multiple viruses, music playing through speakers, google redirects


This topic is locked
45 replies to this topic

#1 ShaneInFlorida

  • Members
  • 29 posts

Posted 18 August 2012 - 06:14 PM

This was previously posted in another section and I was asked to post here.

Sirefef and other viruses - can't run TDSSKiller
Working remotely on monitoring and blocking IPs from a hacker in China, I may have gotten attacked just after the hacker successfully entered the server and changed all logins and passwords. I was able to get the server up and running again (after several days of working) and without important data loss. However, my laptop was riddled with various viruses. One of them was intended to halt start-up (I recognized the process, did a hard shutdown, opened in safe mode, and successfully removed that virus). I then began using various utilities to scan for viruses (MBAM, SUPERAntiSpyware, ESET Online Scanner). Five of the viruses removed were Sirefef a, b, c, d, and p. ESET removed five additional (a bot, two trojans, and three redirects). Then I ran CCleaner.

I then tried to use the already installed Microsoft Security Essentials, but it failed to launch. I noticed that the firewall was also turned off and, when trying to restart it, I would only get an error message stating that it could not be restarted.

I tried running TDSSKiller from Kaspersky, but it doesn't run. I flushed DNS, deleted TMP files, cleared the HOSTS file, removed rogue domains (obvious, as they referred to sites I never used and would never use) in the registry, renamed it to 'something.com', and it still doesn't run.

Ran Rkill64, which didn't help with TDSSKiller. Ran THC to clear temps, reran Rkill, and TDSSKiller still won't run.

I ran HijackThis and there were several missing files reported (LSASS being the most noticeable), but I am not experienced enough in virus removal (beyond the use of apps to remove such) to know whether what I am looking at should be deleted or not.

System:
Laptop is Toshiba Satellite
OS is Windows 2007 x64; 4 GB RAM


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:00:16 AM, on 8/18/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Safe mode with network support

Running processes:
C:\Users\sp\Desktop\router\hack detection tools\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
O2 - BHO: (no name) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - (no file)
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files (x86)\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
O4 - HKLM\..\RunOnce: [C2521893-FA01-4075-89C9-5FA01A6D7F76] cmd.exe /C start /D "C:\Users\sp\AppData\Local\Temp" /B C2521893-FA01-4075-89C9-5FA01A6D7F76.exe -postboot
O4 - HKCU\..\Run: [RESTART_STICKY_NOTES] C:\windows\system32\StikyNot.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe
O4 - Global Startup: Metro Hi Speed Fax Printer 2.0.lnk = ?
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\vmware\vmware player\vsocklib.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - https://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D} - https://browsercheck.qualys.com/qbc_ax.cab
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) -
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79CF917E-69AB-4D81-BADC-79867C1E8584}: NameServer = 192.168.1.1,192.168.1.192
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\httpd.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: mysql - Unknown owner - c:\xampp\mysql\bin\mysqld.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Nalpeiron Licensing Service (nlsX86cc) - Nalpeiron Ltd. - C:\windows\SysWOW64\NLSSRV32.EXE
O23 - Service: PlayIt Video Server Manager (PlayItVideoServer) - Unknown owner - C:\Program Files\Luttmann\vmcPlayIt\PlayItVideoServer.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\Windows\system32\TODDSrv.exe (file missing)
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files (x86)\VMware\VMware Player\vmware-ufad.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\windows\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\windows\system32\vmnat.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10131 bytes


I've also now run OTL and here is the log:

OTL logfile created on: 8/18/2012 4:54:38 PM - Run 1
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Users\sp\Desktop\Fix registry zonemap domains
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.87 Gb Total Physical Memory | 2.46 Gb Available Physical Memory | 63.47% Memory free
7.74 Gb Paging File | 6.12 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 287.68 Gb Total Space | 117.60 Gb Free Space | 40.88% Space Free | Partition Type: NTFS

Computer Name: SP-PC | User Name: sp | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/08/18 16:48:33 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Users\sp\Desktop\Fix registry zonemap domains\OTL.com
PRC - [2012/07/27 16:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/01/26 19:04:18 | 000,484,976 | ---- | M] () -- C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe
PRC - [2011/01/31 13:01:28 | 000,068,928 | ---- | M] (Nalpeiron Ltd.) -- C:\Windows\SysWOW64\NLSSRV32.EXE
PRC - [2010/12/03 14:18:12 | 008,133,120 | ---- | M] () -- c:\xampp\mysql\bin\mysqld.exe
PRC - [2010/10/17 20:32:10 | 000,020,549 | ---- | M] (Apache Software Foundation) -- C:\xampp\apache\bin\httpd.exe
PRC - [2009/11/18 11:57:04 | 001,032,192 | ---- | M] (Metro Hi Speed) -- C:\Program Files (x86)\Metro Hi Speed\FaxPrinter\FaxPrinter.exe
PRC - [2009/10/22 04:44:24 | 000,395,824 | ---- | M] (VMware, Inc.) -- C:\Windows\SysWOW64\vmnat.exe
PRC - [2009/10/22 04:44:18 | 000,113,200 | ---- | M] (VMware, Inc.) -- C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
PRC - [2009/10/22 04:44:08 | 000,334,384 | ---- | M] (VMware, Inc.) -- C:\Windows\SysWOW64\vmnetdhcp.exe
PRC - [2009/10/22 04:43:30 | 000,064,048 | ---- | M] (VMware, Inc.) -- C:\Program Files (x86)\VMware\VMware Player\hqtray.exe
PRC - [2009/10/22 03:47:54 | 000,563,760 | ---- | M] (VMware, Inc.) -- C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe


========== Modules (No Company Name) ==========

MOD - [2012/06/13 03:32:10 | 012,436,480 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll
MOD - [2012/06/13 03:32:03 | 001,591,808 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll
MOD - [2012/05/10 09:02:00 | 000,771,584 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\03dee80574f4ec770b6f77ca030ded6c\System.Runtime.Remoting.ni.dll
MOD - [2012/05/10 09:01:08 | 005,452,800 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll
MOD - [2012/05/10 09:01:04 | 000,971,264 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll
MOD - [2012/05/10 09:01:03 | 007,967,232 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll
MOD - [2012/05/10 09:00:56 | 011,492,864 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll
MOD - [2012/01/26 19:04:18 | 000,484,976 | ---- | M] () -- C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe
MOD - [2009/11/18 11:57:02 | 000,028,672 | ---- | M] () -- C:\Program Files (x86)\Metro Hi Speed\FaxPrinter\ExtendedMapi.dll
MOD - [2009/11/18 11:57:00 | 000,049,152 | ---- | M] () -- C:\Program Files (x86)\Metro Hi Speed\FaxPrinter\OutlookExpress.dll
MOD - [2009/11/18 11:57:00 | 000,040,960 | ---- | M] () -- C:\Program Files (x86)\Metro Hi Speed\FaxPrinter\BasicSMTP.dll
MOD - [2009/11/18 11:56:48 | 000,094,208 | ---- | M] () -- C:\Program Files (x86)\Metro Hi Speed\FaxPrinter\MhsFaxPrinter.Common.dll
MOD - [2009/11/18 11:56:48 | 000,020,480 | ---- | M] () -- C:\Program Files (x86)\Metro Hi Speed\FaxPrinter\FaxRecipient.dll
MOD - [2009/11/18 11:56:48 | 000,016,384 | ---- | M] () -- C:\Program Files (x86)\Metro Hi Speed\FaxPrinter\MhsFaxPrinter.IPC.dll
MOD - [2009/11/18 11:56:48 | 000,016,384 | ---- | M] () -- C:\Program Files (x86)\Metro Hi Speed\FaxPrinter\AddrBookService.dll
MOD - [2009/11/18 10:36:48 | 000,016,384 | ---- | M] () -- C:\Program Files (x86)\Metro Hi Speed\FaxPrinter\EmailService.dll
MOD - [2009/10/22 04:43:58 | 000,970,288 | ---- | M] () -- C:\Program Files (x86)\VMware\VMware Player\libxml2.dll
MOD - [2009/10/22 04:43:46 | 000,068,656 | ---- | M] () -- C:\Program Files (x86)\VMware\VMware Player\zlib1.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2012/03/26 21:49:56 | 000,291,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV:64bit: - [2012/03/26 21:49:56 | 000,012,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV:64bit: - [2011/08/11 19:38:04 | 000,140,672 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCore64.exe -- (!SASCORE)
SRV:64bit: - [2010/06/12 09:20:30 | 000,096,768 | ---- | M] () [Auto | Running] -- C:\Program Files\Luttmann\vmcPlayIt\PlayItVideoServer.exe -- (PlayItVideoServer)
SRV:64bit: - [2010/02/05 20:44:48 | 000,137,560 | ---- | M] (TOSHIBA Corporation) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)
SRV:64bit: - [2009/11/06 01:05:28 | 000,489,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV:64bit: - [2009/07/28 18:48:06 | 000,140,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\SysNative\TODDSrv.exe -- (TODDSrv)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/07/27 16:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/01/31 13:01:28 | 000,068,928 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\Windows\SysWOW64\NLSSRV32.EXE -- (nlsX86cc)
SRV - [2010/12/03 14:18:12 | 008,133,120 | ---- | M] () [Auto | Running] -- c:\xampp\mysql\bin\mysqld.exe -- (mysql)
SRV - [2010/10/17 20:32:10 | 000,020,549 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\xampp\apache\bin\httpd.exe -- (Apache2.2)
SRV - [2010/10/17 15:38:42 | 000,742,912 | ---- | M] (FileZilla Project) [On_Demand | Stopped] -- c:\xampp\FileZillaFTP\FileZillaServer.exe -- (FileZilla Server)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/10/22 04:44:24 | 000,395,824 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Windows\SysWOW64\vmnat.exe -- (VMware NAT Service)
SRV - [2009/10/22 04:44:18 | 000,113,200 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe -- (VMAuthdService)
SRV - [2009/10/22 04:44:08 | 000,334,384 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Windows\SysWOW64\vmnetdhcp.exe -- (VMnetDHCP)
SRV - [2009/10/22 03:47:54 | 000,563,760 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe -- (VMUSBArbService)
SRV - [2009/10/12 14:32:24 | 000,191,024 | ---- | M] (VMware, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\VMware\VMware Player\vmware-ufad.exe -- (ufad-ws60)
SRV - [2009/10/06 12:21:50 | 000,051,512 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/07/05 18:11:18 | 000,087,488 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\windows\SysNative\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV:64bit: - [2012/06/08 12:06:24 | 000,072,216 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV:64bit: - [2012/06/08 12:05:56 | 000,011,552 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\lmimirr.sys -- (lmimirr)
DRV:64bit: - [2012/03/26 17:45:14 | 000,037,888 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\taphss.sys -- (taphss)
DRV:64bit: - [2012/03/20 23:44:12 | 000,098,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NisDrvWFP.sys -- (NisDrv)
DRV:64bit: - [2012/03/01 02:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012/02/05 15:29:04 | 000,031,232 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tap0901.sys -- (tap0901)
DRV:64bit: - [2011/11/25 01:25:52 | 000,015,360 | ---- | M] (June Fabrics Technology Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\pneteth.sys -- (pneteth)
DRV:64bit: - [2011/07/22 12:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2011/07/12 17:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2011/06/25 20:56:44 | 000,033,888 | ---- | M] (Applian Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\appliand.sys -- (appliandMP)
DRV:64bit: - [2011/06/25 20:56:44 | 000,033,888 | ---- | M] (Applian Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\appliand.sys -- (appliand)
DRV:64bit: - [2011/04/20 09:24:56 | 000,169,584 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)
DRV:64bit: - [2011/03/31 19:32:00 | 001,424,944 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2011/03/23 17:20:32 | 000,030,720 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tapoas.sys -- (tapoas)
DRV:64bit: - [2011/03/11 02:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 02:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 09:34:04 | 000,360,832 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\vpcvmm.sys -- (vpcvmm)
DRV:64bit: - [2010/11/20 09:34:04 | 000,194,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vpchbus.sys -- (vpcbus)
DRV:64bit: - [2010/11/20 09:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 07:35:34 | 000,095,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vpcusb.sys -- (vpcusb)
DRV:64bit: - [2010/11/20 07:35:22 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\vpcnfltr.sys -- (vpcnfltr)
DRV:64bit: - [2010/11/20 07:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/05/12 06:14:54 | 000,159,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadmdm.sys -- (ssadmdm)
DRV:64bit: - [2010/05/12 06:14:54 | 000,126,952 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadserd.sys -- (ssadserd)
DRV:64bit: - [2010/05/12 06:14:52 | 000,125,416 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadbus.sys -- (ssadbus)
DRV:64bit: - [2010/05/12 06:14:52 | 000,036,328 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadadb.sys -- (androidusb)
DRV:64bit: - [2010/05/12 06:14:52 | 000,016,872 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadmdfl.sys -- (ssadmdfl)
DRV:64bit: - [2010/02/20 12:24:34 | 010,300,800 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/02/01 13:29:48 | 000,232,992 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:64bit: - [2010/01/18 20:45:50 | 000,717,368 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CHDRT64.sys -- (CnxtHdAudService)
DRV:64bit: - [2009/12/17 18:25:17 | 000,034,472 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV:64bit: - [2009/10/22 04:45:28 | 000,080,944 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\vmci.sys -- (vmci)
DRV:64bit: - [2009/10/22 04:45:22 | 000,029,744 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VMkbd.sys -- (vmkbd)
DRV:64bit: - [2009/10/22 04:45:14 | 000,068,144 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\vmx86.sys -- (vmx86)
DRV:64bit: - [2009/10/22 04:45:12 | 000,030,256 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\vmnetuserif.sys -- (VMnetuserif)
DRV:64bit: - [2009/10/22 03:47:50 | 000,038,960 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\hcmon.sys -- (hcmon)
DRV:64bit: - [2009/10/22 00:13:34 | 000,037,680 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vmusb.sys -- (vmusb)
DRV:64bit: - [2009/10/22 00:13:28 | 000,045,104 | R--- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\vmnetbridge.sys -- (VMnetBridge)
DRV:64bit: - [2009/10/22 00:13:28 | 000,020,016 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV:64bit: - [2009/09/21 18:00:44 | 001,537,024 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2009/08/09 17:25:45 | 000,036,352 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VClone.sys -- (VClone)
DRV:64bit: - [2009/08/07 08:24:14 | 000,408,600 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/07/30 23:22:04 | 000,027,784 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV:64bit: - [2009/07/14 18:31:18 | 000,026,840 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\TVALZ_O.SYS -- (TVALZ)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 20:39:20 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV:64bit: - [2009/07/13 20:09:50 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usb8023x.sys -- (usb_rndisx)
DRV:64bit: - [2009/07/13 20:00:13 | 000,013,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Dot4Scan.sys -- (Dot4Scan)
DRV:64bit: - [2009/07/07 11:51:42 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\FwLnk.sys -- (FwLnk)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2011/06/08 13:02:10 | 000,004,992 | ---- | M] () [Kernel | System | Stopped] -- C:\Windows\SysWOW64\drivers\enport.sys -- (enport)
DRV - [2009/10/12 14:31:04 | 000,032,816 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Program Files (x86)\VMware\VMware Player\vstor2-ws60.sys -- (vstor2-ws60)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {F1010DBE-CE76-4F3F-BB41-7A2D697D7FA9}
IE:64bit: - HKLM\..\SearchScopes\{F1010DBE-CE76-4F3F-BB41-7A2D697D7FA9}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?brand=TSNA&bmod=TSNA
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {3605F864-C883-4416-9502-E4C854BA22DF}
IE - HKCU\..\SearchScopes\{3605F864-C883-4416-9502-E4C854BA22DF}: "URL" = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNA
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF64_11_2_202_235.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\sp\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\sp\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012/03/18 10:46:08 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\sp\AppData\Local\Google\Chrome\Application\21.0.1180.75\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\sp\AppData\Local\Google\Chrome\Application\21.0.1180.75\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\sp\AppData\Local\Google\Chrome\Application\21.0.1180.75\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\sp\AppData\Local\Google\Chrome\Application\21.0.1180.75\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.1.6 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.1.6 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.1.6 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.1.6 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.1.6 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.1.6 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.1.6 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
CHR - plugin: DivX Plus Web Player (Enabled) = C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
CHR - plugin: Foxit Reader Plugin for Mozilla (Enabled) = C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll

O1 HOSTS File: ([2012/08/18 08:09:31 | 000,000,797 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (no name) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4:64bit: - HKLM..\Run: [] File not found
O4:64bit: - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [cAudioFilterAgent] C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe (Conexant Systems, Inc.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe ()
O4:64bit: - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe (TOSHIBA Corporation)
O4:64bit: - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [ToshibaServiceStation] C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [VMware hqtray] C:\Program Files (x86)\VMware\VMware Player\hqtray.exe (VMware, Inc.)
O4 - HKCU..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe File not found
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Users\sp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdaNet Desktop.lnk = C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000011 - C:\Program Files (x86)\VMware\VMware Player\x64\vsocklib.dll (VMware, Inc.)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000012 - C:\Program Files (x86)\VMware\VMware Player\x64\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files (x86)\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files (x86)\VMware\VMware Player\vsocklib.dll (VMware, Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} https://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab (Reg Error: Key error.)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D} https://browsercheck.qualys.com/qbc_ax.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} Reg Error: Value error. (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.238.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{477012AE-3274-4556-BE48-83E2294A87FA}: DhcpNameServer = 192.168.80.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{79CF917E-69AB-4D81-BADC-79867C1E8584}: NameServer = 192.168.1.1,192.168.1.192
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B8DE0698-3083-45B5-A53E-FABE7FDC885C}: DhcpNameServer = 192.168.1.1 68.238.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D168C864-6912-4E18-BADE-C8BF6911D2C2}: DhcpNameServer = 192.168.42.129
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - File not found
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - File not found
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - File not found
O20 - HKLM Winlogon: UserInit - (C:\windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - File not found
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O29:64bit: - HKLM SecurityProviders - (credssp.dll) - File not found
O29 - HKLM SecurityProviders - (credssp.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{f59f8d30-2418-11e0-be54-005056c00008}\Shell - "" = AutoRun
O33 - MountPoints2\{f59f8d30-2418-11e0-be54-005056c00008}\Shell\AutoRun\command - "" = F:\KODAK_Software_Downloader.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/08/18 16:47:41 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/08/18 07:38:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/08/18 07:38:55 | 000,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysWow64\drivers\mbamswissarmy.sys
[2012/08/17 23:46:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012/08/17 23:34:59 | 000,845,728 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\sp\Desktop\rkill64.scr
[2012/08/17 23:26:33 | 001,545,120 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\sp\Desktop\iExplore.exe
[2012/08/17 23:25:25 | 001,545,120 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\sp\Desktop\rkill.scr
[2012/08/17 18:27:03 | 000,000,000 | ---D | C] -- C:\Users\sp\Desktop\Fix registry zonemap domains
[2012/08/17 17:47:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Sophos
[2012/08/17 17:47:02 | 000,000,000 | ---D | C] -- C:\Users\sp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sophos
[2012/08/17 17:46:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sophos
[2012/08/17 09:28:33 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2012/08/16 16:40:14 | 000,000,000 | ---D | C] -- C:\Users\sp\Desktop\cybot removal
[2012/08/16 16:37:51 | 000,000,000 | ---D | C] -- C:\Users\sp\Desktop\lspfix
[2012/08/16 15:57:27 | 000,000,000 | ---D | C] -- C:\Users\sp\AppData\Local\{71C7D7C9-230B-4954-BEA2-A1680FDA2620}
[2012/08/15 23:45:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Oracle
[2012/08/15 23:04:47 | 000,000,000 | ---D | C] -- C:\Users\Public\Desktop\CC Support
[2012/08/15 02:52:12 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2012/08/15 02:42:53 | 000,060,416 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
[2012/08/15 02:41:53 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/08/14 18:19:40 | 000,000,000 | ---D | C] -- C:\ProgramData\SpeedyPC Software
[2012/08/14 16:13:56 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/08/14 16:13:37 | 000,000,000 | ---D | C] -- C:\windows\erdnt
[2012/08/14 16:13:32 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2012/08/14 14:56:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\nLite
[2012/08/13 22:10:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2012/08/13 21:48:06 | 000,000,000 | ---D | C] -- C:\Users\sp\Documents\RegRun2
[2012/08/13 21:48:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\UnHackMe
[2012/08/13 19:36:09 | 000,000,000 | ---D | C] -- C:\Users\sp\AppData\Roaming\SUPERAntiSpyware.com
[2012/08/13 19:35:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2012/08/13 19:35:36 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/08/10 17:27:59 | 000,000,000 | ---D | C] -- C:\Users\sp\Documents\Outlook Files
[2012/08/10 16:49:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Windows Genuine Advantage
[2012/08/08 22:55:55 | 000,000,000 | ---D | C] -- C:\Users\sp\Desktop\script sheets
[2012/08/07 08:56:41 | 000,000,000 | ---D | C] -- C:\Users\sp\1
[2012/08/07 00:23:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\KeePass Password Safe 2
[2012/08/01 10:17:11 | 000,000,000 | ---D | C] -- C:\Program Files\Luttmann
[2012/08/01 10:16:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2012/08/01 09:57:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Teknowebworks LLC
[2012/07/31 16:12:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\DESIGNER
[2012/07/27 12:25:13 | 000,087,488 | ---- | C] (LogMeIn, Inc.) -- C:\windows\SysNative\LMIRfsClientNP.dll
[2012/07/27 12:25:13 | 000,072,216 | ---- | C] (LogMeIn, Inc.) -- C:\windows\SysNative\drivers\LMIRfsDriver.sys
[2012/07/27 12:25:13 | 000,034,720 | ---- | C] (LogMeIn, Inc.) -- C:\windows\SysNative\LMIport.dll
[2012/07/27 12:25:11 | 000,080,800 | ---- | C] (LogMeIn, Inc.) -- C:\windows\SysNative\LMIinit.dll
[2012/07/27 12:25:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\LogMeIn
[2012/07/27 12:16:03 | 002,949,048 | ---- | C] (Anyplace Control Software) -- C:\windows\NetworkCfg.exe
[2012/07/27 12:15:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Anyplace Control 4
[2012/07/26 19:26:33 | 000,000,000 | ---D | C] -- C:\windows\pss
[2012/07/26 15:26:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012/07/26 11:34:19 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/07/26 11:31:58 | 003,907,920 | ---- | C] (Piriform Ltd) -- C:\Users\sp\ccsetup321.exe
[2012/07/26 11:08:40 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2012/07/26 11:07:45 | 003,503,224 | ---- | C] (McAfee, Inc.) -- C:\Users\sp\SecurityScan_Release.exe
[2012/07/24 17:40:40 | 000,000,000 | ---D | C] -- C:\Users\sp\Desktop\router
[2012/07/23 21:07:33 | 000,000,000 | ---D | C] -- C:\Users\sp\remote desktop lock
[2012/07/22 10:49:16 | 000,000,000 | ---D | C] -- C:\windows\SysWow64\Hotspot Shield
[2012/07/20 23:23:45 | 000,000,000 | ---D | C] -- C:\Users\sp\AppData\Roaming\Synaptics
[2012/07/20 23:18:54 | 000,000,000 | ---D | C] -- C:\Program Files\Synaptics
[2012/07/20 23:18:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Synaptics
[2012/07/20 23:18:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Synaptics
[2012/07/20 23:18:09 | 001,721,576 | ---- | C] (Microsoft Corporation) -- C:\windows\SysNative\WdfCoInstaller01009.dll
[2012/07/20 23:18:06 | 000,411,432 | ---- | C] (Synaptics Incorporated) -- C:\windows\SysNative\SynCOM.dll
[2012/07/20 23:18:06 | 000,274,728 | ---- | C] (Synaptics Incorporated) -- C:\windows\SysNative\SynCtrl.dll
[2012/07/20 23:18:06 | 000,225,576 | ---- | C] (Synaptics Incorporated) -- C:\windows\SysNative\SynTPAPI.dll
[2012/07/20 23:18:06 | 000,218,408 | ---- | C] (Synaptics Incorporated) -- C:\windows\SysWow64\SynCtrl.dll
[2012/07/20 23:18:06 | 000,173,352 | ---- | C] (Synaptics Incorporated) -- C:\windows\SysWow64\SynCOM.dll
[2012/07/20 23:18:06 | 000,148,264 | ---- | C] (Synaptics Incorporated) -- C:\windows\SysNative\SynTPCo9.dll
[2012/07/20 23:18:05 | 001,424,944 | ---- | C] (Synaptics Incorporated) -- C:\windows\SysNative\drivers\SynTP.sys
[2012/07/20 23:18:05 | 000,107,816 | ---- | C] (Synaptics Incorporated) -- C:\windows\SysWow64\SynTPCOM.dll
[2012/07/20 21:10:15 | 000,000,000 | ---D | C] -- C:\Users\sp\seclog
[2011/01/23 09:01:08 | 010,257,160 | ---- | C] (SUPERAntiSpyware.com) -- C:\Users\sp\SUPERAntiSpyware.exe

========== Files - Modified Within 30 Days ==========

[2012/08/18 17:01:21 | 000,000,218 | ---- | M] () -- C:\Users\sp\.recently-used.xbel
[2012/08/18 17:01:07 | 000,018,736 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/08/18 17:01:07 | 000,018,736 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/08/18 16:53:07 | 000,000,266 | ---- | M] () -- C:\windows\tasks\AutoKMS.job
[2012/08/18 16:52:55 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2012/08/18 16:52:50 | 3117,391,872 | -HS- | M] () -- C:\hiberfil.sys
[2012/08/18 16:44:12 | 000,764,574 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2012/08/18 16:44:12 | 000,651,848 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2012/08/18 16:44:12 | 000,118,062 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2012/08/18 16:36:21 | 000,000,504 | ---- | M] () -- C:\windows\tasks\SUPERAntiSpyware Scheduled Task a7d8e76e-2f65-4376-8b4d-5b999a63c047.job
[2012/08/18 13:49:41 | 000,001,819 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/08/18 08:09:31 | 000,000,797 | ---- | M] () -- C:\windows\SysNative\drivers\etc\hosts
[2012/08/17 23:34:59 | 000,845,728 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\sp\Desktop\rkill64.scr
[2012/08/17 23:26:33 | 001,545,120 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\sp\Desktop\iExplore.exe
[2012/08/17 23:25:25 | 001,545,120 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\sp\Desktop\rkill.scr
[2012/08/17 23:24:57 | 000,000,335 | ---- | M] () -- C:\Users\sp\Desktop\FixExe.reg
[2012/08/17 23:13:14 | 000,000,896 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2171367089-1786558459-2383774983-1001UA.job
[2012/08/17 23:13:14 | 000,000,844 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2171367089-1786558459-2383774983-1001Core.job
[2012/08/17 17:47:02 | 000,003,191 | ---- | M] () -- C:\Users\sp\Desktop\Sophos Virus Removal Tool.lnk
[2012/08/17 14:17:37 | 000,002,082 | -H-- | M] () -- C:\Users\sp\Documents\Default.rdp
[2012/08/16 16:15:22 | 000,216,858 | ---- | M] () -- C:\Users\sp\Desktop\Mxxxxx Dxxxx fax.pdf
[2012/08/16 16:06:00 | 000,185,135 | ---- | M] () -- C:\Users\sp\Desktop\208234399288.PDF
[2012/08/16 16:06:00 | 000,032,124 | ---- | M] () -- C:\Users\sp\Desktop\208234399452.PDF
[2012/08/15 00:27:21 | 000,351,461 | ---- | M] () -- C:\Users\sp\Desktop\sys maint - User defined ports.png
[2012/08/14 14:23:50 | 000,000,504 | ---- | M] () -- C:\windows\tasks\SUPERAntiSpyware Scheduled Task 8b654bda-699d-4728-8348-ecd108a15722.job
[2012/08/13 19:18:29 | 000,180,566 | ---- | M] () -- C:\Users\sp\Desktop\server domain.png
[2012/08/12 14:05:10 | 000,159,625 | ---- | M] () -- C:\Users\sp\Desktop\Untitled.png
[2012/08/12 12:35:55 | 000,033,995 | ---- | M] () -- C:\Users\sp\Desktop\server TCP.png
[2012/08/10 16:50:08 | 000,000,000 | -H-- | M] () -- C:\windows\wusa.lock
[2012/08/06 15:49:23 | 000,001,052 | ---- | M] () -- C:\Users\sp\AppData\Roaming\Videos - Shortcut.lnk
[2012/08/01 12:51:04 | 000,054,156 | -H-- | M] () -- C:\windows\QTFont.qfn
[2012/08/01 12:51:04 | 000,001,409 | ---- | M] () -- C:\windows\QTFont.for
[2012/08/01 10:16:17 | 000,002,447 | ---- | M] () -- C:\Users\sp\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk
[2012/07/31 17:08:04 | 000,001,106 | ---- | M] () -- C:\Users\sp\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
[2012/07/31 17:02:12 | 004,979,552 | ---- | M] () -- C:\windows\SysNative\FNTCACHE.DAT
[2012/07/31 13:24:44 | 000,012,690 | ---- | M] () -- C:\Users\sp\Documents\FRIGGEN TEST PRINT.pdf
[2012/07/27 12:25:10 | 000,001,024 | ---- | M] () -- C:\.rnd
[2012/07/26 11:40:14 | 000,559,364 | ---- | M] () -- C:\Users\sp\Documents\cc_20120726_113959.reg
[2012/07/26 11:32:38 | 003,907,920 | ---- | M] (Piriform Ltd) -- C:\Users\sp\ccsetup321.exe
[2012/07/25 16:34:57 | 003,503,224 | ---- | M] (McAfee, Inc.) -- C:\Users\sp\SecurityScan_Release.exe
[2012/07/24 11:15:56 | 000,000,000 | ---- | M] () -- C:\windows\SysWow64\cd.dat

========== Files Created - No Company Name ==========

[2012/08/18 14:22:24 | 000,000,218 | ---- | C] () -- C:\Users\sp\.recently-used.xbel
[2012/08/18 13:50:10 | 000,000,504 | ---- | C] () -- C:\windows\tasks\SUPERAntiSpyware Scheduled Task a7d8e76e-2f65-4376-8b4d-5b999a63c047.job
[2012/08/18 13:49:41 | 000,001,819 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2012/08/17 23:24:57 | 000,000,335 | ---- | C] () -- C:\Users\sp\Desktop\FixExe.reg
[2012/08/17 17:47:02 | 000,003,191 | ---- | C] () -- C:\Users\sp\Desktop\Sophos Virus Removal Tool.lnk
[2012/08/16 16:15:12 | 000,216,858 | ---- | C] () -- C:\Users\sp\Desktop\Mxxxxx Dxxxx fax.pdf
[2012/08/16 16:06:00 | 000,185,135 | ---- | C] () -- C:\Users\sp\Desktop\208234399288.PDF
[2012/08/16 16:06:00 | 000,032,124 | ---- | C] () -- C:\Users\sp\Desktop\208234399452.PDF
[2012/08/15 00:27:20 | 000,351,461 | ---- | C] () -- C:\Users\sp\Desktop\sys maint - User defined ports.png
[2012/08/13 19:36:15 | 000,000,504 | ---- | C] () -- C:\windows\tasks\SUPERAntiSpyware Scheduled Task 8b654bda-699d-4728-8348-ecd108a15722.job
[2012/08/13 19:18:29 | 000,180,566 | ---- | C] () -- C:\Users\sp\Desktop\server domain.png
[2012/08/12 14:05:09 | 000,159,625 | ---- | C] () -- C:\Users\sp\Desktop\Untitled.png
[2012/08/12 12:35:55 | 000,033,995 | ---- | C] () -- C:\Users\sp\Desktop\server TCP.png
[2012/08/10 16:50:08 | 000,000,000 | -H-- | C] () -- C:\windows\wusa.lock
[2012/08/09 10:52:53 | 000,000,896 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2171367089-1786558459-2383774983-1001UA.job
[2012/08/09 10:52:53 | 000,000,844 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-2171367089-1786558459-2383774983-1001Core.job
[2012/08/06 15:49:23 | 000,001,052 | ---- | C] () -- C:\Users\sp\AppData\Roaming\Videos - Shortcut.lnk
[2012/08/01 12:51:04 | 000,054,156 | -H-- | C] () -- C:\windows\QTFont.qfn
[2012/08/01 12:51:04 | 000,001,409 | ---- | C] () -- C:\windows\QTFont.for
[2012/08/01 10:16:17 | 000,002,447 | ---- | C] () -- C:\Users\sp\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk
[2012/07/31 13:24:38 | 000,012,690 | ---- | C] () -- C:\Users\sp\Documents\FRIGGEN TEST PRINT.pdf
[2012/07/26 11:40:02 | 000,559,364 | ---- | C] () -- C:\Users\sp\Documents\cc_20120726_113959.reg
[2012/07/24 11:15:56 | 000,000,000 | ---- | C] () -- C:\windows\SysWow64\cd.dat
[2012/07/20 23:18:05 | 000,066,856 | ---- | C] () -- C:\windows\SysWow64\SynTPEnhPS.dll
[2012/04/11 17:29:00 | 000,000,000 | ---- | C] () -- C:\Users\sp\AppData\Roaming\bibstats
[2012/01/11 01:07:22 | 000,000,000 | ---- | C] () -- C:\Users\sp\AppData\Local\{2C22A97B-BB3F-408F-8B1D-3CC6585F1969}
[2011/12/16 14:33:40 | 000,192,424 | -H-- | C] () -- C:\windows\SysWow64\mlfcache.dat
[2011/12/02 12:10:22 | 000,001,843 | ---- | C] () -- C:\Users\sp\.jscreenfix.licence
[2011/11/15 12:25:05 | 000,000,017 | ---- | C] () -- C:\Users\sp\stinger10101327.opt
[2011/10/31 13:17:21 | 000,081,920 | -H-- | C] () -- C:\windows\SysWow64\v3shrtkgn.dll
[2011/10/28 12:20:14 | 000,000,702 | ---- | C] () -- C:\Users\sp\.jscreenfix-deluxe.licence
[2011/09/26 23:37:22 | 000,000,033 | ---- | C] () -- C:\Users\sp\.gtkrc-2.0
[2011/09/02 10:22:52 | 000,000,017 | ---- | C] () -- C:\Users\sp\AppData\Local\resmon.resmoncfg
[2011/09/01 15:30:07 | 001,589,248 | ---- | C] () -- C:\windows\SysWow64\libmysql_d.dll
[2011/08/09 22:14:42 | 000,000,000 | ---- | C] () -- C:\Users\sp\netstat
[2011/08/09 18:46:06 | 000,000,023 | ---- | C] () -- C:\windows\ODBCINST.INI
[2011/08/03 22:36:49 | 000,707,354 | ---- | C] () -- C:\windows\unins000.exe
[2011/08/03 22:36:49 | 000,005,697 | ---- | C] () -- C:\windows\unins000.dat
[2011/07/03 08:49:55 | 000,004,096 | -H-- | C] () -- C:\Users\sp\AppData\Local\keyfile3.drm
[2011/06/08 13:34:02 | 000,010,752 | ---- | C] () -- C:\windows\SysWow64\BASSMOD.dll
[2011/06/08 13:14:06 | 000,000,116 | ---- | C] () -- C:\ProgramData\avalon2.2.ini
[2011/06/08 13:13:59 | 000,219,136 | ---- | C] () -- C:\windows\sqlite3_engine.dll
[2011/06/08 13:13:55 | 000,340,992 | ---- | C] () -- C:\windows\SysWow64\sqlite36_engine.dll
[2011/06/08 13:02:10 | 000,008,192 | ---- | C] () -- C:\windows\SysWow64\gsimrxnp.dll
[2011/06/08 13:02:09 | 000,004,992 | ---- | C] () -- C:\windows\SysWow64\drivers\enport.sys
[2011/05/10 22:25:08 | 000,085,504 | ---- | C] () -- C:\windows\SysWow64\ff_vfw.dll
[2011/03/30 22:00:00 | 000,490,815 | ---- | C] () -- C:\Users\sp\Big Mountain City 2.sc3
[2011/03/03 20:58:49 | 000,002,560 | ---- | C] () -- C:\windows\_MSRSTRT.EXE
[2011/02/28 16:48:12 | 000,015,666 | ---- | C] () -- C:\Users\sp\playonTV license.pdf
[2011/02/11 11:25:16 | 000,248,320 | ---- | C] () -- C:\Users\sp\Drawing2-test.vsd
[2011/02/10 23:54:21 | 000,479,131 | ---- | C] () -- C:\Users\sp\Big Mountain City.sc3
[2011/02/07 23:32:11 | 000,000,281 | ---- | C] () -- C:\windows\EReg072.dat
[2011/01/19 23:40:38 | 001,247,814 | ---- | C] () -- C:\Users\sp\100_0004.JPG
[2011/01/19 23:40:37 | 001,201,542 | ---- | C] () -- C:\Users\sp\100_0003.JPG
[2010/11/04 08:51:06 | 000,009,308 | ---- | C] () -- C:\Users\sp\AppData\Roaming\Tab Separated Values (Windows).EML
[2010/11/04 08:42:52 | 000,009,305 | ---- | C] () -- C:\Users\sp\AppData\Roaming\Microsoft Excel 97-2003.EML
[2010/08/30 09:19:18 | 000,000,000 | ---- | C] () -- C:\windows\HPMProp.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 143 bytes -> C:\Users\sp\AppData\Roaming\Tab Separated Values (Windows).EML:OECustomProperty
@Alternate Data Stream - 143 bytes -> C:\Users\sp\AppData\Roaming\Microsoft Excel 97-2003.EML:OECustomProperty
@Alternate Data Stream - 143 bytes -> C:\ProgramData\TEMP:FB1B13D8
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:9ABD7EE6
@Alternate Data Stream - 118 bytes -> C:\ProgramData\TEMP:C28667BE

< End of report >



Of note: I am not sure what the "LogMeIn" software is about, since I do not use it (unless it is a rename of the Windows Remote Desktop service).


Your help is much appreciated,

Shane

Edited by ShaneInFlorida, 18 August 2012 - 06:25 PM.



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 August 2012 - 03:24 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 ShaneInFlorida

ShaneInFlorida
  • Topic Starter

  • Members
  • 29 posts

Posted 20 August 2012 - 02:24 PM

Hi Gringo,

Thank you for responding and I've done as requested.

The system is still redirecting and, upon sending the search query, the page doesn't have the normal search indications ... it doesn't have the twirler in the page tab to indicate it is checking. When you click on a result (I always use 'open in new tab'), the page first just grays out the other selections until the other page is done loading the invalid result link. If I click on the tab with the invalid page and click the back arrow once, then the page redirects to the one originally desired (sometimes it just reverts to the incorrect site and requires a subsequent back click to get it to point to the correct site).

The sound is still there. Usually it sounds like ... Russian vocals and music? Sometimes it's just commercials (in English ... usually a Mitt Romney political ad) with the music in the background. I mention that I suspect it is Russian-region music as the first series of IP addresses I obtained from the hacker attempting to log in remotely to our server were from the Ukraine; thereafter it was usually from China, though I suspect he began using a proxy. I could be wrong, but I am not sure if there is relevance or use for such information.



Security Check

No Notepad .txt/log was created. While it was running, the program seemed unable to run any of the commands "'x' is not recognized as an internal or external command, operable program or batch file.", etc. comments throughout. (seemed as though it was trying to look in the wrong directories).

Combofix
Seemed to work through its processes normally, including a reboot in the middle of the process. Below is the output of the text file:




ComboFix 12-08-20.01 - sp 08/20/2012 13:56:20.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3964.2218 [GMT -4:00]

Running from: c:\users\sp\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\sp\SecurityScan_Release.exe

c:\windows\inf\gsiata.inf

c:\windows\inf\gsiata.sys

c:\windows\SysWow64\index.html

F:\Autorun.inf

F:\Setup.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-07-20 to 2012-08-20 )))))))))))))))))))))))))))))))

.

.

2012-08-20 18:28 . 2012-08-20 18:28 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-08-20 04:22 . 2012-08-20 04:22 73728 ----a-r- c:\users\sp\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe

2012-08-20 04:22 . 2012-08-20 04:22 73728 ----a-r- c:\users\sp\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe

2012-08-20 04:22 . 2012-08-20 04:22 73728 ----a-r- c:\users\sp\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe

2012-08-20 04:21 . 2012-08-20 04:21 -------- d-----w- c:\program files (x86)\Sophos

2012-08-20 03:39 . 2012-06-29 07:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8283A64F-B1F0-4CE7-AC92-094E0D5741D6}\mpengine.dll

2012-08-19 23:41 . 2012-08-20 01:10 -------- d-----w- C:\FRST

2012-08-19 16:46 . 2012-08-19 21:59 -------- d-----w- c:\windows\SysWow64\wbem\Performance

2012-08-19 16:39 . 2008-05-08 02:03 303616 ----a-w- C:\SetACL.exe

2012-08-19 16:27 . 2004-06-11 20:33 290304 ----a-w- C:\subinacl.exe

2012-08-19 16:26 . 2012-08-19 16:26 -------- d-----w- C:\RegBackup

2012-08-19 15:45 . 2012-08-19 17:04 181064 ----a-w- c:\windows\PSEXESVC.EXE

2012-08-19 15:43 . 2012-08-19 22:12 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs

2012-08-18 23:48 . 2012-06-29 07:04 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-08-18 20:51 . 2012-08-18 20:50 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DB2F5AEB-5244-46FB-8884-CA5DA4968FE0}\gapaengine.dll

2012-08-18 11:38 . 2009-07-13 17:36 38160 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys

2012-08-17 21:47 . 2012-08-17 21:47 -------- d-----w- c:\programdata\Sophos

2012-08-16 03:45 . 2012-08-16 03:45 -------- d-----w- c:\program files (x86)\Oracle

2012-08-15 06:52 . 2012-08-15 06:52 -------- d-----w- c:\program files\Enigma Software Group

2012-08-14 22:19 . 2012-08-15 04:14 -------- d-----w- c:\programdata\SpeedyPC Software

2012-08-14 18:56 . 2012-08-17 17:52 -------- d-----w- c:\program files (x86)\nLite

2012-08-14 02:10 . 2012-08-18 11:45 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-08-14 01:48 . 2012-08-17 17:52 -------- d-----w- c:\program files (x86)\UnHackMe

2012-08-13 23:36 . 2012-08-13 23:36 -------- d-----w- c:\users\sp\AppData\Roaming\SUPERAntiSpyware.com

2012-08-13 23:35 . 2012-08-18 17:50 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-08-07 04:23 . 2012-08-17 17:52 -------- d-----w- c:\program files (x86)\KeePass Password Safe 2

2012-08-01 14:17 . 2012-08-01 14:17 -------- d-----w- c:\program files\Luttmann

2012-08-01 13:57 . 2012-08-17 17:52 -------- d-----w- c:\program files (x86)\Teknowebworks LLC

2012-07-27 20:51 . 2012-07-27 20:51 184248 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll

2012-07-27 16:25 . 2012-07-05 22:11 87488 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2012-07-27 16:25 . 2012-07-05 22:10 59808 ----a-w- c:\windows\system32\Spool\prtprocs\x64\LMIproc.dll

2012-07-27 16:25 . 2012-07-05 22:10 34720 ----a-w- c:\windows\system32\LMIport.dll

2012-07-27 16:25 . 2012-06-08 16:06 72216 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys

2012-07-27 16:25 . 2012-07-05 22:10 80800 ----a-w- c:\windows\system32\LMIinit.dll

2012-07-27 16:25 . 2012-07-27 16:26 -------- d-----w- c:\program files (x86)\LogMeIn

2012-07-27 16:16 . 2012-06-15 21:51 2949048 ----a-w- c:\windows\NetworkCfg.exe

2012-07-27 16:15 . 2012-07-27 16:18 -------- d-----w- c:\programdata\Anyplace Control 4

2012-07-26 15:08 . 2012-07-26 15:08 -------- d-----w- c:\programdata\McAfee

2012-07-22 14:49 . 2012-07-22 14:49 -------- d-----w- c:\windows\SysWow64\Hotspot Shield

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-08-18 17:40 . 2010-07-28 01:26 62134624 ----a-w- c:\windows\system32\MRT.exe

2012-07-10 02:48 . 2012-07-10 02:48 41704 ----a-w- c:\windows\system32\drivers\hssdrv6.sys

2012-06-25 20:04 . 2012-06-25 20:04 1394248 ----a-w- c:\windows\SysWow64\msxml4.dll

2012-06-19 15:08 . 2012-03-30 12:14 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-06-19 15:08 . 2011-07-15 13:38 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-06-12 03:08 . 2012-07-11 23:59 3148800 ----a-w- c:\windows\system32\win32k.sys

2012-06-09 05:43 . 2012-07-11 13:14 14172672 ----a-w- c:\windows\system32\shell32.dll

2012-06-08 16:05 . 2012-06-08 16:05 35616 ----a-w- c:\windows\system32\lmimirr.dll

2012-06-08 16:05 . 2012-06-08 16:05 14624 ----a-w- c:\windows\system32\lmimirr2.dll

2012-06-08 16:05 . 2012-06-08 16:05 11552 ----a-w- c:\windows\system32\drivers\lmimirr.sys

2012-06-07 00:59 . 2012-06-07 00:59 1070152 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX

2012-06-06 06:06 . 2012-07-11 13:14 2004480 ----a-w- c:\windows\system32\msxml6.dll

2012-06-06 06:06 . 2012-07-11 13:14 1881600 ----a-w- c:\windows\system32\msxml3.dll

2012-06-06 06:02 . 2012-07-11 13:14 1133568 ----a-w- c:\windows\system32\cdosys.dll

2012-06-06 05:05 . 2012-07-11 13:14 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll

2012-06-06 05:05 . 2012-07-11 13:14 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll

2012-06-06 05:03 . 2012-07-11 13:14 805376 ----a-w- c:\windows\SysWow64\cdosys.dll

2012-06-02 22:19 . 2012-06-21 19:53 38424 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2012-06-21 19:53 2428952 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-02 22:19 . 2012-06-21 19:53 57880 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2012-06-21 19:53 44056 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2012-06-21 19:53 701976 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:15 . 2012-06-21 19:53 2622464 ----a-w- c:\windows\system32\wucltux.dll

2012-06-02 22:15 . 2012-06-21 19:53 99840 ----a-w- c:\windows\system32\wudriver.dll

2012-06-02 19:19 . 2012-06-21 19:53 186752 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-02 19:15 . 2012-06-21 19:53 36864 ----a-w- c:\windows\system32\wuapp.exe

2012-06-02 12:49 . 2012-07-11 23:55 17807360 ----a-w- c:\windows\system32\mshtml.dll

2012-06-02 12:17 . 2012-07-11 23:55 10924032 ----a-w- c:\windows\system32\ieframe.dll

2012-06-02 12:12 . 2012-07-11 23:55 2311680 ----a-w- c:\windows\system32\jscript9.dll

2012-06-02 12:05 . 2012-07-11 23:55 1346048 ----a-w- c:\windows\system32\urlmon.dll

2012-06-02 12:05 . 2012-07-11 23:55 1392128 ----a-w- c:\windows\system32\wininet.dll

2012-06-02 12:04 . 2012-07-11 23:55 1494528 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-02 12:04 . 2012-07-11 23:55 237056 ----a-w- c:\windows\system32\url.dll

2012-06-02 12:03 . 2012-07-11 23:55 85504 ----a-w- c:\windows\system32\jsproxy.dll

2012-06-02 12:01 . 2012-07-11 23:55 173056 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-02 12:00 . 2012-07-11 23:55 818688 ----a-w- c:\windows\system32\jscript.dll

2012-06-02 11:59 . 2012-07-11 23:55 2144768 ----a-w- c:\windows\system32\iertutil.dll

2012-06-02 11:57 . 2012-07-11 23:55 96768 ----a-w- c:\windows\system32\mshtmled.dll

2012-06-02 11:57 . 2012-07-11 23:55 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-02 11:54 . 2012-07-11 23:55 248320 ----a-w- c:\windows\system32\ieui.dll

2012-06-02 08:33 . 2012-07-11 23:55 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll

2012-06-02 08:25 . 2012-07-11 23:55 1129472 ----a-w- c:\windows\SysWow64\wininet.dll

2012-06-02 08:25 . 2012-07-11 23:55 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2012-06-02 08:20 . 2012-07-11 23:55 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2012-06-02 08:16 . 2012-07-11 23:55 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2012-06-02 05:50 . 2012-07-11 13:14 458704 ----a-w- c:\windows\system32\drivers\cng.sys

2012-06-02 05:48 . 2012-07-11 13:14 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-06-02 05:48 . 2012-07-11 13:14 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2012-06-02 05:45 . 2012-07-11 13:14 340992 ----a-w- c:\windows\system32\schannel.dll

2012-06-02 05:44 . 2012-07-11 13:14 307200 ----a-w- c:\windows\system32\ncrypt.dll

2012-06-02 04:40 . 2012-07-11 13:14 22016 ----a-w- c:\windows\SysWow64\secur32.dll

2012-06-02 04:40 . 2012-07-11 13:14 225280 ----a-w- c:\windows\SysWow64\schannel.dll

2012-06-02 04:39 . 2012-07-11 13:14 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll

2012-06-02 04:34 . 2012-07-11 13:14 96768 ----a-w- c:\windows\SysWow64\sspicli.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-07-09 5661056]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"VMware hqtray"="c:\program files (x86)\VMware\VMware Player\hqtray.exe" [2009-10-22 64048]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]

"BingDesktop"="c:\program files (x86)\Microsoft\BingDesktop\BingDesktop.exe" [2012-03-30 1858152]

.

c:\users\sp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

PdaNet Desktop.lnk - c:\program files (x86)\PdaNet for Android\PdaNetPC.exe [2012-2-21 484976]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Metro Hi Speed Fax Printer 2.0.lnk - c:\windows\Installer\{67D6341F-D624-4546-9313-EAF3545A687B}\_13213725DC6644B2BF8CF5D40C9F2756.exe [2011-3-2 120280]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux2"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R1 enport;enport;c:\windows\system32\drivers\enport.sys [x]

R1 vcdrom;Virtual CD-ROM Device Driver;c:\users\sp\Downloads\New folder (2)\VCdRom.sys [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-29 135664]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [x]

R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [2010-05-12 36328]

R3 appliand;Applian Network Service;c:\windows\system32\DRIVERS\appliand.sys [2011-06-26 33888]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-29 135664]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-27 291696]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-02-01 232992]

R3 SophosVirusRemovalTool;Sophos Virus Removal Tool;c:\program files (x86)\Sophos\Sophos Virus Removal Tool\SVRTservice.exe [2012-07-10 151104]

R3 SQLAgent$ASI;SQLAgent$ASI;c:\program files (x86)\Microsoft SQL Server\MSSQL$ASI\Binn\sqlagent.EXE [2002-12-17 311872]

R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2010-05-12 125416]

R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2010-05-12 16872]

R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2010-05-12 159208]

R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys [2010-05-12 126952]

R3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\DRIVERS\tapoas.sys [2011-03-23 30720]

R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-28 1255736]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]

S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2010-10-18 20549]

S2 BingDesktopUpdate;Bing Desktop Update service;c:\program files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe [2012-03-30 151656]

S2 MSSQL$ASI;MSSQL$ASI;c:\program files (x86)\Microsoft SQL Server\MSSQL$ASI\Binn\sqlservr.exe [2002-12-17 7520337]

S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\NLSSRV32.EXE [2011-01-31 68928]

S2 PlayItVideoServer;PlayIt Video Server Manager;c:\program files\Luttmann\vmcPlayIt\PlayItVideoServer.exe [2010-06-12 96768]

S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-10-22 80944]

S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2009-10-22 563760]

S3 appliandMP;appliandMP;c:\windows\system32\DRIVERS\appliand.sys [2011-06-26 33888]

S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2009-07-07 9216]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2011-04-20 169584]

S3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [2011-11-25 15360]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-08-20 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 8b654bda-699d-4728-8348-ecd108a15722.job

- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-18 166424]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-18 391192]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-18 410648]

"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2010-03-10 520760]

"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]

"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]

"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2011-02-03 170496]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 1271168]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1573160]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/ig?brand=TSNA&bmod=TSNA

mStart Page = hxxp://www.google.com/ig?brand=TSNA&bmod=TSNA

mLocal Page = c:\windows\system32\blank.htm

TCP: DhcpNameServer = 192.168.80.1

TCP: Interfaces\{79CF917E-69AB-4D81-BADC-79867C1E8584}: NameServer = 192.168.1.1,192.168.1.192

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\shell32.dll

.

.

------- File Associations -------

.

.txt=bftxtfile

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

ShellIconOverlayIdentifiers-{F072B218-4201-4A43-ADAE-BB7C39395622} - (no file)

Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe

Notify-igfxcui - (no file)

SafeBoot-76399340.sys

Toolbar-Locked - (no file)

WebBrowser-{1392B8D2-5C05-419F-A8F6-B9F15A596612} - (no file)

HKLM-Run-(Default) - (no file)

HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE

HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe

HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe

AddRemove-{2EF17083-57D4-4D64-AE4F-55F32A2C4571} - c:\programdata\Codecv\uninstall.exe

AddRemove-{FBBC4667-2521-4E78-B1BD-8706F774549B} - c:\programdata\{249B9E04-F0FC-434D-B0D8-12D3EDFF3B77}\Best Buy Software Installer Setup.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2171367089-1786558459-2383774983-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6CFC5BDB-0327-07F6-95B4-8D10026A237D}*]

@Allowed: (Read) (RestrictedCode)

"iadpipgfkdilbdemgc"=hex:6a,61,68,68,6d,64,68,69,65,70,66,6e,68,65,6a,70,62,6b,

69,6e,00,71

"hajokggnppmofbee"=hex:6a,61,68,68,6d,64,68,69,65,70,66,6e,68,65,6a,70,62,6b,

69,6e,00,fe

"haeedpjdjaokagio"=hex:66,61,62,69,61,63,6d,64,62,6b,6e,6d,00,00

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\xampp\mysql\bin\mysqld.exe

c:\windows\SysWOW64\vmnat.exe

c:\program files (x86)\VMware\VMware Player\vmware-authd.exe

c:\windows\SysWOW64\vmnetdhcp.exe

.

**************************************************************************

.

Completion time: 2012-08-20 14:55:12 - machine was rebooted

ComboFix-quarantined-files.txt 2012-08-20 18:55

.

Pre-Run: 150,151,344,128 bytes free

Post-Run: 149,937,094,656 bytes free

.

- - End Of File - - E6031205FB7EE517CF60E037A1C4E44B
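The ComboFix report above lists the UAC policy values under HKLM\...\policies\system and a locked Shell Extensions\Approved key holding hex-encoded binary values. The script below is an added example, not part of ComboFix, the forum post or BleepingComputer's procedure: it parses a constructed excerpt in the same format, flags UAC policy values that are weaker than the Windows defaults (the values an analyst would want restored after cleanup), and renders the hex values as printable text so they can be inspected. The SID and CLSID in the sample are placeholders; the DWORD values, value names and hex bytes mirror the report above.

```python
from __future__ import annotations

import re

# Constructed excerpt in ComboFix's "Reg Loading Points" / "LOCKED REGISTRY KEYS"
# format. The SID and CLSID are placeholders; the DWORD values and hex bytes
# mirror the report pasted in the post above.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system"
LOCKED_KEY = (r"HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion"
              r"\Shell Extensions\Approved\{00000000-0000-0000-0000-000000000000}*")

SAMPLE_LOG = f"""
[{POLICY_KEY}]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

--------------------- LOCKED REGISTRY KEYS ---------------------

[{LOCKED_KEY}]
@Allowed: (Read) (RestrictedCode)
"iadpipgfkdilbdemgc"=hex:6a,61,68,68,6d,64,68,69,65,70,66,6e,68,65,6a,70,62,6b,
69,6e,00,71
"haeedpjdjaokagio"=hex:66,61,62,69,61,63,6d,64,62,6b,6e,6d,00,00
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)\s*\(0x[0-9A-Fa-f]+\)$')
HEX_RE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<data>[0-9A-Fa-f,]*)$')


def parse_registry_dump(text: str) -> dict[str, dict[str, int | bytes]]:
    """Return {key_path: {value_name: int | bytes}} from a ComboFix-style dump.
    ComboFix wraps long hex values with a trailing comma; those continuation
    lines are joined back onto the value."""
    result: dict[str, dict[str, int | bytes]] = {}
    current = None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if m := KEY_RE.match(line):
            current = m.group("key")
            result.setdefault(current, {})
        elif current and (m := DWORD_RE.match(line)):
            result[current][m.group("name")] = int(m.group("val"))
        elif current and (m := HEX_RE.match(line)):
            data = m.group("data")
            while data.endswith(",") and i + 1 < len(lines):
                i += 1
                data += lines[i]
            result[current][m.group("name")] = bytes(int(b, 16) for b in data.split(",") if b)
        i += 1
    return result


def uac_findings(policy: dict[str, int | bytes]) -> list[str]:
    """Compare policies\\system values with the Windows defaults (EnableLUA=1,
    ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1). A missing value
    means the default is in force, so only explicit weakenings are reported."""
    findings = []
    if policy.get("EnableLUA", 1) == 0:
        findings.append("EnableLUA=0: UAC is switched off entirely")
    if policy.get("ConsentPromptBehaviorAdmin", 5) == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt")
    if policy.get("PromptOnSecureDesktop", 1) == 0:
        findings.append("PromptOnSecureDesktop=0: elevation prompts are drawn on the normal desktop, "
                        "where other programs can overlay them")
    return findings


def printable_hint(data: bytes) -> str:
    """Render a REG_BINARY value as text, escaping non-printable bytes as \\xNN."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in data)


def triage(text: str) -> list[str]:
    """Run the UAC check on the policies\\system key and describe every binary
    value found anywhere in the dump (the locked-key values in the report)."""
    findings = []
    for key, values in parse_registry_dump(text).items():
        if key.lower().endswith(r"\policies\system"):
            findings.extend(uac_findings(values))
        leaf = key.rsplit("\\", 1)[-1]
        for name, value in values.items():
            if isinstance(value, bytes):
                findings.append(f"binary value {name} ({len(value)} bytes) under ...\\{leaf}: "
                                f"{printable_hint(value)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Running it against a real ComboFix log works the same way: read the file and pass its text to `triage()`. The decoded strings are shown only so the analyst can see what was written; the script does not attribute them to any particular malware family.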

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 August 2012 - 03:01 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#5 ShaneInFlorida

ShaneInFlorida
  • Topic Starter

  • Members
  • 29 posts

Posted 21 August 2012 - 08:38 AM

Hey Gringo,

The TDSSKiller finally ran ... feeling some progress here. However, the AVAST (aswMBR) would not run.

TDSSKiller Log

09:22:54.0711 4168 TDSS rootkit removing tool 2.8.7.0 Aug 20 2012 17:30:03
09:22:55.0132 4168 ============================================================
09:22:55.0132 4168 Current date / time: 2012/08/21 09:22:55.0132
09:22:55.0132 4168 SystemInfo:
09:22:55.0132 4168
09:22:55.0132 4168 OS Version: 6.1.7601 ServicePack: 1.0
09:22:55.0132 4168 Product type: Workstation
09:22:55.0132 4168 ComputerName: SP-PC
09:22:55.0132 4168 UserName: sp
09:22:55.0132 4168 Windows directory: C:\windows
09:22:55.0132 4168 System windows directory: C:\windows
09:22:55.0132 4168 Running under WOW64
09:22:55.0132 4168 Processor architecture: Intel x64
09:22:55.0132 4168 Number of processors: 2
09:22:55.0132 4168 Page size: 0x1000
09:22:55.0132 4168 Boot type: Normal boot
09:22:55.0132 4168 ============================================================
09:22:58.0049 4168 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000020
09:22:58.0065 4168 ============================================================
09:22:58.0065 4168 \Device\Harddisk0\DR0:
09:22:58.0065 4168 MBR partitions:
09:22:58.0065 4168 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x2EE800, BlocksNum 0x23F5B800
09:22:58.0065 4168 ============================================================
09:22:58.0096 4168 C: <-> \Device\Harddisk0\DR0\Partition1
09:22:58.0096 4168 ============================================================
09:23:06.0536 5700 Deinitialize success


Still incurring google redirects and the audio advertisements.

Edited by ShaneInFlorida, 21 August 2012 - 12:40 PM.


#6 gringo_pr

  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 August 2012 - 12:55 PM

Greetings

I would like you to run this and send me the report,

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+


#7 ShaneInFlorida

  • Topic Starter
  • Members
  • 29 posts

Posted 21 August 2012 - 01:05 PM

Hi Gringo,

Will do. When trying to run the Avast tool, I looked to see if my firewall was possibly blocking it - the firewall was down and I noticed three permitted software entries:

@peerdistsh.dll, -1000
@peerdistsh.dll, -1002
@peerdistsh.dll, -1004


In addition, printer and file sharing is checked in such a manner as to indicate some printer and file sharing is permitted whereas other sharing is denied. I selected it and clicked on details to see what was permitted, but the details button merely explains the file and print sharing permission. There should be nothing shared.

Finally, I noticed remote assistance was checked and unchecked it (I always keep this turned off).

will return shortly with log file of rogue killer

#8 ShaneInFlorida

  • Topic Starter
  • Members
  • 29 posts

Posted 21 August 2012 - 01:15 PM

... and here is the report from RogueKiller:

RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: sp [Admin rights]
Mode: Scan -- Date: 08/21/2012 14:09:52

Bad processes: 0

Registry Entries: 3
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:
[ZeroAccess][FOLDER] U : c:\users\sp\appdata\local\{d94fe6be-4be3-4744-ff3e-600bb2adccfb}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\users\sp\appdata\local\{d94fe6be-4be3-4744-ff3e-600bb2adccfb}\L --> FOUND

Driver: [NOT LOADED]

Infection : ZeroAccess|Root.MBR

HOSTS File:
127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: TOSHIBA MK3265GSXV +++++
--- User ---
[MBR] dc52eefd5faed41870f1ca13d1c44527
[BSP] b9818e7a885bcd3eec8b6b3757018fc4 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 294583 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 606380032 | Size: 9161 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 12d1766dd3789c6e3d1db6144125e298
[BSP] 4c9581b89f344ee869280bb2a4392318 : MaxSS MBR Code!
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 294583 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 606380032 | Size: 9161 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] 12d1766dd3789c6e3d1db6144125e298
[BSP] 4c9581b89f344ee869280bb2a4392318 : MaxSS MBR Code!
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 294583 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 606380032 | Size: 9161 Mo

Finished : << RKreport[1].txt >>
RKreport[1].txt

#9 gringo_pr

  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 August 2012 - 04:52 PM

--Run RogueKiller--

  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+


#10 ShaneInFlorida

  • Topic Starter
  • Members
  • 29 posts

Posted 21 August 2012 - 05:13 PM

Thanks again,

Ran the cleaning procedure as instructed. Still getting redirects in google, though. (using a search for carmax and then clicking on the official result page seems to produce the quickest check as it almost always jumps to some other page).

Here's the log post cleaning:

RogueKiller V7.6.6 [08/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: sp [Admin rights]
Mode: Remove -- Date: 08/21/2012 18:05:50

Bad processes: 0

Registry Entries: 3
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:
[ZeroAccess][FOLDER] U : c:\users\sp\appdata\local\{d94fe6be-4be3-4744-ff3e-600bb2adccfb}\U --> REMOVED
[ZeroAccess][FOLDER] L : c:\users\sp\appdata\local\{d94fe6be-4be3-4744-ff3e-600bb2adccfb}\L --> REMOVED

Driver: [NOT LOADED]

Infection : ZeroAccess|Root.MBR

HOSTS File:
127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: TOSHIBA MK3265GSXV +++++
--- User ---
[MBR] dc52eefd5faed41870f1ca13d1c44527
[BSP] b9818e7a885bcd3eec8b6b3757018fc4 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 294583 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 606380032 | Size: 9161 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 12d1766dd3789c6e3d1db6144125e298
[BSP] 4c9581b89f344ee869280bb2a4392318 : MaxSS MBR Code!
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 294583 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 606380032 | Size: 9161 Mo
User != LL2 ... KO!
--- LL2 ---
[MBR] 12d1766dd3789c6e3d1db6144125e298
[BSP] 4c9581b89f344ee869280bb2a4392318 : MaxSS MBR Code!
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 294583 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 606380032 | Size: 9161 Mo

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
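The two RogueKiller reports above (the scan in #8 and the removal in #10) carry the thread's key evidence: a hijacked UAC setting, ZeroAccess's GUID-named U and L folders under AppData\Local, and an MBR check in which the MBR read through the normal OS path (User) no longer matches what the low-level reads (LL1, LL2) return, which is why the report prints "User != LL1 ... KO!" and labels the low-level boot code "MaxSS MBR Code!". A mismatch of that kind is what you expect when something between the OS and the disk is filtering sector reads. What follows is an added example, not code from this thread or from RogueKiller: a small Python parser that pulls those three kinds of finding out of a report and flags the MBR mismatch and the hidden partition automatically. The embedded sample report is constructed from the log posted above (abridged to the User and LL1 views); the names parse_report, assess, mbr_views_consistent and MbrView are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged RogueKiller "Scan" report in the layout of the
# reports posted in this thread (hashes, paths and partition lines are copied
# from the posted log; the LL2 view is left out to keep the sample short).
SAMPLE_REPORT = r"""Registry Entries: 3
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[ZeroAccess][FOLDER] U : c:\users\sp\appdata\local\{d94fe6be-4be3-4744-ff3e-600bb2adccfb}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\users\sp\appdata\local\{d94fe6be-4be3-4744-ff3e-600bb2adccfb}\L --> FOUND
Infection : ZeroAccess|Root.MBR
+++++ PhysicalDrive0: TOSHIBA MK3265GSXV +++++
--- User ---
[MBR] dc52eefd5faed41870f1ca13d1c44527
[BSP] b9818e7a885bcd3eec8b6b3757018fc4 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 294583 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 606380032 | Size: 9161 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 12d1766dd3789c6e3d1db6144125e298
[BSP] 4c9581b89f344ee869280bb2a4392318 : MaxSS MBR Code!
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 294583 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 606380032 | Size: 9161 Mo
"""

HJ_RE = re.compile(r"^\[HJ\] (?P<key>.+?) : (?P<name>.+?) \((?P<value>[^)]*)\) -> (?P<action>.+)$")
ZA_RE = re.compile(r"^\[ZeroAccess\]\[FOLDER\] (?P<tag>\S+) : (?P<path>.+?) --> (?P<action>\S+)$")
VIEW_RE = re.compile(r"^--- (?P<name>\w+) ---$")  # "--- User ---", "--- LL1 ---", ...
MBR_RE = re.compile(r"^\[MBR\] (?P<hash>[0-9a-f]{32})$")
BSP_RE = re.compile(r"^\[BSP\] (?P<hash>[0-9a-f]{32}) : (?P<desc>.+)$")
PART_RE = re.compile(r"^(?P<idx>\d+) - \[\w+\] \S+ \((?P<type>0x[0-9A-Fa-f]+)\) \[(?P<vis>[^\]]+)\]"
                     r" Offset \(sectors\): (?P<offset>\d+) \| Size: (?P<size>\d+) Mo$")

@dataclass
class MbrView:
    """One way RogueKiller read the MBR: User = through the OS, LLn = low-level read."""
    name: str
    mbr_hash: str = ""
    bsp_hash: str = ""
    bsp_desc: str = ""
    partitions: list = field(default_factory=list)

def parse_report(text):
    """Extract registry hijacks, ZeroAccess folders and the per-view MBR data."""
    hijacks, za_folders, views, current = [], [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HJ_RE.match(line):
            hijacks.append(m.groupdict())
        elif m := ZA_RE.match(line):
            za_folders.append(m.groupdict())
        elif m := VIEW_RE.match(line):
            current = views[m["name"]] = MbrView(m["name"])
        elif current is not None:  # lines that belong to the current MBR view
            if m := MBR_RE.match(line):
                current.mbr_hash = m["hash"]
            elif m := BSP_RE.match(line):
                current.bsp_hash, current.bsp_desc = m["hash"], m["desc"]
            elif m := PART_RE.match(line):
                current.partitions.append(m.groupdict())
    return {"hijacks": hijacks, "zeroaccess": za_folders, "views": views}

def mbr_views_consistent(views):
    """True only if every low-level view hashes to the same MBR as the OS view."""
    user = views.get("User")
    return user is not None and all(v.mbr_hash == user.mbr_hash for v in views.values())

def assess(parsed):
    """Turn the parsed report into plain-language findings a responder can act on."""
    findings = []
    for h in parsed["hijacks"]:
        # ConsentPromptBehaviorAdmin: 0 = elevate without prompting, 2 = prompt on secure desktop
        if h["name"] == "ConsentPromptBehaviorAdmin" and h["value"] == "0":
            findings.append("UAC prompt for administrators disabled (ConsentPromptBehaviorAdmin=0)")
    for z in parsed["zeroaccess"]:
        findings.append(f"ZeroAccess-style folder {z['tag']} at {z['path']} ({z['action']})")
    views = parsed["views"]
    user = views.get("User")
    if user is not None:
        for name, v in views.items():
            if name != "User" and v.mbr_hash != user.mbr_hash:
                findings.append(f"MBR differs between OS view and {name}: "
                                f"{user.bsp_desc!r} vs {v.bsp_desc!r}")
        for p in user.partitions:
            if "HIDDEN" in p["vis"]:
                findings.append(f"hidden partition #{p['idx']} type {p['type']} "
                                f"at sector {p['offset']} ({p['size']} Mo)")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_report(SAMPLE_REPORT)):
        print("-", finding)
```

Run it as-is to see the findings for the constructed sample, or pass the text of a real RKreport file to parse_report. The hidden-partition finding is deliberately neutral: a 0x17 entry marked "[HIDDEN!]" is also what an OEM recovery partition looks like, so it is context for a responder, while the OS-versus-low-level MBR hash mismatch is the finding that actually points at a bootkit.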

#11 gringo_pr

  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 August 2012 - 05:42 PM

Greetings


In which browsers does this happen? Check all that are installed.



gringo

#12 ShaneInFlorida

  • Topic Starter
  • Members
  • 29 posts

Posted 21 August 2012 - 06:25 PM

Hi Gringo,

It happens in Internet Explorer (version 9). The sound/commercials occur whether the browser is open or not, but only occur if connected to the internet.

Looking at the last RogueKiller log, it noted "MaxSS MBR Code!" in the last section. Is this possibly the cause?

all best,
shane

#13 ShaneInFlorida

  • Topic Starter
  • Members
  • 29 posts

Posted 21 August 2012 - 06:26 PM

...IE 9 should be the only browser installed. I used to have chrome but had removed it (not sure if some remaining DLL or other could be a culprit).

#14 ShaneInFlorida

  • Topic Starter
  • Members
  • 29 posts

Posted 21 August 2012 - 06:37 PM

CORRECTION:
IE 9 is now pointing to the correct site(s). I cleared the history (cookies, etc) from today's sessions, closed IE9, reopened a fresh browser window and all search requests/links seemed to work.


I did, however, still get an advertisement on the speakers. But this is a significant improvement. The response time of the browser is also quite slow - is this possibly due to the temporary install of repair/scan software?


THANK YOU VERY MUCH!! This is a huge improvement (and relief to know there's nothing snooping on my computer).

#15 gringo_pr

  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 August 2012 - 07:19 PM

Hello

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First press the Scan button.
  • It will make a log (FRST.txt)
  • Second type the following in the edit box after "Search:": services.exe
  • Click the Search button
  • It will make a log (Search.txt)

I want you to post both the FRST.txt report and the Search.txt into your reply to me

Gringo



