 01:52 56752 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-05-23 01:52 36486 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-05-23 01:45 . 2009-08-10 20:46 25344 c:\windows\system32\sysHelper64.dll
- 2012-05-21 09:44 . 2009-08-10 20:46 25344 c:\windows\system32\sysHelper64.dll
- 2012-05-21 09:44 . 2010-06-22 00:01 90944 c:\windows\system32\PavIpc64.dll
+ 2012-05-23 01:45 . 2010-06-22 00:01 90944 c:\windows\system32\PavIpc64.dll
+ 2009-07-14 05:30 . 2012-05-23 01:45 86016 c:\windows\system32\DriverStore\infpub.dat
- 2009-07-14 05:30 . 2012-05-21 09:44 86016 c:\windows\system32\DriverStore\infpub.dat
- 2012-05-21 09:44 . 2010-06-23 01:20 30792 c:\windows\system32\drivers\pavboot64.sys
+ 2012-05-23 01:45 . 2010-06-23 01:20 30792 c:\windows\system32\drivers\pavboot64.sys
- 2012-05-21 09:44 . 2009-09-25 21:54 31752 c:\windows\system32\drivers\fnetm64.sys
+ 2012-05-23 01:45 . 2009-09-25 21:54 31752 c:\windows\system32\drivers\fnetm64.sys
+ 2012-05-23 01:45 . 2010-05-21 20:50 65608 c:\windows\system32\drivers\amm6460.sys
- 2012-05-21 09:44 . 2010-05-21 20:50 65608 c:\windows\system32\drivers\amm6460.sys
- 2012-05-21 09:44 . 2010-03-24 19:56 64768 c:\windows\system32\avldr64.dll
+ 2012-05-23 01:45 . 2010-03-24 19:56 64768 c:\windows\system32\avldr64.dll
+ 2011-05-23 22:42 . 2012-05-23 01:52 8190 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1526159538-2137221921-2185218036-500_UserData.bin
+ 2012-06-01 21:50 . 2012-06-01 21:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-05-22 01:33 . 2012-05-22 01:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-05-22 01:33 . 2012-05-22 01:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-06-01 21:50 . 2012-06-01 21:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-05-21 09:44 . 2010-06-22 00:02 202048 c:\windows\SysWOW64\TpUtilWow.dll
+ 2012-05-23 01:45 . 2010-06-22 00:02 202048 c:\windows\SysWOW64\TpUtilWow.dll
- 2012-05-21 09:44 . 2010-06-22 00:01 546624 c:\windows\SysWOW64\PavSHookWow.dll
+ 2012-05-23 01:45 . 2010-06-22 00:01 546624 c:\windows\SysWOW64\PavSHookWow.dll
- 2011-03-06 02:50 . 2012-05-22 00:29 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-03-06 02:50 . 2012-05-30 22:43 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 04:54 . 2012-05-30 22:43 114688 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-05-22 00:29 114688 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-05-23 01:45 . 2010-06-22 00:02 323392 c:\windows\system32\TpUtil64.dll
- 2012-05-21 09:44 . 2010-06-22 00:02 323392 c:\windows\system32\TpUtil64.dll
- 2009-07-14 02:36 . 2012-05-22 00:35 719768 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-05-23 02:25 719768 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-05-23 02:25 143660 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-05-22 00:35 143660 c:\windows\system32\perfc009.dat
+ 2012-05-23 01:45 . 2010-06-22 00:01 839488 c:\windows\system32\PavSHook64.dll
- 2012-05-21 09:44 . 2010-06-22 00:01 839488 c:\windows\system32\PavSHook64.dll
- 2011-02-21 01:49 . 2012-01-31 12:44 279656 c:\windows\system32\MpSigStub.exe
+ 2011-02-21 01:49 . 2012-02-23 17:18 279656 c:\windows\system32\MpSigStub.exe
+ 2009-07-14 05:30 . 2012-05-23 01:45 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2012-05-21 09:44 143360 c:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 05:30 . 2012-05-23 01:45 143360 c:\windows\system32\DriverStore\infstor.dat
- 2009-07-14 05:30 . 2012-05-21 09:44 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2012-05-23 01:45 . 2010-09-01 18:09 216648 c:\windows\system32\DriverStore\FileRepository\netflt.inf_amd64_neutral_b8ae9e6d99ebb6a1\n64i1644.sys
- 2012-05-21 09:44 . 2010-09-01 18:09 216648 c:\windows\system32\DriverStore\FileRepository\netflt.inf_amd64_neutral_b8ae9e6d99ebb6a1\n64i1644.sys
+ 2012-05-23 01:45 . 2009-09-25 21:54 170504 c:\windows\system32\drivers\NETTDI64.SYS
- 2012-05-21 09:44 . 2009-09-25 21:54 170504 c:\windows\system32\drivers\NETTDI64.SYS
- 2012-05-21 09:44 . 2010-09-01 18:09 216648 c:\windows\system32\drivers\n64i1644.sys
+ 2012-05-23 01:45 . 2010-09-01 18:09 216648 c:\windows\system32\drivers\n64i1644.sys
- 2012-05-21 09:44 . 2011-01-31 23:41 129096 c:\windows\system32\drivers\APPFLT64.SYS
+ 2012-05-23 01:45 . 2011-01-31 23:41 129096 c:\windows\system32\drivers\APPFLT64.SYS
+ 2012-05-23 01:46 . 2012-05-23 01:46 220132 c:\windows\system32\drivers\APPFCONT.DAT
- 2012-05-21 09:44 . 2012-05-21 09:44 220132 c:\windows\system32\drivers\APPFCONT.DAT
+ 2009-07-14 04:46 . 2012-05-30 22:47 107960 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 05:01 . 2012-05-30 22:48 322872 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-05-21 09:35 322872 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\users\Administrator\Desktop\SUPERAntiSpyware.exe" [2012-05-21 4786048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"APVXDWIN"="c:\program files (x86)\Panda Security\Panda Global Protection 2012\APVXDWIN.EXE" [2011-03-24 1000768]
"SCANINICIO"="c:\program files (x86)\Panda Security\Panda Global Protection 2012\Inicio.exe" [2011-02-02 70464]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"InstallShieldSetup"="c:\progra~2\INSTAL~1\{81A25~1\SETUP.exe" [2005-04-07 121064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /A:* /L:1033 /heur:80 /RA:ask /pup /archives /IA:0 /KBD:2 /wow /dir:C:\Program
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"LWS"=c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
.
R0 pavboot;Panda boot driver;c:\windows\system32\Drivers\pavboot64.sys [x]
R1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [x]
R1 SASDIFSV;SASDIFSV;c:\users\Administrator\Desktop\SASDIFSV64.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Administrator\Desktop\SASKUTIL64.SYS [x]
R2 !SASCORE;SAS Core Service;c:\users\Administrator\Desktop\SASCORE64.EXE [x]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/28 20:27];c:\program files (x86)\CyberLink\PowerDVD10\NavFilter\000.fcl [2010-11-18 04:29 146928]
R2 AmFSM;AmFSM;c:\windows\system32\DRIVERS\amm6460.sys [x]
R2 APPFLT;App Filter Plugin;c:\windows\system32\Drivers\APPFLT64.SYS [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 ComFiltr;Panda Anti-Dialer;c:\windows\system32\DRIVERS\COMFiltr.sys [x]
R2 DSAFLT;DSA Filter Plugin;c:\windows\system32\Drivers\DSAFLT64.SYS [x]
R2 FNETMON;NetMon Filter Plugin;c:\windows\system32\Drivers\fnetm64.SYS [x]
R2 IDSFLT;Ids Filter Plugin;c:\windows\system32\Drivers\IDSFLT64.SYS [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
R2 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\Drivers\NETTDI64.SYS [x]
R2 PskSvcRetail;Panda PSK service;c:\program files (x86)\Panda Security\Panda Global Protection 2012\PskSvc.exe [2010-08-16 28992]
R2 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\Drivers\WNMFLT64.SYS [x]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [x]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [x]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
R3 lvsels64;Logitech Selective Suspend Filter;c:\windows\system32\DRIVERS\lvsels64.sys [x]
R3 LVUVC64;Logitech HD Pro Webcam C910(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PavTPK.sys;PavTPK.sys;c:\windows\system32\PavTPK.sys [x]
R3 Prot6Flt;Prot6Flt; [x]
R3 rtkio;rtkio;c:\program files (x86)\Realtek\Smart Dual Lan\rtkio.sys [2010-01-21 17392]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R4 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-01-05 354304]
R4 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 136176]
R4 JMB36X;JMB36X;c:\windows\SysWOW64\XSrvSetup.exe [2010-01-19 72304]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R4 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S1 JSWPSLWF;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwfx.sys [x]
S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 CompFilter64;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbflt64.sys [x]
S3 NETIMFLT01060044;PANDA NDIS IM Filter Miniport v1.6.0.44;c:\windows\system32\DRIVERS\n64i1644.sys [x]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-30 c:\windows\Tasks\Basic clean-up.job
- c:\program files (x86)\Panda Security\Panda Global Protection 2012\PlaTasks.exe [2012-05-23 21:23]
.
2012-05-23 c:\windows\Tasks\Basic clean-up1.job
- c:\program files (x86)\Panda Security\Panda Global Protection 2012\PlaTasks.exe [2012-05-23 21:23]
.
2012-05-19 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-1000Core.job
- c:\users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-04 03:46]
.
2012-05-22 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-1000UA.job
- c:\users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-04 03:46]
.
2012-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 19:37]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 19:37]
.
2012-05-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-26 06:15]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-26 06:15]
.
2012-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-500Core.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-24 20:47]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-500UA.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-24 20:47]
.
.
--------- x86-64 -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.0.0.1
.
.
------- File Associations -------
.
JSEFile=c:\progra~2\PANDAS~1\PANDAG~1\PavScrip.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD10\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"=hex:51,66,7a,6c,4c,1d,38,12,c4,f1,d4,
8c,0d,b7,42,06,f0,18,f4,98,5c,39,e1,33
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:9f,5f,dd,ce,3a,09,cd,01
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"=hex:51,66,7a,6c,4c,1d,3b,1b,ba,ed,d0,
93,0e,ab,46,07,96,06,fd,98,5b,25,e3,3c
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,3b,1b,0c,17,c8,
03,9c,ba,e9,06,bc,9e,b0,17,8e,6c,fb,d8
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,3b,1b,74,cb,27,
8b,33,1e,d5,0e,97,c4,1b,24,74,4a,25,dd
"{32004B8A-44A9-43E7-84E9-808838809519}"=hex:51,66,7a,6c,4c,1d,3b,1b,9a,54,17,
29,98,16,8d,07,9d,e1,ca,c8,3a,c2,d3,02
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,3b,1b,21,81,12,
e4,6b,9e,44,0a,a6,33,dc,a9,2b,94,13,18
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,3b,1b,6f,c1,fd,
a6,54,90,ba,55,a5,e5,4a,e0,cb,48,f3,14
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:f0,43,20,09,e2,36,cc,01
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,ca,c3,62,da,7b,a5,49,a0,d5,14,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,ca,c3,62,da,7b,a5,49,a0,d5,14,\
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML.Administrator"
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML.Administrator"
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML.Administrator"
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML.Administrator"
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML.Administrator"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-06-01 15:14:38
ComboFix-quarantined-files.txt 2012-06-01 22:14
ComboFix2.txt 2012-05-22 21:47
ComboFix3.txt 2012-05-22 05:22
ComboFix4.txt 2012-05-22 01:43
ComboFix5.txt 2012-05-23 00:00
.
Pre-Run: 699,773,648,896 bytes free
Post-Run: 699,881,943,040 bytes free
.
- - End Of File - - 6DB06EA33673B58092EAF0393D5E1988


Second one:


ComboFix 12-06-01.03 - Administrator 06/01/2012 15:21:52.10.6 - x64 NETWORK
Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.8189.6809 [GMT -7:00]
Running from: E:\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-05-01 to 2012-06-01 )))))))))))))))))))))))))))))))
.
.
2012-06-01 22:27 . 2012-06-01 22:27 -------- d-----w- c:\users\User\AppData\Local\temp
2012-06-01 22:27 . 2012-06-01 22:27 -------- d-----w- c:\users\Guardian\AppData\Local\temp
2012-06-01 22:27 . 2012-06-01 22:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-01 22:27 . 2012-06-01 22:27 -------- d-----w- c:\users\Admin\AppData\Local\temp
2012-06-01 22:18 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D23B5D97-A41B-4EAD-B811-4AD16E43F806}\mpengine.dll
2012-05-23 01:46 . 2010-09-09 23:23 78920 ----a-w- c:\windows\system32\drivers\idsflt64.sys
2012-05-23 01:46 . 2009-09-25 21:54 74760 ----a-w- c:\windows\system32\drivers\wnmflt64.sys
2012-05-23 01:46 . 2009-09-25 21:54 82952 ----a-w- c:\windows\system32\drivers\dsaflt64.sys
2012-05-23 01:33 . 2012-05-23 01:33 -------- d-----w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2012-05-23 01:33 . 2012-05-23 01:33 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-05-23 00:51 . 2012-05-23 01:50 -------- d-----w- c:\users\Administrator\Tracing
2012-05-22 23:40 . 2012-05-22 23:41 -------- d-----w- C:\dull
2012-05-22 21:48 . 2012-04-04 22:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-22 21:38 . 2012-05-23 00:45 -------- d-----w- c:\users\Administrator\Pavark
2012-05-22 21:32 . 2012-05-22 21:32 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-22 04:42 . 2012-05-22 04:42 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2012-05-21 09:44 . 2010-06-22 00:01 87872 ----a-w- c:\windows\SysWow64\PavLspHookWow.dll
2012-05-21 09:44 . 2010-06-22 00:01 114496 ----a-w- c:\windows\system32\PavLspHook64.dll
2012-05-21 09:44 . 2012-05-23 01:45 -------- d-----w- c:\users\Administrator\AppData\Roaming\Panda Security
2012-05-21 04:23 . 2011-06-21 04:09 200976 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2012-05-20 23:52 . 2012-05-20 23:52 -------- d-----w- c:\users\Administrator\AppData\Local\CRE
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-05-20 20:41 . 2012-05-20 20:41 -------- d-----w- c:\program files (x86)\QuickTime
2012-05-20 02:20 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-20 02:20 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-20 02:20 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-20 02:20 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-20 02:20 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-20 02:20 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-20 02:18 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-20 02:17 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-20 02:16 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-20 02:16 . 2012-03-31 05:40 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-20 02:16 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-20 02:16 . 2012-03-31 05:40 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-20 02:16 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-20 00:58 . 2012-05-30 22:54 -------- d-----w- c:\program files (x86)\Panda USB Vaccine
2012-05-20 00:27 . 2012-05-20 00:27 -------- d-----w- c:\windows\SysWow64\BestPractices
2012-05-20 00:27 . 2012-05-20 00:27 -------- d-----w- c:\windows\system32\BestPractices
2012-05-20 00:27 . 2012-05-20 00:27 -------- d-----w- C:\inetpub
2012-05-19 22:47 . 2012-05-19 22:47 -------- d-----w- c:\users\Administrator\AppData\Roaming\Media Player Classic
2012-05-15 16:15 . 2012-05-15 16:15 -------- d-----w- c:\users\User\AppData\Roaming\TeamViewer
2012-05-15 04:09 . 2012-05-23 00:55 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-12 22:10 . 2012-05-21 03:47 -------- d-----w- c:\program files\Microsoft Silverlight
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-19 03:56 . 2012-04-19 03:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-19 03:56 . 2012-04-19 03:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-02-28 00:51 . 2012-02-28 00:51 3628016 ----a-w- c:\program files\ccsetup316.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2012-06-01_22.12.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-06-01 21:50 . 2012-06-01 21:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-01 22:18 . 2012-06-01 22:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-01 22:18 . 2012-06-01 22:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-06-01 21:50 . 2012-06-01 21:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\users\Administrator\Desktop\SUPERAntiSpyware.exe" [2012-05-21 4786048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"APVXDWIN"="c:\program files (x86)\Panda Security\Panda Global Protection 2012\APVXDWIN.EXE" [2011-03-24 1000768]
"SCANINICIO"="c:\program files (x86)\Panda Security\Panda Global Protection 2012\Inicio.exe" [2011-02-02 70464]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"InstallShieldSetup"="c:\progra~2\INSTAL~1\{81A25~1\SETUP.exe" [2005-04-07 121064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /A:* /L:1033 /heur:80 /RA:ask /pup /archives /IA:0 /KBD:2 /wow /dir:C:\Program
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"LWS"=c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
.
R0 pavboot;Panda boot driver;c:\windows\system32\Drivers\pavboot64.sys [x]
R1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [x]
R1 SASDIFSV;SASDIFSV;c:\users\Administrator\Desktop\SASDIFSV64.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Administrator\Desktop\SASKUTIL64.SYS [x]
R2 !SASCORE;SAS Core Service;c:\users\Administrator\Desktop\SASCORE64.EXE [x]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/28 20:27];c:\program files (x86)\CyberLink\PowerDVD10\NavFilter\000.fcl [2010-11-18 04:29 146928]
R2 AmFSM;AmFSM;c:\windows\system32\DRIVERS\amm6460.sys [x]
R2 APPFLT;App Filter Plugin;c:\windows\system32\Drivers\APPFLT64.SYS [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 ComFiltr;Panda Anti-Dialer;c:\windows\system32\DRIVERS\COMFiltr.sys [x]
R2 DSAFLT;DSA Filter Plugin;c:\windows\system32\Drivers\DSAFLT64.SYS [x]
R2 FNETMON;NetMon Filter Plugin;c:\windows\system32\Drivers\fnetm64.SYS [x]
R2 IDSFLT;Ids Filter Plugin;c:\windows\system32\Drivers\IDSFLT64.SYS [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
R2 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\Drivers\NETTDI64.SYS [x]
R2 PskSvcRetail;Panda PSK service;c:\program files (x86)\Panda Security\Panda Global Protection 2012\PskSvc.exe [2010-08-16 28992]
R2 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\Drivers\WNMFLT64.SYS [x]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [x]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [x]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
R3 lvsels64;Logitech Selective Suspend Filter;c:\windows\system32\DRIVERS\lvsels64.sys [x]
R3 LVUVC64;Logitech HD Pro Webcam C910(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PavTPK.sys;PavTPK.sys;c:\windows\system32\PavTPK.sys [x]
R3 Prot6Flt;Prot6Flt; [x]
R3 rtkio;rtkio;c:\program files (x86)\Realtek\Smart Dual Lan\rtkio.sys [2010-01-21 17392]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R4 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-01-05 354304]
R4 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 136176]
R4 JMB36X;JMB36X;c:\windows\SysWOW64\XSrvSetup.exe [2010-01-19 72304]
R4 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S1 JSWPSLWF;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwfx.sys [x]
S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 CompFilter64;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbflt64.sys [x]
S3 NETIMFLT01060044;PANDA NDIS IM Filter Miniport v1.6.0.44;c:\windows\system32\DRIVERS\n64i1644.sys [x]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-30 c:\windows\Tasks\Basic clean-up.job
- c:\program files (x86)\Panda Security\Panda Global Protection 2012\PlaTasks.exe [2012-05-23 21:23]
.
2012-05-23 c:\windows\Tasks\Basic clean-up1.job
- c:\program files (x86)\Panda Security\Panda Global Protection 2012\PlaTasks.exe [2012-05-23 21:23]
.
2012-05-19 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-1000Core.job
- c:\users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-04 03:46]
.
2012-05-22 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-1000UA.job
- c:\users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-04 03:46]
.
2012-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 19:37]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 19:37]
.
2012-05-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-26 06:15]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-26 06:15]
.
2012-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-500Core.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-24 20:47]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-500UA.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-24 20:47]
.
.
--------- x86-64 -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.0.0.1
.
.
------- File Associations -------
.
JSEFile=c:\progra~2\PANDAS~1\PANDAG~1\PavScrip.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD10\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"=hex:51,66,7a,6c,4c,1d,38,12,c4,f1,d4,
8c,0d,b7,42,06,f0,18,f4,98,5c,39,e1,33
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:9f,5f,dd,ce,3a,09,cd,01
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"=hex:51,66,7a,6c,4c,1d,3b,1b,ba,ed,d0,
93,0e,ab,46,07,96,06,fd,98,5b,25,e3,3c
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,3b,1b,0c,17,c8,
03,9c,ba,e9,06,bc,9e,b0,17,8e,6c,fb,d8
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,3b,1b,74,cb,27,
8b,33,1e,d5,0e,97,c4,1b,24,74,4a,25,dd
"{32004B8A-44A9-43E7-84E9-808838809519}"=hex:51,66,7a,6c,4c,1d,3b,1b,9a,54,17,
29,98,16,8d,07,9d,e1,ca,c8,3a,c2,d3,02
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,3b,1b,21,81,12,
e4,6b,9e,44,0a,a6,33,dc,a9,2b,94,13,18
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,3b,1b,6f,c1,fd,
a6,54,90,ba,55,a5,e5,4a,e0,cb,48,f3,14
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:f0,43,20,09,e2,36,cc,01
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,ca,c3,62,da,7b,a5,49,a0,d5,14,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,ca,c3,62,da,7b,a5,49,a0,d5,14,\
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML.Administrator"
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML.Administrator"
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML.Administrator"
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML.Administrator"
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML.Administrator"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-06-01 15:28:58
ComboFix-quarantined-files.txt 2012-06-01 22:28
ComboFix2.txt 2012-06-01 22:14
ComboFix3.txt 2012-05-22 21:47
ComboFix4.txt 2012-05-22 05:22
ComboFix5.txt 2012-06-01 22:21
.
Pre-Run: 700,085,768,192 bytes free
Post-Run: 699,901,112,320 bytes free
.
- - End Of File - - AF4B09FA50632FE4CD92F521C85676FA


Third One:


ComboFix 12-06-01.03 - Administrator 06/01/2012 15:35:12.11.6 - x64 NETWORK
Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.8189.7033 [GMT -7:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-05-01 to 2012-06-01 )))))))))))))))))))))))))))))))
.
.
2012-06-01 22:37 . 2012-06-01 22:37 -------- d-----w- c:\users\User\AppData\Local\temp
2012-06-01 22:37 . 2012-06-01 22:37 -------- d-----w- c:\users\Guardian\AppData\Local\temp
2012-06-01 22:37 . 2012-06-01 22:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-01 22:37 . 2012-06-01 22:37 -------- d-----w- c:\users\Admin\AppData\Local\temp
2012-06-01 22:18 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D23B5D97-A41B-4EAD-B811-4AD16E43F806}\mpengine.dll
2012-05-23 01:46 . 2010-09-09 23:23 78920 ----a-w- c:\windows\system32\drivers\idsflt64.sys
2012-05-23 01:46 . 2009-09-25 21:54 74760 ----a-w- c:\windows\system32\drivers\wnmflt64.sys
2012-05-23 01:46 . 2009-09-25 21:54 82952 ----a-w- c:\windows\system32\drivers\dsaflt64.sys
2012-05-23 01:33 . 2012-05-23 01:33 -------- d-----w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2012-05-23 01:33 . 2012-05-23 01:33 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-05-23 00:51 . 2012-05-23 01:50 -------- d-----w- c:\users\Administrator\Tracing
2012-05-22 23:40 . 2012-05-22 23:41 -------- d-----w- C:\dull
2012-05-22 21:48 . 2012-04-04 22:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-22 21:38 . 2012-05-23 00:45 -------- d-----w- c:\users\Administrator\Pavark
2012-05-22 21:32 . 2012-05-22 21:32 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-22 04:42 . 2012-05-22 04:42 -------- d-----w- c:\users\Administrator\AppData\Roaming\Malwarebytes
2012-05-21 09:44 . 2010-06-22 00:01 87872 ----a-w- c:\windows\SysWow64\PavLspHookWow.dll
2012-05-21 09:44 . 2010-06-22 00:01 114496 ----a-w- c:\windows\system32\PavLspHook64.dll
2012-05-21 09:44 . 2012-05-23 01:45 -------- d-----w- c:\users\Administrator\AppData\Roaming\Panda Security
2012-05-21 04:23 . 2011-06-21 04:09 200976 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2012-05-20 23:52 . 2012-05-20 23:52 -------- d-----w- c:\users\Administrator\AppData\Local\CRE
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-05-20 20:41 . 2012-05-20 20:41 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-05-20 20:41 . 2012-05-20 20:41 -------- d-----w- c:\program files (x86)\QuickTime
2012-05-20 02:20 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-20 02:20 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-20 02:20 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-20 02:20 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-20 02:20 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-20 02:20 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-20 02:18 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-20 02:17 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-20 02:16 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-20 02:16 . 2012-03-31 05:40 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-20 02:16 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-20 02:16 . 2012-03-31 05:40 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-20 02:16 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-20 00:58 . 2012-05-30 22:54 -------- d-----w- c:\program files (x86)\Panda USB Vaccine
2012-05-20 00:27 . 2012-05-20 00:27 -------- d-----w- c:\windows\SysWow64\BestPractices
2012-05-20 00:27 . 2012-05-20 00:27 -------- d-----w- c:\windows\system32\BestPractices
2012-05-20 00:27 . 2012-05-20 00:27 -------- d-----w- C:\inetpub
2012-05-19 22:47 . 2012-05-19 22:47 -------- d-----w- c:\users\Administrator\AppData\Roaming\Media Player Classic
2012-05-15 16:15 . 2012-05-15 16:15 -------- d-----w- c:\users\User\AppData\Roaming\TeamViewer
2012-05-15 04:09 . 2012-05-23 00:55 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-12 22:10 . 2012-05-21 03:47 -------- d-----w- c:\program files\Microsoft Silverlight
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-19 03:56 . 2012-04-19 03:56 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-19 03:56 . 2012-04-19 03:56 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2012-02-28 00:51 . 2012-02-28 00:51 3628016 ----a-w- c:\program files\ccsetup316.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2012-06-01_22.12.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2012-06-01 21:50 . 2012-06-01 21:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-01 22:18 . 2012-06-01 22:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-01 22:18 . 2012-06-01 22:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-06-01 21:50 . 2012-06-01 21:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"APVXDWIN"="c:\program files (x86)\Panda Security\Panda Global Protection 2012\APVXDWIN.EXE" [2011-03-24 1000768]
"SCANINICIO"="c:\program files (x86)\Panda Security\Panda Global Protection 2012\Inicio.exe" [2011-02-02 70464]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"InstallShieldSetup"="c:\progra~2\INSTAL~1\{81A25~1\SETUP.exe" [2005-04-07 121064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /A:* /L:1033 /heur:80 /RA:ask /pup /archives /IA:0 /KBD:2 /wow /dir:C:\Program
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"LWS"=c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
.
R0 pavboot;Panda boot driver;c:\windows\system32\Drivers\pavboot64.sys [x]
R1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [x]
R1 SASDIFSV;SASDIFSV;c:\users\Administrator\Desktop\SASDIFSV64.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Administrator\Desktop\SASKUTIL64.SYS [x]
R2 !SASCORE;SAS Core Service;c:\users\Administrator\Desktop\SASCORE64.EXE [x]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/28 20:27];c:\program files (x86)\CyberLink\PowerDVD10\NavFilter\000.fcl [2010-11-18 04:29 146928]
R2 AmFSM;AmFSM;c:\windows\system32\DRIVERS\amm6460.sys [x]
R2 APPFLT;App Filter Plugin;c:\windows\system32\Drivers\APPFLT64.SYS [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 ComFiltr;Panda Anti-Dialer;c:\windows\system32\DRIVERS\COMFiltr.sys [x]
R2 DSAFLT;DSA Filter Plugin;c:\windows\system32\Drivers\DSAFLT64.SYS [x]
R2 FNETMON;NetMon Filter Plugin;c:\windows\system32\Drivers\fnetm64.SYS [x]
R2 IDSFLT;Ids Filter Plugin;c:\windows\system32\Drivers\IDSFLT64.SYS [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
R2 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\Drivers\NETTDI64.SYS [x]
R2 PskSvcRetail;Panda PSK service;c:\program files (x86)\Panda Security\Panda Global Protection 2012\PskSvc.exe [2010-08-16 28992]
R2 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\Drivers\WNMFLT64.SYS [x]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [x]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [x]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
R3 lvsels64;Logitech Selective Suspend Filter;c:\windows\system32\DRIVERS\lvsels64.sys [x]
R3 LVUVC64;Logitech HD Pro Webcam C910(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PavTPK.sys;PavTPK.sys;c:\windows\system32\PavTPK.sys [x]
R3 Prot6Flt;Prot6Flt; [x]
R3 rtkio;rtkio;c:\program files (x86)\Realtek\Smart Dual Lan\rtkio.sys [2010-01-21 17392]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R4 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-01-05 354304]
R4 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 136176]
R4 JMB36X;JMB36X;c:\windows\SysWOW64\XSrvSetup.exe [2010-01-19 72304]
R4 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S1 JSWPSLWF;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwfx.sys [x]
S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 CompFilter64;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbflt64.sys [x]
S3 NETIMFLT01060044;PANDA NDIS IM Filter Miniport v1.6.0.44;c:\windows\system32\DRIVERS\n64i1644.sys [x]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-30 c:\windows\Tasks\Basic clean-up.job
- c:\program files (x86)\Panda Security\Panda Global Protection 2012\PlaTasks.exe [2012-05-23 21:23]
.
2012-05-23 c:\windows\Tasks\Basic clean-up1.job
- c:\program files (x86)\Panda Security\Panda Global Protection 2012\PlaTasks.exe [2012-05-23 21:23]
.
2012-05-19 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-1000Core.job
- c:\users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-04 03:46]
.
2012-05-22 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-1000UA.job
- c:\users\User\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-04 03:46]
.
2012-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 19:37]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 19:37]
.
2012-05-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-26 06:15]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-26 06:15]
.
2012-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-500Core.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-24 20:47]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1526159538-2137221921-2185218036-500UA.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-24 20:47]
.
.
--------- x86-64 -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.0.0.1
.
.
------- File Associations -------
.
JSEFile=c:\progra~2\PANDAS~1\PANDAG~1\PavScrip.exe "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-SUPERAntiSpyware - c:\users\Administrator\Desktop\SUPERAntiSpyware.exe
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD10\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"=hex:51,66,7a,6c,4c,1d,38,12,c4,f1,d4,
8c,0d,b7,42,06,f0,18,f4,98,5c,39,e1,33
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,
57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:9f,5f,dd,ce,3a,09,cd,01
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{88C7F2AA-F93F-432C-8F0E-B7D85967A527}"=hex:51,66,7a,6c,4c,1d,3b,1b,ba,ed,d0,
93,0e,ab,46,07,96,06,fd,98,5b,25,e3,3c
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,3b,1b,0c,17,c8,
03,9c,ba,e9,06,bc,9e,b0,17,8e,6c,fb,d8
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,3b,1b,74,cb,27,
8b,33,1e,d5,0e,97,c4,1b,24,74,4a,25,dd
"{32004B8A-44A9-43E7-84E9-808838809519}"=hex:51,66,7a,6c,4c,1d,3b,1b,9a,54,17,
29,98,16,8d,07,9d,e1,ca,c8,3a,c2,d3,02
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,3b,1b,21,81,12,
e4,6b,9e,44,0a,a6,33,dc,a9,2b,94,13,18
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,3b,1b,6f,c1,fd,
a6,54,90,ba,55,a5,e5,4a,e0,cb,48,f3,14
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:f0,43,20,09,e2,36,cc,01
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,ca,c3,62,da,7b,a5,49,a0,d5,14,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4e,ca,c3,62,da,7b,a5,49,a0,d5,14,\
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML.Administrator"
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML.Administrator"
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML.Administrator"
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML.Administrator"
.
[HKEY_USERS\S-1-5-21-1526159538-2137221921-2185218036-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="ChromeHTML.Administrator"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-06-01 15:38:45
ComboFix-quarantined-files.txt 2012-06-01 22:38
ComboFix2.txt 2012-06-01 22:28
ComboFix3.txt 2012-06-01 22:14
ComboFix4.txt 2012-05-22 21:47
ComboFix5.txt 2012-06-01 22:34
.
Pre-Run: 699,978,846,208 bytes free
Post-Run: 699,903,246,336 bytes free
.
- - End Of File - - 4377B63FE6E1D20E71191CD76F838BF9


Security Check Log:

Results of screen317's Security Check version 0.99.41
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
Panda ActiveScan Cleaner
Adobe Flash Player 10 Flash Player out of date!
Adobe Reader X (10.1.3)
Google Chrome 18.0.1025.151
Google Chrome 19.0.1084.46
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:
````````````````````End of Log``````````````````````

#9 nasdaq

  • Malware Response Team
  • 40,456 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 June 2012 - 07:34 AM

c:\windows\SysWow64\sfcfiles.dll . . . is missing!!
.
c:\windows\system32\drivers\ipsec.sys . . . is missing!!
.
c:\windows\system32\drivers\psched.sys . . . is missing!!


Let's find out if you have other copies on your computer.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64-bit, download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main text field:


    :filefind
    sfcfiles.dll
    ipsec.sys
    psched.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

In the event that no copy exists, do you have the Windows 7 installation disk, or access to another computer with the same operating system?

Do you have access to the internet with this computer?

#10 Notsol337

  • Topic Starter
  • Members
  • 20 posts

Posted 02 June 2012 - 05:43 PM

Here is the SysLook log:
SystemLook 30.07.11 by jpshortstuff
Log created at 15:33 on 02/06/2012 by Administrator
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "sfcfiles.dll"
No files found.

Searching for "ipsec.sys"
No files found.

Searching for "psched.sys"
No files found.

-= EOF =-

#11 nasdaq

  • Malware Response Team
  • 40,456 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 June 2012 - 08:06 AM

As you can see, the files are not available on your computer.

Do you have the Windows 7 installation disk?

Did you create a startup disk the first day you got the computer?

Do you have access to another computer with a good Windows 7 operating system?

#12 Notsol337

  • Topic Starter
  • Members
  • 20 posts

Posted 03 June 2012 - 12:31 PM

Perhaps you skipped one of my posts, but yes, I do have an installation disk. Unfortunately (or stupidly), however, I do not have a startup disk. So, am I to infer that you would like me to search for these files on my installation disk?

#13 nasdaq

  • Malware Response Team
  • 40,456 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 June 2012 - 12:44 PM

Use SystemLook and search the disk for all similar files with a different extension.

sfcfiles.*
ipsec.*
psched.*


Post the result.
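As an added example (not code from the thread, from SystemLook or from its author), the same `:filefind` search implemented in Python, extended to the wildcard patterns above: it walks a directory tree, matches names case-insensitively, and records size, timestamp and SHA-256 for each hit so that any surviving copy can be compared with the same file on a known-good machine before it is restored.

```python
# Added example, not the thread's or SystemLook's own code: a filefind-style
# search for the names above, including the wildcard form from the later reply.
import fnmatch
import hashlib
import os
from datetime import datetime, timezone

# Names from the thread; wildcards also catch renamed copies such as
# sfcfiles.dll.bak or ipsec.sy_ (a cabinet-compressed copy on install media).
PATTERNS = ["sfcfiles.*", "ipsec.*", "psched.*"]


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def filefind(root, patterns=PATTERNS):
    """Walk root and return hits as dicts: pattern, path, size, mtime, sha256.

    Unreadable directories are skipped instead of aborting, which matters on a
    compromised machine where some paths will be access-denied."""
    lowered = [p.lower() for p in patterns]
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            pat = next((p for p in lowered if fnmatch.fnmatchcase(name.lower(), p)), None)
            if pat is None:
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
                digest = sha256_of(full)
            except OSError:
                continue  # vanished or unreadable; cannot be used as a copy
            hits.append({
                "pattern": pat,
                "path": full,
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": digest,
            })
    return sorted(hits, key=lambda h: (h["pattern"], h["path"]))


def unmatched(hits, patterns=PATTERNS):
    """Patterns with no hit at all: the 'No files found.' case in the log."""
    seen = {h["pattern"] for h in hits}
    return [p for p in patterns if p.lower() not in seen]
```

Run `filefind(r"C:\")` on the affected machine and the same call on a healthy one; hits whose SHA-256 differ between the two are not safe to copy across.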

#14 Notsol337

  • Topic Starter
  • Members
  • 20 posts

Posted 05 June 2012 - 01:38 PM

Use SystemLook and search the disk for all similar files with a different extension.

sfcfiles.*
ipsec.*
psched.*


Post the result.



#15 Notsol337

  • Topic Starter
  • Members
  • 20 posts

Posted 05 June 2012 - 01:45 PM

Hello, Nasdaq. I have researched these items with the new extension, but I had much difficulty, because once the results were displayed, my PC went rogue and began switching programs, and preventing me from saving the results onto my thumb drive. I noticed before having to do a shutdown that the first and last items seemed to be missing entirely, but the IPSec search did turn up something. I'll try and post any SystemLook logs later; hopefully I was able to save it before everything went loopy. Also, the SystemLook program said I was running the sysWOW32 version but that I would get better results running an x64 version. Should I be?



