Infected with Zero Access rootkit - need help removing


  • This topic is locked
18 replies to this topic

#1 knowenough

knowenough

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:25 AM

Posted 28 June 2013 - 03:18 PM

Posted earlier in the "Am I infected? What do I do?" forum:

"Posted Today, 11:29 AM

I got a popup earlier (while on Internet Explorer) that said I had a virus and that I needed to perform a system check. I Ctrl+Alt+Deleted and forced IE closed. I then went to do a system scan with Microsoft Security Essentials and an alert told me that I did not have sufficient access to perform that function. I tried to download MSE anew and I got the below message at the conclusion of my download:

Microsoft Security Essentials contained a virus and was deleted.

What is going on here? Can anyone help?"

This appears to be the same problem others have been experiencing with rootkit malware. Is that correct? If so, I've started on step six of the Preparation Guide for malware removal. Any attention to this is appreciated!

Here are the DDS logs:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16611
Run by GAP at 11:43:20 on 2013-06-28
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3327.1702 [GMT -7:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Windows\system32\LxrSII1s.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\PelService.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files\Sharp\Sharpdesk\FTPServer.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
C:\Users\GAP\AppData\Local\Lexar Media\LxrAutorun.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\HTC\HTC Sync Manager\HTC Sync\adb.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\Sharp\Sharpdesk\nsapp.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\rundll32.exe
c:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\ThinkPad\Utilities\SCHTASK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\FSRremoS.EXE
C:\Program Files\Lenovo\Lenovo Mouse Suite\PelElvDm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\ntvdm.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\svchost.exe -k swprv
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=LENP&bmod=LENP
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LENP&bmod=LENP
uProxyOverride = 192.168.1.*;127.0.0.*;10.0.0.*
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Speech Recognition] "c:\windows\speech\common\sapisvr.exe" -SpeechUX -Startup
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [LxrAutorun] c:\users\gap\appdata\local\lexar media\LxrAutorun.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Daemon for Mouse Suite] c:\program files\lenovo\lenovo mouse suite\ICO.EXE 60
mRun: [Power Manager Power Agenda] c:\progra~1\thinkpad\utilit~1\DPMHost.exe
mRun: [Lenovo Registration] c:\program files\lenovo registration\LenovoReg.exe /boot
mRun: [FileZilla Server Interface] "c:\program files\filezilla server\FileZilla Server Interface.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [IndexTray] "c:\program files\sharp\sharpdesk\IndexTray.exe" /n
mRun: [SharpTray] "c:\program files\sharp\sharpdesk\SharpTray.exe"
mRun: [TypeRegChecker] "c:\program files\sharp\sharpdesk\TypeRegChecker.exe"
mRun: [FtpServer.exe] "c:\program files\sharp\sharpdesk\FtpServer.exe" -usedefault
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\gap\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
TCP: Interfaces\{0A235966-DAAE-4693-AF44-B771991D8288} : NameServer = 184.16.4.22,184.16.33.54
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - c:\program files\sharp\sharpdesk\ExplorerExtensions.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist remote support customer\461\g2ax_winlogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\windows mail\WinMail.exe" OCInstallUserConfigOE
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-1-20 195296]
R2 HTCMonitorService;HTCMonitorService;c:\program files\htc\htc sync manager\HSMServiceEntry.exe [2012-12-12 87368]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2012-1-31 375120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-9-16 13624]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2012-4-10 47640]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2013-3-18 63448]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 100328]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2013-1-11 167424]
R2 PelService;Session Launcher Service;c:\program files\lenovo\lenovo mouse suite\PelService.exe [2011-11-28 184320]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2011-11-28 70968]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2011-11-28 2066968]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2011-11-28 202408]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2009-7-2 38336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files\citrix\gotoassist remote support customer\461\g2ax_service.exe [2012-11-1 610960]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-27 25088]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2012-12-7 23040]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-1-27 295232]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2009-8-4 1124848]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-3-10 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2013-06-28 18:41:29 -------- d--h--w- c:\windows\PIF
2013-06-28 17:56:29 -------- d-----w- C:\0eccfa91ad3e742623d7c366c8c0b0
2013-06-28 17:20:00 -------- d-----w- C:\Backup
2013-06-28 16:15:22 60872 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{128ea3bd-ee75-43a0-95a5-83859e93bdfe}\offreg.dll
2013-06-27 22:12:51 -------- d-----w- c:\users\gap\appdata\roaming\RealNetworks
2013-06-27 20:10:36 7068072 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{128ea3bd-ee75-43a0-95a5-83859e93bdfe}\mpengine.dll
2013-06-26 20:10:15 7068072 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-06-21 10:30:21 724464 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{8a90b2ea-7143-4fe0-a22c-6c17005a5690}\gapaengine.dll
2013-06-12 22:26:45 -------- d-----w- c:\users\gap\appdata\local\{140814C9-C57B-4321-BC1B-102DEF8408DC}
2013-06-12 10:01:22 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-06-12 10:01:22 218112 ----a-w- c:\program files\internet explorer\sqmapi.dll
2013-06-12 00:38:06 1505280 ----a-w- c:\windows\system32\d3d11.dll
2013-06-12 00:38:02 492544 ----a-w- c:\windows\system32\win32spl.dll
2013-06-12 00:37:59 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-06-12 00:37:56 903168 ----a-w- c:\windows\system32\certutil.exe
2013-06-12 00:37:56 43008 ----a-w- c:\windows\system32\certenc.dll
2013-06-12 00:37:56 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-06-12 00:37:56 1160192 ----a-w- c:\windows\system32\crypt32.dll
2013-06-12 00:37:56 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-06-12 00:32:52 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2013-06-12 00:32:31 3968872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-06-12 00:32:31 3913576 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-06-12 00:27:28 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-06-05 21:56:12 -------- d-----w- c:\users\gap\appdata\local\{C6FDB26C-2225-4C53-9857-F6D30AFFBF38}
2013-06-03 18:46:43 -------- d-----w- c:\users\gap\appdata\roaming\Softplicity
2013-06-03 18:46:37 -------- d-----w- c:\program files\PDF Combine
.
==================== Find3M  ====================
.
2013-06-24 16:57:04 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-24 16:57:04 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-07 23:04:48 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2013-06-07 23:04:48 53064 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2013-06-07 23:04:47 92488 ----a-w- c:\windows\system32\LMIinit.dll
2013-06-07 23:04:47 31560 ----a-w- c:\windows\system32\LMIport.dll
2013-05-27 23:04:46 86888 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.001.bak
2013-05-17 01:25:57 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-05-17 01:25:27 2877440 ----a-w- c:\windows\system32\jscript9.dll
2013-05-17 01:25:26 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-05-17 01:25:26 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-05-14 08:40:13 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-05-02 15:28:50 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-13 04:45:16 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-04-12 13:45:29 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 05:18:40 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-04-10 05:18:40 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2013-04-10 03:14:06 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-04-05 10:02:08 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
.
============= FINISH: 11:43:27.28 ===============
 

 

 



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:25 PM

Posted 30 June 2013 - 10:55 PM

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 knowenough

knowenough
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:25 AM

Posted 01 July 2013 - 01:40 PM

Thanks for the reply. Here are the logs you asked for:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-07-2013 02
Ran by GAP (administrator) on 01-07-2013 11:23:28
Running from C:\Users\GAP\Desktop
Microsoft Windows 7 Home Premium  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal
 
==================== Processes (Whitelisted) ===================
 
(FileZilla Project) C:\Program Files\FileZilla Server\FileZilla Server.exe
(Nero AG) C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\RaMaint.exe
(Intel Corporation) C:\Program Files\Intel\AMT\LMS.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeIn.exe
(Lexar Media, Inc.) C:\Windows\system32\LxrSII1s.exe
() C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
() C:\Program Files\Lenovo\Lenovo Mouse Suite\PelService.exe
(Lenovo) C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Primax Electronics Ltd.) C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
(SHARP CORPORATION) C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
(SHARP CORPORATION) C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
(SHARP CORPORATION) C:\Program Files\Sharp\Sharpdesk\FTPServer.exe
(SHARP CORPORATION) C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\Update\realsched.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
() C:\Users\GAP\AppData\Local\Lexar Media\LxrAutorun.exe
(Google) C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
() C:\Program Files\HTC\HTC Sync Manager\HTC Sync\adb.exe
(SHARP CORPORATION) C:\Program Files\Sharp\Sharpdesk\nsapp.exe
(Lenovo Group Limited) C:\Program Files\ThinkPad\Utilities\SCHTASK.EXE
() C:\Program Files\Lenovo\Lenovo Mouse Suite\FSRremoS.EXE
() C:\Program Files\Lenovo\Lenovo Mouse Suite\PelElvDm.exe
(Lenovo Group Limited) c:\Program Files\Lenovo\System Update\SUService.exe
(Lenovo Group Limited) C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
() C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
(Microsoft Corporation) C:\Windows\system32\wuauclt.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
(ScanSoft, Inc.) C:\Program Files\Sharp\Sharpdesk\xocr32b.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Daemon for Mouse Suite] C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.EXE 60 [69632 2010-07-27] (Primax Electronics Ltd.)
HKLM\...\Run: [Power Manager Power Agenda] C:\PROGRA~1\ThinkPad\UTILIT~1\DPMHost.exe [75064 2010-07-28] ()
HKLM\...\Run: [Lenovo Registration] C:\Program Files\Lenovo Registration\LenovoReg.exe /boot [4351712 2011-07-13] (Lenovo, Inc.)
HKLM\...\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe" [1044992 2012-02-26] (FileZilla Project)
HKLM\...\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [63048 2011-09-16] (LogMeIn, Inc.)
HKLM\...\Run: [IndexTray] "C:\Program Files\Sharp\Sharpdesk\IndexTray.exe" /n [106496 2007-08-02] (SHARP CORPORATION)
HKLM\...\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [32768 2007-08-02] (SHARP CORPORATION)
HKLM\...\Run: [TypeRegChecker] "C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe" [57344 2007-08-02] (SHARP CORPORATION)
HKLM\...\Run: [FtpServer.exe] "C:\Program Files\Sharp\Sharpdesk\FtpServer.exe" -usedefault [692224 2007-07-25] (SHARP CORPORATION)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-10-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM\...\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe"  -osboot [296056 2012-06-14] (RealNetworks, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files\Citrix\GoToAssist Remote Support Customer\461\g2ax_winlogon.dll [X]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess
HKCU\...\Run: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup [51712 2009-07-13] (Microsoft Corporation)
HKCU\...\Run: [Steam] "C:\Program Files\Steam\steam.exe" -silent [1635752 2013-05-03] (Valve Corporation)
HKCU\...\Run: [LxrAutorun] C:\Users\GAP\AppData\Local\Lexar Media\LxrAutorun.exe [24576 2009-12-17] ()
HKCR\...0c966feabec1\InprocServer32: [Default-shell32] %SystemRoot%\system32\shell32.dll ATTENTION! ====> ZeroAccess?
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] %SystemRoot%\system32\shell32.dll ATTENTION! ====> ZeroAccess?
HKCU\...\Policies\system: [DisableRegistryTools] 0
HKCU\...\Policies\system: [DisableTaskMgr] 0
MountPoints2: {1949f15b-19fa-11e1-88d1-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\Default\...\RunOnce: []  [x]
HKU\Default\...\RunOnce: [Lenovoautoqdrive] C:\PROGRA~1\Common~1\Lenovo\Lenovo~1\LenovoAutorunreg.exe /DRIVE=Q [ 2009-03-24] ()
HKU\Default User\...\RunOnce: []  [x]
HKU\Default User\...\RunOnce: [Lenovoautoqdrive] C:\PROGRA~1\Common~1\Lenovo\Lenovo~1\LenovoAutorunreg.exe /DRIVE=Q [ 2009-03-24] ()
Startup: C:\ProgramData\Start Menu\Programs\Startup\Google Calendar Sync.lnk
ShortcutTarget: Google Calendar Sync.lnk -> C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe (Google)
Startup: C:\Users\GAP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=LENP&bmod=LENP
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=LENP&bmod=LENP
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKCU -No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files\Sharp\Sharpdesk\ExplorerExtensions.dll (SHARP CORPORATION)
Tcpip\..\Interfaces\{0A235966-DAAE-4693-AF44-B771991D8288}: [NameServer]184.16.4.22,184.16.33.54
 
========================== Services (Whitelisted) =================
 
R2 FileZilla Server; C:\Program Files\FileZilla Server\FileZilla Server.exe [632320 2012-02-26] (FileZilla Project)
S3 GoToAssist Remote Support Customer; C:\Program Files\Citrix\GoToAssist Remote Support Customer\461\g2ax_service.exe [610960 2012-11-01] (Citrix Online, a division of Citrix Systems, Inc.)
R2 HTCMonitorService; C:\Program Files\HTC\HTC Sync Manager\HSMServiceEntry.exe [87368 2012-12-12] (Nero AG)
R2 LxrSII1s; C:\Windows\system32\LxrSII1s.exe [65536 2009-12-30] (Lexar Media, Inc.)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] ()
R2 PassThru Service; C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe [167424 2012-12-07] ()
R2 PelService; C:\Program Files\Lenovo\Lenovo Mouse Suite\PelService.exe [184320 2010-04-21] ()
R2 SUService; c:\Program Files\Lenovo\System Update\SUService.exe [28672 2010-03-15] (Lenovo Group Limited)
R2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2066968 2009-07-20] (Intel Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] ()
 
==================== Drivers (Whitelisted) ====================
 
S3 htcnprot; C:\Windows\System32\DRIVERS\htcnprot.sys [23040 2012-12-07] (Windows ® Win 7 DDK provider)
R2 LMIInfo; C:\Program Files\LogMeIn\x86\RaInfo.sys [13624 2013-05-27] (LogMeIn, Inc.)
R2 LMIRfsDriver; C:\Windows\system32\drivers\LMIRfsDriver.sys [47640 2011-09-16] (LogMeIn, Inc.)
R2 LxrSII1d; C:\Windows\System32\Drivers\LxrSII1d.sys [63448 2009-12-30] (Lexar Media, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)
S1 grdexkvn; \??\C:\Windows\system32\drivers\grdexkvn.sys [x]
S4 LMIRfsClientNP; No ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-07-01 11:23 - 2013-07-01 11:23 - 00000000 ____D C:\FRST
2013-07-01 11:22 - 2013-07-01 11:19 - 01372461 ____A (Farbar) C:\Users\GAP\Desktop\FRST.exe
2013-07-01 09:04 - 2013-07-01 09:04 - 00000000 ____D C:\Users\GAP\Desktop\EmsisoftEmergencyKit
2013-07-01 07:47 - 2013-07-01 07:47 - 00004689 ____A C:\Users\GAP\Desktop\JRT.txt
2013-07-01 07:46 - 2013-07-01 07:46 - 00000000 ____D C:\Windows\ERUNT
2013-07-01 07:45 - 2013-07-01 07:45 - 00000000 ____D C:\JRT
2013-07-01 07:42 - 2013-07-01 07:42 - 00000679 ____A C:\Users\GAP\Desktop\AdwCleaner[S1]_7_1_2013.txt
2013-07-01 07:39 - 2013-07-01 07:39 - 00000679 ____A C:\AdwCleaner[S1].txt
2013-07-01 07:38 - 2013-07-01 07:38 - 00023788 ____A C:\Users\GAP\Desktop\MiniToolBox_result_7_1_2013.txt
2013-06-28 11:41 - 2013-06-28 11:41 - 00000000 __RSH C:\MSDOS.SYS
2013-06-28 11:41 - 2013-06-28 11:41 - 00000000 __RSH C:\IO.SYS
2013-06-28 11:41 - 2013-06-28 11:41 - 00000000 ___HD C:\Windows\PIF
2013-06-28 10:20 - 2013-06-28 10:21 - 00000000 ____D C:\Backup
2013-06-27 15:12 - 2013-06-27 15:12 - 00000000 ____D C:\Users\GAP\AppData\Roaming\RealNetworks
2013-06-12 03:01 - 2013-06-08 04:42 - 01141248 ____N (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-12 03:01 - 2013-06-08 04:40 - 14327808 ____N (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-12 03:01 - 2013-06-08 04:40 - 13760512 ____N (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-12 03:01 - 2013-06-08 04:40 - 02046976 ____N (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-12 03:01 - 2013-06-08 04:40 - 00391168 ____N (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-12 03:01 - 2013-06-08 04:13 - 02706432 ____N (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-12 03:00 - 2013-05-16 18:26 - 00042496 ____N (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-06-12 03:00 - 2013-05-16 18:25 - 02877440 ____N (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-12 03:00 - 2013-05-16 18:25 - 01767936 ____N (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-12 03:00 - 2013-05-16 18:25 - 00690688 ____N (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-12 03:00 - 2013-05-16 18:25 - 00493056 ____N (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-12 03:00 - 2013-05-16 18:25 - 00109056 ____N (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-06-12 03:00 - 2013-05-16 18:25 - 00061440 ____N (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-06-12 03:00 - 2013-05-16 18:25 - 00039424 ____N (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-12 03:00 - 2013-05-16 18:25 - 00033280 ____N (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-06-12 03:00 - 2013-05-14 01:40 - 00071680 ____N (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-11 17:38 - 2013-04-25 21:55 - 00492544 ____N (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-11 17:38 - 2013-04-25 16:30 - 01505280 ____N (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-06-11 17:37 - 2013-05-12 21:45 - 01160192 ____N (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-11 17:37 - 2013-05-12 21:45 - 00140288 ____N (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-11 17:37 - 2013-05-12 21:45 - 00103936 ____N (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-11 17:37 - 2013-05-12 20:08 - 00903168 ____N (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-11 17:37 - 2013-05-12 20:08 - 00043008 ____N (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-11 17:37 - 2013-05-09 20:20 - 00024576 ____N (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-11 17:32 - 2013-05-05 22:06 - 03968872 ____N (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2013-06-11 17:32 - 2013-05-05 22:06 - 03913576 ____N (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2013-06-11 17:32 - 2013-04-17 00:02 - 01230336 ____N (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-06-11 17:27 - 2013-05-07 22:38 - 01293672 ____N (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-11 15:17 - 2013-06-11 15:17 - 00066048 ____N C:\Users\GAP\Desktop\Lawfirmbudget.xls
2013-06-03 11:50 - 2013-06-03 11:50 - 00009728 ___SH C:\Users\GAP\Thumbs.db
2013-06-03 11:46 - 2013-06-03 11:47 - 00000000 ____D C:\Program Files\PDF Combine
2013-06-03 11:46 - 2013-06-03 11:46 - 00001043 ____N C:\Users\GAP\Desktop\PDFCombine.lnk
2013-06-03 11:46 - 2013-06-03 11:46 - 00000000 ____D C:\Users\GAP\AppData\Roaming\Softplicity
2013-06-03 11:42 - 2013-06-03 11:46 - 06058192 ____N (Softplicity, Inc.                                           ) C:\Users\GAP\Downloads\PDFCombine_Download.exe
2013-06-03 11:39 - 2013-06-03 11:39 - 00584600 ____N C:\Users\GAP\Downloads\cbsidlm-tr1_13-PDF_Combine-SEO-10429191.exe
 
==================== One Month Modified Files and Folders ========
 
2013-07-01 11:23 - 2013-07-01 11:23 - 00000000 ____D C:\FRST
2013-07-01 11:23 - 2012-03-14 16:48 - 00000000 ____D C:\Users\GAP\Documents\Outlook Files
2013-07-01 11:19 - 2013-07-01 11:22 - 01372461 ____A (Farbar) C:\Users\GAP\Desktop\FRST.exe
2013-07-01 10:31 - 2013-03-22 15:44 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-01 10:11 - 2011-11-28 12:52 - 01558676 ____A C:\Windows\WindowsUpdate.log
2013-07-01 09:04 - 2013-07-01 09:04 - 00000000 ____D C:\Users\GAP\Desktop\EmsisoftEmergencyKit
2013-07-01 08:57 - 2012-05-01 08:57 - 00000336 ____A C:\Windows\Tasks\Indexing Task - GAP.job
2013-07-01 08:57 - 2012-05-01 08:57 - 00000258 ____A C:\Windows\Tasks\Indexing Task - GAP - test.job
2013-07-01 08:37 - 2009-07-13 21:34 - 00027984 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-01 08:37 - 2009-07-13 21:34 - 00027984 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-01 08:31 - 2013-03-05 10:33 - 00000000 ____D C:\Program Files\Steam
2013-07-01 08:31 - 2013-01-11 16:29 - 00000000 ____D C:\Users\GAP\AppData\Local\HTC MediaHub
2013-07-01 08:30 - 2009-07-13 21:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-01 08:30 - 2009-07-13 21:39 - 00066568 ____A C:\Windows\setupact.log
2013-07-01 07:47 - 2013-07-01 07:47 - 00004689 ____A C:\Users\GAP\Desktop\JRT.txt
2013-07-01 07:46 - 2013-07-01 07:46 - 00000000 ____D C:\Windows\ERUNT
2013-07-01 07:45 - 2013-07-01 07:45 - 00000000 ____D C:\JRT
2013-07-01 07:42 - 2013-07-01 07:42 - 00000679 ____A C:\Users\GAP\Desktop\AdwCleaner[S1]_7_1_2013.txt
2013-07-01 07:41 - 2012-03-08 23:19 - 00000466 ____A C:\Windows\Tasks\SystemToolsDailyTest.job
2013-07-01 07:39 - 2013-07-01 07:39 - 00000679 ____A C:\AdwCleaner[S1].txt
2013-07-01 07:38 - 2013-07-01 07:38 - 00023788 ____A C:\Users\GAP\Desktop\MiniToolBox_result_7_1_2013.txt
2013-07-01 07:34 - 2012-04-25 08:25 - 00037990 ____A C:\Users\GAP\Desktop\Pennies.xlsx
2013-07-01 07:14 - 2011-11-28 13:12 - 00000000 ____D C:\ProgramData\PCDr
2013-07-01 07:13 - 2012-04-10 11:36 - 00000000 ____D C:\ProgramData\LogMeIn
2013-06-28 15:36 - 2011-11-28 13:03 - 00000000 ____D C:\swshare
2013-06-28 11:41 - 2013-06-28 11:41 - 00000000 __RSH C:\MSDOS.SYS
2013-06-28 11:41 - 2013-06-28 11:41 - 00000000 __RSH C:\IO.SYS
2013-06-28 11:41 - 2013-06-28 11:41 - 00000000 ___HD C:\Windows\PIF
2013-06-28 11:23 - 2013-04-02 17:16 - 00000000 ____D C:\Users\GAP\Downloads\ABEstimating(Windows)
2013-06-28 10:57 - 2012-04-02 08:31 - 00002198 ____N C:\Windows\epplauncher.mif
2013-06-28 10:57 - 2010-11-20 14:01 - 00730320 ____N C:\Windows\System32\PerfStringBackup.INI
2013-06-28 10:21 - 2013-06-28 10:20 - 00000000 ____D C:\Backup
2013-06-27 16:12 - 2012-05-02 11:49 - 00982016 ___SH C:\Users\GAP\Desktop\Thumbs.db
2013-06-27 16:12 - 2012-03-22 09:41 - 00000000 ____D C:\Scans
2013-06-27 15:12 - 2013-06-27 15:12 - 00000000 ____D C:\Users\GAP\AppData\Roaming\RealNetworks
2013-06-25 12:59 - 2010-11-20 14:48 - 00680708 ____N C:\Windows\PFRO.log
2013-06-24 09:57 - 2013-03-22 15:44 - 00692104 ____N (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-24 09:57 - 2013-03-22 15:44 - 00071048 ____N (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-21 14:16 - 2012-04-26 10:39 - 00000000 ____D C:\Users\GAP\AppData\Local\CrashDumps
2013-06-12 03:55 - 2009-07-13 19:37 - 00000000 ____D C:\Windows\rescache
2013-06-11 15:50 - 2012-03-08 23:18 - 00000000 ____D C:\users\GAP
2013-06-11 15:20 - 2012-03-08 23:19 - 00000528 ____N C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
2013-06-11 15:17 - 2013-06-11 15:17 - 00066048 ____N C:\Users\GAP\Desktop\Lawfirmbudget.xls
2013-06-08 04:42 - 2013-06-12 03:01 - 01141248 ____N (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-08 04:40 - 2013-06-12 03:01 - 14327808 ____N (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-08 04:40 - 2013-06-12 03:01 - 13760512 ____N (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-08 04:40 - 2013-06-12 03:01 - 02046976 ____N (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-08 04:40 - 2013-06-12 03:01 - 00391168 ____N (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-08 04:13 - 2013-06-12 03:01 - 02706432 ____N (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-07 16:05 - 2012-04-10 11:36 - 00000000 ____D C:\Program Files\LogMeIn
2013-06-07 16:04 - 2012-04-10 11:36 - 00092488 ____N (LogMeIn, Inc.) C:\Windows\System32\LMIinit.dll
2013-06-07 16:04 - 2012-04-10 11:36 - 00086888 ____N (LogMeIn, Inc.) C:\Windows\System32\LMIRfsClientNP.dll
2013-06-07 16:04 - 2012-04-10 11:36 - 00031560 ____N (LogMeIn, Inc.) C:\Windows\System32\LMIport.dll
2013-06-03 11:50 - 2013-06-03 11:50 - 00009728 ___SH C:\Users\GAP\Thumbs.db
2013-06-03 11:47 - 2013-06-03 11:46 - 00000000 ____D C:\Program Files\PDF Combine
2013-06-03 11:46 - 2013-06-03 11:46 - 00001043 ____N C:\Users\GAP\Desktop\PDFCombine.lnk
2013-06-03 11:46 - 2013-06-03 11:46 - 00000000 ____D C:\Users\GAP\AppData\Roaming\Softplicity
2013-06-03 11:46 - 2013-06-03 11:42 - 06058192 ____N (Softplicity, Inc.                                           ) C:\Users\GAP\Downloads\PDFCombine_Download.exe
2013-06-03 11:40 - 2009-07-13 19:37 - 00000000 ____D C:\Windows\Resources
2013-06-03 11:39 - 2013-06-03 11:39 - 00584600 ____N C:\Users\GAP\Downloads\cbsidlm-tr1_13-PDF_Combine-SEO-10429191.exe
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2884768940-1047703118-1905161095-1000\$37743d76880b2ec2ab2f0115f70f1fd8
 
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$37743d76880b2ec2ab2f0115f70f1fd8
 
Files to move or delete:
====================
C:\Users\GAP\g2ax_customer_downloadhelper_win32_x86.exe
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
 
 
LastRegBack: 2013-06-23 00:39
 
==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 01-07-2013 02
Ran by GAP at 2013-07-01 11:23:58
Running from C:\Users\GAP\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Installed Programs =======================
 
Access Help (Version: 2.00)
Adobe Flash Player 11 ActiveX (Version: 11.7.700.224)
Adobe Flash Player 11 Plugin (Version: 11.7.700.224)
Adobe Reader 9.2 (Version: 9.2.0)
Blender (Version: 2.63-release)
Bosch Divar 700 Series 3.34 Control Center (Version: 3.34)
Clio Sync (Version: 3.0)
Create Recovery Media (Version: 1.20.0.00)
D3DX10 (Version: 15.4.2368.0902)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
DirectX 9 Runtime (Version: 1.00.0000)
FileZilla Server (Version: beta 0.9.41)
GIMP 2.8.0 (Version: 2.8.0)
Google Calendar Sync
GoToAssist Customer 1.6.0.461 (Version: 1.6.0.461)
HTC Driver Installer (Version: 4.0.1.001)
HTC Sync Manager (Version: 1.1.77.0)
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.1872)
Intel® Management Engine Interface
Intel® Network Connections Drivers (Version: 14.2)
Intel® TV Wizard
Intel® Active Management Technology
IPTInstaller (Version: 4.0.8)
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 33 (Version: 6.0.330)
Junk Mail filter update (Version: 15.4.3502.0922)
Lenovo Mouse Suite (Version: 6.45)
Lenovo Registration (Version: 1.0.4)
Lenovo ThinkVantage Toolbox (Version: 6.0.5802.24)
Lenovo Welcome (Version: 2.02.003.0)
LogMeIn (Version: 4.1.2138)
Mesh Runtime (Version: 15.4.5722.2)
Message Center Plus (Version: 2.0.0012.00)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Office 2010 (Version: 14.0.4763.1000)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Home and Business 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Single Image 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Security Client (Version: 4.2.0223.1)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
MSVCRT (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
PDF Combine (Version: 2.5)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealPlayer (Version: 15.0.4)
RealUpgrade 1.1 (Version: 1.1.0)
Rescue and Recovery (Version: 4.30.0025.00)
Roxio Activation Module (Version: 1.0)
Roxio Central Audio (Version: 3.8.0)
Roxio Central Copy (Version: 3.8.0)
Roxio Central Core (Version: 3.8.0)
Roxio Central Data (Version: 3.8.0)
Roxio Central Tools (Version: 3.8.0)
Roxio Creator Business Edition (Version: 10.3)
Roxio Creator Business Edition (Version: 10.3.081)
Roxio Express Labeler 3 (Version: 3.2.1)
Sharpdesk (Version: 3.2)
Sonic CinePlayer Decoder Pack (Version: 4.3.0)
Sonic Icons for Lenovo (Version: 2.0.0)
SoundMAX (Version: 6.10.1.6595)
Steam (Version: 1.0.0.0)
System Requirements Lab CYRI (Version: 4.5.1.0)
System Update (Version: 4.00.0032)
Team Fortress 2
ThinkVantage Power Manager (Version: 1.04.0023)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition
Windows Driver Package - AnalogDevices (ADIHdAudAddService) MEDIA  (08/05/2009 6.10.01.6595) (Version: 08/05/2009 6.10.01.6595)
Windows Driver Package - Intel (e1kexpress) Net  (06/22/2009 11.0.41.0) (Version: 06/22/2009 11.0.41.0)
Windows Driver Package - Intel (HECI) System  (06/23/2009 5.2.0.1008) (Version: 06/23/2009 5.2.0.1008)
Windows Driver Package - Intel (Serial) Ports  (07/06/2009 5.5.1.1012) (Version: 07/06/2009 5.5.1.1012)
Windows Driver Package - Intel Corporation (igfx) Display  (08/13/2009 8.15.10.1872) (Version: 08/13/2009 8.15.10.1872)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3508.1109)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Mesh (Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
 
==================== Restore Points  =========================
 
31-05-2013 10:32:14 Windows Update
04-06-2013 10:32:34 Windows Update
08-06-2013 10:32:23 Windows Update
12-06-2013 10:00:12 Windows Update
15-06-2013 10:29:18 Windows Update
18-06-2013 10:34:41 Windows Update
22-06-2013 10:29:19 Windows Update
25-06-2013 17:00:34 Windows Update
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: {172FAE82-DACF-4BD6-B82C-0480165E24B4} - System32\Tasks\Microsoft\Windows Live\SOXE\Extractor Definitions Update Task
Task: {38A0C33E-33E4-4D07-BD54-3BC6ABE1E038} - System32\Tasks\TVT\ChangePWD => %RR%\rrcmd.exe No File
Task: {680F8589-BABF-48C9-8A34-F7E568BB4C2A} - System32\Tasks\PMTask => C:\PROGRA~1\ThinkPad\UTILIT~1\PwmIdTsv.exe [2010-07-28] (Lenovo Group Limited)
Task: {7D51A6B9-2209-45B3-B0D0-A6EC678DE04A} - System32\Tasks\TVT\UpdateRnR => %TVTCOMMON%\Scheduler\tvtsetsched.exe No File
Task: {852D2A0A-8DE5-4088-A47F-1FE42919EF8D} - System32\Tasks\RealCreateProcessScheduledTask35267614S-1-5-21-2884768940-1047703118-1905161095-1000 => C:\Program Files\Real\RealPlayer\update\realsched.exe [2012-06-14] (RealNetworks, Inc.)
Task: {8629598D-CBD5-44AD-92FC-EEF747732B5C} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\MpCmdRun.exe [2013-01-27] ()
Task: {8C12205A-F652-4AA8-8459-7ABEF3B194C3} - System32\Tasks\TVT\LaunchRnR => %RR%\rrcmd.exe No File
Task: {8CEF9749-4B7D-477F-9FBB-42B6A5C02BB4} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-24] (Adobe Systems Incorporated)
Task: {9DB6308A-D7A8-4B93-B2EC-F2B20B102165} - System32\Tasks\Indexing Task - GAP - test => C:\Program Files\Sharp\Sharpdesk\IndexTask.exe [2007-08-02] (SHARP CORPORATION)
Task: {E225ABEC-6A51-4746-8784-C8D6C6AF022B} - System32\Tasks\Indexing Task - GAP => C:\Program Files\Sharp\Sharpdesk\IndexTask.exe [2007-08-02] (SHARP CORPORATION)
Task: {F1CF5421-ABC9-4EDC-B085-47CC76B735CC} - System32\Tasks\PCDEventLauncher => C:\Program Files\PC-Doctor\sessionchecker.exe [2011-03-31] (PC-Doctor, Inc.)
Task: {F3B37157-C801-467A-BFE2-FD9A5BDDB3B5} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\PC-Doctor\uaclauncher.exe [2011-03-31] (PC-Doctor, Inc.)
Task: {F9C563F5-5181-42A4-A521-E4E2D649F563} - System32\Tasks\MCP => C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe [2009-05-27] ()
Task: {FA9E363F-A14D-4F63-AF39-66D0F0747664} - System32\Tasks\SystemToolsDailyTest => C:\Program Files\PC-Doctor\uaclauncher.exe [2011-03-31] (PC-Doctor, Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\Indexing Task - GAP - test.job => C:\Program Files\Sharp\Sharpdesk\IndexTask.exe
Task: C:\Windows\Tasks\Indexing Task - GAP.job => C:\Program Files\Sharp\Sharpdesk\IndexTask.exe
Task: C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job => C:\Program Files\PC-Doctor\uaclauncher.exe
Task: C:\Windows\Tasks\SystemToolsDailyTest.job => C:\Program Files\PC-Doctor\uaclauncher.exe
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/01/2013 10:27:07 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (07/01/2013 10:25:50 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Dependent Assembly Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (07/01/2013 10:25:49 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (07/01/2013 08:32:36 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/01/2013 08:31:05 AM) (Source: NSSDK.MfpifValidator.1) (User: )
Description: IP 192.168.1.50 cannot be reached on the network.  (0x8215110b)
 
 
System errors:
=============
Error: (07/01/2013 11:22:32 AM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
 
Error: (07/01/2013 11:21:57 AM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
 
Error: (07/01/2013 11:21:27 AM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanServer service.
 
Error: (07/01/2013 11:20:58 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR4.
 
Error: (07/01/2013 09:04:26 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.
 
Error: (07/01/2013 08:30:48 AM) (Source: Service Control Manager) (User: )
Description: The Microsoft Antimalware Service service failed to start due to the following error: 
%%5
 
Error: (07/01/2013 07:51:33 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR3.
 
Error: (07/01/2013 07:51:21 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.
 
 
Microsoft Office Sessions:
=========================
Error: (07/01/2013 10:27:07 AM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\clio sync\ClxMapi64.exe
 
Error: (07/01/2013 10:25:50 AM) (Source: SideBySide)(User: )
Description: Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"C:\Program Files\HTC\HTC Sync Manager\HTC Sync\FDAgentForOutlook64.exe
 
Error: (07/01/2013 10:25:49 AM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"C:\Program Files\Clio Sync\ClxMapi64.exe
 
Error: (07/01/2013 08:32:36 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/01/2013 08:31:05 AM) (Source: NSSDK.MfpifValidator.1)(User: )
Description: IP 192.168.1.50 cannot be reached on the network.  (0x8215110b)
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 30%
Total physical RAM: 3327.17 MB
Available physical RAM: 2299.4 MB
Total Pagefile: 6652.63 MB
Available Pagefile: 5590.77 MB
Total Virtual: 2047.88 MB
Available Virtual: 1895.23 MB
 
==================== Drives ================================
 
Drive c: (Windows7_OS) (Fixed) (Total:454.82 GB) (Free:367.42 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: () (Removable) (Total:1.85 GB) (Free:1.45 GB) FAT
Drive q: (Lenovo_Recovery) (Fixed) (Total:9.77 GB) (Free:2.9 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 466 GB) (Disk ID: 0C951BC6)
Partition 1: (Active) - (Size=1 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=455 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=10 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 2 GB) (Disk ID: 63E16945)
Partition 1: (Active) - (Size=2 GB) - (Type=06)
 
==================== End Of Log ============================


#4 CatByte

    bleepin' tiger

  • Malware Response Team

Posted 01 July 2013 - 02:27 PM

Please do the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.)
Save it on your desktop as fixlist.txt

(if you saved FRST to a different folder and not your desktop originally, then save fixlist.txt to the same location as FRST was saved)


start
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess
HKCR\...0c966feabec1\InprocServer32: [Default-shell32] %SystemRoot%\system32\shell32.dll ATTENTION! ====> ZeroAccess?
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] %SystemRoot%\system32\shell32.dll ATTENTION! ====> ZeroAccess?
S1 grdexkvn; \??\C:\Windows\system32\drivers\grdexkvn.sys [x]
C:\$Recycle.Bin\S-1-5-21-2884768940-1047703118-1905161095-1000\$37743d76880b2ec2ab2f0115f70f1fd8
C:\$Recycle.Bin\S-1-5-18\$37743d76880b2ec2ab2f0115f70f1fd8
C:\Users\GAP\g2ax_customer_downloadhelper_win32_x86.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on your desktop (Fixlog.txt); please attach that log to your reply.

Note: FixList.txt and FRST must be saved to the same location or the fix will not work

Reboot Normally.



NEXT


Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
~~~~~~~~~~~~~~~~~~~~~~~

Note:
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
Internet access
Windows Update
Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit located in the mbar\plugins folder and reboot.
Verify that your system is now functioning normally.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
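The fixlist above was assembled by hand from the "ATTENTION" lines in the FRST log. As an added example (not CatByte's or Farbar's code), the script below does that extraction mechanically from FRST's own output format; the sample log is constructed from excerpts of this thread's log, and the entry order plus the decision to list `[x]` driver entries for review only (rather than auto-removing them) are my assumptions.

```python
"""Draft an FRST fixlist from the ZeroAccess findings in an FRST log.

Added example, not code from the forum post or from Farbar's FRST. It reads
the detection lines FRST prints (InprocServer32 hijacks, $Recycle.Bin payload
folders, files to move, directories that need DeleteJunctionsIndirectory) and
emits fixlist-style entries. Assumption: driver entries marked [x] (file
missing) are collected for human review only, because a missing driver file
by itself does not prove malware.
"""
import re

# Constructed sample: excerpts in FRST's own format, copied from this thread's log.
SAMPLE_FRST_LOG = r"""
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess
HKCR\...0c966feabec1\InprocServer32: [Default-shell32] %SystemRoot%\system32\shell32.dll ATTENTION! ====> ZeroAccess?
S1 grdexkvn; \??\C:\Windows\system32\drivers\grdexkvn.sys [x]

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2884768940-1047703118-1905161095-1000\$37743d76880b2ec2ab2f0115f70f1fd8

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$37743d76880b2ec2ab2f0115f70f1fd8

Files to move or delete:
====================
C:\Users\GAP\g2ax_customer_downloadhelper_win32_x86.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
"""

# FRST's Bamital/volsnap check names the directory whose junctions must be deleted.
JUNCTION_RE = re.compile(r"ATTENTION: ZeroAccess\. Use DeleteJunctionsIndirectory: (.+?)\s*$")
# Service/driver lines: start type, name, image path, and [x] when the file is missing.
MISSING_DRIVER_RE = re.compile(r"^[SRU]\d \S+; .+ \[x\]$")


def parse_frst_findings(log_text):
    """Walk the log line by line and bucket every ZeroAccess-related finding."""
    findings = {"registry": [], "recycle_bin": [], "files": [],
                "junctions": [], "missing_drivers": []}
    expect_recycle = False   # a bare "ZeroAccess:" header is followed by one path
    in_files = False         # inside the "Files to move or delete:" block
    for raw in log_text.splitlines():
        line = raw.strip()
        if expect_recycle:
            if line:
                findings["recycle_bin"].append(line)
                expect_recycle = False
            continue
        if line == "ZeroAccess:":
            expect_recycle = True
            continue
        if in_files:
            if line and set(line) == {"="}:
                continue                      # underline printed right after the header
            if not line or line.startswith("===="):
                in_files = False              # blank line or next section header ends the list
            else:
                findings["files"].append(line)
                continue
        if line == "Files to move or delete:":
            in_files = True
            continue
        if "ATTENTION! ====> ZeroAccess" in line:
            findings["registry"].append(line)  # the whole line is what the fixlist needs
            continue
        m = JUNCTION_RE.search(line)
        if m:
            findings["junctions"].append(m.group(1))
            continue
        if MISSING_DRIVER_RE.match(line):
            findings["missing_drivers"].append(line)  # review, do not auto-remove
    return findings


def build_fixlist(findings):
    """Render the automatic findings as a start/end fixlist (review items excluded)."""
    lines = ["start"]
    lines += findings["registry"]
    lines += findings["recycle_bin"]
    lines += findings["files"]
    lines += [f"DeleteJunctionsIndirectory: {d}" for d in findings["junctions"]]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_frst_findings(SAMPLE_FRST_LOG)
    print(build_fixlist(found))
    for item in found["missing_drivers"]:
        print("REVIEW (missing driver file):", item)
```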


#5 knowenough

  • Topic Starter

Posted 01 July 2013 - 03:12 PM

Hi, I followed your instructions and things seem to be getting better.  I can now download!  That's a big relief, thanks a ton.

Here are the two logs you mentioned (one of them had a slightly different name but it was the only other log I could find):

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.06.01.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16618
GAP :: OFFICE2 [administrator]

7/1/2013 1:00:52 PM
-log-2013-07-01 (13-00-52).txt

Scan type: Quick scan
Scan options enabled: PUM | P2P
Scan options disabled: Anti-Rootkit | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP
Objects scanned: 0
Time elapsed:

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 10.0.9200.16618

Java version: 1.6.0_33

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 3.059000 GHz
Memory total: 3488792576, free: 2239963136

Initializing...
------------ Kernel report ------------
     07/01/2013 13:00:47
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\compbatt.sys
\SystemRoot\system32\drivers\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\PxHelp20.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HECI.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\e1k6232.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\drivers\tpm.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\lmimirr.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\psadd.sys
\SystemRoot\system32\DRIVERS\Tvti2c.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\ADIHdAud.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_msahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
\??\C:\Windows\system32\drivers\LMIRfsDriver.sys
\??\C:\Windows\System32\Drivers\LxrSII1d.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\SystemRoot\system32\drivers\spsys.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\urlmon.dll
\Windows\System32\lpk.dll
\Windows\System32\usp10.dll
\Windows\System32\ws2_32.dll
\Windows\System32\shell32.dll
\Windows\System32\user32.dll
\Windows\System32\msctf.dll
\Windows\System32\nsi.dll
\Windows\System32\iertutil.dll
\Windows\System32\normaliz.dll
\Windows\System32\advapi32.dll
\Windows\System32\psapi.dll
\Windows\System32\wininet.dll
\Windows\System32\difxapi.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\setupapi.dll
\Windows\System32\sechost.dll
\Windows\System32\ole32.dll
\Windows\System32\kernel32.dll
\Windows\System32\Wldap32.dll
\Windows\System32\imm32.dll
\Windows\System32\gdi32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\oleaut32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\imagehlp.dll
\Windows\System32\comdlg32.dll
\Windows\System32\clbcatq.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\KernelBase.dll
\Windows\System32\comctl32.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\wintrust.dll
\Windows\System32\devobj.dll
\Windows\System32\crypt32.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\msasn1.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff87b3c388
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000072\
Lower Device Object: 0xffffffff87b94600
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8635fa88
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-4\
Lower Device Object: 0xffffffff85e85030
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8635fa88, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8635f768, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8635fa88, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff85eacc10, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff85e85030, DeviceName: \Device\Ide\IdeDeviceP2T0L0-4\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C951BC6

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 2457600
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2459648  Numsec = 953831416

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 956291072  Numsec = 20480000

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff87b3c388, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8726cd10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff87b3c388, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff87b94600, DeviceName: \Device\00000072\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 63E16945

Partition information:

    Partition 0 type is Other (0x6)
    Partition is ACTIVE.
    Partition starts at LBA: 32  Numsec = 3882976
    Partition file system is FAT
    Partition is not bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 1988100096 bytes
Sector size: 512 bytes

Done!
=======================================

Removal queue found; removal started
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_1_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_1_0_32_i.mbam...
Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_1_r.mbam...
Removal finished
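The partition-table part of the scan log above ("Scanning MBR on drive 0...") shows what a rootkit scanner reads out of sector 0: the 55AA boot signature, the disk signature, and for each of the four table entries its type, active flag, starting LBA and sector count, followed by a sweep of the sectors that no partition covers. As an added example, not code from this thread or from Malwarebytes, the Python below parses a raw 512-byte MBR into those fields, reports table inconsistencies, and derives the unpartitioned ranges from the table and the disk size. The sample sector is constructed here from the drive 0 values in the log; the gap boundaries it computes come from the table arithmetic alone, so they need not match the ranges the tool itself prints.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
MBR_SIGNATURE = 0x55AA          # reported above as "MBR Signature: 55AA"
DISK_SIGNATURE_OFFSET = 440
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries after the boot code
PARTITION_ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3xB3xII"      # status, CHS start, type, CHS end, LBA start, sector count
ACTIVE_FLAG = 0x80

# Drive 0 in the log: 500107862016 bytes with 512-byte sectors.
DISK_SIZE_BYTES = 500107862016
TOTAL_SECTORS = DISK_SIZE_BYTES // SECTOR_SIZE


@dataclass
class PartitionEntry:
    index: int
    active: bool
    type_id: int
    start_lba: int
    num_sectors: int

    @property
    def end_lba(self) -> int:
        """First sector after the partition (exclusive bound)."""
        return self.start_lba + self.num_sectors

    @property
    def is_empty(self) -> bool:
        return self.type_id == 0 and self.num_sectors == 0


def parse_mbr(sector: bytes) -> Tuple[int, List[PartitionEntry]]:
    """Parse a raw 512-byte MBR into (disk_signature, four partition entries).

    A sector without the 0x55AA boot signature is not a valid MBR and is
    rejected rather than interpreted.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(sector)}")
    boot_sig = struct.unpack_from(">H", sector, 510)[0]
    if boot_sig != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature 0x{boot_sig:04X}")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)[0]
    entries = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, type_id, start, count = struct.unpack_from(ENTRY_FORMAT, sector, offset)
        entries.append(PartitionEntry(i, status == ACTIVE_FLAG, type_id, start, count))
    return disk_sig, entries


def check_table(entries: List[PartitionEntry], total_sectors: int) -> List[str]:
    """Report inconsistencies: several active entries, overlaps, entries past the end of disk."""
    live = sorted((e for e in entries if not e.is_empty), key=lambda e: e.start_lba)
    findings = []
    if sum(1 for e in live if e.active) > 1:
        findings.append("more than one active partition")
    for e in live:
        if e.end_lba > total_sectors:
            findings.append(f"partition {e.index} extends past the end of the disk")
    for a, b in zip(live, live[1:]):
        if b.start_lba < a.end_lba:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings


def unpartitioned_ranges(entries: List[PartitionEntry], total_sectors: int) -> List[Tuple[int, int]]:
    """Sector ranges [start, end) that no partition covers, excluding the MBR sector itself.

    These gaps are where a bootkit can keep code or a private file system,
    which is why the scanner above sweeps them sector by sector.
    """
    gaps = []
    cursor = 1
    for e in sorted((e for e in entries if not e.is_empty), key=lambda e: e.start_lba):
        if e.start_lba > cursor:
            gaps.append((cursor, e.start_lba))
        cursor = max(cursor, e.end_lba)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed sector carrying the drive 0 partition values from the scan log above."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_SIGNATURE_OFFSET, 0x0C951BC6)  # "Disk Signature: C951BC6"
    table = [(0x80, 0x07, 2048, 2457600),          # partition 0: active, type 0x7
             (0x00, 0x07, 2459648, 953831416),     # partition 1: type 0x7
             (0x00, 0x07, 956291072, 20480000),    # partition 2: type 0x7
             (0x00, 0x00, 0, 0)]                   # partition 3: empty
    for i, entry in enumerate(table):
        struct.pack_into(ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE, *entry)
    struct.pack_into(">H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)


if __name__ == "__main__":
    disk_sig, parts = parse_mbr(build_sample_mbr())
    print(f"Disk Signature: {disk_sig:X}")
    for p in parts:
        state = "ACTIVE" if p.active else "NOT ACTIVE"
        print(f"  Partition {p.index} type 0x{p.type_id:X} {state} LBA {p.start_lba} Numsec {p.num_sectors}")
    print("Anomalies:", check_table(parts, TOTAL_SECTORS) or "none")
    print("Unpartitioned ranges:", unpartitioned_ranges(parts, TOTAL_SECTORS))
```

On the constructed drive 0 table the checker finds no anomalies, and the gaps come out as sectors 1 to 2047, the eight sectors between partitions 1 and 2, and the tail after partition 2 up to the end of the disk. On a real system the same routine would be fed sector 0 read from the physical drive; a signature failure or an overlap is a reason to look closer, not something to repair automatically.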



#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 01 July 2013 - 03:20 PM

Good, I am glad you are seeing improvements.

There are a couple more scans I would like you to run in case there are any leftovers. We will start with ComboFix.

Please run the following:

Refer to the ComboFix User's Guide
  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 knowenough

knowenough
  • Topic Starter

  • Members
  • 11 posts

Posted 01 July 2013 - 04:38 PM

ComboFix 13-06-30.01 - GAP 07/01/2013  14:19:25.1.2 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3327.2205 [GMT -7:00]
Running from: c:\users\GAP\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\swtools\APPS\CBED\CBE\ACTIVATION_104\_desktop.ini
c:\swtools\APPS\CBED\CBE\ACTIVATION_104\BIN\_desktop.ini
c:\users\GAP\AppData\Local\Lexar Media\LxrAutorun.exe
c:\windows\system32\Thumbs.db
Q:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-01 to 2013-07-01  )))))))))))))))))))))))))))))))
.
.
2013-07-01 21:23 . 2013-07-01 21:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-07-01 20:18 . 2013-07-01 20:18 60872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7DBC2095-E2FB-4222-9CCE-78D8BA6F9F36}\offreg.dll
2013-07-01 20:18 . 2013-07-01 20:18 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7DBC2095-E2FB-4222-9CCE-78D8BA6F9F36}\MpKsl822b50a9.sys
2013-07-01 20:11 . 2013-06-12 04:18 7068072 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7DBC2095-E2FB-4222-9CCE-78D8BA6F9F36}\mpengine.dll
2013-07-01 20:00 . 2013-07-01 20:06 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-07-01 20:00 . 2013-07-01 20:00 -------- d-----w- c:\programdata\Malwarebytes
2013-07-01 18:23 . 2013-07-01 19:56 -------- d-----w- C:\FRST
2013-07-01 14:46 . 2013-07-01 14:46 -------- d-----w- c:\windows\ERUNT
2013-07-01 14:45 . 2013-07-01 14:45 -------- d-----w- C:\JRT
2013-06-28 18:41 . 2013-06-28 18:41 -------- d--h--w- c:\windows\PIF
2013-06-28 17:20 . 2013-06-28 17:21 -------- d-----w- C:\Backup
2013-06-27 22:12 . 2013-06-27 22:12 -------- d-----w- c:\users\GAP\AppData\Roaming\RealNetworks
2013-06-27 20:10 . 2013-06-12 04:18 7068072 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-06-21 10:30 . 2013-06-21 10:30 724464 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8A90B2EA-7143-4FE0-A22C-6C17005A5690}\gapaengine.dll
2013-06-12 10:01 . 2013-06-08 11:41 218112 ------w- c:\program files\Internet Explorer\sqmapi.dll
2013-06-12 10:01 . 2013-06-08 11:13 2706432 ------w- c:\windows\system32\mshtml.tlb
2013-06-12 00:38 . 2013-04-25 23:30 1505280 ------w- c:\windows\system32\d3d11.dll
2013-06-12 00:38 . 2013-04-26 04:55 492544 ------w- c:\windows\system32\win32spl.dll
2013-06-12 00:37 . 2013-05-10 03:20 24576 ------w- c:\windows\system32\cryptdlg.dll
2013-06-12 00:37 . 2013-05-13 04:45 140288 ------w- c:\windows\system32\cryptsvc.dll
2013-06-12 00:37 . 2013-05-13 04:45 1160192 ------w- c:\windows\system32\crypt32.dll
2013-06-12 00:37 . 2013-05-13 04:45 103936 ------w- c:\windows\system32\cryptnet.dll
2013-06-12 00:37 . 2013-05-13 03:08 903168 ------w- c:\windows\system32\certutil.exe
2013-06-12 00:37 . 2013-05-13 03:08 43008 ------w- c:\windows\system32\certenc.dll
2013-06-12 00:32 . 2013-04-17 07:02 1230336 ------w- c:\windows\system32\WindowsCodecs.dll
2013-06-12 00:32 . 2013-05-06 05:06 3968872 ------w- c:\windows\system32\ntkrnlpa.exe
2013-06-12 00:32 . 2013-05-06 05:06 3913576 ------w- c:\windows\system32\ntoskrnl.exe
2013-06-12 00:27 . 2013-05-08 05:38 1293672 ------w- c:\windows\system32\drivers\tcpip.sys
2013-06-03 18:46 . 2013-06-03 18:46 -------- d-----w- c:\users\GAP\AppData\Roaming\Softplicity
2013-06-03 18:46 . 2013-06-03 18:47 -------- d-----w- c:\program files\PDF Combine
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-24 16:57 . 2013-03-22 22:44 71048 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-24 16:57 . 2013-03-22 22:44 692104 ------w- c:\windows\system32\FlashPlayerApp.exe
2013-06-07 23:04 . 2012-04-10 18:36 53064 ------w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2013-06-07 23:04 . 2012-04-10 18:36 86888 ------w- c:\windows\system32\LMIRfsClientNP.dll
2013-06-07 23:04 . 2012-04-10 18:36 31560 ------w- c:\windows\system32\LMIport.dll
2013-06-07 23:04 . 2012-04-10 18:36 92488 ------w- c:\windows\system32\LMIinit.dll
2013-05-27 23:04 . 2012-04-10 18:36 86888 ------w- c:\windows\system32\LMIRfsClientNP.dll.001.bak
2013-05-21 10:32 . 2012-06-12 15:20 724464 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-05-16 15:05 . 2010-06-24 19:33 22240 ------w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-02 15:28 . 2012-04-02 15:35 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-13 04:45 . 2013-05-15 20:40 474624 ------w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-15 20:40 2176512 ------w- c:\windows\apppatch\AcGenral.dll
2013-04-12 23:01 . 2013-04-12 23:01 420472 ------r- c:\users\GAP\AppData\Roaming\Microsoft\Installer\{D5D4B726-BD36-46E9-BFBA-D329F8F259F8}\ARPPRODUCTICON.exe
2013-04-12 13:45 . 2013-04-24 10:41 1211752 ------w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 05:18 . 2013-05-15 20:34 728424 ------w- c:\windows\system32\drivers\dxgkrnl.sys
2013-04-10 05:18 . 2013-05-15 20:34 218984 ------w- c:\windows\system32\drivers\dxgmms1.sys
2013-04-10 03:14 . 2013-05-15 20:45 2347520 ------w- c:\windows\system32\win32k.sys
2013-04-05 10:03 . 2013-04-05 10:03 745472 ------w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-04-05 10:03 . 2013-04-05 10:03 523264 ------w- c:\windows\system32\vbscript.dll
2013-04-05 10:03 . 2013-04-05 10:03 185344 ------w- c:\windows\system32\elshyph.dll
2013-04-05 10:03 . 2013-04-05 10:03 158720 ------w- c:\windows\system32\msls31.dll
2013-04-05 10:03 . 2013-04-05 10:03 150528 ------w- c:\windows\system32\iexpress.exe
2013-04-05 10:03 . 2013-04-05 10:03 138752 ------w- c:\windows\system32\wextract.exe
2013-04-05 10:03 . 2013-04-05 10:03 73728 ------w- c:\windows\system32\SetIEInstalledDate.exe
2013-04-05 10:03 . 2013-04-05 10:03 719360 ------w- c:\windows\system32\mshtmlmedia.dll
2013-04-05 10:03 . 2013-04-05 10:03 61952 ------w- c:\windows\system32\tdc.ocx
2013-04-05 10:03 . 2013-04-05 10:03 48640 ------w- c:\windows\system32\mshtmler.dll
2013-04-05 10:03 . 2013-04-05 10:03 38400 ------w- c:\windows\system32\imgutil.dll
2013-04-05 10:03 . 2013-04-05 10:03 361984 ------w- c:\windows\system32\html.iec
2013-04-05 10:03 . 2013-04-05 10:03 137216 ------w- c:\windows\system32\ieUnatt.exe
2013-04-05 10:03 . 2013-04-05 10:03 12800 ------w- c:\windows\system32\mshta.exe
2013-04-05 10:03 . 2013-04-05 10:03 110592 ------w- c:\windows\system32\IEAdvpack.dll
2013-04-05 10:03 . 2013-04-05 10:03 23040 ------w- c:\windows\system32\licmgr10.dll
2013-04-05 10:03 . 2013-04-05 10:03 1441280 ------w- c:\windows\system32\inetcpl.cpl
2013-04-05 10:02 . 2013-04-05 10:02 9728 ---h--w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-04-05 10:02 . 2013-04-05 10:02 906240 ------w- c:\windows\system32\FntCache.dll
2013-04-05 10:02 . 2013-04-05 10:02 5632 ---h--w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-04-05 10:02 . 2013-04-05 10:02 5632 ---h--w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-04-05 10:02 . 2013-04-05 10:02 417792 ------w- c:\windows\system32\WMPhoto.dll
2013-04-05 10:02 . 2013-04-05 10:02 4096 ---h--w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-04-05 10:02 . 2013-04-05 10:02 364544 ------w- c:\windows\system32\XpsGdiConverter.dll
2013-04-05 10:02 . 2013-04-05 10:02 3584 ---h--w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-04-05 10:02 . 2013-04-05 10:02 3072 ---h--w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-04-05 10:02 . 2013-04-05 10:02 3072 ---h--w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-04-05 10:02 . 2013-04-05 10:02 2560 ---h--w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-04-05 10:02 . 2013-04-05 10:02 249856 ------w- c:\windows\system32\d3d10_1core.dll
2013-04-05 10:02 . 2013-04-05 10:02 2284544 ------w- c:\windows\system32\msmpeg2vdec.dll
2013-04-05 10:02 . 2013-04-05 10:02 220160 ------w- c:\windows\system32\d3d10core.dll
2013-04-05 10:02 . 2013-04-05 10:02 207872 ------w- c:\windows\system32\WindowsCodecsExt.dll
2013-04-05 10:02 . 2013-04-05 10:02 1247744 ------w- c:\windows\system32\DWrite.dll
2013-04-05 10:02 . 2013-04-05 10:02 1158144 ------w- c:\windows\system32\XpsPrint.dll
2013-04-05 10:02 . 2013-04-05 10:02 1080832 ------w- c:\windows\system32\d3d10.dll
2013-04-05 10:02 . 2013-04-05 10:02 10752 ---h--w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-04-05 10:02 . 2013-04-05 10:02 161792 ------w- c:\windows\system32\d3d10_1.dll
2013-04-05 10:02 . 2013-04-05 10:02 604160 ------w- c:\windows\system32\d3d10level9.dll
2013-04-05 10:02 . 2013-04-05 10:02 3419136 ------w- c:\windows\system32\d2d1.dll
2013-04-05 10:02 . 2013-04-05 10:02 293376 ------w- c:\windows\system32\dxgi.dll
2013-04-05 10:02 . 2013-04-05 10:02 1988096 ------w- c:\windows\system32\d3d10warp.dll
2013-04-05 10:02 . 2013-04-05 10:02 187392 ------w- c:\windows\system32\UIAnimation.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 51712]
"Steam"="c:\program files\Steam\steam.exe" [2013-05-03 1635752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-20 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-20 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-20 151064]
"Daemon for Mouse Suite"="c:\program files\Lenovo\Lenovo Mouse Suite\ICO.EXE" [2010-07-28 69632]
"Power Manager Power Agenda"="c:\progra~1\ThinkPad\UTILIT~1\DPMHost.exe" [2010-07-29 75064]
"Lenovo Registration"="c:\program files\Lenovo Registration\LenovoReg.exe" [2011-07-14 4351712]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2012-02-26 1044992]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]
"IndexTray"="c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2007-08-02 106496]
"SharpTray"="c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2007-08-02 32768]
"TypeRegChecker"="c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe" [2007-08-02 57344]
"FtpServer.exe"="c:\program files\Sharp\Sharpdesk\FtpServer.exe" [2007-07-26 692224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-06-14 296056]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\users\GAP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2013-1-8 228448]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2012-11-01 16:19 610448 ------w- c:\program files\Citrix\GoToAssist Remote Support Customer\461\g2ax_winlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files\Citrix\GoToAssist Remote Support Customer\461\g2ax_service.exe Start=service [x]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-27 25088]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2012-12-08 23040]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 100328]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 295232]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-08-05 1124848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-03-10 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 51040]
S1 MpKsl822b50a9;MpKsl822b50a9;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7DBC2095-E2FB-4222-9CCE-78D8BA6F9F36}\MpKsl822b50a9.sys [2013-07-01 29904]
S2 HTCMonitorService;HTCMonitorService;c:\program files\HTC\HTC Sync Manager\HSMServiceEntry.exe [2012-12-13 87368]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2013-06-07 375120]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2013-05-27 13624]
S2 LxrSII1d;Secure II Driver;c:\windows\System32\Drivers\LxrSII1d.sys [2009-12-30 63448]
S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [2012-12-08 167424]
S2 PelService;Session Launcher Service;c:\program files\Lenovo\Lenovo Mouse Suite\PelService.exe [2010-04-22 184320]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2010-07-29 70968]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2009-07-21 2066968]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-06-22 202408]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2009-07-02 38336]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-22 16:57]
.
2013-07-01 c:\windows\Tasks\Indexing Task - GAP - test.job
- c:\program files\Sharp\Sharpdesk\IndexTask.exe [2007-08-02 09:17]
.
2013-07-01 c:\windows\Tasks\Indexing Task - GAP.job
- c:\program files\Sharp\Sharpdesk\IndexTask.exe [2007-08-02 09:17]
.
2013-06-11 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 22:04]
.
2013-07-01 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 22:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=LENP&bmod=LENP
uInternet Settings,ProxyOverride = 192.168.1.*;127.0.0.*;10.0.0.*
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
TCP: Interfaces\{0A235966-DAAE-4693-AF44-B771991D8288}: NameServer = 184.16.4.22,184.16.33.54
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-LxrAutorun - c:\users\GAP\AppData\Local\Lexar Media\LxrAutorun.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5212)
c:\program files\PC-Doctor\ATLPcdToolbar580224.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\FileZilla Server\FileZilla Server.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\LxrSII1s.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\taskhost.exe
c:\program files\HTC\HTC Sync Manager\HTC Sync\adb.exe
c:\windows\system32\conhost.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\Sharp\SHARPD~1\Indexer.exe
c:\program files\Microsoft Office\Office14\ONENOTEM.EXE
c:\program files\Sharp\Sharpdesk\nsapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Lenovo\Lenovo Mouse Suite\PelElvDm.exe
c:\windows\system32\sppsvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
.
**************************************************************************
.
Completion time: 2013-07-01  14:32:41 - machine was rebooted
ComboFix-quarantined-files.txt  2013-07-01 21:32
.
Pre-Run: 396,728,033,280 bytes free
Post-Run: 397,633,970,176 bytes free
.
- - End Of File - - B1E801968278DBEA55C5CC84066F8570
2382820191FB203CFB398EFB641FB4CF



#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 01 July 2013 - 05:48 PM

Looking better :)

Please run the following:

Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Right-click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

NEXT

  • Please open your Malwarebytes Anti-Malware program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 knowenough

knowenough
  • Topic Starter

  • Members
  • 11 posts
  • Local time:09:25 AM

Posted 02 July 2013 - 04:07 PM

I wasn't able to get ESET's online scanner to work.  But here are the first three logs:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Home Premium x86
Ran by GAP on Tue 07/02/2013 at 10:29:48.86
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 07/02/2013 at 10:30:39.36
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

# AdwCleaner v2.303 - Logfile created 07/02/2013 at 10:33:28
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : GAP - OFFICE2
# Boot Mode : Normal
# Running from : C:\Users\GAP\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16611

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [679 octets] - [01/07/2013 07:39:26]
AdwCleaner[S2].txt - [570 octets] - [02/07/2013 10:33:28]

########## EOF - C:\AdwCleaner[S2].txt - [629 octets] ##########

 

 

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.07.02.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16618
GAP :: OFFICE2 [administrator]

7/2/2013 10:39:33 AM
mbar-log-2013-07-02 (10-39-33).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 211034
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)



#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:25 PM

Posted 02 July 2013 - 08:22 PM

try deleting the browser history and deleting cookies and give it another shot, or use a different browser

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 knowenough

knowenough
  • Topic Starter

  • Members
  • 11 posts
  • Local time:09:25 AM

Posted 05 July 2013 - 12:46 PM

I got the ESET scan done.  Here are the results:

 

C:\Users\GAP\AppData\Local\Temp\72DD.tmp Win32/Olmarik.AYY trojan
C:\Users\GAP\AppData\Local\Temp\75BB.tmp Win32/Olmarik.AYY trojan
C:\Users\GAP\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-us.cab Win32/OpenCandy application
C:\Users\GAP\Downloads\cbsidlm-tr1_13-PDF_Combine-SEO-10429191.exe Win32/DownloadAdmin.G application
 

 



#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:25 PM

Posted 05 July 2013 - 03:31 PM

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Users\GAP\AppData\Local\Temp\72DD.tmp
C:\Users\GAP\AppData\Local\Temp\75BB.tmp 
C:\Users\GAP\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-us.cab 
C:\Users\GAP\Downloads\cbsidlm-tr1_13-PDF_Combine-SEO-10429191.exe 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot: CFScriptB-4.gif]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version XI)
Having the latest updates ensures there are no security vulnerabilities in your system.
Decline any additional installs that may be offered.

NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 7 and Save it to your Desktop.
  • Scroll down to where it says Java SE 7u25
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u25-windows-i586.exe to install the newest version.
  • Decline any additional installs that may be offered.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are three options in the window to clear the cache - Leave these two Checked:
      • Trace and Log Files
      • Cached Applications and Applets
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.
NEXT


Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 knowenough

knowenough
  • Topic Starter

  • Members
  • 11 posts
  • Local time:09:25 AM

Posted 05 July 2013 - 05:35 PM

Hi, I followed your instructions but I don't think it worked.  There was no log either.  The error said:

 

"Scanning for infected files . . .

The syntax of the command is incorrect."

 

After that I could not access the internet and had to reboot.

 

I also had an error window which popped up prior to the above error:

 

"Windows cannot find 'NIRKMD'.  Make sure you typed the name correctly, and then try again."

 

I'm not sure if these two messages are connected or what went wrong but I did the ComboFix update and checked the CFScript to make sure it matched the one you typed.  I tried it again (from the point where I copy and paste the code into notepad and drag that to combofix.exe 

Thanks,



#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:25 PM

Posted 05 July 2013 - 09:39 PM

Please delete the copy of ComboFix that you have on your desktop and download another copy:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
make sure you use notepad to make the CFScript and start with the word File::

make sure you save CFScript to your desktop as well


then please do the following.

Press the Win Key +R to open a run box > copy and paste the following command into the open run box > press enter:

"%userprofile%\Desktop\ComboFix.exe" "%userprofile%\Desktop\CFScript.txt"


please post the resulting log

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
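Added example (not part of this thread, and not ComboFix's or ESET's own tooling): a PowerShell script that turns ESET export lines of the shape posted in #11 into the CFScript.txt that #12 and #14 describe, using only the two directives the thread uses (File:: and ClearJavaCache::), and echoes the run-box command from #14. It assumes the export layout is exactly as posted (path, detection name, classification) and that it runs on the affected machine, so the file lands on that user's desktop.

```powershell
# Added example: build a CFScript.txt from ESET Online Scanner export lines of
# the form  <path> <detection-name> <classification>  as posted in this thread.
# Only the two CFScript directives used in the thread are emitted:
# a File:: block and ClearJavaCache::.

# Constructed sample input: the four lines from the ESET export in post #11.
$esetExport = @'
C:\Users\GAP\AppData\Local\Temp\72DD.tmp Win32/Olmarik.AYY trojan
C:\Users\GAP\AppData\Local\Temp\75BB.tmp Win32/Olmarik.AYY trojan
C:\Users\GAP\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-us.cab Win32/OpenCandy application
C:\Users\GAP\Downloads\cbsidlm-tr1_13-PDF_Combine-SEO-10429191.exe Win32/DownloadAdmin.G application
'@

function ConvertFrom-EsetExport {
    # One object per detection. Assumes the layout shown in the thread: the path
    # runs up to the last two whitespace-separated tokens (a detection name that
    # contains '/', then a single classification word). Lines that do not fit
    # are reported rather than silently dropped.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(?<path>[A-Za-z]:\\.+?)\s+(?<name>\S*/\S+)\s+(?<kind>\S+)\s*$') {
            [pscustomobject]@{
                Path = $Matches.path
                Name = $Matches.name
                Kind = $Matches.kind
            }
        }
        elseif ($line.Trim()) {
            Write-Warning "Unrecognised ESET line, review manually: $line"
        }
    }
}

function New-CFScript {
    # Emits the script text: File:: followed by each detected path once, then a
    # blank line and ClearJavaCache::, matching the code box in post #12.
    param([Parameter(Mandatory)][object[]]$Detections)
    $paths = $Detections | Select-Object -ExpandProperty Path -Unique

    # Anything under the Windows directory is flagged for a manual look before
    # it is queued for deletion; the thread's detections were all user-profile files.
    foreach ($p in $paths) {
        if ($p -match '^[A-Za-z]:\\Windows\\') {
            Write-Warning "System-directory path queued for deletion, double-check: $p"
        }
    }

    $lines = @('File::') + $paths + @('', 'ClearJavaCache::')
    return ($lines -join "`r`n")
}

$detections = ConvertFrom-EsetExport -Lines ($esetExport -split "`r?`n")
$cfscript   = New-CFScript -Detections $detections

# Save as plain text on the desktop (what Notepad's "All Files" save produces),
# then show the run-box command from post #14.
$out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'CFScript.txt'
Set-Content -Path $out -Value $cfscript -Encoding Ascii
Write-Host "Wrote $out"
Write-Host 'Run box command:'
Write-Host '"%userprofile%\Desktop\ComboFix.exe" "%userprofile%\Desktop\CFScript.txt"'
```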


#15 knowenough

knowenough
  • Topic Starter

  • Members
  • 11 posts
  • Local time:09:25 AM

Posted 08 July 2013 - 04:21 PM

Ok.  I followed your instructions and downloaded a new copy of ComboFix.exe but for some reason I have now lost internet access.  My computer keeps going to the blue screen and automatically restarting...  Not sure what the relation is here or if you can tell, but I'd like some help figuring out the connectivity issue if possible.

 

Here's the log from CFScript.txt:

 

 

ComboFix 13-07-08.03 - GAP 07/08/2013  14:05:05.2.2 - x86
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3327.2280 [GMT -7:00]
Running from: D:\ComboFix.exe
Command switches used :: c:\users\GAP\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\GAP\AppData\Local\Temp\72DD.tmp"
"c:\users\GAP\AppData\Local\Temp\75BB.tmp"
"c:\users\GAP\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-us.cab"
"c:\users\GAP\Downloads\cbsidlm-tr1_13-PDF_Combine-SEO-10429191.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\GAP\Downloads\cbsidlm-tr1_13-PDF_Combine-SEO-10429191.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-08 to 2013-07-08  )))))))))))))))))))))))))))))))
.
.
2013-07-08 21:09 . 2013-07-08 21:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-07-08 20:47 . 2013-07-08 20:47 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{55BCD27C-9DCD-4BA1-9004-7F51D3DDE86B}\MpKsl6f1cfa42.sys
2013-07-08 20:43 . 2013-07-08 20:43 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{55BCD27C-9DCD-4BA1-9004-7F51D3DDE86B}\MpKsl6d53030c.sys
2013-07-08 20:27 . 2013-07-08 20:47 60872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{55BCD27C-9DCD-4BA1-9004-7F51D3DDE86B}\offreg.dll
2013-07-08 20:26 . 2013-07-08 20:26 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{55BCD27C-9DCD-4BA1-9004-7F51D3DDE86B}\MpKsl05bfdf68.sys
2013-07-08 20:26 . 2013-06-12 04:18 7068072 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{55BCD27C-9DCD-4BA1-9004-7F51D3DDE86B}\mpengine.dll
2013-07-08 18:33 . 2013-07-08 18:33 -------- d-----w- c:\users\Default\AppData\Roaming\Apple Computer
2013-07-08 18:33 . 2013-07-08 18:33 -------- d-----w- c:\users\Default\AppData\Local\Apple Computer
2013-07-08 18:33 . 2013-07-08 18:33 -------- d-----w- c:\users\Default\AppData\Local\HTC MediaHub
2013-07-05 15:54 . 2013-07-05 15:54 -------- d-----w- c:\program files\ESET
2013-07-03 17:47 . 2013-06-12 04:18 7068072 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-07-01 20:00 . 2013-07-02 20:45 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-07-01 20:00 . 2013-07-01 20:00 -------- d-----w- c:\programdata\Malwarebytes
2013-07-01 18:23 . 2013-07-01 19:56 -------- d-----w- C:\FRST
2013-07-01 14:46 . 2013-07-01 14:46 -------- d-----w- c:\windows\ERUNT
2013-07-01 14:45 . 2013-07-02 17:29 -------- d-----w- C:\JRT
2013-06-28 18:41 . 2013-06-28 18:41 -------- d--h--w- c:\windows\PIF
2013-06-28 17:20 . 2013-06-28 17:21 -------- d-----w- C:\Backup
2013-06-27 22:12 . 2013-06-27 22:12 -------- d-----w- c:\users\GAP\AppData\Roaming\RealNetworks
2013-06-21 10:30 . 2013-06-21 10:30 724464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8A90B2EA-7143-4FE0-A22C-6C17005A5690}\gapaengine.dll
2013-06-12 10:01 . 2013-06-08 11:41 218112 ------w- c:\program files\Internet Explorer\sqmapi.dll
2013-06-12 10:01 . 2013-06-08 11:13 2706432 ------w- c:\windows\system32\mshtml.tlb
2013-06-12 00:38 . 2013-04-25 23:30 1505280 ------w- c:\windows\system32\d3d11.dll
2013-06-12 00:38 . 2013-04-26 04:55 492544 ------w- c:\windows\system32\win32spl.dll
2013-06-12 00:37 . 2013-05-10 03:20 24576 ------w- c:\windows\system32\cryptdlg.dll
2013-06-12 00:37 . 2013-05-13 04:45 140288 ------w- c:\windows\system32\cryptsvc.dll
2013-06-12 00:37 . 2013-05-13 04:45 1160192 ------w- c:\windows\system32\crypt32.dll
2013-06-12 00:37 . 2013-05-13 04:45 103936 ------w- c:\windows\system32\cryptnet.dll
2013-06-12 00:37 . 2013-05-13 03:08 903168 ------w- c:\windows\system32\certutil.exe
2013-06-12 00:37 . 2013-05-13 03:08 43008 ------w- c:\windows\system32\certenc.dll
2013-06-12 00:32 . 2013-04-17 07:02 1230336 ------w- c:\windows\system32\WindowsCodecs.dll
2013-06-12 00:32 . 2013-05-06 05:06 3968872 ------w- c:\windows\system32\ntkrnlpa.exe
2013-06-12 00:32 . 2013-05-06 05:06 3913576 ------w- c:\windows\system32\ntoskrnl.exe
2013-06-12 00:27 . 2013-05-08 05:38 1293672 ------w- c:\windows\system32\drivers\tcpip.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-24 16:57 . 2013-03-22 22:44 71048 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-24 16:57 . 2013-03-22 22:44 692104 ------w- c:\windows\system32\FlashPlayerApp.exe
2013-06-07 23:04 . 2012-04-10 18:36 53064 ------w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2013-06-07 23:04 . 2012-04-10 18:36 86888 ------w- c:\windows\system32\LMIRfsClientNP.dll
2013-06-07 23:04 . 2012-04-10 18:36 31560 ------w- c:\windows\system32\LMIport.dll
2013-06-07 23:04 . 2012-04-10 18:36 92488 ------w- c:\windows\system32\LMIinit.dll
2013-05-27 23:04 . 2012-04-10 18:36 86888 ------w- c:\windows\system32\LMIRfsClientNP.dll.001.bak
2013-05-21 10:32 . 2012-06-12 15:20 724464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-05-16 15:05 . 2010-06-24 19:33 22240 ------w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-05-02 15:28 . 2012-04-02 15:35 238872 ----a-w- c:\windows\system32\MpSigStub.exe
2013-04-13 04:45 . 2013-05-15 20:40 474624 ------w- c:\windows\apppatch\AcSpecfc.dll
2013-04-13 04:45 . 2013-05-15 20:40 2176512 ------w- c:\windows\apppatch\AcGenral.dll
2013-04-12 23:01 . 2013-04-12 23:01 420472 ------r- c:\users\GAP\AppData\Roaming\Microsoft\Installer\{D5D4B726-BD36-46E9-BFBA-D329F8F259F8}\ARPPRODUCTICON.exe
2013-04-12 13:45 . 2013-04-24 10:41 1211752 ------w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 05:18 . 2013-05-15 20:34 728424 ------w- c:\windows\system32\drivers\dxgkrnl.sys
2013-04-10 05:18 . 2013-05-15 20:34 218984 ------w- c:\windows\system32\drivers\dxgmms1.sys
2013-04-10 03:14 . 2013-05-15 20:45 2347520 ------w- c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 51712]
"Steam"="c:\program files\Steam\steam.exe" [2013-06-06 1641896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-20 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-20 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-20 151064]
"Daemon for Mouse Suite"="c:\program files\Lenovo\Lenovo Mouse Suite\ICO.EXE" [2010-07-28 69632]
"Power Manager Power Agenda"="c:\progra~1\ThinkPad\UTILIT~1\DPMHost.exe" [2010-07-29 75064]
"Lenovo Registration"="c:\program files\Lenovo Registration\LenovoReg.exe" [2011-07-14 4351712]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2012-02-26 1044992]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-09-16 63048]
"IndexTray"="c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2007-08-02 106496]
"SharpTray"="c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2007-08-02 32768]
"TypeRegChecker"="c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe" [2007-08-02 57344]
"FtpServer.exe"="c:\program files\Sharp\Sharpdesk\FtpServer.exe" [2007-07-26 692224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-06-14 296056]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\users\GAP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2013-1-8 228448]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2012-11-01 16:19 610448 ------w- c:\program files\Citrix\GoToAssist Remote Support Customer\461\g2ax_winlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKsl6d53030c;MpKsl6d53030c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{55BCD27C-9DCD-4BA1-9004-7F51D3DDE86B}\MpKsl6d53030c.sys [2013-07-08 29904]
R2 PelService;Session Launcher Service;c:\program files\Lenovo\Lenovo Mouse Suite\PelService.exe [2010-04-22 184320]
R3 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files\Citrix\GoToAssist Remote Support Customer\461\g2ax_service.exe Start=service [x]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-27 25088]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2012-12-08 23040]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 100328]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 295232]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-08-05 1124848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-03-10 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 51040]
S1 MpKsl05bfdf68;MpKsl05bfdf68;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{55BCD27C-9DCD-4BA1-9004-7F51D3DDE86B}\MpKsl05bfdf68.sys [2013-07-08 29904]
S1 MpKsl6f1cfa42;MpKsl6f1cfa42;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{55BCD27C-9DCD-4BA1-9004-7F51D3DDE86B}\MpKsl6f1cfa42.sys [2013-07-08 29904]
S2 HTCMonitorService;HTCMonitorService;c:\program files\HTC\HTC Sync Manager\HSMServiceEntry.exe [2012-12-13 87368]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2013-06-07 375120]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2013-05-27 13624]
S2 LxrSII1d;Secure II Driver;c:\windows\System32\Drivers\LxrSII1d.sys [2009-12-30 63448]
S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [2012-12-08 167424]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2010-07-29 70968]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2009-07-21 2066968]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-06-22 202408]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2009-07-02 38336]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL6F1CFA42
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-05 15:47 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-22 16:57]
.
2013-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-05 15:45]
.
2013-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-05 15:45]
.
2013-07-05 c:\windows\Tasks\Indexing Task - GAP - test.job
- c:\program files\Sharp\Sharpdesk\IndexTask.exe [2007-08-02 09:17]
.
2013-07-05 c:\windows\Tasks\Indexing Task - GAP.job
- c:\program files\Sharp\Sharpdesk\IndexTask.exe [2007-08-02 09:17]
.
2013-06-11 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 22:04]
.
2013-07-08 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\uaclauncher.exe [2011-03-31 22:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=LENP&bmod=LENP
uInternet Settings,ProxyOverride = 192.168.1.*;127.0.0.*;10.0.0.*
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-07-08  14:11:21
ComboFix-quarantined-files.txt  2013-07-08 21:11
ComboFix2.txt  2013-07-08 17:08
ComboFix3.txt  2013-07-01 21:32
.
Pre-Run: 396,926,894,080 bytes free
Post-Run: 396,713,988,096 bytes free
.
- - End Of File - - 975B0BDCBA7CD629B9D67BAFFFD74B09
2382820191FB203CFB398EFB641FB4CF




