
Backdoor.Bot.Sat problem


  • This topic is locked
10 replies to this topic

#1 NamelessUser


Posted 16 January 2013 - 08:20 PM

Hi!

My latest Malwarebytes Anti-Malware scan discovered a threat from Backdoor.Bot.Sat. I read that it can be a really bad trojan that has the ability to steal my passwords, and that the best way to get rid of it is to format my hard drive and reinstall the operating system. Is there a way to clean my PC without doing that? My PC is working fine, no weird behavior; the only disturbing thing is this MBAM scan result. Would really appreciate your help. I've included my latest Malwarebytes Anti-Malware scan log in my post also.

DDS posted below:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.9.2
Run by Denis Pappel at 2:57:16 on 2013-01-17
Microsoft Windows 7 Home Premium 6.1.7601.1.1251.7.1033.18.8146.5409 [GMT 2:00]
.
AV: ESET Smart Security 5.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 5.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Advanced SystemCare 6\ASCService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Advanced SystemCare 6\ASCTray.exe
C:\Program Files (x86)\DAODB\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\spool\DRIVERS\x64\3\E_IAMTEDE.EXE
C:\Advanced SystemCare 6\ASC.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: EstEIDIEPluginBHO Class: {2A4E94A4-B275-491A-9E32-CD7A26FC7C3B} - C:\Program Files (x86)\Estonian ID Card\esteid-plugin-ie.dll
BHO: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files (x86)\AMD\SteadyVideo\SteadyVideo.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Microsoft Office\Office14\URLREDIR.DLL
BHO: Free Download Manager: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Advanced SystemCare 6] "C:\Advanced SystemCare 6\ASCTray.exe" /AutoStart
uRun: [ISUSPM Startup] c:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
uRun: [uTorrent] "C:\uTorrent\uTorrent.exe" /MINIMIZED
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
mRun: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml
mRun: [BCSSync] "C:\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 81.21.240.1 81.21.255.1
TCP: Interfaces\{9A49F9FC-299F-4085-886D-E58EA88D51AB} : DHCPNameServer = 81.21.240.1 81.21.255.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: EstEIDIEPluginBHO Class: {2A4E94A4-B275-491A-9E32-CD7A26FC7C3B} - C:\Program Files\Estonian ID Card\esteid-plugin-ie.dll
x64-BHO: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
x64-Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
x64-Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Denis Pappel\AppData\Roaming\Mozilla\Firefox\Profiles\ery5nd2m.default-1353070793386\
FF - prefs.js: browser.startup.homepage - google.ee
FF - plugin: C:\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Estonian ID Card\npesteid-firefox-plugin.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: content.notify.ontimer - true
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.notify.interval - 750000
FF - user.js: content.switch.threshold - 750000
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: nglayout.initialpaint.delay - 0
.
============= SERVICES / DRIVERS ===============
.
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2012-2-29 38528]
R0 DC3410;DC3410;C:\Windows\System32\drivers\DC3410.sys [2012-2-29 48328]
R0 epfwwfp;epfwwfp;C:\Windows\System32\drivers\epfwwfp.sys [2012-3-14 62496]
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-4-13 16152]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-6-25 283200]
R1 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2012-3-14 209768]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;C:\Windows\System32\drivers\EpfwLWF.sys [2012-3-14 38288]
R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;C:\Advanced SystemCare 6\ASCService.exe [2012-12-16 464256]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-7-28 239616]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2012-3-7 913144]
R2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);C:\Program Files (x86)\DAODB\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-5-14 96896]
R3 atrfiltr;atrfiltr;C:\Windows\System32\drivers\atrfiltr.sys [2012-4-2 16184]
R3 cxbu0x64;OMNIKEY 1021;C:\Windows\System32\drivers\cxbu0x64.sys [2011-9-6 177920]
R3 ISCT;Intel® Smart Connect Technology Device Driver;C:\Windows\System32\drivers\ISCTD64.sys [2012-2-2 44992]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-4-13 356120]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-4-13 788760]
R3 PAC207;SoC PC-Camera;C:\Windows\System32\drivers\PFC027.SYS [2006-12-5 572416]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-6-4 648808]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2012-4-17 44672]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-7 160944]
S3 ahcix64s;ahcix64s;C:\Windows\System32\drivers\ahcix64s.sys [2010-6-21 226616]
S3 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2012-2-29 78976]
S3 amdhub30;AMD USB 3.0 Hub Driver;C:\Windows\System32\drivers\amdhub30.sys [2012-4-17 87168]
S3 amdxhc;AMD USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\amdxhc.sys [2012-4-17 188544]
S3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2012-4-13 130536]
S3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2012-4-13 396776]
S3 b06diag;Broadcom NetXtreme II Diag Driver;C:\Windows\System32\drivers\bxdiaga.sys [2012-2-22 88104]
S3 BFN7x64;Bigfoot Networks Killer Gaming Service;C:\Windows\System32\drivers\Xeno7x64.sys [2012-2-22 157288]
S3 BFNVis64;Bigfoot Networks Killer Gaming Service;C:\Windows\System32\drivers\XenoVa64.sys [2012-2-22 157288]
S3 BXOIS;BXOIS;C:\Windows\System32\drivers\bxois.sys [2012-2-22 533544]
S3 cbaf;UWB Cable Based Association Framework Driver;C:\Windows\System32\drivers\cbaf.sys [2012-4-13 15872]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Dragon Age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 DC133;DC133;C:\Windows\System32\drivers\DC133.sys [2012-2-29 39320]
S3 DC150;DC150;C:\Windows\System32\drivers\DC150.sys [2012-2-29 39832]
S3 DC154;DC154;C:\Windows\System32\drivers\DC154.sys [2012-2-29 48136]
S3 DC300e;DC300e;C:\Windows\System32\drivers\DC300e.sys [2012-2-29 40344]
S3 DC324e;DC324e;C:\Windows\System32\drivers\DC324e.sys [2012-2-29 49752]
S3 DC4300;DC4300;C:\Windows\System32\drivers\DC4300.sys [2012-2-29 48360]
S3 DC600e;DC600e;C:\Windows\System32\drivers\DC600e.sys [2012-2-29 40744]
S3 dfuuwb;Intel Wireless UWB Link 1480M Device Firmware Utility;C:\Windows\System32\drivers\DfuUWB.sys [2012-4-13 503296]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\System32\drivers\EtronHub3.sys [2012-4-13 59520]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\System32\drivers\EtronXHCI.sys [2012-4-13 84736]
S3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;C:\Windows\System32\drivers\FLxHCIc.sys [2012-4-13 221184]
S3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;C:\Windows\System32\drivers\FLxHCIh.sys [2012-4-13 65536]
S3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2012-8-6 62784]
S3 HWA;Intel® Wireless USB Host Adapter;C:\Windows\System32\drivers\HWA.sys [2012-4-13 61440]
S3 IAMTVE;Driver for Intel® Active Management Technology - KCS;C:\Windows\System32\drivers\IAMTVE.sys [2012-2-22 43416]
S3 IAMTXPE;Driver for Intel® Active Management Technology - KCS;C:\Windows\System32\drivers\IAMTXPE.sys [2012-2-22 51096]
S3 IFCoEMP;IFCoEMP;C:\Windows\System32\drivers\ifM60x64.sys [2012-2-22 388368]
S3 IFCoEVB;IFCoEVB;C:\Windows\System32\drivers\ifP60x64.sys [2012-2-22 77584]
S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2010-6-21 158976]
S3 ioatdma1;ioatdma1;C:\Windows\System32\drivers\qd162x64.sys [2012-2-22 40144]
S3 ioatdma2;Intel® QuickData Technology device ver.2;C:\Windows\System32\drivers\qd262x64.sys [2012-2-22 42192]
S3 mv91xx;mv91xx;C:\Windows\System32\drivers\mv91xx.sys [2010-6-21 297512]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2012-4-13 95744]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2012-4-13 212992]
S3 nvamacpi;nvamacpi;C:\Windows\System32\drivers\nvamacpi.sys [2010-6-21 28192]
S3 O2MDRDR;O2MDRDR;C:\Windows\System32\drivers\o2mdx64.sys [2012-2-29 58400]
S3 O2SDRDR;O2SDRDR;C:\Windows\System32\drivers\o2sdx64.sys [2012-2-29 56096]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-5 19456]
S3 rimspci;rimspci;C:\Windows\System32\drivers\rimspe64.sys [2012-2-29 61952]
S3 risdpcie;risdpcie;C:\Windows\System32\drivers\risdpe64.sys [2012-2-29 79360]
S3 risdxc;risdxc;C:\Windows\System32\drivers\risdxc64.sys [2012-2-29 99328]
S3 rixdpcie;rixdpcie;C:\Windows\System32\drivers\rixdpe64.sys [2012-2-29 55808]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2012-2-29 250984]
S3 rusb3hub;Renesas Electronics USB 3.0 Hub Driver (Version 3.0);C:\Windows\System32\drivers\rusb3hub.sys [2012-4-13 100352]
S3 rusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver (Version 3.0);C:\Windows\System32\drivers\rusb3xhc.sys [2012-4-13 216064]
S3 SmartCardRemoval;Smart Card Removal;C:\Program Files\Estonian ID Card\SmartCardRemoval.exe [2012-6-26 321040]
S3 tihub3;TI USB3 Hub Service;C:\Windows\System32\drivers\tihub3.sys [2012-4-13 136000]
S3 tixhci;TI XHCI Service;C:\Windows\System32\drivers\tixhci.sys [2012-4-13 410944]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-11-5 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2012-11-5 30208]
S3 uwbusb;UWB Bus Control USB-Miniport Driver;C:\Windows\System32\drivers\usbuwbmini.sys [2012-4-13 13312]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-6-1 1255736]
S3 vcrdrx64;VIA MSP Card Reader Host Controller;C:\Windows\System32\drivers\vcrdrx64.sys [2012-2-29 127088]
S3 VUSB3HUB;VIA USB 3 Root Hub Service;C:\Windows\System32\drivers\ViaHub3.sys [2012-4-13 205312]
S3 xhcdrv;VIA USB eXtensible Host Controller Service;C:\Windows\System32\drivers\xhcdrv.sys [2012-4-13 254464]
.
=============== Created Last 30 ================
.
2013-01-16 02:10:40 76232 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FD079D9D-E216-45C1-A747-E54B59E63CA8}\offreg.dll
2013-01-15 14:34:38 9125352 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FD079D9D-E216-45C1-A747-E54B59E63CA8}\mpengine.dll
2013-01-15 12:40:24 -------- d-----w- C:\Users\Denis Pappel\AppData\Roaming\Might & Magic Heroes VI
2013-01-15 12:21:59 -------- d-----w- C:\Might&Magic Heroes VI
2013-01-14 10:43:21 -------- d-----w- C:\The Settlers IV
2013-01-14 10:43:06 306688 ----a-w- C:\Windows\IsUninst.exe
2013-01-11 13:41:25 -------- d-----w- C:\Users\Denis Pappel\AppData\Local\{9900E96D-93AB-4611-BC1B-2B9825441C05}
2013-01-09 18:19:01 800768 ----a-w- C:\Windows\System32\usp10.dll
2013-01-09 18:19:01 626688 ----a-w- C:\Windows\SysWow64\usp10.dll
2013-01-09 18:18:31 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2013-01-09 18:18:31 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2013-01-09 18:09:58 68608 ----a-w- C:\Windows\System32\taskhost.exe
2013-01-09 18:09:55 3149824 ----a-w- C:\Windows\System32\win32k.sys
2013-01-09 13:40:15 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2013-01-09 13:37:55 750592 ----a-w- C:\Windows\System32\win32spl.dll
2013-01-09 13:37:55 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-01-09 13:37:54 2002432 ----a-w- C:\Windows\System32\msxml6.dll
2013-01-09 13:37:54 1882624 ----a-w- C:\Windows\System32\msxml3.dll
2013-01-09 13:37:53 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
2013-01-09 13:37:53 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2013-01-08 15:29:16 -------- d-----w- C:\Users\Denis Pappel\AppData\Local\FLT
2013-01-08 14:31:12 -------- d-----w- C:\XCOM
2013-01-06 23:25:34 -------- d-----w- C:\Users\Denis Pappel\AppData\Local\{F479F308-70CC-46DD-952A-85D8B2BCC1EF}
2013-01-04 13:13:45 -------- d-----w- C:\Users\Denis Pappel\AppData\Local\{D0CCADF2-6B57-4BC0-9A91-92684FEDE807}
2013-01-03 19:56:31 -------- d-----w- C:\Users\Denis Pappel\AppData\Local\{2D3DFC72-A8CE-4293-B7CC-54C1F042B6F2}
2013-01-02 17:04:09 -------- d-----w- C:\Users\Denis Pappel\AppData\Roaming\Windows Live Writer
2013-01-02 17:04:09 -------- d-----w- C:\Users\Denis Pappel\AppData\Local\Windows Live Writer
2012-12-30 22:28:45 -------- d-----w- C:\ProgramData\Divinity 2
2012-12-30 22:28:39 -------- d-----w- C:\Users\Denis Pappel\AppData\Local\Divinity 2
2012-12-30 22:22:40 -------- d-----w- C:\Windows\B83FC356B7C0441F8A4DD71E088E7974.TMP
2012-12-30 18:41:41 -------- d-----w- C:\Users\Denis Pappel\AppData\Local\{8327D287-BA45-4CC7-B6DE-1D140FC500B6}
2012-12-30 08:49:23 -------- d-----w- C:\Users\Denis Pappel\AppData\Local\Programs
2012-12-29 15:12:04 -------- d-----w- C:\Users\Denis Pappel\AppData\Local\{48756E77-35A1-48D6-9B66-F24BCCE3410A}
2012-12-21 13:31:59 -------- d-----w- C:\Users\Denis Pappel\AppData\Local\{609B2227-F056-460B-9EB1-B04341E53993}
2012-12-21 13:19:56 46080 ----a-w- C:\Windows\System32\atmlib.dll
2012-12-21 13:19:56 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-12-21 13:19:55 367616 ----a-w- C:\Windows\System32\atmfd.dll
2012-12-21 13:19:55 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-12-20 21:19:05 -------- d-----w- C:\Users\Denis Pappel\AppData\Local\Diagnostics
2012-12-18 15:22:55 -------- d-----w- C:\uTorrent
.
==================== Find3M ====================
.
2013-01-09 16:41:49 74248 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-09 16:41:49 697864 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-12-17 09:35:15 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-12-17 09:35:10 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-12-17 09:35:10 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-12-14 14:49:28 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-12-07 13:20:16 441856 ----a-w- C:\Windows\System32\Wpc.dll
2012-12-07 13:15:31 2746368 ----a-w- C:\Windows\System32\gameux.dll
2012-12-07 12:26:17 308736 ----a-w- C:\Windows\SysWow64\Wpc.dll
2012-12-07 12:20:43 2576384 ----a-w- C:\Windows\SysWow64\gameux.dll
2012-12-07 11:20:04 30720 ----a-w- C:\Windows\System32\usk.rs
2012-12-07 11:20:03 43520 ----a-w- C:\Windows\System32\csrr.rs
2012-12-07 11:20:03 23552 ----a-w- C:\Windows\System32\oflc.rs
2012-12-07 11:20:01 45568 ----a-w- C:\Windows\System32\oflc-nz.rs
2012-12-07 11:20:01 44544 ----a-w- C:\Windows\System32\pegibbfc.rs
2012-12-07 11:20:01 20480 ----a-w- C:\Windows\System32\pegi-fi.rs
2012-12-07 11:20:00 20480 ----a-w- C:\Windows\System32\pegi-pt.rs
2012-12-07 11:19:59 20480 ----a-w- C:\Windows\System32\pegi.rs
2012-12-07 11:19:58 46592 ----a-w- C:\Windows\System32\fpb.rs
2012-12-07 11:19:57 40960 ----a-w- C:\Windows\System32\cob-au.rs
2012-12-07 11:19:57 21504 ----a-w- C:\Windows\System32\grb.rs
2012-12-07 11:19:57 15360 ----a-w- C:\Windows\System32\djctq.rs
2012-12-07 11:19:56 55296 ----a-w- C:\Windows\System32\cero.rs
2012-12-07 11:19:55 51712 ----a-w- C:\Windows\System32\esrb.rs
2012-11-30 05:45:35 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-11-30 05:45:35 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-11-30 05:45:35 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-11-30 05:45:14 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-11-30 05:43:12 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-11-30 04:54:00 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-11-30 04:53:59 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-11-30 03:23:48 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-11-30 02:44:06 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-11-30 02:44:04 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-11-30 02:44:04 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-11-30 02:44:03 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-11-30 02:38:59 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-11-09 04:42:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-11-05 08:31:48 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-11-05 08:31:48 458712 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-11-05 08:31:48 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-11-05 08:31:48 247808 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-11-05 08:31:48 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-11-05 08:31:48 154480 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-11-05 08:31:48 1448448 ----a-w- C:\Windows\System32\lsasrv.dll
2012-11-02 05:59:11 478208 ----a-w- C:\Windows\System32\dpnet.dll
2012-11-02 05:11:31 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll
.
============= FINISH: 2:57:52,05 ===============



Attach posted below:



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 25.06.2012 17:45:20
System Uptime: 12.01.2013 11:26:18 (111 hours ago)
.
Motherboard: MSI | | Z77A-G43 (MS-7758)
Processor: Intel® Core™ i7-3770 CPU @ 3.40GHz | SOCKET 0 | 3401/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 1863 GiB total, 1513,968 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
J: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: BitDefender Firewall NDIS 6 Filter Driver
Device ID: ROOT\LEGACY_BDFNDISF\0000
Manufacturer:
Name: BitDefender Firewall NDIS 6 Filter Driver
PNP Device ID: ROOT\LEGACY_BDFNDISF\0000
Service: BdfNdisf
.
==== System Restore Points ===================
.
RP155: 15.01.2013 14:27:21 - Installed Ubisoft Game Launcher
RP156: 15.01.2013 14:28:30 - Installed DirectX
RP157: 15.01.2013 16:33:59 - Windows Update
.
==== Installed Programs ======================
.
µTorrent
Варлорды: Боевой клич II
1.0
ABBYY FineReader 6.0 Sprint
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.5)
Advanced SystemCare 6
AION Free-To-Play
AMD Accelerated Video Transcoding
AMD APP SDK Runtime
AMD Catalyst Install Manager
AMD Drag and Drop Transcoding
AMD Media Foundation Decoders
AMD Steady Video Plug-In
BS.Player FREE
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
D3DX10
DAEMON Tools Lite
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dragon Age II
Dragon Age Toolset
Dragon Age: Origins
Eesti ID kaardi tarkvara 3.6.0.904 (64 bit)
Epson Easy Photo Print 2
EPSON Scan
EPSON Stylus SX100_TX100 Manual
EPSON SX100 Series Printer Uninstall
ESET Smart Security
Free Download Manager 3.9
Gothic III
Gothic III Release Update
ISScript
Java 7 Update 9
Java Auto Updater
Junk Mail filter update
K-Lite Codec Pack 9.2.6 (Full)
Malwarebytes Anti-Malware version 1.70.0.1100
Media converter
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office 2010 Language Pack Service Pack 1 (SP1)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access MUI (Estonian) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Excel MUI (Estonian) 2010
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2010
Microsoft Office Groove MUI (Estonian) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office InfoPath MUI (Estonian) 2010
Microsoft Office Language Pack 2010 - Estonian/Eesti
Microsoft Office O MUI (Estonian) 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office OneNote MUI (Estonian) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office Outlook MUI (Estonian) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office PowerPoint MUI (Estonian) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (Estonian) 2010
Microsoft Office Proof (Finnish) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (German) 2010
Microsoft Office Proof (Russian) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Proofing (Estonian) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Publisher MUI (Estonian) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit MUI (Estonian) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared MUI (Estonian) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Office Word MUI (Estonian) 2010
Microsoft Office X MUI (Estonian) 2010
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Express Edition (BWDATOOLSET)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mozilla Firefox 18.0 (x86 et)
Mozilla Maintenance Service
Mount&Blade Warband
MSVCRT
MSVCRT_amd64
NC Launcher (GameForge)
NVIDIA PhysX
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
RESIDENT EVIL 5
Revo Uninstaller 1.94
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2687436) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft Visio 2010 (KB2687508) 32-Bit Edition
Security Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition
Skype™ 5.10
The Settlers IV
Ubisoft Game Launcher
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2687277) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR 4.20 (32-bit)
VLC media player 2.0.3
«Might and Magic Heroes VI» 1.7.1
.
==== Event Viewer Messages From Past Week ========
.
12.01.2013 11:28:01, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12.01.2013 11:27:23, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
12.01.2013 11:27:23, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-2147218173.
12.01.2013 11:27:17, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BdfNdisf
12.01.2013 11:26:43, Error: Service Control Manager [7000] - The lirsgt service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
12.01.2013 11:26:42, Error: Service Control Manager [7000] - The atksgt service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
12.01.2013 11:26:36, Error: Microsoft-Windows-Smartcard-Server [602] - WDM Reader driver initialization cannot open reader device: The system cannot find the path specified.
12.01.2013 11:26:27, Error: volmgr [46] - Crash dump initialization failed!
.
==== End Of File ===========================



MBAM scan log posted below:



Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.16.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Denis Pappel :: DENISPAPPEL-PC [administrator]

17.01.2013 1:45:04
MBAM-log-2013-01-17 (03-04-49).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214300
Time elapsed: 1 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32} (Backdoor.Bot.Sat) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\ProgramData\Microsoft\Media Tools\MediaIconsOverlays.dll (Backdoor.Bot.Sat) -> No action taken.

(end)
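
The two MBAM hits above are halves of one persistence chain: a CLSID registered under HKCR and a DLL under C:\ProgramData. The ComboFix "Reg Loading Points" section later in this thread shows the entry that joins them, a ShellIconOverlayIdentifiers subkey whose default value is that CLSID, which makes Explorer load the DLL as a COM in-process server at every logon. The parser below is an added example written for this page; it is not code from the thread, from Malwarebytes or from ComboFix. It assumes only the line layout ComboFix uses in that section (a `[key]` header, `@="{CLSID}"` references, a dated file line under each CLSID key, and `"name"="path"` values under Run keys), and the sample log is a constructed excerpt mirroring the entries posted here. The triage heuristics (standard install directories, user-writable locations, overlay-name ordering) are my own, not anything the page states.

```python
import re

# Constructed sample in the layout of ComboFix's "Reg Loading Points" section.
# The entries mirror the ones posted in this thread; the log text is the only
# input, nothing is read from the live registry.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0MediaIconsOerlay]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2012-12-16 09:38 220160 ----a-w- c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 6"="c:\advanced systemcare 6\ASCTray.exe" [2012-09-24 490880]
"uTorrent"="c:\utorrent\uTorrent.exe" [2012-12-18 969104]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
CLSID_REF_RE = re.compile(r'^@="(\{[0-9A-Fa-f-]{36}\})"$')
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(.+?)\s*$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
# Heuristic boundaries (my assumption, not a rule from the page).
TRUSTED_DIR_RE = re.compile(r'^c:\\(windows|program files( \(x86\))?)\\', re.I)
USER_WRITABLE_RE = re.compile(r'^c:\\(programdata|users)\\', re.I)


def parse_loading_points(text):
    """One pass over the log. Collects, keyed by the enclosing [registry key]:
    name=path values under Run keys, @= CLSID references, and the file line
    ComboFix prints under a CLSID key (the COM server DLL it resolves to)."""
    run_values, clsid_refs, clsid_files = [], [], {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = CLSID_REF_RE.match(line)
        if m:
            clsid_refs.append((key, m.group(1)))
            continue
        m = FILE_RE.match(line)
        if m and '\\clsid\\' in key.lower():
            clsid_files[key.rsplit('\\', 1)[1].lower()] = m.group(1)
            continue
        m = RUN_RE.match(line)
        if m:
            run_values.append((key, m.group(1), m.group(2)))
    return run_values, clsid_refs, clsid_files


def _finding(load_point, name, path):
    reasons = []
    if not TRUSTED_DIR_RE.match(path):
        reasons.append('binary outside c:\\windows and c:\\program files')
    if USER_WRITABLE_RE.match(path):
        reasons.append('binary in a user-writable directory (ProgramData/Users)')
    if load_point == 'ShellIconOverlayIdentifiers':
        reasons.append('COM in-process server loaded into explorer.exe at every logon')
    return {'load_point': load_point, 'name': name, 'path': path, 'reasons': reasons}


def triage(text):
    """Return one finding per load point with the reasons it merits a look.
    An empty reasons list means none of the heuristics fired."""
    run_values, clsid_refs, clsid_files = parse_loading_points(text)
    findings = []
    for key, name, path in run_values:
        findings.append(_finding(key.rsplit('\\', 1)[1], name, path))
    for key, clsid in clsid_refs:
        handler = key.rsplit('\\', 1)[1]
        path = clsid_files.get(clsid.lower(), '<CLSID not resolved in this log>')
        f = _finding('ShellIconOverlayIdentifiers', handler, path)
        # Explorer honours at most 15 overlay handlers, taken in alphabetical
        # order, so a name starting with a digit, space or symbol sorts ahead
        # of the legitimate ones. Vendors and malware both use the trick.
        if not handler[0].isalpha():
            f['reasons'].append('overlay name sorts ahead of alphabetic handlers')
        findings.append(f)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        flag = 'REVIEW' if f['reasons'] else 'ok    '
        print(f"{flag} [{f['load_point']}] {f['name']} -> {f['path']}")
        for r in f['reasons']:
            print(f"         - {r}")
```

Run it on a saved ComboFix.txt by passing the file contents to `triage()`. The output is a review queue, not a verdict: on this machine the non-standard install paths of Advanced SystemCare and uTorrent trip the directory heuristic too, while the overlay entry is the only item that also lands in a user-writable directory and uses a name that sorts ahead of the alphabet, which is what makes it worth pulling for a second look.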


#2 nasdaq

  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:58 AM

Posted 18 January 2013 - 02:14 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs for my review.

#3 NamelessUser
  • Topic Starter

  • Members
  • 19 posts
  • Local time:07:58 AM

Posted 18 January 2013 - 06:28 PM

Combofix log:


ComboFix 13-01-17.04 - Denis Pappel 19.01.2013 1:06.3.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1251.7.1033.18.8146.6356 [GMT 2:00]
Running from: c:\users\Denis Pappel\Desktop\ComboFix.exe
AV: ESET Smart Security 5.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 5.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-12-18 to 2013-01-18 )))))))))))))))))))))))))))))))
.
.
2013-01-17 19:38 . 2013-01-17 19:44 -------- d-----w- C:\Might&Magic Heroes VI
2013-01-15 12:40 . 2013-01-17 20:30 -------- d-----w- c:\users\Denis Pappel\AppData\Roaming\Might & Magic Heroes VI
2013-01-15 12:27 . 2013-01-15 12:27 -------- d-----w- c:\program files (x86)\Ubisoft
2013-01-14 10:43 . 2013-01-14 19:03 -------- d-----w- C:\The Settlers IV
2013-01-14 10:43 . 1998-10-29 14:45 306688 ----a-w- c:\windows\IsUninst.exe
2013-01-09 18:19 . 2012-11-22 05:44 800768 ----a-w- c:\windows\system32\usp10.dll
2013-01-09 18:19 . 2012-11-22 04:45 626688 ----a-w- c:\windows\SysWow64\usp10.dll
2013-01-09 18:18 . 2012-11-20 05:48 307200 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-09 18:18 . 2012-11-20 04:51 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll
2013-01-09 18:09 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe
2013-01-09 18:09 . 2012-11-23 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys
2013-01-09 13:40 . 2012-11-30 05:41 424448 ----a-w- c:\windows\system32\KernelBase.dll
2013-01-09 13:37 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll
2013-01-09 13:37 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-01-09 13:37 . 2012-11-01 05:43 2002432 ----a-w- c:\windows\system32\msxml6.dll
2013-01-09 13:37 . 2012-11-01 05:43 1882624 ----a-w- c:\windows\system32\msxml3.dll
2013-01-09 13:37 . 2012-11-01 04:47 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll
2013-01-09 13:37 . 2012-11-01 04:47 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2013-01-08 15:29 . 2013-01-08 15:29 -------- d-----w- c:\users\Denis Pappel\AppData\Local\FLT
2013-01-08 14:31 . 2013-01-08 15:20 -------- d-----w- C:\XCOM
2013-01-02 17:04 . 2013-01-02 17:04 -------- d-----w- c:\users\Denis Pappel\AppData\Local\Windows Live Writer
2013-01-02 17:04 . 2013-01-02 17:04 -------- d-----w- c:\users\Denis Pappel\AppData\Roaming\Windows Live Writer
2012-12-30 22:28 . 2012-12-30 22:29 -------- d-----w- c:\users\Denis Pappel\AppData\Local\Divinity 2
2012-12-30 22:22 . 2012-12-30 22:22 -------- d-----w- c:\windows\B83FC356B7C0441F8A4DD71E088E7974.TMP
2012-12-30 08:49 . 2012-12-30 08:49 -------- d-----w- c:\users\Denis Pappel\AppData\Local\Programs
2012-12-21 13:19 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-21 13:19 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-21 13:19 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-21 13:19 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-20 21:19 . 2012-12-20 21:19 -------- d-----w- c:\users\Denis Pappel\AppData\Local\Diagnostics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-09 22:44 . 2010-06-01 09:44 67599240 ----a-w- c:\windows\system32\MRT.exe
2013-01-09 16:41 . 2012-06-25 18:38 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-09 16:41 . 2012-06-25 18:38 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-12-17 09:35 . 2012-12-17 09:35 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-12-17 09:35 . 2012-12-17 09:35 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-12-17 09:35 . 2012-12-17 09:35 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-12-14 14:49 . 2012-12-17 09:48 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-12 18:57 . 2012-12-12 18:57 9728 ----a-w- c:\windows\SysWow64\winrssrv.dll
2012-12-12 18:57 . 2012-12-12 18:57 92160 ----a-w- c:\windows\SysWow64\winrscmd.dll
2012-12-12 18:57 . 2012-12-12 18:57 83456 ----a-w- c:\windows\SysWow64\wevtfwd.dll
2012-12-12 18:57 . 2012-12-12 18:57 78336 ----a-w- c:\windows\SysWow64\wecutil.exe
2012-12-12 18:57 . 2012-12-12 18:57 61440 ----a-w- c:\windows\SysWow64\wecapi.dll
2012-12-12 18:57 . 2012-12-12 18:57 60416 ----a-w- c:\windows\SysWow64\WsmRes.dll
2012-12-12 18:57 . 2012-12-12 18:57 56832 ----a-w- c:\windows\SysWow64\WSManMigrationPlugin.dll
2012-12-12 18:57 . 2012-12-12 18:57 526848 ----a-w- c:\windows\SysWow64\WsmGCDeps.dll
2012-12-12 18:57 . 2012-12-12 18:57 42496 ----a-w- c:\windows\SysWow64\pwrshplugin.dll
2012-12-12 18:57 . 2012-12-12 18:57 39936 ----a-w- c:\windows\SysWow64\winrs.exe
2012-12-12 18:57 . 2012-12-12 18:57 35840 ----a-w- c:\windows\SysWow64\wsmprovhost.exe
2012-12-12 18:57 . 2012-12-12 18:57 30208 ----a-w- c:\windows\SysWow64\WSManHTTPConfig.exe
2012-12-12 18:57 . 2012-12-12 18:57 227328 ----a-w- c:\windows\SysWow64\WsmWmiPl.dll
2012-12-12 18:57 . 2012-12-12 18:57 21504 ----a-w- c:\windows\SysWow64\WsmAgent.dll
2012-12-12 18:57 . 2012-12-12 18:57 20480 ----a-w- c:\windows\SysWow64\winrshost.exe
2012-12-12 18:57 . 2012-12-12 18:57 204105 ----a-w- c:\windows\SysWow64\winrm.vbs
2012-12-12 18:57 . 2012-12-12 18:57 2039296 ----a-w- c:\windows\SysWow64\WsmSvc.dll
2012-12-12 18:57 . 2012-12-12 18:57 1536 ----a-w- c:\windows\SysWow64\winrsmgr.dll
2012-12-12 18:57 . 2012-12-12 18:57 138752 ----a-w- c:\windows\SysWow64\WsmAuto.dll
2012-12-12 18:57 . 2012-12-12 18:57 10240 ----a-w- c:\windows\SysWow64\wsmplpxy.dll
2012-12-12 18:57 . 2012-12-12 18:57 66560 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2012-12-12 18:57 . 2012-12-12 18:57 630784 ----a-w- c:\windows\system32\WsmGCDeps.dll
2012-12-12 18:57 . 2012-12-12 18:57 46080 ----a-w- c:\windows\system32\winrs.exe
2012-12-12 18:57 . 2012-12-12 18:57 30720 ----a-w- c:\windows\system32\wsmprovhost.exe
2012-12-12 18:57 . 2012-12-12 18:57 28672 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2012-12-12 18:57 . 2012-12-12 18:57 2832384 ----a-w- c:\windows\system32\WsmSvc.dll
2012-12-12 18:57 . 2012-12-12 18:57 26112 ----a-w- c:\windows\system32\WsmAgent.dll
2012-12-12 18:57 . 2012-12-12 18:57 23040 ----a-w- c:\windows\system32\winrshost.exe
2012-12-12 18:57 . 2012-12-12 18:57 157184 ----a-w- c:\windows\system32\WsmAuto.dll
2012-12-12 18:57 . 2012-12-12 18:57 1536 ----a-w- c:\windows\system32\winrsmgr.dll
2012-12-12 18:57 . 2012-12-12 18:57 12800 ----a-w- c:\windows\system32\winrssrv.dll
2012-12-12 18:57 . 2012-12-12 18:57 108544 ----a-w- c:\windows\system32\wevtfwd.dll
2012-12-12 18:57 . 2012-12-12 18:57 106496 ----a-w- c:\windows\system32\winrscmd.dll
2012-12-12 18:57 . 2012-12-12 18:57 91136 ----a-w- c:\windows\SysWow64\wbem\wmiutils.dll
2012-12-12 18:57 . 2012-12-12 18:57 89088 ----a-w- c:\windows\SysWow64\mi.dll
2012-12-12 18:57 . 2012-12-12 18:57 83456 ----a-w- c:\windows\system32\wecapi.dll
2012-12-12 18:57 . 2012-12-12 18:57 73728 ----a-w- c:\windows\system32\wbem\xml\wmi2xml.dll
2012-12-12 18:57 . 2012-12-12 18:57 72192 ----a-w- c:\windows\SysWow64\wbem\WMICOOKR.dll
2012-12-12 18:57 . 2012-12-12 18:57 71168 ----a-w- c:\windows\system32\wbem\mofinstall.dll
2012-12-12 18:57 . 2012-12-12 18:57 69632 ----a-w- c:\windows\system32\wbem\wbemcons.dll
2012-12-12 18:57 . 2012-12-12 18:57 60416 ----a-w- c:\windows\system32\WsmRes.dll
2012-12-12 18:57 . 2012-12-12 18:57 49664 ----a-w- c:\windows\SysWow64\wbem\wbemsvc.dll
2012-12-12 18:57 . 2012-12-12 18:57 494592 ----a-w- c:\windows\system32\wbemcomn2.dll
2012-12-12 18:57 . 2012-12-12 18:57 48128 ----a-w- c:\windows\system32\PSModuleDiscoveryProvider.dll
2012-12-12 18:57 . 2012-12-12 18:57 46080 ----a-w- c:\windows\SysWow64\ncobjapi.dll
2012-12-12 18:57 . 2012-12-12 18:57 45568 ----a-w- c:\windows\system32\wbem\SMTPCons.dll
2012-12-12 18:57 . 2012-12-12 18:57 453120 ----a-w- c:\windows\system32\wbem\wbemess.dll
2012-12-12 18:57 . 2012-12-12 18:57 44544 ----a-w- c:\windows\system32\wbem\scrcons.exe
2012-12-12 18:57 . 2012-12-12 18:57 396288 ----a-w- c:\windows\system32\wbem\repdrvfs.dll
2012-12-12 18:57 . 2012-12-12 18:57 309248 ----a-w- c:\windows\system32\WsmWmiPl.dll
2012-12-12 18:57 . 2012-12-12 18:57 29184 ----a-w- c:\windows\SysWow64\wbem\wbemprox.dll
2012-12-12 18:57 . 2012-12-12 18:57 283136 ----a-w- c:\windows\SysWow64\wbem\esscli.dll
2012-12-12 18:57 . 2012-12-12 18:57 216576 ----a-w- c:\windows\system32\wecsvc.dll
2012-12-12 18:57 . 2012-12-12 18:57 204105 ----a-w- c:\windows\system32\winrm.vbs
2012-12-12 18:57 . 2012-12-12 18:57 195072 ----a-w- c:\windows\SysWow64\wbem\mofd.dll
2012-12-12 18:57 . 2012-12-12 18:57 192512 ----a-w- c:\windows\SysWow64\framedynos.dll
2012-12-12 18:57 . 2012-12-12 18:57 189952 ----a-w- c:\windows\SysWow64\framedyn.dll
2012-12-12 18:57 . 2012-12-12 18:57 18944 ----a-w- c:\windows\SysWow64\wbem\mofcomp.exe
2012-12-12 18:57 . 2012-12-12 18:57 172544 ----a-w- c:\windows\SysWow64\miutils.dll
2012-12-12 18:57 . 2012-12-12 18:57 13824 ----a-w- c:\windows\system32\wsmplpxy.dll
2012-12-12 18:57 . 2012-12-12 18:57 123904 ----a-w- c:\windows\SysWow64\wbem\WMIADAP.exe
2012-12-12 18:57 . 2012-12-12 18:57 105472 ----a-w- c:\windows\system32\wecutil.exe
2012-12-12 18:57 . 2012-12-12 18:57 93184 ----a-w- c:\windows\SysWow64\wbem\WmiApRpl.dll
2012-12-12 18:57 . 2012-12-12 18:57 88064 ----a-w- c:\windows\system32\wbem\WMICOOKR.dll
2012-12-12 18:57 . 2012-12-12 18:57 857088 ----a-w- c:\windows\system32\wbem\fastprox.dll
2012-12-12 18:57 . 2012-12-12 18:57 79872 ----a-w- c:\windows\system32\wbem\WinMgmt.exe
2012-12-12 18:57 . 2012-12-12 18:57 79360 ----a-w- c:\windows\system32\prvdmofcomp.dll
2012-12-12 18:57 . 2012-12-12 18:57 77824 ----a-w- c:\windows\SysWow64\wbem\WinMgmt.exe
2012-12-12 18:57 . 2012-12-12 18:57 74240 ----a-w- c:\windows\system32\wbem\NCProv.dll
2012-12-12 18:57 . 2012-12-12 18:57 724480 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2012-12-12 18:57 . 2012-12-12 18:57 64512 ----a-w- c:\windows\system32\wbem\wbemsvc.dll
2012-12-12 18:57 . 2012-12-12 18:57 636928 ----a-w- c:\windows\SysWow64\wbem\fastprox.dll
2012-12-12 18:57 . 2012-12-12 18:57 63488 ----a-w- c:\windows\SysWow64\wbem\xml\wmi2xml.dll
2012-12-12 18:57 . 2012-12-12 18:57 59904 ----a-w- c:\windows\SysWow64\prvdmofcomp.dll
2012-12-12 18:57 . 2012-12-12 18:57 58368 ----a-w- c:\windows\system32\ncobjapi.dll
2012-12-12 18:57 . 2012-12-12 18:57 51712 ----a-w- c:\windows\system32\wbem\wmitimep.dll
2012-12-12 18:57 . 2012-12-12 18:57 44544 ----a-w- c:\windows\system32\wbem\unsecapp.exe
2012-12-12 18:57 . 2012-12-12 18:57 432128 ----a-w- c:\windows\system32\wbem\WmiPrvSE.exe
2012-12-12 18:57 . 2012-12-12 18:57 401408 ----a-w- c:\windows\system32\wbem\esscli.dll
2012-12-12 18:57 . 2012-12-12 18:57 39424 ----a-w- c:\windows\system32\wbem\wbemprox.dll
2012-12-12 18:57 . 2012-12-12 18:57 382464 ----a-w- c:\windows\SysWow64\wbemcomn2.dll
2012-12-12 18:57 . 2012-12-12 18:57 36352 ----a-w- c:\windows\SysWow64\PSModuleDiscoveryProvider.dll
2012-12-12 18:57 . 2012-12-12 18:57 328704 ----a-w- c:\windows\SysWow64\wbem\WmiPrvSE.exe
2012-12-12 18:57 . 2012-12-12 18:57 31744 ----a-w- c:\windows\system32\wbem\WinMgmtR.dll
2012-12-12 18:57 . 2012-12-12 18:57 258048 ----a-w- c:\windows\system32\wbem\mofd.dll
2012-12-12 18:57 . 2012-12-12 18:57 247296 ----a-w- c:\windows\system32\framedynos.dll
2012-12-12 18:57 . 2012-12-12 18:57 242688 ----a-w- c:\windows\system32\framedyn.dll
2012-12-12 18:57 . 2012-12-12 18:57 22528 ----a-w- c:\windows\system32\wbem\mofcomp.exe
2012-12-12 18:57 . 2012-12-12 18:57 223232 ----a-w- c:\windows\system32\miutils.dll
2012-12-12 18:57 . 2012-12-12 18:57 219136 ----a-w- c:\windows\system32\wbem\WMIsvc.dll
2012-12-12 18:57 . 2012-12-12 18:57 214528 ----a-w- c:\windows\system32\wmitomi.dll
2012-12-12 18:57 . 2012-12-12 18:57 208384 ----a-w- c:\windows\system32\wbem\wbemtest.exe
2012-12-12 18:57 . 2012-12-12 18:57 2048 ----a-w- c:\windows\system32\wbem\WmiApRes.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{2A4E94A4-B275-491A-9E32-CD7A26FC7C3B}]
2012-06-26 21:32 677944 ----a-w- c:\program files (x86)\Estonian ID Card\esteid-plugin-ie.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0MediaIconsOerlay]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2012-12-16 09:38 220160 ----a-w- c:\programdata\Microsoft\Media Tools\MediaIconsOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 6"="c:\advanced systemcare 6\ASCTray.exe" [2012-09-24 490880]
"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"uTorrent"="c:\utorrent\uTorrent.exe" [2012-12-18 969104]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-04-17 3671872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"ISUSScheduler"="c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"BCSSync"="c:\microsoft office\Office14\BCSSync.exe" [2010-03-13 91520]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-08-06 642216]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
R1 BdfNdisf;BitDefender Firewall NDIS 6 Filter Driver; [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-06-07 160944]
R3 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys [2009-07-14 226616]
R3 amd_sata;amd_sata;c:\windows\system32\drivers\amd_sata.sys [2011-03-04 78976]
R3 amdhub30;AMD USB 3.0 Hub Driver;c:\windows\system32\drivers\amdhub30.sys [2011-03-17 87168]
R3 amdxhc;AMD USB 3.0 Host Controller Driver;c:\windows\system32\drivers\amdxhc.sys [2011-03-17 188544]
R3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\drivers\asmthub3.sys [2012-02-21 130536]
R3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\drivers\asmtxhci.sys [2012-02-21 396776]
R3 b06diag;Broadcom NetXtreme II Diag Driver;c:\windows\system32\drivers\bxdiaga.sys [2010-12-16 88104]
R3 BFN7x64;Bigfoot Networks Killer Gaming Service;c:\windows\system32\drivers\Xeno7x64.sys [2011-01-14 157288]
R3 BFNVis64;Bigfoot Networks Killer Gaming Service;c:\windows\system32\drivers\XenoVa64.sys [2011-01-14 157288]
R3 BXOIS;BXOIS;c:\windows\system32\drivers\bxois.sys [2010-12-10 533544]
R3 cbaf;UWB Cable Based Association Framework Driver;c:\windows\System32\Drivers\cbaf.sys [2008-01-09 15872]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\dragon age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 DC133;DC133;c:\windows\system32\drivers\DC133.sys [2011-05-02 39320]
R3 DC150;DC150;c:\windows\system32\drivers\DC150.sys [2011-05-02 39832]
R3 DC154;DC154;c:\windows\system32\drivers\DC154.sys [2011-05-02 48136]
R3 DC300e;DC300e;c:\windows\system32\drivers\DC300e.sys [2011-05-02 40344]
R3 DC324e;DC324e;c:\windows\system32\drivers\DC324e.sys [2011-05-02 49752]
R3 DC4300;DC4300;c:\windows\system32\drivers\DC4300.sys [2011-05-02 48360]
R3 DC600e;DC600e;c:\windows\system32\drivers\DC600e.sys [2011-05-02 40744]
R3 dfuuwb;Intel Wireless UWB Link 1480M Device Firmware Utility;c:\windows\System32\Drivers\DfuUWB.sys [2008-09-11 503296]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [x]
R3 esgiguard;esgiguard; [x]
R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\System32\Drivers\EtronHub3.sys [2012-02-18 59520]
R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\System32\Drivers\EtronXHCI.sys [2012-02-18 84736]
R3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;c:\windows\system32\drivers\FLxHCIc.sys [2012-03-02 221184]
R3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;c:\windows\system32\drivers\FLxHCIh.sys [2012-03-02 65536]
R3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys [2012-08-06 62784]
R3 HWA;Intel® Wireless USB Host Adapter;c:\windows\System32\Drivers\HWA.sys [2008-09-29 61440]
R3 IAMTVE;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTVE.sys [2007-04-11 43416]
R3 IAMTXPE;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXPE.sys [2007-04-11 51096]
R3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM60x64.sys [2011-09-13 388368]
R3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP60X64.sys [2011-09-13 77584]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-02-27 158976]
R3 ioatdma1;ioatdma1;c:\windows\System32\Drivers\qd162x64.sys [2009-11-16 40144]
R3 ioatdma2;Intel® QuickData Technology device ver.2;c:\windows\System32\Drivers\qd262x64.sys [2009-11-16 42192]
R3 MSICDSetup;MSICDSetup;D:\CDriver64.sys [x]
R3 mv91xx;mv91xx;c:\windows\system32\drivers\mv91xx.sys [2009-12-25 297512]
R3 NTIOLib_1_0_C;NTIOLib_1_0_C;D:\NTIOLib_X64.sys [x]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2011-09-13 95744]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2011-09-13 212992]
R3 nvamacpi;nvamacpi;c:\windows\system32\drivers\NVAMACPI.sys [2009-07-16 28192]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2mdx64.sys [2009-07-26 58400]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sdx64.sys [2009-07-26 56096]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-11-05 19456]
R3 rimspci;rimspci;c:\windows\system32\drivers\rimspe64.sys [2009-10-26 61952]
R3 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe64.sys [2009-10-28 79360]
R3 risdxc;risdxc;c:\windows\system32\drivers\risdxc64.sys [2010-12-28 99328]
R3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe64.sys [2009-12-11 55808]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys [2010-10-29 250984]
R3 rusb3hub;Renesas Electronics USB 3.0 Hub Driver (Version 3.0);c:\windows\system32\drivers\rusb3hub.sys [2011-09-15 100352]
R3 rusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver (Version 3.0);c:\windows\system32\drivers\rusb3xhc.sys [2011-09-15 216064]
R3 SmartCardRemoval;Smart Card Removal;c:\program files\Estonian ID Card\SmartCardRemoval.exe [2012-06-26 321040]
R3 tihub3;TI USB3 Hub Service;c:\windows\system32\drivers\tihub3.sys [2011-11-22 136000]
R3 tixhci;TI XHCI Service;c:\windows\system32\drivers\tixhci.sys [2011-11-22 410944]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-11-05 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-11-05 30208]
R3 uwbusb;UWB Bus Control USB-Miniport Driver;c:\windows\System32\Drivers\usbuwbmini.sys [2008-09-15 13312]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-01 1255736]
R3 vcrdrx64;VIA MSP Card Reader Host Controller;c:\windows\system32\drivers\vcrdrx64.sys [2010-08-13 127088]
R3 VUSB3HUB;VIA USB 3 Root Hub Service;c:\windows\system32\drivers\ViaHub3.sys [2012-01-20 205312]
R3 xhcdrv;VIA USB eXtensible Host Controller Service;c:\windows\system32\drivers\xhcdrv.sys [2012-01-20 254464]
S0 amd_xata;amd_xata;c:\windows\system32\drivers\amd_xata.sys [2011-03-04 38528]
S0 DC3410;DC3410;c:\windows\system32\drivers\DC3410.sys [2011-05-02 48328]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2012-03-14 62496]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\drivers\iusb3hcs.sys [2012-02-27 16152]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-06-25 283200]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2012-03-14 209768]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2012-03-14 148528]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys [2012-03-14 38288]
S2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\advanced systemcare 6\ASCService.exe [2012-10-31 464256]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-07-28 239616]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [2012-03-07 913144]
S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\DAODB\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-05-14 96896]
S3 atrfiltr;atrfiltr;c:\windows\system32\drivers\atrfiltr.sys [2012-04-02 16184]
S3 cxbu0x64;OMNIKEY 1021;c:\windows\system32\DRIVERS\cxbu0x64.sys [2011-09-06 177920]
S3 ISCT;Intel® Smart Connect Technology Device Driver;c:\windows\system32\DRIVERS\ISCTD64.sys [2012-02-02 44992]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-02-27 356120]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-02-27 788760]
S3 PAC207;SoC PC-Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2006-12-05 572416]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-11-23 648808]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2010-11-29 44672]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-25 16:41]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A4E94A4-B275-491A-9E32-CD7A26FC7C3B}]
2012-06-26 21:31 978192 ----a-w- c:\program files\Estonian ID Card\esteid-plugin-ie.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-08-31 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-08-31 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-08-31 416024]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-08 10867816]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2012-03-07 4081008]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\micros~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\micros~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 81.21.240.1 81.21.255.1
FF - ProfilePath - c:\users\Denis Pappel\AppData\Roaming\Mozilla\Firefox\Profiles\ery5nd2m.default-1353070793386\
FF - prefs.js: browser.startup.homepage - google.ee
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: content.notify.ontimer - true
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.notify.interval - 750000
FF - user.js: content.switch.threshold - 750000
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: nglayout.initialpaint.delay - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{6C680BAE-655C-4E3D-8FC4-E6A520C3D928}"=hex:51,66,7a,6c,4c,1d,38,12,c0,08,7b,
68,6e,2b,53,0b,f0,d2,a5,e5,25,9d,9d,3c
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{CC59E0F9-7E43-44FA-9FAA-8377850BF205}"=hex:51,66,7a,6c,4c,1d,38,12,97,e3,4a,
c8,71,30,94,01,e0,bc,c0,37,80,55,b6,11
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:60,b0,be,e4,47,76,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,99,fb,b0,f7,ad,76,7f,4c,b0,84,d3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,99,fb,b0,f7,ad,76,7f,4c,b0,84,d3,\
.
[HKEY_USERS\S-1-5-21-1700693878-753476921-2325795863-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1700693878-753476921-2325795863-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_USERS\S-1-5-21-1700693878-753476921-2325795863-1000\Software\SecuROM\License information*]
"datasecu"=hex:49,f0,a3,31,6f,90,91,6d,72,b9,f5,10,7c,05,7a,ca,4d,43,9c,8f,ad,
b9,e0,8d,09,ab,3e,db,3b,03,03,53,fd,e9,90,03,91,84,61,d8,28,b8,07,a7,b8,03,\
"rkeysecu"=hex:c9,bd,d9,8d,8e,a5,bd,47,62,56,5e,91,49,9b,e4,38
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
.
**************************************************************************
.
Completion time: 2013-01-19 01:18:38 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-18 23:18
.
Pre-Run: 1 642 228 305 920 bytes free
Post-Run: 1 642 256 424 960 bytes free
.
- - End Of File - - 7416D935673B6C180A3F030D5951F486



SecurityCheck log:



Results of screen317's Security Check version 0.99.57
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Firewall Disabled!
ESET Smart Security 5.2
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
Java 7 Update 9
Java version out of Date!
Adobe Flash Player 11.5.502.146
Adobe Reader 10.1.5 Adobe Reader out of Date!
Mozilla Firefox (18.0)
````````Process Check: objlist.exe by Laurent````````
ESET NOD32 Antivirus egui.exe
ESET NOD32 Antivirus ekrn.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````


AdwCleaner log:



# AdwCleaner v2.106 - Logfile created 01/19/2013 at 01:25:48
# Updated 17/01/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Denis Pappel - DENISPAPPEL-PC
# Boot Mode : Normal
# Running from : C:\Users\Denis Pappel\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\95388dee06fef15
Key Found : HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0 (et)

File : C:\Users\Denis Pappel\AppData\Roaming\Mozilla\Firefox\Profiles\ery5nd2m.default-1353070793386\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [871 octets] - [19/01/2013 01:25:48]
AdwCleaner[S1].txt - [4023 octets] - [16/12/2012 21:41:18]

########## EOF - C:\AdwCleaner[R1].txt - [990 octets] ##########

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 January 2013 - 09:26 AM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Be careful not to install malware posing as Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html



You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present, remove the old version(s) of Java using the Add/Remove Programs applet.


Java 7 Update 9


Java 7 update 10 introduced important new security controls
You can read about it here.
http://nakedsecurity.sophos.com/2012/12/19/java-7-update-10-introduces-important-new-security-controls/
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

Remove the adware and PUPs (Potentially Unwanted Programs) installed on your computer.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).

Please post the log for my review and let me know of any issues with this computer.
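
As an added example, not part of nasdaq's reply and not a tool the thread uses, the PowerShell below does the "check your present version and remove old versions" step from the script side: it reads the same Uninstall registry keys that Add/Remove Programs displays (64-bit, WOW6432Node and per-user), lists the Java, Adobe Reader and Flash Player entries found, and warns when more than one Java release is installed. The product-name patterns are assumptions; the Windows 7 x64 layout matches the DDS log above.

```powershell
# Added example, not from the thread: list the Java, Adobe Reader and Flash Player
# entries that Add/Remove Programs would show, reading the same Uninstall registry
# keys (64-bit, 32-bit/WOW6432Node and per-user). Written for Windows 7 x64 as in
# the log; the product-name patterns below are assumptions, adjust as needed.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumed display-name fragments of the third-party products the reply talks about.
$patterns = 'Java', 'Adobe Reader', 'Adobe Flash Player'

$installed = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Where-Object { $name = $_.DisplayName; @($patterns | Where-Object { $name -like "*$_*" }).Count -gt 0 } |
    Select-Object DisplayName, DisplayVersion, Publisher, UninstallString |
    Sort-Object DisplayName)

$installed | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize

# More than one JRE/JDK entry normally means older updates were left behind;
# each keeps its own vulnerable binaries, so remove all but the newest.
$java = @($installed | Where-Object { $_.DisplayName -like 'Java*' -and $_.DisplayName -notlike '*Auto Updater*' })
if ($java.Count -gt 1) {
    Write-Warning ("{0} Java entries found; remove all but the newest:" -f $java.Count)
    $java | ForEach-Object { Write-Warning ("  {0}  {1}" -f $_.DisplayName, $_.DisplayVersion) }
}

# The JRE first on PATH is the one a console 'java' launch will use; compare it
# with the newest entry above. (Browser plug-ins register separately.)
if (Get-Command java -ErrorAction SilentlyContinue) { & java -version 2>&1 }
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; the UninstallString column gives the command Add/Remove Programs would execute for each stale entry.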

#5 NamelessUser

NamelessUser
  • Topic Starter

  • Members
  • 19 posts

Posted 19 January 2013 - 11:22 AM

MBAM still finds Backdoor.Bot.Sat.


AdwCleaner log:





# AdwCleaner v2.106 - Logfile created 01/19/2013 at 18:17:05
# Updated 17/01/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Denis Pappel - DENISPAPPEL-PC
# Boot Mode : Normal
# Running from : C:\Users\Denis Pappel\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\95388dee06fef15
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16457

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.1 (et)

File : C:\Users\Denis Pappel\AppData\Roaming\Mozilla\Firefox\Profiles\ery5nd2m.default-1353070793386\prefs.js

C:\Users\Denis Pappel\AppData\Roaming\Mozilla\Firefox\Profiles\ery5nd2m.default-1353070793386\user.js ... Deleted !

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1054 octets] - [19/01/2013 01:25:48]
AdwCleaner[S1].txt - [4023 octets] - [16/12/2012 21:41:18]
AdwCleaner[S2].txt - [1118 octets] - [19/01/2013 18:17:05]

########## EOF - C:\AdwCleaner[S2].txt - [1178 octets] ##########

#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 January 2013 - 01:17 PM

MBAM still finds Backdoor.Bot.Sat.

Please post the MBAM log.

#7 NamelessUser

NamelessUser
  • Topic Starter

  • Members
  • 19 posts

Posted 19 January 2013 - 03:43 PM

MBAM log:


Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.16.11

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Denis Pappel :: DENISPAPPEL-PC [administrator]

19.01.2013 22:42:38
MBAM-log-2013-01-19 (22-43-10).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213879
Time elapsed: 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32} (Backdoor.Bot.Sat) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\ProgramData\Microsoft\Media Tools\MediaIconsOverlays.dll (Backdoor.Bot.Sat) -> No action taken.

(end)
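
The MBAM log above names exactly two objects: a CLSID and a DLL under C:\ProgramData. The PowerShell below is an added triage example, not code from the thread or from Malwarebytes, for looking at those two objects before (or instead of) simply deleting them. The CLSID and path are copied from the log; everything else is an assumed procedure: where the CLSID resolves, whether it is wired into Explorer's icon-overlay load point (a guess prompted only by the file name, not something the thread establishes), what the file's signature and SHA-256 are, and whether any running process has it mapped.

```powershell
# Added example, not from the thread: triage the CLSID and DLL that MBAM reported.
# The two values below come from the MBAM log; the checks are an assumed procedure.

$clsid = '{1EC23CFF-4C58-458f-924C-8519AEF61B32}'
$dll   = 'C:\ProgramData\Microsoft\Media Tools\MediaIconsOverlays.dll'

# 1. Where does the CLSID resolve? A COM server entry pointing at a DLL under
#    ProgramData (rather than Program Files or System32) deserves a closer look.
foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID', 'HKCU:\Software\Classes\CLSID') {
    $key = Join-Path $hive $clsid
    if (Test-Path $key) {
        $server = (Get-ItemProperty -Path (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
        "{0}`n  InprocServer32 = {1}" -f $key, $server
    }
}

# 2. Is the CLSID wired into a load point? The file name suggests a shell icon
#    overlay handler (an assumption); Explorer loads every CLSID listed here.
$overlayKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
Get-ChildItem $overlayKey -ErrorAction SilentlyContinue |
    Where-Object { (Get-ItemProperty $_.PSPath).'(default)' -eq $clsid } |
    ForEach-Object { "Registered as icon overlay handler: {0}" -f $_.PSChildName }

# 3. What is the file? Unsigned binaries in a Microsoft-sounding folder under
#    ProgramData are a common masquerade; the hash can be checked against threat intel.
#    SHA-256 is computed by hand because Get-FileHash needs PowerShell 4, which
#    the Windows 7 machine in the log will not have.
if (Test-Path $dll) {
    Get-Item $dll | Select-Object FullName, Length, CreationTime, LastWriteTime
    Get-AuthenticodeSignature $dll | Select-Object Status, @{n='Signer'; e={ $_.SignerCertificate.Subject }}
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($dll)
    try     { 'SHA256 = ' + (($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '') }
    finally { $stream.Close() }
}

# 4. Is it loaded right now? If explorer.exe has it mapped, deleting the file
#    fails until Explorer is restarted or the CLSID is unregistered.
Get-Process | ForEach-Object {
    try { if ($_.Modules | Where-Object { $_.FileName -eq $dll }) { $_ } } catch { }
} | Select-Object Name, Id
```

Run it elevated: step 4 needs rights to enumerate other processes' modules, and the try/catch simply skips processes that still refuse. If step 1 shows the CLSID pointing at the ProgramData DLL and step 2 shows it registered as an overlay handler, the registry key and the file are two halves of one load point and both have to go, which is what the quick-scan result already paired up.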

#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 January 2013 - 11:52 AM

Why did you not remove the items found?

Please run MBAM again and delete them.

How is it now?

#9 NamelessUser

NamelessUser
  • Topic Starter

  • Members
  • 19 posts

Posted 20 January 2013 - 01:28 PM

I thought maybe these items were essential for something :). But I've deleted them now and everything looks ok and MBAM scan is now clean also.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,888 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 January 2013 - 02:31 PM

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

If you decide to keep the AdwCleaner tool, make sure to delete your version and download the latest before running it.

Delete the other tools we used.
You can keep the DDS tool, as most forums will ask to see a log before suggesting a fix.

Surf Safely, and Think Prevention!
===

#11 NamelessUser

NamelessUser
  • Topic Starter

  • Members
  • 19 posts

Posted 20 January 2013 - 02:56 PM

Deleted everything. Thanks for your help!



