
Repeat or continuing infection?


This topic is locked
27 replies to this topic

#1 fixit9660


  • Members
  • 30 posts
  • Gender:Male
  • Location:Somerset, UK

Posted 27 April 2013 - 05:35 AM

I'm getting multiple alerts from Microsoft Security Essentials, and my paid-for product eScan AV, about multiple and various viruses/malware, which both products say they're removing, but they keep coming back. Apart from this my PC doesn't seem too bad, but something is obviously up.

 

As per the directions by Broni in http://www.bleepingcomputer.com/forums/t/492759/repeat-or-continuing-infection/

 

I've downloaded and run DDS; the results are pasted and attached as directed here:

 

 DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16476
Run by Andrew at 11:20:29 on 2013-04-27
Microsoft Windows 7 Professional   6.1.7601.1.1252.44.1033.18.6142.3556 [GMT 1:00]
.
AV: eScan Anti-Virus (AV) Edition for Windows *Enabled/Updated* {BCDBC2EE-EFD9-33B4-FA81-487C1275AEA6}
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: eScan Anti-Virus (AV) Edition for Windows *Enabled/Updated* {07BA230A-C9E3-3C3A-C031-730E69F2E41B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
FW: eScan Anti-Virus (AV) Edition for Windows *Enabled* {84E043CB-A5B6-32EC-D1DE-E149ECA6E9DD}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Program Files\HitmanPro\hmpsched.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\progra~2\escan\EconSer.exe
c:\progra~2\escan\eConceal.exe
C:\PROGRA~3\MICROW~1\eScanBD\avpmapp.exe
C:\Program Files (x86)\eScan\TRAYSSER.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\PROGRA~2\eScan\consctlx.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\HitmanPro\HitmanPro.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~2\eScan\TRAYICOS.EXE
C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe
C:\PROGRA~2\eScan\MAILDISP.EXE
C:\PROGRA~2\ESCAN\SPOOLER.EXE
C:\Program Files (x86)\Common Files\MicroWorld\Agent\MWASER.EXE
C:\Program Files (x86)\Common Files\MicroWorld\Agent\MWAgent.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\PROGRA~2\eScan\Vista\eScanMon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Logitech Gaming Software\LCore.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Samsung\Kies\Kies.exe
C:\Program Files (x86)\Allway Sync\Bin\syncappw.exe
C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe
C:\Program Files (x86)\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files (x86)\PKWARE\PKZIPM\12.50.0013\PKTray.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\Macromed\Flash\FlashUtil64_11_6_602_180_ActiveX.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
mSearch Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE"
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload
uRun: [Allway Sync] "C:\Program Files (x86)\Allway Sync\Bin\syncappw.exe" -m
uRun: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
uRun: [NokiaSuite.exe] C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe -tray
uRun: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE -startup
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
StartupFolder: C:\Users\Andrew\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HDWRIT~1.LNK - C:\Program Files (x86)\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PKZIPA~1.LNK - C:\Program Files (x86)\PKWARE\PKZIPM\12.50.0013\PKTray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:153
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:153
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-Explorer: NoDriveTypeAutoRun = dword:153
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {54848076-14D0-45E7-851E-CAF7EF0125F1} - C:\PROGRA~2\eScan\VKBoard.exe
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
LSP: %SystemRoot%\system32\mwtsp.dll
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://81.86.29.30/cab/OCXChecker_8320.cab
DPF: {C8BC46C7-921C-4102-B67D-F1F7E65FB0BE} - hxxps://battlefield.play4free.com/static/updater/BP4FUpdater_1.0.27.2.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{E5B162B6-9EAC-4FFA-9838-011765887213} : NameServer = 217.72.162.2,212.104.130.65,212.104.130.9
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
x64-Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
x64-Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdcBase.exe
x64-Run: [Launch LCore] C:\Program Files\Logitech Gaming Software\LCore.exe /minimized
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {54848076-14D0-45E7-851E-CAF7EF0125F1} - C:\PROGRA~2\eScan\VKBoard.exe
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc64.cab
x64-DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
x64-DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
x64-DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
x64-DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2013-1-20 230320]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-3-27 55952]
R0 RapportKE64;RapportKE64;C:\Windows\System32\drivers\RapportKE64.sys [2011-5-7 236248]
R1 RapportCerberus_51755;RapportCerberus_51755;C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_51755.sys [2013-3-24 586072]
R1 RapportEI64;RapportEI64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2013-4-2 228600]
R1 RapportPG64;RapportPG64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2013-4-2 357272]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-1-5 203776]
R2 EconService;eConServ;C:\progra~2\escan\EconSer.exe [2010-9-27 533800]
R2 eScan-trayicos;eScan Server-Updater;C:\Program Files (x86)\eScan\traysser.exe [2010-9-27 132872]
R2 eScan Monitor Service;eScan Monitor Service;C:\PROGRA~3\MICROW~1\eScanBD\avpmapp.exe [2010-9-27 1483072]
R2 HitmanProScheduler;HitmanPro Scheduler;C:\Program Files\HitmanPro\hmpsched.exe [2013-4-13 109352]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-9-19 13592]
R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe [2009-10-7 191000]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-4-13 418376]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 130008]
R2 RapportMgmtService;Rapport Management Service;C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2013-4-2 1124184]
R2 RtNdPt60;Realtek NDIS Protocol Driver;C:\Windows\System32\drivers\RtNdPt60.sys [2010-9-23 27136]
R3 econcealMP;econcealMP;C:\Windows\System32\drivers\econceal.sys [2010-9-27 33800]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;C:\Windows\System32\drivers\hitmanpro37.sys [2013-4-26 32152]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\System32\drivers\LGBusEnum.sys [2009-11-24 22408]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\System32\drivers\LGVirHid.sys [2009-11-24 16008]
R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\System32\drivers\LVPr2M64.sys [2009-10-7 30232]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-4-13 25928]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-1-27 379360]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-4-27 83080]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-4-27 184968]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-3-26 425064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-4-13 701512]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-1-8 161536]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2011-3-26 116240]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2013-4-20 102936]
S3 econceal;eConceal Service;C:\Windows\System32\drivers\econceal.sys [2010-9-27 33800]
S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;C:\Windows\System32\drivers\libusb0.sys [2011-11-23 29184]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2009-10-7 327704]
S3 LVUVC64;Logitech QuickCam S7500(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2009-10-7 6379288]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 ProcObsrvesx;Process Creation Monitor;C:\Program Files (x86)\eScan\PROCOBSRVESX.SYS [2010-9-27 20744]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-10-27 19456]
S3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);C:\Windows\System32\drivers\RtTeam60.sys [2010-9-23 51712]
S3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);C:\Windows\System32\drivers\RtVlan60.sys [2010-9-23 24064]
S3 SolarWinds TFTP Server;SolarWinds TFTP Server;C:\Program Files (x86)\SolarWinds\TFTPServer\SolarWinds TFTP Server.exe [2010-6-10 54784]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2013-4-20 203544]
S3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);C:\Windows\System32\drivers\RtTeam60.sys [2010-9-23 51712]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-10-27 57856]
S3 VLAN;Realtek Virtual Miniport Driver for VLAN (NDIS 6.2);C:\Windows\System32\drivers\RtVlan60.sys [2010-9-23 24064]
.
=============== File Associations ===============
.
FileExt: .inf: inffile=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2013-04-26 16:04:39 32152 ----a-w- C:\Windows\System32\drivers\hitmanpro37.sys
2013-04-25 19:36:51 12872 ----a-w- C:\Windows\System32\bootdelete.exe
2013-04-25 19:23:51 9317456 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9F61257E-206D-4309-B084-7ED5EDD385CD}\mpengine.dll
2013-04-25 19:12:25 -------- d---a-w- C:\Windows\rundll16.exe
2013-04-25 19:12:25 -------- d---a-w- C:\Windows\logo1_.exe
2013-04-25 18:50:28 9317456 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-24 09:01:48 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2013-04-24 08:59:06 905296 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{81D57FC9-2C04-4618-8723-5E4817CF2212}\gapaengine.dll
2013-04-21 17:11:52 208216 ----a-w- C:\Windows\System32\drivers\65626360.sys
2013-04-20 08:01:32 -------- d-----w- C:\Users\Andrew\AppData\Roaming\EurekaLog
2013-04-20 07:02:10 203544 ----a-w- C:\Windows\System32\drivers\ssudmdm.sys
2013-04-20 07:02:10 102936 ----a-w- C:\Windows\System32\drivers\ssudbus.sys
2013-04-15 19:26:20 -------- d-----w- C:\ProgramData\D8DC44DD4918B5330000D8DB6C07BB11
2013-04-13 14:34:33 -------- d-----w- C:\Program Files\HitmanPro
2013-04-13 14:33:18 -------- d-----w- C:\ProgramData\HitmanPro
2013-04-13 11:50:11 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-04-13 11:50:11 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-04-13 11:47:19 -------- d-----w- C:\Windows\snack
2013-04-13 11:32:06 -------- d-----w- C:\$RECYCLE.BIN
2013-04-13 11:02:15 208896 ----a-w- C:\Windows\MBR.exe
2013-04-13 11:02:14 98816 ----a-w- C:\Windows\sed.exe
2013-04-13 11:02:14 256000 ----a-w- C:\Windows\PEV.exe
2013-04-10 16:53:54 3153408 ----a-w- C:\Windows\System32\win32k.sys
2013-04-10 16:53:53 223752 ----a-w- C:\Windows\System32\drivers\fvevol.sys
2013-04-10 16:53:50 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-04-10 16:53:49 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-04-10 16:53:49 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-04-10 16:53:48 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2013-04-10 16:53:48 112640 ----a-w- C:\Windows\System32\smss.exe
2013-04-10 16:53:47 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll
.
==================== Find3M  ====================
.
2013-04-02 12:16:10 236248 ----a-w- C:\Windows\System32\drivers\RapportKE64.sys
2013-04-02 10:34:28 282744 ------w- C:\Windows\System32\MpSigStub.exe
2013-03-19 17:51:31 3698408 ----a-w- C:\Windows\SysWow64\asapsdk.dll
2013-03-13 18:57:02 73432 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-13 18:57:02 693976 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-03-13 18:56:51 16486616 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2013-03-01 18:58:56 350160 ----a-w- C:\Windows\System32\drivers\trufos.sys
2013-02-28 23:19:17 80104 ----a-w- C:\Windows\killproc.exe
2013-02-22 06:27:49 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-02-22 06:20:51 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-02-22 06:19:37 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-02-22 06:15:48 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-02-22 06:15:23 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-02-22 06:12:41 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-02-22 03:46:00 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-02-22 03:38:00 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-02-22 03:37:50 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-02-22 03:34:17 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-02-22 03:34:03 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-02-22 03:31:46 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-02-12 05:45:24 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45:22 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45:22 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45:22 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48:31 474112 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-02-12 04:12:05 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys
2013-02-05 16:53:34 4659712 ----a-w- C:\Windows\SysWow64\Redemption.dll
2013-02-05 16:52:46 821824 ----a-w- C:\Windows\SysWow64\dgderapi.dll
.
============= FINISH: 11:24:06.26 ===============
 

 

I hope I've followed and executed the site rules and directions correctly and completely; sincere apologies if not, and please tell me where I've gone wrong.

 

Many thanks to all in advance,

 

Andy, a.k.a. fixit9660.
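A small triage helper for the "Created Last 30" and "Find3M" listings in the DDS log above, added here as an example; it is not part of the thread, of DDS, or of the helper's procedure. It parses each date/time/size/attributes/path line and flags entries a responder would look at by hand; the heuristics and flag names are this example's own assumptions, and the sample lines are copied from the posted log.

```python
"""Triage helper for the "Created Last 30" / "Find3M" listings in a DDS log.

Added example for this thread; it is not part of DDS, ComboFix or the
helper's procedure. Heuristic names and thresholds are assumptions of this
example. A flag means "inspect this entry", never "this is malware".
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# DDS listing line: date time size attribute-flags path.  Directories show
# "--------" in the size column and a leading "d" in the attribute flags.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+|-+) ([-a-z]{8}) (.+)$"
)
EXEC_EXT = {".exe", ".sys", ".dll"}

# Sample input: eight lines copied verbatim from the DDS log posted above.
SAMPLE = r"""
2013-04-26 16:04:39 32152 ----a-w- C:\Windows\System32\drivers\hitmanpro37.sys
2013-04-25 19:36:51 12872 ----a-w- C:\Windows\System32\bootdelete.exe
2013-04-25 19:12:25 -------- d---a-w- C:\Windows\rundll16.exe
2013-04-25 19:12:25 -------- d---a-w- C:\Windows\logo1_.exe
2013-04-21 17:11:52 208216 ----a-w- C:\Windows\System32\drivers\65626360.sys
2013-04-15 19:26:20 -------- d-----w- C:\ProgramData\D8DC44DD4918B5330000D8DB6C07BB11
2013-04-13 11:47:19 -------- d-----w- C:\Windows\snack
2013-04-10 16:53:50 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe
"""


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_dds_listing(text: str) -> list[Entry]:
    """Return the file/directory entries; headers, dots and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append(Entry(date, time, None if size.startswith("-") else int(size), attrs, path))
    return entries


def flags_for(e: Entry) -> list[str]:
    """Heuristics (assumptions of this example) that mark an entry for review."""
    name = ntpath.basename(e.path)          # ntpath handles Windows paths on any OS
    parent = ntpath.dirname(e.path).lower()
    stem, ext = ntpath.splitext(name)
    ext = ext.lower()
    flags = []
    if e.is_dir and ext in EXEC_EXT:
        # A directory whose name ends in .exe/.sys/.dll is not what installers create.
        flags.append("directory named like an executable")
    if parent == r"c:\windows":
        # Components normally live in subfolders; new items in the root are unusual.
        flags.append("created directly under C:\\Windows")
    if not e.is_dir and ext == ".sys" and re.fullmatch(r"[0-9a-f]{8,}", stem.lower()):
        flags.append("driver with digits/hex-only name")
    if e.is_dir and re.fullmatch(r"[0-9a-f]{32,}", stem.lower()):
        flags.append("directory with long hex-only name")
    return flags


def triage(text: str) -> dict[str, list[str]]:
    """Map each flagged path to its reasons; unflagged entries are omitted."""
    return {e.path: f for e in parse_dds_listing(text) if (f := flags_for(e))}


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(f"{path}\n    " + "; ".join(reasons))
```

Feeding the whole DDS section to `triage()` works the same way, since the parser ignores the "====" headers and "." separator lines.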


#2 jeffce


    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 27 April 2013 - 09:35 AM

Hi and Welcome!!
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to this topic so that you can see when there are new responses.
  • IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.
 
Having said that.... Let's get going!!
----------
 
 
Please download aswMBR to your desktop.

 

  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

----------


Edited by jeffce, 27 April 2013 - 09:35 AM.



#3 fixit9660

  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male
  • Location:Somerset, UK

Posted 27 April 2013 - 04:32 PM

Hi Jeff,

 

Thanks for the response. aswMBR downloaded and run as directed. Results are:

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-04-27 18:28:32
-----------------------------
18:28:32.557    OS Version: Windows x64 6.1.7601 Service Pack 1
18:28:32.557    Number of processors: 8 586 0x1A05
18:28:32.558    ComputerName: ANDREW-PC  UserName: Andrew
18:28:42.734    Initialize success
18:31:28.479    AVAST engine defs: 13042700
18:32:09.204    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
18:32:09.206    Disk 0 Vendor: Intel___ 1.0. Size: 953867MB BusType: 8
18:32:09.637    Disk 0 MBR read successfully
18:32:09.640    Disk 0 MBR scan
18:32:09.787    Disk 0 Windows 7 default MBR code
18:32:09.835    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
18:32:09.911    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       953765 MB offset 206848
18:32:10.245    Disk 0 scanning C:\Windows\system32\drivers
18:33:02.681    Service scanning
18:34:20.520    Modules scanning
18:34:20.521    Disk 0 trace - called modules:
18:34:20.535    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
18:34:20.536    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800825d790]
18:34:20.537    3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0xfffffa8005a38050]
18:34:35.767    AVAST engine scan C:\Windows
18:35:09.393    AVAST engine scan C:\Windows\system32
18:49:55.858    AVAST engine scan C:\Windows\system32\drivers
18:50:47.348    AVAST engine scan C:\Users\Andrew
19:05:43.409    File: C:\Users\Andrew\AppData\Local\Temp\tmp00004580\TMP003961D6.MWT  **INFECTED** Win32:Dropper-LVY [Drp]
19:34:40.992    AVAST engine scan C:\ProgramData
19:48:10.024    Scan finished successfully
22:25:17.490    Disk 0 MBR has been saved successfully to "C:\Downloads\eScan\aswMBR\MBR.dat"
22:25:17.550    The log file has been saved successfully to "C:\Downloads\eScan\aswMBR\aswMBR.txt"

 

Best regards

 

Andy a.k.a. fixit9660



#4 jeffce


    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 27 April 2013 - 09:57 PM

ComboFix
 
Download Combofix from either of the links below, and save it to your desktop.  
 
**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.
 
--------------------------------------------------------------------
 
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
 
--------------------------------------------------------------------
 
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.  
  • Please post the C:\ComboFix.txt for further review.



#5 fixit9660

  • Topic Starter

  • Members
  • 30 posts
  • Gender:Male
  • Location:Somerset, UK

Posted 28 April 2013 - 04:11 AM

Hi Jeff,

 

Combofix downloaded and run as directed. Log pasted as follows:

 

ComboFix 13-04-27.04 - Andrew 28/04/2013   9:51.2.8 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.44.1033.18.6142.3778 [GMT 1:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
AV: eScan Anti-Virus (AV) Edition for Windows *Disabled/Updated* {BCDBC2EE-EFD9-33B4-FA81-487C1275AEA6}
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
FW: eScan Anti-Virus (AV) Edition for Windows *Disabled* {84E043CB-A5B6-32EC-D1DE-E149ECA6E9DD}
SP: eScan Anti-Virus (AV) Edition for Windows *Disabled/Updated* {07BA230A-C9E3-3C3A-C031-730E69F2E41B}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-28 to 2013-04-28  )))))))))))))))))))))))))))))))
.
.
2013-04-28 08:59 . 2013-04-28 08:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-28 08:59 . 2013-04-28 08:59 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2013-04-27 10:25 . 2013-04-10 03:46 9317456 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BC9D72C3-4FE7-4C1C-A7EC-79E4A3A80926}\mpengine.dll
2013-04-25 19:36 . 2013-04-25 19:36 12872 ----a-w- c:\windows\system32\bootdelete.exe
2013-04-25 19:23 . 2013-04-10 03:46 9317456 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-25 19:12 . 2013-04-25 19:12 -------- d---a-w- c:\windows\rundll16.exe
2013-04-25 19:12 . 2013-04-25 19:12 -------- d---a-w- c:\windows\logo1_.exe
2013-04-24 09:01 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-24 08:59 . 2013-04-24 08:58 905296 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{81D57FC9-2C04-4618-8723-5E4817CF2212}\gapaengine.dll
2013-04-21 17:11 . 2013-04-21 17:11 208216 ----a-w- c:\windows\system32\drivers\65626360.sys
2013-04-20 08:01 . 2013-04-20 08:01 -------- d-----w- c:\users\Andrew\AppData\Roaming\EurekaLog
2013-04-20 07:02 . 2013-02-22 07:17 203544 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
2013-04-20 07:02 . 2013-02-22 07:17 102936 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2013-04-15 19:26 . 2013-04-15 19:33 -------- d-----w- c:\programdata\D8DC44DD4918B5330000D8DB6C07BB11
2013-04-13 14:34 . 2013-04-13 14:34 -------- d-----w- c:\program files\HitmanPro
2013-04-13 14:33 . 2013-04-13 14:41 -------- d-----w- c:\programdata\HitmanPro
    2013-04-13 11:50 . 2013-04-16 08:46 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2013-04-13 11:50 . 2013-04-04 13:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-04-13 11:47 . 2013-04-13 11:47 -------- d-----w- c:\windows\snack
    2013-04-10 16:53 . 2013-03-01 03:36 3153408 ----a-w- c:\windows\system32\win32k.sys
    2013-04-10 16:53 . 2013-01-24 06:01 223752 ----a-w- c:\windows\system32\drivers\fvevol.sys
    2013-04-10 16:53 . 2013-03-19 06:04 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-04-10 16:53 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2013-04-10 16:53 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2013-04-10 16:53 . 2013-03-19 05:46 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2013-04-10 16:53 . 2013-03-19 03:06 112640 ----a-w- c:\windows\system32\smss.exe
    2013-04-10 16:53 . 2013-03-19 04:47 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-04-10 21:57 . 2010-11-09 20:47 72702784 ----a-w- c:\windows\system32\MRT.exe
    2013-04-02 12:16 . 2011-05-07 12:20 236248 ----a-w- c:\windows\system32\drivers\RapportKE64.sys
    2013-04-02 10:34 . 2010-09-19 16:24 282744 ------w- c:\windows\system32\MpSigStub.exe
    2013-03-19 17:51 . 2013-03-19 17:51 3698408 ----a-w- c:\windows\SysWow64\asapsdk.dll
    2013-03-13 18:57 . 2012-03-30 15:33 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2013-03-13 18:57 . 2011-05-15 10:51 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-03-13 18:56 . 2013-03-13 18:56 16486616 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2013-03-01 18:58 . 2013-03-01 18:58 350160 ----a-w- c:\windows\system32\drivers\trufos.sys
    2013-02-28 23:19 . 2010-09-19 17:41 80104 ----a-w- c:\windows\killproc.exe
    2013-02-12 05:45 . 2013-03-13 17:41 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
    2013-02-12 05:45 . 2013-03-13 17:41 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
    2013-02-12 05:45 . 2013-03-13 17:41 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
    2013-02-12 05:45 . 2013-03-13 17:41 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
    2013-02-12 04:48 . 2013-03-13 17:41 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2013-02-12 04:48 . 2013-03-13 17:41 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
    2013-02-12 04:12 . 2013-03-13 20:44 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
    2013-02-05 16:53 . 2012-08-15 19:37 4659712 ----a-w- c:\windows\SysWow64\Redemption.dll
    2013-02-05 16:52 . 2012-08-15 19:37 821824 ----a-w- c:\windows\SysWow64\dgderapi.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2011-03-04 2736128]
    "OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2012-01-18 911160]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-27 39408]
    "KiesPreload"="c:\program files (x86)\Samsung\Kies\Kies.exe" [2013-03-28 1511792]
    "Allway Sync"="c:\program files (x86)\Allway Sync\Bin\syncappw.exe" [2013-04-12 93264]
    "KiesPDLR"="c:\program files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2013-03-28 1106288]
    "NokiaSuite.exe"="c:\program files (x86)\Nokia\Nokia Suite\NokiaSuite.exe" [2012-12-21 1090040]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-10-17 284440]
    "NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
    "EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2011-06-15 307200]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-11 59280]
    "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2012-06-28 74752]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
    "KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2013-03-28 310640]
    .
    c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2013-1-8 246368]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HD Writer.lnk - c:\program files (x86)\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe [2012-8-30 292736]
    PKZIP Attachments Status.lnk - c:\program files (x86)\PKWARE\PKZIPM\12.50.0013\PKTray.exe [2010-10-14 304464]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
    R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-01-08 161536]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-08-16 116240]
    R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2013-02-22 102936]
    R3 econceal;eConceal Service;c:\windows\system32\DRIVERS\econceal.sys [2010-06-03 33800]
    R3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2011-11-23 29184]
    R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2009-10-07 327704]
    R3 LVUVC64;Logitech QuickCam S7500(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2009-10-07 6379288]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 25928]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]
    R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
    R3 ProcObsrvesx;Process Creation Monitor;c:\program files (x86)\eScan\PROCOBSRVESX.SYS [2012-04-16 20744]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
    R3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [2009-12-21 51712]
    R3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\DRIVERS\RtVlan60.sys [2007-12-03 24064]
    R3 SolarWinds TFTP Server;SolarWinds TFTP Server;c:\program files (x86)\SolarWinds\TFTPServer\SolarWinds TFTP Server.exe [2010-06-10 54784]
    R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2013-02-22 203544]
    R3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [2009-12-21 51712]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
    R3 VLAN;Realtek Virtual Miniport Driver for VLAN (NDIS 6.2);c:\windows\system32\DRIVERS\RtVLAN60.sys [2007-12-03 24064]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-10-17 1255736]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-10-04 55952]
    S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys [2013-04-02 236248]
    S1 RapportCerberus_51755;RapportCerberus_51755;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_51755.sys [2013-03-24 586072]
    S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2013-04-02 228600]
    S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2013-04-02 357272]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 203776]
    S2 EconService;eConServ;c:\progra~2\escan\EconSer.exe [2012-06-18 533800]
    S2 eScan-trayicos;eScan Server-Updater;c:\program files (x86)\eScan\TRAYSSER.EXE [2012-05-09 132872]
    S2 eScan Monitor Service;eScan Monitor Service;c:\progra~3\MICROW~1\eScanBD\avpmapp.exe [2012-06-17 1483072]
    S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2013-04-13 109352]
    S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-10-17 13592]
    S2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 191000]
    S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344]
    S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2013-04-02 1124184]
    S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2009-07-20 27136]
    S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2013-02-26 3560800]
    S3 econcealMP;econcealMP;c:\windows\system32\DRIVERS\econceal.sys [2010-06-03 33800]
    S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-24 22408]
    S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-24 16008]
    S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2009-10-07 30232]
    S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-04-27 83080]
    S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-04-27 184968]
    S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [2009-11-11 34160]
    S3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso64.sys [2013-03-24 175352]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-01-26 425064]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - RAPPORTIASO
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2011-03-04 12:29 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-04-28 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 18:57]
    .
    2013-02-17 c:\windows\Tasks\Allway Sync_{40B4340B846097668D6E2534FBF9AB91}.job
    - c:\program files (x86)\Allway Sync\Bin\syncappw.exe [2012-12-27 11:28]
    .
    2013-04-21 c:\windows\Tasks\Allway Sync_{423727186CC5E405C55C0C8856706B85}.job
    - c:\program files (x86)\Allway Sync\Bin\syncappw.exe [2012-12-27 11:28]
    .
    2013-03-17 c:\windows\Tasks\Allway Sync_{49A571C0EF8CCD7B927AE0D251C95092}.job
    - c:\program files (x86)\Allway Sync\Bin\syncappw.exe [2012-12-27 11:28]
    .
    2013-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-19 19:11]
    .
    2013-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-19 19:11]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-11 2320752]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 660360]
    "Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2011-12-07 5889816]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
    FontCache
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mDefault_Search_URL = hxxp://www.google.com
    mStart Page =
    mSearch Page = hxxp://www.google.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
    IE: {{54848076-14D0-45E7-851E-CAF7EF0125F1} - c:\progra~2\eScan\VKBoard.exe
    Trusted Zone: pdfonline.com\www
    TCP: Interfaces\{E5B162B6-9EAC-4FFA-9838-011765887213}: NameServer = 217.72.162.2,212.104.130.65,212.104.130.9
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-CoreAAC Audio Decoder - c:\windows\system32\CoreAAC-uninstall.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
       00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-04-28  10:02:28
    ComboFix-quarantined-files.txt  2013-04-28 09:02
    ComboFix2.txt  2013-04-13 11:35
    .
    Pre-Run: 550,015,049,728 bytes free
    Post-Run: 549,875,724,288 bytes free
    .
    - - End Of File - - 8CCDA4404DCBB927675D62D748A88DA0
     

     

    Many thanks

     

    Andy a.k.a. fixit9660



    #6 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    • Gender:Male
    • Location:USA
    • Local time:09:16 AM

    Posted 28 April 2013 - 12:24 PM

    Hi,
     
    I see that you have both eScan Anti-Virus and Microsoft Security Essentials on your system.  You should only have one antivirus program or there could be conflicts on your system.  Please remove one (whichever you choose) in Control Panel >> Programs and Features.
     
    ---------------------
     
     
    Please go to: VirusTotal
    On the page you'll find a "Choose File" button.
    Click on the Choose File button.
    In the Choose File to Upload window which opens, copy and paste this into the File Name box.
     
    c:\windows\rundll16.exe
    c:\windows\logo1_.exe
    c:\windows\system32\drivers\65626360.sys
     
    Next, click the Open button.
    Then click the "Scan It!" button just below.
    This will scan the file. Please be patient.
    If you get a message saying File has already been analyzed: click Reanalyze file now
    Once scanned, copy and paste the link to the results page in your next reply.
    ----------




    #7 fixit9660

    fixit9660
    • Topic Starter

    • Members
    • 30 posts
    • OFFLINE
    • Gender:Male
    • Location:Somerset, UK
    • Local time:03:16 PM

    Posted 28 April 2013 - 02:25 PM

    Hi Jeff,

     

    As per your advice I've deleted one of the AV programs (MSE) but as eScan also failed to spot the virus I'm keen to get rid of that too. Do you have an AV recommendation please?

     

    I've attempted to analyse the files as you asked, but:

     

    The file c:\windows\rundll16.exe does not exist BUT there is a folder of that name which is empty?

     

    Similarly with c:\windows\logo1_.exe: the file also does not exist BUT there is a folder of that name which is empty?

     

    By the way, I notice there are also folders called c:\windows\logo_1.exe and c:\windows\RUNDL132.EXE and c:\windows\VDLL.DLL ? Also 8 or 9 files with names like: 1925552;grp=3750850;grp=3884051;jobs=1;sub=0;con=i;seg=122;seg=283;seg=497;seg=477;seg=275;ipc=gb;cont=eu;ipct=eu;sjt=126;jpos=0;dcopt=ist;extra%3Dnull;s=1;ord=288695723[1]

     

    The file c:\windows\system32\drivers\65626360.sys does however exist and analyses fine here:

     

    https://www.virustotal.com/en/file/acd76fbda74e5ae6e0adad03e7a90bb007833f1540d9567375befc3335938c42/analysis/1367176624/

     

    Thanks,

     

    Andy a.k.a fixit9660.


    Edited by fixit9660, 28 April 2013 - 02:31 PM.
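    The two posts above hinge on one detail that is easy to miss when reading a ComboFix log: the attribute column. An entry such as `-------- d---a-w- c:\windows\rundll16.exe` has no byte size and a leading `d`, which is the same shape as every known folder in the log (for example `...\AppData\Local\temp`), so the paths jeffce asked for are directories with executable-looking names, not files, and there is nothing to upload to VirusTotal. The script below is an added example written for this page, not code from either poster or from ComboFix's authors. It parses lines in the log's "Files Created" format, separates directories that merely look like executables from real files worth hashing, and builds the SHA-256 based report URL in the form fixit9660 pasted (minus the per-scan analysis timestamp, an assumption on my part; VirusTotal's URL scheme has changed since 2013). The log lines and the placeholder bytes it hashes are constructed; on a real host you would read each candidate file in binary mode. The interpretation of the leading `d` as "directory" is inferred from the log, not documented by ComboFix.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a few lines in the shape of the thread's "Files Created" section.
SAMPLE_LOG = r"""
2013-04-28 08:59 . 2013-04-28 08:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-04-25 19:36 . 2013-04-25 19:36 12872 ----a-w- c:\windows\system32\bootdelete.exe
2013-04-25 19:12 . 2013-04-25 19:12 -------- d---a-w- c:\windows\rundll16.exe
2013-04-25 19:12 . 2013-04-25 19:12 -------- d---a-w- c:\windows\logo1_.exe
2013-04-21 17:11 . 2013-04-21 17:11 208216 ----a-w- c:\windows\system32\drivers\65626360.sys
2013-04-13 11:47 . 2013-04-13 11:47 -------- d-----w- c:\windows\snack
.
"""

# created-timestamp '.' modified-timestamp size-or-dashes attribute-flags path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[A-Za-z-]{8}) (?P<path>\S.*)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories, which the log prints as '--------'
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        # Assumption: a leading 'd' flags a directory (true of every folder in the log).
        return self.attrs[0] == "d"

    @property
    def looks_executable(self) -> bool:
        return self.path.lower().endswith(EXEC_EXT)


def parse_entries(text: str) -> List[Entry]:
    """Parse 'Files Created' lines; headers, separators and '.' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def exec_named_directories(entries: List[Entry]) -> List[str]:
    # Folders carrying an executable name, e.g. c:\windows\rundll16.exe in the thread.
    # They cannot be uploaded to VirusTotal; note them for the helper instead.
    return [e.path for e in entries if e.is_dir and e.looks_executable]


def upload_candidates(entries: List[Entry]) -> List[str]:
    # Real files with executable extensions: the ones worth hashing or uploading.
    return [e.path for e in entries if not e.is_dir and e.looks_executable]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def virustotal_url(sha256: str) -> str:
    # Report URL in the form quoted in the thread, without the analysis timestamp
    # (assumption: the bare /file/<sha256>/ path is enough to reach the latest report).
    return f"https://www.virustotal.com/en/file/{sha256}/"


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print("directories named like executables (report, nothing to upload):")
    for p in exec_named_directories(entries):
        print("  ", p)
    print("files to hash or upload:")
    for p in upload_candidates(entries):
        print("  ", p)
    # Placeholder bytes stand in for a file's contents (constructed, not a real driver).
    print("lookup:", virustotal_url(sha256_hex(b"abc")))
```

    Hashing locally first lets you check whether VirusTotal already has a verdict for the exact bytes before uploading anything, which is also how the "File has already been analyzed" message in jeffce's instructions arises.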


    #8 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    • Gender:Male
    • Location:USA
    • Local time:09:16 AM

    Posted 28 April 2013 - 02:40 PM

    As per your advice I've deleted one of the AV programs (MSE) but as eScan also failed to spot the virus I'm keen to get rid of that too. Do you have an AV recommendation please?

     
    I actually like Microsoft Security Essentials or Avast for antivirus programs.  They are both free and reliable.   :)  Don't install anything new until we have completed though.

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      ClearJavaCache::
       
      DDS::
      Trusted Zone: pdfonline.com\www
       
      File::
      c:\windows\rundll16.exe
      c:\windows\logo1_.exe

    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
       
      [screenshot: CFScriptB-4.gif, CFScript.txt being dragged onto ComboFix.exe]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix may request an update; please allow it.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------
     
    Post the new ComboFix log and let me know how your system is running now.   :)




    #9 fixit9660

    fixit9660
    • Topic Starter

    • Members
    • 30 posts
    • OFFLINE
    • Gender:Male
    • Location:Somerset, UK
    • Local time:03:16 PM

    Posted 28 April 2013 - 03:08 PM

    Hi Jeff,

     

    Comments on AV solutions noted - and nothing installed or deleted either yet.

     

    All directions followed and the ComboFix log follows:

     

    ComboFix 13-04-28.01 - Andrew 28/04/2013  20:51:44.3.8 - x64
    Microsoft Windows 7 Professional   6.1.7601.1.1252.44.1033.18.6142.3918 [GMT 1:00]
    Running from: c:\users\Andrew\Desktop\ComboFix.exe
    Command switches used :: c:\users\Andrew\Desktop\CFScript.txt
    AV: eScan Anti-Virus (AV) Edition for Windows *Disabled/Updated* {BCDBC2EE-EFD9-33B4-FA81-487C1275AEA6}
    FW: eScan Anti-Virus (AV) Edition for Windows *Disabled* {84E043CB-A5B6-32EC-D1DE-E149ECA6E9DD}
    SP: eScan Anti-Virus (AV) Edition for Windows *Disabled/Updated* {07BA230A-C9E3-3C3A-C031-730E69F2E41B}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\windows\logo1_.exe"
    "c:\windows\rundll16.exe"
    .
    .
    (((((((((((((((((((((((((   Files Created from 2013-03-28 to 2013-04-28  )))))))))))))))))))))))))))))))
    .
    .
    2013-04-28 19:58 . 2013-04-28 19:58 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-04-28 19:58 . 2013-04-28 19:58 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2013-04-25 19:36 . 2013-04-25 19:36 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2013-04-25 19:12 . 2013-04-25 19:12 -------- d---a-w- c:\windows\rundll16.exe
    2013-04-25 19:12 . 2013-04-25 19:12 -------- d---a-w- c:\windows\logo1_.exe
    2013-04-24 09:01 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
    2013-04-21 17:11 . 2013-04-21 17:11 208216 ----a-w- c:\windows\system32\drivers\65626360.sys
    2013-04-20 08:01 . 2013-04-20 08:01 -------- d-----w- c:\users\Andrew\AppData\Roaming\EurekaLog
    2013-04-20 07:02 . 2013-02-22 07:17 203544 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
    2013-04-20 07:02 . 2013-02-22 07:17 102936 ----a-w- c:\windows\system32\drivers\ssudbus.sys
    2013-04-15 19:26 . 2013-04-15 19:33 -------- d-----w- c:\programdata\D8DC44DD4918B5330000D8DB6C07BB11
    2013-04-13 14:33 . 2013-04-13 14:41 -------- d-----w- c:\programdata\HitmanPro
    2013-04-13 11:50 . 2013-04-16 08:46 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2013-04-13 11:50 . 2013-04-04 13:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-04-13 11:47 . 2013-04-13 11:47 -------- d-----w- c:\windows\snack
    2013-04-10 16:53 . 2013-03-01 03:36 3153408 ----a-w- c:\windows\system32\win32k.sys
    2013-04-10 16:53 . 2013-01-24 06:01 223752 ----a-w- c:\windows\system32\drivers\fvevol.sys
    2013-04-10 16:53 . 2013-03-19 06:04 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-04-10 16:53 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2013-04-10 16:53 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2013-04-10 16:53 . 2013-03-19 05:46 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2013-04-10 16:53 . 2013-03-19 03:06 112640 ----a-w- c:\windows\system32\smss.exe
    2013-04-10 16:53 . 2013-03-19 04:47 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-04-10 21:57 . 2010-11-09 20:47 72702784 ----a-w- c:\windows\system32\MRT.exe
    2013-04-02 12:16 . 2011-05-07 12:20 236248 ----a-w- c:\windows\system32\drivers\RapportKE64.sys
    2013-04-02 10:34 . 2010-09-19 16:24 282744 ------w- c:\windows\system32\MpSigStub.exe
    2013-03-19 17:51 . 2013-03-19 17:51 3698408 ----a-w- c:\windows\SysWow64\asapsdk.dll
    2013-03-13 18:57 . 2012-03-30 15:33 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2013-03-13 18:57 . 2011-05-15 10:51 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-03-13 18:56 . 2013-03-13 18:56 16486616 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2013-03-01 18:58 . 2013-03-01 18:58 350160 ----a-w- c:\windows\system32\drivers\trufos.sys
    2013-02-28 23:19 . 2010-09-19 17:41 80104 ----a-w- c:\windows\killproc.exe
    2013-02-12 05:45 . 2013-03-13 17:41 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
    2013-02-12 05:45 . 2013-03-13 17:41 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
    2013-02-12 05:45 . 2013-03-13 17:41 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
    2013-02-12 05:45 . 2013-03-13 17:41 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
    2013-02-12 04:48 . 2013-03-13 17:41 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2013-02-12 04:48 . 2013-03-13 17:41 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
    2013-02-12 04:12 . 2013-03-13 20:44 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
    2013-02-05 16:53 . 2012-08-15 19:37 4659712 ----a-w- c:\windows\SysWow64\Redemption.dll
    2013-02-05 16:52 . 2012-08-15 19:37 821824 ----a-w- c:\windows\SysWow64\dgderapi.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2011-03-04 2736128]
    "OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2012-01-18 911160]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-27 39408]
    "KiesPreload"="c:\program files (x86)\Samsung\Kies\Kies.exe" [2013-03-28 1511792]
    "Allway Sync"="c:\program files (x86)\Allway Sync\Bin\syncappw.exe" [2013-04-12 93264]
    "KiesPDLR"="c:\program files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2013-03-28 1106288]
    "NokiaSuite.exe"="c:\program files (x86)\Nokia\Nokia Suite\NokiaSuite.exe" [2012-12-21 1090040]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-10-17 284440]
    "NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
    "EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2011-06-15 307200]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-11 59280]
    "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2012-06-28 74752]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
    "KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2013-03-28 310640]
    .
    c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2013-1-8 246368]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HD Writer.lnk - c:\program files (x86)\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe [2012-8-30 292736]
    PKZIP Attachments Status.lnk - c:\program files (x86)\PKWARE\PKZIPM\12.50.0013\PKTray.exe [2010-10-14 304464]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-01-08 161536]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-08-16 116240]
    R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2013-02-22 102936]
    R3 econceal;eConceal Service;c:\windows\system32\DRIVERS\econceal.sys [2010-06-03 33800]
    R3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2011-11-23 29184]
    R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2009-10-07 327704]
    R3 LVUVC64;Logitech QuickCam S7500(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2009-10-07 6379288]
    R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
    R3 ProcObsrvesx;Process Creation Monitor;c:\program files (x86)\eScan\PROCOBSRVESX.SYS [2012-04-16 20744]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
    R3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [2009-12-21 51712]
    R3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\DRIVERS\RtVlan60.sys [2007-12-03 24064]
    R3 SolarWinds TFTP Server;SolarWinds TFTP Server;c:\program files (x86)\SolarWinds\TFTPServer\SolarWinds TFTP Server.exe [2010-06-10 54784]
    R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2013-02-22 203544]
    R3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [2009-12-21 51712]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
    R3 VLAN;Realtek Virtual Miniport Driver for VLAN (NDIS 6.2);c:\windows\system32\DRIVERS\RtVLAN60.sys [2007-12-03 24064]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-10-17 1255736]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-10-04 55952]
    S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys [2013-04-02 236248]
    S1 RapportCerberus_51755;RapportCerberus_51755;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_51755.sys [2013-03-24 586072]
    S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2013-04-02 228600]
    S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2013-04-02 357272]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 203776]
    S2 EconService;eConServ;c:\progra~2\escan\EconSer.exe [2012-06-18 533800]
    S2 eScan-trayicos;eScan Server-Updater;c:\program files (x86)\eScan\TRAYSSER.EXE [2012-05-09 132872]
    S2 eScan Monitor Service;eScan Monitor Service;c:\progra~3\MICROW~1\eScanBD\avpmapp.exe [2012-06-17 1483072]
    S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-10-17 13592]
    S2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 191000]
    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
    S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344]
    S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2013-04-02 1124184]
    S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2009-07-20 27136]
    S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2013-02-26 3560800]
    S3 econcealMP;econcealMP;c:\windows\system32\DRIVERS\econceal.sys [2010-06-03 33800]
    S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-24 22408]
    S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-24 16008]
    S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2009-10-07 30232]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 25928]
    S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-04-27 83080]
    S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-04-27 184968]
    S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [2009-11-11 34160]
    S3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso64.sys [2013-03-24 175352]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-01-26 425064]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - NisDrv
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2011-03-04 12:29 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-04-28 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 18:57]
    .
    2013-02-17 c:\windows\Tasks\Allway Sync_{40B4340B846097668D6E2534FBF9AB91}.job
    - c:\program files (x86)\Allway Sync\Bin\syncappw.exe [2012-12-27 11:28]
    .
    2013-04-21 c:\windows\Tasks\Allway Sync_{423727186CC5E405C55C0C8856706B85}.job
    - c:\program files (x86)\Allway Sync\Bin\syncappw.exe [2012-12-27 11:28]
    .
    2013-03-17 c:\windows\Tasks\Allway Sync_{49A571C0EF8CCD7B927AE0D251C95092}.job
    - c:\program files (x86)\Allway Sync\Bin\syncappw.exe [2012-12-27 11:28]
    .
    2013-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-19 19:11]
    .
    2013-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-19 19:11]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-11 2320752]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 660360]
    "Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2011-12-07 5889816]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
    FontCache
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mDefault_Search_URL = hxxp://www.google.com
    mStart Page =
    mSearch Page = hxxp://www.google.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
    TCP: Interfaces\{E5B162B6-9EAC-4FFA-9838-011765887213}: NameServer = 217.72.162.2,212.104.130.65,212.104.130.9
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-CoreAAC Audio Decoder - c:\windows\system32\CoreAAC-uninstall.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
       00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-04-28  21:00:46
    ComboFix-quarantined-files.txt  2013-04-28 20:00
    ComboFix2.txt  2013-04-28 09:02
    ComboFix3.txt  2013-04-13 11:35
    .
    Pre-Run: 550,316,335,104 bytes free
    Post-Run: 550,279,041,024 bytes free
    .
    - - End Of File - - 6A22DE8D8FA1194BD77743F854CF56B6
    The files you mentioned earlier still do not exist as files, but do as folders, and the strangely named files I mentioned are still there; is this correct please?
    Many thanks,
    Andy a.k.a. fixit9660.



#10 jeffce (Bleepin' Super Saiyan, Malware Response Team, USA)

Posted 28 April 2013 - 03:20 PM

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

ClearJavaCache::

Folder::
c:\windows\rundll16.exe
c:\windows\logo1_.exe

    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

[screenshot CFScriptB-4.gif: dragging CFScript.txt onto ComboFix.exe]

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix may request an update; please allow it.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------


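The check the two posts above are circling (Andy's question about paths that now exist as folders rather than files, and jeffce's Folder:: directive against those same paths), written out as an added PowerShell example that is not part of the thread and not ComboFix's own code. It parses the Folder:: section of a CFScript and reports, for each path, whether it is missing, a file or a directory, its attributes and creation time, and for files a SHA-256 and Authenticode status, so the state of the paths can be recorded before and after the ComboFix run. The CFScript text is the one from post #10; the function names and output layout are this example's own assumptions. It only reads, never deletes. It needs an elevated prompt and PowerShell 4 or later (Windows Management Framework 4 on Windows 7) for Get-FileHash.

```powershell
# Added example, not from the thread or from ComboFix.
# Parses the Folder:: section of a CFScript and reports what each path really is.
# Sample script text below is copied from post #10 above.
$cfScript = @"
ClearJavaCache::

Folder::
c:\windows\rundll16.exe
c:\windows\logo1_.exe
"@

function Get-CFScriptSection {
    # Returns the non-empty lines that follow "<Section>::" up to the next "Name::" header.
    param([string]$Text, [string]$Section)
    $inSection = $false
    foreach ($line in ($Text -split "`r?`n")) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^[A-Za-z]+::$') {       # a directive header such as Folder::
            $inSection = ($trimmed -eq "$Section::")
            continue
        }
        if ($inSection -and $trimmed -ne '') { $trimmed }
    }
}

function Test-SuspectPath {
    # Reports whether a path is missing, a directory or a file, without modifying it.
    param([string]$Path)
    $result = [ordered]@{
        Path = $Path; Kind = 'missing'; Attributes = $null
        CreatedUtc = $null; SHA256 = $null; Signature = $null
    }
    if (Test-Path -LiteralPath $Path) {
        $item = Get-Item -LiteralPath $Path -Force   # -Force also returns hidden/system items
        $result.Attributes = $item.Attributes.ToString()
        $result.CreatedUtc = $item.CreationTimeUtc
        if ($item.PSIsContainer) {
            # An ".exe" name that is actually a folder is what Andy described; note it for review.
            $result.Kind = 'directory'
        } else {
            $result.Kind = 'file'
            $result.SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
            $result.Signature = (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
        }
    }
    [pscustomobject]$result
}

Get-CFScriptSection -Text $cfScript -Section 'Folder' |
    ForEach-Object { Test-SuspectPath -Path $_ } |
    Format-List
```

Run it once before dragging CFScript.txt onto ComboFix.exe and once after; a path that reports `Kind : directory` matches what Andy saw, and a path that reports `missing` afterwards matches the "Other Deletions" section of the ComboFix log. Pipe to `Export-Csv` instead of `Format-List` if you want to keep the before/after records.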

#11 fixit9660 (Topic Starter, Somerset, UK)

Posted 28 April 2013 - 03:57 PM

    Hi Jeff,
    Again, Combofix run as instructed and log pasted as follows:
    ComboFix 13-04-28.01 - Andrew 28/04/2013  21:26:48.4.8 - x64
    Microsoft Windows 7 Professional   6.1.7601.1.1252.44.1033.18.6142.3873 [GMT 1:00]
    Running from: c:\users\Andrew\Desktop\ComboFix.exe
    Command switches used :: c:\users\Andrew\Desktop\CFScript.txt
    AV: eScan Anti-Virus (AV) Edition for Windows *Disabled/Updated* {BCDBC2EE-EFD9-33B4-FA81-487C1275AEA6}
    FW: eScan Anti-Virus (AV) Edition for Windows *Disabled* {84E043CB-A5B6-32EC-D1DE-E149ECA6E9DD}
    SP: eScan Anti-Virus (AV) Edition for Windows *Disabled/Updated* {07BA230A-C9E3-3C3A-C031-730E69F2E41B}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\logo1_.exe
    c:\windows\rundll16.exe
    .
    .
    (((((((((((((((((((((((((   Files Created from 2013-03-28 to 2013-04-28  )))))))))))))))))))))))))))))))
    .
    .
    2013-04-28 20:31 . 2013-04-28 20:31 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-04-28 20:31 . 2013-04-28 20:31 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2013-04-28 20:00 . 2013-04-28 20:00 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7E9F8509-C3E9-4E52-B5DE-FE940D6C7D2E}\offreg.dll
    2013-04-25 19:36 . 2013-04-25 19:36 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2013-04-24 09:01 . 2013-04-12 14:45 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys
    2013-04-21 17:11 . 2013-04-21 17:11 208216 ----a-w- c:\windows\system32\drivers\65626360.sys
    2013-04-20 08:01 . 2013-04-20 08:01 -------- d-----w- c:\users\Andrew\AppData\Roaming\EurekaLog
    2013-04-20 07:02 . 2013-02-22 07:17 203544 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
    2013-04-20 07:02 . 2013-02-22 07:17 102936 ----a-w- c:\windows\system32\drivers\ssudbus.sys
    2013-04-15 19:26 . 2013-04-15 19:33 -------- d-----w- c:\programdata\D8DC44DD4918B5330000D8DB6C07BB11
    2013-04-13 14:33 . 2013-04-13 14:41 -------- d-----w- c:\programdata\HitmanPro
    2013-04-13 11:50 . 2013-04-16 08:46 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2013-04-13 11:50 . 2013-04-04 13:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-04-13 11:47 . 2013-04-13 11:47 -------- d-----w- c:\windows\snack
    2013-04-10 16:53 . 2013-03-01 03:36 3153408 ----a-w- c:\windows\system32\win32k.sys
    2013-04-10 16:53 . 2013-01-24 06:01 223752 ----a-w- c:\windows\system32\drivers\fvevol.sys
    2013-04-10 16:53 . 2013-03-19 06:04 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-04-10 16:53 . 2013-03-19 05:04 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2013-04-10 16:53 . 2013-03-19 05:04 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2013-04-10 16:53 . 2013-03-19 05:46 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2013-04-10 16:53 . 2013-03-19 03:06 112640 ----a-w- c:\windows\system32\smss.exe
    2013-04-10 16:53 . 2013-03-19 04:47 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-04-10 21:57 . 2010-11-09 20:47 72702784 ----a-w- c:\windows\system32\MRT.exe
    2013-04-02 12:16 . 2011-05-07 12:20 236248 ----a-w- c:\windows\system32\drivers\RapportKE64.sys
    2013-04-02 10:34 . 2010-09-19 16:24 282744 ------w- c:\windows\system32\MpSigStub.exe
    2013-03-19 17:51 . 2013-03-19 17:51 3698408 ----a-w- c:\windows\SysWow64\asapsdk.dll
    2013-03-13 18:57 . 2012-03-30 15:33 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2013-03-13 18:57 . 2011-05-15 10:51 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-03-13 18:56 . 2013-03-13 18:56 16486616 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2013-03-01 18:58 . 2013-03-01 18:58 350160 ----a-w- c:\windows\system32\drivers\trufos.sys
    2013-02-28 23:19 . 2010-09-19 17:41 80104 ----a-w- c:\windows\killproc.exe
    2013-02-12 05:45 . 2013-03-13 17:41 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll
    2013-02-12 05:45 . 2013-03-13 17:41 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll
    2013-02-12 05:45 . 2013-03-13 17:41 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll
    2013-02-12 05:45 . 2013-03-13 17:41 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll
    2013-02-12 04:48 . 2013-03-13 17:41 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2013-02-12 04:48 . 2013-03-13 17:41 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
    2013-02-12 04:12 . 2013-03-13 20:44 19968 ----a-w- c:\windows\system32\drivers\usb8023.sys
    2013-02-05 16:53 . 2012-08-15 19:37 4659712 ----a-w- c:\windows\SysWow64\Redemption.dll
    2013-02-05 16:52 . 2012-08-15 19:37 821824 ----a-w- c:\windows\SysWow64\dgderapi.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2011-03-04 2736128]
    "OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2012-01-18 911160]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-27 39408]
    "KiesPreload"="c:\program files (x86)\Samsung\Kies\Kies.exe" [2013-03-28 1511792]
    "Allway Sync"="c:\program files (x86)\Allway Sync\Bin\syncappw.exe" [2013-04-12 93264]
    "KiesPDLR"="c:\program files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2013-03-28 1106288]
    "NokiaSuite.exe"="c:\program files (x86)\Nokia\Nokia Suite\NokiaSuite.exe" [2012-12-21 1090040]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-10-17 284440]
    "NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
    "EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
    "PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2011-06-15 307200]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-11 59280]
    "WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2012-06-28 74752]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
    "KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2013-03-28 310640]
    .
    c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2013-1-8 246368]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HD Writer.lnk - c:\program files (x86)\Common Files\Panasonic\HD Writer AutoStart\HDWriterAutoStart.exe [2012-8-30 292736]
    PKZIP Attachments Status.lnk - c:\program files (x86)\PKWARE\PKZIPM\12.50.0013\PKTray.exe [2010-10-14 304464]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2013-01-08 161536]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2010-08-16 116240]
    R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2013-02-22 102936]
    R3 econceal;eConceal Service;c:\windows\system32\DRIVERS\econceal.sys [2010-06-03 33800]
    R3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2011-11-23 29184]
    R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [2009-10-07 327704]
    R3 LVUVC64;Logitech QuickCam S7500(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [2009-10-07 6379288]
    R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-01-09 174440]
    R3 ProcObsrvesx;Process Creation Monitor;c:\program files (x86)\eScan\PROCOBSRVESX.SYS [2012-04-16 20744]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
    R3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [2009-12-21 51712]
    R3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\DRIVERS\RtVlan60.sys [2007-12-03 24064]
    R3 SolarWinds TFTP Server;SolarWinds TFTP Server;c:\program files (x86)\SolarWinds\TFTPServer\SolarWinds TFTP Server.exe [2010-06-10 54784]
    R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2013-02-22 203544]
    R3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [2009-12-21 51712]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
    R3 VLAN;Realtek Virtual Miniport Driver for VLAN (NDIS 6.2);c:\windows\system32\DRIVERS\RtVLAN60.sys [2007-12-03 24064]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-10-17 1255736]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2011-10-04 55952]
    S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys [2013-04-02 236248]
    S1 RapportCerberus_51755;RapportCerberus_51755;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_51755.sys [2013-03-24 586072]
    S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2013-04-02 228600]
    S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2013-04-02 357272]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 203776]
    S2 EconService;eConServ;c:\progra~2\escan\EconSer.exe [2012-06-18 533800]
    S2 eScan-trayicos;eScan Server-Updater;c:\program files (x86)\eScan\TRAYSSER.EXE [2012-05-09 132872]
    S2 eScan Monitor Service;eScan Monitor Service;c:\progra~3\MICROW~1\eScanBD\avpmapp.exe [2012-06-17 1483072]
    S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-10-17 13592]
    S2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 191000]
    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
    S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344]
    S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2013-04-02 1124184]
    S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2009-07-20 27136]
    S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2013-02-26 3560800]
    S3 econcealMP;econcealMP;c:\windows\system32\DRIVERS\econceal.sys [2010-06-03 33800]
    S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-24 22408]
    S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-24 16008]
    S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2009-10-07 30232]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 25928]
    S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-04-27 83080]
    S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-04-27 184968]
    S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [2009-11-11 34160]
    S3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso64.sys [2013-03-24 175352]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-01-26 425064]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - NisDrv
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2011-03-04 12:29 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-04-28 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 18:57]
    .
    2013-02-17 c:\windows\Tasks\Allway Sync_{40B4340B846097668D6E2534FBF9AB91}.job
    - c:\program files (x86)\Allway Sync\Bin\syncappw.exe [2012-12-27 11:28]
    .
    2013-04-21 c:\windows\Tasks\Allway Sync_{423727186CC5E405C55C0C8856706B85}.job
    - c:\program files (x86)\Allway Sync\Bin\syncappw.exe [2012-12-27 11:28]
    .
    2013-03-17 c:\windows\Tasks\Allway Sync_{49A571C0EF8CCD7B927AE0D251C95092}.job
    - c:\program files (x86)\Allway Sync\Bin\syncappw.exe [2012-12-27 11:28]
    .
    2013-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-19 19:11]
    .
    2013-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-09-19 19:11]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 112512]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-11 2320752]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 660360]
    "Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2011-12-07 5889816]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
    FontCache
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mDefault_Search_URL = hxxp://www.google.com
    mStart Page =
    mSearch Page = hxxp://www.google.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
    TCP: Interfaces\{E5B162B6-9EAC-4FFA-9838-011765887213}: NameServer = 217.72.162.2,212.104.130.65,212.104.130.9
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-CoreAAC Audio Decoder - c:\windows\system32\CoreAAC-uninstall.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
       00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-04-28  21:33:52
    ComboFix-quarantined-files.txt  2013-04-28 20:33
    ComboFix2.txt  2013-04-28 20:00
    ComboFix3.txt  2013-04-28 09:02
    ComboFix4.txt  2013-04-13 11:35
    .
    Pre-Run: 550,105,387,008 bytes free
    Post-Run: 550,035,234,816 bytes free
    .
    - - End Of File - - 0A4471EF4FA98CD2CFACF9128017E54E


    Best regards


    Andy.



    #12 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:USA
    • Local time:09:16 AM

    Posted 28 April 2013 - 03:59 PM

    Good...how is your system running?




    #13 fixit9660

    fixit9660
    • Topic Starter

    • Members
    • 30 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Somerset, UK
    • Local time:03:16 PM

    Posted 28 April 2013 - 04:10 PM

    Hmm, just running the eScan AV and it's found and removed the following after only a few minutes:

    28 Apr 2013 21:51:29 - ***** Scanning Registry Files *****
    28 Apr 2013 21:51:29 - ERROR(3)!!! Invalid Entry cmdline = %SystemRoot%\system32\ntvdm.exe (in key HKLM\SYSTEM\CurrentControlSet\Control\WOW). Action Taken: Removing it.
    28 Apr 2013 21:58:21 - ***** Scanning Service Files *****
    28 Apr 2013 21:58:23 - ERROR(2)!!! Invalid Entry \??\C:\ComboFix\catchme.sys. Action Taken: Removing HKLM\SYSTEM\CurrentControlSet\Services\catchme.

    28 Apr 2013 22:01:33 - ***** Scanning Registry and File system for Adware/Spyware *****

    28 Apr 2013 22:01:36 - Offending Registry Entry found: HKCU\SOFTWARE\Wget
    28 Apr 2013 22:01:36 - System found infected with Backdoor (IRCBot) Trojans Spyware/Adware (HKCU\SOFTWARE\Wget)! Action taken: Entries Removed.
    28 Apr 2013 22:01:36 - Object "Backdoor (IRCBot) Trojans Spyware/Adware" found in File System! Action Taken: Entries Removed.

    28 Apr 2013 22:01:36 - Offending Registry Entry found: HKCU\Software\Microsoft\OLE
    28 Apr 2013 22:01:36 - System found infected with Backdoor (IRCBot) Trojans Spyware/Adware (HKCU\Software\Microsoft\OLE)! Action taken: Entries Removed.
    28 Apr 2013 22:01:36 - Object "Backdoor (IRCBot) Trojans Spyware/Adware" found in File System! Action Taken: Entries Removed.

    28 Apr 2013 22:01:36 - Offending Registry Entry found: HKCU\Software\Microsoft\Windows\CurrentVersion\Drivers
    28 Apr 2013 22:01:36 - System found infected with AntiSpyware Pro XP Corrupted Adware/Spyware (HKCU\Software\Microsoft\Windows\CurrentVersion\Drivers)! Action taken: Entries Removed.
    28 Apr 2013 22:01:36 - Object "AntiSpyware Pro XP Corrupted Adware/Spyware" found in File System! Action Taken: Entries Removed.

    28 Apr 2013 22:05:54 - File I:\Andy Kendall\My Data Not Backed Up\DATA\Downloads\Cisco\Password Cracker\ca2_setup.exe infected by "Virtool.4034[ZP] (DB)" Virus! Action Taken: File Quarantined.


    Is it just "tidying up" after Combofix or is it finding genuinely concerning items? I don't know.


    Best regards,


    Andy.
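The question in the post above (tool clean-up versus a real finding) is the kind of triage a helper does by eye. As an added illustration that is not part of the thread and not code from eScan or ComboFix, the script below parses log lines in the format quoted above and separates entries that only reference ComboFix's own working folder or its catchme driver from everything else, which it hands back for human review rather than judging. The line format, the `Action Taken:` field and the category names are assumptions inferred from the quoted lines; the sample log is constructed to match their shape, with a shortened placeholder file path in place of the poster's real one.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the eScan lines quoted in the post;
# the file path is a shortened placeholder, not the poster's real location.
SAMPLE_LOG = r"""28 Apr 2013 21:51:29 - ***** Scanning Registry Files *****
28 Apr 2013 21:51:29 - ERROR(3)!!! Invalid Entry cmdline = %SystemRoot%\system32\ntvdm.exe (in key HKLM\SYSTEM\CurrentControlSet\Control\WOW). Action Taken: Removing it.
28 Apr 2013 21:58:21 - ***** Scanning Service Files *****
28 Apr 2013 21:58:23 - ERROR(2)!!! Invalid Entry \??\C:\ComboFix\catchme.sys. Action Taken: Removing HKLM\SYSTEM\CurrentControlSet\Services\catchme.
28 Apr 2013 22:01:36 - Offending Registry Entry found: HKCU\SOFTWARE\Wget
28 Apr 2013 22:01:36 - System found infected with Backdoor (IRCBot) Trojans Spyware/Adware (HKCU\SOFTWARE\Wget)! Action taken: Entries Removed.
28 Apr 2013 22:05:54 - File I:\Downloads\example_setup.exe infected by "Virtool.4034[ZP] (DB)" Virus! Action Taken: File Quarantined.
"""

# Assumed line layout: "<dd Mon yyyy HH:MM:SS> - <message>"
LINE_RE = re.compile(r"^(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) - (.*)$")
ACTION_RE = re.compile(r"Action [Tt]aken:\s*(.+?)\.?\s*$")
# Only ComboFix's own folder and its catchme driver count as tool residue.
COMBOFIX_RE = re.compile(r"\\ComboFix\\|catchme", re.IGNORECASE)


@dataclass
class Entry:
    when: datetime
    category: str
    action: Optional[str]
    message: str


def classify(message: str) -> str:
    """Bucket one eScan message; ComboFix residue is checked first so it is
    never counted as a fresh detection. Category names are this script's own."""
    if COMBOFIX_RE.search(message):
        return "combofix-artifact"
    if " infected by " in message:
        return "file-detection"
    if message.startswith("Offending Registry Entry") or message.startswith("System found infected"):
        return "registry-detection"
    if "Invalid Entry" in message:
        return "invalid-entry"
    return "other"


def parse_escan_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stamp, message = m.groups()
        if message.startswith("*****"):  # section banners carry no finding
            continue
        am = ACTION_RE.search(message)
        entries.append(Entry(
            when=datetime.strptime(stamp, "%d %b %Y %H:%M:%S"),
            category=classify(message),
            action=am.group(1) if am else None,
            message=message,
        ))
    return entries


def summarize(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.category] = counts.get(e.category, 0) + 1
    return counts


def triage(entries: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Separate known ComboFix residue from everything else. Every other
    line is returned untouched for the person handling the case to judge;
    nothing here decides whether a detection is genuine."""
    artifacts = [e for e in entries if e.category == "combofix-artifact"]
    review = [e for e in entries if e.category != "combofix-artifact"]
    return artifacts, review


if __name__ == "__main__":
    parsed = parse_escan_log(SAMPLE_LOG)
    print(summarize(parsed))
    residue, needs_review = triage(parsed)
    for e in needs_review:
        print(f"{e.when:%H:%M:%S} [{e.category}] action={e.action!r}: {e.message[:70]}")
```

Run against a saved eScan log, the `review` list is what a helper would want pasted back, while the `artifacts` list confirms that the only ComboFix-related line removed was the catchme service registration.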



    #14 jeffce

    jeffce

      Bleepin' Super Saiyan


    • Malware Response Team
    • 3,442 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:USA
    • Local time:09:16 AM

    Posted 28 April 2013 - 07:28 PM

    Well...hopefully it is not removing any files we needed.  I understand that you want your system back as quickly as you can but please don't run any more scans without being asked.  It may remove a specific file that we need to see...


    How is your system running??




    #15 fixit9660

    fixit9660
    • Topic Starter

    • Members
    • 30 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Somerset, UK
    • Local time:03:16 PM

    Posted 29 April 2013 - 03:48 AM

    Oh. I'm very sorry Jeff, I misunderstood your comment "how is your system running" to mean you'd finished diagnosis. Sincere apologies. :blush:

    So far I've had no more virus alerts - eScan has been very good so far at detecting and stopping the progress of malware, better in fact than the MSE. I'll go into detail if you want.

    The problem is my system was running fine beforehand. It was only the AV software alerting over the by-product malware installed by the main item(s) that indicated there was anything wrong. By the way, what was the main/original item please?


    I've attached the full eScan Log which ran overnight, for your further info if required.


    Best regards


    Andy.

    Attached Files
