Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Some sort of browser hijack that I can't find with multiple Malware progs.


  • This topic is locked This topic is locked
22 replies to this topic

#1 naut

naut

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 17 July 2013 - 05:30 AM

I've tried 3 different antivirus/malware programs to find this thing and remove it with no luck.  Randomly a new tab will open and bring me to a site for a game called Wizard 101.  Also I get advertisment popups on random sites which I have adblock for the mean time.  In addition to all that it seems to pick out words on pages and turn them into hyper links for ads. 

 

I'd appreciate greatly any help you guys could give me.

 

Here's my HiJackThis log.

 

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 5:24:05 AM, on 7/17/2013
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)

FIREFOX: 22.0 (en-US)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\puush\puush.exe
C:\Users\Mike\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Users\Mike\Downloads\Adaware_Installer.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_224.exe
C:\Users\Mike\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.delta-search.com/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 87.248.203.254 cdn-patch.swtor.com
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
O4 - HKLM\..\Run: [IObit Malware Fighter] "C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe" /autostart
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
O4 - HKLM\..\Run: [Ad-Aware Antivirus] "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [puush] C:\Program Files (x86)\puush\puush.exe
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\Mike\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
O4 - HKCU\..\Run: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload
O4 - HKCU\..\Run: [KiesAirMessage] C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
O4 - HKCU\..\Run: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKCU\..\RunOnce: [adawarebp] reg.exe delete "HKCU\Software\AppDataLow\Software\adawarebp" /f
O4 - HKCU\..\RunOnce: [adawarebp_XP] reg.exe delete "HKCU\Software\adawarebp" /f
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-778387792-1012281853-1459691719-1003\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-778387792-1012281853-1459691719-1003\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O4 - Startup: CurseClientStartup.ccip
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\syswow64\nvinit.dll
O23 - Service: Ad-Aware Service - Lavasoft Limited - C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: IMF Service (IMFservice) - IObit - C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: GFI VIPRE Antivirus Service (SBAMSvc) - GFI Software - C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TeamViewer 8 (TeamViewer8) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9589 bytes
 

 



BC AdBot (Login to Remove)

 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:09 AM

Posted 17 July 2013 - 07:18 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

 

 

 

 

Scan with OTL

  • Download OTL by OldTimer and save it to your desktop.
  • Double click on the OTL.exe icon on your desktop. If you are using Vista, please right-click and select run as administrator
  • Click the "Scan All Users" checkbox.


    Note: If you are using a Windows 64bit machine, please make sure the checkbox next to Include 64Bit Scans is checked. It will be checked by default.

  • Push the runscanbutton.png button.
  • It will now begin to scan, please be paitent while it scans.
  • Two reports will open once it's done.
  • Please copy and paste them in your next reply:
  • OTL.txt <-- Will be opened
  • Extras.txt <-- Will be minimized


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#3 naut

naut
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 17 July 2013 - 12:10 PM

Well that's very strange, I seem to be unable to save my log from Gmer.  I followed the directions exactly and then even tried reinstalling the program, restarting the computer and scanning multiple times, but for some reason when I click the Save button nothing happens.  I sat there and waited for 3 minutes at one point and there's just no response from the Save button.  I took a screen shot of the results but I imagine you need a more detailed log.

3FaMw.jpg

 

 

 

Here's the OTL.txt results:

 

OTL logfile created on: 7/17/2013 12:03:38 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Mike\Desktop
64bit- Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
11.90 Gb Total Physical Memory | 9.75 Gb Available Physical Memory | 81.95% Memory free
23.79 Gb Paging File | 21.48 Gb Available in Paging File | 90.28% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 213.66 Gb Total Space | 11.81 Gb Free Space | 5.53% Space Free | Partition Type: NTFS
Drive E: | 100.00 Mb Total Space | 69.96 Mb Free Space | 69.96% Space Free | Partition Type: NTFS
Drive F: | 465.66 Gb Total Space | 29.58 Gb Free Space | 6.35% Space Free | Partition Type: NTFS
 
Computer Name: MIKE-PC | User Name: Mike | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2013/07/17 12:02:56 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Mike\Desktop\OTL.exe
PRC - [2013/07/17 00:17:44 | 000,920,472 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2013/06/13 02:27:38 | 001,236,336 | ---- | M] (Lavasoft Limited) -- C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe
PRC - [2013/06/13 02:27:36 | 018,834,784 | ---- | M] (Lavasoft Limited) -- C:\Program Files (x86)\Ad-Aware Antivirus\AdAware.exe
PRC - [2013/05/23 15:17:00 | 001,106,288 | ---- | M] (Samsung) -- C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
PRC - [2013/05/23 15:16:56 | 000,311,152 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
PRC - [2013/05/23 15:16:52 | 001,561,968 | ---- | M] (Samsung) -- C:\Program Files (x86)\Samsung\Kies\Kies.exe
PRC - [2013/05/20 16:43:44 | 000,076,888 | ---- | M] () -- C:\Windows\SysWOW64\PnkBstrA.exe
PRC - [2013/05/15 10:17:34 | 000,554,408 | ---- | M] (Lavasoft) -- C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
PRC - [2013/05/03 07:11:22 | 001,105,408 | ---- | M] (Spotify Ltd) -- C:\Users\Mike\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
PRC - [2013/03/15 00:53:06 | 001,266,464 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
PRC - [2013/03/15 00:07:46 | 000,383,264 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2013/03/06 10:30:43 | 003,560,288 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
PRC - [2012/09/20 05:39:12 | 003,677,000 | ---- | M] (GFI Software) -- C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2013/07/17 00:17:44 | 003,285,912 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2013/06/18 02:12:43 | 017,632,256 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\3989b4ca6cf904061992daec9e7d5644\PresentationFramework.ni.dll
MOD - [2013/05/21 23:56:47 | 000,220,672 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceProce#\6e7f1bdc845816dfc797f8002b76b5e8\System.ServiceProcess.ni.dll
MOD - [2013/05/21 23:55:48 | 001,776,640 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\035910922f160d304fb834aae41f45a6\System.Xaml.ni.dll
MOD - [2013/05/21 16:47:22 | 011,057,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\3963e9ce8d44f50e8367e92a8e3e42e6\PresentationCore.ni.dll
MOD - [2013/05/21 16:47:16 | 003,779,072 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\d17606e813f01376bd0def23726ecc62\WindowsBase.ni.dll
MOD - [2013/05/21 16:47:13 | 005,571,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\e997d0200c25f7db6bd32313d50b729d\System.Xml.ni.dll
MOD - [2013/05/21 16:47:11 | 000,973,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ac18c2dcd06bd2a0589bac94ccae5716\System.Configuration.ni.dll
MOD - [2013/05/21 16:47:10 | 007,025,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\713647b987b140a17e3c4ffe4c721f85\System.Core.ni.dll
MOD - [2013/05/21 16:47:05 | 009,000,960 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\964da027ebca3b263a05cadb8eaa20a3\System.ni.dll
MOD - [2013/05/21 16:47:02 | 014,415,872 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\246f1a5abb686b9dcdf22d3505b08cea\mscorlib.ni.dll
MOD - [2013/03/15 00:53:06 | 000,004,096 | ---- | M] () -- C:\Program Files (x86)\NVIDIA Corporation\coprocmanager\detoured.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2013/07/17 00:17:44 | 000,117,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/06/21 09:53:36 | 000,162,408 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2013/06/13 02:27:38 | 001,236,336 | ---- | M] (Lavasoft Limited) [Auto | Running] -- C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareService.exe -- (Ad-Aware Service)
SRV - [2013/06/11 16:47:10 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/05/20 16:43:44 | 000,076,888 | ---- | M] () [Auto | Running] -- C:\Windows\SysWOW64\PnkBstrA.exe -- (PnkBstrA)
SRV - [2013/04/19 16:10:50 | 000,543,656 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2013/03/15 00:53:06 | 001,266,464 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2013/03/15 00:07:46 | 000,383,264 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2013/03/06 10:30:43 | 003,560,288 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe -- (TeamViewer8)
SRV - [2012/09/20 05:39:12 | 003,677,000 | ---- | M] (GFI Software) [Auto | Running] -- C:\Program Files (x86)\Ad-Aware Antivirus\SBAMSvc.exe -- (SBAMSvc)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2013/07/17 05:19:55 | 000,014,456 | ---- | M] (GFI Software) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\gfibto.sys -- (gfibto)
DRV:64bit: - [2013/05/01 23:23:50 | 000,203,672 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssudmdm.sys -- (ssudmdm)
DRV:64bit: - [2013/05/01 23:23:50 | 000,103,064 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssudbus.sys -- (dg_ssudbus)
DRV:64bit: - [2013/04/21 04:12:34 | 000,283,200 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV:64bit: - [2013/04/11 11:06:54 | 000,039,504 | ---- | M] (ThreatTrack Security) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\gfiark.sys -- (gfiark)
DRV:64bit: - [2012/12/19 00:41:52 | 000,194,488 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2012/09/12 20:19:38 | 000,082,872 | ---- | M] (GFI Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\sbapifs.sys -- (sbapifs)
DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2011/08/23 08:57:24 | 000,565,352 | ---- | M] (Realtek                                            ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 20:47:48 | 000,023,104 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.delta-search.com/home
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 10 7B 63 6C FA 2F CE 01  [binary data]
IE - HKCU\..\URLSearchHook: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledAddons: giorgio%40gilestro.tk:1.0.6
FF - prefs.js..extensions.enabledAddons: %7B3d7eb24f-2740-49df-8937-200b1cc08f8a%7D:1.5.17
FF - prefs.js..extensions.enabledAddons: %7BE19DF523-EFFD-48d2-95A2-883CB3BA32A4%7D:1.6.0.12
FF - prefs.js..extensions.enabledAddons: LDSI_plashcor%40gmail.com:0.9.4
FF - prefs.js..extensions.enabledAddons: %7B5e594888-3e8e-47da-b2c6-b0b545112f84%7D:1.3.14
FF - prefs.js..extensions.enabledAddons: savefileto%40mozdev.org:2.5
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:22.0
FF - prefs.js..network.proxy.autoconfig_url: "http://client.hola.org/proxy.pac?browser=firefox&ver=1.1.338&uuid=0883254ffb3146498debc51442437dbe&stamp=1"
FF - prefs.js..network.proxy.type: 2
FF - prefs.js..browser.startup.homepage: "http://www.delta-search.com/home"
 
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@esn.me/esnsonar,version=0.70.4: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@esn/esnlaunch,version=2.1.4: C:\Program Files (x86)\Battlelog Web Plugins\2.1.4\npesnlaunch.dll (ESN Social Software AB)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.17.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@raidcall.en/RCplugin: C:\Users\Mike\AppData\Roaming\raidcall\plugins\nprcplugin.dll (Raidcall)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.5: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013/07/17 05:21:28 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 22.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
 
[2013/04/02 18:44:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mike\AppData\Roaming\Mozilla\Extensions
[2013/07/17 05:09:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions
[2013/04/17 01:26:27 | 000,000,000 | ---D | M] (Flashblock) -- C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2013/04/02 17:38:23 | 000,077,652 | ---- | M] () (No name found) -- C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\giorgio@gilestro.tk.xpi
[2013/07/16 23:35:58 | 000,374,006 | ---- | M] () (No name found) -- C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\jid1-4P0kohSJxU1qGg@jetpack.xpi
[2013/04/02 17:51:40 | 000,401,328 | ---- | M] () (No name found) -- C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi
[2013/06/14 23:51:08 | 000,097,083 | ---- | M] () (No name found) -- C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\LDSI_plashcor@gmail.com.xpi
[2013/07/17 05:09:59 | 000,117,978 | ---- | M] () (No name found) -- C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\savefileto@mozdev.org.xpi
[2013/07/17 00:21:37 | 000,080,610 | ---- | M] () (No name found) -- C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\{5e594888-3e8e-47da-b2c6-b0b545112f84}.xpi
[2013/05/08 23:07:40 | 000,870,680 | ---- | M] () (No name found) -- C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2013/04/17 01:26:27 | 000,071,552 | ---- | M] () (No name found) -- C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\{E19DF523-EFFD-48d2-95A2-883CB3BA32A4}.xpi
[2013/04/08 20:52:11 | 000,001,294 | ---- | M] () -- C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\searchplugins\delta.xml
[2013/07/17 00:17:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions
[2013/07/17 00:17:44 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}
CHR - plugin: VLC Web Plugin (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll
CHR - Extension: Google Docs = C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0\
CHR - Extension: Google Drive = C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: Hola Unblocker = C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio\1.1.67_1\
CHR - Extension: Gmail = C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\
 
O1 HOSTS File: ([2013/07/17 05:08:46 | 000,000,871 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 87.248.203.254 cdn-patch.swtor.com
O2:64bit: - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [Ad-Aware Antivirus] C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher.exe (Lavasoft Limited)
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKLM..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.)
O4 - HKCU..\Run: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe (Samsung)
O4 - HKCU..\Run: [KiesAirMessage] C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup File not found
O4 - HKCU..\Run: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe (Samsung)
O4 - HKCU..\Run: [puush] C:\Program Files (x86)\puush\puush.exe ()
O4 - HKCU..\Run: [Spotify Web Helper] C:\Users\Mike\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe (Spotify Ltd)
O4 - HKCU..\Run: [Steam] C:\Program Files (x86)\Steam\steam.exe (Valve Corporation)
O4 - Startup: C:\Users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D816ABA9-0A62-4AD7-93B1-9CF9A159B53B}: DhcpNameServer = 209.18.47.61 209.18.47.62
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\nvinitx.dll) - C:\Windows\SysNative\nvinitx.dll (NVIDIA Corporation)
O20 - AppInit_DLLs: (c:\windows\syswow64\nvinit.dll) - c:\Windows\SysWOW64\nvinit.dll (NVIDIA Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - F:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{9b375550-a4a7-11e2-8acc-bc5ff43547f9}\Shell - "" = AutoRun
O33 - MountPoints2\{9b375550-a4a7-11e2-8acc-bc5ff43547f9}\Shell\AutoRun\command - "" = G:\Setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/07/17 12:02:56 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Mike\Desktop\OTL.exe
[2013/07/17 05:32:16 | 000,039,504 | ---- | C] (ThreatTrack Security) -- C:\Windows\SysNative\drivers\gfiark.sys
[2013/07/17 05:31:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Ad-Aware Antivirus
[2013/07/17 05:30:31 | 000,000,000 | ---D | C] -- C:\Users\Mike\AppData\Roaming\LavasoftStatistics
[2013/07/17 05:21:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ad-Aware Antivirus
[2013/07/17 05:21:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2013/07/17 05:21:33 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Ad-Aware Antivirus
[2013/07/17 05:21:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Downloaded Installations
[2013/07/17 05:21:28 | 000,000,000 | ---D | C] -- C:\ProgramData\blekko toolbars
[2013/07/17 05:21:28 | 000,000,000 | ---D | C] -- C:\Users\Mike\AppData\Local\adawarebp
[2013/07/17 05:21:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Ad-Aware Browsing Protection
[2013/07/17 05:21:25 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\adawaretb
[2013/07/17 05:21:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Toolbar Cleaner
[2013/07/17 05:19:55 | 000,047,496 | ---- | C] (GFI Software) -- C:\Windows\SysNative\sbbd.exe
[2013/07/17 05:19:55 | 000,014,456 | ---- | C] (GFI Software) -- C:\Windows\SysNative\drivers\gfibto.sys
[2013/07/17 05:19:55 | 000,000,000 | ---D | C] -- C:\Users\Mike\AppData\Roaming\Ad-Aware Antivirus
[2013/07/17 05:11:04 | 000,000,000 | ---D | C] -- C:\Users\Mike\Desktop\RK_Quarantine
[2013/07/17 03:44:19 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Data
[2013/07/17 01:48:07 | 000,000,000 | ---D | C] -- C:\ProgramData\IObit
[2013/07/17 01:47:53 | 000,000,000 | ---D | C] -- C:\Users\Mike\AppData\Roaming\IObit
[2013/07/17 01:47:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IObit
[2013/07/17 00:57:31 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\SysNative\bootdelete.exe
[2013/07/17 00:17:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2013/07/17 00:15:07 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2013/06/18 02:18:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MyFree Codec
[2013/06/18 02:18:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MyFree Codec
[2013/06/18 02:18:29 | 000,000,000 | ---D | C] -- C:\Users\Mike\Documents\SelfMV
[2013/06/18 02:16:03 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\NativeFus_Log
[2013/06/18 02:16:03 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\CrashDump
[2013/06/18 02:16:01 | 000,000,000 | ---D | C] -- C:\Users\Mike\Documents\samsung
[2013/06/18 02:16:01 | 000,000,000 | ---D | C] -- C:\Users\Mike\AppData\Roaming\Samsung
[2013/06/18 02:16:01 | 000,000,000 | ---D | C] -- C:\Users\Mike\AppData\Local\Samsung
[2013/06/18 02:15:16 | 001,490,656 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WdfCoInstaller01007.dll
[2013/06/18 02:15:16 | 000,708,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WinUSBCoInstaller.dll
[2013/06/18 02:15:16 | 000,203,672 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\Windows\SysNative\drivers\ssudmdm.sys
[2013/06/18 02:15:16 | 000,103,064 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\Windows\SysNative\drivers\ssudbus.sys
[2013/06/18 02:13:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung
[2013/06/18 02:13:30 | 004,659,712 | ---- | C] (Dmitry Streblechenko) -- C:\Windows\SysWow64\Redemption.dll
[2013/06/18 02:13:27 | 000,821,824 | ---- | C] (Devguru Co., Ltd.) -- C:\Windows\SysWow64\dgderapi.dll
[2013/06/18 02:13:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Samsung
[2013/06/18 02:13:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Samsung
[2013/06/18 02:11:46 | 000,000,000 | ---D | C] -- C:\Users\Mike\AppData\Local\Downloaded Installations
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/07/17 12:02:56 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Mike\Desktop\OTL.exe
[2013/07/17 11:47:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/07/17 11:32:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/07/17 05:37:11 | 000,726,316 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/07/17 05:37:11 | 000,623,940 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/07/17 05:37:11 | 000,106,316 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/07/17 05:36:20 | 000,014,192 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/07/17 05:36:20 | 000,014,192 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/07/17 05:33:24 | 000,000,866 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2013/07/17 05:31:30 | 000,000,890 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/07/17 05:31:26 | 000,001,868 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
[2013/07/17 05:31:15 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/07/17 05:19:55 | 000,014,456 | ---- | M] (GFI Software) -- C:\Windows\SysNative\drivers\gfibto.sys
[2013/07/17 05:09:59 | 000,000,002 | ---- | M] () -- C:\END
[2013/07/17 00:57:31 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\SysNative\bootdelete.exe
[2013/07/17 00:19:46 | 000,005,162 | ---- | M] () -- C:\Windows\SysNative\.crusader
[2013/06/18 02:16:16 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_Kernel_WinUsb_01007.Wdf
[2013/06/18 02:13:31 | 000,002,026 | ---- | M] () -- C:\Users\Mike\Application Data\Microsoft\Internet Explorer\Quick Launch\Samsung Kies (Lite).lnk
[2013/06/18 02:13:31 | 000,002,016 | ---- | M] () -- C:\Users\Mike\Application Data\Microsoft\Internet Explorer\Quick Launch\Samsung Kies.lnk
[2013/06/17 18:21:56 | 000,025,767 | ---- | M] () -- C:\Users\Mike\Desktop\BSo0WV2.png
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/07/17 05:21:34 | 000,001,868 | ---- | C] () -- C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
[2013/07/17 00:19:46 | 000,005,162 | ---- | C] () -- C:\Windows\SysNative\.crusader
[2013/06/18 02:16:16 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_Kernel_WinUsb_01007.Wdf
[2013/06/18 02:13:31 | 000,002,026 | ---- | C] () -- C:\Users\Mike\Application Data\Microsoft\Internet Explorer\Quick Launch\Samsung Kies (Lite).lnk
[2013/06/18 02:13:31 | 000,002,016 | ---- | C] () -- C:\Users\Mike\Application Data\Microsoft\Internet Explorer\Quick Launch\Samsung Kies.lnk
[2013/06/17 18:21:56 | 000,025,767 | ---- | C] () -- C:\Users\Mike\Desktop\BSo0WV2.png
[2013/05/22 20:43:52 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe
[2013/05/22 20:43:48 | 000,974,848 | ---- | C] () -- C:\Windows\SysWow64\cis-2.4.dll
[2013/05/22 20:43:48 | 000,081,920 | ---- | C] () -- C:\Windows\SysWow64\issacapi_bs-2.3.dll
[2013/05/22 20:43:48 | 000,065,536 | ---- | C] () -- C:\Windows\SysWow64\issacapi_pe-2.3.dll
[2013/05/22 20:43:48 | 000,057,344 | ---- | C] () -- C:\Windows\SysWow64\issacapi_se-2.3.dll
[2013/04/03 13:38:44 | 000,291,088 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrB.exe
[2013/04/03 13:38:43 | 000,076,888 | ---- | C] () -- C:\Windows\SysWow64\PnkBstrA.exe
[2013/04/02 20:21:24 | 000,001,509 | ---- | C] () -- C:\Users\Mike\AppData\Roaming\MPQEditor.ini
[2012/09/28 14:45:06 | 000,247,296 | ---- | C] () -- C:\Windows\SysWow64\rtvcvfw32.dll
[2011/09/28 17:44:14 | 000,179,271 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat
 
========== ZeroAccess Check ==========
 
[2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2009/07/13 20:41:54 | 014,161,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2009/07/13 20:16:14 | 012,866,560 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/07/13 20:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >
 

 

 

Here's the Extras.txt results:
 

OTL Extras logfile created on: 7/17/2013 12:03:38 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Mike\Desktop
64bit- Ultimate Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
11.90 Gb Total Physical Memory | 9.75 Gb Available Physical Memory | 81.95% Memory free
23.79 Gb Paging File | 21.48 Gb Available in Paging File | 90.28% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 213.66 Gb Total Space | 11.81 Gb Free Space | 5.53% Space Free | Partition Type: NTFS
Drive E: | 100.00 Mb Total Space | 69.96 Mb Free Space | 69.96% Space Free | Partition Type: NTFS
Drive F: | 465.66 Gb Total Space | 29.58 Gb Free Space | 6.35% Space Free | Partition Type: NTFS
 
Computer Name: MIKE-PC | User Name: Mike | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htafile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\SysWow64\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htafile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\SysWow64\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files (x86)\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{101EC6D4-4FBC-47AA-B2A5-E5C680C74DA8}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{1C1A5B6F-AED8-4B9A-8FBC-6C459F847EDE}" = lport=139 | protocol=6 | dir=in | app=system |
"{2275508A-95BD-48EF-896D-D0184269AE08}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{37B4EAB4-25DC-47A8-9383-C0DE8E8B6E51}" = rport=445 | protocol=6 | dir=out | app=system |
"{41BDED6B-4887-4855-A23A-B4CF2AD452AF}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{45D4FDDD-7D05-4753-97C3-56D8A6591843}" = rport=10243 | protocol=6 | dir=out | app=system |
"{5B153736-53C9-41E7-8424-1DDF8B8DE9B6}" = lport=138 | protocol=17 | dir=in | app=system |
"{856429D7-296C-4AAD-A4AF-BA3AA47FD8CC}" = lport=2869 | protocol=6 | dir=in | app=system |
"{928EB9F8-2D96-406C-A6EF-DB59992C1356}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{92E1B19F-C47A-4DDE-A140-BFC7320EC34E}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{9BD811B5-4F7B-4588-A505-069F9072826A}" = rport=138 | protocol=17 | dir=out | app=system |
"{9D3A9174-734C-4D5D-BA8D-3C2D6C20B494}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A1DA08B5-15C2-43D6-A7EF-A4DCA7926225}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A780B4CE-4319-4D67-89CF-0F321B28966B}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{A81EBCD3-F983-49A9-99D8-B9BB1D41760B}" = rport=137 | protocol=17 | dir=out | app=system |
"{AC0EB367-C84F-441D-8779-8200BF12C349}" = lport=445 | protocol=6 | dir=in | app=system |
"{B8574C63-FA53-4086-8AD8-C397BD103F26}" = lport=137 | protocol=17 | dir=in | app=system |
"{C2DE38A9-B34A-4B55-8F94-1298F025838B}" = rport=139 | protocol=6 | dir=out | app=system |
"{CDD9393B-DB9D-41AC-AE55-0AE41D18767A}" = lport=10243 | protocol=6 | dir=in | app=system |
"{CF6C398E-4CB6-4859-BA2D-F640BBEDE17B}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{E1D0146F-4522-4E69-8CCF-D6C789D88E67}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01951B72-FECB-4816-B33D-68C26C594D6C}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
"{0540DAE5-1D59-470A-9FCB-26E03AFCB6F7}" = protocol=6 | dir=in | app=c:\users\mike\appdata\local\apps\2.0\g8nvo844.4k7\gmp51xco.klr\curs..tion_9e9e83ddf3ed3ead_0005.0001_dcfaec929722f6ac\curseclient.exe |
"{058A677F-0311-4025-AE1E-61F4AD36A67C}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{081FF286-6DB8-4A6D-8681-EC3723D4173A}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{111A951B-EDD0-4978-8EC8-FD487F068947}" = protocol=6 | dir=in | app=c:\programdata\battle.net\agent\agent.1544\agent.exe |
"{1888F926-6A7F-4EAF-B154-0FB02677AB15}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\counter-strike global offensive\csgo.exe |
"{1C684CA3-B73A-4AA8-954A-920A065F87C3}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{1F202224-F22E-46FF-8DA8-F4417E3AD249}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{1FFD842E-A702-4AC3-951E-C5108CBA51F7}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\grand theft auto iv\gtaiv\launchgtaiv.exe |
"{24A39DB6-B542-42A5-B9C0-7D9A14B66F55}" = protocol=17 | dir=in | app=c:\users\mike\appdata\roaming\dropbox\bin\dropbox.exe |
"{274B4A2B-E554-44A4-ADBF-E94F29FB78E5}" = protocol=17 | dir=in | app=c:\programdata\battle.net\agent\agent.1544\agent.exe |
"{2A0DB8F5-2341-4756-82AE-15B5C657185A}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{2A3ED4D1-0024-4BF5-83C9-E405DC9178AA}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{2BD97C59-77EB-4708-B197-68E652D0C1B4}" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{2D023097-706B-4CEC-AE74-D55A1C3AC4B2}" = protocol=17 | dir=in | app=c:\users\mike\appdata\roaming\spotify\spotify.exe |
"{2DB5124F-C4DA-4FF8-BDAF-E3A64FEDC849}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\godmode\bin\godmode.exe |
"{2E70AF41-E3BC-40C1-B362-FEC88855974E}" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |
"{2ED6402E-5690-47BF-88F0-CADCBA9F2978}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{320AB9BA-B781-4017-A84B-01BCEC7A4E60}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{379AE892-5DA3-4B29-A1FD-192F89203762}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{3CF3A333-83C6-4C81-A792-9DAD9E538C27}" = protocol=17 | dir=in | app=c:\program files (x86)\teamviewer\version8\teamviewer.exe |
"{3FE45223-C738-43CB-9D9B-C46490E77978}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{41250F1E-D0C1-4352-9D7B-AD82C38DBD1E}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{4198A22E-0A12-49D5-ABF2-D316058B96FE}" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars-the old republic\swtor\retailclient\swtor.exe |
"{444E9DEE-E4CA-4023-8DEA-B5D360512C08}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{464F3B14-D63C-43E7-B443-6F68254D97E9}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\counter-strike global offensive\csgo.exe |
"{47BEA33B-CF14-496F-8295-F0CEE8ECE0D5}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\grand theft auto iv\gtaiv\launchgtaiv.exe |
"{48863AC4-47C2-4312-AFE0-AE725936AB60}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{4D368804-BDD3-40A5-9122-3C72C30D3DCE}" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars-the old republic\launcher.exe |
"{4E45715B-8352-4299-9BA4-0CE085AD76A3}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\dota 2 beta\dota.exe |
"{4E59C835-24D9-45EB-AA9D-F2794E443CB4}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\rift\riftpatchlive.exe |
"{4F748761-227F-474A-A387-CAA42D2223F5}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{58502E3D-CFBE-4154-A86D-CD5D22A3DF30}" = protocol=17 | dir=in | app=c:\program files (x86)\raptr\raptr.exe |
"{5DA7DF21-D816-40EF-B0B4-BD6FE89C1152}" = protocol=6 | dir=in | app=c:\program files (x86)\raptr\raptr.exe |
"{60F5CBB4-50A7-4F99-A240-A805669DBE8B}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{674FA949-0036-4478-9FDC-6C73491E5912}" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars-the old republic\swtor\retailclient\swtor.exe |
"{693E69D0-2314-4361-A7DE-01D9F8D76625}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{6A2D7430-5274-4DDA-85B7-C314658F5CA1}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\borderlands 2\binaries\win32\borderlands2.exe |
"{6A371003-C1EE-4FDE-AA05-237EDD9FF2CA}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\portal 2\portal2.exe |
"{6B2D7734-5D8F-4BDC-9D52-27D078307CEE}" = protocol=17 | dir=in | app=c:\users\mike\appdata\local\apps\2.0\g8nvo844.4k7\gmp51xco.klr\curs..tion_9e9e83ddf3ed3ead_0005.0001_dcfaec929722f6ac\curseclient.exe |
"{71A3976C-0E10-40A9-A4EE-F45209E2C11E}" = protocol=6 | dir=out | app=system |
"{7F6B472F-3F03-4728-9DF9-27724885765F}" = protocol=17 | dir=in | app=c:\program files (x86)\battlelog web plugins\sonar\0.70.4\sonarhost.exe |
"{80CB0126-1100-40AF-AE97-2437832F4AA0}" = protocol=6 | dir=in | app=c:\programdata\battle.net\agent\agent.1675\agent.exe |
"{834C049E-353F-494E-A196-65695D62EF6B}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe |
"{860620DB-3AC5-4521-8ABD-8381F8ADFFC4}" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars-the old republic\launcher.exe |
"{8C6ABD53-6F98-42FF-8D29-7135E40A9238}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\grand theft auto iv episodes from liberty city\eflc\launcheflc.exe |
"{90BCCB13-39EB-4811-A1D8-AD23B7231323}" = protocol=17 | dir=in | app=c:\program files (x86)\raptr\raptr_im.exe |
"{9281DFBB-5C43-4BBD-BEFF-1FBAAC544D5E}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{92FD5097-2880-4BCB-BE7B-08AA102BB6B3}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstrb.exe |
"{98C5DF02-0746-4A27-9185-C1A1087EFB79}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\killingfloor\system\killingfloor.exe |
"{99D04044-D9CE-46A1-B1AD-7F5D8A3BD236}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\grand theft auto iv episodes from liberty city\eflc\launcheflc.exe |
"{9D7CCB03-38B5-4BF2-8DCC-8431009D3C3D}" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars-the old republic\swtor\retailclient\swtor.exe |
"{A0F57B02-C373-4DE5-B42D-2FE637E61B18}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\portal 2\portal2.exe |
"{A1451E5F-E823-4BBE-8D45-8A8279BE6100}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{A2433C81-6890-4E7A-8AB2-3C21E56DE82F}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\dota 2 beta\dota.exe |
"{A4C0CDDE-ADCA-41A9-8AAC-AA4B2158C8A5}" = protocol=17 | dir=in | app=c:\programdata\battle.net\agent\agent.1675\agent.exe |
"{A86453A0-5142-4072-B062-B3288D299A8D}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\godmode\bin\godmode.exe |
"{A9D05054-D0D7-47E5-983C-99C2B35D9437}" = protocol=6 | dir=in | app=c:\users\mike\appdata\roaming\dropbox\bin\dropbox.exe |
"{AC6D9CD4-5088-4FCE-9EDC-8F6E1F531EFB}" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars-the old republic\swtor\retailclient\swtor.exe |
"{AC7D42FB-01DE-45EC-98E6-B594F8610511}" = protocol=6 | dir=in | app=c:\users\mike\appdata\roaming\spotify\spotify.exe |
"{B674B171-F9D0-4E7B-B982-A869E6A454CF}" = protocol=6 | dir=in | app=c:\program files (x86)\teamviewer\version8\teamviewer.exe |
"{B846AF0D-DA27-45D6-B9D3-6F7FBF2E673A}" = protocol=6 | dir=in | app=c:\program files (x86)\battlelog web plugins\sonar\0.70.4\sonarhost.exe |
"{B8999E67-BBAF-4FB4-A0F9-7ADAAB47A79F}" = protocol=17 | dir=in | app=c:\program files (x86)\origin games\battlefield 3\bf3.exe |
"{BA6782A4-1233-4724-9861-424049A20806}" = protocol=6 | dir=in | app=c:\program files (x86)\raptr\raptr_im.exe |
"{BB7596CD-C326-4B80-AB9A-E506E178B9FD}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\borderlands 2\binaries\win32\launcher.exe |
"{BBCCB686-596A-441B-B343-2963D38CCCFF}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{C0FE7EB3-CA8F-407C-B7BF-039F7FD27D14}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{C939F3F1-240A-456E-A743-597C9E894FE3}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\borderlands 2\binaries\win32\launcher.exe |
"{C9C86C3A-F958-45DE-9A74-1835CBC6102B}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{CA8ED158-E684-41CA-AFB3-B340D104C42F}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\killingfloor\system\killingfloor.exe |
"{D06B3356-91C4-4C31-B5CA-00707E1F4301}" = protocol=17 | dir=in | app=c:\program files (x86)\steam\steamapps\common\rift\riftpatchlive.exe |
"{D13F94AA-AC6E-428F-B0A6-ACB1A53EEBCB}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steamapps\common\borderlands 2\binaries\win32\borderlands2.exe |
"{D2CE441C-1BD5-4E70-A29E-741312481464}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{D4C40617-E755-4F9C-95ED-BE2ADED3C631}" = protocol=6 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars-the old republic\launcher.exe |
"{D664BD80-AF66-4C5C-B732-7A0CB2A6A9A9}" = protocol=6 | dir=in | app=c:\program files (x86)\steam\steam.exe |
"{D8FEFAB4-6AE5-4159-8A81-BD704F41E206}" = protocol=17 | dir=in | app=c:\windows\syswow64\pnkbstra.exe |
"{DA12685D-38B7-470B-A7DE-40645D3EC026}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe |
"{DA51814A-A2F3-4952-92E9-126CBC7733D5}" = protocol=17 | dir=in | app=c:\program files (x86)\teamviewer\version8\teamviewer_service.exe |
"{DC82203F-3E17-4049-ADC3-93A8BE5B1E72}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{DDF6E111-B323-43FA-918C-89F210148566}" = protocol=6 | dir=in | app=c:\windows\syswow64\pnkbstra.exe |
"{E6E02874-1E1B-4A75-8377-58C360238344}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{F2E11315-5B5D-4994-BDD4-AC71E59FAF04}" = protocol=6 | dir=in | app=c:\program files (x86)\teamviewer\version8\teamviewer_service.exe |
"{F976410E-9155-440B-99CD-0C0E38843916}" = protocol=6 | dir=in | app=c:\program files (x86)\origin games\battlefield 3\bf3.exe |
"{FF5175E1-AA3C-4CDD-B27D-DA4ADC707541}" = protocol=17 | dir=in | app=c:\program files (x86)\electronic arts\bioware\star wars-the old republic\launcher.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0225AD21-F3E2-4916-BFF3-65D3F9052582}" = iTunes
"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
"{23170F69-40C1-2702-0920-000001000000}" = 7-Zip 9.20 (x64 edition)
"{26A24AE4-039D-4CA4-87B4-2F86417021FF}" = Java 7 Update 21 (64-bit)
"{2F72F540-1F60-4266-9506-952B21D6640D}" = Apple Mobile Device Support
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{9B48B0AC-C813-4174-9042-476A887592C7}" = Windows Live ID Sign-in Assistant
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 314.22
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 314.22
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 314.22
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller Driver 314.22
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.12.1031
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.12.12
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA HD Audio Driver 1.3.23.1
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"CCleaner" = CCleaner
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21AF2C88-A2D7-436D-A261-017865640E84}" = Imgur Uploader
"{2C9EE786-1DDB-4C98-8FA4-B1B9B5A66B77}" = Microsoft Games for Windows - LIVE
"{3B11D799-48E0-48ED-BFD7-EA655676D8BB}" = Star Wars: The Old Republic
"{41785C66-90F2-40CE-8CB5-1C94BFC97280}" = Microsoft Chart Controls for Microsoft .NET Framework 3.5
"{45C56AA7-ED1B-4800-A97F-EDDF3F3520B1}" = Apple Application Support
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.6
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"{76285C16-411A-488A-BCE3-C83CB933D8CF}" = Battlefield 3™
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}" = Microsoft Games for Windows - LIVE Redistributable
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{8B922CF8-8A6C-41CE-A858-F1755D7F5D29}" = NVIDIA PhysX
"{944167EA-7F89-4705-8DCD-1D63B53141B0}" = Ad-Aware Antivirus
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{B4E343DD-BAAB-4D59-AD9C-DEA0AFE09DF1}" = Mumble 1.2.3
"{C3592426-531E-4110-911D-BFECE2CE284B}" = puush
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"5513-1208-7298-9440" = JDownloader 0.9
"Ad-Aware Browsing Protection" = Ad-Aware Browsing Protection
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Afterburner" = MSI Afterburner 2.3.1
"Battlelog Web Plugins" = Battlelog Web Plugins
"DAEMON Tools Lite" = DAEMON Tools Lite
"ESN Sonar-0.70.4" = ESN Sonar
"Fraps" = Fraps
"Google Chrome" = Google Chrome
"InstallShield_{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies
"LinuxLive USB Creator" = LinuxLive USB Creator
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Mozilla Firefox 22.0 (x86 en-US)" = Mozilla Firefox 22.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"Neverwinter" = Neverwinter
"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver
"Open Broadcaster Software" = Open Broadcaster Software
"OpenAL" = OpenAL
"Origin" = Origin
"PunkBusterSvc" = PunkBuster Services
"RaidCall" = RaidCall
"Rockstar Games Social Club" = Rockstar Games Social Club
"SpeedFan" = SpeedFan (remove only)
"Steam App 12210" = Grand Theft Auto IV
"Steam App 12220" = Grand Theft Auto: Episodes from Liberty City
"Steam App 1250" = Killing Floor
"Steam App 39120" = RIFT™
"Steam App 49520" = Borderlands 2
"Steam App 570" = Dota 2
"Steam App 620" = Portal 2
"Steam App 730" = Counter-Strike: Global Offensive
"TeamViewer 8" = TeamViewer 8
"Tombraider_is1" = Tombraider
"uTorrent" = µTorrent
"VLC media player" = VLC media player 2.0.5
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"101a9f93b8f0bb6f" = Curse Client
"Dropbox" = Dropbox
"Flux" = F.lux
"MyFreeCodec" = MyFreeCodec
"Spotify" = Spotify
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"WinDirStat" = WinDirStat 1.1.2
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 5/29/2013 7:02:16 PM | Computer Name = Mike-PC | Source = Application Error | ID = 1000
Description = Faulting application name: bf3.exe, version: 1.6.0.0, time stamp:
0x511c9356  Faulting module name: ltc_game32-68721.dll_unloaded, version: 0.0.0.0,
 time stamp: 0x50a6e4c0  Exception code: 0xc0000005  Fault offset: 0x5e5401c3  Faulting
 process id: 0x70c  Faulting application start time: 0x01ce5cc082a10783  Faulting application
 path: C:\Program Files (x86)\Origin Games\Battlefield 3\bf3.exe  Faulting module
path: ltc_game32-68721.dll  Report Id: cdbd503a-c8b3-11e2-92c1-bc5ff43547f9
 
Error - 6/15/2013 2:58:00 PM | Computer Name = Mike-PC | Source = Application Error | ID = 1000
Description = Faulting application name: WinToFlash.exe, version: 0.7.54.0, time
 stamp: 0x5033a14a  Faulting module name: ole32.dll, version: 6.1.7600.16385, time
 stamp: 0x4a5bdac7  Exception code: 0xc0000005  Fault offset: 0x00054cbe  Faulting process
 id: 0x2654  Faulting application start time: 0x01ce69f98a66493c  Faulting application
 path: F:\Users\Mike\Downloads\Novicorp WinToFlash 0.7.0054 beta\WinToFlash.exe  Faulting
 module path: C:\Windows\syswow64\ole32.dll  Report Id: 7fa0ef67-d5ed-11e2-8423-bc5ff43547f9
 
Error - 6/15/2013 3:04:25 PM | Computer Name = Mike-PC | Source = Application Error | ID = 1000
Description = Faulting application name: WinToFlash.exe, version: 0.7.57.0, time
 stamp: 0x5150a524  Faulting module name: ntdll.dll, version: 6.1.7600.16385, time
 stamp: 0x4a5bdb3b  Exception code: 0xc0000005  Fault offset: 0x0002e23e  Faulting process
 id: 0x1fc8  Faulting application start time: 0x01ce69faa8e429d1  Faulting application
 path: C:\Users\Mike\Desktop\novicorp wintoflash 0.7.0057 beta\WinToFlash.exe  Faulting
 module path: C:\Windows\SysWOW64\ntdll.dll  Report Id: 64a1ec16-d5ee-11e2-8423-bc5ff43547f9
 
Error - 6/15/2013 3:15:02 PM | Computer Name = Mike-PC | Source = Application Error | ID = 1000
Description = Faulting application name: WinToFlash.exe, version: 0.7.57.0, time
 stamp: 0x5150a524  Faulting module name: ntdll.dll, version: 6.1.7600.16385, time
 stamp: 0x4a5bdb3b  Exception code: 0xc0000005  Fault offset: 0x0002e727  Faulting process
 id: 0x1ea4  Faulting application start time: 0x01ce69fb2d50f9db  Faulting application
 path: C:\Users\Mike\Desktop\novicorp wintoflash 0.7.0057 beta\WinToFlash.exe  Faulting
 module path: C:\Windows\SysWOW64\ntdll.dll  Report Id: e09b7f19-d5ef-11e2-8423-bc5ff43547f9
 
Error - 6/17/2013 7:04:17 AM | Computer Name = Mike-PC | Source = Application Error | ID = 1000
Description = Faulting application name: plugin-container.exe, version: 21.0.0.4879,
 time stamp: 0x518ec367  Faulting module name: mozalloc.dll, version: 21.0.0.4879,
 time stamp: 0x518eaa4a  Exception code: 0x80000003  Fault offset: 0x00001988  Faulting
 process id: 0xa98  Faulting application start time: 0x01ce6b4766a04c15  Faulting application
 path: C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe  Faulting module
 path: C:\Program Files (x86)\Mozilla Firefox\mozalloc.dll  Report Id: a6ff5198-d73d-11e2-88bc-bc5ff43547f9
 
Error - 6/17/2013 7:04:17 AM | Computer Name = Mike-PC | Source = Application Hang | ID = 1002
Description = The program firefox.exe version 21.0.0.4879 stopped interacting with
 Windows and was closed. To see if more information about the problem is available,
 check the problem history in the Action Center control panel.    Process ID: c40    Start
 Time: 01ce6b47666e281e    Termination Time: 30    Application Path: C:\Program Files (x86)\Mozilla
 Firefox\firefox.exe    Report Id: a6298af5-d73d-11e2-88bc-bc5ff43547f9  
 
Error - 6/17/2013 7:41:12 AM | Computer Name = Mike-PC | Source = Application Hang | ID = 1002
Description = The program recuva64.exe version 1.47.0.948 stopped interacting with
 Windows and was closed. To see if more information about the problem is available,
 check the problem history in the Action Center control panel.    Process ID: 12bc    Start
 Time: 01ce6b4eb434f829    Termination Time: 10    Application Path: C:\Program Files\Recuva\recuva64.exe

Report
 Id: ce20f295-d742-11e2-bb0b-bc5ff43547f9  
 
Error - 6/18/2013 3:15:28 AM | Computer Name = Mike-PC | Source = .NET Runtime Optimization Service | ID = 1101
Description =
 
Error - 6/18/2013 3:15:28 AM | Computer Name = Mike-PC | Source = .NET Runtime Optimization Service | ID = 1101
Description =
 
Error - 7/17/2013 12:52:54 PM | Computer Name = Mike-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Skype.exe, version: 6.6.0.106, time stamp:
 0x51c414b3  Faulting module name: mshtml.dll, version: 8.0.7600.16385, time stamp:
 0x4a5bda8a  Exception code: 0xc0000005  Fault offset: 0x001f430d  Faulting process id:
 0x1268  Faulting application start time: 0x01ce830d985c28ae  Faulting application path:
 C:\Program Files (x86)\Skype\Phone\Skype.exe  Faulting module path: C:\Windows\SysWOW64\mshtml.dll
Report
 Id: 5268a84d-ef01-11e2-95a6-bc5ff43547f9
 
[ System Events ]
Error - 6/17/2013 7:15:23 AM | Computer Name = Mike-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
 response from the ShellHWDetection service.
 
Error - 6/17/2013 7:15:54 AM | Computer Name = Mike-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
 response from the ShellHWDetection service.
 
Error - 6/17/2013 7:16:24 AM | Computer Name = Mike-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
 response from the WSearch service.
 
Error - 6/17/2013 7:16:54 AM | Computer Name = Mike-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
 response from the WSearch service.
 
Error - 6/17/2013 7:17:33 AM | Computer Name = Mike-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
 response from the WSearch service.
 
Error - 6/17/2013 7:23:12 AM | Computer Name = Mike-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
 response from the WSearch service.
 
Error - 6/17/2013 7:23:58 AM | Computer Name = Mike-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
 response from the WSearch service.
 
Error - 7/17/2013 1:20:58 AM | Computer Name = Mike-PC | Source = Service Control Manager | ID = 7024
Description = The HitmanPro 3.7 Crusader (Boot) service terminated with service-specific
 error %%0.
 
Error - 7/17/2013 6:09:55 AM | Computer Name = Mike-PC | Source = Service Control Manager | ID = 7034
Description = The FastFreeConverterUpdt service terminated unexpectedly.  It has
 done this 1 time(s).
 
Error - 7/17/2013 6:21:21 AM | Computer Name = Mike-PC | Source = volsnap | ID = 393252
Description = The shadow copies of volume C: were aborted because the shadow copy
 storage could not grow due to a user imposed limit.
 
 
< End of report >
 



#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:09 AM

Posted 18 July 2013 - 01:32 AM

Combofix

Combofix should only be run when adviced by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 naut

naut
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 18 July 2013 - 11:11 AM

ComboFix is telling me the Ad-Aware monitor is still running despite it not showing in the tray or in my processes list in task manager.

 

3FX3Z.png

 

Here is the ComboFix log:

 

ComboFix 13-07-18.02 - Mike 07/18/2013  11:05:43.1.4 - x64
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.12184.8724 [GMT -5:00]
Running from: c:\users\Mike\Desktop\ComboFix.exe
AV: Lavasoft Ad-Aware *Enabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
FW: Lavasoft Ad-Aware *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}
SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
SP: Lavasoft Ad-Aware *Enabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\frapsvid.dll
c:\windows\SysWow64\muzapp.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-18 to 2013-07-18  )))))))))))))))))))))))))))))))
.
.
2013-07-17 17:38 . 2013-07-17 17:38    --------    d-----w-    c:\program files (x86)\Common Files\Skype
2013-07-17 17:38 . 2013-07-17 17:38    --------    d-----r-    c:\program files (x86)\Skype
2013-07-17 10:32 . 2013-04-11 16:06    39504    ----a-w-    c:\windows\system32\drivers\gfiark.sys
2013-07-17 10:30 . 2013-07-17 10:30    --------    d-----w-    c:\users\Mike\AppData\Roaming\LavasoftStatistics
2013-07-17 10:21 . 2013-07-17 10:32    --------    d-----w-    c:\program files (x86)\Ad-Aware Antivirus
2013-07-17 10:21 . 2013-07-17 10:21    --------    d-----w-    c:\programdata\Lavasoft
2013-07-17 10:21 . 2013-07-17 10:21    --------    d-----w-    c:\programdata\Downloaded Installations
2013-07-17 10:21 . 2013-07-17 10:21    --------    d-----w-    c:\users\Mike\AppData\Local\adawarebp
2013-07-17 05:15 . 2013-07-17 05:20    --------    d-----w-    c:\programdata\HitmanPro
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-11 21:47 . 2013-04-02 23:34    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-11 21:47 . 2013-04-02 23:34    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-29 23:02 . 2013-04-03 18:41    291088    ----a-w-    c:\windows\SysWow64\PnkBstrB.xtr
2013-05-29 23:02 . 2013-04-03 18:38    291088    ----a-w-    c:\windows\SysWow64\PnkBstrB.exe
2013-05-29 23:02 . 2013-04-03 18:38    280904    ----a-w-    c:\windows\SysWow64\PnkBstrB.ex0
2013-05-23 01:43 . 2013-05-23 01:43    90112    ----a-w-    c:\windows\MAMCityDownload.ocx
2013-05-23 01:43 . 2013-05-23 01:43    30568    ----a-w-    c:\windows\MusiccityDownload.exe
2013-05-23 01:43 . 2013-05-23 01:43    330240    ----a-w-    c:\windows\MASetupCaller.dll
2013-05-23 01:43 . 2013-05-23 01:43    974848    ----a-w-    c:\windows\SysWow64\cis-2.4.dll
2013-05-23 01:43 . 2013-05-23 01:43    81920    ----a-w-    c:\windows\SysWow64\issacapi_bs-2.3.dll
2013-05-23 01:43 . 2013-05-23 01:43    65536    ----a-w-    c:\windows\SysWow64\issacapi_pe-2.3.dll
2013-05-23 01:43 . 2013-05-23 01:43    57344    ----a-w-    c:\windows\SysWow64\MTXSYNCICON.dll
2013-05-23 01:43 . 2013-05-23 01:43    57344    ----a-w-    c:\windows\SysWow64\MK_Lyric.dll
2013-05-23 01:43 . 2013-05-23 01:43    57344    ----a-w-    c:\windows\SysWow64\issacapi_se-2.3.dll
2013-05-23 01:43 . 2013-05-23 01:43    569344    ----a-w-    c:\windows\SysWow64\muzdecode.ax
2013-05-23 01:43 . 2013-05-23 01:43    491520    ----a-w-    c:\windows\SysWow64\muzapp.dll
2013-05-23 01:43 . 2013-05-23 01:43    49152    ----a-w-    c:\windows\SysWow64\MaJGUILib.dll
2013-05-23 01:43 . 2013-05-23 01:43    45320    ----a-w-    c:\windows\SysWow64\MAMACExtract.dll
2013-05-23 01:43 . 2013-05-23 01:43    45056    ----a-w-    c:\windows\SysWow64\MaXMLProto.dll
2013-05-23 01:43 . 2013-05-23 01:43    45056    ----a-w-    c:\windows\SysWow64\MACXMLProto.dll
2013-05-23 01:43 . 2013-05-23 01:43    40960    ----a-w-    c:\windows\SysWow64\MTTELECHIP.dll
2013-05-23 01:43 . 2013-05-23 01:43    352256    ----a-w-    c:\windows\SysWow64\MSLUR71.dll
2013-05-23 01:43 . 2013-05-23 01:43    258048    ----a-w-    c:\windows\SysWow64\muzoggsp.ax
2013-05-23 01:43 . 2013-05-23 01:43    245760    ----a-w-    c:\windows\SysWow64\MSCLib.dll
2013-05-23 01:43 . 2013-05-23 01:43    24576    ----a-w-    c:\windows\SysWow64\MASetupCleaner.exe
2013-05-23 01:43 . 2013-05-23 01:43    200704    ----a-w-    c:\windows\SysWow64\muzwmts.dll
2013-05-23 01:43 . 2013-05-23 01:43    155648    ----a-w-    c:\windows\SysWow64\MSFLib.dll
2013-05-23 01:43 . 2013-05-23 01:43    143360    ----a-w-    c:\windows\SysWow64\3DAudio.ax
2013-05-23 01:43 . 2013-05-23 01:43    135168    ----a-w-    c:\windows\SysWow64\muzaf1.dll
2013-05-23 01:43 . 2013-05-23 01:43    131072    ----a-w-    c:\windows\SysWow64\muzmpgsp.ax
2013-05-23 01:43 . 2013-05-23 01:43    122880    ----a-w-    c:\windows\SysWow64\muzeffect.ax
2013-05-23 01:43 . 2013-05-23 01:43    118784    ----a-w-    c:\windows\SysWow64\MaDRM.dll
2013-05-23 01:43 . 2013-05-23 01:43    110592    ----a-w-    c:\windows\SysWow64\muzmp4sp.ax
2013-05-23 01:43 . 2013-06-18 07:13    821824    ----a-w-    c:\windows\SysWow64\dgderapi.dll
2013-05-23 01:33 . 2013-06-18 07:13    4659712    ----a-w-    c:\windows\SysWow64\Redemption.dll
2013-05-20 21:43 . 2013-04-03 18:38    76888    ----a-w-    c:\windows\SysWow64\PnkBstrA.exe
2013-05-06 16:00 . 2013-05-06 16:00    971680    ----a-w-    c:\windows\system32\deployJava1.dll
2013-05-06 16:00 . 2013-05-06 16:00    311200    ----a-w-    c:\windows\system32\javaws.exe
2013-05-06 16:00 . 2013-05-06 16:00    1092512    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-05-06 16:00 . 2013-05-06 16:00    188832    ----a-w-    c:\windows\system32\javaw.exe
2013-05-06 16:00 . 2013-05-06 16:00    188320    ----a-w-    c:\windows\system32\java.exe
2013-05-06 16:00 . 2013-05-06 16:00    108448    ----a-w-    c:\windows\system32\WindowsAccessBridge-64.dll
2013-05-02 04:23 . 2013-06-18 07:15    708168    ----a-w-    c:\windows\system32\WinUSBCoInstaller.dll
2013-05-02 04:23 . 2013-06-18 07:15    203672    ----a-w-    c:\windows\system32\drivers\ssudmdm.sys
2013-05-02 04:23 . 2013-06-18 07:15    1490656    ----a-w-    c:\windows\system32\WdfCoInstaller01007.dll
2013-05-02 04:23 . 2013-06-18 07:15    103064    ----a-w-    c:\windows\system32\drivers\ssudbus.sys
2013-04-30 18:05 . 2009-08-18 17:49    564632    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2013-04-30 18:05 . 2009-08-18 16:24    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-04-30 17:53 . 2013-04-30 17:53    178800    ----a-w-    c:\windows\SysWow64\CmdLineExt_x64.dll
2013-04-21 09:12 . 2013-04-21 09:12    283200    ----a-w-    c:\windows\system32\drivers\dtsoftbus01.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    130736    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    130736    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    130736    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    130736    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2013-07-10 1672616]
"puush"="c:\program files (x86)\puush\puush.exe" [2013-07-17 567880]
"Spotify Web Helper"="c:\users\Mike\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-05-03 1105408]
"KiesPreload"="c:\program files (x86)\Samsung\Kies\Kies.exe" [2013-05-23 1561968]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-06-21 19875432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files (x86)\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2013-05-23 311152]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2013-05-15 554408]
.
c:\users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2013-4-2 0]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
3;4 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys;c:\windows\SYSNATIVE\drivers\gfiark.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys;c:\windows\SYSNATIVE\drivers\gfibto.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S2 Ad-Aware Service;Ad-Aware Service;c:\program files (x86)\Ad-Aware Antivirus\AdAwareService.exe;c:\program files (x86)\Ad-Aware Antivirus\AdAwareService.exe [x]
S2 SBAMSvc;Ad-Aware;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [x]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys;c:\windows\SYSNATIVE\DRIVERS\sbapifs.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GFIARK
*NewlyCreated* - GFIBTO
*NewlyCreated* - KXLDYPOW
*NewlyCreated* - SBAPIFS
*Deregistered* - kxldypow
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-17 04:34    1173456    ----a-w-    c:\program files (x86)\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-02 21:47]
.
2013-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-23 18:44]
.
2013-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-23 18:44]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    164016    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    164016    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    164016    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    164016    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.delta-search.com/home
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\
FF - prefs.js: network.proxy.type - 2
FF - ExtSQL: 2013-06-13 05:20; {5e594888-3e8e-47da-b2c6-b0b545112f84}; c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\{5e594888-3e8e-47da-b2c6-b0b545112f84}.xpi
FF - ExtSQL: 2013-06-13 05:23; savefileto@mozdev.org; c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\savefileto@mozdev.org.xpi
FF - ExtSQL: 2013-06-13 05:25; LDSI_plashcor@gmail.com; c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\LDSI_plashcor@gmail.com.xpi
FF - ExtSQL: 2013-07-17 12:17; jid1-xUfzOsOFlzSOXg@jetpack; c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - c0fb20cd000000000000bc5ff43547f9
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15804
FF - user.js: extensions.delta.vrsn - 1.8.10.0
FF - user.js: extensions.delta.vrsni - 1.8.10.0
FF - user.js: extensions.delta.vrsnTs - 1.8.10.020:52
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef -
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{6c97a91e-4524-4019-86af-2aa2d567bf5c} - (no file)
Wow6432Node-HKCU-Run-KiesAirMessage - c:\program files (x86)\Samsung\Kies\KiesAirMessage.exe
AddRemove-Battlelog Web Plugins - c:\program files (x86)\Battlelog Web Plugins\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-778387792-1012281853-1459691719-1000\Software\SecuROM\License information*]
"datasecu"=hex:a6,95,25,d8,ba,c7,15,97,74,23,9f,42,38,42,74,4a,7f,02,54,b6,aa,
   df,a3,eb,7c,01,3b,c6,07,d9,77,c9,28,40,fa,25,39,2f,16,e5,a6,67,30,c6,27,15,\
"rkeysecu"=hex:89,01,0f,34,c2,54,5d,b6,3f,18,a0,7d,7d,e6,e1,fc
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-07-18  11:10:21
ComboFix-quarantined-files.txt  2013-07-18 16:10
.
Pre-Run: 16,197,521,408 bytes free
Post-Run: 16,122,621,952 bytes free
.
- - End Of File - - 88F980781A3BD1EFCCB56D1D6C22E67F
A36C5E4F47E84449FF07ED3517B43A31
 


Edited by naut, 18 July 2013 - 11:14 AM.


#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:09 AM

Posted 18 July 2013 - 11:41 PM

Please uninstall IObit Malware Fighter as well as any other software from IObit because it contains pirated code.

Report when done.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 naut

naut
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 19 July 2013 - 12:18 AM

Done.



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:09 AM

Posted 19 July 2013 - 12:29 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Attached Files


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#9 naut

naut
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 19 July 2013 - 11:13 AM

ComboFix 13-07-18.04 - Mike 07/19/2013  11:07:29.2.4 - x64
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.12184.9107 [GMT -5:00]
Running from: c:\users\Mike\Desktop\ComboFix.exe
Command switches used :: c:\users\Mike\Desktop\CFScript.txt
AV: Lavasoft Ad-Aware *Enabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
FW: Lavasoft Ad-Aware *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}
SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
SP: Lavasoft Ad-Aware *Enabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-19 to 2013-07-19  )))))))))))))))))))))))))))))))
.
.
2013-07-19 16:11 . 2013-07-19 16:11    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2013-07-19 16:11 . 2013-07-19 16:11    --------    d-----w-    c:\users\hedev\AppData\Local\temp
2013-07-19 16:11 . 2013-07-19 16:11    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-07-19 03:00 . 2013-07-19 03:31    --------    d-----w-    c:\program files (x86)\Diablo III
2013-07-17 17:38 . 2013-07-17 17:38    --------    d-----w-    c:\program files (x86)\Common Files\Skype
2013-07-17 17:38 . 2013-07-17 17:38    --------    d-----r-    c:\program files (x86)\Skype
2013-07-17 10:32 . 2013-04-11 16:06    39504    ----a-w-    c:\windows\system32\drivers\gfiark.sys
2013-07-17 10:30 . 2013-07-17 10:30    --------    d-----w-    c:\users\Mike\AppData\Roaming\LavasoftStatistics
2013-07-17 10:21 . 2013-07-17 10:32    --------    d-----w-    c:\program files (x86)\Ad-Aware Antivirus
2013-07-17 10:21 . 2013-07-17 10:21    --------    d-----w-    c:\programdata\Lavasoft
2013-07-17 10:21 . 2013-07-17 10:21    --------    d-----w-    c:\programdata\Downloaded Installations
2013-07-17 10:21 . 2013-07-17 10:21    --------    d-----w-    c:\users\Mike\AppData\Local\adawarebp
2013-07-17 05:15 . 2013-07-17 05:20    --------    d-----w-    c:\programdata\HitmanPro
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-19 02:10 . 2013-04-03 18:41    290184    ----a-w-    c:\windows\SysWow64\PnkBstrB.xtr
2013-07-19 02:10 . 2013-04-03 18:38    290184    ----a-w-    c:\windows\SysWow64\PnkBstrB.exe
2013-07-19 02:10 . 2013-04-03 18:38    280904    ----a-w-    c:\windows\SysWow64\PnkBstrB.ex0
2013-06-11 21:47 . 2013-04-02 23:34    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-11 21:47 . 2013-04-02 23:34    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-23 01:43 . 2013-05-23 01:43    90112    ----a-w-    c:\windows\MAMCityDownload.ocx
2013-05-23 01:43 . 2013-05-23 01:43    30568    ----a-w-    c:\windows\MusiccityDownload.exe
2013-05-23 01:43 . 2013-05-23 01:43    330240    ----a-w-    c:\windows\MASetupCaller.dll
2013-05-23 01:43 . 2013-05-23 01:43    974848    ----a-w-    c:\windows\SysWow64\cis-2.4.dll
2013-05-23 01:43 . 2013-05-23 01:43    81920    ----a-w-    c:\windows\SysWow64\issacapi_bs-2.3.dll
2013-05-23 01:43 . 2013-05-23 01:43    65536    ----a-w-    c:\windows\SysWow64\issacapi_pe-2.3.dll
2013-05-23 01:43 . 2013-05-23 01:43    57344    ----a-w-    c:\windows\SysWow64\MTXSYNCICON.dll
2013-05-23 01:43 . 2013-05-23 01:43    57344    ----a-w-    c:\windows\SysWow64\MK_Lyric.dll
2013-05-23 01:43 . 2013-05-23 01:43    57344    ----a-w-    c:\windows\SysWow64\issacapi_se-2.3.dll
2013-05-23 01:43 . 2013-05-23 01:43    569344    ----a-w-    c:\windows\SysWow64\muzdecode.ax
2013-05-23 01:43 . 2013-05-23 01:43    491520    ----a-w-    c:\windows\SysWow64\muzapp.dll
2013-05-23 01:43 . 2013-05-23 01:43    49152    ----a-w-    c:\windows\SysWow64\MaJGUILib.dll
2013-05-23 01:43 . 2013-05-23 01:43    45320    ----a-w-    c:\windows\SysWow64\MAMACExtract.dll
2013-05-23 01:43 . 2013-05-23 01:43    45056    ----a-w-    c:\windows\SysWow64\MaXMLProto.dll
2013-05-23 01:43 . 2013-05-23 01:43    45056    ----a-w-    c:\windows\SysWow64\MACXMLProto.dll
2013-05-23 01:43 . 2013-05-23 01:43    40960    ----a-w-    c:\windows\SysWow64\MTTELECHIP.dll
2013-05-23 01:43 . 2013-05-23 01:43    352256    ----a-w-    c:\windows\SysWow64\MSLUR71.dll
2013-05-23 01:43 . 2013-05-23 01:43    258048    ----a-w-    c:\windows\SysWow64\muzoggsp.ax
2013-05-23 01:43 . 2013-05-23 01:43    245760    ----a-w-    c:\windows\SysWow64\MSCLib.dll
2013-05-23 01:43 . 2013-05-23 01:43    24576    ----a-w-    c:\windows\SysWow64\MASetupCleaner.exe
2013-05-23 01:43 . 2013-05-23 01:43    200704    ----a-w-    c:\windows\SysWow64\muzwmts.dll
2013-05-23 01:43 . 2013-05-23 01:43    155648    ----a-w-    c:\windows\SysWow64\MSFLib.dll
2013-05-23 01:43 . 2013-05-23 01:43    143360    ----a-w-    c:\windows\SysWow64\3DAudio.ax
2013-05-23 01:43 . 2013-05-23 01:43    135168    ----a-w-    c:\windows\SysWow64\muzaf1.dll
2013-05-23 01:43 . 2013-05-23 01:43    131072    ----a-w-    c:\windows\SysWow64\muzmpgsp.ax
2013-05-23 01:43 . 2013-05-23 01:43    122880    ----a-w-    c:\windows\SysWow64\muzeffect.ax
2013-05-23 01:43 . 2013-05-23 01:43    118784    ----a-w-    c:\windows\SysWow64\MaDRM.dll
2013-05-23 01:43 . 2013-05-23 01:43    110592    ----a-w-    c:\windows\SysWow64\muzmp4sp.ax
2013-05-23 01:43 . 2013-06-18 07:13    821824    ----a-w-    c:\windows\SysWow64\dgderapi.dll
2013-05-23 01:33 . 2013-06-18 07:13    4659712    ----a-w-    c:\windows\SysWow64\Redemption.dll
2013-05-20 21:43 . 2013-04-03 18:38    76888    ----a-w-    c:\windows\SysWow64\PnkBstrA.exe
2013-05-06 16:00 . 2013-05-06 16:00    971680    ----a-w-    c:\windows\system32\deployJava1.dll
2013-05-06 16:00 . 2013-05-06 16:00    311200    ----a-w-    c:\windows\system32\javaws.exe
2013-05-06 16:00 . 2013-05-06 16:00    1092512    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-05-06 16:00 . 2013-05-06 16:00    188832    ----a-w-    c:\windows\system32\javaw.exe
2013-05-06 16:00 . 2013-05-06 16:00    188320    ----a-w-    c:\windows\system32\java.exe
2013-05-06 16:00 . 2013-05-06 16:00    108448    ----a-w-    c:\windows\system32\WindowsAccessBridge-64.dll
2013-05-02 04:23 . 2013-06-18 07:15    708168    ----a-w-    c:\windows\system32\WinUSBCoInstaller.dll
2013-05-02 04:23 . 2013-06-18 07:15    203672    ----a-w-    c:\windows\system32\drivers\ssudmdm.sys
2013-05-02 04:23 . 2013-06-18 07:15    1490656    ----a-w-    c:\windows\system32\WdfCoInstaller01007.dll
2013-05-02 04:23 . 2013-06-18 07:15    103064    ----a-w-    c:\windows\system32\drivers\ssudbus.sys
2013-04-30 18:05 . 2009-08-18 17:49    564632    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2013-04-30 18:05 . 2009-08-18 16:24    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-04-30 17:53 . 2013-04-30 17:53    178800    ----a-w-    c:\windows\SysWow64\CmdLineExt_x64.dll
2013-04-21 09:12 . 2013-04-21 09:12    283200    ----a-w-    c:\windows\system32\drivers\dtsoftbus01.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    130736    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    130736    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    130736    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    130736    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2013-07-10 1672616]
"puush"="c:\program files (x86)\puush\puush.exe" [2013-07-17 567880]
"Spotify Web Helper"="c:\users\Mike\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-05-03 1105408]
"KiesPreload"="c:\program files (x86)\Samsung\Kies\Kies.exe" [2013-05-23 1561968]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-06-21 19875432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files (x86)\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2013-05-23 311152]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2013-05-15 554408]
.
c:\users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2013-4-2 0]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
3;4 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys;c:\windows\SYSNATIVE\drivers\gfiark.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys;c:\windows\SYSNATIVE\drivers\gfibto.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S2 Ad-Aware Service;Ad-Aware Service;c:\program files (x86)\Ad-Aware Antivirus\AdAwareService.exe;c:\program files (x86)\Ad-Aware Antivirus\AdAwareService.exe [x]
S2 SBAMSvc;Ad-Aware;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [x]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys;c:\windows\SYSNATIVE\DRIVERS\sbapifs.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S3 RTCore64;RTCore64;c:\program files (x86)\MSI Afterburner\RTCore64.sys;c:\program files (x86)\MSI Afterburner\RTCore64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GFIARK
*NewlyCreated* - GFIBTO
*NewlyCreated* - KXLDYPOW
*NewlyCreated* - RTCORE64
*NewlyCreated* - SBAPIFS
*Deregistered* - kxldypow
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-17 04:34    1173456    ----a-w-    c:\program files (x86)\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-02 21:47]
.
2013-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-23 18:44]
.
2013-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-23 18:44]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    164016    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    164016    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    164016    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    164016    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\
FF - ExtSQL: 2013-06-13 05:20; {5e594888-3e8e-47da-b2c6-b0b545112f84}; c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\{5e594888-3e8e-47da-b2c6-b0b545112f84}.xpi
FF - ExtSQL: 2013-06-13 05:23; savefileto@mozdev.org; c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\savefileto@mozdev.org.xpi
FF - ExtSQL: 2013-06-13 05:25; LDSI_plashcor@gmail.com; c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\LDSI_plashcor@gmail.com.xpi
FF - ExtSQL: 2013-07-17 12:17; jid1-xUfzOsOFlzSOXg@jetpack; c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - c0fb20cd000000000000bc5ff43547f9
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15804
FF - user.js: extensions.delta.vrsn - 1.8.10.0
FF - user.js: extensions.delta.vrsni - 1.8.10.0
FF - user.js: extensions.delta.vrsnTs - 1.8.10.020:52
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef -
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-778387792-1012281853-1459691719-1000\Software\SecuROM\License information*]
"datasecu"=hex:a6,95,25,d8,ba,c7,15,97,74,23,9f,42,38,42,74,4a,7f,02,54,b6,aa,
   df,a3,eb,7c,01,3b,c6,07,d9,77,c9,28,40,fa,25,39,2f,16,e5,a6,67,30,c6,27,15,\
"rkeysecu"=hex:89,01,0f,34,c2,54,5d,b6,3f,18,a0,7d,7d,e6,e1,fc
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-07-19  11:12:16
ComboFix-quarantined-files.txt  2013-07-19 16:12
ComboFix2.txt  2013-07-18 16:10
.
Pre-Run: 17,363,111,936 bytes free
Post-Run: 17,324,453,888 bytes free
.
- - End Of File - - 53D0C1D12990404E9C251F33A6230E56
A36C5E4F47E84449FF07ED3517B43A31
 



#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:09 AM

Posted 20 July 2013 - 04:48 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Attached Files


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#11 naut

naut
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 20 July 2013 - 10:34 AM

ComboFix 13-07-20.02 - Mike 07/20/2013  10:26:34.3.4 - x64
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.1.1033.18.12184.9270 [GMT -5:00]
Running from: c:\users\Mike\Desktop\ComboFix.exe
Command switches used :: c:\users\Mike\Desktop\CFScript.txt
AV: Lavasoft Ad-Aware *Enabled/Updated* {E0D97DD4-42BA-B3F2-A5A7-22E9ACE81FC7}
FW: Lavasoft Ad-Aware *Disabled* {D8E2FCF1-08D5-B2AA-8EF8-8BDC523B58BC}
SP: Lavasoft Ad-Aware *Enabled/Updated* {5BB89C30-6480-BC7C-9F17-199BD76F557A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-20 to 2013-07-20  )))))))))))))))))))))))))))))))
.
.
2013-07-20 15:30 . 2013-07-20 15:30    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2013-07-20 15:30 . 2013-07-20 15:30    --------    d-----w-    c:\users\hedev\AppData\Local\temp
2013-07-20 15:30 . 2013-07-20 15:30    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-07-19 03:00 . 2013-07-19 03:31    --------    d-----w-    c:\program files (x86)\Diablo III
2013-07-17 17:38 . 2013-07-17 17:38    --------    d-----w-    c:\program files (x86)\Common Files\Skype
2013-07-17 17:38 . 2013-07-17 17:38    --------    d-----r-    c:\program files (x86)\Skype
2013-07-17 10:32 . 2013-04-11 16:06    39504    ----a-w-    c:\windows\system32\drivers\gfiark.sys
2013-07-17 10:30 . 2013-07-17 10:30    --------    d-----w-    c:\users\Mike\AppData\Roaming\LavasoftStatistics
2013-07-17 10:21 . 2013-07-17 10:32    --------    d-----w-    c:\program files (x86)\Ad-Aware Antivirus
2013-07-17 10:21 . 2013-07-17 10:21    --------    d-----w-    c:\programdata\Lavasoft
2013-07-17 10:21 . 2013-07-17 10:21    --------    d-----w-    c:\programdata\Downloaded Installations
2013-07-17 10:21 . 2013-07-17 10:21    --------    d-----w-    c:\users\Mike\AppData\Local\adawarebp
2013-07-17 05:15 . 2013-07-17 05:20    --------    d-----w-    c:\programdata\HitmanPro
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-19 02:10 . 2013-04-03 18:41    290184    ----a-w-    c:\windows\SysWow64\PnkBstrB.xtr
2013-07-19 02:10 . 2013-04-03 18:38    290184    ----a-w-    c:\windows\SysWow64\PnkBstrB.exe
2013-07-19 02:10 . 2013-04-03 18:38    280904    ----a-w-    c:\windows\SysWow64\PnkBstrB.ex0
2013-06-11 21:47 . 2013-04-02 23:34    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-11 21:47 . 2013-04-02 23:34    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-05-23 01:43 . 2013-05-23 01:43    90112    ----a-w-    c:\windows\MAMCityDownload.ocx
2013-05-23 01:43 . 2013-05-23 01:43    30568    ----a-w-    c:\windows\MusiccityDownload.exe
2013-05-23 01:43 . 2013-05-23 01:43    330240    ----a-w-    c:\windows\MASetupCaller.dll
2013-05-23 01:43 . 2013-05-23 01:43    974848    ----a-w-    c:\windows\SysWow64\cis-2.4.dll
2013-05-23 01:43 . 2013-05-23 01:43    81920    ----a-w-    c:\windows\SysWow64\issacapi_bs-2.3.dll
2013-05-23 01:43 . 2013-05-23 01:43    65536    ----a-w-    c:\windows\SysWow64\issacapi_pe-2.3.dll
2013-05-23 01:43 . 2013-05-23 01:43    57344    ----a-w-    c:\windows\SysWow64\MTXSYNCICON.dll
2013-05-23 01:43 . 2013-05-23 01:43    57344    ----a-w-    c:\windows\SysWow64\MK_Lyric.dll
2013-05-23 01:43 . 2013-05-23 01:43    57344    ----a-w-    c:\windows\SysWow64\issacapi_se-2.3.dll
2013-05-23 01:43 . 2013-05-23 01:43    569344    ----a-w-    c:\windows\SysWow64\muzdecode.ax
2013-05-23 01:43 . 2013-05-23 01:43    491520    ----a-w-    c:\windows\SysWow64\muzapp.dll
2013-05-23 01:43 . 2013-05-23 01:43    49152    ----a-w-    c:\windows\SysWow64\MaJGUILib.dll
2013-05-23 01:43 . 2013-05-23 01:43    45320    ----a-w-    c:\windows\SysWow64\MAMACExtract.dll
2013-05-23 01:43 . 2013-05-23 01:43    45056    ----a-w-    c:\windows\SysWow64\MaXMLProto.dll
2013-05-23 01:43 . 2013-05-23 01:43    45056    ----a-w-    c:\windows\SysWow64\MACXMLProto.dll
2013-05-23 01:43 . 2013-05-23 01:43    40960    ----a-w-    c:\windows\SysWow64\MTTELECHIP.dll
2013-05-23 01:43 . 2013-05-23 01:43    352256    ----a-w-    c:\windows\SysWow64\MSLUR71.dll
2013-05-23 01:43 . 2013-05-23 01:43    258048    ----a-w-    c:\windows\SysWow64\muzoggsp.ax
2013-05-23 01:43 . 2013-05-23 01:43    245760    ----a-w-    c:\windows\SysWow64\MSCLib.dll
2013-05-23 01:43 . 2013-05-23 01:43    24576    ----a-w-    c:\windows\SysWow64\MASetupCleaner.exe
2013-05-23 01:43 . 2013-05-23 01:43    200704    ----a-w-    c:\windows\SysWow64\muzwmts.dll
2013-05-23 01:43 . 2013-05-23 01:43    155648    ----a-w-    c:\windows\SysWow64\MSFLib.dll
2013-05-23 01:43 . 2013-05-23 01:43    143360    ----a-w-    c:\windows\SysWow64\3DAudio.ax
2013-05-23 01:43 . 2013-05-23 01:43    135168    ----a-w-    c:\windows\SysWow64\muzaf1.dll
2013-05-23 01:43 . 2013-05-23 01:43    131072    ----a-w-    c:\windows\SysWow64\muzmpgsp.ax
2013-05-23 01:43 . 2013-05-23 01:43    122880    ----a-w-    c:\windows\SysWow64\muzeffect.ax
2013-05-23 01:43 . 2013-05-23 01:43    118784    ----a-w-    c:\windows\SysWow64\MaDRM.dll
2013-05-23 01:43 . 2013-05-23 01:43    110592    ----a-w-    c:\windows\SysWow64\muzmp4sp.ax
2013-05-23 01:43 . 2013-06-18 07:13    821824    ----a-w-    c:\windows\SysWow64\dgderapi.dll
2013-05-23 01:33 . 2013-06-18 07:13    4659712    ----a-w-    c:\windows\SysWow64\Redemption.dll
2013-05-20 21:43 . 2013-04-03 18:38    76888    ----a-w-    c:\windows\SysWow64\PnkBstrA.exe
2013-05-06 16:00 . 2013-05-06 16:00    971680    ----a-w-    c:\windows\system32\deployJava1.dll
2013-05-06 16:00 . 2013-05-06 16:00    311200    ----a-w-    c:\windows\system32\javaws.exe
2013-05-06 16:00 . 2013-05-06 16:00    1092512    ----a-w-    c:\windows\system32\npDeployJava1.dll
2013-05-06 16:00 . 2013-05-06 16:00    188832    ----a-w-    c:\windows\system32\javaw.exe
2013-05-06 16:00 . 2013-05-06 16:00    188320    ----a-w-    c:\windows\system32\java.exe
2013-05-06 16:00 . 2013-05-06 16:00    108448    ----a-w-    c:\windows\system32\WindowsAccessBridge-64.dll
2013-05-02 04:23 . 2013-06-18 07:15    708168    ----a-w-    c:\windows\system32\WinUSBCoInstaller.dll
2013-05-02 04:23 . 2013-06-18 07:15    203672    ----a-w-    c:\windows\system32\drivers\ssudmdm.sys
2013-05-02 04:23 . 2013-06-18 07:15    1490656    ----a-w-    c:\windows\system32\WdfCoInstaller01007.dll
2013-05-02 04:23 . 2013-06-18 07:15    103064    ----a-w-    c:\windows\system32\drivers\ssudbus.sys
2013-04-30 18:05 . 2009-08-18 17:49    564632    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2013-04-30 18:05 . 2009-08-18 16:24    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-04-30 17:53 . 2013-04-30 17:53    178800    ----a-w-    c:\windows\SysWow64\CmdLineExt_x64.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    130736    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    130736    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    130736    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    130736    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2013-07-10 1672616]
"puush"="c:\program files (x86)\puush\puush.exe" [2013-07-17 567880]
"Spotify Web Helper"="c:\users\Mike\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-07-19 1104384]
"KiesPreload"="c:\program files (x86)\Samsung\Kies\Kies.exe" [2013-05-23 1561968]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-06-21 19875432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files (x86)\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2013-05-23 311152]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2013-05-15 554408]
.
c:\users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2013-4-2 0]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
3;4 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys;c:\windows\SYSNATIVE\drivers\gfiark.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys;c:\windows\SYSNATIVE\drivers\gfibto.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S2 Ad-Aware Service;Ad-Aware Service;c:\program files (x86)\Ad-Aware Antivirus\AdAwareService.exe;c:\program files (x86)\Ad-Aware Antivirus\AdAwareService.exe [x]
S2 SBAMSvc;Ad-Aware;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe;c:\program files (x86)\Ad-Aware Antivirus\SBAMSvc.exe [x]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys;c:\windows\SYSNATIVE\DRIVERS\sbapifs.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GFIARK
*NewlyCreated* - GFIBTO
*NewlyCreated* - KXLDYPOW
*NewlyCreated* - SBAPIFS
*Deregistered* - kxldypow
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-17 04:34    1173456    ----a-w-    c:\program files (x86)\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-02 21:47]
.
2013-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-23 18:44]
.
2013-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-23 18:44]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    164016    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    164016    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    164016    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-04-04 22:12    164016    ----a-w-    c:\users\Mike\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\
FF - ExtSQL: 2013-06-13 05:20; {5e594888-3e8e-47da-b2c6-b0b545112f84}; c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\{5e594888-3e8e-47da-b2c6-b0b545112f84}.xpi
FF - ExtSQL: 2013-06-13 05:23; savefileto@mozdev.org; c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\savefileto@mozdev.org.xpi
FF - ExtSQL: 2013-06-13 05:25; LDSI_plashcor@gmail.com; c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\LDSI_plashcor@gmail.com.xpi
FF - ExtSQL: 2013-07-17 12:17; jid1-xUfzOsOFlzSOXg@jetpack; c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi
FF - user.js: extensions.delta.tlbrSrchUrl -
FF - user.js: extensions.delta.id - c0fb20cd000000000000bc5ff43547f9
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15804
FF - user.js: extensions.delta.vrsn - 1.8.10.0
FF - user.js: extensions.delta.vrsni - 1.8.10.0
FF - user.js: extensions.delta.vrsnTs - 1.8.10.020:52
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef -
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-778387792-1012281853-1459691719-1000\Software\SecuROM\License information*]
"datasecu"=hex:a6,95,25,d8,ba,c7,15,97,74,23,9f,42,38,42,74,4a,7f,02,54,b6,aa,
   df,a3,eb,7c,01,3b,c6,07,d9,77,c9,28,40,fa,25,39,2f,16,e5,a6,67,30,c6,27,15,\
"rkeysecu"=hex:89,01,0f,34,c2,54,5d,b6,3f,18,a0,7d,7d,e6,e1,fc
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-07-20  10:31:21
ComboFix-quarantined-files.txt  2013-07-20 15:31
ComboFix2.txt  2013-07-19 16:12
ComboFix3.txt  2013-07-18 16:10
.
Pre-Run: 15,016,062,976 bytes free
Post-Run: 14,962,937,856 bytes free
.
- - End Of File - - F27AC7A15450273BD9931A3AD1C47F57
A36C5E4F47E84449FF07ED3517B43A31
 



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:09 AM

Posted 21 July 2013 - 08:04 AM

Scan with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe.
  • Hit delete.
  • When the run is finished, it will open up a text file.
  • Please post its contents within your next reply.
  • You´ll find the log file at C:\AdwCleaner[S1].txt also.

 

Are you still facing browser issues?


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#13 naut

naut
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 21 July 2013 - 10:42 AM

The browser issues are all gone aside from one little annoyance.  Occasionally a page wont load the first time, I'll have to wait for it to fail loading and then refresh.  I don't know if it's directly related to the infection or if it's just a coincidence the issue started around the same time. 

3Idbq.png

 

# AdwCleaner v2.306 - Logfile created 07/21/2013 at 10:33:56
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Ultimate  (64 bits)
# User : Mike - MIKE-PC
# Boot Mode : Normal
# Running from : C:\Users\Mike\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Program Files (x86)\adawaretb
Deleted on reboot : C:\ProgramData\blekko toolbars
Deleted on reboot : C:\ProgramData\Tarma Installer
Deleted on reboot : C:\Users\Mike\AppData\LocalLow\adawaretb
Deleted on reboot : C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\adawaretb
Deleted on reboot : C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\jetpack
File Deleted : C:\END
File Deleted : C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\searchplugins\delta.xml

***** [Registry] *****

Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\86888bb63cbf15
Key Deleted : HKLM\Software\adawaretb
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{3A188115-B81B-48F2-A958-F974C8F3F309}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\SMBarBroker.EXE
Key Deleted : HKLM\SOFTWARE\Classes\SMBarBroker.SMBarDealer
Key Deleted : HKLM\SOFTWARE\Classes\SMBarBroker.SMBarDealer.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2D9B1B31-D034-4738-8F6E-40F0AFCC742C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Key Deleted : HKLM\SOFTWARE\Wow6432Node\86888bb63cbf15
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{43769158-3B03-4932-8D8A-8F0F344BF024}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{78CE34FD-F6D4-4866-B79C-A37268D06A04}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{80904944-C726-4C7D-A452-3FFF2A882095}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{78CE34FD-F6D4-4866-B79C-A37268D06A04}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{80904944-C726-4C7D-A452-3FFF2A882095}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.16385

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\prefs.js

C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\6iqnu45w.default\user.js ... Deleted !

Deleted : user_pref("extensions.delta.admin", false);
Deleted : user_pref("extensions.delta.aflt", "babsst");
Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
Deleted : user_pref("extensions.delta.autoRvrt", "false");
Deleted : user_pref("extensions.delta.dfltLng", "en");
Deleted : user_pref("extensions.delta.excTlbr", false);
Deleted : user_pref("extensions.delta.id", "c0fb20cd000000000000bc5ff43547f9");
Deleted : user_pref("extensions.delta.instlDay", "15804");
Deleted : user_pref("extensions.delta.instlRef", "");
Deleted : user_pref("extensions.delta.newTab", false);
Deleted : user_pref("extensions.delta.prdct", "delta");
Deleted : user_pref("extensions.delta.prtnrId", "delta");
Deleted : user_pref("extensions.delta.rvrt", "false");
Deleted : user_pref("extensions.delta.smplGrp", "none");
Deleted : user_pref("extensions.delta.tlbrId", "base");
Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");
Deleted : user_pref("extensions.delta.vrsn", "1.8.10.0");
Deleted : user_pref("extensions.delta.vrsnTs", "1.8.10.020:52:11");
Deleted : user_pref("extensions.delta.vrsni", "1.8.10.0");
Deleted : user_pref("searchreset.backup.browser.startup.homepage", "hxxp://www.delta-search.com/home");

-\\ Google Chrome v28.0.1500.72

File : C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [4328 octets] - [21/07/2013 10:33:56]

########## EOF - C:\AdwCleaner[S1].txt - [4388 octets] ##########
 


Edited by naut, 21 July 2013 - 12:32 PM.


#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:09 AM

Posted 21 July 2013 - 11:31 PM

after you ran adwcleaner now, is the issue still there?


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#15 naut

naut
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 21 July 2013 - 11:35 PM

My post was immediatly after the clean.  Since then I haven't had an issue yet.  Thanks a ton for the help so far.

 

Just happened again.  It seems to only happen with new websites I visit.


Edited by naut, 22 July 2013 - 02:28 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users