
Invisible Internet Explorer running audio ads


14 replies to this topic

#1 moss_1184 (Members, 9 posts)

Posted 27 February 2013 - 07:58 PM

Hello Everyone,

 

I've been scanning the forum and this seems like it's been dealt with before but I can't for the life of me figure it out. When I open Google Chrome, usually within a minute or two, a bunch of cases of Internet Explorer open up in the background. You can't see them unless looking at Task Manager. They start as blank pages then play audio ads. As of now I ran an AVG scan and it found nothing. I downloaded DDS and ran the scans. I have the logs but I'm not sure how to attach them in the proper way. I'm currently running a Malwarebytes scan and will update with results from that in the morning. (Looking through other threads it seems to rarely fix it.) I also tried to do a quick system restore, to a restore point about a week ago, and it went through the process normally but then came up after going through the reboot of the restore saying the restore failed, could not rewrite one of the files. I went to try again and that restore point was gone and replaced with one from only 10 minutes ago. At any rate when I look at the task list processes window, I see about 5 processes for IE and if I end one or more of them they almost instantly repopulate.

 

I'm worried about this and need to get this computer back to proper running shape as I use it for anything.  I have no idea where this virus has come from as I can't think of anything strange I've downloaded recently.  I'm not useless with computers but I'm far from an expert and could definitely use any help you could provide.  I know I'll need to give more information for you wonderful people to help but I need to know what information and how you prefer for it to be presented.  Thanks so much.

 

Luke
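An added example, not part of the original post and not from any of the tools named in this thread. The symptom above (iexplore.exe instances that reappear as soon as they are ended) means something else is launching them, and Task Manager on Windows 7 does not show parent PIDs. The script parses the CSV that `wmic process get CommandLine,Name,ParentProcessId,ProcessId /format:csv` writes and walks each iexplore.exe up to its first ancestor that is not IE itself; that ancestor is what has to be stopped first, and what Autoruns (requested later in the thread) should be checked for. The process list, its PIDs and the `upd.exe` launcher in it are constructed for the example.

```python
"""Who keeps spawning the hidden iexplore.exe instances?

Added example, not from the thread. Parses the CSV written by
  wmic process get CommandLine,Name,ParentProcessId,ProcessId /format:csv
and walks every iexplore.exe up to its first ancestor that is not IE itself
(IE tab processes are children of an IE frame process, so the frame's parent
is the real spawner). Ending the children only makes the spawner start new ones.
"""
import csv
from pathlib import Path
from typing import Dict, List, NamedTuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str
    cmdline: str


# Constructed sample in the shape wmic emits: a leading blank line, a Node
# column first, then the requested columns in alphabetical order. The PIDs and
# the "upd.exe" launcher are invented for the example; "-Embedding" is how IE
# looks when another program starts it through COM automation.
SAMPLE_WMIC_CSV = r"""
Node,CommandLine,Name,ParentProcessId,ProcessId
LUKE-VAIO,,System,0,4
LUKE-VAIO,C:\Windows\Explorer.EXE,explorer.exe,1000,1500
LUKE-VAIO,"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",chrome.exe,1500,2000
LUKE-VAIO,"C:\Users\Luke\AppData\Local\Temp\upd.exe" /silent,upd.exe,1500,2100
LUKE-VAIO,"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding,iexplore.exe,2100,2200
LUKE-VAIO,"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding,iexplore.exe,2100,2201
LUKE-VAIO,"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2200 CREDAT:1,iexplore.exe,2200,2300
"""


def parse_wmic_csv(text: str) -> Dict[int, Proc]:
    """Parse wmic /format:csv output into {pid: Proc}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    # wmic does not quote fields, so QUOTE_NONE keeps the quotes that are part
    # of the command lines instead of letting the csv module eat them.
    rows = list(csv.reader(lines, quoting=csv.QUOTE_NONE))
    col = {name: i for i, name in enumerate(rows[0])}
    ci = col["CommandLine"]
    procs: Dict[int, Proc] = {}
    for row in rows[1:]:
        extra = len(row) - len(rows[0])
        if extra > 0:  # a comma inside the command line split it: rejoin
            row = row[:ci] + [",".join(row[ci:ci + extra + 1])] + row[ci + extra + 1:]
        pid = int(row[col["ProcessId"]])
        procs[pid] = Proc(pid, int(row[col["ParentProcessId"]]), row[col["Name"]], row[ci])
    return procs


def parent_chain(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """The process itself followed by its ancestors; stops at a PID that is
    not in the listing or was already visited (PIDs are reused, so a stale
    ParentProcessId can point back into the chain)."""
    chain: List[Proc] = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def spawners(procs: Dict[int, Proc], target: str = "iexplore.exe") -> Dict[int, List[int]]:
    """Map each non-IE ancestor PID to the iexplore.exe PIDs under it."""
    out: Dict[int, List[int]] = {}
    for p in procs.values():
        if p.name.lower() != target:
            continue
        for ancestor in parent_chain(procs, p.pid)[1:]:
            if ancestor.name.lower() != target:
                out.setdefault(ancestor.pid, []).append(p.pid)
                break
    return out


def load_wmic_file(path: str) -> str:
    """Read a saved `wmic ... /format:csv > procs.csv`. Assumption: wmic may
    write UTF-16 when redirected, so honour a BOM and otherwise decode loosely."""
    data = Path(path).read_bytes()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def report(procs: Dict[int, Proc]) -> List[str]:
    lines = []
    for parent_pid, kids in spawners(procs).items():
        chain = " <- ".join(f"{p.name}[{p.pid}]" for p in parent_chain(procs, parent_pid))
        lines.append(f"{len(kids)} iexplore.exe started by {chain}")
        lines.append(f"    command line: {procs[parent_pid].cmdline}")
    return lines or ["no iexplore.exe found"]


if __name__ == "__main__":
    import sys
    listing = load_wmic_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WMIC_CSV
    print("\n".join(report(parse_wmic_csv(listing))))
```

Run it with the path of a saved wmic CSV as the only argument; without one it runs on the constructed sample. The comma rejoin matters on real output, since wmic neither quotes nor escapes command lines that happen to contain commas.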




#2 narenxp (BC Advisor, 16,371 posts, Location: India)

Posted 27 February 2013 - 07:59 PM


  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters
  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now
  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue
  • Click Reboot computer
  • Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your reply


===================================================


aswMBR

--------------------

  • Download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.



  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.



  • Please post the contents of the log in your next reply.

NOTE:  aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


===================================================


ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours, that is normal

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:

    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply.   Note:  If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • TDSSKiller log
  • aswMBR log
  • ESET results

 



#3 moss_1184 (Topic Starter, Members, 9 posts)

Posted 28 February 2013 - 01:52 PM

Hi,  Sorry this took so long.  I'm  a teacher and had to get some sleep then go into work.  I did all the steps just finished now.  Here are the logs.

 

 

 
ESET Results:
C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$R5EZZ6M.exe    a variant of Win32/InstallCore.AZ application    cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$RIQY5XM.exe    a variant of Win32/InstallCore.AG application    cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$RJMY4WH.exe    a variant of Win32/InstallCore.AG application    cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$RKQNAOW.exe    a variant of Win32/InstallCore.AG application    cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$RL710HR.exe    a variant of Win32/InstallCore.AY application    cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$ROJ2Z8X.exe    a variant of Win32/InstallCore.AG application    cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$RY4A4JL.dll    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$RNZYL5X\MyBabylonTB.exe    a variant of Win32/Toolbar.Babylon.A application    cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$RV1SAWA\299900289_Setup.EXE    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$RV1SAWA\521321669_Setup.EXE    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$RV1SAWA\8692167_Setup.EXE    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\Users\Luke\AppData\Local\bcf67321-9c64-4bec-a976-71742b8a93de.crx    JS/Redirector.NCG trojan    deleted - quarantined
C:\Users\Luke\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdjbnddbclciabnckgeahmneohjlahdm\1.0_0\manager.js    JS/Redirector.NCG trojan    cleaned by deleting - quarantined
C:\Users\Luke\Downloads\Alcohol120_trial_2.0.2.4713.exe    a variant of Win32/InstallCore.AZ application    cleaned by deleting - quarantined
C:\Users\Luke\Downloads\cbsidlm-tr1_7-TimeLeft-10034817.exe    Win32/DownloadAdmin.D application    cleaned by deleting - quarantined
C:\Users\Luke\Downloads\DAEMONToolsPro520-0348.exe    Win32/OpenCandy application    cleaned by deleting - quarantined
C:\Users\Luke\Downloads\Setup_FreeConverter.exe    Win32/Toolbar.SearchSuite application    cleaned by deleting - quarantined
C:\Users\Luke\Downloads\SoftonicDownloader_for_utorrent.exe    a variant of Win32/SoftonicDownloader.D application    cleaned by deleting - quarantined
C:\Users\Luke\Downloads\VDownloaderInstaller.exe    a variant of Win32/InstallCore.AG application    cleaned by deleting - quarantined
C:\Users\Luke\Downloads\Sopcast-3.4.8_by_Wiziwig\Setup-SopCast-3.4.8-2012-1-1.exe    a variant of Win32/Bundled.Toolbar.Ask application    cleaned by deleting - quarantined

 

 

The log for TDSSKiller was like 194 pages. I also ended up with one that's one page, which I'll copy and paste below, but the 190-page log would not connect to the post. I believe this one didn't run through the whole process though, so advice would be helpful.

 

01:03:35.0513 9976  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
01:03:35.0769 9976  ============================================================
01:03:35.0769 9976  Current date / time: 2013/02/28 01:03:35.0769
01:03:35.0769 9976  SystemInfo:
01:03:35.0769 9976  
01:03:35.0769 9976  OS Version: 6.1.7601 ServicePack: 1.0
01:03:35.0769 9976  Product type: Workstation
01:03:35.0770 9976  ComputerName: LUKE-VAIO
01:03:35.0770 9976  UserName: Luke
01:03:35.0770 9976  Windows directory: C:\Windows
01:03:35.0770 9976  System windows directory: C:\Windows
01:03:35.0770 9976  Running under WOW64
01:03:35.0770 9976  Processor architecture: Intel x64
01:03:35.0770 9976  Number of processors: 4
01:03:35.0770 9976  Page size: 0x1000
01:03:35.0770 9976  Boot type: Normal boot
01:03:35.0770 9976  ============================================================
01:03:37.0720 9976  Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
01:03:37.0751 9976  ============================================================
01:03:37.0751 9976  \Device\Harddisk0\DR0:
01:03:37.0752 9976  MBR partitions:
01:03:37.0752 9976  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1B97000, BlocksNum 0x32000
01:03:37.0752 9976  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1BC9000, BlocksNum 0x48C8EAB0
01:03:37.0752 9976  ============================================================
01:03:37.0898 9976  C: <-> \Device\Harddisk0\DR0\Partition2
01:03:37.0899 9976  ============================================================
01:03:37.0899 9976  Initialize success
01:03:37.0899 9976  ============================================================

01:04:04.0866 9772  Deinitialize success 

 

Thanks so much.  What are the next steps?  
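An added example for reading the ESET list in the post above; it is not from the thread or from ESET. The point a practitioner wants from that list is which hits matter: everything under $Recycle.Bin had already been deleted by the user before the scan and could not have been running; the installers in Downloads are bundled-adware setup programs and the likely delivery route; the two JS/Redirector.NCG hits are the interesting ones, a .crx package in AppData\Local and the copy of it Chrome had unpacked into the Default profile's Extensions folder, i.e. an extension that was actually loaded in the browser. A Chrome extension cannot by itself start iexplore.exe processes, so the spawning component is still to be found. The script parses lines in ESET's path / threat / action layout (tabs or runs of spaces, an assumption) and sorts them by location; the sample is seven of the posted entries rejoined onto one line each.

```python
"""Triage of an ESET Online Scanner result list.

Added example, not from the thread. Splits each result into path, threat and
action, then sorts the hits by where they lived: files already in $Recycle.Bin
were deleted by the user before the scan and could not have been running,
installers in Downloads are the likely delivery route for bundled adware, and
anything under a Chrome profile's Extensions folder (or a stray .crx package)
is a component that was actually loaded in the browser.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple


class Detection(NamedTuple):
    path: str
    threat: str
    action: str
    category: str
    extension_id: Optional[str]


# Paths and threat names copied from the log posted above, one line per hit
# (the forum paste had wrapped them); the full log has 20 entries.
SAMPLE_ESET_LOG = "\n".join([
    r"C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$R5EZZ6M.exe   a variant of Win32/InstallCore.AZ application   cleaned by deleting - quarantined",
    r"C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$RNZYL5X\MyBabylonTB.exe   a variant of Win32/Toolbar.Babylon.A application   cleaned by deleting - quarantined",
    r"C:\Users\Luke\AppData\Local\bcf67321-9c64-4bec-a976-71742b8a93de.crx   JS/Redirector.NCG trojan   deleted - quarantined",
    r"C:\Users\Luke\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdjbnddbclciabnckgeahmneohjlahdm\1.0_0\manager.js   JS/Redirector.NCG trojan   cleaned by deleting - quarantined",
    r"C:\Users\Luke\Downloads\Alcohol120_trial_2.0.2.4713.exe   a variant of Win32/InstallCore.AZ application   cleaned by deleting - quarantined",
    r"C:\Users\Luke\Downloads\SoftonicDownloader_for_utorrent.exe   a variant of Win32/SoftonicDownloader.D application   cleaned by deleting - quarantined",
    r"C:\Users\Luke\Downloads\Sopcast-3.4.8_by_Wiziwig\Setup-SopCast-3.4.8-2012-1-1.exe   a variant of Win32/Bundled.Toolbar.Ask application   cleaned by deleting - quarantined",
])

# Chrome extension IDs are 32 letters from a to p; the profile name varies.
EXT_RE = re.compile(r"\\chrome\\user data\\[^\\]+\\extensions\\([a-p]{32})\\", re.I)
# Assumption: ESET separates the three columns with tabs, and a forum paste
# turns them into runs of spaces; either is treated as the separator.
SEP_RE = re.compile(r"\t+| {2,}")


def classify(path: str) -> Tuple[str, Optional[str]]:
    low = path.lower()
    ext = EXT_RE.search(path)
    if "\\$recycle.bin\\" in low:
        return "recycle_bin", None
    if ext:
        return "chrome_extension", ext.group(1).lower()
    if low.endswith(".crx"):
        return "crx_package", None
    if "\\downloads\\" in low:
        return "downloaded_installer", None
    return "other", None


def parse_eset_log(text: str) -> List[Detection]:
    out = []
    for line in text.splitlines():
        parts = [p.strip() for p in SEP_RE.split(line.strip()) if p.strip()]
        if len(parts) < 3:
            continue
        cat, ext_id = classify(parts[0])
        out.append(Detection(parts[0], parts[1], " ".join(parts[2:]), cat, ext_id))
    return out


def triage(dets: List[Detection]) -> Dict[str, object]:
    active = [d for d in dets if d.category in ("chrome_extension", "crx_package")]
    by_threat: Dict[str, List[str]] = {}
    for d in active:
        by_threat.setdefault(d.threat, []).append(d.path)
    return {
        "by_category": Counter(d.category for d in dets),
        "active": active,
        "extension_ids": {d.extension_id for d in dets if d.extension_id},
        "vectors": [d.path.rsplit("\\", 1)[-1] for d in dets if d.category == "downloaded_installer"],
        # the same threat name on a .crx and on an installed extension: the
        # package and the copy Chrome unpacked from it
        "linked": {t: p for t, p in by_threat.items() if len(p) > 1},
    }


if __name__ == "__main__":
    t = triage(parse_eset_log(SAMPLE_ESET_LOG))
    print("by category:", dict(t["by_category"]))
    print("extension IDs to check in chrome://extensions:", sorted(t["extension_ids"]))
    for d in t["active"]:
        print("active:", d.threat, "<-", d.path)
    print("probable delivery:", t["vectors"])
```

After ESET deletes the files, the extension ID should also be gone from chrome://extensions and from the profile's Preferences file (AdwCleaner, run later in the thread, checks that file); if it comes back, whatever installed it is still present.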



#4 moss_1184 (Topic Starter, Members, 9 posts)

Posted 28 February 2013 - 01:53 PM

Sorry, realised I cut the aswMBR log; here it is.

 

 

ASWMBR.LOG

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-28 01:15:46
-----------------------------
01:15:46.320  OS Version: Windows x64 6.1.7601 Service Pack 1
01:15:46.321  Number of processors: 4 586 0x2A07
01:15:46.322  ComputerName: LUKE-VAIO  UserName: Luke
01:15:51.013  Initialize success
01:18:31.392  AVAST engine defs: 13022701
01:18:48.433  Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
01:18:48.439  Disk 0 Vendor: Hitachi_ JEDO Size: 610480MB BusType: 3
01:18:48.459  Disk 0 MBR read successfully
01:18:48.466  Disk 0 MBR scan
01:18:48.477  Disk 0 Windows 7 default MBR code
01:18:48.490  Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS       14125 MB offset 2048
01:18:48.513  Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS         100 MB offset 28930048
01:18:48.536  Disk 0 Partition 3 00     07    HPFS/NTFS NTFS      596253 MB offset 29134848
01:18:48.562  Disk 0 scanning C:\Windows\system32\drivers
01:19:08.634  Service scanning
01:19:58.109  Modules scanning
01:19:58.128  Disk 0 trace - called modules:
01:19:58.152  ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
01:19:58.504  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80065f0060]
01:19:58.516  3 CLASSPNP.SYS[fffff8800104d43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004715050]
01:20:01.053  AVAST engine scan C:\Windows
01:20:05.520  AVAST engine scan C:\Windows\system32
01:25:06.117  AVAST engine scan C:\Windows\system32\drivers
01:25:30.188  AVAST engine scan C:\Users\Luke
01:27:53.102  Disk 0 MBR has been saved successfully to "C:\Users\Luke\Desktop\MBR.dat"
01:27:53.104  The log file has been saved successfully to "C:\Users\Luke\Desktop\aswMBR.txt"



 



 



aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-02-28 01:33:43
-----------------------------
01:33:43.798  OS Version: Windows x64 6.1.7601 Service Pack 1
01:33:43.799  Number of processors: 4 586 0x2A07
01:33:43.801  ComputerName: LUKE-VAIO  UserName: Luke
01:34:04.818  Initialize success
01:34:16.742  AVAST engine defs: 13022701
01:34:19.760  Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
01:34:19.766  Disk 0 Vendor: Hitachi_ JEDO Size: 610480MB BusType: 3
01:34:19.786  Disk 0 MBR read successfully
01:34:19.791  Disk 0 MBR scan
01:34:19.801  Disk 0 Windows 7 default MBR code
01:34:19.808  Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS       14125 MB offset 2048
01:34:19.829  Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS         100 MB offset 28930048
01:34:19.852  Disk 0 Partition 3 00     07    HPFS/NTFS NTFS      596253 MB offset 29134848
01:34:19.880  Disk 0 scanning C:\Windows\system32\drivers
01:34:46.041  Service scanning
01:35:48.737  Modules scanning
01:35:48.755  Disk 0 trace - called modules:
01:35:48.781  ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys
01:35:49.135  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004ce0060]
01:35:49.146  3 CLASSPNP.SYS[fffff880013ca43f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004ac0050]
01:35:52.594  AVAST engine scan C:\Windows
01:36:06.369  AVAST engine scan C:\Windows\system32
01:42:22.303  AVAST engine scan C:\Windows\system32\drivers
01:42:46.259  AVAST engine scan C:\Users\Luke
01:59:42.036  AVAST engine scan C:\ProgramData
02:02:32.476  Scan finished successfully
05:59:56.383  Disk 0 MBR has been saved successfully to "C:\Users\Luke\Desktop\MBR.dat"
05:59:56.432  The log file has been saved successfully to "C:\Users\Luke\Desktop\aswMBR.txt"



 



 



18:06:21.658  Disk 0 MBR has been saved successfully to "C:\Users\Luke\Desktop\MBR.dat"
18:06:21.786  The log file has been saved successfully to "C:\Users\Luke\Desktop\aswMBR.txt"



#5 narenxp (BC Advisor, 16,371 posts, Location: India)

Posted 28 February 2013 - 02:02 PM

Please post the last few lines of TDSSkiller log

 

Malwarebytes

--------------------

Please download Malwarebytes Anti-Malware and save it to your desktop.  If you already have it installed launch the program and update the database.

  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.  You can also right click on the link and select Save Link As

Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings except to uncheck any offer for a free Pro trial version
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


===================================================


Farbar's MiniToolBox

--------------------

  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the icon to launch the program
  • Make sure the following options are checked:

    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Installed Programs
    • List Devices
    • List Users, Partitions and Memory size.
  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply


===================================================


Farbar's Service Scanner

--------------------

Please download Farbar Service Scanner, save it to your desktop, and run it.

  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


===================================================


AdwCleaner by Xplode - Search for Adware

-------------------

  • Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on DELETE
  • A logfile will automatically open after the scan has finished
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[R1].txt as well


===================================================


Junkware Removal Tool by thisisu

-------------------

  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply


===================================================


Rkill

-------------------

Please download Rkill by Grinler from one of the 4 links below (if one of them does not work try another...) and save it to your desktop:


  • In order for Rkill to run properly you must disable your anti-malware software.  Please refer to this page if you are not sure how.
  • Double-click on Rkill. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
    • Note:  You may have to run Rkill a few times before it is successful.  You may also have to download Rkill from a different link which will save it as a different file name.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • An Rkill.log will appear.  Please copy and paste the contents in your reply (file also located at c:\rkill.log)
  • Do not reboot your computer after running Rkill as the malware programs will start again.  If your computer reboots, run Rkill again before continuing on to the next step.
  • If nothing happens or if the tool does not run, please let me know in your next reply.


===================================================


Autoruns

--------------------

  • Please download AutoRuns and save it to your desktop
  • Double click the AutoRuns.zip folder
  • Double click autoruns.exe (not autorunsc.exe), select Run, then Run again and allow the information to populate
  • Select File, Save, Desktop (in the left hand pane), then Save filename as Autoruns.txt and change Save as type to  Text(*.txt).
  • Double click on the text file,copy and paste the contents in your reply


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Malwarebytes log
  • MiniToolBox log
  • Farbar's Service Scanner log
  • AdwCleaner log
  • Junkware Removal Tool log
  • Rkill log
  • Autoruns log
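An added example, not part of the thread and not from either tool, for cross-checking the two disk-level logs posted above: TDSSKiller (post #3) prints the MBR table in hex, as a start sector and a sector count per partition, while aswMBR (post #4) prints MB sizes and decimal sector offsets. Converted to the same units they agree exactly: the two NTFS partitions TDSSKiller lists start at sectors 28930048 and 29134848 and are 100 MB and 596253 MB, which are aswMBR's partitions 2 and 3, and the only difference is the hidden type 0x27 WinRE partition at sector 2048 that aswMBR shows and TDSSKiller does not list, so the differing partition counts are not a discrepancy. The partitions are contiguous, with no unallocated space between them and 1 MiB of alignment slack after the last one; unpartitioned space is where a bootkit can keep a hidden file system (TDSSKiller's "Detect TDLFS file system" option looks for that), so it is worth computing rather than assuming. The sample lines are copied from the two posted logs.

```python
"""Cross-check the partition table as seen by TDSSKiller and by aswMBR.

Added example, not from the thread. TDSSKiller prints the MBR table in hex
(start sector and sector count); aswMBR prints MB sizes and decimal sector
offsets. Converting both to sectors and MB shows whether the two scanners
agree on the disk, which partition one of them left out, and how much
unpartitioned space exists between and after the partitions.
"""
import re
from typing import Dict, List, Tuple

SECTOR = 512          # both logs report 0x200-byte sectors
MB = 1024 * 1024

# Lines copied from the TDSSKiller (post #3) and aswMBR (post #4) logs above.
TDSS_SAMPLE = r"""
01:03:37.0720 9976  Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
01:03:37.0752 9976  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1B97000, BlocksNum 0x32000
01:03:37.0752 9976  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1BC9000, BlocksNum 0x48C8EAB0
"""
ASW_SAMPLE = r"""
01:18:48.439  Disk 0 Vendor: Hitachi_ JEDO Size: 610480MB BusType: 3
01:18:48.490  Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS       14125 MB offset 2048
01:18:48.513  Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS         100 MB offset 28930048
01:18:48.536  Disk 0 Partition 3 00     07    HPFS/NTFS NTFS      596253 MB offset 29134848
"""

TDSS_PART = re.compile(r"Partition(\d+): MBR, Type 0x([0-9A-Fa-f]+), StartLBA 0x([0-9A-Fa-f]+), BlocksNum 0x([0-9A-Fa-f]+)")
TDSS_SIZE = re.compile(r"Size: 0x([0-9A-Fa-f]+)")
# boot flag, optional "(A)" marker on the active partition, type byte, description, size, offset
ASW_PART = re.compile(r"Disk \d+ Partition (\d+)\s+([0-9A-Fa-f]{2})\s+(?:\(A\)\s+)?([0-9A-Fa-f]{2})\s+(.*?)\s+(\d+) MB offset (\d+)")
ASW_SIZE = re.compile(r"Size: (\d+)MB")


def parse_tdsskiller(text: str) -> List[Dict[str, int]]:
    parts = []
    for m in TDSS_PART.finditer(text):
        blocks = int(m.group(4), 16)
        parts.append({"index": int(m.group(1)), "type": int(m.group(2), 16),
                      "start_lba": int(m.group(3), 16), "blocks": blocks,
                      "size_mb": blocks * SECTOR // MB})
    return parts


def parse_aswmbr(text: str) -> List[dict]:
    parts = []
    for m in ASW_PART.finditer(text):
        parts.append({"index": int(m.group(1)), "boot": m.group(2) == "80",
                      "type": int(m.group(3), 16), "desc": m.group(4),
                      "size_mb": int(m.group(5)), "start_lba": int(m.group(6))})
    return parts


def reconcile(tdss: List[dict], asw: List[dict]) -> Dict[str, list]:
    """Pair partitions by start sector; sizes may differ by 1 MB from rounding."""
    by_start = {p["start_lba"]: p for p in tdss}
    res: Dict[str, list] = {"matched": [], "mismatched": [], "only_aswmbr": []}
    for a in asw:
        t = by_start.pop(a["start_lba"], None)
        if t is None:
            res["only_aswmbr"].append(a)
        elif t["type"] == a["type"] and abs(t["size_mb"] - a["size_mb"]) <= 1:
            res["matched"].append((a, t))
        else:
            res["mismatched"].append((a, t))
    res["only_tdsskiller"] = list(by_start.values())
    return res


def gaps(asw: List[dict]) -> List[int]:
    """Unallocated sectors between consecutive partitions. aswMBR rounds sizes
    to whole MB, so anything below 2048 sectors is rounding, not a real gap."""
    ordered = sorted(asw, key=lambda p: p["start_lba"])
    return [b["start_lba"] - (a["start_lba"] + a["size_mb"] * MB // SECTOR)
            for a, b in zip(ordered, ordered[1:])]


def tail_sectors(tdss_text: str, tdss: List[dict]) -> int:
    """Exact unpartitioned sectors after the last partition, from TDSSKiller's hex values."""
    disk_sectors = int(TDSS_SIZE.search(tdss_text).group(1), 16) // SECTOR
    return disk_sectors - max(p["start_lba"] + p["blocks"] for p in tdss)


def disk_size_mb(tdss_text: str, asw_text: str) -> Tuple[int, int]:
    return (int(TDSS_SIZE.search(tdss_text).group(1), 16) // MB,
            int(ASW_SIZE.search(asw_text).group(1)))


if __name__ == "__main__":
    tdss, asw = parse_tdsskiller(TDSS_SAMPLE), parse_aswmbr(ASW_SAMPLE)
    print("disk size MB (TDSSKiller, aswMBR):", disk_size_mb(TDSS_SAMPLE, ASW_SAMPLE))
    r = reconcile(tdss, asw)
    for a, t in r["matched"]:
        print(f"match: aswMBR #{a['index']} = TDSSKiller #{t['index']} type 0x{a['type']:02X} "
              f"at sector {a['start_lba']} ({a['size_mb']} MB)")
    for a in r["only_aswmbr"]:
        print(f"aswMBR only: #{a['index']} type 0x{a['type']:02X} {a['desc']} at sector {a['start_lba']}")
    for t in r["only_tdsskiller"]:
        print(f"TDSSKiller only: #{t['index']} at sector {t['start_lba']}")
    print("sectors between partitions:", gaps(asw), "after last partition:", tail_sectors(TDSS_SAMPLE, tdss))
```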



#6 moss_1184 (Topic Starter, Members, 9 posts)

Posted 28 February 2013 - 03:57 PM

I have done them all and am compiling them to post.  The mini toolbox log is 58 pages long.  Do you need it all?



#7 moss_1184 (Topic Starter, Members, 9 posts)

Posted 28 February 2013 - 04:04 PM

Below are all the logs except the minitoolbox log, let me know which parts of that to post when you can, and again, thank you so much for all your help.

 

 

TDSSKiller LOG, last lines

01:13:45.0684 3644  Scan finished
01:13:45.0684 3644  ============================================================
01:13:45.0694 1124  Detected object count: 0
01:13:45.0694 1124  Actual detected object count: 0
01:27:24.0749 3280  Deinitialize success



 



Malwarebytes LOG

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.02.27.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Luke :: LUKE-VAIO [administrator]

Protection: Disabled

28/02/2013 7:21:46 AM
mbam-log-2013-02-28 (07-21-46).txt

Scan type: Full scan (C:\|D:\|F:\|G:\|Q:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 362740
Time elapsed: 40 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Luke\Downloads\mplayer_Setup.exe (Adware.IBryte) -> Quarantined and deleted successfully.

(end)



 



MiniToolBox log

Missing because long



 



Farbar Service Scanner LOG

Farbar Service Scanner Version: 20-02-2013
Ran by Luke (administrator) on 28-02-2013 at 20:19:20
Running from "C:\Users\Luke\Downloads"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****



 



AdwCleaner LOG (in Italian, as my Windows is in Italian and I didn't get an option)

# AdwCleaner v2.113 - Logfile creato il 28/02/2013 alle 20:20:47
# Aggiornamento 23/02/2013 by Xplode
# Sistema Operativo : Windows 7 Home Premium Service Pack 1 (64 bits)
# Utente : Luke - LUKE-VAIO
# Modalità Avvio : Modalità Normale
# Eseguito da : C:\Users\Luke\Downloads\AdwCleaner.exe
# Opzioni [Elimina]

***** [Servizi] *****


***** [File / Cartelle] *****

Cartella Eliminato : C:\ProgramData\BetterSoft
Cartella Eliminato : C:\ProgramData\InstallMate
Cartella Eliminato : C:\ProgramData\RightClick
Cartella Eliminato : C:\Users\Luke\AppData\Roaming\OpenCandy

***** [Registro] *****

Chiave Eliminata : HKCU\Software\Softonic
Chiave Eliminata : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}
Chiave Eliminata : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Chiave Eliminata : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}
Chiave Eliminata : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{7D86A08B-0A8F-4BE0-B693-F05E6947E780}

***** [Browser Internet] *****

-\\ Internet Explorer v9.0.8112.16464

[OK] Registro Pulito.

-\\ Google Chrome v25.0.1364.97

File : C:\Users\Luke\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File Pulito.

*************************

AdwCleaner[R1].txt - [1516 octets] - [28/02/2013 20:20:26]
AdwCleaner[S1].txt - [1467 octets] - [28/02/2013 20:20:47]

########## EOF - C:\AdwCleaner[S1].txt - [1527 octets] ##########

Junkware Removal Tool LOG

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.6.6 (02.27.2013:1)
OS: Windows 7 Home Premium x64
Ran by Luke on 28/02/2013 at 20:26:24.90
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Chrome

Successfully deleted: [Registry Key] hkey_local_machine\software\google\chrome\extensions\cdjbnddbclciabnckgeahmneohjlahdm

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 28/02/2013 at 20:38:47.32
End of JRT log

Rkill log

Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 02/28/2013 08:41:21 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Users\Luke\Downloads\JRT.exe (PID: 6688) [UP-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
 C:\Users\Luke\Desktop\rkill\rkill-02-28-2013-08-41-32.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * ALERT: ZEROACCESS rootkit symptoms found!

     * HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
     * HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
     * C:\$Recycle.Bin\S-1-5-18\$19d392ec61536f6deb3cf1ec0340fb48\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$19d392ec61536f6deb3cf1ec0340fb48\@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$19d392ec61536f6deb3cf1ec0340fb48\L\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$19d392ec61536f6deb3cf1ec0340fb48\U\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$19d392ec61536f6deb3cf1ec0340fb48\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$19d392ec61536f6deb3cf1ec0340fb48\@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$19d392ec61536f6deb3cf1ec0340fb48\L\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-21-958222914-3290714124-3701117634-1000\$19d392ec61536f6deb3cf1ec0340fb48\U\ [ZA Dir]

Checking Windows Service Integrity:

 * Driver di autorizzazione di Windows Firewall (mpsdrv) is not Running.
   Startup Type set to: Manual

 * BFE [Missing Service]
 * iphlpsvc [Missing Service]
 * WinDefend [Missing Service]
 * wscsvc [Missing Service]

 * MpsSvc [Missing ImagePath]
 * SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 02/28/2013 08:41:52 PM
Execution time: 0 hours(s), 0 minute(s), and 30 seconds(s)

AutoRuns Log

"HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms"
+ "rdpclip"  ""  ""  "File not found: rdpclip"

"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
+ "Apoint"  "Alps Pointing-device Driver"  "Alps Electric Co., Ltd."  "c:\program files\apoint\apoint.exe"
+ "AthBtTray"  "Bluetooth Tray"  "Atheros Commnucations"  "c:\program files (x86)\bluetooth suite\athbttray.exe"
+ "AtherosBtStack"  "Server stack Bluetooth"  "Atheros Communications"  "c:\program files (x86)\bluetooth suite\btvstack.exe"
+ "cAudioFilterAgent"  "Conexant High Definition Audio Filter Agent"  "Conexant Systems, Inc."  "c:\program files\conexant\caudiofilteragent\caudiofilteragent64.exe"
+ "M-Audio Taskbar Icon"  "M-Audio Task Bar Icon Applet"  "Avid Technology, Inc."  "c:\windows\system32\m-audiotaskbaricon.exe"
+ "ncmgae"  ""  ""  "File not found: C:\Users\Luke\AppData\Roaming\ncmgae.dll"
+ "neapi"  ""  ""  "File not found: C:\Users\Luke\AppData\Roaming\neapi.dll"
+ "spnscs"  "DIA UK English language resource library"  "DIA Corporation"  "c:\users\luke\appdata\roaming\spnscs.dll"
+ "VDownloader"  "VDownloader"  "Vitzo"  "c:\program files\vdownloader\vdownloader.exe"

"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
+ "APSDaemon"  "Apple Push"  "Apple Inc."  "c:\program files (x86)\common files\apple\apple application support\apsdaemon.exe"
+ "AVG_UI"  "AVG User Interface"  "AVG Technologies CZ, s.r.o."  "c:\program files (x86)\avg\avg2013\avgui.exe"
+ "DigidesignMMERefresh"  "Digidesign MME Binder"  "Avid Technology, Inc.."  "c:\program files (x86)\digidesign\drivers\mmerefresh.exe"
+ "HP Software Update"  "hpwuSchd Application"  "Hewlett-Packard"  "c:\program files (x86)\hp\hp software update\hpwuschd2.exe"
+ "IAStorIcon"  "IAStorIcon"  "Intel Corporation"  "c:\program files (x86)\intel\intel® rapid storage technology\iastoricon.exe"
+ "ISBMgr.exe"  ""  "Sony Corporation"  "c:\program files (x86)\sony\isb utility\isbmgr.exe"
+ "iTunesHelper"  "iTunesHelper"  "Apple Inc."  "c:\program files (x86)\itunes\ituneshelper.exe"
+ "PMBVolumeWatcher"  "Media Check Tool"  "Sony Corporation"  "c:\program files (x86)\sony\pmb\pmbvolumewatcher.exe"
+ "QuickTime Task"  "QuickTime Task"  "Apple Inc."  "c:\program files (x86)\quicktime\qttask.exe"
+ "SunJavaUpdateSched"  "Java™ Update Scheduler"  "Sun Microsystems, Inc."  "c:\program files (x86)\common files\java\java update\jusched.exe"

"C:\Users\Luke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
+ "Monitora avvisi inchiostro - HP Deskjet 3070 B611 series (Rete).lnk"  "Print Driver Status Business Logic"  "Hewlett-Packard Co."  "c:\program files\hp\hp deskjet 3070 b611 series\bin\hpstatusbl.dll"

"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
+ "Microsoft Windows"  "Windows Mail"  "Microsoft Corporation"  "c:\program files\windows mail\winmail.exe"

"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
+ "Google Chrome"  "Google Chrome"  "Google Inc."  "c:\program files (x86)\google\chrome\application\25.0.1364.97\installer\chrmstp.exe"
+ "Microsoft Windows"  "Windows Mail"  "Microsoft Corporation"  "c:\program files (x86)\windows mail\winmail.exe"

"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
+ "DAEMON Tools Pro Agent"  "DAEMON Tools Pro Agent"  "DT Soft Ltd"  "c:\program files (x86)\daemon tools pro\dtagent.exe"
+ "HP Deskjet 3070 B611 series (NET)"  "ScanToPCActivationApp"  "Hewlett-Packard Co."  "c:\program files\hp\hp deskjet 3070 b611 series\bin\scantopcactivationapp.exe"
+ "Sidebar"  "Gadget per il desktop di Windows"  "Microsoft Corporation"  "c:\program files\windows sidebar\sidebar.exe"

"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers"
+ "Atheros"  "Estensione autenticazione Bluetooth"  "Atheros Commnucations"  "c:\program files (x86)\bluetooth suite\btvappext.dll"
+ "AVG Shell Extension"  "AVG Shell Extension"  "AVG Technologies CZ, s.r.o."  "c:\program files (x86)\avg\avg2013\avgsea.dll"
+ "WinRAR"  "WinRAR shell extension"  "Alexander Roshal"  "c:\program files (x86)\winrar\rarext64.dll"

"HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers"
+ "AVG Shell Extension"  "AVG Shell Extension"  "AVG Technologies CZ, s.r.o."  "c:\program files (x86)\avg\avg2013\avgse.dll"
+ "WinRAR32"  "WinRAR shell extension"  "Alexander Roshal"  "c:\program files (x86)\winrar\rarext.dll"

"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers"
+ "AddtoVAIOGate"  "VAIOGateShellExt"  "Sony Corporation"  "c:\program files\sony\vaio gate\vaiogateshellext.dll"
+ "FTShellContext"  "Bluetooth Tray"  "Atheros Commnucations"  "c:\program files (x86)\bluetooth suite\shellcontextext.dll"
+ "MBAMShlExt"  "Malwarebytes Anti-Malware"  "Malwarebytes Corporation"  "c:\program files (x86)\malwarebytes' anti-malware\mbamext.dll"

"HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers"
+ "Ath_CopyHook"  "AthCopyHook Dynamic Link Library"  "Atheros Commnucations"  "c:\program files (x86)\bluetooth suite\athcopyhook.dll"

"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers"
+ "Gadgets"  "Sidebar droptarget"  "Microsoft Corporation"  "c:\program files\windows sidebar\sbdrop.dll"
+ "NvCplDesktopContext"  ""  "NVIDIA Corporation"  "c:\windows\system32\nvshext.dll"

"HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers"
+ "Gadgets"  "Sidebar droptarget"  "Microsoft Corporation"  "c:\program files (x86)\windows sidebar\sbdrop.dll"

"HKLM\Software\Wow6432Node\Classes\Folder\Shellex\ColumnHandlers"
+ "PDF Shell Extension"  "PDF Shell Extension"  "Adobe Systems, Inc."  "c:\program files (x86)\common files\adobe\acrobat\activex\pdfshell.dll"

"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers"
+ "AddtoVAIOGate"  "VAIOGateShellExt"  "Sony Corporation"  "c:\program files\sony\vaio gate\vaiogateshellext.dll"
+ "AVG Shell Extension"  "AVG Shell Extension"  "AVG Technologies CZ, s.r.o."  "c:\program files (x86)\avg\avg2013\avgsea.dll"
+ "MBAMShlExt"  "Malwarebytes Anti-Malware"  "Malwarebytes Corporation"  "c:\program files (x86)\malwarebytes' anti-malware\mbamext.dll"
+ "WinRAR"  "WinRAR shell extension"  "Alexander Roshal"  "c:\program files (x86)\winrar\rarext64.dll"

"HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers"
+ "AVG Shell Extension"  "AVG Shell Extension"  "AVG Technologies CZ, s.r.o."  "c:\program files (x86)\avg\avg2013\avgse.dll"
+ "WinRAR32"  "WinRAR shell extension"  "Alexander Roshal"  "c:\program files (x86)\winrar\rarext.dll"

"HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers"
+ "WinRAR"  "WinRAR shell extension"  "Alexander Roshal"  "c:\program files (x86)\winrar\rarext64.dll"

"HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers"
+ "WinRAR32"  "WinRAR shell extension"  "Alexander Roshal"  "c:\program files (x86)\winrar\rarext.dll"

"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
+ "Java™ Plug-In 2 SSV Helper"  "Java™ Platform SE binary"  "Sun Microsystems, Inc."  "c:\program files\java\jre6\bin\jp2ssv.dll"
+ "McAfee Phishing Filter"  ""  ""  "File not found: c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL"
+ "Windows Live ID Sign-in Helper"  "Microsoft® Windows Live ID Login Helper"  "Microsoft Corp."  "c:\program files\common files\microsoft shared\windows live\windowslivelogin.dll"

"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
+ "Adobe PDF Link Helper"  "Adobe PDF Helper for Internet Explorer"  "Adobe Systems Incorporated"  "c:\program files (x86)\common files\adobe\acrobat\activex\acroiehelpershim.dll"
+ "Bing Bar Helper"  "Bing Client Extensions"  "Microsoft Corporation."  "c:\program files (x86)\microsoft\bingbar\bingext.dll"
+ "CIESpeechBHO Class"  "Bluetooth IE PlugIn"  "Atheros Commnucations"  "c:\program files (x86)\bluetooth suite\ieplugin.dll"
+ "Guida per l'accesso a Windows Live ID"  "Microsoft® Windows Live ID Login Helper"  "Microsoft Corp."  "c:\program files (x86)\common files\microsoft shared\windows live\windowslivelogin.dll"
+ "Java™ Plug-In 2 SSV Helper"  "Java™ Platform SE binary"  "Oracle Corporation"  "c:\program files (x86)\oracle\javafx 2.1 runtime\bin\jp2ssv.dll"
+ "Java™ Plug-In SSV Helper"  "Java™ Platform SE binary"  "Oracle Corporation"  "c:\program files (x86)\oracle\javafx 2.1 runtime\bin\ssv.dll"
+ "McAfee Phishing Filter"  ""  ""  "File not found: c:\progra~1\mcafee\msk\mskapbho.dll"

"HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar"
+ "Bing"  "Bing Client Extensions"  "Microsoft Corporation."  "c:\program files (x86)\microsoft\bingbar\bingext.dll"

"HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions"
+ "Pubblica su un &blog in Windows Live Writer"  "Windows Live Writer Blog This Extension"  "Microsoft Corporation"  "c:\program files (x86)\windows live\writer\writerbrowserextension.dll"
+ "Send by Bluetooth to"  "Bluetooth IE PlugIn"  "Atheros Commnucations"  "c:\program files (x86)\bluetooth suite\ieplugin.dll"
+ "SmartPrint"  "HP Smart Print Setup"  "Hewlett-Packard"  "c:\program files (x86)\hewlett-packard\smartprint\smartprintsetup.exe"

"Task Scheduler"
+ "\Adobe Flash Player Updater"  "Adobe® Flash® Player Update Service 11.3 r300"  "Adobe Systems Incorporated"  "c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe"
+ "\Apple\AppleSoftwareUpdate"  "Apple Software Update"  "Apple Inc."  "c:\program files (x86)\apple software update\softwareupdate.exe"
+ "\GoogleUpdateTaskMachineCore"  "Google Installer"  "Google Inc."  "c:\program files (x86)\google\update\googleupdate.exe"
+ "\GoogleUpdateTaskMachineUA"  "Google Installer"  "Google Inc."  "c:\program files (x86)\google\update\googleupdate.exe"
+ "\HP Photo Creations Messager"  ""  ""  "c:\programdata\hp photo creations\messagecheck.exe"
+ "\HPCustParticipation HP Deskjet 3070 B611 series"  "HP Customer Participation."  "Hewlett-Packard Co."  "c:\program files\hp\hp deskjet 3070 b611 series\bin\hpcustpartic.exe"
+ "\Microsoft\Windows Live\SOXE\Extractor Definitions Update Task"  "Windows Live Social Object Extractor Engine"  "Microsoft Corporation"  "c:\program files (x86)\windows live\soxe\wlsoxe.dll"
+ "\Microsoft\Windows\NetTrace\GatherNetworkInfo"  ""  ""  "c:\windows\system32\gathernetworkinfo.vbs"
+ "\Microsoft\Windows\Windows Media Sharing\UpdateLibrary"  "Applicazione di configurazione Servizio di condivisione in rete Windows Media Player"  "Microsoft Corporation"  "c:\program files\windows media player\wmpnscfg.exe"
+ "\SidebarExecute"  "Gadget per il desktop di Windows"  "Microsoft Corporation"  "c:\program files\windows sidebar\sidebar.exe"
+ "\Sony Corporation\VAIO Care\VAIO Care"  "VAIO Care"  "Sony Corporation"  "c:\program files\sony\vaio care\vcsystray.exe"
+ "\Sony Corporation\VAIO Care\VCOneClick"  "VCOneClick"  "Sony Corporation"  "c:\program files\sony\vaio care\vconeclick.exe"
+ "\Sony Corporation\VAIO Improvement Validation\VAIO Improvement Validation"  "VAIO Improvement Validation"  "Sony Corporation"  "c:\program files\sony\vaio improvement validation\viv.exe"
+ "\Sony Corporation\VAIO Improvement\VAIOImprovementUploader"  "viuploader"  "Sony Corporation"  "c:\program files\sony\vaio improvement\viuploader.exe"
+ "\Sony Corporation\VAIO Smart Network\VSN Logon Start"  "VAIO Smart Network"  "Sony Corporation"  "c:\program files\sony\vaio smart network\vsnclient.exe"
+ "\Sony Corporation\VAIO Update\VAIO Update 5"  "VAIO Update"  "Sony Corporation"  "c:\program files\sony\vaio update 5\vaioupdt.exe"
+ "\SONY\VAIO Gate\StartExecuteProxy"  "VAIO Gate"  "Sony Corporation"  "c:\program files\sony\vaio gate\executionproxy.exe"
+ "\SONY\VAIO Gate\VAIO Gate"  "VAIO Gate"  "Sony Corporation"  "c:\program files\sony\vaio gate\vaio gate.exe"
+ "\{8FDD410D-D418-47CD-8B26-204E74406839}"  ""  ""  "c:\program files (x86)\onda connection manager\uimain.exe"

"HKLM\System\CurrentControlSet\Services"
+ "ACDaemon"  "ArcSoft Connect Service"  "ArcSoft Inc."  "c:\program files (x86)\common files\arcsoft\connection service\bin\acservice.exe"
+ "AdobeFlashPlayerUpdateSvc"  "Questo servizio mantiene aggiornata l'installazione di Adobe Flash Player con gli ultimi miglioramenti e le più recenti correzioni relative alla sicurezza."  "Adobe Systems Incorporated"  "c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe"
+ "Apple Mobile Device"  "Provides the interface to Apple mobile devices."  "Apple Inc."  "c:\program files (x86)\common files\apple\mobile device support\applemobiledeviceservice.exe"
+ "Atheros Bt&Wlan Coex Agent"  "Co-existence Coordinator Service between 11a/b/g/n Wireless LAN and Bluetooth."  "Atheros"  "c:\program files (x86)\bluetooth suite\ath_coexagent.exe"
+ "AtherosSvc"  "Atheros BT Stack Service Agent"  "Atheros Commnucations"  "c:\program files (x86)\bluetooth suite\adminservice.exe"
+ "AVGIDSAgent"  "Provides Identity Protection Against Cyber Crime."  "AVG Technologies CZ, s.r.o."  "c:\program files (x86)\avg\avg2013\avgidsagent.exe"
+ "avgwd"  "AVG Watchdog Service"  "AVG Technologies CZ, s.r.o."  "c:\program files (x86)\avg\avg2013\avgwdsvc.exe"
+ "BBSvc"  "Keeps Bing Bar up-to-date. Disabling this service might prevent updates and expose your computer to security vulnerabilities or functional flaws in Bing Bar."  "Microsoft Corporation."  "c:\program files (x86)\microsoft\bingbar\bbsvc.exe"
+ "BBUpdate"  "Enables the detection, download and installation of up-to-date configuration files for Bing Bar. Also provides server communication for the customer experience improvement program. Stopping or disabling this service may prevent you from getting the latest updates for Bing Bar, which may expose your computer to security vulnerabilities or functional flaws in the Bing Bar."  "Microsoft Corporation"  "c:\program files (x86)\microsoft\bingbar\seaport.exe"
+ "Bonjour Service"  "Enables hardware devices and software services to automatically configure themselves on the network and advertise their presence."  "Apple Inc."  "c:\program files\bonjour\mdnsresponder.exe"
+ "cvhsvc"  "Client Virtualization Handler Service (unlocalized description)"  "Microsoft Corporation"  "c:\program files (x86)\common files\microsoft shared\virtualization handler\cvhsvc.exe"
+ "DigiRefresh"  "Digidesign MME Binder"  "Avid Technology, Inc.."  "c:\program files (x86)\digidesign\drivers\mmerefresh.exe"
+ "gupdate"  "Keeps your Google software up to date. If this service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Google software using it."  "Google Inc."  "c:\program files (x86)\google\update\googleupdate.exe"
+ "gupdatem"  "Keeps your Google software up to date. If this service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Google software using it."  "Google Inc."  "c:\program files (x86)\google\update\googleupdate.exe"
+ "IAStorDataMgrSvc"  "Fornisce la notifica degli eventi di archiviazione e gestisce le comunicazioni tra il driver di archiviazione e le applicazioni dello spazio utente."  "Intel Corporation"  "c:\program files (x86)\intel\intel® rapid storage technology\iastordatamgrsvc.exe"
+ "IconMan_R"  "Realtek Card Reader Icon Tool."  "Realsil Microelectronics Inc."  "c:\program files (x86)\realtek\realtek pcie card reader\riconman.exe"
+ "iPod Service"  "iPod hardware management services"  "Apple Inc."  "c:\program files\ipod\bin\ipodservice.exe"
+ "LMS"  "Allows applications to access the local Intel® Management and Security Application using its locally-available selected network interfaces."  "Intel Corporation"  "c:\program files (x86)\intel\intel® management engine components\lms\lms.exe"
+ "MBAMScheduler"  "Malwarebytes Anti-Malware scheduler"  "Malwarebytes Corporation"  "c:\program files (x86)\malwarebytes' anti-malware\mbamscheduler.exe"
+ "MBAMService"  "Malwarebytes Anti-Malware service"  "Malwarebytes Corporation"  "c:\program files (x86)\malwarebytes' anti-malware\mbamservice.exe"
+ "Mobile Broadband HL Service"  "Provide service for mobile broadband device."  ""  "c:\programdata\mobilebrserv\mbbservice.exe"
+ "NVSvc"  "NVIDIA Driver Helper Service, Version 267.21"  "NVIDIA Corporation"  "c:\windows\system32\nvvsvc.exe"
+ "ose"  "Salva i file di installazione utilizzati per operazioni di aggiornamento e ripristino ed è necessario per il download di aggiornamenti al programma di installazione e per segnalazioni errori Watson."  "Microsoft Corporation"  "c:\program files (x86)\common files\microsoft shared\source engine\ose.exe"
+ "osppsvc"  "Office Software Protection Platform Service (unlocalized description)"  "Microsoft Corporation"  "c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe"
+ "PMBDeviceInfoProvider"  "Abilita la comunicazione tra PMB e la periferica."  "Sony Corporation"  "c:\program files (x86)\sony\pmb\pmbdeviceinfoprovider.exe"
+ "SampleCollector"  "Checks the systems performance for VAIO Care."  "Sony Corporation"  "c:\program files\sony\vaio care\vcperfservice.exe"
+ "sftlist"  "Streams and manages applications."  "Microsoft Corporation"  "c:\program files (x86)\microsoft application virtualization client\sftlist.exe"
+ "sftvsa"  "Monitors global service events and launches virtual services."  "Microsoft Corporation"  "c:\program files (x86)\microsoft application virtualization client\sftvsa.exe"
+ "SkypeUpdate"  "Enables the detection, download and installation of updates for Skype."  "Skype Technologies"  "c:\program files (x86)\skype\updater\updater.exe"
+ "SOHCImp"  "VAIO Content Importer"  "Sony Corporation"  "c:\program files (x86)\common files\sony shared\sohlib\sohcimp.exe"
+ "SOHDs"  "VAIO Device Searcher"  "Sony Corporation"  "c:\program files (x86)\common files\sony shared\sohlib\sohds.exe"
+ "SpfService"  "VAIO Entertainment Common Service"  "Sony Corporation"  "c:\program files\common files\sony shared\vaio entertainment platform\spf\spfservice64.exe"
+ "Stereo Service"  "Provides system support for NVIDIA Stereoscopic 3D driver"  "NVIDIA Corporation"  "c:\program files (x86)\nvidia corporation\3d vision\nvscpapisvr.exe"
+ "uCamMonitor"  "Monitor the status of the webcam on PC startup."  "ArcSoft, Inc."  "c:\program files (x86)\arcsoft\magic-i visual effects 2\ucammonitor.exe"
+ "UNS"  "Intel® Management and Security Application User Notification Service - Updates the Windows Event Log with notifications of pre defined events received from the local Intel® Management and Security Application Device."  "Intel Corporation"  "c:\program files (x86)\intel\intel® management engine components\uns\uns.exe"
+ "VAIO Event Service"  "Fornisce la gestione degli eventi hardware per VAIO. Durante il completamento di questo servizio, alcune funzionalità, quali il pulsante S, i tasti di scelta rapida e le impostazioni di risparmio energia originali VAIO, sono limitate."  "Sony Corporation"  "c:\program files (x86)\sony\vaio event service\vesmgr.exe"
+ "VCFw"  "VAIO Content Folder Watcher"  "Sony Corporation"  "c:\program files (x86)\common files\sony shared\vaio content folder watcher\vcfw.exe"
+ "VcmIAlzMgr"  "Fornisce la funzione di analisi del contenuto utilizzata con il software originale VAIO."  "Sony Corporation"  "c:\program files\sony\vcm intelligent analyzing manager\vcmialzmgr.exe"
+ "VcmINSMgr"  "Fornisce la funzione del servizio di richiamo delle informazioni utilizzata con il software originale VAIO."  "Sony Corporation"  "c:\program files\sony\vcm intelligent network service manager\vcminsmgr.exe"
+ "VcmXmlIfHelper"  "VcmXml Helper Interface"  "Sony Corporation"  "c:\program files\common files\sony shared\vcmxml\vcmxmlifhelper64.exe"
+ "VCService"  "Fornisce la funzionalità VAIO Care di importanza cruciale. Se il servizio viene interrotto o disabilitato, VAIO Care potrebbe non funzionare correttamente."  "Sony Corporation"  "c:\program files\sony\vaio care\vcservice.exe"
+ "VSNService"  "VAIO Smart Network Service"  "Sony Corporation"  "c:\program files\sony\vaio smart network\vsnservice.exe"
+ "VUAgent"  "Agent for VAIO Update."  "Sony Corporation"  "c:\program files\sony\vaio update 5\vuagent.exe"
+ "wlidsvc"  "Abilita l'autenticazione di Windows Live ID."  "Microsoft Corp."  "c:\program files\common files\microsoft shared\windows live\wlidsvc.exe"
+ "WMPNetworkSvc"  "Consente di condividere il Catalogo multimediale di Windows Media Player con altri lettori e dispositivi multimediali in rete mediante Universal Plug and Play"  "Microsoft Corporation"  "c:\program files\windows media player\wmpnetwk.exe"

"HKLM\System\CurrentControlSet\Services"
+ "adp94xx"  "Adaptec Windows SAS/SATA Storport Driver"  "Adaptec, Inc."  "c:\windows\system32\drivers\adp94xx.sys"
+ "adpahci"  "Adaptec Windows SATA Storport Driver"  "Adaptec, Inc."  "c:\windows\system32\drivers\adpahci.sys"
+ "adpu320"  "Adaptec StorPort Ultra320 SCSI Driver (X64)"  "Adaptec, Inc."  "c:\windows\system32\drivers\adpu320.sys"
+ "aliide"  "ALi mini IDE Driver"  "Acer Laboratories Inc."  "c:\windows\system32\drivers\aliide.sys"
+ "amdsata"  "AHCI 1.2 Device Driver"  "Advanced Micro Devices"  "c:\windows\system32\drivers\amdsata.sys"
+ "amdsbs"  "AMD Technology AHCI Compatible Controller Driver for Windows - AMD64 platform"  "AMD Technologies Inc."  "c:\windows\system32\drivers\amdsbs.sys"
+ "amdxata"  "Storage Filter Driver"  "Advanced Micro Devices"  "c:\windows\system32\drivers\amdxata.sys"
+ "ApfiltrService"  "Alps Touch Pad Driver"  "Alps Electric Co., Ltd."  "c:\windows\system32\drivers\apfiltr.sys"
+ "arc"  "Adaptec RAID Storport Driver"  "Adaptec, Inc."  "c:\windows\system32\drivers\arc.sys"
+ "arcsas"  "Adaptec SAS RAID WS03 Driver"  "Adaptec, Inc."  "c:\windows\system32\drivers\arcsas.sys"
+ "ArcSoftKsUFilter"  "For X64"  "ArcSoft, Inc."  "c:\windows\system32\drivers\arcsoftksufilter.sys"
+ "AthBTPort"  "Atheros FILTER driver"  "Atheros"  "c:\windows\system32\drivers\btath_flt.sys"
+ "ATHDFU"  "BulkUsb Driver"  "Windows ® Win 7 DDK provider"  "c:\windows\system32\drivers\athdfu.sys"
+ "athr"  "Atheros Extensible Wireless LAN device driver"  "Atheros Communications, Inc."  "c:\windows\system32\drivers\athrx.sys"
+ "AVGIDSDriver"  "AVG Technologies IDS Application Activity Monitor Driver"  "AVG Technologies CZ, s.r.o. "  "c:\windows\system32\drivers\avgidsdrivera.sys"
+ "AVGIDSHA"  "AVG Technologies IDS Application Activity Monitor Helper Driver"  "AVG Technologies CZ, s.r.o. "  "c:\windows\system32\drivers\avgidsha.sys"
+ "Avgldx64"  "AVG AVI Loader Driver"  "AVG Technologies CZ, s.r.o."  "c:\windows\system32\drivers\avgldx64.sys"
+ "Avgloga"  "AVG Logging Driver"  "AVG Technologies CZ, s.r.o."  "c:\windows\system32\drivers\avgloga.sys"
+ "Avgmfx64"  "AVG Resident Shield Minifilter Driver"  "AVG Technologies CZ, s.r.o."  "c:\windows\system32\drivers\avgmfx64.sys"
+ "Avgrkx64"  "AVG Anti-Rootkit Driver"  "AVG Technologies CZ, s.r.o."  "c:\windows\system32\drivers\avgrkx64.sys"
+ "Avgtdia"  "AVG Network connection watcher"  "AVG Technologies CZ, s.r.o."  "c:\windows\system32\drivers\avgtdia.sys"
+ "b06bdrv"  "Broadcom NetXtreme II GigE VBD"  "Broadcom Corporation"  "c:\windows\system32\drivers\bxvbda.sys"
+ "b57nd60a"  "Broadcom NetXtreme Gigabit Ethernet NDIS6.x Unified Driver."  "Broadcom Corporation"  "c:\windows\system32\drivers\b57nd60a.sys"
+ "BrFiltLo"  "Windows ME USB Mass-Storage Bulk-Only Lower Filter Driver"  "Brother Industries, Ltd."  "c:\windows\system32\drivers\brfiltlo.sys"
+ "BrFiltUp"  "Windows ME USB Mass-Storage
Bulk-Only Upper Filter Driver"                "Brother
Industries, Ltd."                "c:\windows\system32\drivers\brfiltup.sys"



+
"Brserid"          "Driver
I/F seriale Brother (WDM)"          "Brother
Industries Ltd."                "c:\windows\system32\drivers\brserid.sys"



+
"BrSerWdm"  "Brother Serial
driver (WDM version)"   "Brother
Industries Ltd."                "c:\windows\system32\drivers\brserwdm.sys"



+
"BrUsbMdm" "Brother USB MDM
Driver "        "Brother
Industries Ltd."                "c:\windows\system32\drivers\brusbmdm.sys"



+
"BrUsbSer"     "Brother USB
Serial Driver"          "Brother
Industries Ltd."                "c:\windows\system32\drivers\brusbser.sys"



+
"BTATH_A2DP"             "Atheros
A2DP driver"   "Atheros"            "c:\windows\system32\drivers\btath_a2dp.sys"



+
"btath_avdt"  "Atheros
Bluetooth AVDT driver"             "Atheros"            "c:\windows\system32\drivers\btath_avdt.sys"



+
"BTATH_BUS"                "Atheros
BUS driver"     "Atheros"            "c:\windows\system32\drivers\btath_bus.sys"



+
"BTATH_HCRP"             "Atheros
HCRP driver"   "Atheros"            "c:\windows\system32\drivers\btath_hcrp.sys"



+
"BTATH_LWFLT"           "Atheros
FILTER driver" "Atheros"            "c:\windows\system32\drivers\btath_lwflt.sys"



+
"BTATH_RCP"                "Atheros
AVRCP driver"                "Atheros"            "c:\windows\system32\drivers\btath_rcp.sys"



+
"BtFilter"          "BtFilter
Driver"                "Atheros"            "c:\windows\system32\drivers\btfilter.sys"



+
"cmdide"         "CMD PCI
IDE Bus Driver"             "CMD
Technology, Inc."                "c:\windows\system32\drivers\cmdide.sys"



+
"CnxtHdAudService"  "64-bit
High Definition Audio Function Driver"    "Conexant
Systems Inc."                "c:\windows\system32\drivers\chdrt64.sys"



+
"dtsoftbus01"                "DAEMON
Tools Virtual Bus Driver"         "DT
Soft Ltd"                "c:\windows\system32\drivers\dtsoftbus01.sys"



+
"e1yexpress" "Intel®
Gigabit Network Connection NDIS 6 deserialized driver"             "Intel Corporation"                "c:\windows\system32\drivers\e1y60x64.sys"



+ "ebdrv"            "Broadcom NetXtreme II 10 GigE
VBD"  "Broadcom
Corporation"                "c:\windows\system32\drivers\evbda.sys"



+
"elxstor"          "Storport
Miniport Driver for LightPulse HBAs"   "Emulex"             "c:\windows\system32\drivers\elxstor.sys"



+
"GEARAspiWDM"         "CD
DVD Filter" "GEAR Software
Inc."     "c:\windows\system32\drivers\gearaspiwdm.sys"



+
"hcw85cir"       "Hauppauge
WinTV 885 Consumer IR Driver for eHome"               "Hauppauge
Computer Works, Inc."                "c:\windows\system32\drivers\hcw85cir.sys"



+
"HpSAMD"      "Smart Array
SAS/SATA Controller Media Driver"              "Hewlett-Packard
Company"                "c:\windows\system32\drivers\hpsamd.sys"



+
"iaStor"             "Intel
Rapid Storage Technology driver - x64"      "Intel
Corporation"                "c:\windows\system32\drivers\iastor.sys"



+
"iaStorV"          "Intel
Matrix Storage Manager driver - x64"         "Intel
Corporation"                "c:\windows\system32\drivers\iastorv.sys"



+
"iirsp"                "Intel/ICP
Raid Storport Driver" "Intel
Corp./ICP vortex GmbH"  "c:\windows\system32\drivers\iirsp.sys"



+
"LSI_FC"           "LSI
Fusion-MPT FC Driver (StorPort)"    "LSI
Corporation"             "c:\windows\system32\drivers\lsi_fc.sys"



+
"LSI_SAS"        "LSI
Fusion-MPT SAS Driver (StorPort)"  "LSI
Corporation"             "c:\windows\system32\drivers\lsi_sas.sys"



+
"LSI_SAS2"      "LSI SAS
Gen2 Driver (StorPort)"               "LSI
Corporation"                "c:\windows\system32\drivers\lsi_sas2.sys"



+
"LSI_SCSI"       "LSI
Fusion-MPT SCSI Driver (StorPort)" "LSI
Corporation"             "c:\windows\system32\drivers\lsi_scsi.sys"



+
"MAUSBFASTTRACK" "M-Audio
USB Audio Driver (WDM)"      "Avid
Technology, Inc."                "c:\windows\system32\drivers\maudiofasttrack.sys"



+
"MBAMProtector"       "Malwarebytes
Anti-Malware"  "Malwarebytes
Corporation"                "c:\windows\system32\drivers\mbam.sys"



+
"megasas"       "MEGASAS
RAID Controller Driver for Windows 7\Server 2008 R2 for x64"             "LSI Corporation"                "c:\windows\system32\drivers\megasas.sys"



+
"MegaSR"        "LSI
MegaRAID Software RAID Driver"    "LSI
Corporation, Inc."                "c:\windows\system32\drivers\megasr.sys"



+
"MEIx64"         "Intel®
Management Engine Interface"              "Intel
Corporation"                "c:\windows\system32\drivers\hecix64.sys"



+
"nfrd960"         "IBM
ServeRAID Controller Driver"          "IBM
Corporation"                "c:\windows\system32\drivers\nfrd960.sys"



+
"NVHDA"         "NVIDIA
HDMI Audio Driver"      "NVIDIA
Corporation"    "c:\windows\system32\drivers\nvhda64v.sys"



+
"nvlddmkm"   "NVIDIA
Windows Kernel Mode Driver, Version 267.21 "               "NVIDIA Corporation"                "c:\windows\system32\drivers\nvlddmkm.sys"



+
"nvraid"            "NVIDIA®
nForce™ RAID Driver"         "NVIDIA
Corporation"    "c:\windows\system32\drivers\nvraid.sys"



+
"nvstor"           "NVIDIA®
nForce™ Sata Performance Driver"               "NVIDIA
Corporation"                "c:\windows\system32\drivers\nvstor.sys"



+
"ONDAusbmdm6k"     "USB
Modem/Serial Device Driver"         "Onda
Communication"                "c:\windows\system32\drivers\ondausbmdm6k.sys"



+
"ONDAusbnet"             "USB
NDIS Miniport Driver"         "ONDA
Corporation"                "c:\windows\system32\drivers\ondausbnet.sys"



+
"ONDAusbnmea"         "USB
Modem/Serial Device Driver"         "Onda
Communication"                "c:\windows\system32\drivers\ondausbnmea.sys"



+
"ONDAusbser6k"         "USB
Modem/Serial Device Driver"         "Onda
Communication"                "c:\windows\system32\drivers\ondausbser6k.sys"



+
"ql2300"           "QLogic
Fibre Channel Stor Miniport Driver"        "QLogic
Corporation"                "c:\windows\system32\drivers\ql2300.sys"



+
"ql40xx"           "QLogic
iSCSI Storport Miniport Driver"  "QLogic
Corporation"     "c:\windows\system32\drivers\ql40xx.sys"



+
"RimUsb"         "BlackBerry
Device Driver"           "Research
In Motion Limited"                "c:\windows\system32\drivers\rimusb_amd64.sys"



+
"RSPCIESTOR"                "Realtek
Pcie CardReader Driver for 2K/XP/Vista/Win7"                "Realtek Semiconductor Corp."                "c:\windows\system32\drivers\rtspstor.sys"



+
"RTL8167"        "Realtek
8136/8168/8169 NDIS 6.20 64-bit Driver                "             "Realtek                                           
"                "c:\windows\system32\drivers\rt64win7.sys"



+
"secdrv"           "Macrovision
SECURITY Driver"  "Macrovision
Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia
K.K."       "c:\windows\system32\drivers\secdrv.sys"



+
"SFEP"               "Sony
Firmware Extension Parser driver"              "Sony
Corporation"                "c:\windows\system32\drivers\sfep.sys"



+
"SiSRaid2"        "SiS RAID
Stor Miniport Driver"  "Silicon
Integrated Systems Corp."                "c:\windows\system32\drivers\sisraid2.sys"



+
"SiSRaid4"        "SiS AHCI
Stor-Miniport Driver" "Silicon
Integrated Systems"                "c:\windows\system32\drivers\sisraid4.sys"



+
"stexstor"        "Promise  SuperTrak EX Series Driver for Windows "        "Promise Technology"                "c:\windows\system32\drivers\stexstor.sys"



+
"Tpkd"              "64bit
Tpkd Device Driver"           "PACE
Anti-Piracy, Inc." "c:\windows\system32\drivers\tpkd.sys"



+
"USBAAPL64" "Apple Mobile
Device USB Driver"           "Apple,
Inc."      "c:\windows\system32\drivers\usbaapl64.sys"



+
"viaide"            "VIA
Generic PCI IDE Bus Driver"               "VIA
Technologies, Inc."                "c:\windows\system32\drivers\viaide.sys"



+
"vsmraid"        "VIA RAID
DRIVER FOR AMD-X86-64"      "VIA
Technologies Inc.,Ltd"                "c:\windows\system32\drivers\vsmraid.sys"



"HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Drivers32"    ""            ""            ""



+
"msacm.l3acm"             "MPEG
Layer-3 Audio Codec for MSACM"            "Fraunhofer
Institut Integrierte Schaltungen IIS"                "c:\windows\system32\l3codeca.acm"



"HKLM\Software\Wow6432Node\Microsoft\Windows
NT\CurrentVersion\Drivers32"  ""            ""            ""



+
"msacm.l3acm"             "MPEG
Layer-3 Audio Codec for MSACM"            "Fraunhofer
Institut Integrierte Schaltungen IIS"                "c:\windows\syswow64\l3codeca.acm"



+
"vidc.cvid"       "Codec
Cinepak®"           "Radius
Inc."      "c:\windows\syswow64\iccvid.dll"



"HKLM\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance"               ""            ""                ""



+
"Capture File Writer"  "Windows
Live Video Acquisition Filters"              "Microsoft
Corporation"               "c:\program
files (x86)\windows live\photo gallery\wlxvafilt.dll"



+
"Record Queue"           "Windows
Live Video Acquisition Filters"              "Microsoft
Corporation"               "c:\program
files (x86)\windows live\photo gallery\wlxvafilt.dll"



+ "VAIO
Content Metadata Univ Filter" "DirectShow
Filter for VCM Intelligent Analyzing Manager"          "Sony Corporation"                "c:\program files\sony\vcm intelligent analyzing
manager\vcmsmplcapflt.ax"



+
"VcmIAlzGPDFilter"     "VCM
Intelligent Analyzing Manager GPD Library"            "Sony
Corporation"         "c:\program
files\sony\vcm intelligent analyzing manager\vcmialzgpdfilter.ax"



+
"VcmIAlzGPDFilter2"  "VCM
Intelligent Analyzing Manager GPD Library"            "Sony
Corporation"         "c:\program
files\sony\vcm intelligent analyzing manager\vcmialzgpdfilter2.ax"



+ "WM
VIH2 Fix"              "Windows
Live Video Acquisition Filters"              "Microsoft
Corporation"               "c:\program
files (x86)\windows live\photo gallery\wlxvafilt.dll"



+ "WMT
DV Extract Filter"            "Windows
Live Video Acquisition Filters"              "Microsoft
Corporation"               "c:\program
files (x86)\windows live\photo gallery\wlxvafilt.dll"



+ "WMT
Sample Info Filter"         "Windows
Live Video Acquisition Filters"              "Microsoft
Corporation"               "c:\program
files (x86)\windows live\photo gallery\wlxvafilt.dll"



+ "WMT
Switch Filter"    "Windows Live
Video Acquisition Filters"              "Microsoft
Corporation"               "c:\program
files (x86)\windows live\photo gallery\wlxvafilt.dll"



+ "WMT
Virtual Renderer"           "Windows
Live Video Acquisition Filters"              "Microsoft
Corporation"               "c:\program
files (x86)\windows live\photo gallery\wlxvafilt.dll"



+ "WMT
Virtual Source"                "Windows
Live Video Acquisition Filters"              "Microsoft
Corporation"               "c:\program
files (x86)\windows live\photo gallery\wlxvafilt.dll"



"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential
Providers"                ""            ""            ""



+
"WLIDCredentialProvider"       "Microsoft®
Windows Live ID Credential Provider"           "Microsoft
Corp."            "c:\program files\common
files\microsoft shared\windows live\wlidcredprov.dll"



"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries"      ""            ""                ""



+
"mdnsNSP"     "Bonjour
Namespace Provider"                "Apple
Inc."        "c:\program files
(x86)\bonjour\mdnsnsp.dll"



+
"WindowsLive Local NSP"         "Microsoft®
Windows Live ID Namespace Provider"        "Microsoft
Corp."            "c:\program
files (x86)\common files\microsoft shared\windows live\wlidnsp.dll"



+
"WindowsLive NSP"    "Microsoft®
Windows Live ID Namespace Provider"        "Microsoft
Corp."            "c:\program
files (x86)\common files\microsoft shared\windows live\wlidnsp.dll"



"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64" ""            ""                ""



+
"mdnsNSP"     "Bonjour
Namespace Provider"                "Apple
Inc."        "c:\program
files\bonjour\mdnsnsp.dll"



+
"WindowsLive Local NSP"         "Microsoft®
Windows Live ID Namespace Provider"        "Microsoft
Corp."            "c:\program
files\common files\microsoft shared\windows live\wlidnsp.dll"



+
"WindowsLive NSP"    "Microsoft®
Windows Live ID Namespace Provider"        "Microsoft
Corp."            "c:\program
files\common files\microsoft shared\windows live\wlidnsp.dll"



"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors"     ""            ""            ""



+ "HP
a211 Status Monitor"         "Print
Status Language Monitor"               "Hewlett-Packard
Co."                "c:\windows\system32\hpinkstsa211lm.dll"



+ "HP
Discovery Port Monitor (HP Deskjet 3070 B611 series)"      "HP Discovery Port Monitor"      "Hewlett-Packard Co."                "c:\windows\system32\hpdiscopma211.dll"



"C:\Users\Luke\AppData\Local\Microsoft\Windows
Sidebar\Settings.ini"            ""            ""            ""



+
"AVG"               "AVG"   "AVG Technologies"       "C:\Program Files\Windows
Sidebar\Shared Gadgets\AVG.Gadget\\Gadget.xml"



 



#8 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:06:17 AM

Posted 28 February 2013 - 04:10 PM

Please post all the logs here

 

http://pastebin.com/ and post the generated link here



#9 moss_1184

moss_1184
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 28 February 2013 - 04:14 PM

Never used Pastebin but I think I used it right.  Pasted everything from the post above, and then added on the MiniToolBox log after the rest.  Thanks again.

 

http://pastebin.com/K3vtXAA7



#10 moss_1184

moss_1184
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 28 February 2013 - 04:18 PM

It's worth noting that right now there are no phantom IE windows open in the background.  Don't know if that will last though.



#11 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:06:17 AM

Posted 28 February 2013 - 04:27 PM


Run the services repair tool

http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe

Run Farbar service scanner again and post the new log


Edited by narenxp, 28 February 2013 - 05:21 PM.


#12 moss_1184

moss_1184
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 28 February 2013 - 04:55 PM

Here are the two logs you asked for.  Thanks for the help!

Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 02/28/2013 09:33:56 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity: 

 * Driver di autorizzazione di Windows Firewall (mpsdrv) is not Running.
   Startup Type set to: Manual

 * BFE [Missing Service]
 * iphlpsvc [Missing Service]
 * WinDefend [Missing Service]
 * wscsvc [Missing Service]

 * MpsSvc [Missing ImagePath]
 * SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures: 

 * No issues found.

Checking HOSTS File: 

 * No issues found.

Program finished at: 02/28/2013 09:34:18 PM
Execution time: 0 hours(s), 0 minute(s), and 21 seconds(s)


Farbar Service Scanner Version: 20-02-2013
Ran by Luke (administrator) on 28-02-2013 at 21:50:42
Running from "C:\Users\Luke\Downloads"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****


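The two logs in this post look at the same things from two angles: whether a set of core Windows services still exist under HKLM\SYSTEM\CurrentControlSet\Services, whether each has a sane start type and ImagePath, and whether the Windows Defender policy value DisableAntiSpyware has been set. Adware that spawns hidden browser instances commonly arrives with exactly this kind of collateral damage, so being able to re-run the check after a repair is useful. The PowerShell below is an added, read-only example that is not part of this thread and is not code from Rkill, Farbar Service Scanner or narenxp; it covers the services the Rkill log names. The expected start types are my assumption for a default Windows 7 install (the Farbar log itself only states that WinDefend's default is Auto), and the script changes nothing, it only reports.

```powershell
# Added example: read-only integrity check modelled on the Rkill and Farbar
# findings above. Expected Start values (2 = Automatic, 3 = Manual,
# 4 = Disabled) are assumptions for a default Windows 7 install; the Farbar
# log only confirms WinDefend's default ("The default start type is Auto").
$expected = [ordered]@{
    'BFE'          = 2   # Base Filtering Engine
    'MpsSvc'       = 2   # Windows Firewall
    'mpsdrv'       = 3   # Windows Firewall Authorization Driver (kernel driver)
    'wscsvc'       = 2   # Security Center
    'iphlpsvc'     = 2   # IP Helper
    'WinDefend'    = 2   # Windows Defender
    'SharedAccess' = 3   # Internet Connection Sharing
}

function Test-ServiceIntegrity {
    # One record per service, mirroring Rkill's "[Missing Service]" and
    # "[Missing ImagePath]" findings and Farbar's start-type comparison.
    $results = foreach ($name in $expected.Keys) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $key)) {
            [pscustomobject]@{ Service = $name; Finding = 'Missing Service'; Start = $null; State = $null; ImagePath = $null }
            continue
        }
        $props = Get-ItemProperty -Path $key
        $state = (Get-Service -Name $name -ErrorAction SilentlyContinue).Status
        $finding = if ([string]::IsNullOrEmpty($props.ImagePath)) {
            'Missing ImagePath'
        } elseif ($props.Start -ne $expected[$name]) {
            "Start type $($props.Start), expected $($expected[$name])"
        } else {
            'OK'
        }
        [pscustomobject]@{ Service = $name; Finding = $finding; Start = $props.Start; State = $state; ImagePath = $props.ImagePath }
    }
    $results
}

function Test-DefenderPolicy {
    # Both logs flag HKLM\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = 1.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $value = (Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($value -eq 1) {
        "DisableAntiSpyware = $value (Windows Defender disabled by policy value)"
    } else {
        'DisableAntiSpyware not set'
    }
}

Test-ServiceIntegrity | Format-Table -AutoSize
Test-DefenderPolicy
```

Run it from an elevated PowerShell prompt so the service keys are readable. A "Missing Service" row for BFE or MpsSvc, or a DisableAntiSpyware value of 1 that nobody set deliberately, is the signal the thread is reacting to; the fix in this thread was the services repair tool, after which re-running the check should show every row as OK and the policy value absent.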

#13 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:06:17 AM

Posted 28 February 2013 - 05:21 PM


That looks good

Remove temporary and junk files

Download

TFC

Launch it, it will close all running programs

Click on START, it should ask for reboot. If TFC locks up the system, run it in safe mode


Create a new restore point

Follow this guide to turn off and turn on your restore points

XP- http://support.microsoft.com/kb/310405

Vista & windows 7- http://windows.microsoft.com/en-US/windows7/Turn-System-Restore-on-or-off

Turn off your system restore - it deletes old infected restore points

Turn on system restore and create a new restore point

Update JAVA and Flash player

Uninstall old versions of Java from Control Panel - Add or remove programs. Download the latest version from here

http://java.com/en/

Update your flash player

Antivirus recommendations

Update your antivirus frequently. Two free antivirus programs that I would suggest are

Microsoft Security Essentials or Avast. You can select either one of them.

If you have a paid one, make sure to update it frequently. Do not use multiple security software products.

Informative guides that could prevent you from being infected again

How did I get infected?

http://www.bleepingcomputer.com/forums/topic2520.html

Best Practices for Safe Computing - Prevention of Malware Infection

http://www.bleepingcomputer.com/forums/topic407147.html

Simple and easy ways to keep your computer safe and secure on the Internet

http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

Safe surfing :)



#14 moss_1184

moss_1184
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:17 AM

Posted 28 February 2013 - 05:51 PM

Thanks a million times over.  I really appreciate your kind, insightful and prompt help.  Great to see people helping others.  Done all the above steps, read through some of the links.  One last thank you!



#15 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:06:17 AM

Posted 28 February 2013 - 06:03 PM

:welcome:
