Constant ad.yieldmanager popups on left or right side of window


  • This topic is locked
20 replies to this topic

#1 Moca Java

Moca Java

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:03 AM

Posted 23 September 2012 - 08:00 PM

Hello BleepingComputer community,

I thought I could fix this on my own, but I need expert help. At first, MalwareBytes identified a "Trojan.lameshield" infection, which it removed. I also ran McAfee and removed a "generic" trojan. Then, the popups started appearing, no matter which site I would visit, showing up at times on the bottom left, others on the bottom right of the screen. I noticed the name "ad.yieldmanager" by hovering on the popups. These popups happen both in Normal Windows mode as well as Safe mode.

After reading some of the forum posts, I downloaded "Rkill" and ran it from Windows Safe mode. Every time I execute Rkill it logs the following message:

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
* C:\Users\I804129\AppData\Local\{66d01091-30b0-d091-7070-ea6fe4297d6c}\ [ZA Dir]
* C:\Users\I804129\AppData\Local\{66d01091-30b0-d091-7070-ea6fe4297d6c}\L\ [ZA Dir]
* C:\Users\I804129\AppData\Local\{66d01091-30b0-d091-7070-ea6fe4297d6c}\U\ [ZA Dir]

Since then, I have run MalwareBytes in full mode, TDSSKiller, SuperAntiSpyware, SpyBot S&D, and cleaned the Temp directory with TFC (TempFileCleaner by OldTimer). Every time, I get a clean result, nothing found, but the popups continue. So I have to give up and turn to the forum.

Thank you in advance for your help.

Here is the DDS.txt report below. Also, the Attach.txt file is in the attachment.

-----------------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.7.2
Run by I804129 at 17:18:42 on 2012-09-23
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3892.2121 [GMT -7:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Host Intrusion Prevention Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\wininit.exe
C:\WINDOWS\system32\lsm.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe -k RPCSS
C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Iron Mountain\Connected BackupPC\AgentService.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireSvc.exe
c:\WINDOWS\SysWOW64\F5InstallerService.exe
C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
c:\Program Files (x86)\McAfee\Host Intrusion Prevention\HIPSCore\x64\HIPSvc.exe
C:\WINDOWS\system32\svchost.exe -k HsfXAudioService
C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\Program Files (x86)\iPass\SAPVPN\iPassPeriodicUpdateService.exe
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Windows\system32\mfevtps.exe
c:\Program Files\1E\Agent\NightWatchman\NwmSvc.exe
C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe
C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\SysWOW64\PGPserv.exe
c:\Program Files (x86)\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe
C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
C:\WINDOWS\system32\conhost.exe
c:\Program Files (x86)\SAP\Rescue Account V5.0\RaccountV5.exe
C:\WINDOWS\system32\svchost.exe -k regsvc
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UI0Detect.exe
c:\Program Files\1E\Agent\WakeUp\WakeUpAgt.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\CCM\CcmExec.exe
C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
c:\Program Files (x86)\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\taskhost.exe
C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftdcc.exe
C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe
C:\WINDOWS\system32\Dwm.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\taskeng.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
C:\Program Files (x86)\Iron Mountain\Connected BackupPC\Agent.exe
C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
c:\Program Files (x86)\SECUDE\OfficeSecurity\psesvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
c:\Program Files\1E\Agent\NightWatchman\NWMCLI.EXE
C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPcbt64.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files (x86)\iPass\SAPVPN\iPassPeriodicUpdateApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\WINDOWS\sysWOW64\wbem\wmiprvse.exe
C:\WINDOWS\sysWOW64\wbem\wmiprvse.exe
C:\WINDOWS\sysWOW64\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil10zf_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\conhost.exe
C:\WINDOWS\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com/search?q={searchTerms}
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: PDFXChange 4.0 IE Plugin: {42dfa04f-0f16-418e-b80c-ab97a5afad39} - C:\Program Files\Tracker Software\PDF-XChange 4\PXCIEAddin4.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120326012640.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO: KMPlayer Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: PDFXChange 4.0 IE Plugin: {42dfa04f-0f16-418e-b80c-ab97a5afad39} - C:\Program Files\Tracker Software\PDF-XChange 4\PXCIEAddin4.dll
TB: KMPlayer Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [SoftGridTray] "C:\Program Files (x86)\Microsoft Application Virtualization Client\SFTTray.exe" /autostart
mRun: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfee Host Intrusion Prevention Tray] "c:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireTray.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe" /fromrunkey
mRun: [SECUDE PSE Service] c:\Program Files (x86)\SECUDE\OfficeSecurity\psesvc.exe
mRun: [<NO NAME>]
mRun: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
mRun: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun: [AgentUiRunKey] "C:\Program Files (x86)\Iron Mountain\Connected BackupPC\Agent.exe" -ni -sss -e http://localhost:16386/
mRun: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PGPTRA~1.LNK - C:\Windows\Installer\{B9237AF0-9A09-41AA-A721-AFD77862B23E}\Icon6560581611.exe
uPolicies-explorer: DisallowCPL = 1 (0x1)
uPolicies-system: HideLegacyLogonScripts = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoViewOnDrive = 65536 (0x10000)
mPolicies-explorer: NoAutorun = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: LocalAccountTokenFilterPolicy = 1 (0x1)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: bcdtravel.com
Trusted Zone: cubetree.com
Trusted Zone: datasltn.com
Trusted Zone: ddi.com
Trusted Zone: hubwoo.com
Trusted Zone: isrsurveys.net
Trusted Zone: lsl.de
Trusted Zone: mymeetingroom.com
Trusted Zone: pgiconnect.com
Trusted Zone: plateau.com
Trusted Zone: sap-ag.de
Trusted Zone: sap-tv.com
Trusted Zone: sap.com
Trusted Zone: sap.corp
Trusted Zone: sap.corp\*.phl
Trusted Zone: sap.corp\*.wdf
Trusted Zone: streamwork.com
Trusted Zone: successfactors.eu
DPF: N1E.WakeUp.Web.Client.ComputerProbe - Install via WebWakeUpActiveX.msi
DPF: {00627E89-A19D-4A2B-938B-059CB7B1B493} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5certchk.cab
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - C:\WINDOWS\TEMP\f5tmp\cachecleaner.cab
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - C:\WINDOWS\TEMP\f5tmp\urxvpn.cab
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - C:\WINDOWS\TEMP\f5tmp\f5tunsrv.cab
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - file://C:/Program Files (x86)/F5 VPN/F5_TMP/InstallerControl.cab
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab
DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5InspectionHost.cab
DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/msrdp.cab
DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/vdeskctrl.cab
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://virtualkitchenshowroom.homedepot.com/VS/Core/Player/2020PlayerAX_WEB_Win32.cab
DPF: {8F6AFB67-F834-4227-94A7-A51377E0678E} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5GroupPolicyAgent.cab
DPF: {B8693DEF-98AC-43FC-AA00-E7D728334C80} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/ur5250x.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - C:\WINDOWS\TEMP\f5tmp\urxshost.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T28L10NSP1-321/event/ieatgpc1.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - C:\WINDOWS\TEMP\f5tmp\urxhost.cab
DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5syschk.cab
DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/urvncx.cab
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab
DPF: {EE5E646C-4D96-4DAD-A362-C210B507A0B2} - hxxps://portal.wdf.sap.corp/irj/go/km/docs/etc/docservice/DocService.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{0904D491-4619-4949-AC6D-4D706E98C7BA} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{0904D491-4619-4949-AC6D-4D706E98C7BA}\142524F4943563 : DhcpNameServer = 192.168.10.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\Program Files (x86)\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\Program Files (x86)\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL
AppInit_DLLs: PGPmapih.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
LSA: Notification Packages = scecli PGPpwflt
mASetup: {0D1CBBB9-F4A8-45B6-95E7-202BA61D7AF4} - c:\WINDOWS\SysWOW64\msiexec.exe /i{0D1CBBB9-F4A8-45B6-95E7-202BA61D7AF4} /qn REINSTALL=ALL REINSTALLMODE=mus
mASetup: {0EEB34F6-991D-4a1b-8EEB-772DA0EADB22} - msiexec /fu {0D1CBBB9-F4A8-45B6-95E7-202BA61D7AF4} /qn
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: PDFXChange 4.0 IE Plugin: {42DFA04F-0F16-418e-B80C-AB97A5AFAD39} - C:\Program Files\Tracker Software\PDF-XChange 4\PXCIEAddin4.dll
BHO-X64: PXCIEaddin - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120326012640.dll
BHO-X64: scriptproxy - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: KMPlayer Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB-X64: PDFXChange 4.0 IE Plugin: {42DFA04F-0F16-418e-B80C-AB97A5AFAD39} - C:\Program Files\Tracker Software\PDF-XChange 4\PXCIEAddin4.dll
TB-X64: KMPlayer Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
mRun-x64: [SoftGridTray] "C:\Program Files (x86)\Microsoft Application Virtualization Client\SFTTray.exe" /autostart
mRun-x64: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
mRun-x64: [McAfee Host Intrusion Prevention Tray] "c:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireTray.exe"
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe" /fromrunkey
mRun-x64: [SECUDE PSE Service] c:\Program Files (x86)\SECUDE\OfficeSecurity\psesvc.exe
mRun-x64: [(Default)]
mRun-x64: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
mRun-x64: [PWMTRV] rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
mRun-x64: [AgentUiRunKey] "C:\Program Files (x86)\Iron Mountain\Connected BackupPC\Agent.exe" -ni -sss -e http://localhost:16386/
mRun-x64: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
mRun-x64: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
AppInit_DLLs-X64: PGPmapih.dll
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 64.46.36.178 www.google-analytics.com.
Hosts: 64.46.36.178 ad-emea.doubleclick.net.
Hosts: 64.46.36.178 www.statcounter.com.
Hosts: 64.27.10.42 www.google-analytics.com.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 DzHDD64;DzHDD64;C:\WINDOWS\system32\DRIVERS\DzHDD64.sys --> C:\WINDOWS\system32\DRIVERS\DzHDD64.sys [?]
R0 mfehidk;McAfee Inc. mfehidk;C:\WINDOWS\system32\drivers\mfehidk.sys --> C:\WINDOWS\system32\drivers\mfehidk.sys [?]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\WINDOWS\system32\drivers\mfewfpk.sys --> C:\WINDOWS\system32\drivers\mfewfpk.sys [?]
R0 Pgpwdefs;Pgpwdefs;C:\WINDOWS\system32\DRIVERS\Pgpwdefs.sys --> C:\WINDOWS\system32\DRIVERS\Pgpwdefs.sys [?]
R0 TPDIGIMN;TPDIGIMN;C:\WINDOWS\system32\DRIVERS\ApsHM64.sys --> C:\WINDOWS\system32\DRIVERS\ApsHM64.sys [?]
R1 ctxusbm;Citrix USB Monitor Driver;C:\WINDOWS\system32\DRIVERS\ctxusbm.sys --> C:\WINDOWS\system32\DRIVERS\ctxusbm.sys [?]
R1 lenovo.smi;Lenovo System Interface Driver;C:\WINDOWS\system32\DRIVERS\smiifx64.sys --> C:\WINDOWS\system32\DRIVERS\smiifx64.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\WINDOWS\system32\DRIVERS\vwififlt.sys --> C:\WINDOWS\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-27 63960]
R2 AgentService;AgentService;C:\Program Files (x86)\Iron Mountain\Connected BackupPC\AgentService.exe [2011-9-21 7632288]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;C:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireSvc.exe [2010-6-15 1498224]
R2 F5 Networks Component Installer;F5 Networks Component Installer;C:\Windows\SysWOW64\F5InstallerService.exe [2012-3-20 379320]
R2 hips;McAfee HIPSCore Service;C:\Program Files (x86)\McAfee\Host Intrusion Prevention\HIPSCore\x64\HIPSvc.exe [2011-7-9 39840]
R2 HsfXAudioService;HsfXAudioService;C:\WINDOWS\system32\svchost.exe -k HsfXAudioService [2011-7-9 21504]
R2 IHA_MessageCenter;IHA_MessageCenter;C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2012-8-3 352248]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;C:\Program Files\Lenovo\HOTKEY\micmute.exe [2012-3-20 45496]
R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe [2012-3-20 93032]
R2 LV_Tracker;LV_Tracker;C:\WINDOWS\system32\DRIVERS\LV_Tracker64.sys --> C:\WINDOWS\system32\DRIVERS\LV_Tracker64.sys [?]
R2 McAfeeFramework;McAfee Framework Service;C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [2011-11-15 132672]
R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2011-7-9 199008]
R2 McTaskManager;McAfee Task Manager;C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe [2011-1-12 209760]
R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]
R2 NightWatchman;1E NightWatchman;C:\Program Files\1E\Agent\NightWatchman\NwmSvc.exe [2012-4-10 1547608]
R2 PanService;PandoraService;C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe [2012-5-13 624856]
R2 prgnDiscAgent;HP DDMI Agent;C:\Program Files (x86)\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe [2012-8-31 826752]
R2 PwmEWSvc;Cisco EnergyWise Enabler;C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.exe [2012-3-20 148840]
R2 Raccount;Rescue account;C:\Program Files (x86)\SAP\Rescue Account V5.0\RaccountV5.exe [2011-3-31 57344]
R2 rimspci;rimspci;C:\WINDOWS\system32\DRIVERS\rimspe64.sys --> C:\WINDOWS\system32\DRIVERS\rimspe64.sys [?]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-9-23 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-11-17 508776]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;C:\Program Files\Lenovo\HOTKEY\tphkload.exe [2012-3-20 114024]
R2 TPHKSVC;On Screen Display;C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe [2012-3-20 64440]
R2 WakeUpAgt;1E WakeUp Agent;C:\Program Files\1E\Agent\WakeUp\WakeUpAgt.exe [2012-4-10 769864]
R3 5U877;USB Video Device;C:\WINDOWS\system32\DRIVERS\5U877.sys --> C:\WINDOWS\system32\DRIVERS\5U877.sys [?]
R3 CAXHWAZL;CAXHWAZL;C:\WINDOWS\system32\DRIVERS\CAXHWAZL.sys --> C:\WINDOWS\system32\DRIVERS\CAXHWAZL.sys [?]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\WINDOWS\system32\DRIVERS\e1k62x64.sys --> C:\WINDOWS\system32\DRIVERS\e1k62x64.sys [?]
R3 FirehkMP;FirehkMP;C:\WINDOWS\system32\DRIVERS\firehk.sys --> C:\WINDOWS\system32\DRIVERS\firehk.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\WINDOWS\system32\DRIVERS\HECIx64.sys --> C:\WINDOWS\system32\DRIVERS\HECIx64.sys [?]
R3 HIPK;McAfee Inc. HIPK;C:\WINDOWS\system32\drivers\HIPK.sys --> C:\WINDOWS\system32\drivers\HIPK.sys [?]
R3 HIPPSK;McAfee Inc. HIPPSK;C:\WINDOWS\system32\drivers\HIPPSK.sys --> C:\WINDOWS\system32\drivers\HIPPSK.sys [?]
R3 HIPQK;McAfee Inc. HIPQK;C:\WINDOWS\system32\drivers\HIPQK.sys --> C:\WINDOWS\system32\drivers\HIPQK.sys [?]
R3 Impcd;Impcd;C:\WINDOWS\system32\DRIVERS\Impcd.sys --> C:\WINDOWS\system32\DRIVERS\Impcd.sys [?]
R3 IntcDAud;Intel® Display Audio;C:\WINDOWS\system32\DRIVERS\IntcDAud.sys --> C:\WINDOWS\system32\DRIVERS\IntcDAud.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\WINDOWS\system32\drivers\mfeavfk.sys --> C:\WINDOWS\system32\drivers\mfeavfk.sys [?]
R3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\WINDOWS\system32\DRIVERS\NETwNs64.sys --> C:\WINDOWS\system32\DRIVERS\NETwNs64.sys [?]
R3 Sftfs;Sftfs;C:\WINDOWS\system32\DRIVERS\Sftfswin7.sys --> C:\WINDOWS\system32\DRIVERS\Sftfswin7.sys [?]
R3 Sftplay;Sftplay;C:\WINDOWS\system32\DRIVERS\Sftplaywin7.sys --> C:\WINDOWS\system32\DRIVERS\Sftplaywin7.sys [?]
R3 Sftredir;Sftredir;C:\WINDOWS\system32\DRIVERS\Sftredirwin7.sys --> C:\WINDOWS\system32\DRIVERS\Sftredirwin7.sys [?]
R3 Sftvol;Sftvol;C:\WINDOWS\system32\DRIVERS\Sftvolwin7.sys --> C:\WINDOWS\system32\DRIVERS\Sftvolwin7.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-11-17 219496]
R3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\covpnv64.sys --> C:\WINDOWS\system32\DRIVERS\covpnv64.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\WINDOWS\system32\DRIVERS\vwifimp.sys --> C:\WINDOWS\system32\DRIVERS\vwifimp.sys [?]
S3 dmvsc;dmvsc;C:\WINDOWS\system32\drivers\dmvsc.sys --> C:\WINDOWS\system32\drivers\dmvsc.sys [?]
S3 DozeSvc;Lenovo Doze Mode Service;C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2012-3-20 477032]
S3 f5ipfw;F5 Networks StoneWall Filter;\??\C:\WINDOWS\system32\drivers\urfltv64.sys --> C:\WINDOWS\system32\drivers\urfltv64.sys [?]
S3 Firehk;McAfee NDIS Intermediate Filter;C:\WINDOWS\system32\DRIVERS\firehk.sys --> C:\WINDOWS\system32\DRIVERS\firehk.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;C:\WINDOWS\system32\drivers\mferkdet.sys --> C:\WINDOWS\system32\drivers\mferkdet.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 Power Manager DBC Service;Power Manager DBC Service;C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe [2012-3-20 83304]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\WINDOWS\system32\drivers\rdpvideominiport.sys --> C:\WINDOWS\system32\drivers\rdpvideominiport.sys [?]
S3 rixdpcie;rixdpcie;C:\WINDOWS\system32\drivers\rixdpe64.sys --> C:\WINDOWS\system32\drivers\rixdpe64.sys [?]
S3 StorSvc;Storage Service;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2011-7-9 21504]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;C:\WINDOWS\system32\drivers\Synth3dVsc.sys --> C:\WINDOWS\system32\drivers\Synth3dVsc.sys [?]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\WINDOWS\system32\drivers\terminpt.sys --> C:\WINDOWS\system32\drivers\terminpt.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\WINDOWS\system32\drivers\tsusbflt.sys --> C:\WINDOWS\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\WINDOWS\system32\drivers\TsUsbGD.sys --> C:\WINDOWS\system32\drivers\TsUsbGD.sys [?]
S3 tsusbhub;Remote Deskotop USB Hub;C:\WINDOWS\system32\drivers\tsusbhub.sys --> C:\WINDOWS\system32\drivers\tsusbhub.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl64.sys --> C:\WINDOWS\system32\Drivers\usbaapl64.sys [?]
.
=============== Created Last 30 ================
.
2012-09-23 22:09:02 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-09-23 22:09:02 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-09-23 19:27:33 47080 ----a-w- C:\WINDOWS\System32\HIPIS0e011b5.dll
2012-09-23 19:27:33 40328 ----a-w- C:\WINDOWS\SysWow64\HIPIS0e011b5.dll
2012-09-23 04:37:01 -------- d-----w- C:\Users\I804129\AppData\Roaming\SUPERAntiSpyware.com
2012-09-23 04:36:54 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-09-23 04:36:54 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-09-23 04:30:46 95208 ----a-w- C:\WINDOWS\SysWow64\WindowsAccessBridge-32.dll
2012-09-17 19:01:46 821736 ----a-w- C:\WINDOWS\SysWow64\npdeployJava1.dll
.
==================== Find3M ====================
.
2012-09-23 04:30:32 746984 ----a-w- C:\WINDOWS\SysWow64\deployJava1.dll
2012-09-19 17:16:02 404680 ----a-w- C:\WINDOWS\SysWow64\FlashPlayerCPLApp.cpl
2012-09-08 00:04:46 25928 ----a-w- C:\WINDOWS\System32\drivers\mbam.sys
2012-09-05 06:20:20 143040 ----a-w- C:\WINDOWS\SysWow64\KevlarSigs.dll
2012-08-18 21:26:09 260 ----a-w- C:\WINDOWS\SysWow64\cmdVBS.vbs
2012-08-18 21:26:09 256 ----a-w- C:\WINDOWS\SysWow64\MSIevent.bat
2012-07-18 18:15:06 3148800 ----a-w- C:\WINDOWS\System32\win32k.sys
2012-07-04 22:13:27 59392 ----a-w- C:\WINDOWS\System32\browcli.dll
2012-07-04 22:13:27 136704 ----a-w- C:\WINDOWS\System32\browser.dll
2012-07-04 21:14:34 41984 ----a-w- C:\WINDOWS\SysWow64\browcli.dll
2012-06-27 07:06:53 1188864 ----a-w- C:\WINDOWS\System32\wininet.dll
2012-06-27 05:53:07 981504 ----a-w- C:\WINDOWS\SysWow64\wininet.dll
2012-06-27 04:53:10 1638912 ----a-w- C:\WINDOWS\System32\mshtml.tlb
2012-06-27 04:10:55 1638912 ----a-w- C:\WINDOWS\SysWow64\mshtml.tlb
.
============= FINISH: 17:20:40.09 ===============


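As an added illustration (not code from this thread or from any of the tools named in it), a small triage script that parses the Rkill and DDS lines quoted in the post above: it collects the lines Rkill tagged [ZA ...], checks whether the GUID folder under AppData\Local appears together with its L\ and U\ subfolders, and separates hosts-file entries that sink a name to loopback from those that redirect it to a routable address. The sample lines are copied from the post; the script reads only that text and touches nothing on the machine.

```python
"""Triage helper for Rkill / DDS log excerpts (added example, not from the thread)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the Rkill alert block and the DDS "Hosts:" lines from the post.
SAMPLE_LOG = r"""
* ALERT: ZEROACCESS rootkit symptoms found!
* HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
* C:\Users\I804129\AppData\Local\{66d01091-30b0-d091-7070-ea6fe4297d6c}\ [ZA Dir]
* C:\Users\I804129\AppData\Local\{66d01091-30b0-d091-7070-ea6fe4297d6c}\L\ [ZA Dir]
* C:\Users\I804129\AppData\Local\{66d01091-30b0-d091-7070-ea6fe4297d6c}\U\ [ZA Dir]
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 64.46.36.178 www.google-analytics.com.
Hosts: 64.46.36.178 ad-emea.doubleclick.net.
Hosts: 64.46.36.178 www.statcounter.com.
Hosts: 64.27.10.42 www.google-analytics.com.
"""

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
# Rkill ends each ZeroAccess symptom line with a bracketed [ZA ...] label.
RKILL_ZA_RE = re.compile(r"^\*\s+(?P<path>.+?)\s+\[ZA (?P<kind>Reg Hijack|Dir)\]\s*$", re.I)
# DDS prints hosts-file lines as "Hosts: <ip> <name>" and appends a trailing dot to some names.
DDS_HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)\s*$")
# The layout Rkill reported: a GUID-named folder under AppData\Local with L\ and U\ subfolders.
ZA_DIR_RE = re.compile(r"AppData\\Local\\(?P<guid>" + GUID + r")\\(?P<sub>[LU])?\\?$", re.I)

# Addresses that merely sink a name (the legitimate ad-blocking use of a hosts file).
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_rkill_za(text):
    """Return [(kind, path)] for every line Rkill tagged as a ZeroAccess symptom."""
    out = []
    for line in text.splitlines():
        m = RKILL_ZA_RE.match(line)
        if m:
            out.append((m.group("kind").lower().replace(" ", "_"), m.group("path")))
    return out


def zeroaccess_dir_sets(findings):
    """Group [ZA Dir] paths by GUID; True when base folder, L\\ and U\\ are all present."""
    seen = defaultdict(set)
    for kind, path in findings:
        if kind != "dir":
            continue
        m = ZA_DIR_RE.search(path)
        if m:
            sub = m.group("sub")
            seen[m.group("guid").lower()].add(sub.upper() if sub else "BASE")
    return {guid: subs == {"BASE", "L", "U"} for guid, subs in seen.items()}


def parse_dds_hosts(text):
    """Return [(ip, hostname)] from DDS 'Hosts:' lines, stripping the trailing dot DDS adds."""
    out = []
    for line in text.splitlines():
        m = DDS_HOSTS_RE.match(line)
        if m:
            out.append((m.group("ip"), m.group("name").rstrip(".").lower()))
    return out


def classify_hosts(entries):
    """'blocked' = loopback/unspecified sink; 'redirect' = routable address (traffic hijack)."""
    result = {"blocked": [], "redirect": [], "invalid": []}
    for ip, name in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            result["invalid"].append((ip, name))
            continue
        if ip in BLACKHOLE or addr.is_loopback or addr.is_unspecified:
            result["blocked"].append((ip, name))
        else:
            result["redirect"].append((ip, name))
    return result


def multi_mapped_names(entries):
    """Names mapped to more than one address (what DDS means by 'multiple HOSTS entries')."""
    by_name = defaultdict(set)
    for ip, name in entries:
        by_name[name].add(ip)
    return {n for n, ips in by_name.items() if len(ips) > 1}


def triage(text):
    """Run every check over one log excerpt and return a dict of findings."""
    za = parse_rkill_za(text)
    hosts = parse_dds_hosts(text)
    return {
        "za_findings": za,
        "za_complete_dir_sets": zeroaccess_dir_sets(za),
        "hosts": classify_hosts(hosts),
        "multi_mapped": multi_mapped_names(hosts),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```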

#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:03 AM

Posted 24 September 2012 - 01:15 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE RogueKiller to your Desktop, or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Moca Java

  • Topic Starter
  • Members
  • 9 posts

Posted 24 September 2012 - 09:32 PM

Hello Gringo,

I downloaded and ran the programs you recommended, in the exact sequence, as administrator:
1 - Security Check
2 - AdwCleaner
3 - RogueKiller

I am pasting the 3 logs below. Unfortunately, the popups are still there, including one that is asking me if I want to "find the best malware removal tool" (the little bugger is context sensitive too).

Should I repeat this process in Windows Safe mode? Please advise, thank you!

1 - SECURITY CHECKUP LOG

Results of screen317's Security Check version 0.99.51
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
McAfee VirusScan Enterprise
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
SpywareBlaster 4.6
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.65.0.1400
Java 7 Update 7
Adobe Flash Player 10 Flash Player out of Date!
Adobe Reader X (10.1.4)
Mozilla Firefox (15.0.1)
````````Process Check: objlist.exe by Laurent````````
Spybot Teatimer.exe is disabled!
McAfee VirusScan Enterprise vstskmgr.exe
McAfee VirusScan Enterprise mfeann.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````


2 - ADW CLEANER LOG

# AdwCleaner v2.003 - Logfile created 09/24/2012 at 19:07:58
# Updated 23/09/2012 by Xplode
# Operating system : Windows 7 Enterprise Service Pack 1 (64 bits)
# User : I804129 - LOSN00483325A
# Boot Mode : Normal
# Running from : C:\Users\I804129\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\Ask.com
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\Users\I804129\AppData\LocalLow\AskToolbar
Folder Deleted : C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

***** [Registry] *****

Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0.1 (en-US)

Profile name : default
File : C:\Users\I804129\AppData\Roaming\Mozilla\Firefox\Profiles\ee9j6spy.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [4939 octets] - [24/09/2012 19:07:58]

########## EOF - C:\AdwCleaner[S1].txt - [4999 octets] ##########


3 - ROGUE KILLER LOG

RogueKiller V8.0.5 [09/23/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : I804129 [Admin rights]
Mode : Remove -- Date : 09/24/2012 19:15:49

Bad processes : 0

Registry Entries : 6
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\I804129\AppData\Local\{66d01091-30b0-d091-7070-ea6fe4297d6c}\n.) -> REPLACED (C:\WINDOWS\system32\shell32.dll)

Particular Files / Folders:
[ZeroAccess][FOLDER] ROOT : C:\Users\I804129\AppData\Local\{66d01091-30b0-d091-7070-ea6fe4297d6c}\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Users\I804129\AppData\Local\{66d01091-30b0-d091-7070-ea6fe4297d6c}\L --> REMOVED

Driver : [NOT LOADED]

Extern Hives:

Infection : ZeroAccess

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost
64.46.36.178 www.google-analytics.com.
64.46.36.178 ad-emea.doubleclick.net.
64.46.36.178 www.statcounter.com.
64.27.10.42 www.google-analytics.com.
64.27.10.42 ad-emea.doubleclick.net.
64.27.10.42 www.statcounter.com.
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
[...]


MBR Check:

+++++ PhysicalDrive0: HITACHI HTS725032A9A364 +++++
--- User ---
[MBR] c5c31bc3c730f2798564b9db864471a0
[BSP] 4668728cbfbfc9c2ccf8051e90ee1858 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 305243 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

#4 gringo_pr

  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 25 September 2012 - 01:31 AM

I want you to rerun RogueKiller and this time click on Fix Hosts.


restart the computer and let me know if you still get the popups


gringo

#5 Moca Java

  • Topic Starter
  • Members
  • 9 posts

Posted 25 September 2012 - 12:18 PM

Hello Gringo,

First of all, thank you for being persistent in helping get rid of this nasty thing. I ran RogueKiller again with admin rights, asking it to fix the HOSTS file. After restart, the problem is still there (popups on the bottom left or right of the screen). Then I ran RogueKiller again in Windows Safe mode just in case, with the same result - see the log below.

I am particularly concerned about the block of "ad-emea.doubleclick.net" and "www.google-analytics.com" addresses which seems to be sticking around - I wonder if there is an issue with permissions to make changes to the file. I also read that HiJackThis could be the way to go, but I will wait for your instructions.

Thank you for your help.

------------------------------------------------------

RogueKiller V8.0.5 [09/23/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Safe mode with network support
User : I804129 [Admin rights]
Mode : HOSTSFix -- Date : 09/25/2012 09:46:28

Bad processes : 0

Registry Entries : 0

Driver : [NOT LOADED]

Extern Hives:

Infection :

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost
64.46.36.178 www.google-analytics.com.
64.46.36.178 ad-emea.doubleclick.net.
64.46.36.178 www.statcounter.com.
64.27.10.42 www.google-analytics.com.
64.27.10.42 ad-emea.doubleclick.net.
64.27.10.42 www.statcounter.com.
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
[...]


Resetted HOSTS:


Finished : << RKreport[9].txt >>
RKreport[8].txt ; RKreport[9].txt
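As an added example (not code from this thread, and not part of RogueKiller), the small audit below reads a Windows hosts file and separates the stock localhost lines and MVPS-style blocking entries from the redirect pattern shown in the log above, where a public name such as www.google-analytics.com is pointed at a foreign address. The sample input is constructed from the hosts lines RogueKiller printed (truncated); the leading comment and the 0.0.0.0 entry are assumptions added to exercise those cases.

```python
"""Hosts-file audit: classify each entry as local, blocking, lan, redirect or malformed.

Added example, not code from this thread or from RogueKiller.
"""
import ipaddress
import sys
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: the hosts lines from the RogueKiller log above (truncated),
# plus two assumed lines (the comment and the 0.0.0.0 entry) to exercise those paths.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
64.46.36.178 www.google-analytics.com.
64.46.36.178 ad-emea.doubleclick.net.
64.46.36.178 www.statcounter.com.
64.27.10.42 www.google-analytics.com.
64.27.10.42 ad-emea.doubleclick.net.
64.27.10.42 www.statcounter.com.
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com   # MVPS-style block-list entry
0.0.0.0 008i.com
"""

# Names that belong on the stock loopback lines of a Windows hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    names: Tuple[str, ...]   # hostnames on the line, normalized
    kind: str                # local | blocking | lan | redirect | malformed


def _normalize_name(name: str) -> str:
    # RogueKiller printed the hijack names with a trailing dot
    # ("www.google-analytics.com."); treat that and letter case as irrelevant.
    return name.rstrip(".").lower()


def classify(address: str, names: Tuple[str, ...]) -> str:
    """Decide what one hosts line does, from the address it maps the names to."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        # 127.x.x.x, ::1 or 0.0.0.0: either the stock localhost lines or a
        # block-list entry that sinks the name (the MVPS hosts file works this way).
        return "local" if set(names) <= LOCAL_NAMES else "blocking"
    if ip.is_private or ip.is_link_local:
        # A LAN address for an intranet name is normal on a managed laptop;
        # worth a glance, but not a hijack by itself.
        return "lan"
    # A public name sent to some other public address is the pattern in the log:
    # the browser reaches that host instead of the real analytics/ad server.
    return "redirect"


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text; blank lines and comments are skipped."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        address = fields[0]
        names = tuple(_normalize_name(n) for n in fields[1:])
        kind = classify(address, names) if names else "malformed"
        entries.append(HostsEntry(line_no, address, names, kind))
    return entries


def redirect_findings(entries: List[HostsEntry]) -> Dict[str, List[str]]:
    """Map each redirected hostname to the sorted list of addresses it is pointed at."""
    found: Dict[str, set] = {}
    for entry in entries:
        if entry.kind == "redirect":
            for name in entry.names:
                found.setdefault(name, set()).add(entry.address)
    return {name: sorted(addrs) for name, addrs in sorted(found.items())}


def main() -> None:
    # Usage: python hosts_audit.py [path-to-hosts]; with no path the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    entries = parse_hosts(text)
    for entry in entries:
        print(f"line {entry.line_no:3}: {entry.kind:9} {entry.address} -> {', '.join(entry.names)}")
    findings = redirect_findings(entries)
    print(f"\n{len(findings)} redirected name(s):")
    for name, addrs in findings.items():
        print(f"  {name} -> {', '.join(addrs)}")


if __name__ == "__main__":
    main()
```

Running it against C:\WINDOWS\system32\drivers\etc\hosts after a fix is a quick way to confirm whether the redirect lines actually changed on disk, which is the question raised in the post above.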

#6 gringo_pr

  • Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 25 September 2012 - 03:10 PM

Hello Moca Java

Those are the problem and I will knock them out sooner or later.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo

#7 Moca Java

  • Topic Starter
  • Members
  • 9 posts

Posted 25 September 2012 - 09:56 PM

OK, I configured OTL per your instructions and ran the scan. Here is the post from OTL.txt. Please let me know if I should run the Fix in OTL, which I have not done yet.

OTL logfile created on: 9/25/2012 7:38:49 PM - Run 2
OTL by OldTimer - Version 3.2.68.0 Folder = C:\Users\I804129\Desktop
64bit- Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.80 Gb Total Physical Memory | 2.04 Gb Available Physical Memory | 53.60% Memory free
7.89 Gb Paging File | 6.05 Gb Available in Paging File | 76.72% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 298.09 Gb Total Space | 58.70 Gb Free Space | 19.69% Space Free | Partition Type: NTFS

Computer Name: LOSN00483325A | User Name: I804129 | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\I804129\Desktop\OTL.exe (OldTimer Tools)
PRC - c:\Program Files (x86)\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe ()
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe (Pandora.TV)
PRC - c:\Windows\SysWOW64\F5InstallerService.exe (F5 Networks, Inc.)
PRC - C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.EXE (Lenovo Group Limited)
PRC - C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\ZOOM\TpScrex.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\HOTKEY\micmute.exe (Lenovo Group Limited)
PRC - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftdcc.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)
PRC - C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
PRC - C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
PRC - C:\Program Files (x86)\McAfee\Common Framework\McTray.exe (McAfee, Inc.)
PRC - C:\Program Files (x86)\Iron Mountain\Connected BackupPC\AgentService.exe (Autonomy Corporation plc)
PRC - C:\Program Files (x86)\Iron Mountain\Connected BackupPC\Agent.exe (Autonomy Corporation plc)
PRC - C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe (McAfee, Inc.)
PRC - C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe (PGP Corporation)
PRC - C:\Windows\SysWOW64\PGPserv.exe (PGP Corporation)
PRC - C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe (McAfee, Inc.)
PRC - C:\Program Files (x86)\iPass\SAPVPN\iPassPeriodicUpdateService.exe (iPass, Inc.)
PRC - C:\Program Files (x86)\iPass\SAPVPN\iPassPeriodicUpdateApp.exe (iPass, Inc.)
PRC - C:\Windows\SysWOW64\wbem\WmiPrvSE.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
PRC - C:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireTray.exe (McAfee, Inc.)
PRC - c:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireSvc.exe (McAfee, Inc.)
PRC - c:\Program Files (x86)\Citrix\ICA Client\ssonsvr.exe (Citrix Systems, Inc.)
PRC - C:\Windows\SysWOW64\CCM\CcmExec.exe (Microsoft Corporation)
PRC - c:\Program Files (x86)\SECUDE\OfficeSecurity\psesvc.exe (SECUDE AG)
PRC - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - c:\Program Files (x86)\SECUDE\OfficeSecurity\libxml2.dll ()


========== Services (SafeList) ==========

SRV:64bit: - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCore64.exe (SUPERAntiSpyware.com)
SRV:64bit: - (NightWatchman) -- c:\Program Files\1E\Agent\NightWatchman\NwmSvc.exe (1E)
SRV:64bit: - (WakeUpAgt) -- c:\Program Files\1E\Agent\WakeUp\WakeUpAgt.exe (1E)
SRV:64bit: - (mfevtp) -- C:\Windows\SysNative\mfevtps.exe (McAfee, Inc.)
SRV:64bit: - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe ()
SRV:64bit: - (Lenovo.VIRTSCRLSVC) -- C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe (Lenovo Group Limited)
SRV:64bit: - (TPHKSVC) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe (Lenovo Group Limited)
SRV:64bit: - (LENOVO.MICMUTE) -- C:\Program Files\Lenovo\HOTKEY\micmute.exe (Lenovo Group Limited)
SRV:64bit: - (TPHKLOAD) -- C:\Program Files\Lenovo\HOTKEY\tphkload.exe (Lenovo Group Limited)
SRV:64bit: - (IBMPMSVC) -- C:\Windows\SysNative\ibmpmsvc.exe (Lenovo.)
SRV:64bit: - (TPHDEXLGSVC) -- C:\Windows\SysNative\TPHDEXLG64.exe (Lenovo.)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (prgnDiscAgent) -- c:\Program Files (x86)\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe ()
SRV - (IHA_MessageCenter) -- C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe (Verizon)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (PanService) -- C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe (Pandora.TV)
SRV - (F5 Networks Component Installer) -- c:\Windows\SysWOW64\F5InstallerService.exe (F5 Networks, Inc.)
SRV - (PwmEWSvc) -- C:\Program Files (x86)\ThinkPad\Utilities\PWMEWSVC.exe (Lenovo Group Limited)
SRV - (Power Manager DBC Service) -- C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe (Lenovo)
SRV - (DozeSvc) -- C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE (Lenovo.)
SRV - (HsfXAudioService) -- C:\Windows\SysWOW64\XAudio64.dll (Conexant Systems, Inc.)
SRV - (sftvsa) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
SRV - (sftlist) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
SRV - (McAfeeFramework) -- C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
SRV - (AgentService) -- C:\Program Files (x86)\Iron Mountain\Connected BackupPC\AgentService.exe (Autonomy Corporation plc)
SRV - (PGPserv) -- C:\Windows\SysWOW64\PGPserv.exe (PGP Corporation)
SRV - (Raccount) -- c:\Program Files (x86)\SAP\Rescue Account V5.0\RaccountV5.exe (Microsoft)
SRV - (McTaskManager) -- C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe (McAfee, Inc.)
SRV - (iPassConnectEngine) -- C:\Program Files (x86)\iPass\SAPVPN\iPassConnectEngine.exe (iPass, Inc.)
SRV - (iPassPeriodicUpdateService) -- C:\Program Files (x86)\iPass\SAPVPN\iPassPeriodicUpdateService.exe (iPass, Inc.)
SRV - (iPassPeriodicUpdateApp) -- C:\Program Files (x86)\iPass\SAPVPN\iPassPeriodicUpdateApp.exe (iPass, Inc.)
SRV - (enterceptAgent) -- c:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireSvc.exe (McAfee, Inc.)
SRV - (hips) -- c:\Program Files (x86)\McAfee\Host Intrusion Prevention\HIPSCore\x64\HIPSvc.exe (McAfee, Inc.)
SRV - (CcmExec) -- C:\Windows\SysWOW64\CCM\CcmExec.exe (Microsoft Corporation)
SRV - (smstsmgr) -- C:\Windows\SysWOW64\CCM\TSManager.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (IviRegMgr) -- C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)


========== Driver Services (SafeList) ==========

DRV:64bit: - (GEARAspiWDM) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV:64bit: - (mfewfpk) -- C:\Windows\SysNative\drivers\mfewfpk.sys (McAfee, Inc.)
DRV:64bit: - (mferkdet) -- C:\Windows\SysNative\drivers\mferkdet.sys (McAfee, Inc.)
DRV:64bit: - (mfehidk) -- C:\Windows\SysNative\drivers\mfehidk.sys (McAfee, Inc.)
DRV:64bit: - (mfeavfk) -- C:\Windows\SysNative\drivers\mfeavfk.sys (McAfee, Inc.)
DRV:64bit: - (mfeapfk) -- C:\Windows\SysNative\drivers\mfeapfk.sys (McAfee, Inc.)
DRV:64bit: - (NETwNs64) -- C:\Windows\SysNative\drivers\NETwNs64.sys (Intel Corporation)
DRV:64bit: - (TPPWRIF) -- C:\Windows\SysNative\drivers\TPPWR64V.SYS (Lenovo Group Limited)
DRV:64bit: - (DzHDD64) -- C:\Windows\SysNative\drivers\DZHDD64.SYS (Lenovo.)
DRV:64bit: - (SynTP) -- C:\Windows\SysNative\drivers\SynTP.sys (Synaptics Incorporated)
DRV:64bit: - (CnxtHdAudService) -- C:\Windows\SysNative\drivers\CHDRT64.sys (Conexant Systems Inc.)
DRV:64bit: - (lenovo.smi) -- C:\Windows\SysNative\drivers\smiifx64.sys (Lenovo Group Limited)
DRV:64bit: - (IBMPMDRV) -- C:\Windows\SysNative\drivers\ibmpmdrv.sys (Lenovo.)
DRV:64bit: - (rixdpcie) -- C:\Windows\SysNative\drivers\rixdpe64.sys (REDC)
DRV:64bit: - (rimspci) -- C:\Windows\SysNative\drivers\rimspe64.sys (REDC)
DRV:64bit: - (XAudio) -- C:\Windows\SysNative\drivers\XAudio64.sys (Conexant Systems, Inc.)
DRV:64bit: - (mdmxsdk) -- C:\Windows\SysNative\drivers\mdmxsdk.sys (Conexant)
DRV:64bit: - (HSF_DPV) -- C:\Windows\SysNative\drivers\CAX_DPV.sys (Conexant Systems, Inc.)
DRV:64bit: - (CAXHWAZL) -- C:\Windows\SysNative\drivers\CAXHWAZL.sys (Conexant Systems, Inc.)
DRV:64bit: - (winachsf) -- C:\Windows\SysNative\drivers\CAX_CNXT.sys (Conexant Systems, Inc.)
DRV:64bit: - (e1kexpress) -- C:\Windows\SysNative\drivers\e1k62x64.sys (Intel Corporation)
DRV:64bit: - (HECIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)
DRV:64bit: - (RimUsb) -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys (Research In Motion Limited)
DRV:64bit: - (Fs_Rec) -- C:\WINDOWS\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (USBAAPL64) -- C:\Windows\SysNative\drivers\usbaapl64.sys (Apple, Inc.)
DRV:64bit: - (Sftvol) -- C:\Windows\SysNative\drivers\Sftvolwin7.sys (Microsoft Corporation)
DRV:64bit: - (Sftplay) -- C:\Windows\SysNative\drivers\Sftplaywin7.sys (Microsoft Corporation)
DRV:64bit: - (Sftredir) -- C:\Windows\SysNative\drivers\Sftredirwin7.sys (Microsoft Corporation)
DRV:64bit: - (Sftfs) -- C:\Windows\SysNative\drivers\Sftfswin7.sys (Microsoft Corporation)
DRV:64bit: - (LV_Tracker) -- C:\Windows\SysNative\drivers\LV_Tracker64.sys ()
DRV:64bit: - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (urvpndrv) -- C:\Windows\SysNative\drivers\covpnv64.sys (F5 Networks, Inc.)
DRV:64bit: - (f5ipfw) -- C:\Windows\SysNative\drivers\urfltv64.sys (F5 Networks, Inc.)
DRV:64bit: - (PGPwded) -- C:\WINDOWS\SysNative\drivers\PGPwded.sys (PGP Corporation)
DRV:64bit: - (PGPdisk) -- C:\WINDOWS\SysNative\drivers\PGPdisk.sys (PGP Corporation)
DRV:64bit: - (Pgpwdefs) -- C:\Windows\SysNative\drivers\PGPwdefs.sys (PGP Corporation)
DRV:64bit: - (PGPsdkDriver) -- C:\Windows\SysNative\drivers\PGPsdk.sys (PGP Corporation)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (Shockprf) -- C:\Windows\SysNative\drivers\ApsX64.sys (Lenovo.)
DRV:64bit: - (TPDIGIMN) -- C:\Windows\SysNative\drivers\ApsHM64.sys (Lenovo.)
DRV:64bit: - (5U877) -- C:\Windows\SysNative\drivers\5U877.sys (Ricoh co.,Ltd.)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (tsusbhub) -- C:\Windows\SysNative\drivers\tsusbhub.sys (Microsoft Corporation)
DRV:64bit: - (Synth3dVsc) -- C:\Windows\SysNative\drivers\Synth3dVsc.sys (Microsoft Corporation)
DRV:64bit: - (dmvsc) -- C:\Windows\SysNative\drivers\dmvsc.sys (Microsoft Corporation)
DRV:64bit: - (terminpt) -- C:\Windows\SysNative\drivers\terminpt.sys (Microsoft Corporation)
DRV:64bit: - (sdbus) -- C:\Windows\SysNative\drivers\sdbus.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (IntcDAud) -- C:\Windows\SysNative\drivers\IntcDAud.sys (Intel® Corporation)
DRV:64bit: - (firelm01) -- C:\Windows\SysNative\drivers\firelm01.sys (McAfee, Inc.)
DRV:64bit: - (FireTDI) -- C:\Windows\SysNative\drivers\FireTDI.sys (McAfee, Inc.)
DRV:64bit: - (FirePM) -- C:\Windows\SysNative\drivers\FirePM.sys (McAfee, Inc.)
DRV:64bit: - (ctxusbm) -- C:\Windows\SysNative\drivers\ctxusbm.sys (Citrix Systems, Inc.)
DRV:64bit: - (Impcd) -- C:\Windows\SysNative\drivers\Impcd.sys (Intel Corporation)
DRV:64bit: - (mfetdik) -- C:\Windows\SysNative\drivers\mfetdik.sys (McAfee, Inc.)
DRV:64bit: - (HIPQK) -- C:\Windows\SysNative\drivers\HIPQK.sys (McAfee, Inc.)
DRV:64bit: - (HIPPSK) -- C:\Windows\SysNative\drivers\HIPPSK.sys (McAfee, Inc.)
DRV:64bit: - (HIPK) -- C:\Windows\SysNative\drivers\HIPK.sys (McAfee, Inc.)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (TPM) -- C:\Windows\SysNative\drivers\tpm.sys (Microsoft Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (FirehkMP) -- C:\Windows\SysNative\drivers\firehk.sys (McAfee, Inc.)
DRV:64bit: - (Firehk) -- C:\Windows\SysNative\drivers\firehk.sys (McAfee, Inc.)
DRV - (prepdrvr) -- C:\Windows\SysWOW64\CCM\PrepDrv.sys (Microsoft Corporation)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
DRV - (regi) -- C:\Windows\SysWOW64\drivers\regi.sys (InterVideo)
DRV - (Iviaspi) -- C:\Windows\SysWOW64\drivers\iviaspi.sys (InterVideo, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{3319A3A7-153D-4D87-9F41-58841D57F3D8}: "URL" = https://intranet.sap.corp/~form/handler?_APP=00200682500000002174&_EVENT=RESULT&01100107900000000574={searchTerms}
IE:64bit: - HKLM\..\SearchScopes\{52052DF6-619F-4D0A-9976-A893111E279D}: "URL" = https://portal.wdf.sap.corp/irj/go/portal/prtroot/pcd!3aportal_content!2fcom.sap.sen.search!2fcom.sap.sen.search.iViews!2fnew_advanced_search?SearchType=quick&QueryString={searchTerms}
IE:64bit: - HKLM\..\SearchScopes\{E24C52F5-9946-420D-BCA0-55923A165A41}: "URL" = http://www.google.com/search?q={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{3319A3A7-153D-4D87-9F41-58841D57F3D8}: "URL" = https://intranet.sap.corp/~form/handler?_APP=00200682500000002174&_EVENT=RESULT&01100107900000000574={searchTerms}
IE - HKLM\..\SearchScopes\{52052DF6-619F-4D0A-9976-A893111E279D}: "URL" = https://portal.wdf.sap.corp/irj/go/portal/prtroot/pcd!3aportal_content!2fcom.sap.sen.search!2fcom.sap.sen.search.iViews!2fnew_advanced_search?SearchType=quick&QueryString={searchTerms}
IE - HKLM\..\SearchScopes\{E24C52F5-9946-420D-BCA0-55923A165A41}: "URL" = http://www.google.com/search?q={searchTerms}


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/search?q={searchTerms}
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BF 05 25 FB AA 45 CA 01 [binary data]
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\.DEFAULT\..\SearchScopes\{3319A3A7-153D-4D87-9F41-58841D57F3D8}: "URL" = https://intranet.sap.corp/~form/handler?_APP=00200682500000002174&_EVENT=RESULT&01100107900000000574={searchTerms}
IE - HKU\.DEFAULT\..\SearchScopes\{52052DF6-619F-4D0A-9976-A893111E279D}: "URL" = https://portal.wdf.sap.corp/irj/go/portal/prtroot/pcd!3aportal_content!2fcom.sap.sen.search!2fcom.sap.sen.search.iViews!2fnew_advanced_search?SearchType=quick&QueryString={searchTerms}
IE - HKU\.DEFAULT\..\SearchScopes\{E24C52F5-9946-420D-BCA0-55923A165A41}: "URL" = http://www.google.com/search?q={searchTerms}
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.sap-ag.de;*.sap.corp;<local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy:8080
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://proxy:8083/

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/search?q={searchTerms}
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BF 05 25 FB AA 45 CA 01 [binary data]
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-18\..\SearchScopes\{3319A3A7-153D-4D87-9F41-58841D57F3D8}: "URL" = https://intranet.sap.corp/~form/handler?_APP=00200682500000002174&_EVENT=RESULT&01100107900000000574={searchTerms}
IE - HKU\S-1-5-18\..\SearchScopes\{52052DF6-619F-4D0A-9976-A893111E279D}: "URL" = https://portal.wdf.sap.corp/irj/go/portal/prtroot/pcd!3aportal_content!2fcom.sap.sen.search!2fcom.sap.sen.search.iViews!2fnew_advanced_search?SearchType=quick&QueryString={searchTerms}
IE - HKU\S-1-5-18\..\SearchScopes\{E24C52F5-9946-420D-BCA0-55923A165A41}: "URL" = http://www.google.com/search?q={searchTerms}
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.sap-ag.de;*.sap.corp;<local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy:8080
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://proxy:8083/

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/search?q={searchTerms}
IE - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..\SearchScopes,DefaultScope = {E24C52F5-9946-420D-BCA0-55923A165A41}
IE - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..\SearchScopes\{3319A3A7-153D-4D87-9F41-58841D57F3D8}: "URL" = https://intranet.sap.corp/~form/handler?_APP=00200682500000002174&_EVENT=RESULT&01100107900000000574={searchTerms}
IE - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..\SearchScopes\{52052DF6-619F-4D0A-9976-A893111E279D}: "URL" = https://portal.wdf.sap.corp/irj/go/portal/prtroot/pcd!3aportal_content!2fcom.sap.sen.search!2fcom.sap.sen.search.iViews!2fnew_advanced_search?SearchType=quick&QueryString={searchTerms}
IE - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..\SearchScopes\{E24C52F5-9946-420D-BCA0-55923A165A41}: "URL" = http://www.google.com/search?q={searchTerms}
IE - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.)
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\WINDOWS\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.4.53: c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.4.53: c:\program files (x86)\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.4.53: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.4.53: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.4.53: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll (Tracker Software Products Ltd.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files (x86)\Common Files\McAfee\SystemCore [2012/03/26 01:29:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/06/08 12:13:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/09/23 20:38:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins

[2012/09/23 20:38:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\I804129\AppData\Roaming\mozilla\Extensions
[2012/09/23 20:44:58 | 000,000,000 | ---D | M] (No name found) -- C:\Users\I804129\AppData\Roaming\mozilla\Firefox\Profiles\ee9j6spy.default\extensions
[2012/09/23 20:38:18 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/09/05 18:27:05 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/09/05 18:26:22 | 000,002,465 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/09/05 18:26:22 | 000,002,253 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/09/25 19:16:44 | 000,444,971 | R--- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 64.46.36.178 www.google-analytics.com.
O1 - Hosts: 64.46.36.178 ad-emea.doubleclick.net.
O1 - Hosts: 64.46.36.178 www.statcounter.com.
O1 - Hosts: 64.27.10.42 www.google-analytics.com.
O1 - Hosts: 64.27.10.42 ad-emea.doubleclick.net.
O1 - Hosts: 64.27.10.42 www.statcounter.com.
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 15270 more lines...
O2:64bit: - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120326012640.dll (McAfee, Inc.)
O2:64bit: - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (PDFXChange 4.0 IE Plugin) - {42DFA04F-0F16-418e-B80C-AB97A5AFAD39} - C:\Program Files\Tracker Software\PDF-XChange 4\PXCIEAddin4.dll (Tracker Softaware)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120326012640.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (PDFXChange 4.0 IE Plugin) - {42DFA04F-0F16-418e-B80C-AB97A5AFAD39} - C:\Program Files\Tracker Software\PDF-XChange 4\PXCIEAddin4.dll (Tracker Softaware)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [TpShocks] C:\WINDOWS\SysNative\TpShocks.exe (Lenovo.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AgentUiRunKey] C:\Program Files (x86)\Iron Mountain\Connected BackupPC\Agent.exe (Autonomy Corporation plc)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Communicator] C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [McAfee Host Intrusion Prevention Tray] c:\Program Files (x86)\McAfee\Host Intrusion Prevention\FireTray.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PWMTRV] C:\Program Files (x86)\ThinkPad\Utilities\PWMTR64V.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [RotateImage] C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe (Ricoh co.,Ltd.)
O4 - HKLM..\Run: [SECUDE PSE Service] c:\Program Files (x86)\SECUDE\OfficeSecurity\psesvc.exe (SECUDE AG)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SoftGridTray] C:\Program Files (x86)\Microsoft Application Virtualization Client\SFTTray.exe (Microsoft Corporation)
O4 - HKLM..\Run: [TkBellExe] c:\program files (x86)\real\realplayer\Update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 65536
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewOnDrive = 65536
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 181
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutorun = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LocalAccountTokenFilterPolicy = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\kerberos\parameters: supportedencryptiontypes = 31
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\SearchScopes present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\SearchScopes present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\SearchScopes present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\SearchScopes present
O7 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O7 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\Software\Policies\Microsoft\Internet Explorer\SearchScopes present
O7 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowCPL = 1
O7 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 1
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\.DEFAULT\..Trusted Domains: bcdtravel.com ([]https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: datasltn.com ([]https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: ddi.com ([]https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: isrsurveys.net ([]https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: localhost ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: mymeetingroom.com ([]https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: pgiconnect.com ([]https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sap.com ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: sap.com ([]https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sap.corp ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: sap.corp ([]https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sap.corp ([*.phl] * in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: sap.corp ([*.phl] https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sap.corp ([*.wdf] * in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: sap.corp ([*.wdf] https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sap-ag.de ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: sap-ag.de ([]https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sap-tv.com ([]* in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: sap-tv.com ([]https in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: streamwork.com ([]https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: bcdtravel.com ([]https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: datasltn.com ([]https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: ddi.com ([]https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: isrsurveys.net ([]https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: localhost ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: mymeetingroom.com ([]https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: pgiconnect.com ([]https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sap.com ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: sap.com ([]https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sap.corp ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: sap.corp ([]https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sap.corp ([*.phl] * in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: sap.corp ([*.phl] https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sap.corp ([*.wdf] * in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: sap.corp ([*.wdf] https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sap-ag.de ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: sap-ag.de ([]https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sap-tv.com ([]* in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: sap-tv.com ([]https in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: streamwork.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: bcdtravel.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: cubetree.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: datasltn.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: ddi.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: hubwoo.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: isrsurveys.net ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: localhost ([]* in Local intranet)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: lsl.de ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: mymeetingroom.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: pgiconnect.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: plateau.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: sap.com ([]* in Local intranet)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: sap.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: sap.corp ([]* in Local intranet)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: sap.corp ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: sap.corp ([*.phl] * in Local intranet)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: sap.corp ([*.phl] https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: sap.corp ([*.wdf] * in Local intranet)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: sap.corp ([*.wdf] https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: sap-ag.de ([]* in Local intranet)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: sap-ag.de ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: sap-tv.com ([]* in Local intranet)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: sap-tv.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: streamwork.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-42933632-2124368392-1501187911-105889\..Trusted Domains: successfactors.eu ([]https in Trusted sites)
O16 - DPF: {00627E89-A19D-4A2B-938B-059CB7B1B493} file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5certchk.cab (F5 Networks Certificate Checker)
O16 - DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab (OPSWAT AntiViruses Class)
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} C:\WINDOWS\TEMP\f5tmp\cachecleaner.cab (F5 Networks CacheCleaner)
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} C:\WINDOWS\TEMP\f5tmp\urxvpn.cab (F5 Networks VPN Manager)
O16 - DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab (OPSWAT FireWalls Class)
O16 - DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} C:\WINDOWS\TEMP\f5tmp\f5tunsrv.cab (F5 Networks Dynamic Application Tunnel Control)
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} file://C:/Program Files (x86)/F5 VPN/F5_TMP/InstallerControl.cab (F5 Networks Auto Update)
O16 - DPF: {49EC7987-E331-44E3-B170-748B58A268B9} file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab (OPSWAT ProcessesScanner Class)
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5InspectionHost.cab (F5 Networks Policy Agent Host Class)
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} file://c:/Program Files (x86)/F5 VPN/F5_TMP/msrdp.cab (Microsoft RDP Client Control (redistributable) - version 4)
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} file://c:/Program Files (x86)/F5 VPN/F5_TMP/vdeskctrl.cab (F5 Virtual Sandbox Class)
O16 - DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} https://virtualkitchenshowroom.homedepot.com/VS/Core/Player/2020PlayerAX_WEB_Win32.cab (20-20 3D Viewer for WEB)
O16 - DPF: {8F6AFB67-F834-4227-94A7-A51377E0678E} file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5GroupPolicyAgent.cab (F5 Networks Group Policy Control)
O16 - DPF: {B8693DEF-98AC-43FC-AA00-E7D728334C80} file://c:/Program Files (x86)/F5 VPN/F5_TMP/ur5250x.cab (F5 Networks 5250 Terminal Emulator)
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} C:\WINDOWS\TEMP\f5tmp\urxshost.cab (F5 Networks SuperHost Class)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T28L10NSP1-321/event/ieatgpc1.cab (GpcContainer Class)
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} C:\WINDOWS\TEMP\f5tmp\urxhost.cab (F5 Networks Host Control)
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5syschk.cab (F5 Networks OS Policy Agent)
O16 - DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} file://c:/Program Files (x86)/F5 VPN/F5_TMP/urvncx.cab (URVNCX Class)
O16 - DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab (F5 Networks OPSWAT Helper Control)
O16 - DPF: {EE5E646C-4D96-4DAD-A362-C210B507A0B2} https://portal.wdf.sap.corp/irj/go/km/docs/etc/docservice/DocService.cab (SAP KM DocService Control)
O16 - DPF: N1E.WakeUp.Web.Client.ComputerProbe Install via WebWakeUpActiveX.msi (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0904D491-4619-4949-AC6D-4D706E98C7BA}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\saphtmlp - No CLSID value found
O18:64bit: - Protocol\Handler\sapr3 - No CLSID value found
O18 - Protocol\Handler\saphtmlp {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\Program Files (x86)\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL (SAP, Walldorf)
O18 - Protocol\Handler\sapr3 {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\Program Files (x86)\SAP\FrontEnd\SAPgui\SAPHTMLP.DLL (SAP, Walldorf)
O18:64bit: - Protocol\Filter\application/x-ica - No CLSID value found
O18:64bit: - Protocol\Filter\ica - No CLSID value found
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O20 - AppInit_DLLs: (PGPmapih.dll) - C:\WINDOWS\SysWow64\PGPmapih.dll (PGP Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - ("C:\Program Files (x86)\Microsoft Application Virtualization Client\sftdcc.exe") - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftdcc.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\WINDOWS\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\WINDOWS\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/25 19:29:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Verizon
[2012/09/25 19:23:20 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\I804129\Desktop\OTL.exe
[2012/09/25 09:50:36 | 000,047,080 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\SysNative\HIPIS0e011b5.dll
[2012/09/25 09:50:36 | 000,040,328 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\SysWow64\HIPIS0e011b5.dll
[2012/09/25 09:22:33 | 000,000,000 | ---D | C] -- C:\Users\I804129\Desktop\RK_Quarantine
[2012/09/24 10:01:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/09/24 10:01:54 | 000,033,240 | ---- | C] (GEAR Software Inc.) -- C:\WINDOWS\SysNative\drivers\GEARAspiWDM.sys
[2012/09/24 10:00:25 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/09/24 10:00:24 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2012/09/24 10:00:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[2012/09/24 10:00:24 | 000,000,000 | ---D | C] -- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
[2012/09/24 09:56:53 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/09/23 20:38:31 | 000,000,000 | ---D | C] -- C:\Users\I804129\AppData\Roaming\Mozilla
[2012/09/23 20:38:31 | 000,000,000 | ---D | C] -- C:\Users\I804129\AppData\Local\Mozilla
[2012/09/23 20:38:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2012/09/23 20:38:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service
[2012/09/23 20:38:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2012/09/23 15:09:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2012/09/23 15:09:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012/09/23 15:09:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2012/09/22 21:37:01 | 000,000,000 | ---D | C] -- C:\Users\I804129\AppData\Roaming\SUPERAntiSpyware.com
[2012/09/22 21:36:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2012/09/22 21:36:54 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012/09/22 21:36:54 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/09/22 21:31:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2012/09/22 21:31:01 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2012/09/22 21:30:55 | 000,246,760 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\SysWow64\javaws.exe
[2012/09/22 21:30:46 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\SysWow64\javaw.exe
[2012/09/22 21:30:46 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\SysWow64\java.exe
[2012/09/22 21:30:46 | 000,095,208 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\SysWow64\WindowsAccessBridge-32.dll
[2012/09/17 12:01:46 | 000,821,736 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\SysWow64\npdeployJava1.dll

========== Files - Modified Within 30 Days ==========

[2012/09/25 19:27:52 | 000,019,104 | -H-- | M] () -- C:\WINDOWS\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/09/25 19:27:51 | 000,019,104 | -H-- | M] () -- C:\WINDOWS\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/09/25 19:23:33 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\I804129\Desktop\OTL.exe
[2012/09/25 19:22:47 | 000,000,392 | ---- | M] () -- C:\WINDOWS\SMSCFG.INI
[2012/09/25 19:20:03 | 000,126,945 | ---- | M] () -- C:\WINDOWS\SysWow64\api_hook_list.dat
[2012/09/25 19:20:02 | 000,002,033 | ---- | M] () -- C:\WINDOWS\SysNative\api_hook_list.dat
[2012/09/25 19:19:49 | 000,067,584 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/25 19:19:40 | 3060,518,912 | -HS- | M] () -- C:\hiberfil.sys
[2012/09/25 19:16:44 | 000,444,971 | R--- | M] () -- C:\WINDOWS\SysNative\drivers\etc\hosts
[2012/09/25 19:10:12 | 000,487,391 | ---- | M] () -- C:\WINDOWS\SysNative\drivers\etc\services
[2012/09/25 19:09:36 | 000,074,770 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2012/09/25 19:09:30 | 000,024,488 | RHS- | M] () -- C:\Users\I804129\ntuser.pol
[2012/09/24 22:38:51 | 000,000,106 | ---- | M] () -- C:\WINDOWS\VaultMediaClient.INI
[2012/09/24 22:38:09 | 000,213,187 | ---- | M] () -- C:\Users\I804129\AppData\Roaming\MMUpgrade.jpg
[2012/09/24 10:01:55 | 000,001,789 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/09/24 01:36:54 | 000,869,304 | ---- | M] () -- C:\Users\I804129\AppData\Local\census.cache
[2012/09/24 01:36:21 | 000,117,659 | ---- | M] () -- C:\Users\I804129\AppData\Local\ars.cache
[2012/09/24 01:27:50 | 000,000,036 | ---- | M] () -- C:\Users\I804129\AppData\Local\housecall.guid.cache
[2012/09/23 15:13:30 | 000,444,973 | R--- | M] () -- C:\WINDOWS\SysNative\drivers\etc\hosts.20120923-151456.backup
[2012/09/23 15:09:47 | 000,001,292 | ---- | M] () -- C:\Users\I804129\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/09/22 21:46:28 | 000,077,590 | ---- | M] () -- C:\Users\I804129\Documents\cc_20120922_214620.reg
[2012/09/22 21:30:37 | 000,095,208 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\SysWow64\WindowsAccessBridge-32.dll
[2012/09/22 21:30:34 | 000,246,760 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\SysWow64\javaws.exe
[2012/09/22 21:30:34 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\SysWow64\javaw.exe
[2012/09/22 21:30:33 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\SysWow64\java.exe
[2012/09/22 21:30:32 | 000,821,736 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\SysWow64\npdeployJava1.dll
[2012/09/22 21:30:32 | 000,746,984 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\SysWow64\deployJava1.dll
[2012/09/22 15:01:44 | 000,460,761 | ---- | M] () -- C:\WINDOWS\sapmsg.ini
[2012/09/21 20:13:18 | 000,717,354 | ---- | M] () -- C:\WINDOWS\SysNative\PerfStringBackup.INI
[2012/09/21 20:13:18 | 000,617,526 | ---- | M] () -- C:\WINDOWS\SysNative\perfh009.dat
[2012/09/21 20:13:18 | 000,104,464 | ---- | M] () -- C:\WINDOWS\SysNative\perfc009.dat
[2012/09/19 10:16:02 | 000,404,680 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\SysWow64\FlashPlayerCPLApp.cpl
[2012/09/18 18:08:29 | 000,486,749 | ---- | M] () -- C:\WINDOWS\SysNative\drivers\etc\services.sav
[2012/09/16 22:13:19 | 000,001,386 | RHS- | M] () -- C:\WINDOWS\SysNative\drivers\etc\hosts.bak
[2012/09/16 22:13:19 | 000,001,386 | RHS- | M] () -- C:\WINDOWS\SysNative\drivers\etc\hosts.20120923-151329.backup
[2012/09/07 17:04:46 | 000,025,928 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\SysNative\drivers\mbam.sys
[2012/09/04 23:20:20 | 000,143,040 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\SysWow64\KevlarSigs.dll
[2012/09/03 16:37:43 | 000,733,642 | ---- | M] () -- C:\WINDOWS\SysWow64\PerfStringBackup.INI

========== Files Created - No Company Name ==========

[2012/09/25 19:20:02 | 000,126,945 | ---- | C] () -- C:\WINDOWS\SysWow64\api_hook_list.dat
[2012/09/25 19:20:02 | 000,002,033 | ---- | C] () -- C:\WINDOWS\SysNative\api_hook_list.dat
[2012/09/24 22:36:56 | 000,213,187 | ---- | C] () -- C:\Users\I804129\AppData\Roaming\MMUpgrade.jpg
[2012/09/24 10:01:55 | 000,001,789 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/09/24 01:36:54 | 000,869,304 | ---- | C] () -- C:\Users\I804129\AppData\Local\census.cache
[2012/09/24 01:36:21 | 000,117,659 | ---- | C] () -- C:\Users\I804129\AppData\Local\ars.cache
[2012/09/24 01:27:50 | 000,000,036 | ---- | C] () -- C:\Users\I804129\AppData\Local\housecall.guid.cache
[2012/09/23 20:38:25 | 000,001,152 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/09/23 15:09:47 | 000,001,292 | ---- | C] () -- C:\Users\I804129\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/09/22 21:46:22 | 000,077,590 | ---- | C] () -- C:\Users\I804129\Documents\cc_20120922_214620.reg
[2012/08/18 15:16:42 | 000,000,106 | ---- | C] () -- C:\WINDOWS\VaultMediaClient.INI
[2012/08/18 15:13:13 | 000,003,584 | ---- | C] () -- C:\Users\I804129\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/06/29 16:50:31 | 000,000,054 | ---- | C] () -- C:\Users\I804129\AppData\Roaming\mbam.context.scan
[2012/04/03 18:42:44 | 000,059,232 | ---- | C] () -- C:\WINDOWS\SysWow64\CNC8100W.DAT
[2012/03/26 01:12:51 | 000,024,488 | RHS- | C] () -- C:\Users\I804129\ntuser.pol
[2012/03/20 12:21:42 | 000,074,770 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2012/03/20 12:15:49 | 000,460,761 | ---- | C] () -- C:\WINDOWS\sapmsg.ini
[2012/03/20 12:15:49 | 000,000,351 | ---- | C] () -- C:\WINDOWS\saproute.ini
[2012/03/20 12:15:49 | 000,000,185 | ---- | C] () -- C:\WINDOWS\sapdoccd.ini
[2012/03/20 11:53:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\f5unistall.INI
[2012/03/20 11:46:03 | 000,066,856 | ---- | C] () -- C:\WINDOWS\SysWow64\SynTPEnhPS.dll
[2012/03/20 11:44:02 | 000,867,020 | ---- | C] () -- C:\WINDOWS\SysWow64\igkrng575.bin
[2012/03/20 11:43:52 | 000,105,420 | ---- | C] () -- C:\WINDOWS\SysWow64\igfcg575m.bin
[2012/03/20 11:43:44 | 000,128,204 | ---- | C] () -- C:\WINDOWS\SysWow64\igcompkrng575.bin
[2012/03/20 11:05:28 | 000,004,764 | ---- | C] () -- C:\WINDOWS\SysWow64\CcmFramework.ini
[2011/07/09 06:10:47 | 004,527,616 | ---- | C] () -- C:\WINDOWS\SAPCAR.exe
[2011/07/09 05:42:51 | 000,051,200 | ---- | C] () -- C:\WINDOWS\SysWow64\h5tool32.dll
[2011/07/09 05:42:50 | 001,064,960 | ---- | C] () -- C:\WINDOWS\SysWow64\h5krnl32.dll
[2011/07/09 05:42:50 | 000,188,928 | ---- | C] () -- C:\WINDOWS\SysWow64\h5icon32.dll
[2011/07/09 05:42:50 | 000,175,616 | ---- | C] () -- C:\WINDOWS\SysWow64\h5menu32.dll
[2011/07/09 05:42:50 | 000,095,744 | ---- | C] () -- C:\WINDOWS\SysWow64\h5rtf32.dll
[2011/07/09 04:39:36 | 000,733,642 | ---- | C] () -- C:\WINDOWS\SysWow64\PerfStringBackup.INI
[2011/07/09 04:38:22 | 000,000,392 | ---- | C] () -- C:\WINDOWS\SMSCFG.INI
[2011/05/19 02:53:00 | 000,000,280 | ---- | C] () -- C:\WINDOWS\SysWow64\PGPsdk.dll.sig

========== ZeroAccess Check ==========

[2009/07/13 21:55:00 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"ThreadingModel" = Both
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 22:23:17 | 014,175,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 22:23:17 | 014,175,232 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 21:24:45 | 012,874,752 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 18:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 20:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 18:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== Alternate Data Streams ==========

@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:5C321E34

< End of report >

#8 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 26 September 2012 - 12:51 PM

Hello

Run this custom script, and when it is complete I need to know how the computer is doing.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and paste the following code into the textbox. Do not include the word Code.
    :OTL
    FF - user.js - File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    O2:64bit: - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
    O16 - DPF: N1E.WakeUp.Web.Client.ComputerProbe Install via WebWakeUpActiveX.msi (Reg Error: Key error.)
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\saphtmlp - No CLSID value found
    O18:64bit: - Protocol\Handler\sapr3 - No CLSID value found
    O18:64bit: - Protocol\Filter\application/x-ica - No CLSID value found
    O18:64bit: - Protocol\Filter\ica - No CLSID value found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    :Files
    %SystemRoot%\system32\drivers\etc\hosts
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [emptytemp]
    [resethosts]
    
  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Let me know How things are doing

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
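The ZeroAccess Check section of the OTL report above and the fix script in this post target the same two things: a per-user (HKCU) InProcServer32 override of the {42aedc87-...} shell class, and loading points whose CLSID or file no longer exists. COM merges HKCU\Software\Classes over HKLM for non-elevated processes, so a per-user InProcServer32 entry for a system class silently swaps the DLL that Explorer loads, which is the mechanism behind Rkill's "ZA Reg Hijack" line. As an added example that is not part of the thread or of OTL, the following Python script triages an OTL report for exactly those indicators. It runs over constructed sample lines modelled on the posted log, with one invented hijack entry to exercise the mismatch branch; its EXPECTED_SERVER table and regular expressions are assumptions of this example, not OTL's.

```python
r"""Triage an OTL report for the indicators this thread turns on.

Added example; not part of the thread and not OTL's own code.  It parses
constructed OTL-style lines (modelled on the report above, plus one invented
entry) and flags per-user COM overrides, HKLM InProcServer32 data naming an
unexpected DLL, dangling loading points, and alternate data streams.
EXPECTED_SERVER is this example's table, filled from the report above.
"""
import re
from collections import defaultdict

EXPECTED_SERVER = {  # clsid (lower-case) -> DLL its HKLM InProcServer32 should name
    "{42aedc87-2188-41fd-b9a3-0c966feabec1}": "shell32.dll",
    "{5839fca9-774d-42a1-acda-d6a79037f57f}": "fastprox.dll",
    "{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}": "wbemess.dll",
}

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]( /64)?$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)" = (?P<data>.*)$')
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.IGNORECASE)
LOADPOINT_RE = re.compile(r"^O\d+(:64bit:)? - ")
DANGLING_MARKERS = ("No CLSID value found", "File not found")


def triage_otl(text):
    """Return {'hkcu_override': [keys], 'hklm_mismatch': [dicts], 'dangling': [lines], 'ads': [lines]}."""
    findings = defaultdict(list)
    section = current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if section == "ZeroAccess Check":
            m = KEY_RE.match(line)
            if m:                      # OTL prints a header for every key it inspects...
                current_key = m.group(1)
                continue
            m = VALUE_RE.match(line)
            if m and current_key:      # ...but only a key that exists has value lines
                _check_com_value(current_key, m["name"], m["data"], findings)
        elif section == "Alternate Data Streams":
            if line.startswith("@Alternate Data Stream"):
                findings["ads"].append(line)
        elif LOADPOINT_RE.match(line) and any(mk in line for mk in DANGLING_MARKERS):
            findings["dangling"].append(line)
    return dict(findings)


def _check_com_value(key, name, data, findings):
    m = CLSID_RE.search(key)
    clsid = m.group(0).lower() if m else None
    if key.upper().startswith("HKEY_CURRENT_USER"):
        # The per-user key is the hijack no matter what its data now says
        # (in the report above it already points back at shell32.dll).
        if key not in findings["hkcu_override"]:
            findings["hkcu_override"].append(key)
    elif name == "" and clsid in EXPECTED_SERVER:
        path = data.split(" -- ")[0].strip()      # drop OTL's "-- [date | size ...]" suffix
        dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if dll != EXPECTED_SERVER[clsid]:
            findings["hklm_mismatch"].append({"clsid": clsid, "path": path})


# Constructed sample modelled on the report above.  The F3130CDB entry is
# invented to show a real hijack: InProcServer32 pointing into a GUID-named
# folder under AppData instead of the Microsoft DLL.
SAMPLE_LOG = r"""
========== Standard Registry (SafeList) ==========

O4 - HKLM..\Run: [] File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

========== ZeroAccess Check ==========

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"ThreadingModel" = Both
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 22:23:17 | 014,175,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 22:23:17 | 014,175,232 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Users\user\AppData\Local\{66d01091-30b0-d091-7070-ea6fe4297d6c}\payload.dll -- [2012/09/20 00:00:00 | 000,061,440 | ---- | M] ()

========== Alternate Data Streams ==========

@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:5C321E34
"""

if __name__ == "__main__":
    for kind, items in triage_otl(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

On a real report, feed the saved OTL.Txt to triage_otl: a non-empty hkcu_override list is the condition Rkill reports as "ZA Reg Hijack", and hklm_mismatch is the case the fix script would have had to address with a file move rather than a key deletion. The ADS on C:\ProgramData\TEMP is listed for review rather than judged; confirm what created a stream before deleting it.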

#9 Moca Java (Topic Starter, Members, 9 posts)

Posted 27 September 2012 - 11:24 PM

Hello Gringo,

I applied your code and everything worked well. I used the laptop for a few hours without any popups. Attached is my report. You have been extremely helpful, and there is no way I would have been able to get rid of this malware by myself.

This forum is amazing, not only effective, but also very prompt, courteous, and tenacious. Thank you so much for your help!


All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Starting removal of ActiveX control N1E.WakeUp.Web.Client.ComputerProbe Install via WebWakeUpActiveX.msi
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\N1E.WakeUp.Web.Client.ComputerProbe Install via WebWakeUpActiveX.msi\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\N1E.WakeUp.Web.Client.ComputerProbe Install via WebWakeUpActiveX.msi\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.
File Protocol\Handler\ms-help - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\saphtmlp\ deleted successfully.
File Protocol\Handler\saphtmlp - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\sapr3\ deleted successfully.
File Protocol\Handler\sapr3 - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
========== FILES ==========
C:\WINDOWS\system32\drivers\etc\hosts moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\I804129\Desktop\cmd.bat deleted successfully.
C:\Users\I804129\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: I804129
->Temp folder emptied: 90437322 bytes
->Temporary Internet Files folder emptied: 99186706 bytes
->Java cache emptied: 1874 bytes
->FireFox cache emptied: 160068676 bytes
->Flash cache emptied: 5320476 bytes

User: Public

User: raccount
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: TempAccount
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4732366 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 115951 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 343.00 mb

HOSTS file reset successfully

OTL by OldTimer - Version 3.2.68.0 log created on 09262012_153151

Files\Folders moved on Reboot...
C:\Users\I804129\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\WINDOWS\temp\F5InstServLog.txt scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\mavcperf-setup.log scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
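The fix log above ends with "HOSTS file reset successfully": the [resethosts] command replaced the 444,971-byte hosts file listed in the earlier OTL report with the Windows default. As an added example, not from the thread, from OTL or from Windows, the following Python script audits a hosts file the way a responder would before deciding whether such a reset is needed. It separates bulky but harmless blocklist entries (names sunk to a loopback or unspecified address, as hosts-based ad blockers and immunization tools add) from names pointed at a routable address, which is how a hosts hijack redirects update or vendor sites. The sample hosts text and the SENSITIVE domain list are constructed for this example.

```python
"""Audit a Windows hosts file before or after an OTL [resethosts].

Added example; not from the thread, OTL or Windows.  A stock Windows 7 hosts
file carries only comment lines (even its localhost entries are commented
out), so every active mapping was added later.  SAMPLE_HOSTS and SENSITIVE
are constructed for this example.
"""
import ipaddress

# Domains whose redirection would be alarming.  Illustrative list only: the
# real answer is every vendor the machine relies on, not these two.
SENSITIVE = ("mcafee.com", "malwarebytes.org")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each active mapping.

    '#' starts a comment (whole line or trailing); blank and one-token
    lines are skipped.  One line may map several names to the same address.
    """
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, *names = fields
        for name in names:
            yield n, ip, name.lower()


def audit_hosts(text, sensitive=SENSITIVE):
    """Classify every mapping: blocklist sinkhole, routable redirect, or invalid."""
    report = {"blocklist": 0, "redirects": [], "sensitive": [], "invalid": []}
    for n, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report["invalid"].append((n, ip, name))
            continue
        if addr.is_loopback or addr.is_unspecified:
            if name != "localhost":      # the one loopback mapping that is expected
                report["blocklist"] += 1
            continue
        report["redirects"].append((n, ip, name))
        if any(name == s or name.endswith("." + s) for s in sensitive):
            report["sensitive"].append((n, ip, name))
    return report


def is_windows_default(text):
    """True when the file has no active mapping other than localhost itself."""
    r = audit_hosts(text)
    return r["blocklist"] == 0 and not r["redirects"] and not r["invalid"]


# Constructed sample: a stock-looking header plus one entry of each kind.
SAMPLE_HOSTS = """\
# Constructed sample hosts file for this example.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
127.0.0.1 localhost
0.0.0.0 ad.example.net            # blocklist-style: harmless
127.0.0.1 tracker.example.org     # blocklist-style: harmless
203.0.113.45 update.mcafee.com    # routable address: a redirect, and of a vendor site
203.0.113.45 www.malwarebytes.org
198.51.100.7 www.example.com
not-an-ip bogus.example
"""

if __name__ == "__main__":
    for kind, value in audit_hosts(SAMPLE_HOSTS).items():
        print(kind, value)
    print("stock Windows hosts file:", is_windows_default(SAMPLE_HOSTS))
```

A file with thousands of blocklist entries and zero redirects is what an immunization tool leaves behind and is safe to keep or reset as the user prefers; a single routable redirect of a vendor or update domain is the finding that justifies the reset and a closer look at what wrote it.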

#10 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 28 September 2012 - 11:53 AM

Hello Moca Java

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#11 Moca Java (Topic Starter, Members, 9 posts)

Posted 29 September 2012 - 11:27 PM

Hello Gringo,

I ran ComboFix as instructed. As for McAfee, I was able to disable the firewall prior to running ComboFix, but not McAfee VirusScan Enterprise; I believe it is locked by our corporate IT, so I cannot disable it from my side. I ran ComboFix anyway at my own risk and it completed its job and rebooted.

I have been able to use Internet Explorer without popups all day. Do you think it is fixed now?

------------------------------------------------------------------------------------------------

ComboFix 12-09-27.03 - I804129 09/28/2012 21:20:03.1.4 - x64
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3892.2295 [GMT -7:00]
Running from: c:\users\I804129\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Host Intrusion Prevention Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PGPtray.exe.lnk
c:\users\I804129\AppData\Local\assembly\tmp
c:\users\Public\sdelevURL.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-08-28 to 2012-09-29 )))))))))))))))))))))))))))))))
.
.
2012-09-29 02:52 . 2010-01-26 15:56 40328 ----a-w- c:\windows\SysWow64\HIPIS0e011b5.dll
2012-09-29 02:52 . 2010-01-26 15:44 47080 ----a-w- c:\windows\system32\HIPIS0e011b5.dll
2012-09-26 22:31 . 2012-09-26 22:31 -------- d-----w- C:\_OTL
2012-09-24 17:01 . 2012-08-21 20:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-09-24 17:00 . 2012-09-24 17:00 -------- d-----w- c:\program files\iPod
2012-09-24 17:00 . 2012-09-24 17:01 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-09-24 17:00 . 2012-09-24 17:01 -------- d-----w- c:\program files\iTunes
2012-09-24 17:00 . 2012-09-24 17:01 -------- d-----w- c:\program files (x86)\iTunes
2012-09-24 03:38 . 2012-09-24 03:38 -------- d-----w- c:\users\I804129\AppData\Local\Mozilla
2012-09-24 03:38 . 2012-09-24 03:38 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-09-23 22:09 . 2012-09-24 08:43 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-09-23 22:09 . 2012-09-23 22:12 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-09-23 04:37 . 2012-09-23 04:37 -------- d-----w- c:\users\I804129\AppData\Roaming\SUPERAntiSpyware.com
2012-09-23 04:36 . 2012-09-23 04:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-09-23 04:36 . 2012-09-23 04:36 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-09-23 04:31 . 2012-09-23 04:31 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-09-23 04:30 . 2012-09-23 04:30 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-09-17 19:01 . 2012-09-23 04:30 821736 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-23 04:30 . 2011-07-09 12:05 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-09-19 17:16 . 2012-03-20 20:32 404680 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-19 17:14 . 2012-03-26 08:46 64462936 ----a-w- c:\windows\system32\MRT.exe
2012-09-08 00:04 . 2012-03-27 07:34 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-05 06:20 . 2011-07-09 12:05 143040 ----a-w- c:\windows\SysWow64\KevlarSigs.dll
2012-08-21 20:01 . 2012-03-26 22:10 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-08-21 20:01 . 2012-03-26 22:10 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2012-08-18 21:26 . 2012-08-18 21:26 260 ----a-w- c:\windows\SysWow64\cmdVBS.vbs
2012-08-18 21:26 . 2012-08-18 21:26 256 ----a-w- c:\windows\SysWow64\MSIevent.bat
2012-07-18 18:15 . 2012-08-22 15:10 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-04 22:16 . 2012-08-22 15:15 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-07-04 22:13 . 2012-08-22 15:15 59392 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 22:13 . 2012-08-22 15:15 136704 ----a-w- c:\windows\system32\browser.dll
2012-07-04 21:14 . 2012-08-22 15:15 41984 ----a-w- c:\windows\SysWow64\browcli.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SoftGridTray"="c:\program files (x86)\Microsoft Application Virtualization Client\SFTTray.exe" [2011-11-17 853864]
"ShStatEXE"="c:\program files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
"McAfee Host Intrusion Prevention Tray"="c:\program files (x86)\McAfee\Host Intrusion Prevention\FireTray.exe" [2010-06-15 979104]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Communicator"="c:\program files (x86)\Microsoft Office Communicator\communicator.exe" [2012-05-15 5164120]
"SECUDE PSE Service"="c:\program files (x86)\SECUDE\OfficeSecurity\psesvc.exe" [2009-07-20 1283464]
"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2012-03-20 1553256]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-28 59280]
"McAfeeUpdaterUI"="c:\program files (x86)\McAfee\Common Framework\udaterui.exe" [2011-11-15 333376]
"AgentUiRunKey"="c:\program files (x86)\Iron Mountain\Connected BackupPC\Agent.exe" [2011-09-22 287744]
"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-24 206240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2012-06-08 296056]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-10 421776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"LocalAccountTokenFilterPolicy"= 1 (0x1)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCPL"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 regi;regi;c:\windows\system32\drivers\regi.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 DozeSvc;Lenovo Doze Mode Service;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE [2012-03-20 477032]
R3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltv64.sys [2011-06-22 18512]
R3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\DRIVERS\firehk.sys [2008-10-17 56648]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-03-26 100904]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-09-06 114144]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [2012-03-20 83304]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe64.sys [2012-03-20 55808]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-21 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S0 DzHDD64;DzHDD64;c:\windows\System32\DRIVERS\DzHDD64.sys [2012-03-20 31344]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-03-26 283744]
S0 Pgpwdefs;Pgpwdefs;c:\windows\system32\DRIVERS\Pgpwdefs.sys [2011-05-19 14968]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys [2011-01-13 23664]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2010-04-16 87600]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys [2012-03-20 15472]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 AgentService;AgentService;c:\program files (x86)\Iron Mountain\Connected BackupPC\AgentService.exe [2011-09-22 7632288]
S2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files (x86)\McAfee\Host Intrusion Prevention\FireSvc.exe [2010-06-15 1498224]
S2 F5 Networks Component Installer;F5 Networks Component Installer;c:\windows\SysWOW64\F5InstallerService.exe [2012-03-20 379320]
S2 hips;McAfee HIPSCore Service;c:\program files (x86)\McAfee\Host Intrusion Prevention\HIPSCore\x64\HIPSvc.exe [2010-01-26 39840]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2011-03-01 27648]
S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2012-08-03 352248]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2012-03-20 45496]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [2012-03-20 93032]
S2 LV_Tracker;LV_Tracker;c:\windows\system32\DRIVERS\LV_Tracker64.sys [2011-09-21 54824]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-03-26 158832]
S2 NightWatchman;1E NightWatchman;c:\program files\1E\Agent\NightWatchman\NwmSvc.exe [2012-04-10 1547608]
S2 PanService;PandoraService;c:\program files (x86)\PANDORA.TV\PanService\PandoraService.exe [2012-05-13 624856]
S2 prgnDiscAgent;HP DDMI Agent;c:\program files (x86)\Hewlett-Packard\Discovery Agent\bin32\discagnt.exe [2012-08-31 826752]
S2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files (x86)\ThinkPad\Utilities\PWMEWSVC.EXE [2012-03-20 148840]
S2 Raccount;Rescue account;c:\program files (x86)\SAP\Rescue Account V5.0\RaccountV5.exe [2011-03-31 57344]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe64.sys [2012-03-20 61952]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-11-17 508776]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [2012-03-20 114024]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2012-03-20 64440]
S2 WakeUpAgt;1E WakeUp Agent;c:\program files\1E\Agent\WakeUp\WakeUpAgt.exe [2012-04-10 769864]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2011-01-13 166656]
S3 CAXHWAZL;CAXHWAZL;c:\windows\system32\DRIVERS\CAXHWAZL.sys [2012-03-20 299648]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2012-03-20 294064]
S3 FirehkMP;FirehkMP;c:\windows\system32\DRIVERS\firehk.sys [2008-10-17 56648]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2012-03-20 56344]
S3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2010-01-26 138904]
S3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2010-01-26 45424]
S3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2010-01-26 40152]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-26 158976]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 317440]
S3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [2012-03-20 8505856]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfswin7.sys [2011-11-17 762216]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaywin7.sys [2011-11-17 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirwin7.sys [2011-11-17 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvolwin7.sys [2011-11-17 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-11-17 219496]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\covpnv64.sys [2011-06-22 43856]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{0D1CBBB9-F4A8-45B6-95E7-202BA61D7AF4}]
2010-11-21 03:24 73216 ----a-w- c:\windows\SysWOW64\msiexec.exe
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-23 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-23 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-23 418840]
"TpShocks"="TpShocks.exe" [2011-01-14 380776]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-07-19 2780776]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
Trusted Zone: bcdtravel.com
Trusted Zone: cubetree.com
Trusted Zone: datasltn.com
Trusted Zone: ddi.com
Trusted Zone: hubwoo.com
Trusted Zone: isrsurveys.net
Trusted Zone: lsl.de
Trusted Zone: mymeetingroom.com
Trusted Zone: pgiconnect.com
Trusted Zone: plateau.com
Trusted Zone: sap-ag.de
Trusted Zone: sap-tv.com
Trusted Zone: sap.com
Trusted Zone: sap.corp
Trusted Zone: sap.corp\*.phl
Trusted Zone: sap.corp\*.wdf
Trusted Zone: streamwork.com
Trusted Zone: successfactors.eu
TCP: DhcpNameServer = 192.168.1.1
DPF: N1E.WakeUp.Web.Client.ComputerProbe - Install via WebWakeUpActiveX.msi
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab
DPF: {8A5BE387-D09A-4DFA-A56B-DCB89BD11468} - hxxps://virtualkitchenshowroom.homedepot.com/VS/Core/Player/2020PlayerAX_WEB_Win32.cab
DPF: {8F6AFB67-F834-4227-94A7-A51377E0678E} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5GroupPolicyAgent.cab
DPF: {B8693DEF-98AC-43FC-AA00-E7D728334C80} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/ur5250x.cab
DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/urvncx.cab
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} - file://c:/Program Files (x86)/F5 VPN/F5_TMP/f5opswati.cab
DPF: {EE5E646C-4D96-4DAD-A362-C210B507A0B2} - hxxps://portal.wdf.sap.corp/irj/go/km/docs/etc/docservice/DocService.cab
FF - ProfilePath - c:\users\I804129\AppData\Roaming\Mozilla\Firefox\Profiles\ee9j6spy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
HKLM_Wow6432Node-ActiveSetup-{0EEB34F6-991D-4a1b-8EEB-772DA0EADB22} - msiexec
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,47,99,84,eb,95,e2,4a,90,1b,ea,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,eb,47,99,84,eb,95,e2,4a,90,1b,ea,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\SysWOW64\\Macromed\\Flash\\FlashUtil10zf_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\SysWOW64\\Macromed\\Flash\\FlashUtil10zf_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\WINDOWS\\SysWOW64\\Macromed\\Flash\\Flash10zf.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\WINDOWS\\SysWOW64\\Macromed\\Flash\\Flash10zf.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\WINDOWS\\SysWOW64\\Macromed\\Flash\\Flash10zf.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\WINDOWS\\SysWOW64\\Macromed\\Flash\\Flash10zf.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\iPass\SAPVPN\iPassPeriodicUpdateService.exe
c:\program files (x86)\McAfee\Common Framework\FrameworkService.exe
c:\program files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\windows\SysWOW64\PGPserv.exe
c:\program files (x86)\McAfee\Common Framework\naPrdMgr.exe
c:\program files (x86)\Citrix\ICA Client\ssonsvr.exe
c:\windows\SysWOW64\CCM\CcmExec.exe
c:\program files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
c:\progra~1\LENOVO\VIRTSCRL\virtscrl.exe
c:\program files\LENOVO\HOTKEY\tposdsvc.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files (x86)\iPass\SAPVPN\iPassPeriodicUpdateApp.exe
.
**************************************************************************
.
Completion time: 2012-09-28 21:35:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-29 04:35
.
Pre-Run: 61,525,213,184 bytes free
Post-Run: 61,203,812,352 bytes free
.
- - End Of File - - CA136D635E69E33C975D551F2537C84B

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 September 2012 - 11:47 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save Log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 Moca Java

Moca Java
  • Topic Starter

  • Members
  • 9 posts

Posted 02 October 2012 - 08:53 PM

Hello Gringo,

I downloaded and ran TDSSKiller, and it produced a clean log (see below). I also downloaded and ran aswMBR; it seems clean as well. Do you think the laptop is now finally clean from malware/spyware/viruses?



18:19:59.0616 5916 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
18:19:59.0979 5916 ============================================================
18:19:59.0979 5916 Current date / time: 2012/10/02 18:19:59.0979
18:19:59.0979 5916 SystemInfo:
18:19:59.0979 5916
18:19:59.0979 5916 OS Version: 6.1.7601 ServicePack: 1.0
18:19:59.0979 5916 Product type: Workstation
18:19:59.0980 5916 ComputerName: LOSN00483325A
18:19:59.0980 5916 UserName: I804129
18:19:59.0980 5916 Windows directory: C:\WINDOWS
18:19:59.0980 5916 System windows directory: C:\WINDOWS
18:19:59.0980 5916 Running under WOW64
18:19:59.0980 5916 Processor architecture: Intel x64
18:19:59.0980 5916 Number of processors: 4
18:19:59.0980 5916 Page size: 0x1000
18:19:59.0980 5916 Boot type: Normal boot
18:19:59.0980 5916 ============================================================
18:20:00.0504 5916 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0xA181, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000040
18:20:00.0511 5916 ============================================================
18:20:00.0511 5916 \Device\Harddisk0\DR0:
18:20:00.0511 5916 MBR partitions:
18:20:00.0511 5916 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x2542D800
18:20:00.0511 5916 ============================================================
18:20:00.0521 5916 Initialize success
18:20:00.0521 5916 ============================================================
18:20:05.0120 3868 ============================================================
18:20:05.0120 3868 Scan started
18:20:05.0120 3868 Mode: Manual;
18:20:05.0120 3868 ============================================================
18:20:05.0132 3868 ================ Scan system memory ========================
18:20:05.0132 3868 System memory - ok
18:20:05.0133 3868 ================ Scan services =============================
18:20:05.0180 3868 !SASCORE - ok
18:20:05.0260 3868 1394ohci - ok
18:20:05.0269 3868 5U877 - ok
18:20:05.0275 3868 ACPI - ok
18:20:05.0280 3868 AcpiPmi - ok
18:20:05.0305 3868 AdobeARMservice - ok
18:20:05.0312 3868 adp94xx - ok
18:20:05.0318 3868 adpahci - ok
18:20:05.0324 3868 adpu320 - ok
18:20:05.0332 3868 AeLookupSvc - ok
18:20:05.0348 3868 AFD - ok
18:20:05.0354 3868 AgentService - ok
18:20:05.0358 3868 agp440 - ok
18:20:05.0363 3868 ALG - ok
18:20:05.0374 3868 aliide - ok
18:20:05.0378 3868 amdide - ok
18:20:05.0382 3868 AmdK8 - ok
18:20:05.0386 3868 AmdPPM - ok
18:20:05.0390 3868 amdsata - ok
18:20:05.0393 3868 amdsbs - ok
18:20:05.0397 3868 amdxata - ok
18:20:05.0400 3868 AppID - ok
18:20:05.0404 3868 AppIDSvc - ok
18:20:05.0408 3868 Appinfo - ok
18:20:05.0433 3868 Apple Mobile Device - ok
18:20:05.0446 3868 AppMgmt - ok
18:20:05.0452 3868 arc - ok
18:20:05.0458 3868 arcsas - ok
18:20:05.0465 3868 AsyncMac - ok
18:20:05.0471 3868 atapi - ok
18:20:05.0476 3868 AudioEndpointBuilder - ok
18:20:05.0479 3868 AudioSrv - ok
18:20:05.0483 3868 AxInstSV - ok
18:20:05.0487 3868 b06bdrv - ok
18:20:05.0491 3868 b57nd60a - ok
18:20:05.0496 3868 BDESVC - ok
18:20:05.0499 3868 Beep - ok
18:20:05.0512 3868 BFE - ok
18:20:05.0516 3868 BITS - ok
18:20:05.0519 3868 blbdrive - ok
18:20:05.0523 3868 Bonjour Service - ok
18:20:05.0526 3868 bowser - ok
18:20:05.0530 3868 BrFiltLo - ok
18:20:05.0533 3868 BrFiltUp - ok
18:20:05.0556 3868 BridgeMP - ok
18:20:05.0562 3868 Browser - ok
18:20:05.0566 3868 Brserid - ok
18:20:05.0570 3868 BrSerWdm - ok
18:20:05.0574 3868 BrUsbMdm - ok
18:20:05.0577 3868 BrUsbSer - ok
18:20:05.0581 3868 BTHMODEM - ok
18:20:05.0608 3868 BTHPORT - ok
18:20:05.0611 3868 bthserv - ok
18:20:05.0615 3868 BTHUSB - ok
18:20:05.0619 3868 catchme - ok
18:20:05.0623 3868 CAXHWAZL - ok
18:20:05.0627 3868 CcmExec - ok
18:20:05.0631 3868 cdfs - ok
18:20:05.0635 3868 cdrom - ok
18:20:05.0638 3868 CertPropSvc - ok
18:20:05.0644 3868 circlass - ok
18:20:05.0648 3868 CLFS - ok
18:20:05.0654 3868 clr_optimization_v2.0.50727_32 - ok
18:20:05.0658 3868 clr_optimization_v2.0.50727_64 - ok
18:20:05.0688 3868 CmBatt - ok
18:20:05.0692 3868 cmdide - ok
18:20:05.0695 3868 CNG - ok
18:20:05.0698 3868 CnxtHdAudService - ok
18:20:05.0702 3868 Compbatt - ok
18:20:05.0705 3868 CompositeBus - ok
18:20:05.0709 3868 COMSysApp - ok
18:20:05.0713 3868 crcdisk - ok
18:20:05.0717 3868 CryptSvc - ok
18:20:05.0721 3868 CSC - ok
18:20:05.0724 3868 CscService - ok
18:20:05.0728 3868 ctxusbm - ok
18:20:05.0732 3868 DcomLaunch - ok
18:20:05.0736 3868 defragsvc - ok
18:20:05.0739 3868 DfsC - ok
18:20:05.0743 3868 Dhcp - ok
18:20:05.0746 3868 discache - ok
18:20:05.0773 3868 Disk - ok
18:20:05.0777 3868 dmvsc - ok
18:20:05.0781 3868 Dnscache - ok
18:20:05.0784 3868 dot3svc - ok
18:20:05.0797 3868 DozeSvc - ok
18:20:05.0801 3868 DPS - ok
18:20:05.0805 3868 drmkaud - ok
18:20:05.0808 3868 DXGKrnl - ok
18:20:05.0812 3868 DzHDD64 - ok
18:20:05.0815 3868 E1G60 - ok
18:20:05.0825 3868 e1kexpress - ok
18:20:05.0837 3868 EapHost - ok
18:20:05.0841 3868 ebdrv - ok
18:20:05.0844 3868 EFS - ok
18:20:05.0848 3868 ehRecvr - ok
18:20:05.0851 3868 ehSched - ok
18:20:05.0854 3868 elxstor - ok
18:20:05.0858 3868 enterceptAgent - ok
18:20:05.0861 3868 ErrDev - ok
18:20:05.0868 3868 EventSystem - ok
18:20:05.0871 3868 exfat - ok
18:20:05.0875 3868 F5 Networks Component Installer - ok
18:20:05.0878 3868 f5ipfw - ok
18:20:05.0882 3868 fastfat - ok
18:20:05.0885 3868 Fax - ok
18:20:05.0888 3868 fdc - ok
18:20:05.0891 3868 fdPHost - ok
18:20:05.0895 3868 FDResPub - ok
18:20:05.0898 3868 FileInfo - ok
18:20:05.0902 3868 Filetrace - ok
18:20:05.0905 3868 Firehk - ok
18:20:05.0909 3868 FirehkMP - ok
18:20:05.0912 3868 firelm01 - ok
18:20:05.0916 3868 FirePM - ok
18:20:05.0919 3868 FireTDI - ok
18:20:05.0923 3868 flpydisk - ok
18:20:05.0926 3868 FltMgr - ok
18:20:05.0930 3868 FontCache - ok
18:20:05.0933 3868 FontCache3.0.0.0 - ok
18:20:05.0936 3868 FsDepends - ok
18:20:05.0940 3868 Fs_Rec - ok
18:20:05.0943 3868 fvevol - ok
18:20:05.0947 3868 gagp30kx - ok
18:20:05.0950 3868 GEARAspiWDM - ok
18:20:05.0954 3868 gpsvc - ok
18:20:05.0958 3868 hcw85cir - ok
18:20:05.0961 3868 HdAudAddService - ok
18:20:05.0965 3868 HDAudBus - ok
18:20:05.0976 3868 HECIx64 - ok
18:20:05.0979 3868 HidBatt - ok
18:20:05.0983 3868 HidBth - ok
18:20:05.0986 3868 HidIr - ok
18:20:05.0990 3868 hidserv - ok
18:20:05.0993 3868 HidUsb - ok
18:20:05.0997 3868 HIPK - ok
18:20:06.0000 3868 HIPPSK - ok
18:20:06.0004 3868 HIPQK - ok
18:20:06.0007 3868 hips - ok
18:20:06.0011 3868 hkmsvc - ok
18:20:06.0014 3868 HomeGroupListener - ok
18:20:06.0017 3868 HomeGroupProvider - ok
18:20:06.0022 3868 HpSAMD - ok
18:20:06.0025 3868 HsfXAudioService - ok
18:20:06.0029 3868 HSF_DPV - ok
18:20:06.0032 3868 HTTP - ok
18:20:06.0035 3868 hwpolicy - ok
18:20:06.0039 3868 i8042prt - ok
18:20:06.0044 3868 iaStor - ok
18:20:06.0048 3868 iaStorV - ok
18:20:06.0051 3868 IBMPMDRV - ok
18:20:06.0054 3868 IBMPMSVC - ok
18:20:06.0058 3868 idsvc - ok
18:20:06.0067 3868 igfx - ok
18:20:06.0070 3868 IHA_MessageCenter - ok
18:20:06.0074 3868 iirsp - ok
18:20:06.0078 3868 IKEEXT - ok
18:20:06.0081 3868 Impcd - ok
18:20:06.0086 3868 IntcDAud - ok
18:20:06.0089 3868 intelide - ok
18:20:06.0093 3868 intelppm - ok
18:20:06.0096 3868 iPassConnectEngine - ok
18:20:06.0100 3868 iPassPeriodicUpdateApp - ok
18:20:06.0104 3868 iPassPeriodicUpdateService - ok
18:20:06.0107 3868 IPBusEnum - ok
18:20:06.0111 3868 IpFilterDriver - ok
18:20:06.0114 3868 iphlpsvc - ok
18:20:06.0118 3868 IPMIDRV - ok
18:20:06.0121 3868 IPNAT - ok
18:20:06.0130 3868 iPod Service - ok
18:20:06.0133 3868 IRENUM - ok
18:20:06.0137 3868 isapnp - ok
18:20:06.0140 3868 iScsiPrt - ok
18:20:06.0151 3868 Iviaspi - ok
18:20:06.0154 3868 IviRegMgr - ok
18:20:06.0158 3868 kbdclass - ok
18:20:06.0162 3868 kbdhid - ok
18:20:06.0165 3868 KeyIso - ok
18:20:06.0168 3868 KSecDD - ok
18:20:06.0172 3868 KSecPkg - ok
18:20:06.0175 3868 ksthunk - ok
18:20:06.0179 3868 KtmRm - ok
18:20:06.0183 3868 LanmanServer - ok
18:20:06.0186 3868 LanmanWorkstation - ok
18:20:06.0191 3868 LENOVO.MICMUTE - ok
18:20:06.0198 3868 lenovo.smi - ok
18:20:06.0202 3868 Lenovo.VIRTSCRLSVC - ok
18:20:06.0205 3868 lltdio - ok
18:20:06.0208 3868 lltdsvc - ok
18:20:06.0212 3868 lmhosts - ok
18:20:06.0216 3868 LSI_FC - ok
18:20:06.0220 3868 LSI_SAS - ok
18:20:06.0224 3868 LSI_SAS2 - ok
18:20:06.0227 3868 LSI_SCSI - ok
18:20:06.0230 3868 luafv - ok
18:20:06.0234 3868 LV_Tracker - ok
18:20:06.0239 3868 McAfeeFramework - ok
18:20:06.0245 3868 McShield - ok
18:20:06.0249 3868 McTaskManager - ok
18:20:06.0253 3868 Mcx2Svc - ok
18:20:06.0258 3868 mdmxsdk - ok
18:20:06.0262 3868 megasas - ok
18:20:06.0267 3868 MegaSR - ok
18:20:06.0270 3868 mfeapfk - ok
18:20:06.0274 3868 mfeavfk - ok
18:20:06.0278 3868 mfeavfk01 - ok
18:20:06.0282 3868 mfehidk - ok
18:20:06.0285 3868 mferkdet - ok
18:20:06.0289 3868 mfetdik - ok
18:20:06.0292 3868 mfevtp - ok
18:20:06.0296 3868 mfewfpk - ok
18:20:06.0299 3868 Microsoft SharePoint Workspace Audit Service - ok
18:20:06.0303 3868 MMCSS - ok
18:20:06.0306 3868 Modem - ok
18:20:06.0310 3868 monitor - ok
18:20:06.0313 3868 mouclass - ok
18:20:06.0316 3868 mouhid - ok
18:20:06.0331 3868 mountmgr - ok
18:20:06.0340 3868 MozillaMaintenance - ok
18:20:06.0344 3868 mpio - ok
18:20:06.0347 3868 mpsdrv - ok
18:20:06.0351 3868 MpsSvc - ok
18:20:06.0354 3868 MRxDAV - ok
18:20:06.0357 3868 mrxsmb - ok
18:20:06.0360 3868 mrxsmb10 - ok
18:20:06.0364 3868 mrxsmb20 - ok
18:20:06.0368 3868 msahci - ok
18:20:06.0371 3868 msdsm - ok
18:20:06.0375 3868 MSDTC - ok
18:20:06.0380 3868 Msfs - ok
18:20:06.0384 3868 mshidkmdf - ok
18:20:06.0387 3868 msisadrv - ok
18:20:06.0391 3868 MSiSCSI - ok
18:20:06.0394 3868 msiserver - ok
18:20:06.0397 3868 MSKSSRV - ok
18:20:06.0401 3868 MSPCLOCK - ok
18:20:06.0405 3868 MSPQM - ok
18:20:06.0408 3868 MsRPC - ok
18:20:06.0413 3868 mssmbios - ok
18:20:06.0416 3868 MSTEE - ok
18:20:06.0420 3868 MTConfig - ok
18:20:06.0423 3868 Mup - ok
18:20:06.0427 3868 napagent - ok
18:20:06.0430 3868 NativeWifiP - ok
18:20:06.0434 3868 NDIS - ok
18:20:06.0437 3868 NdisCap - ok
18:20:06.0441 3868 NdisTapi - ok
18:20:06.0445 3868 Ndisuio - ok
18:20:06.0448 3868 NdisWan - ok
18:20:06.0452 3868 NDProxy - ok
18:20:06.0455 3868 NetBIOS - ok
18:20:06.0459 3868 NetBT - ok
18:20:06.0463 3868 Netlogon - ok
18:20:06.0466 3868 Netman - ok
18:20:06.0469 3868 netprofm - ok
18:20:06.0473 3868 NetTcpPortSharing - ok
18:20:06.0477 3868 NETwNs64 - ok
18:20:06.0490 3868 nfrd960 - ok
18:20:06.0494 3868 NightWatchman - ok
18:20:06.0498 3868 NlaSvc - ok
18:20:06.0501 3868 Npfs - ok
18:20:06.0505 3868 nsi - ok
18:20:06.0508 3868 nsiproxy - ok
18:20:06.0513 3868 Ntfs - ok
18:20:06.0517 3868 Null - ok
18:20:06.0528 3868 nvraid - ok
18:20:06.0531 3868 nvstor - ok
18:20:06.0535 3868 nv_agp - ok
18:20:06.0538 3868 ohci1394 - ok
18:20:06.0541 3868 ose - ok
18:20:06.0545 3868 osppsvc - ok
18:20:06.0551 3868 p2pimsvc - ok
18:20:06.0554 3868 p2psvc - ok
18:20:06.0558 3868 PanService - ok
18:20:06.0562 3868 Parport - ok
18:20:06.0566 3868 partmgr - ok
18:20:06.0570 3868 PcaSvc - ok
18:20:06.0573 3868 pci - ok
18:20:06.0577 3868 pciide - ok
18:20:06.0580 3868 pcmcia - ok
18:20:06.0584 3868 pcw - ok
18:20:06.0587 3868 PEAUTH - ok
18:20:06.0591 3868 PeerDistSvc - ok
18:20:06.0596 3868 PerfHost - ok
18:20:06.0604 3868 PGPdisk - ok
18:20:06.0610 3868 PGPsdkDriver - ok
18:20:06.0614 3868 PGPserv - ok
18:20:06.0618 3868 PGPwded - ok
18:20:06.0621 3868 Pgpwdefs - ok
18:20:06.0625 3868 pla - ok
18:20:06.0636 3868 PlugPlay - ok
18:20:06.0639 3868 PNRPAutoReg - ok
18:20:06.0643 3868 PNRPsvc - ok
18:20:06.0648 3868 PolicyAgent - ok
18:20:06.0653 3868 Power - ok
18:20:06.0657 3868 Power Manager DBC Service - ok
18:20:06.0661 3868 PptpMiniport - ok
18:20:06.0665 3868 prepdrvr - ok
18:20:06.0669 3868 prgnDiscAgent - ok
18:20:06.0673 3868 Processor - ok
18:20:06.0676 3868 ProfSvc - ok
18:20:06.0680 3868 ProtectedStorage - ok
18:20:06.0684 3868 Psched - ok
18:20:06.0688 3868 PwmEWSvc - ok
18:20:06.0691 3868 ql2300 - ok
18:20:06.0695 3868 ql40xx - ok
18:20:06.0698 3868 QWAVE - ok
18:20:06.0702 3868 QWAVEdrv - ok
18:20:06.0706 3868 Raccount - ok
18:20:06.0709 3868 RasAcd - ok
18:20:06.0716 3868 RasAgileVpn - ok
18:20:06.0720 3868 RasAuto - ok
18:20:06.0725 3868 Rasl2tp - ok
18:20:06.0738 3868 RasMan - ok
18:20:06.0745 3868 RasPppoe - ok
18:20:06.0749 3868 RasSstp - ok
18:20:06.0753 3868 rdbss - ok
18:20:06.0756 3868 rdpbus - ok
18:20:06.0761 3868 RDPCDD - ok
18:20:06.0767 3868 RDPDR - ok
18:20:06.0771 3868 RDPENCDD - ok
18:20:06.0776 3868 RDPREFMP - ok
18:20:06.0782 3868 RdpVideoMiniport - ok
18:20:06.0785 3868 RDPWD - ok
18:20:06.0789 3868 rdyboost - ok
18:20:06.0793 3868 regi - ok
18:20:06.0796 3868 RemoteAccess - ok
18:20:06.0800 3868 RemoteRegistry - ok
18:20:06.0804 3868 rimspci - ok
18:20:06.0807 3868 RimUsb - ok
18:20:06.0811 3868 rixdpcie - ok
18:20:06.0815 3868 RpcEptMapper - ok
18:20:06.0819 3868 RpcLocator - ok
18:20:06.0823 3868 RpcSs - ok
18:20:06.0826 3868 rspndr - ok
18:20:06.0830 3868 s3cap - ok
18:20:06.0834 3868 SamSs - ok
18:20:06.0854 3868 SASDIFSV - ok
18:20:06.0860 3868 SASKUTIL - ok
18:20:06.0864 3868 sbp2port - ok
18:20:06.0869 3868 SBSDWSCService - ok
18:20:06.0873 3868 SCardSvr - ok
18:20:06.0877 3868 scfilter - ok
18:20:06.0882 3868 Schedule - ok
18:20:06.0886 3868 SCPolicySvc - ok
18:20:06.0890 3868 sdbus - ok
18:20:06.0893 3868 SDRSVC - ok
18:20:06.0897 3868 secdrv - ok
18:20:06.0902 3868 seclogon - ok
18:20:06.0906 3868 SENS - ok
18:20:06.0910 3868 SensrSvc - ok
18:20:06.0914 3868 Serenum - ok
18:20:06.0917 3868 Serial - ok
18:20:06.0921 3868 sermouse - ok
18:20:06.0930 3868 SessionEnv - ok
18:20:06.0934 3868 sffdisk - ok
18:20:06.0938 3868 sffp_mmc - ok
18:20:06.0941 3868 sffp_sd - ok
18:20:06.0945 3868 sfloppy - ok
18:20:06.0949 3868 Sftfs - ok
18:20:06.0961 3868 sftlist - ok
18:20:06.0965 3868 Sftplay - ok
18:20:06.0970 3868 Sftredir - ok
18:20:06.0974 3868 Sftvol - ok
18:20:06.0978 3868 sftvsa - ok
18:20:06.0982 3868 SharedAccess - ok
18:20:06.0986 3868 ShellHWDetection - ok
18:20:06.0990 3868 Shockprf - ok
18:20:06.0994 3868 SiSRaid2 - ok
18:20:06.0998 3868 SiSRaid4 - ok
18:20:07.0005 3868 Smb - ok
18:20:07.0009 3868 smstsmgr - ok
18:20:07.0016 3868 SNMPTRAP - ok
18:20:07.0020 3868 spldr - ok
18:20:07.0024 3868 Spooler - ok
18:20:07.0028 3868 sppsvc - ok
18:20:07.0032 3868 sppuinotify - ok
18:20:07.0035 3868 srv - ok
18:20:07.0039 3868 srv2 - ok
18:20:07.0043 3868 srvnet - ok
18:20:07.0047 3868 SSDPSRV - ok
18:20:07.0051 3868 SstpSvc - ok
18:20:07.0055 3868 stexstor - ok
18:20:07.0059 3868 stisvc - ok
18:20:07.0063 3868 storflt - ok
18:20:07.0067 3868 StorSvc - ok
18:20:07.0071 3868 storvsc - ok
18:20:07.0075 3868 swenum - ok
18:20:07.0079 3868 swprv - ok
18:20:07.0083 3868 Synth3dVsc - ok
18:20:07.0091 3868 SynTP - ok
18:20:07.0095 3868 SysMain - ok
18:20:07.0099 3868 TabletInputService - ok
18:20:07.0104 3868 TapiSrv - ok
18:20:07.0108 3868 TBS - ok
18:20:07.0111 3868 Tcpip - ok
18:20:07.0116 3868 TCPIP6 - ok
18:20:07.0121 3868 tcpipreg - ok
18:20:07.0127 3868 TDPIPE - ok
18:20:07.0131 3868 TDTCP - ok
18:20:07.0135 3868 tdx - ok
18:20:07.0140 3868 TermDD - ok
18:20:07.0144 3868 terminpt - ok
18:20:07.0148 3868 TermService - ok
18:20:07.0152 3868 Themes - ok
18:20:07.0156 3868 THREADORDER - ok
18:20:07.0160 3868 TPDIGIMN - ok
18:20:07.0164 3868 TPHDEXLGSVC - ok
18:20:07.0171 3868 TPHKLOAD - ok
18:20:07.0182 3868 TPHKSVC - ok
18:20:07.0186 3868 TPM - ok
18:20:07.0190 3868 TPPWRIF - ok
18:20:07.0194 3868 TrkWks - ok
18:20:07.0198 3868 TrustedInstaller - ok
18:20:07.0205 3868 tssecsrv - ok
18:20:07.0209 3868 TsUsbFlt - ok
18:20:07.0213 3868 TsUsbGD - ok
18:20:07.0217 3868 tsusbhub - ok
18:20:07.0221 3868 tunnel - ok
18:20:07.0225 3868 uagp35 - ok
18:20:07.0229 3868 udfs - ok
18:20:07.0237 3868 UI0Detect - ok
18:20:07.0242 3868 uliagpkx - ok
18:20:07.0246 3868 umbus - ok
18:20:07.0249 3868 UmPass - ok
18:20:07.0254 3868 UmRdpService - ok
18:20:07.0257 3868 upnphost - ok
18:20:07.0270 3868 urvpndrv - ok
18:20:07.0277 3868 USBAAPL64 - ok
18:20:07.0282 3868 usbccgp - ok
18:20:07.0286 3868 usbcir - ok
18:20:07.0289 3868 usbehci - ok
18:20:07.0294 3868 usbhub - ok
18:20:07.0298 3868 usbohci - ok
18:20:07.0303 3868 usbprint - ok
18:20:07.0307 3868 usbscan - ok
18:20:07.0311 3868 USBSTOR - ok
18:20:07.0315 3868 usbuhci - ok
18:20:07.0319 3868 UxSms - ok
18:20:07.0324 3868 VaultSvc - ok
18:20:07.0327 3868 vdrvroot - ok
18:20:07.0332 3868 vds - ok
18:20:07.0337 3868 vga - ok
18:20:07.0342 3868 VgaSave - ok
18:20:07.0345 3868 VGPU - ok
18:20:07.0349 3868 vhdmp - ok
18:20:07.0353 3868 viaide - ok
18:20:07.0357 3868 vmbus - ok
18:20:07.0362 3868 VMBusHID - ok
18:20:07.0366 3868 volmgr - ok
18:20:07.0370 3868 volmgrx - ok
18:20:07.0374 3868 volsnap - ok
18:20:07.0378 3868 vsmraid - ok
18:20:07.0382 3868 VSS - ok
18:20:07.0386 3868 vwifibus - ok
18:20:07.0390 3868 vwififlt - ok
18:20:07.0412 3868 vwifimp - ok
18:20:07.0416 3868 W32Time - ok
18:20:07.0423 3868 WacomPen - ok
18:20:07.0427 3868 WakeUpAgt - ok
18:20:07.0432 3868 WANARP - ok
18:20:07.0436 3868 Wanarpv6 - ok
18:20:07.0440 3868 wbengine - ok
18:20:07.0444 3868 WbioSrvc - ok
18:20:07.0448 3868 wcncsvc - ok
18:20:07.0452 3868 WcsPlugInService - ok
18:20:07.0457 3868 Wd - ok
18:20:07.0461 3868 Wdf01000 - ok
18:20:07.0466 3868 WdiServiceHost - ok
18:20:07.0470 3868 WdiSystemHost - ok
18:20:07.0474 3868 WebClient - ok
18:20:07.0478 3868 Wecsvc - ok
18:20:07.0482 3868 wercplsupport - ok
18:20:07.0487 3868 WerSvc - ok
18:20:07.0491 3868 WfpLwf - ok
18:20:07.0495 3868 WIMMount - ok
18:20:07.0500 3868 winachsf - ok
18:20:07.0504 3868 WinDefend - ok
18:20:07.0511 3868 WinHttpAutoProxySvc - ok
18:20:07.0515 3868 Winmgmt - ok
18:20:07.0520 3868 WinRM - ok
18:20:07.0530 3868 WinUsb - ok
18:20:07.0534 3868 Wlansvc - ok
18:20:07.0539 3868 WmiAcpi - ok
18:20:07.0545 3868 wmiApSrv - ok
18:20:07.0550 3868 WMPNetworkSvc - ok
18:20:07.0554 3868 WPCSvc - ok
18:20:07.0558 3868 WPDBusEnum - ok
18:20:07.0562 3868 ws2ifsl - ok
18:20:07.0567 3868 wscsvc - ok
18:20:07.0572 3868 WSearch - ok
18:20:07.0579 3868 wuauserv - ok
18:20:07.0584 3868 WudfPf - ok
18:20:07.0611 3868 WUDFRd - ok
18:20:07.0615 3868 wudfsvc - ok
18:20:07.0620 3868 WwanSvc - ok
18:20:07.0625 3868 XAudio - ok
18:20:07.0639 3868 ================ Scan global ===============================
18:20:07.0640 3868 [Global] - ok
18:20:07.0642 3868 ================ Scan MBR ==================================
18:20:07.0654 3868 [ E7C2138652EB40C6749E0A5979DF0C75 ] \Device\Harddisk0\DR0
18:20:07.0758 3868 \Device\Harddisk0\DR0 - ok
18:20:07.0758 3868 ================ Scan VBR ==================================
18:20:07.0762 3868 [ D398BB6BDA8F21EA7A0AFF33FE704902 ] \Device\Harddisk0\DR0\Partition1
18:20:07.0763 3868 \Device\Harddisk0\DR0\Partition1 - ok
18:20:07.0764 3868 ============================================================
18:20:07.0765 3868 Scan finished
18:20:07.0765 3868 ============================================================
18:20:07.0777 5108 Detected object count: 0
18:20:07.0777 5108 Actual detected object count: 0
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-02 18:26:28
-----------------------------
18:26:28.221 OS Version: Windows x64 6.1.7601 Service Pack 1
18:26:28.221 Number of processors: 4 586 0x2505
18:26:28.222 ComputerName: LOSN00483325A UserName: I804129
18:26:29.837 Initialize success
18:42:18.975 AVAST engine defs: 12100300
18:43:48.129 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:43:48.133 Disk 0 Vendor: HITACHI_ PC3Z Size: 305245MB BusType: 3
18:43:48.150 Disk 0 MBR read successfully
18:43:48.154 Disk 0 MBR scan
18:43:48.166 Disk 0 unknown MBR code
18:43:48.174 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS 305243 MB offset 2048
18:43:48.191 Disk 0 scanning C:\WINDOWS\system32\drivers
18:43:48.195 Service scanning
18:46:30.804 Modules scanning
18:46:30.815 Disk 0 trace - called modules:
18:46:30.843 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
18:46:30.850 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80066bf060]
18:46:30.855 3 CLASSPNP.SYS[fffff8800168b43f] -> nt!IofCallDriver -> [0xfffffa80049a3be0]
18:46:30.863 5 ACPI.sys[fffff88000faf7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80049a6050]
18:46:31.893 AVAST engine scan C:\WINDOWS
18:46:31.919 AVAST engine scan C:\WINDOWS\system32
18:46:31.929 AVAST engine scan C:\WINDOWS\system32\drivers
18:46:31.938 AVAST engine scan C:\Users\I804129
18:46:31.946 AVAST engine scan C:\ProgramData
18:46:31.954 Scan finished successfully
18:47:27.652 Disk 0 MBR has been saved successfully to "C:\Users\I804129\Documents\Data\Anti-Malware-Spyware Programs\BleepingComputer Forum\7-aswMBR\MBR.dat"
18:47:27.663 The log file has been saved successfully to "C:\Users\I804129\Documents\Data\Anti-Malware-Spyware Programs\BleepingComputer Forum\7-aswMBR\aswMBR.txt"

#14 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:03 AM

Posted 03 October 2012 - 01:45 AM

Greetings

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 Moca Java

  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:03 AM

Posted 05 October 2012 - 12:42 AM

Hello Gringo,

I am concerned that my company's security authorization does not allow me to disable McAfee VirusScan Enterprise so that I can run ComboFix without collisions. Should I run it anyway? The laptop seems to be behaving just fine. Are you still seeing signs of infection?
