
VBS.TV or VICE.COM pages keep loading at startup unauthorized


  • This topic is locked
14 replies to this topic

#1 3d1l


Posted 11 January 2013 - 07:38 PM

This post has been created as instructed by boopme (original post)

After the computer startup process is finished, the default internet browser loads automatically without authorization; first it loads the web site VBS.TV, then it quickly gets redirected to VICE.COM.

I ran AVG antivirus, Malwarebytes, Superantispyware, AdwCleaner, aswMBR, tdsskiller and so far the problem is still present.

The DDS report says that there could be a possible TDL3 infection.

===============================DDS Report
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.9.2
Run by XXXXXXXX at 20:12:21 on 2013-01-11
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3030.1986 [GMT -4:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\psxss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe
C:\Windows\system32\mqsvc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\System32\snmp.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\mqtgsvc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\nfsclnt.exe
C:\Windows\system32\taskhost.exe
C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TeamViewer\Version7\TeamViewer.exe
C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe
C:\Program Files\TeamViewer\Version7\tv_w32.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\SCHTASK.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LPDService
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Windows\system32\svchost.exe -k bthsvcs
.
============== Pseudo HJT Report ===============
.
uProxyOverride = <local>
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Free Download Manager: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Download all with Free Download Manager - c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{9FBE8AAB-71C9-412B-AC19-A50CE5BB6E64} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{CB1449A4-DEFB-4312-B618-6BBFD38F8C46} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{CB1449A4-DEFB-4312-B618-6BBFD38F8C46}\05250514 : DHCPNameServer = 130.200.100.51 130.200.100.58
TCP: Interfaces\{CB1449A4-DEFB-4312-B618-6BBFD38F8C46}\9474D264254414 : DHCPNameServer = 130.200.97.2 130.200.100.223
TCP: Interfaces\{FDF8C6E1-F40B-447E-8F95-FF22527C1159} : DHCPNameServer = 130.200.100.51 130.200.100.58
TCP: Interfaces\{FEBAE70E-AA5B-4A67-B12A-2AEE81E8CB14} : DHCPNameServer = 8.8.8.8
Handler: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\expressview\expressview.dll
Handler: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\expressview\expressview.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\
FF - prefs.js: browser.startup.homepage - www.google.com/en
FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\research in motion limited\blackberry app world browser plugin\npappworld.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
FF - plugin: c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2_x64.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
FF - ExtSQL: 2012-12-27 14:10; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2012-12-27 14:15; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - ExtSQL: 2012-12-27 14:16; {a7c6cf7f-112c-4500-a7ea-39801a327e5f}; c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}.xpi
FF - ExtSQL: 2012-12-27 14:16; firessh@nightlight.ws; c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\extensions\firessh@nightlight.ws.xpi
FF - ExtSQL: 2012-12-27 14:19; {3d7eb24f-2740-49df-8937-200b1cc08f8a}; c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}.xpi
FF - ExtSQL: 2012-12-27 14:19; fdm_ffext@freedownloadmanager.org; c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\extensions\fdm_ffext@freedownloadmanager.org
FF - ExtSQL: 2012-12-27 14:19; {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}; c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - ExtSQL: 2012-12-27 14:20; {dc572301-7619-498c-a57d-39143191b318}; c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi
FF - ExtSQL: 2012-12-27 14:21; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2012-12-27 14:22; snaplinks@snaplinks.mozdev.org; c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\extensions\snaplinks@snaplinks.mozdev.org.xpi
FF - ExtSQL: 2012-12-27 14:22; {54BB9F3F-07E5-486c-9B39-C7398B99391C}; c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\extensions\{54BB9F3F-07E5-486c-9B39-C7398B99391C}.xpi
FF - ExtSQL: 2012-12-27 14:30; {1018e4d6-728f-4b20-ad56-37578a4de76b}; c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - ExtSQL: 2012-12-27 14:30; savedpasswordeditor@daniel.dawson; c:\users\XXXXXXXX\appdata\roaming\mozilla\firefox\profiles\0319e3x9.default\extensions\savedpasswordeditor@daniel.dawson.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2011-10-24 25968]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-12-4 36552]
R1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\drivers\hssdrv6.sys [2012-11-14 35592]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2011-10-24 13680]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-10-24 176128]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-12-4 85280]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-12-4 109344]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-12-4 83944]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 hshld;Hotspot Shield Service;c:\program files\hotspot shield\bin\openvpnas.exe [2012-11-15 527728]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe [2012-11-14 389488]
R2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\lenovo\virtscrl\lvvsst.exe [2011-10-24 127336]
R2 NfsClnt;Client for NFS;c:\windows\system32\nfsclnt.exe [2011-10-24 52736]
R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\thinkpad\utilities\PWMEWSVC.exe [2011-10-24 148840]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-4-17 2666880]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\lenovo\hotkey\tphkload.exe [2011-10-24 131432]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2011-10-24 142696]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2011-10-24 45736]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-10-24 29472]
R3 CiscoSerial;Cisco Serial;c:\windows\system32\drivers\CiscoUsbConsoleWindowsDriver.sys [2009-10-16 75520]
R3 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2011-10-24 292200]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2011-10-24 223960]
R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2011-11-4 12904]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2010-10-18 7122944]
R3 NfsRdr;Client for NFS Redirector;c:\windows\system32\drivers\nfsrdr.sys [2011-10-24 201728]
R3 PsxDrv;PsxDrv;c:\windows\system32\drivers\psxdrv.sys [2009-7-13 9216]
R3 RpcXdr;Server for NFS Open RPC (ONCRPC);c:\windows\system32\drivers\rpcxdr.sys [2011-10-24 87040]
R3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\drivers\taphss6.sys [2012-11-14 35592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2011-10-24 101736]
S2 trvjfzhxr;Time Monitor;c:\windows\system32\svchost.exe -k netsvcs [2009-7-13 20992]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 intelkmd;intelkmd;c:\windows\system32\drivers\igdpmd32.sys [2011-10-24 9024512]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\intel\wifi\bin\PanDhcpDns.exe [2010-10-19 227600]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2011-10-24 83304]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-10-24 15872]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 swg3kser00;swg3kser00;c:\windows\system32\drivers\swg3kser00.sys [2012-10-18 215552]
S3 swiwdmbx;swiwdmbx;c:\windows\system32\drivers\swiwdmbx.sys [2012-10-18 83968]
S3 SWNC8UA3;SWNC8UA3;c:\windows\system32\drivers\swnc8ua3.sys [2012-10-18 208128]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-10-24 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-10-24 1343400]
S4 Tftpd32_svc;Tftpd32 service edition;c:\program files\tftpd32_se\tftpd32_svc.exe [2011-5-7 160256]
.
=============== File Associations ===============
.
FileExt: .scr: Notepad++_file="c:\program files\notepad++\notepad++.exe" "%1"
FileExt: .txt: Applications\notepad++.exe="c:\program files\notepad++\notepad++.exe" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2013-01-11 14:20:01 -------- d-----w- c:\users\XXXXXXXX\appdata\local\Apps
2013-01-10 12:37:50 2345984 ----a-w- c:\windows\system32\win32k.sys
2013-01-10 12:37:44 492032 ----a-w- c:\windows\system32\win32spl.dll
2013-01-10 12:36:29 1389568 ----a-w- c:\windows\system32\msxml6.dll
2013-01-10 12:32:55 220160 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-10 12:32:22 49152 ----a-w- c:\windows\system32\taskhost.exe
2013-01-10 02:52:29 -------- d-----w- c:\users\XXXXXXXX\appdata\roaming\picpick
2013-01-08 17:30:34 -------- d-----w- c:\users\XXXXXXXX\appdata\roaming\Blackberry Desktop
2013-01-08 15:24:23 -------- d-----w- c:\users\XXXXXXXX\appdata\local\Research In Motion
2013-01-08 15:24:22 -------- d-----w- c:\users\XXXXXXXX\appdata\roaming\Research In Motion
2013-01-05 08:16:22 6812136 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{833cbe9f-af27-46c8-bffa-116ec5c9e806}\mpengine.dll
2013-01-05 01:22:07 -------- d-----w- c:\users\XXXXXXXX\dwhelper
2013-01-05 00:09:54 170624 ----a-w- c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
2013-01-03 13:11:38 -------- d-----w- c:\users\XXXXXXXX\appdata\local\Eraser 6
2012-12-29 17:53:17 -------- d-----w- c:\users\XXXXXXXX\appdata\local\Microsoft Games
2012-12-29 13:13:30 -------- d-----w- c:\users\XXXXXXXX\appdata\roaming\SUPERAntiSpyware.com
2012-12-29 12:46:05 -------- d-----w- c:\users\XXXXXXXX\appdata\roaming\Autodesk
2012-12-29 12:46:05 -------- d-----w- c:\users\XXXXXXXX\appdata\local\Autodesk
2012-12-29 12:43:02 -------- d-----w- c:\users\XXXXXXXX\appdata\local\Apple
2012-12-29 12:30:32 -------- d-----w- c:\users\XXXXXXXX\appdata\local\Apple Computer
2012-12-29 12:23:45 -------- d-----w- c:\users\XXXXXXXX\appdata\local\Windows Live
2012-12-29 05:13:12 -------- d-----w- c:\users\XXXXXXXX\appdata\local\Programs
2012-12-29 05:10:57 -------- d-----w- c:\users\XXXXXXXX\appdata\roaming\Malwarebytes
2012-12-29 04:08:06 -------- d-----w- c:\users\XXXXXXXX\appdata\roaming\IrfanView
2012-12-27 22:05:13 -------- d-----w- c:\users\XXXXXXXX\appdata\roaming\TeraCopy
2012-12-27 19:40:58 -------- d-----w- c:\users\XXXXXXXX\appdata\roaming\NCH Software
2012-12-27 19:27:27 -------- d-----w- c:\users\XXXXXXXX\appdata\roaming\Free Download Manager
2012-12-27 14:28:35 -------- d-----w- C:\Logos5
2012-12-27 14:20:18 -------- d-----w- c:\users\XXXXXXXX\appdata\local\Logos4
2012-12-27 13:44:21 -------- d-----w- c:\users\XXXXXXXX\appdata\roaming\FastCopy
2012-12-27 12:11:07 -------- d-----w- c:\users\XXXXXXXX\appdata\roaming\Avira
2012-12-27 12:06:06 -------- d-----w- c:\users\XXXXXXXX\appdata\local\Broadcom
2012-12-26 22:45:38 -------- d-----w- C:\Networking
2012-12-26 16:49:16 -------- d-----w- c:\program files\PowerDataRecovery
2012-12-26 15:08:12 -------- d-----w- c:\users\XXXXXXXX\appdata\roaming\PwrMgr
2012-12-26 15:02:24 -------- d-----w- c:\users\XXXXXXXX\appdata\local\Macromedia
2012-12-26 15:01:19 -------- d-----w- c:\users\XXXXXXXX\appdata\local\Mozilla
2012-12-26 14:58:56 -------- d-----w- c:\users\XXXXXXXX\appdata\local\ATI
2012-12-26 14:58:49 -------- d-----w- c:\users\XXXXXXXX\appdata\roaming\Intel
2012-12-25 19:54:18 96224 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe
2012-12-25 19:23:48 -------- d-sh--w- C:\$RECYCLE.BIN
2012-12-25 19:10:53 98816 ----a-w- c:\windows\sed.exe
2012-12-25 19:10:53 256000 ----a-w- c:\windows\PEV.exe
2012-12-25 19:10:53 208896 ----a-w- c:\windows\MBR.exe
2012-12-25 18:42:06 -------- d-----w- c:\windows\pss
2012-12-25 18:31:26 -------- d-----w- c:\program files\EasyBCD
2012-12-24 13:38:42 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-24 13:38:42 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-12-23 19:12:57 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-12-23 19:12:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-12-20 20:10:31 -------- d-----w- c:\program files\Internet Checkers
2012-12-15 15:26:06 -------- d-----w- c:\windows\system32\Hotspot Shield
2012-12-14 20:17:13 -------- d-----w- c:\programdata\Hotspot Shield
2012-12-14 20:17:01 -------- d-----w- c:\program files\Hotspot Shield
2012-12-13 16:40:25 376832 ----a-w- c:\windows\system32\dpnet.dll
.
==================== Find3M ====================
.
2012-12-25 19:57:19 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-25 19:57:19 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-14 20:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-11 15:34:36 83944 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-11-17 00:17:15 36552 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-11-15 01:36:52 35592 ----a-w- c:\windows\system32\drivers\taphss6.sys
2012-11-15 01:29:54 35592 ----a-w- c:\windows\system32\drivers\hssdrv6.sys
2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: HITACHI_HTS723216L9SA60 rev.FC2ZC50B -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x82039000]<< >>UNKNOWN [0x8AE2F000]<< >>UNKNOWN [0x8A9D6000]<< >>UNKNOWN [0x8A682000]<< >>UNKNOWN [0x82002000]<< >>UNKNOWN [0x827C6000]<< >>UNKNOWN [0x8A78F000]<< >>UNKNOWN [0x8A796000]<< >>UNKNOWN [0x827BD000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x8207055A] -> \Device\Harddisk0\DR0[0x85572030]
\Driver\Disk[0x85571F38] -> IRP_MJ_CREATE -> 0x8AE3339F
3 [0x8AE3359E] -> ntkrnlpa!IofCallDriver[0x8207055A] -> [0x84727608]
\Driver\ACPI[0x84719D50] -> IRP_MJ_CREATE -> 0x8A68B4CC
5 [0x8A68B3D4] -> ntkrnlpa!IofCallDriver[0x8207055A] -> \Device\Ide\IdeDeviceP0T0L0-0[0x85473610]
\Driver\atapi[0x8546FAC0] -> IRP_MJ_CREATE -> 0x827E08CC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 20:13:44.33 ===============


#2 gringo_pr

  • Malware Response Team

Posted 11 January 2013 - 08:09 PM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next; if you have any problems with one of these, just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University

#3 3d1l

  • Topic Starter


Posted 11 January 2013 - 10:32 PM

After running RogueKiller I had to reboot the computer because UAC was disabled (I don't like to have it enabled). The problem happens again.

As instructed, here are the logs:

================SECURITY CHECK

Results of screen317's Security Check version 0.99.56
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Avira Desktop
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.70.0.1100
CCleaner
Duplicate Cleaner 2.1b
Java 2 Runtime Environment Standard Edition v1.3.1_02
JavaFX 2.1.1
Java™ 6 Update 31
Java 7 Update 9
Adobe Flash Player 11.5.502.135
Mozilla Firefox (17.0.1)
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````


============================ADWCLEANER

# AdwCleaner v2.105 - Logfile created 01/11/2013 at 23:09:49
# Updated 08/01/2013 by Xplode
# Operating system : Windows 7 Enterprise Service Pack 1 (32 bits)
# User : XXXXXXXX - XXXXXXXX
# Boot Mode : Normal
# Running from : C:\Users\XXXXXXXX\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\prefs.js

[OK] File is clean.

File : C:\Users\Administrator.XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\3wfa4hjb.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1150 octets] - [10/01/2013 22:31:42]
AdwCleaner[S2].txt - [872 octets] - [11/01/2013 23:09:49]

########## EOF - C:\AdwCleaner[S2].txt - [931 octets] ##########


======================================ROGUEKILLER

RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : XXXXXXXX [Admin rights]
Mode : Remove -- Date : 01/11/2013 23:18:38

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[84] : NtCreateSection @ 0x8227404D -> HOOKED (Unknown @ 0x8EC485E6)
SSDT[299] : NtRequestWaitReplyPort @ 0x8228EA43 -> HOOKED (Unknown @ 0x8EC485F0)
SSDT[316] : NtSetContextThread @ 0x8232E755 -> HOOKED (Unknown @ 0x8EC485EB)
SSDT[347] : NtSetSecurityObject @ 0x8225271E -> HOOKED (Unknown @ 0x8EC485F5)
SSDT[368] : NtSystemDebugControl @ 0x822D66BC -> HOOKED (Unknown @ 0x8EC485FA)
SSDT[370] : NtTerminateProcess @ 0x822ABBCD -> HOOKED (Unknown @ 0x8EC48587)
S_SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8EC4860E)
S_SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8EC48613)

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 pagead.googlesyndication.com
127.0.0.1 pagead2.googlesyndication.com


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HITACHI HTS723216L9SA60 ATA Device +++++
--- User ---
[MBR] edf37715deb1e23517d71a9c5a0a3607
[BSP] 30bd06bac68a57e5b9208f5520be50f8 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 152525 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[3]_D_01112013_02d2318.txt >>
RKreport[1]_S_01112013_02d2316.txt ; RKreport[2]_D_01112013_02d2317.txt ; RKreport[3]_D_01112013_02d2318.txt

#4 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 11 January 2013 - 10:42 PM

Hello

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#5 3d1l
  • Topic Starter
  • Members
  • 36 posts

Posted 12 January 2013 - 08:59 AM

These are the things I noticed after running Combofix:

1) It finished successfully and the log file was generated.
2) Restarted the computer and it took more time than usual to finish the startup.
3) I thought that the computer was not connecting to the internet, but after checking, the computer is connected. The issue is that the icon in the notification area of the task bar still appears as disconnected and doesn't change to the connected image.
4) TeamViewer (an application for remote access) is not loading automatically (as I like to have it).
5) Again, Firefox was launched without my authorization, but this time the window that tells me that Firefox is no longer the default browser showed up, and after telling it to set Firefox as the default browser the VBS and VICE web pages were opened.

=================================COMBOFIX LOG

ComboFix 13-01-11.02 - XXXXXXXX 01/12/2013 0:47.2.2 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3030.2063 [GMT -4:00]
Running from: c:\users\XXXXXXXX\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-12-12 to 2013-01-12 )))))))))))))))))))))))))))))))
.
.
2013-01-12 04:54 . 2013-01-12 04:54 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2013-01-12 04:54 . 2013-01-12 04:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-12 04:54 . 2013-01-12 04:54 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
2013-01-12 04:54 . 2013-01-12 04:54 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-01-12 04:54 . 2013-01-12 04:54 -------- d-----w- c:\users\administrator.XXXXXXXX\AppData\Local\temp
2013-01-12 04:54 . 2013-01-12 04:54 -------- d-----w- c:\users\Administrator.XXXXXXXX\AppData\Local\temp
2013-01-12 04:54 . 2013-01-12 04:54 60872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{833CBE9F-AF27-46C8-BFFA-116EC5C9E806}\offreg.dll
2013-01-12 04:14 . 2013-01-12 04:14 -------- d-----w- C:\Downloads
2013-01-10 12:37 . 2012-11-23 02:56 2345984 ----a-w- c:\windows\system32\win32k.sys
2013-01-10 12:37 . 2012-11-09 04:43 492032 ----a-w- c:\windows\system32\win32spl.dll
2013-01-10 12:36 . 2012-11-01 04:47 1389568 ----a-w- c:\windows\system32\msxml6.dll
2013-01-10 12:32 . 2012-11-20 04:51 220160 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-10 12:32 . 2012-11-23 02:48 49152 ----a-w- c:\windows\system32\taskhost.exe
2013-01-05 08:16 . 2012-11-19 05:04 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{833CBE9F-AF27-46C8-BFFA-116EC5C9E806}\mpengine.dll
2012-12-27 14:28 . 2012-12-27 14:42 -------- d-----w- C:\Logos5
2012-12-27 11:04 . 2012-12-27 11:04 -------- d-----w- c:\users\Administrator.XXXXXXXX\AppData\Local\Eraser 6
2012-12-27 02:58 . 2012-12-27 03:25 -------- d-----w- c:\users\Administrator.XXXXXXXX\AppData\Roaming\Free Download Manager
2012-12-26 22:45 . 2013-01-04 20:20 -------- d-----w- C:\Networking
2012-12-26 22:44 . 2012-12-26 23:15 -------- d-----w- c:\users\Administrator.XXXXXXXX\AppData\Roaming\FastCopy
2012-12-26 20:29 . 2012-12-26 20:29 -------- d-----w- c:\users\Administrator.XXXXXXXX\AppData\Roaming\IrfanView
2012-12-26 16:49 . 2012-12-26 16:49 -------- d-----w- c:\program files\PowerDataRecovery
2012-12-26 16:47 . 2012-12-27 03:25 -------- d-----w- c:\users\Administrator.XXXXXXXX\AppData\Roaming\Notepad++
2012-12-26 15:12 . 2013-01-06 15:37 -------- d-----w- c:\program files\Recuva
2012-12-26 14:57 . 2013-01-11 13:37 -------- d-----w- c:\users\XXXXXXXX
2012-12-26 04:24 . 2012-12-26 04:24 -------- d-----w- c:\users\Administrator.XXXXXXXX\AppData\Local\Macromedia
2012-12-26 03:21 . 2012-12-26 03:21 -------- d-----w- c:\users\Administrator.XXXXXXXX\AppData\Roaming\NCH Software
2012-12-26 03:10 . 2012-12-26 03:10 -------- d-----w- c:\users\Administrator.XXXXXXXX\AppData\Local\Mozilla
2012-12-25 19:40 . 2012-12-25 19:40 -------- d-----w- c:\users\Administrator.XXXXXXXX\AppData\Roaming\FileZilla
2012-12-25 19:39 . 2012-12-25 19:39 -------- d-----w- c:\users\Administrator.XXXXXXXX\AppData\Roaming\Avira
2012-12-25 19:39 . 2012-12-25 19:39 -------- d-----w- c:\users\Administrator.XXXXXXXX\AppData\Local\NeoSmart_Technologies
2012-12-25 19:35 . 2012-12-25 19:35 -------- d-----w- c:\users\Administrator.XXXXXXXX\AppData\Local\Broadcom
2012-12-25 18:31 . 2012-12-25 18:31 -------- d-----w- c:\program files\EasyBCD
2012-12-24 13:38 . 2012-12-16 14:13 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-12-24 13:38 . 2012-12-16 14:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-23 19:12 . 2012-12-29 13:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-12-23 19:12 . 2012-12-23 19:12 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-12-20 20:10 . 2012-12-24 17:29 -------- d-----w- c:\program files\Internet Checkers
2012-12-15 15:26 . 2012-12-15 15:26 -------- d-----w- c:\windows\system32\Hotspot Shield
2012-12-14 20:17 . 2012-12-14 20:17 -------- d-----w- c:\programdata\Hotspot Shield
2012-12-14 20:17 . 2012-12-14 20:17 -------- d-----w- c:\program files\Hotspot Shield
2012-12-13 16:40 . 2012-11-02 05:11 376832 ----a-w- c:\windows\system32\dpnet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-12 03:22 . 2011-10-25 12:23 4194304 ----a-w- c:\windows\ServiceProfiles\NetworkService\msmqlog.bin
2012-12-25 19:57 . 2012-12-01 01:00 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-25 19:57 . 2012-12-01 01:00 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-14 20:49 . 2012-12-04 12:48 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-11 15:34 . 2012-12-04 19:06 134336 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-12-11 15:34 . 2012-12-04 19:06 83944 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-11-17 00:17 . 2012-12-04 19:06 36552 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-11-15 01:36 . 2012-11-15 01:36 35592 ----a-w- c:\windows\system32\drivers\taphss6.sys
2012-11-15 01:29 . 2012-11-15 01:29 35592 ----a-w- c:\windows\system32\drivers\hssdrv6.sys
2012-11-29 08:27 . 2012-12-25 19:54 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-12-11 384800]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-07-15 2282792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-25 98304]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2011-07-04 1299816]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"MsmqIntCert"="mqrt.dll" [2010-11-20 152064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-10-19 1206544]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2011-1-24 804128]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2011-10-24 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1852535552-2920592808-1772901159-2578\Scripts\Logon\0\0]
"Script"=www.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 11:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 19:24 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2011-11-05 16:17 980368 ----a-w- c:\progra~1\Eraser\Eraser.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
2009-01-21 18:19 92168 ----a-w- c:\program files\Logitech\Gaming Software\LWEMon.exe
.
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]
R2 trvjfzhxr;Time Monitor;c:\windows\system32\svchost.exe [x]
R3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd32.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
R3 swg3kser00;swg3kser00;c:\windows\system32\DRIVERS\swg3kser00.sys [x]
R3 swiwdmbx;swiwdmbx;c:\windows\system32\DRIVERS\swiwdmbx.sys [x]
R3 SWNC8UA3;SWNC8UA3;c:\windows\system32\DRIVERS\swnc8ua3.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 Tftpd32_svc;Tftpd32 service edition;c:\program files\Tftpd32_SE\tftpd32_svc.exe [x]
S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [x]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [x]
S2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [x]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [x]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [x]
S2 NfsClnt;Client for NFS;c:\windows\system32\nfsclnt.exe [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
S2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\ThinkPad\Utilities\PWMEWSVC.EXE [x]
S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [x]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 CiscoSerial;Cisco Serial;c:\windows\system32\DRIVERS\CiscoUsbConsoleWindowsDriver.sys [x]
S3 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [x]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [x]
S3 mv2;mv2;c:\windows\system32\DRIVERS\mv2.sys [x]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [x]
S3 NfsRdr;Client for NFS Redirector;c:\windows\system32\drivers\nfsrdr.sys [x]
S3 PsxDrv;PsxDrv;c:\windows\system32\drivers\psxdrv.sys [x]
S3 RpcXdr;Server for NFS Open RPC (ONCRPC);c:\windows\system32\drivers\rpcxdr.sys [x]
S3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\DRIVERS\taphss6.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
LPDService REG_MULTI_SZ LPDSVC
Akamai REG_MULTI_SZ Akamai
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
trvjfzhxr
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-26 c:\windows\Tasks\MyDefrag.job
- c:\windows\tasks\MyDefragTask.cmd [2012-01-26 09:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.2.1
DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab
FF - ProfilePath - c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\
FF - prefs.js: browser.startup.homepage - www.google.com/en
FF - ExtSQL: 2012-12-27 14:10; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2012-12-27 14:15; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - ExtSQL: 2012-12-27 14:16; {a7c6cf7f-112c-4500-a7ea-39801a327e5f}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}.xpi
FF - ExtSQL: 2012-12-27 14:16; firessh@nightlight.ws; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\firessh@nightlight.ws.xpi
FF - ExtSQL: 2012-12-27 14:19; {3d7eb24f-2740-49df-8937-200b1cc08f8a}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}.xpi
FF - ExtSQL: 2012-12-27 14:19; fdm_ffext@freedownloadmanager.org; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\fdm_ffext@freedownloadmanager.org
FF - ExtSQL: 2012-12-27 14:19; {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - ExtSQL: 2012-12-27 14:20; {dc572301-7619-498c-a57d-39143191b318}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi
FF - ExtSQL: 2012-12-27 14:21; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2012-12-27 14:22; snaplinks@snaplinks.mozdev.org; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\snaplinks@snaplinks.mozdev.org.xpi
FF - ExtSQL: 2012-12-27 14:22; {54BB9F3F-07E5-486c-9B39-C7398B99391C}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{54BB9F3F-07E5-486c-9B39-C7398B99391C}.xpi
FF - ExtSQL: 2012-12-27 14:30; {1018e4d6-728f-4b20-ad56-37578a4de76b}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - ExtSQL: 2012-12-27 14:30; savedpasswordeditor@daniel.dawson; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\savedpasswordeditor@daniel.dawson.xpi
.
.
------- File Associations -------
.
.scr=Notepad++_file
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_ce5ba24.dll"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\trvjfzhxr]
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4912)
c:\program files\ThinkPad\Bluetooth Software\btmmhook.dll
c:\program files\ThinkPad\Utilities\PWMTR32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL
.
Completion time: 2013-01-12 00:56:37
ComboFix-quarantined-files.txt 2013-01-12 04:56
.
Pre-Run: 60,074,115,072 bytes free
Post-Run: 60,119,871,488 bytes free
.
- - End Of File - - 9852F111CA7A6F6E86897883E8EFF7A8
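Added example (not code from this thread, from ComboFix or from either poster): a small Python triage helper for the "Reg Loading Points" section of the ComboFix log above. It pulls out the two entries a responder reads first: the Group Policy logon script value under the user's Scripts\Logon key, and any service named in the svchost NetSvcs group whose image is svchost.exe and whose services\<name> key shows no ServiceDll, so the DLL it actually loads is not visible in the log. The sample log is constructed in ComboFix's output format with a placeholder SID; the regular expressions and the function names are my own assumptions, not part of ComboFix.

```python
r"""Triage helper for the "Reg Loading Points" section of a ComboFix log.

Two autostart locations are reported with the reason they matter:
  * a Group Policy logon script under ...\Group Policy\State\<SID>\Scripts\Logon\
    (it runs at every logon of that user)
  * a service in the svchost "netsvcs" group whose image is svchost.exe and whose
    services\<name> key shows no ServiceDll (the DLL it loads is unknown)
"""
import re
from typing import Dict, List, Optional

# Constructed sample in ComboFix's output format (not a real log); the SID is a placeholder.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-12-11 384800]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1111111111-2222222222-3333333333-1001\Scripts\Logon\0\0]
"Script"=www.vbs
.
R2 trvjfzhxr;Time Monitor;c:\windows\system32\svchost.exe [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [x]
S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
trvjfzhxr
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_ce5ba24.dll"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\trvjfzhxr]
.
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s*\[x\]$")
LOGON_KEY_RE = re.compile(r"\\group policy\\state\\(?P<sid>S-1-5-[0-9-]+)\\scripts\\logon\\", re.I)
SERVICES_KEY_RE = re.compile(r"\\services\\(?P<name>[^\\]+)$", re.I)
NETSVCS_HEADER_RE = re.compile(r"svchost - netsvcs$", re.I)


def parse_combofix(text: str) -> dict:
    """Collect logon scripts, the R*/S* service list, ServiceDll values and the NetSvcs names."""
    logon_scripts: List[Dict[str, str]] = []
    services: Dict[str, str] = {}                 # service name (lower) -> image path
    service_dll: Dict[str, Optional[str]] = {}    # service name (lower) -> ServiceDll or None
    netsvcs: List[str] = []
    current_key: Optional[str] = None
    in_netsvcs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":               # ComboFix separates blocks with a lone "."
            current_key, in_netsvcs = None, False
            continue
        if NETSVCS_HEADER_RE.search(line):
            in_netsvcs = True
            continue
        if in_netsvcs:                            # bare names listed under the NetSvcs header
            netsvcs.append(line)
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            sm = SERVICES_KEY_RE.search(current_key)
            if sm:                                # services\<name> block seen; ServiceDll may follow
                service_dll.setdefault(sm.group("name").lower(), None)
            continue
        m = SERVICE_RE.match(line)
        if m:
            services[m.group("name").lower()] = m.group("image")
            continue
        m = VALUE_RE.match(line)
        if not (m and current_key):
            continue
        name, data = m.group("name").lower(), m.group("data").strip().strip('"')
        lm = LOGON_KEY_RE.search(current_key)
        if lm and name == "script":
            logon_scripts.append({"sid": lm.group("sid"), "key": current_key, "script": data})
        sm = SERVICES_KEY_RE.search(current_key)
        if sm and name == "servicedll":
            service_dll[sm.group("name").lower()] = data
    return {"logon_scripts": logon_scripts, "services": services,
            "service_dll": service_dll, "netsvcs": netsvcs}


def triage(text: str) -> List[dict]:
    """Return the entries an analyst should look at first, each with the reason."""
    info = parse_combofix(text)
    findings: List[dict] = []
    for entry in info["logon_scripts"]:
        findings.append({"kind": "gpo_logon_script", "script": entry["script"], "sid": entry["sid"],
                         "why": "logon script runs at every logon of this SID; read the script "
                                "file and the Scripts\\Logon registry entry before removing it"})
    for name in info["netsvcs"]:
        image = info["services"].get(name.lower(), "")
        if "svchost.exe" not in image.lower():    # only svchost-hosted netsvcs members
            continue
        dll = info["service_dll"].get(name.lower())
        why = ("netsvcs service hosted by svchost.exe with no ServiceDll shown; "
               "the DLL it loads is unknown" if dll is None
               else f"netsvcs service hosted by svchost.exe; review ServiceDll {dll}")
        findings.append({"kind": "netsvcs_service", "name": name, "image": image,
                         "service_dll": dll, "why": why})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f.get("script") or f.get("name"), "-", f["why"])
```

Run against the constructed sample it reports the `www.vbs` logon script for the placeholder SID and the `trvjfzhxr` service (svchost-hosted, listed in NetSvcs, no ServiceDll in the log); the Akamai service is not reported because it is not in the NetSvcs list and its ServiceDll is visible.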

#6 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 12 January 2013 - 12:40 PM

Greetings

At this time I would like you to run this script for me; it is also a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

In your next post I need the following:
  • Report from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#7 3d1l
  • Topic Starter
  • Members
  • 36 posts

Posted 14 January 2013 - 06:55 PM

Hi again,

Sorry for the delay, family matters over the weekend, you know...

OK, I finished running the script as instructed; nothing out of the ordinary happened except for Firefox not being set as the default browser. Checking the ComboFix log I noticed this:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1852535552-2920592808-1772901159-2578\Scripts\Logon\0\0]
"Script"=www.vbs

Firefox is still getting executed automatically, loading VBS.TV and VICE.COM without authorization.

Here is the full log:

======================COMBOFIX LOG


ComboFix 13-01-14.01 - XXXXXXXX 01/14/2013 18:08:23.3.2 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3030.2078 [GMT -4:00]
Running from: c:\users\XXXXXXXX\Desktop\ComboFix.exe
Command switches used :: c:\users\XXXXXXXX\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-12-14 to 2013-01-14 )))))))))))))))))))))))))))))))
.
.
2013-01-14 22:16 . 2013-01-14 22:16 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2013-01-14 22:16 . 2013-01-14 22:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-14 22:16 . 2013-01-14 22:16 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
2013-01-14 22:16 . 2013-01-14 22:16 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-01-14 22:16 . 2013-01-14 22:16 -------- d-----w- c:\users\administrator.XXXXXXXX\AppData\Local\temp
2013-01-14 22:16 . 2013-01-14 22:16 -------- d-----w- c:\users\Administrator.XXXXXXXX-37585\AppData\Local\temp
2013-01-12 04:14 . 2013-01-12 04:14 -------- d-----w- C:\Downloads
2013-01-10 12:37 . 2012-11-23 02:56 2345984 ----a-w- c:\windows\system32\win32k.sys
2013-01-10 12:37 . 2012-11-09 04:43 492032 ----a-w- c:\windows\system32\win32spl.dll
2013-01-10 12:36 . 2012-11-01 04:47 1389568 ----a-w- c:\windows\system32\msxml6.dll
2013-01-10 12:32 . 2012-11-20 04:51 220160 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-10 12:32 . 2012-11-23 02:48 49152 ----a-w- c:\windows\system32\taskhost.exe
2013-01-05 08:16 . 2012-11-19 05:04 6812136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{833CBE9F-AF27-46C8-BFFA-116EC5C9E806}\mpengine.dll
2012-12-27 14:28 . 2012-12-27 14:42 -------- d-----w- C:\Logos5
2012-12-27 11:04 . 2012-12-27 11:04 -------- d-----w- c:\users\Administrator.XXXXXXXX-37585\AppData\Local\Eraser 6
2012-12-27 02:58 . 2012-12-27 03:25 -------- d-----w- c:\users\Administrator.XXXXXXXX-37585\AppData\Roaming\Free Download Manager
2012-12-26 22:45 . 2013-01-04 20:20 -------- d-----w- C:\Networking
2012-12-26 22:44 . 2012-12-26 23:15 -------- d-----w- c:\users\Administrator.XXXXXXXX-37585\AppData\Roaming\FastCopy
2012-12-26 20:29 . 2012-12-26 20:29 -------- d-----w- c:\users\Administrator.XXXXXXXX-37585\AppData\Roaming\IrfanView
2012-12-26 16:49 . 2012-12-26 16:49 -------- d-----w- c:\program files\PowerDataRecovery
2012-12-26 16:47 . 2012-12-27 03:25 -------- d-----w- c:\users\Administrator.XXXXXXXX-37585\AppData\Roaming\Notepad++
2012-12-26 15:12 . 2013-01-06 15:37 -------- d-----w- c:\program files\Recuva
2012-12-26 14:57 . 2013-01-11 13:37 -------- d-----w- c:\users\XXXXXXXX
2012-12-26 04:24 . 2012-12-26 04:24 -------- d-----w- c:\users\Administrator.XXXXXXXX-37585\AppData\Local\Macromedia
2012-12-26 03:21 . 2012-12-26 03:21 -------- d-----w- c:\users\Administrator.XXXXXXXX-37585\AppData\Roaming\NCH Software
2012-12-26 03:10 . 2012-12-26 03:10 -------- d-----w- c:\users\Administrator.XXXXXXXX-37585\AppData\Local\Mozilla
2012-12-25 19:40 . 2012-12-25 19:40 -------- d-----w- c:\users\Administrator.XXXXXXXX-37585\AppData\Roaming\FileZilla
2012-12-25 19:39 . 2012-12-25 19:39 -------- d-----w- c:\users\Administrator.XXXXXXXX-37585\AppData\Roaming\Avira
2012-12-25 19:39 . 2012-12-25 19:39 -------- d-----w- c:\users\Administrator.XXXXXXXX-37585\AppData\Local\NeoSmart_Technologies
2012-12-25 19:35 . 2012-12-25 19:35 -------- d-----w- c:\users\Administrator.XXXXXXXX-37585\AppData\Local\Broadcom
2012-12-25 18:31 . 2012-12-25 18:31 -------- d-----w- c:\program files\EasyBCD
2012-12-24 13:38 . 2012-12-16 14:13 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-12-24 13:38 . 2012-12-16 14:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-23 19:12 . 2012-12-29 13:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-12-23 19:12 . 2012-12-23 19:12 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-12-20 20:10 . 2012-12-24 17:29 -------- d-----w- c:\program files\Internet Checkers
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-14 17:02 . 2011-10-25 12:23 4194304 ----a-w- c:\windows\ServiceProfiles\NetworkService\msmqlog.bin
2012-12-25 19:57 . 2012-12-01 01:00 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-25 19:57 . 2012-12-01 01:00 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-14 20:49 . 2012-12-04 12:48 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-11 15:34 . 2012-12-04 19:06 134336 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-12-11 15:34 . 2012-12-04 19:06 83944 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-11-17 00:17 . 2012-12-04 19:06 36552 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-11-15 01:36 . 2012-11-15 01:36 35592 ----a-w- c:\windows\system32\drivers\taphss6.sys
2012-11-15 01:29 . 2012-11-15 01:29 35592 ----a-w- c:\windows\system32\drivers\hssdrv6.sys
2012-11-14 02:09 . 2012-12-13 16:38 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58 . 2012-12-13 16:38 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57 . 2012-12-13 16:38 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49 . 2012-12-13 16:38 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48 . 2012-12-13 16:38 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44 . 2012-12-13 16:38 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-13 20:29 . 2012-11-13 20:29 354216 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-11-02 05:11 . 2012-12-13 16:40 376832 ----a-w- c:\windows\system32\dpnet.dll
2012-11-29 08:27 . 2012-12-25 19:54 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-12-11 384800]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-07-15 2282792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-04-25 98304]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-19 307768]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2011-07-04 1299816]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"MsmqIntCert"="mqrt.dll" [2010-11-20 152064]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-10-19 1206544]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2012-11-30 1263512]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2011-1-24 804128]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2011-10-24 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1852535552-2920592808-1772901159-2578\Scripts\Logon\0\0]
"Script"=www.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 11:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 19:24 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2011-11-05 16:17 980368 ----a-w- c:\progra~1\Eraser\Eraser.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
2009-01-21 18:19 92168 ----a-w- c:\program files\Logitech\Gaming Software\LWEMon.exe
.
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]
R2 trvjfzhxr;Time Monitor;c:\windows\system32\svchost.exe [x]
R3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd32.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
R3 swg3kser00;swg3kser00;c:\windows\system32\DRIVERS\swg3kser00.sys [x]
R3 swiwdmbx;swiwdmbx;c:\windows\system32\DRIVERS\swiwdmbx.sys [x]
R3 SWNC8UA3;SWNC8UA3;c:\windows\system32\DRIVERS\swnc8ua3.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 Tftpd32_svc;Tftpd32 service edition;c:\program files\Tftpd32_SE\tftpd32_svc.exe [x]
S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S1 HssDRV6;Hotspot Shield Routing Driver 6;c:\windows\system32\DRIVERS\hssdrv6.sys [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [x]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [x]
S2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [x]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [x]
S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [x]
S2 NfsClnt;Client for NFS;c:\windows\system32\nfsclnt.exe [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
S2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\ThinkPad\Utilities\PWMEWSVC.EXE [x]
S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [x]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 CiscoSerial;Cisco Serial;c:\windows\system32\DRIVERS\CiscoUsbConsoleWindowsDriver.sys [x]
S3 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [x]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [x]
S3 mv2;mv2;c:\windows\system32\DRIVERS\mv2.sys [x]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [x]
S3 NfsRdr;Client for NFS Redirector;c:\windows\system32\drivers\nfsrdr.sys [x]
S3 PsxDrv;PsxDrv;c:\windows\system32\drivers\psxdrv.sys [x]
S3 RpcXdr;Server for NFS Open RPC (ONCRPC);c:\windows\system32\drivers\rpcxdr.sys [x]
S3 taphss6;Anchorfree HSS VPN Adapter;c:\windows\system32\DRIVERS\taphss6.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
LPDService REG_MULTI_SZ LPDSVC
Akamai REG_MULTI_SZ Akamai
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
trvjfzhxr
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-26 c:\windows\Tasks\MyDefrag.job
- c:\windows\tasks\MyDefragTask.cmd [2012-01-26 09:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.2.1
DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} - hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab
FF - ProfilePath - c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\
FF - prefs.js: browser.startup.homepage - www.google.com/en
FF - ExtSQL: 2012-12-27 14:10; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2012-12-27 14:15; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - ExtSQL: 2012-12-27 14:16; {a7c6cf7f-112c-4500-a7ea-39801a327e5f}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}.xpi
FF - ExtSQL: 2012-12-27 14:16; firessh@nightlight.ws; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\firessh@nightlight.ws.xpi
FF - ExtSQL: 2012-12-27 14:19; {3d7eb24f-2740-49df-8937-200b1cc08f8a}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}.xpi
FF - ExtSQL: 2012-12-27 14:19; fdm_ffext@freedownloadmanager.org; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\fdm_ffext@freedownloadmanager.org
FF - ExtSQL: 2012-12-27 14:19; {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - ExtSQL: 2012-12-27 14:20; {dc572301-7619-498c-a57d-39143191b318}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi
FF - ExtSQL: 2012-12-27 14:21; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF - ExtSQL: 2012-12-27 14:22; snaplinks@snaplinks.mozdev.org; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\snaplinks@snaplinks.mozdev.org.xpi
FF - ExtSQL: 2012-12-27 14:22; {54BB9F3F-07E5-486c-9B39-C7398B99391C}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{54BB9F3F-07E5-486c-9B39-C7398B99391C}.xpi
FF - ExtSQL: 2012-12-27 14:30; {1018e4d6-728f-4b20-ad56-37578a4de76b}; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
FF - ExtSQL: 2012-12-27 14:30; savedpasswordeditor@daniel.dawson; c:\users\XXXXXXXX\AppData\Roaming\Mozilla\Firefox\Profiles\0319e3x9.default\extensions\savedpasswordeditor@daniel.dawson.xpi
FF - ExtSQL: 2013-01-12 21:15; {23fcfd51-4958-4f00-80a3-ae97e717ed8b}; c:\program files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF - ExtSQL: 2013-01-13 21:20; afurladvisor@anchorfree.com; c:\program files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_ce5ba24.dll"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\trvjfzhxr]
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(6576)
c:\program files\ThinkPad\Bluetooth Software\btmmhook.dll
c:\program files\ThinkPad\Utilities\PWMTR32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL
.
Completion time: 2013-01-14 18:17:38
ComboFix-quarantined-files.txt 2013-01-14 22:17
ComboFix2.txt 2013-01-12 04:56
.
Pre-Run: 56,418,893,824 bytes free
Post-Run: 56,222,838,784 bytes free
.
- - End Of File - - 6C89E255F0A7821C98061FAA9D2EF1F3

#8 gringo_pr
Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 January 2013 - 07:06 PM

Hello

I want you to try this for Firefox and give me a quick update as to how things are.

I want you to reset Firefox back to defaults. To do this, I need you to do the following:

  • At the top of the Firefox window, click the "Firefox" button, go over to the "Help" sub-menu (on Windows XP, click the Help menu at the top of the Firefox window) and select "Troubleshooting Information".
  • Click the "Reset Firefox" button in the upper-right corner of the Troubleshooting Information page.
  • Click "Reset Firefox" in the confirmation window that opens.
  • Firefox will close and be reset. When it's done, click "Finish" and Firefox will open.

Restart the computer and check Firefox for me now.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 3d1l
  • Topic Starter
  • Members
  • 36 posts

Posted 14 January 2013 - 11:18 PM

Well, I followed your instructions and, apart from losing all Firefox configuration including the password for this forum hahaha :lol: (nah! it did make a backup before getting into "factory mode", but I had to find a way to get it), the stubborn VBS.TV / VICE.COM pages loaded as usual. As I stated in my other post (linked in this one at the beginning), the use of Firefox by whatever is causing this to load those pages is incidental. It's just that Firefox is set as the default browser, but I already uninstalled Firefox with all the plugins and reinstalled it from scratch without the plugins, and the problem persisted. Then I set Microsoft Internet Explorer as default, and whatever process is causing the problem used MS IE instead of Firefox to load them. Then I removed Firefox, removed any custom configuration from MS IE, and the problem persisted. Also, as I explained in the other post, the problem is account specific. It doesn't happen with other user accounts, so I switched accounts, removed the affected account, used regmagik to remove any registry key related to that account, ran CCleaner on both files and registry, rebooted the computer, created a new account with the same username, and the pages got loaded anyway.

Something is "encroached" in my computer that uses the default Internet browser (it doesn't matter whether MS IE or Firefox) to load those freaking pages, and it is driving me crazy. :wacko:

#10 gringo_pr
Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 January 2013 - 12:20 AM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo

#11 3d1l
  • Topic Starter
  • Members
  • 36 posts

Posted 15 January 2013 - 09:13 AM

Here it is:

OTL logfile created on: 1/15/2013 9:50:50 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\XXXX\Downloads
Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.96 Gb Total Physical Memory | 1.72 Gb Available Physical Memory | 58.11% Memory free
5.92 Gb Paging File | 4.46 Gb Available in Paging File | 75.43% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 148.95 Gb Total Space | 51.26 Gb Free Space | 34.42% Space Free | Partition Type: NTFS
Drive F: | 232.83 Gb Total Space | 97.08 Gb Free Space | 41.70% Space Free | Partition Type: FAT32

Computer Name: XXXX | User Name: XXXX | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\XXXX\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
PRC - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Program Files\Hotspot Shield\HssWPR\HssSrv.exe (AnchorFree Inc.)
PRC - C:\Program Files\Hotspot Shield\bin\openvpnas.exe (AnchorFree Inc.)
PRC - C:\Program Files\Hotspot Shield\bin\hsswd.exe ()
PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE (Microsoft Corporation)
PRC - C:\Program Files\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)
PRC - C:\Program Files\TeamViewer\Version7\TeamViewer.exe (TeamViewer GmbH)
PRC - C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe (TeamViewer GmbH)
PRC - C:\Program Files\TeamViewer\Version7\tv_w32.exe (TeamViewer GmbH)
PRC - C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\ZOOM\TpScrex.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\HOTKEY\tphkload.exe (Lenovo Group Limited)
PRC - C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe (Lenovo Group Limited)
PRC - C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE (Lenovo.)
PRC - C:\Program Files\ThinkPad\Utilities\PWMEWSVC.exe (Lenovo Group Limited)
PRC - C:\Program Files\ThinkPad\Utilities\SCHTASK.EXE (Lenovo Group Limited)
PRC - C:\Windows\System32\atieclxx.exe (AMD)
PRC - C:\Windows\System32\atiesrxx.exe (AMD)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
PRC - C:\Program Files\ThinkPad\Bluetooth Software\BTStackServer.exe (Broadcom Corporation.)
PRC - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
PRC - C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe (Broadcom Corporation.)
PRC - C:\Windows\System32\psxss.exe (Microsoft Corporation)
PRC - C:\Windows\System32\nfsclnt.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
PRC - c:\Program Files\Windows Defender\MpCmdRun.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\0ac577a8ad6528ff03b50db5eeeac8be\System.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\865d2bf19a7af7fab8660a42d92550fe\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll ()
MOD - C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll ()
MOD - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\Program Files\FileZilla FTP Client\fzshellext.dll ()
MOD - C:\Program Files\ThinkPad\Utilities\US\PWMRT32V.DLL ()
MOD - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll ()
MOD - C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF ()
MOD - C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll ()
MOD - C:\Program Files\ThinkPad\Bluetooth Software\BTKeyInd.dll ()
MOD - C:\Program Files\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll ()
MOD - C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll ()


========== Services (SafeList) ==========

SRV - (trvjfzhxr) -- File not found
SRV - (gupdatem) -- File not found
SRV - (gupdate) -- File not found
SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira Operations GmbH & Co. KG)
SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira Operations GmbH & Co. KG)
SRV - (HssSrv) -- C:\Program Files\Hotspot Shield\HssWPR\HssSrv.exe (AnchorFree Inc.)
SRV - (hshld) -- C:\Program Files\Hotspot Shield\bin\openvpnas.exe (AnchorFree Inc.)
SRV - (HssWd) -- C:\Program Files\Hotspot Shield\bin\hsswd.exe ()
SRV - (HssTrayService) -- C:\Program Files\Hotspot Shield\bin\HSSTrayService.exe ()
SRV - (Akamai) -- c:\program files\common files\akamai/netsession_win_ce5ba24.dll ()
SRV - (Microsoft SharePoint Workspace Audit Service) -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE (Microsoft Corporation)
SRV - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe (SUPERAntiSpyware.com)
SRV - (TeamViewer7) -- C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe (TeamViewer GmbH)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (Lenovo.VIRTSCRLSVC) -- C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe (Lenovo Group Limited)
SRV - (TPHKLOAD) -- C:\Program Files\Lenovo\HOTKEY\tphkload.exe (Lenovo Group Limited)
SRV - (LENOVO.MICMUTE) -- C:\Program Files\Lenovo\HOTKEY\micmute.exe (Lenovo Group Limited)
SRV - (TPHKSVC) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe (Lenovo Group Limited)
SRV - (DozeSvc) -- C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE (Lenovo.)
SRV - (PwmEWSvc) -- C:\Program Files\ThinkPad\Utilities\PWMEWSVC.exe (Lenovo Group Limited)
SRV - (Power Manager DBC Service) -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe (Lenovo)
SRV - (Tftpd32_svc) -- C:\Program Files\Tftpd32_SE\tftpd32_svc.exe ()
SRV - (AMD External Events Utility) -- C:\Windows\System32\atiesrxx.exe (AMD)
SRV - (btwdins) -- C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe (Broadcom Corporation.)
SRV - (WAS) -- C:\Windows\System32\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (AppHostSvc) -- C:\Windows\System32\inetsrv\apphostsvc.dll (Microsoft Corporation)
SRV - (NfsClnt) -- C:\Windows\System32\nfsclnt.exe (Microsoft Corporation)
SRV - (EvtEng) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
SRV - (MyWiFiDHCPDNS) -- C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe ()
SRV - (RegSrvc) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
SRV - (rpcapd) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies, Inc.)
SRV - (HsfXAudioService) -- C:\Windows\System32\XAudio32.dll (Conexant Systems, Inc.)
SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (LPDSVC) -- C:\Windows\System32\lpdsvc.dll (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (VGPU) -- System32\drivers\rdvgkmd.sys File not found
DRV - (tsusbhub) -- system32\drivers\tsusbhub.sys File not found
DRV - (trvjfzhxr) -- File not found
DRV - (Synth3dVsc) -- System32\drivers\synth3dvsc.sys File not found
DRV - (PCTINDIS5) -- C:\Windows\system32\PCTINDIS5.SYS File not found
DRV - (Nmea) -- system32\DRIVERS\pctnullport.sys File not found
DRV - (catchme) -- C:\Users\XXXX\AppData\Local\Temp\catchme.sys File not found
DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira Operations GmbH & Co. KG)
DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira Operations GmbH & Co. KG)
DRV - (avkmgr) -- C:\Windows\System32\drivers\avkmgr.sys (Avira Operations GmbH & Co. KG)
DRV - (taphss6) -- C:\Windows\System32\drivers\taphss6.sys (Anchorfree Inc.)
DRV - (HssDRV6) -- C:\Windows\System32\drivers\hssdrv6.sys (AnchorFree Inc.)
DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
DRV - (taphss) -- C:\Windows\System32\drivers\taphss.sys (AnchorFree Inc)
DRV - (mv2) -- C:\Windows\System32\drivers\mv2.sys (UVNC BVBA)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (DozeHDD) -- C:\Windows\System32\drivers\DOZEHDD.SYS (Lenovo.)
DRV - (TPPWRIF) -- C:\Windows\System32\drivers\TPPWR32V.SYS (Lenovo Group Limited)
DRV - (swiwdmbx) -- C:\Windows\System32\drivers\swiwdmbx.sys (Sierra Wireless Inc.)
DRV - (swg3kser00) -- C:\Windows\System32\drivers\swg3kser00.sys (Sierra Wireless Incorporated)
DRV - (amdkmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (amdkmdap) -- C:\Windows\System32\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV - (FTDIBUS) -- C:\Windows\System32\drivers\ftdibus.sys (FTDI Ltd.)
DRV - (FTSER2K) -- C:\Windows\System32\drivers\ftser2k.sys (FTDI Ltd.)
DRV - (NWADI) -- C:\Windows\System32\drivers\NWADIenum.sys (Novatel Wireless Inc)
DRV - (SWNC8UA3) -- C:\Windows\System32\drivers\swnc8ua3.sys (Sierra Wireless Inc.)
DRV - (SWNC5E00) -- C:\Windows\System32\drivers\SWNC5E00.sys (Sierra Wireless Inc.)
DRV - (swmx00) -- C:\Windows\System32\drivers\swmx00.sys (Sierra Wireless Inc.)
DRV - (swmsflt) -- C:\Windows\System32\drivers\swmsflt.sys ()
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (MQAC) -- C:\Windows\System32\drivers\mqac.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (RdpVideoMiniport) -- C:\Windows\System32\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV - (RMCAST) -- C:\Windows\System32\drivers\rmcast.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (RpcXdr) -- C:\Windows\System32\drivers\rpcxdr.sys (Microsoft Corporation)
DRV - (NfsRdr) -- C:\Windows\System32\drivers\nfsrdr.sys (Microsoft Corporation)
DRV - (NETwNs32) -- C:\Windows\System32\drivers\NETwNs32.sys (Intel Corporation)
DRV - (lenovo.smi) -- C:\Windows\System32\drivers\smiif32.sys (Lenovo Group Limited)
DRV - (intelkmd) -- C:\Windows\System32\drivers\igdpmd32.sys (Intel Corporation)
DRV - (NPF) -- C:\Windows\System32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio32.sys (Conexant Systems, Inc.)
DRV - (btusbflt) -- C:\Windows\System32\drivers\btusbflt.sys (Broadcom Corporation.)
DRV - (e1yexpress) -- C:\Windows\System32\drivers\e1y6232.sys (Intel Corporation)
DRV - (CiscoSerial) -- C:\Windows\System32\drivers\CiscoUsbConsoleWindowsDriver.sys (Cisco Systems, Inc.)
DRV - (CnxtHdAudService) -- C:\Windows\System32\drivers\CHDRT32.sys (Conexant Systems Inc.)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (msloop) -- C:\Windows\System32\drivers\loop.sys (Microsoft Corporation)
DRV - (vwifimp) -- C:\Windows\System32\drivers\vwifimp.sys (Microsoft Corporation)
DRV - (PsxDrv) -- C:\Windows\System32\drivers\psxdrv.sys (Microsoft Corporation)
DRV - (TPM) -- C:\Windows\System32\drivers\tpm.sys (Microsoft Corporation)
DRV - (netw5v32) -- C:\Windows\System32\drivers\netw5v32.sys (Intel Corporation)
DRV - (WmXlCore) -- C:\Windows\System32\drivers\WmXlCore.sys (Logitech Inc.)
DRV - (WmVirHid) -- C:\Windows\System32\drivers\WmVirHid.sys (Logitech Inc.)
DRV - (WmFilter) -- C:\Windows\System32\drivers\WmFilter.sys (Logitech Inc.)
DRV - (WmBEnum) -- C:\Windows\System32\drivers\WmBEnum.sys (Logitech Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = XXXX;kroncl;130.200.100.248;XXXXcl.XXXX;XXXXcldev.XXXX;XXXXcltest.XXXX;XXXXmail.XXXX;<local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 130.200.100.19:8080

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = XXXXcl;kroncl;130.200.100.248;XXXXcl.XXXX;XXXXcldev.XXXX;XXXXcltest.XXXX;XXXXmail.XXXX;<local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 130.200.100.19:8080

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-1852535552-2920592808-1772901159-2578\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-1852535552-2920592808-1772901159-2578\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = AE CC CC 97 B4 EA CD 01 [binary data]
IE - HKU\S-1-5-21-1852535552-2920592808-1772901159-2578\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1852535552-2920592808-1772901159-2578\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1852535552-2920592808-1772901159-2578\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1852535552-2920592808-1772901159-2578\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0.1
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@rim.com/npappworld: C:\Program Files\Research In Motion Limited\BlackBerry App World Browser Plugin\npappworld.dll ()
FF - HKLM\Software\MozillaPlugins\@tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf: C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll (Tracker Software Products (Canada) Ltd.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2013/01/12 21:15:26 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/25 15:54:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/01/04 20:09:54 | 000,000,000 | ---D | M]

[2012/12/26 11:01:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\XXXX\AppData\Roaming\mozilla\Extensions
[2013/01/13 21:20:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/01/13 21:20:39 | 000,000,000 | ---D | M] (Hotspot Shield Helper (Please allow this installation)) -- C:\Program Files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com
[2012/11/29 04:27:51 | 000,262,112 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/06/21 11:17:38 | 000,170,624 | ---- | M] (Tracker Software Products (Canada) Ltd.) -- C:\Program Files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
[2012/11/29 04:27:12 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/11/29 04:27:12 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/07/19 19:22:05 | 000,000,907 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 pagead.googlesyndication.com
O1 - Hosts: 127.0.0.1 pagead2.googlesyndication.com
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Free Download Manager) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll (FreeDownloadManager.ORG)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [DivXMediaServer] C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe ()
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
O4 - HKLM..\Run: [MsmqIntCert] C:\Windows\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [PWMTRV] C:\Program Files\ThinkPad\Utilities\PWMTR32V.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
O4 - HKLM..\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe ()
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1852535552-2920592808-1772901159-2578\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1852535552-2920592808-1772901159-2578\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1852535552-2920592808-1772901159-2578\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\Free Download Manager\dllink.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {816BE035-1450-40D0-8A3B-BA7825A83A77} http://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab (IASRunner Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab (Java Plug-in 10.9.2)
O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab (Java Plug-in 1.3.1_02)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 10.9.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 130.200.100.51 130.200.100.58
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = XXXX
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9FBE8AAB-71C9-412B-AC19-A50CE5BB6E64}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CB1449A4-DEFB-4312-B618-6BBFD38F8C46}: DhcpNameServer = 130.200.100.51 130.200.100.58
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FDF8C6E1-F40B-447E-8F95-FF22527C1159}: DhcpNameServer = 130.200.100.51 130.200.100.58
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FEBAE70E-AA5B-4A67-B12A-2AEE81E8CB14}: DhcpNameServer = 8.8.8.8
O18 - Protocol\Handler\jpip {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\ExpressView\expressview.dll (LizardTech)
O18 - Protocol\Handler\sidlet {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\ExpressView\expressview.dll (LizardTech)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/14 23:39:37 | 000,000,000 | ---D | C] -- C:\Users\XXXX\Desktop\Old Firefox Data
[2013/01/14 18:17:45 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/01/13 21:20:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotspot Shield
[2013/01/12 21:17:07 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\DDMSettings
[2013/01/12 21:14:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DivX Plus
[2013/01/12 00:44:17 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/01/12 00:39:59 | 005,022,074 | R--- | C] (Swearware) -- C:\Users\XXXX\Desktop\ComboFix.exe
[2013/01/12 00:14:06 | 000,000,000 | ---D | C] -- C:\Downloads
[2013/01/11 23:23:56 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\VirtualStore
[2013/01/11 10:20:01 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\Apps
[2013/01/11 10:08:09 | 000,688,992 | R--- | C] (Swearware) -- C:\Users\XXXX\Desktop\dds.com
[2013/01/10 08:37:50 | 002,345,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2013/01/10 08:32:55 | 000,220,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ncrypt.dll
[2013/01/10 08:32:43 | 000,752,283 | ---- | C] (Farbar) -- C:\Users\XXXX\Desktop\MiniToolBox.exe
[2013/01/10 08:32:22 | 000,049,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
[2013/01/09 22:52:29 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\picpick
[2013/01/09 22:46:57 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Users\XXXX\Desktop\aswMBR.exe
[2013/01/09 22:46:41 | 002,213,976 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\XXXX\Desktop\tdsskiller.exe
[2013/01/08 13:30:34 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Blackberry Desktop
[2013/01/08 13:29:04 | 000,000,000 | ---D | C] -- C:\Users\XXXX\Documents\BlackBerry
[2013/01/08 11:24:23 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\Research In Motion
[2013/01/08 11:24:22 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Research In Motion
[2013/01/04 21:22:07 | 000,000,000 | ---D | C] -- C:\Users\XXXX\dwhelper
[2013/01/04 20:51:07 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Winamp
[2013/01/03 09:11:38 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\Eraser 6
[2013/01/01 12:04:49 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Media Player Classic
[2013/01/01 12:04:48 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\DivX
[2012/12/29 13:53:17 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\Microsoft Games
[2012/12/29 09:13:30 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\SUPERAntiSpyware.com
[2012/12/29 08:46:05 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Autodesk
[2012/12/29 08:46:05 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\Autodesk
[2012/12/29 08:43:02 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\Apple
[2012/12/29 08:30:32 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\Apple Computer
[2012/12/29 08:30:15 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Apple Computer
[2012/12/29 08:23:45 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\Windows Live
[2012/12/29 01:13:12 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\Programs
[2012/12/29 01:10:57 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Malwarebytes
[2012/12/29 00:08:06 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\IrfanView
[2012/12/28 10:25:43 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\vlc
[2012/12/27 18:05:13 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\TeraCopy
[2012/12/27 17:58:07 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Notepad++
[2012/12/27 15:40:58 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\NCH Software
[2012/12/27 15:33:13 | 000,000,000 | --SD | C] -- C:\Users\XXXX\Documents\My Shapes
[2012/12/27 15:27:27 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Free Download Manager
[2012/12/27 10:46:45 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bible
[2012/12/27 10:28:35 | 000,000,000 | ---D | C] -- C:\Logos5
[2012/12/27 10:20:29 | 000,000,000 | ---D | C] -- C:\Users\XXXX\Documents\Logos Log Files
[2012/12/27 10:20:18 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\Logos4
[2012/12/27 09:44:21 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\FastCopy
[2012/12/27 08:18:58 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Identities
[2012/12/27 08:11:07 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Avira
[2012/12/27 08:06:06 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\Broadcom
[2012/12/27 08:06:06 | 000,000,000 | ---D | C] -- C:\Users\XXXX\Documents\Bluetooth Exchange Folder
[2012/12/26 18:45:38 | 000,000,000 | ---D | C] -- C:\Networking
[2012/12/26 12:49:16 | 000,000,000 | ---D | C] -- C:\Program Files\PowerDataRecovery
[2012/12/26 11:12:30 | 000,000,000 | ---D | C] -- C:\Program Files\Recuva
[2012/12/26 11:08:12 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\PwrMgr
[2012/12/26 11:02:24 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Macromedia
[2012/12/26 11:02:24 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\Macromedia
[2012/12/26 11:02:24 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Adobe
[2012/12/26 11:01:19 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Mozilla
[2012/12/26 11:01:19 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\Mozilla
[2012/12/26 10:58:56 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\ATI
[2012/12/26 10:58:56 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\ATI
[2012/12/26 10:58:49 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Intel
[2012/12/26 10:58:15 | 000,000,000 | R--D | C] -- C:\Users\XXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2012/12/26 10:58:15 | 000,000,000 | R--D | C] -- C:\Users\XXXX\Searches
[2012/12/26 10:58:15 | 000,000,000 | R--D | C] -- C:\Users\XXXX\Contacts
[2012/12/26 10:58:15 | 000,000,000 | R--D | C] -- C:\Users\XXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2012/12/26 10:58:15 | 000,000,000 | -H-D | C] -- C:\Users\XXXX\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\AppData\Local\Temporary Internet Files
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\Templates
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\Start Menu
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\SendTo
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\Recent
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\PrintHood
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\NetHood
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\Documents\My Videos
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\Documents\My Pictures
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\Documents\My Music
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\My Documents
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\Local Settings
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\AppData\Local\History
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\Cookies
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\Application Data
[2012/12/26 10:57:45 | 000,000,000 | -HSD | C] -- C:\Users\XXXX\AppData\Local\Application Data
[2012/12/26 10:57:44 | 000,000,000 | --SD | C] -- C:\Users\XXXX\AppData\Roaming\Microsoft
[2012/12/26 10:57:44 | 000,000,000 | R--D | C] -- C:\Users\XXXX\Videos
[2012/12/26 10:57:44 | 000,000,000 | R--D | C] -- C:\Users\XXXX\Saved Games
[2012/12/26 10:57:44 | 000,000,000 | R--D | C] -- C:\Users\XXXX\Pictures
[2012/12/26 10:57:44 | 000,000,000 | R--D | C] -- C:\Users\XXXX\Music
[2012/12/26 10:57:44 | 000,000,000 | R--D | C] -- C:\Users\XXXX\Links
[2012/12/26 10:57:44 | 000,000,000 | R--D | C] -- C:\Users\XXXX\Favorites
[2012/12/26 10:57:44 | 000,000,000 | R--D | C] -- C:\Users\XXXX\Downloads
[2012/12/26 10:57:44 | 000,000,000 | R--D | C] -- C:\Users\XXXX\Documents
[2012/12/26 10:57:44 | 000,000,000 | R--D | C] -- C:\Users\XXXX\Desktop
[2012/12/26 10:57:44 | 000,000,000 | R--D | C] -- C:\Users\XXXX\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2012/12/26 10:57:44 | 000,000,000 | -H-D | C] -- C:\Users\XXXX\AppData
[2012/12/26 10:57:44 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\temp
[2012/12/26 10:57:44 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Local\Microsoft
[2012/12/26 10:57:44 | 000,000,000 | ---D | C] -- C:\Users\XXXX\AppData\Roaming\Media Center Programs
[2012/12/25 15:54:18 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/12/25 15:23:48 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2012/12/25 15:10:53 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/12/25 15:10:53 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/12/25 15:10:53 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/12/25 15:10:18 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2012/12/25 14:42:06 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2012/12/25 14:31:26 | 000,000,000 | ---D | C] -- C:\Program Files\EasyBCD
[2012/12/24 09:38:42 | 000,295,424 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2012/12/24 09:38:42 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2012/12/23 15:12:57 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2012/12/23 15:12:57 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2012/12/20 16:10:31 | 000,000,000 | ---D | C] -- C:\Program Files\Internet Checkers

========== Files - Modified Within 30 Days ==========

[2013/01/15 08:12:18 | 000,712,724 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/01/15 08:12:18 | 000,138,560 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/01/15 08:08:39 | 000,015,488 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/01/15 08:08:39 | 000,015,488 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/01/15 08:01:08 | 000,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
[2013/01/15 08:01:03 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/01/15 08:00:53 | 2382,905,344 | -HS- | M] () -- C:\hiberfil.sys
[2013/01/14 18:04:33 | 005,022,074 | R--- | M] (Swearware) -- C:\Users\XXXX\Desktop\ComboFix.exe
[2013/01/14 13:02:49 | 000,555,688 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/01/11 22:21:05 | 000,764,416 | ---- | M] () -- C:\Users\XXXX\Desktop\RogueKiller.exe
[2013/01/11 22:15:48 | 000,856,731 | ---- | M] () -- C:\Users\XXXX\Desktop\SecurityCheck.exe
[2013/01/11 15:50:21 | 000,006,908 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2013/01/11 10:08:15 | 000,688,992 | R--- | M] (Swearware) -- C:\Users\XXXX\Desktop\dds.com
[2013/01/10 22:30:02 | 000,554,087 | ---- | M] () -- C:\Users\XXXX\Desktop\AdwCleaner.exe
[2013/01/10 08:32:44 | 000,752,283 | ---- | M] (Farbar) -- C:\Users\XXXX\Desktop\MiniToolBox.exe
[2013/01/09 22:47:13 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Users\XXXX\Desktop\aswMBR.exe
[2013/01/09 22:46:47 | 002,213,976 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\XXXX\Desktop\tdsskiller.exe
[2013/01/08 14:57:41 | 000,001,220 | ---- | M] () -- C:\Windows\ricdb.ini
[2013/01/08 13:29:50 | 000,003,584 | ---- | M] () -- C:\Users\XXXX\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/12/28 22:44:14 | 000,001,411 | ---- | M] () -- C:\Users\XXXX\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/12/28 10:24:58 | 000,001,768 | RHS- | M] () -- C:\Users\XXXX\ntuser.pol
[2012/12/27 15:33:11 | 000,000,376 | ---- | M] () -- C:\Windows\ODBC.INI
[2012/12/27 08:18:55 | 000,001,105 | ---- | M] () -- C:\Users\XXXX\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
[2012/12/25 23:23:34 | 000,002,398 | ---- | M] () -- C:\Windows\RegMagik.INI
[2012/12/25 15:57:19 | 000,697,272 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2012/12/25 15:57:19 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012/12/16 10:13:28 | 000,295,424 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2012/12/16 10:13:20 | 000,034,304 | ---- | M] (Adobe Systems) -- C:\Windows\System32\atmlib.dll

========== Files Created - No Company Name ==========

[2013/01/14 13:02:33 | 000,555,688 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/01/11 22:21:03 | 000,764,416 | ---- | C] () -- C:\Users\XXXX\Desktop\RogueKiller.exe
[2013/01/11 22:15:46 | 000,856,731 | ---- | C] () -- C:\Users\XXXX\Desktop\SecurityCheck.exe
[2013/01/10 22:30:00 | 000,554,087 | ---- | C] () -- C:\Users\XXXX\Desktop\AdwCleaner.exe
[2013/01/08 13:29:48 | 000,003,584 | ---- | C] () -- C:\Users\XXXX\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/12/28 22:44:14 | 000,001,411 | ---- | C] () -- C:\Users\XXXX\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/12/27 08:18:55 | 000,001,105 | ---- | C] () -- C:\Users\XXXX\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
[2012/12/26 10:57:50 | 000,001,768 | RHS- | C] () -- C:\Users\XXXX\ntuser.pol
[2012/12/26 10:57:45 | 000,001,304 | ---- | C] () -- C:\Users\XXXX\Application Data\Microsoft\Internet Explorer\Quick Launch\Server Manager.lnk
[2012/12/26 10:57:45 | 000,000,290 | ---- | C] () -- C:\Users\XXXX\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2012/12/26 10:57:45 | 000,000,272 | ---- | C] () -- C:\Users\XXXX\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2012/12/25 15:10:53 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/12/25 15:10:53 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/12/25 15:10:53 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/12/25 15:10:53 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/12/25 15:10:53 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/12/25 14:49:46 | 000,001,911 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
[2012/12/25 14:49:46 | 000,000,890 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
[2012/12/12 19:00:16 | 000,000,008 | ---- | C] () -- C:\Windows\System32\PROTOCOL.INI
[2012/09/30 00:04:52 | 000,003,054 | ---- | C] () -- C:\Windows\System32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.dat
[2012/06/12 00:59:03 | 000,000,140 | ---- | C] () -- C:\Windows\gtp2tef.ini
[2012/04/19 15:35:00 | 000,001,220 | ---- | C] () -- C:\Windows\ricdb.ini
[2012/04/07 09:22:34 | 000,092,160 | ---- | C] () -- C:\Windows\System32\lua5.1a.dll
[2012/01/07 12:34:59 | 000,002,398 | ---- | C] () -- C:\Windows\RegMagik.INI
[2011/12/27 09:54:49 | 000,002,638 | ---- | C] () -- C:\Windows\System32\SpoonUninstall-dBpoweramp Midi Decoder.dat
[2011/12/18 09:11:45 | 000,003,221 | ---- | C] () -- C:\Windows\tabled32.ini
[2011/12/13 12:03:15 | 000,669,416 | ---- | C] () -- C:\Windows\System32\SpoonUninstall.exe
[2011/12/13 12:03:15 | 000,017,738 | ---- | C] () -- C:\Windows\System32\SpoonUninstall-dBpoweramp Music Converter.dat
[2011/12/11 10:22:22 | 000,000,101 | ---- | C] () -- C:\Windows\System32\ud-boot-time.ini
[2011/12/07 19:06:58 | 000,000,000 | ---- | C] () -- C:\Windows\System32\cd.dat
[2011/11/11 19:33:33 | 000,354,304 | ---- | C] () -- C:\Windows\System32\pythoncom26.dll
[2011/11/11 19:33:33 | 000,110,080 | ---- | C] () -- C:\Windows\System32\pywintypes26.dll
[2011/11/11 19:33:33 | 000,008,192 | ---- | C] () -- C:\Windows\System32\pythoncomloader26.dll
[2011/11/09 07:41:48 | 000,000,435 | ---- | C] () -- C:\Windows\System32\dsac.exe.config
[2011/11/09 07:41:41 | 000,001,311 | ---- | C] () -- C:\Windows\System32\DfsMgmt.dll.config
[2011/11/09 07:41:24 | 000,001,315 | ---- | C] () -- C:\Windows\DfsrAdmin.exe.config
[2011/11/09 04:34:53 | 000,001,702 | ---- | C] () -- C:\Windows\System32\StorageMgmt.dll.config
[2011/11/09 04:34:53 | 000,001,048 | ---- | C] () -- C:\Windows\System32\SetupNfsIdMap.exe.config
[2011/11/09 04:34:53 | 000,000,989 | ---- | C] () -- C:\Windows\System32\NfsConfigGuide.exe.config
[2011/11/09 04:34:53 | 000,000,940 | ---- | C] () -- C:\Windows\System32\ProvisionShare.exe.config
[2011/11/09 04:34:53 | 000,000,933 | ---- | C] () -- C:\Windows\System32\ProvisionStorage.exe.config
[2011/10/25 22:10:23 | 000,069,120 | ---- | C] () -- C:\Windows\SendToClip.exe
[2011/10/24 23:40:49 | 000,000,256 | ---- | C] () -- C:\Windows\System32\pool.bin
[2011/10/24 13:52:26 | 000,006,908 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2011/10/24 13:27:28 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2011/10/24 12:35:42 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2011/10/24 12:35:13 | 000,668,160 | ---- | C] () -- C:\Windows\System32\autochk.exe
[2011/10/24 12:34:51 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2011/10/24 11:39:36 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011/10/24 11:37:45 | 000,002,888 | ---- | C] () -- C:\Windows\System32\atipblup.dat
[2011/10/24 11:35:25 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2011/10/24 11:35:25 | 000,208,896 | ---- | C] () -- C:\Windows\System32\iglhsip32.dll
[2011/10/24 11:35:25 | 000,143,360 | ---- | C] () -- C:\Windows\System32\iglhcp32.dll
[2011/10/24 11:35:24 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2011/10/24 11:35:24 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2011/10/24 11:35:23 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2011/10/24 11:35:21 | 000,002,888 | ---- | C] () -- C:\Windows\System32\atipblag.dat
[2011/10/24 11:35:19 | 000,223,990 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2011/02/11 19:08:44 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config

========== ZeroAccess Check ==========

[2013/01/03 09:09:52 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/01/04 04:59:38 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 08:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 21:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:35 PM

Posted 15 January 2013 - 01:11 PM

Hello

Researching what I can, I have a feeling that these are related:

dBpoweramp Midi Decoder
dBpoweramp Music Converter
dBpoweramp Ogg Vorbis Codec


can you try uninstalling them and then check if you can reset things back to normal?



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 3d1l

3d1l
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:01:35 PM

Posted 17 January 2013 - 08:24 AM

Bleeping Gringo, I want to thank you very much for all your support. The use of Combofix was of great help because it found the registry key that was causing the problem. dBpoweramp is a paid program that I had used on many computers for many years and I had never experienced any problems, so I did not follow your suggestion. I removed the registry key that I mentioned was reported by Combofix and so far the problem is not getting repeated. The key was:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1852535552-2920592808-1772901159-2578\Scripts\Logon\0\0]
"Script"=www.vbs

I deleted not just "Script"=www.vbs but the entire structure from ...\0\

As to what software or process set that key I don't know, but after running Avira, Malwarebytes, Superantispyware, AdwCleaner, tdsskiller, Combofix, RogueKiller and getting no positive results for a virus or other similar threat, I'm confident that my computer is clean of such programs.

I do know that whatever it is, it is some sort of virus, because two other persons that are connected in my same network told me yesterday that they also got the same problem with the same web sites. They are using Avast and Symantec and got no warning from those tools. They proceeded to delete and re-create their user profiles and after that the problem didn't get repeated for them. That didn't work for me; I had to delete the registry key as explained.

Again thank you very much for all your help!!!!!

Keep the good work!!!!
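The entry 3d1l removed sits under the Group Policy "State" key, where Windows records the logon and logoff scripts it will run for each user SID, so a value like "Script"=www.vbs is executed at logon just like any GPO script. As an added example that is not part of this thread and was not run by the poster or by the BleepingComputer team, the PowerShell below walks that key for every user SID and lists each recorded script, so the same kind of entry can be spotted on the other machines on the network that showed the same symptom. The NeedsReview heuristic (flagging a script that is neither a UNC path nor under a GroupPolicy folder) is my own assumption, not a rule from the thread; treat it as a prompt to look, not a verdict.

```powershell
# Added example: audit Group Policy logon/logoff script state entries.
# Not code from the thread; assumes Windows 7 or later with PowerShell, run elevated.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State'

function Get-GpScriptState {
    param([string]$StateKey = $base)

    # One subkey per user SID (S-1-5-21-...), each with Scripts\Logon and Scripts\Logoff
    Get-ChildItem -Path $StateKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-*' } |
        ForEach-Object {
            $sid = $_.PSChildName
            foreach ($phase in 'Logon', 'Logoff') {
                $scriptsKey = Join-Path -Path $_.PSPath -ChildPath "Scripts\$phase"
                if (-not (Test-Path -Path $scriptsKey)) { continue }

                # Layout: ...\Scripts\<phase>\<GPO index>\<script index>, with a
                # "Script" value naming the file to run (the thread's entry was \0\0).
                Get-ChildItem -Path $scriptsKey -Recurse -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
                        if ($null -eq $props -or $null -eq $props.Script) { return }

                        $script = [string]$props.Script
                        # Heuristic (assumption): legitimate entries normally point into
                        # SYSVOL (\\domain\SysVol\...) or a local GroupPolicy folder.
                        # A bare file name such as "www.vbs" has neither and deserves a look.
                        $needsReview = ($script -notmatch '^\\\\') -and
                                       ($script -notmatch '(?i)\\GroupPolicy\\')

                        [pscustomobject]@{
                            SID         = $sid
                            Phase       = $phase
                            Key         = $_.Name
                            Script      = $script
                            Parameters  = $props.Parameters
                            NeedsReview = $needsReview
                        }
                    }
            }
        }
}

# Usage: list everything, then call out only the entries worth investigating.
$entries = Get-GpScriptState
$entries | Format-Table -AutoSize
$entries | Where-Object NeedsReview | ForEach-Object {
    Write-Warning "Review $($_.Phase) script '$($_.Script)' for $($_.SID) at $($_.Key)"
}
```

Read-only: the script only reports, so it can be run on the neighbouring machines before deciding whether to clean them the way 3d1l did. Because the thread's key lived under HKLM rather than a user hive, it survived the profile re-creation that worked for the other users only if that hive entry was also recreated; checking the State key directly avoids guessing.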

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:35 PM

Posted 17 January 2013 - 08:29 AM

Hello


Thank you very much for sharing your findings with me. :)




The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and used often in helping to keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download and works a lot better than add/remove in windows and has saved me more than once from corrupted installs and uninstalls

CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

Malwarebytes' Anti-Malware - The Gold standard today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.

  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using often. (I have upgraded to the paid version of MBAM and I am glad I did)

    Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleagues

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:35 PM

Posted 19 January 2013 - 11:30 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



