
WhiteSmoke infection, Please help


  • This topic is locked
7 replies to this topic

#1 Lekota

  • Members
  • 15 posts
  • Gender:Male
Posted 20 September 2013 - 04:36 AM

Hello,

I was working with Condobloke and Noknojon and was referred to this section for expert help with my pc infection.

Symptoms:

- Periodically unable to open email, slow, numerous popups, keyboard locked up, unable to run any downloads (get the "Error 5" window when attempted).
- Unable to run the Security Check program: it does start but then stops, and a notepad error window opens with "Unsupported Operating System! Aborted".

Link to prior post: http://www.bleepingcomputer.com/forums/t/508091/infected-multiple-symptoms-and-malware-detected-please-help/

DDS Text

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16686  BrowserJavaVersion: 10.25.2
Run by Lakota at 2:32:59 on 2013-09-20
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3819.1883 [GMT -6:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Tablet\Pen\WTabletServiceCon.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\CxAudMsg64.exe
C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\Program Files (x86)\Launch Manager\LMutilps32.exe
C:\Program Files (x86)\Ginger\GingerUpdateService\GingerUpdateService.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
C:\Program Files\Tablet\Pen\WacomHost.exe
C:\Windows\system32\svchost.exe -k bthaudiosvc
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
C:\Program Files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Windows\System32\tcpsvcs.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\Speech\Common\sapisvr.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\System32\snmp.exe
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Tether\TBService.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\System32\alg.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Google\Update\1.3.21.153\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.21.153\GoogleCrashHandler64.exe
C:\Program Files (x86)\Ginger\GingerServices\GingerServices.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Nuance\PaperPort\NuanceWDS.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uProxyServer = localhost:6544
uProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com
BHO: Ginger Grammar & Spell Checker: {0877c1fc-19c6-4fe2-8e3d-699d8edb2964} - C:\Program Files (x86)\Ginger\GingerIEAddin\adxloader.dll
BHO: PlusIEEventHelper Class: {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files (x86)\Nuance\PDF Viewer Plus\bin\PlusIEContextMenu.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Define: {B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} -
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
uRun: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
uRun: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
uRun: [AVG-Secure-Search-Update_0913a] C:\Users\Steve\AppData\Roaming\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid 59de11f02b7847d1a9616939b255f88a-ba648b64677212f111262ed6a285113eb730b215 --CMPID 0913a
uRun: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [IndexSearch] "C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe"
mRun: [PaperPort PTD] "C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe"
mRun: [PDFHook] C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe
mRun: [PDF5 Registry Controller] C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe
dRunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid}
StartupFolder: C:\Users\Steve\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:60
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Open with PDF Viewer Plus - C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: CM_AdvancedCAB - hxxps://www.gs.reyrey.com/common/ClientCheck/CM_AdvancedCAB.CAB
DPF: PrintTemplateViewerCab - hxxps://cr.gs.reyrey.com/clientdll/printtemplateviewer.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://www.in.honda.com/Rraaapps/RRAAsec/Codebase/RRAAINAX/RYXAINAX_LandscapePrintingActiveX.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {297DE2B6-509A-4B36-93C5-A65276606900} - hxxp://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{2536D80B-EA39-4582-AA1A-E93FB389B953} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{2536D80B-EA39-4582-AA1A-E93FB389B953}\05053434027457563747 : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{2536D80B-EA39-4582-AA1A-E93FB389B953}\0556E627F63756F5D41696E6F584F63707964716C6F57457563747 : DHCPNameServer = 205.171.3.65 205.171.2.65
TCP: Interfaces\{2536D80B-EA39-4582-AA1A-E93FB389B953}\3435D23547574656E647 : DHCPNameServer = 209.244.0.3 209.244.0.4
TCP: Interfaces\{2536D80B-EA39-4582-AA1A-E93FB389B953}\3547642716E6369637F584F63707964716C6F57457563747 : DHCPNameServer = 205.171.3.65 205.171.2.65
TCP: Interfaces\{2536D80B-EA39-4582-AA1A-E93FB389B953}\542796E67237029407E6F6E656 : DHCPNameServer = 172.26.38.1 172.26.38.2
TCP: Interfaces\{2536D80B-EA39-4582-AA1A-E93FB389B953}\6596C6C616765694E6E6 : DHCPNameServer = 206.130.16.27 198.6.1.4
TCP: Interfaces\{2536D80B-EA39-4582-AA1A-E93FB389B953}\84F4D454D203344483 : DHCPNameServer = 75.75.75.75 75.75.76.76
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Ginger Grammar & Spell Checker: {0877c1fc-19c6-4fe2-8e3d-699d8edb2964} - C:\Program Files (x86)\Ginger\GingerIEAddin\adxloader64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll
x64-TB: <No Name>: {ae07101b-46d4-4a98-af68-0333ea26e113} - LocalServer32 - <no file>
x64-Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_03-windows-i586.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\lyvs9pgr.default-1374302290047\
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\2\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-09-09 07:25; firefox@gingersoftware.com; C:\Program Files (x86)\Ginger\Mozilla\firefox@gingersoftware.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2013-7-20 71480]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2013-7-20 311608]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2013-7-1 116536]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2013-9-5 45880]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-8-12 56208]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2013-7-20 246072]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2013-7-20 206648]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2013-3-21 240952]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-10-5 283200]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-3-28 241152]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2013-7-4 4939312]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2013-7-23 283136]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2013-4-22 822504]
R2 CxAudMsg;Conexant Audio Message Service;C:\Windows\System32\CxAudMsg64.exe [2011-7-30 198784]
R2 DragonSvc;Dragon Service;C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe [2010-7-23 296808]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2011-6-28 352336]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2011-7-30 868224]
R2 GingerUpdateService;GingerUpdateService;C:\Program Files (x86)\Ginger\GingerUpdateService\GingerUpdateService.exe [2013-9-2 279848]
R2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2010-1-8 29696]
R2 HFGService;Handsfree Headset Service;C:\Windows\System32\svchost.exe -k bthaudiosvc [2009-7-13 27136]
R2 Live Updater Service;Live Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2012-9-7 255376]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [2011-8-2 145256]
R2 PenCommService;Livescribe Pulse Smartpen Service;C:\Program Files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe [2011-10-27 470528]
R2 RS_Service;Raw Socket Service;C:\Program Files (x86)\Acer\Acer VCM\RS_Service.exe [2011-6-28 260640]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2013-6-26 523944]
R2 Tether;Tether;C:\Program Files (x86)\Tether\TBService.exe [2011-11-14 52664]
R2 WTabletServiceCon;Wacom Consumer Service;C:\Program Files\Tablet\Pen\WTabletServiceCon.exe [2013-7-15 619904]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2013-2-14 96768]
R3 BthAudioHF;BthAudioHF Service;C:\Windows\System32\drivers\BthAudioHF.sys [2009-12-21 52224]
R3 BthAvrcp;Bluetooth AVRCP Profile;C:\Windows\System32\drivers\BthAvrcp.sys [2009-8-13 29184]
R3 csr_a2dp;Bluetooth AV Profile;C:\Windows\System32\drivers\bthav.sys [2009-12-21 78848]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-6-28 77424]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2013-6-26 767144]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2013-6-26 273576]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2013-6-26 28840]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2013-6-26 23208]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2013-6-26 207528]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2011-7-30 44672]
R3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-13 25088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]
S2 WiseBootAssistant;Wise Boot Assistant;C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe [2012-7-29 580648]
S3 Blackberry Device Manager;Blackberry Device Manager;C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [2013-1-18 577536]
S3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2012-8-26 266240]
S3 FsUsbExDisk;FsUsbExDisk;C:\Windows\SysWOW64\FsUsbExDisk.Sys [2013-5-14 37344]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 hidkmdf;KMDF Driver;C:\Windows\System32\drivers\hidkmdf.sys [2013-7-15 13728]
S3 PulseUsb;Livescribe Smartpen USB Driver;C:\Windows\System32\drivers\PulseUsb.sys [2011-10-27 26112]
S3 qrkis;Tether Miniport;C:\Windows\System32\drivers\qrkis.sys [2011-10-17 50856]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2011-6-28 250984]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 tapklink;Klink Virtual Network Adapter;C:\Windows\System32\drivers\tapklink.sys [2011-10-23 31232]
S3 TFsExDisk;TFsExDisk;C:\Windows\System32\drivers\TFsExDisk.sys [2012-3-25 16448]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WacHidRouter;Wacom Hid Router;C:\Windows\System32\drivers\wachidrouter.sys [2013-7-15 81824]
S3 wacmoumonitor;Wacom Mode Helper;C:\Windows\System32\drivers\wacmoumonitor.sys [2013-7-15 18288]
S3 wacomrouterfilter;Wacom Router Filter Driver;C:\Windows\System32\drivers\wacomrouterfilter.sys [2013-7-15 15776]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-10-15 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== File Associations ===============
.
FileExt: .js: jsfile="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS6\Dreamweaver.exe","%1"
ShellExec: dreamweaver.exe: Open="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS6\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2013-09-20 01:09:25 -------- d-----w- C:\MoTemp
2013-09-19 19:28:54 -------- d-----w- C:\Users\Steve\AppData\Roaming\com.adobe.WidgetBrowser
2013-09-19 19:23:58 -------- d-----w- C:\Users\Steve\AppData\Roaming\Zeon
2013-09-18 20:21:21 -------- d-----w- C:\Program Files\Nuance
2013-09-18 20:20:07 -------- d-----w- C:\ProgramData\zeon
2013-09-18 20:16:55 -------- d-----w- C:\Program Files (x86)\Common Files\ScanSoft Shared
2013-09-18 09:50:20 -------- d-----w- C:\Program Files (x86)\Brother Industries, Ltd
2013-09-18 09:29:59 -------- d-sh--w- C:\$RECYCLE.BIN
2013-09-18 09:22:43 -------- d-s---w- C:\ComboFix
2013-09-18 09:12:09 -------- d-----w- C:\ProgramData\Max Secure
2013-09-17 05:29:48 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-09-17 04:55:45 -------- d-----w- C:\AdwCleaner
2013-09-17 02:06:07 -------- d-----w- C:\Users\Steve\AppData\Roaming\GetRightToGo
2013-09-17 01:34:31 -------- d-----w- C:\sh4ldr
2013-09-16 17:57:14 -------- d-----w- C:\ProgramData\Deskshare
2013-09-16 17:57:09 -------- d-----w- C:\Users\Steve\AppData\Local\DeskShare Data
2013-09-16 17:56:56 -------- d-----w- C:\Users\Steve\AppData\Local\Spoon
2013-09-16 17:56:34 -------- d-----w- C:\Program Files (x86)\Deskshare
2013-09-16 16:44:53 -------- d-----w- C:\Program Files (x86)\SweetPacks
2013-09-16 07:38:09 -------- d-----w- C:\Program Files (x86)\naturalsoft
2013-09-16 07:36:22 -------- d-----w- C:\ProgramData\NaturalSoft
2013-09-16 02:22:09 -------- d-----w- C:\Program Files (x86)\Free PDF Unlocker
2013-09-16 01:28:00 -------- d-----w- C:\Users\Steve\AppData\Roaming\chc
2013-09-15 01:59:38 -------- d-----w- C:\Users\Steve\AppData\Roaming\SmartDraw
2013-09-15 01:54:01 -------- d-----w- C:\Program Files (x86)\SmartDraw 2013
2013-09-14 23:23:59 -------- d-----w- C:\Users\Steve\AppData\Roaming\Open Download Manager
2013-09-14 23:22:39 -------- d-----w- C:\Program Files (x86)\monetomi
2013-09-14 21:27:23 -------- d-----w- C:\Users\Steve\AppData\Roaming\Balabolka
2013-09-14 21:26:59 -------- d-----w- C:\Program Files (x86)\Balabolka
2013-09-14 07:46:14 -------- d-----w- C:\ProgramData\BitGuard
2013-09-14 07:45:57 -------- d-----w- C:\ProgramData\DSearchLink
2013-09-14 03:55:56 -------- d-----w- C:\Program Files (x86)\Edraw Max
2013-09-14 03:31:22 -------- d-----w- C:\Program Files (x86)\lucky leap
2013-09-14 02:45:41 -------- d-----w- C:\Program Files (x86)\Solve Elec 2.5
2013-09-12 01:52:41 52171 ----a-w- C:\Windows\RFC4DPluginUninstall.exe
2013-09-09 13:27:31 -------- d-----w- C:\Users\Steve\AppData\Roaming\Acapela Group
2013-09-09 13:25:41 -------- d-----w- C:\Program Files (x86)\Ginger
2013-09-08 22:51:00 -------- d-----w- C:\Program Files (x86)\Edraw Mind Map
2013-09-08 22:30:11 -------- d-----w- C:\Users\Steve\.freemind
2013-09-08 17:20:13 -------- d-----w- C:\Users\Steve\AppData\Roaming\Austhink Software
2013-09-08 17:18:26 102400 ----a-w- C:\Windows\SysWow64\tsccvid.dll
2013-09-08 17:18:15 -------- d-----w- C:\ProgramData\Austhink Software
2013-09-08 17:18:10 -------- d-----w- C:\Program Files (x86)\Rationale
2013-09-08 09:49:57 -------- d-----w- C:\Users\Steve\AppData\Roaming\Texthelp
2013-09-08 05:57:50 -------- d-----w- C:\Program Files (x86)\Dr Essay
2013-09-08 05:07:05 -------- d-----w- C:\writeitnow4
2013-09-08 04:35:08 109782 ----a-w- C:\Windows\CopernicSummarizerUninstall.exe
2013-09-08 04:35:08 -------- d-----w- C:\Program Files (x86)\Copernic Summarizer
2013-09-05 07:43:42 45880 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys
2013-08-25 07:30:29 306688 ----a-w- C:\Windows\IsUninst.exe
2013-08-23 04:15:15 -------- d-----w- C:\ProgramData\SafeNet Sentinel
2013-08-23 04:12:41 -------- d-----w- C:\ProgramData\Vision Objects
2013-08-23 04:12:41 -------- d-----w- C:\Program Files (x86)\Vision Objects
2013-08-23 01:26:31 -------- d-----w- C:\Users\Steve\AppData\Local\Livescribe
2013-08-23 01:24:19 -------- d-----w- C:\ProgramData\Livescribe
2013-08-23 01:24:04 -------- d-----w- C:\Users\Steve\AppData\Roaming\com.livescribe.LivescribeConnect
2013-08-23 01:23:31 -------- d-----w- C:\Program Files (x86)\Common Files\Livescribe
2013-08-23 01:23:03 -------- d-----w- C:\Program Files (x86)\Livescribe
.
==================== Find3M  ====================
.
2013-09-07 03:41:19 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-07 03:41:19 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-08-10 05:22:18 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-08-10 05:20:59 3959296 ----a-w- C:\Windows\System32\jscript9.dll
2013-08-10 05:20:55 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-08-10 05:20:55 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-08-10 03:59:10 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-08-10 03:58:09 2876928 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-08-10 03:58:06 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-08-10 03:58:06 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-08-10 03:17:38 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-08-10 03:07:50 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-08-10 02:27:59 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-08-10 02:17:19 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-08-08 01:20:43 3155456 ----a-w- C:\Windows\System32\win32k.sys
2013-08-05 02:25:45 155584 ----a-w- C:\Windows\System32\drivers\ataport.sys
2013-08-02 02:23:53 5550528 ----a-w- C:\Windows\System32\ntoskrnl.exe
2013-08-02 02:15:44 1732032 ----a-w- C:\Windows\System32\ntdll.dll
2013-08-02 02:15:03 362496 ----a-w- C:\Windows\System32\wow64win.dll
2013-08-02 02:15:03 243712 ----a-w- C:\Windows\System32\wow64.dll
2013-08-02 02:15:03 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2013-08-02 02:14:57 215040 ----a-w- C:\Windows\System32\winsrv.dll
2013-08-02 02:14:11 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2013-08-02 02:13:34 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2013-08-02 01:59:30 3968960 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2013-08-02 01:59:30 3913664 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2013-08-02 01:51:23 1292192 ----a-w- C:\Windows\SysWow64\ntdll.dll
2013-08-02 01:50:42 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2013-08-02 01:50:42 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2013-08-02 01:09:17 338432 ----a-w- C:\Windows\System32\conhost.exe
2013-08-02 00:59:09 112640 ----a-w- C:\Windows\System32\smss.exe
2013-08-02 00:45:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2013-08-02 00:45:36 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2013-08-02 00:45:35 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2013-08-02 00:45:34 2048 ----a-w- C:\Windows\SysWow64\user.exe
2013-08-02 00:43:05 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2013-07-25 09:25:54 1888768 ----a-w- C:\Windows\System32\WMVDECOD.DLL
2013-07-25 08:57:27 1620992 ----a-w- C:\Windows\SysWow64\WMVDECOD.DLL
2013-07-20 07:51:00 311608 ----a-w- C:\Windows\System32\drivers\avgloga.sys
2013-07-20 07:50:56 71480 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
2013-07-20 07:50:56 246072 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
2013-07-20 07:50:50 206648 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
2013-07-19 01:58:42 2048 ----a-w- C:\Windows\System32\tzres.dll
2013-07-19 01:41:01 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2013-07-09 21:53:25 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-07-09 21:53:24 867240 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-07-09 21:53:24 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-07-09 05:52:52 224256 ----a-w- C:\Windows\System32\wintrust.dll
2013-07-09 05:51:16 1217024 ----a-w- C:\Windows\System32\rpcrt4.dll
2013-07-09 05:46:20 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-07-09 05:46:20 1472512 ----a-w- C:\Windows\System32\crypt32.dll
2013-07-09 05:46:20 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-07-09 04:52:33 663552 ----a-w- C:\Windows\SysWow64\rpcrt4.dll
2013-07-09 04:52:10 175104 ----a-w- C:\Windows\SysWow64\wintrust.dll
2013-07-09 04:46:31 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-07-09 04:46:31 1166848 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-07-09 04:46:31 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-07-06 06:03:53 1910208 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-07-01 07:45:28 116536 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2013-06-27 01:21:50 23208 ----a-w- C:\Windows\System32\drivers\Sftvollh.sys
2013-06-27 01:21:48 28840 ----a-w- C:\Windows\System32\drivers\Sftredirlh.sys
2013-06-27 01:21:46 273576 ----a-w- C:\Windows\System32\drivers\Sftplaylh.sys
2013-06-27 01:21:46 1777320 ----a-w- C:\Windows\System32\sftldr.dll
2013-06-27 01:21:46 1130664 ----a-w- C:\Windows\SysWow64\sftldr_wow64.dll
2013-06-27 01:21:44 767144 ----a-w- C:\Windows\System32\drivers\Sftfslh.sys
2013-06-25 09:42:59 173568 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-06-25 09:42:59 13824 ----a-w- C:\Windows\System32\mshta.exe
2013-06-25 09:42:58 51200 ----a-w- C:\Windows\System32\imgutil.dll
2013-06-25 09:42:58 135680 ----a-w- C:\Windows\System32\IEAdvpack.dll
2013-06-25 09:42:57 92160 ----a-w- C:\Windows\System32\SetIEInstalledDate.exe
2013-06-25 09:42:57 48640 ----a-w- C:\Windows\System32\mshtmler.dll
2013-06-25 09:42:55 77312 ----a-w- C:\Windows\System32\tdc.ocx
.
============= FINISH:  2:35:38.57 ===============

 


#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:12:21 AM

Posted 20 September 2013 - 04:53 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 Lekota
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:05:21 PM

Posted 20 September 2013 - 01:36 PM

Hello,

Thank you for your help; below are the results of the scan.

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-20 12:18:52
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543225A7A384 rev.ESBOA90B 232.89GB
Running: mqo9zk77.exe; Driver: C:\Users\Steve\AppData\Local\Temp\kwldapog.sys

---- Threads - GMER 2.1 ----

Thread    [676:1040]                                                                                                    0000000077bbaef0
Thread    [676:1052]                                                                                                    000007fefecda808
Thread    [676:5080]                                                                                                    0000000077bbfbf0
Thread   C:\Windows\System32\svchost.exe [1072:1268]                                                                    000007fefae7f2f4
Thread   C:\Windows\System32\svchost.exe [1072:1284]                                                                    000007fefb296204
Thread   C:\Windows\System32\svchost.exe [1072:1472]                                                                    000007fefa392070
Thread   C:\Windows\System32\svchost.exe [1072:1544]                                                                    000007fef9f35428
Thread   C:\Windows\System32\svchost.exe [1072:4112]                                                                    000007fefd85c608
Thread   C:\Windows\System32\svchost.exe [1072:4648]                                                                    000007feece16b8c
Thread   C:\Windows\System32\svchost.exe [1072:4788]                                                                    000007feece11d88
Thread   C:\Windows\System32\svchost.exe [1072:6396]                                                                    000007fef7dc5fd0
Thread   C:\Windows\system32\svchost.exe [1192:4248]                                                                    000007fef0e8506c
Thread   C:\Windows\system32\svchost.exe [1192:3448]                                                                    000007fef6835124
Thread   C:\Windows\system32\svchost.exe [1192:5816]                                                                    000007fef86d5170
Thread   C:\Windows\system32\svchost.exe [1192:3252]                                                                    000007feecb2cb70
Thread   C:\Windows\system32\svchost.exe [1192:4628]                                                                    000007fef86d5170
Thread   C:\Windows\system32\svchost.exe [1192:3420]                                                                    000007feecb2cb70
Thread   C:\Windows\system32\svchost.exe [1192:4700]                                                                    000007fef0891ab0
Thread    [1372:1424]                                                                                                   0000000077bbaef0
Thread    [1372:6132]                                                                                                   0000000077bbfbf0
Thread   C:\Windows\System32\spoolsv.exe [1876:2792]                                                                    000007fef96d10c8
Thread   C:\Windows\System32\spoolsv.exe [1876:2940]                                                                    000007fef8546144
Thread   C:\Windows\System32\spoolsv.exe [1876:2944]                                                                    000007fef7dc5fd0
Thread   C:\Windows\System32\spoolsv.exe [1876:3000]                                                                    000007fef92f3438
Thread   C:\Windows\System32\spoolsv.exe [1876:3028]                                                                    000007fef7dc63ec
Thread   C:\Windows\System32\spoolsv.exe [1876:2472]                                                                    000007fef92f3438
Thread   C:\Windows\System32\spoolsv.exe [1876:2468]                                                                    000007fef7dc63ec
Thread   C:\Windows\System32\spoolsv.exe [1876:3056]                                                                    000007fef9da5e5c
Thread   C:\Windows\System32\spoolsv.exe [1876:3104]                                                                    000007fef9765074
Thread   C:\Windows\System32\spoolsv.exe [1876:3364]                                                                    000007fef9728760
Thread   C:\Windows\SysWOW64\ntdll.dll [1124:1184]                                                                      00000000012e5fc9
Thread   C:\Windows\SysWOW64\ntdll.dll [2200:2204]                                                                      00000000013c5e0f
Thread   C:\Windows\SysWOW64\ntdll.dll [2364:2368]                                                                      0000000000054611
Thread   C:\Windows\SysWOW64\ntdll.dll [2364:2400]                                                                      000000000004bd70
Thread   C:\Windows\SysWOW64\ntdll.dll [2364:2404]                                                                      000000000004bd70
Thread   C:\Windows\SysWOW64\ntdll.dll [2364:2692]                                                                      0000000000053990
Thread   C:\Windows\system32\taskhost.exe [2524:2656]                                                                   000007fef9e62740
Thread   C:\Windows\system32\taskhost.exe [2524:2660]                                                                   000007fef9e41f38
Thread   C:\Windows\system32\taskhost.exe [2524:2712]                                                                   000007fefa8d1010
Thread   C:\Windows\system32\taskhost.exe [2524:5028]                                                                   000007fef86d5170
Thread   C:\Windows\SysWOW64\ntdll.dll [2860:2864]                                                                      00000000008c37f8
Thread   C:\Windows\SysWOW64\ntdll.dll [2860:2908]                                                                      00000000008c2a20
Thread   C:\Windows\SysWOW64\ntdll.dll [2756:2780]                                                                      000000000043af8d
Thread   C:\Windows\SysWOW64\ntdll.dll [2756:2776]                                                                      00000000004013a0
Thread   C:\Windows\SysWOW64\ntdll.dll [2756:3124]                                                                      000000000041bcd0
Thread   C:\Windows\SysWOW64\ntdll.dll [2756:3128]                                                                      000000000041bcd0
Thread   C:\Windows\SysWOW64\ntdll.dll [2756:3152]                                                                      0000000010009f70
Thread   C:\Windows\SysWOW64\ntdll.dll [2756:3188]                                                                      0000000010009f70
Thread   C:\Windows\SysWOW64\ntdll.dll [2756:3204]                                                                      000000000041c020
Thread   C:\Windows\SysWOW64\ntdll.dll [2756:3224]                                                                      0000000000411c60
Thread   C:\Windows\SysWOW64\ntdll.dll [2756:3552]                                                                      00000000729e62ee
Thread   C:\Windows\Speech\Common\sapisvr.exe [3632:4576]                                                               000007fefb296204
Thread   C:\Windows\Speech\Common\sapisvr.exe [3632:5024]                                                               000007fef1bde670
Thread   C:\Windows\Speech\Common\sapisvr.exe [3632:200]                                                                000007fef404d7cc
Thread   C:\Windows\SysWOW64\ntdll.dll [3960:3964]                                                                      0000000000f0233b
Thread   C:\Windows\SysWOW64\ntdll.dll [4144:4148]                                                                      00000000001a8296
Thread   C:\Windows\SysWOW64\ntdll.dll [4144:4468]                                                                      000000006f1c6358
Thread   C:\Windows\SysWOW64\ntdll.dll [4144:4572]                                                                      000000006ec5f71d
Thread   C:\Windows\SysWOW64\ntdll.dll [4144:4704]                                                                      000000006ec5f71d
Thread   C:\Windows\SysWOW64\ntdll.dll [4144:4712]                                                                      000000006ec55b1a
Thread   C:\Windows\SysWOW64\ntdll.dll [4144:4736]                                                                      000000006f170b14
Thread    [4856:4924]                                                                                                   00000000749a1020
Thread   C:\Windows\SysWOW64\ntdll.dll [5136:5140]                                                                      000000002d7ea4cb
Thread   C:\Windows\SysWOW64\ntdll.dll [5136:5172]                                                                      00000000745b4c7c
Thread    [5192:5208]                                                                                                   000007fefecda808
Thread    [5192:5212]                                                                                                   0000000077bbaef0
Thread    [5192:6116]                                                                                                   0000000077bbfbf0
Thread   C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE [5516:3804]                                       0000000035007d70
Thread   C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE [5516:5292]                                       0000000035008350
Thread   C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE [5516:1884]                                       0000000071db786a
Thread   C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE [5516:5100]                                       0000000072fda3e0
Thread   C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE [5516:6748]                                       0000000057db9d10
Thread   C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE [5516:6740]                                       00000000754c17a4
Thread   C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE [5516:4528]                                       00000000724046fa
Thread   C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE [5516:3724]                                       00000000769ff35a
Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [7912:1448]                                         0000000077dd3e85
Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [7912:2124]                                         0000000075847587
Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [7912:6212]                                         0000000073d90cb3
Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [7912:1384]                                         0000000077dd2e65
Thread   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [7912:7220]                                         0000000077dd3e85

---- Processes - GMER 2.1 ----

Library  c:\64b9321f4c5a0441a20daf4764\Setup.exe (*** suspicious ***) @ c:\64b9321f4c5a0441a20daf4764\Setup.exe [8056]  0000000001360000

---- EOF - GMER 2.1 ----



#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:12:21 AM

Posted 21 September 2013 - 05:39 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe


When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#5 Lekota
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:05:21 PM

Posted 21 September 2013 - 01:28 PM

I initiated ComboFix; the first try would not complete, so I rebooted the computer and then ran ComboFix again. The second time ComboFix fully completed the scan; the log is posted below.

----------------------------------

 

ComboFix 13-09-19.01 - Lakota 09/21/2013  11:51:16.4.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3819.2354 [GMT -6:00]
Running from: c:\users\Lakota\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\programdata\DSearchLink
c:\programdata\DSearchLink\DSearchLink.exe
c:\users\Lakota\AppData\Roaming\Microsoft\Windows\Recent\Thumbs.db
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-21 to 2013-09-21  )))))))))))))))))))))))))))))))
.
.
2013-09-21 18:11 . 2013-09-21 18:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-09-21 18:11 . 2013-09-21 18:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-20 01:09 . 2013-09-21 08:23 -------- d-----w- C:\MoTemp
2013-09-19 19:28 . 2013-09-19 19:28 -------- d-----w- c:\users\Lakota\AppData\Roaming\com.adobe.WidgetBrowser
2013-09-19 19:23 . 2013-09-19 19:23 -------- d-----w- c:\users\Lakota\AppData\Roaming\Zeon
2013-09-18 20:21 . 2013-09-18 20:21 -------- d-----w- c:\program files\Nuance
2013-09-18 20:20 . 2013-09-18 20:20 -------- d-----w- c:\programdata\zeon
2013-09-18 20:17 . 2013-09-18 20:18 -------- d-----w- c:\programdata\ScanSoft
2013-09-18 20:16 . 2013-09-18 20:17 -------- d-----w- c:\program files (x86)\Common Files\ScanSoft Shared
2013-09-18 09:50 . 2013-09-18 09:50 -------- d-----w- c:\program files (x86)\Brother Industries, Ltd
2013-09-18 09:12 . 2013-09-18 09:13 -------- d-----w- c:\programdata\Max Secure
2013-09-17 05:29 . 2013-09-17 19:27 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-09-17 04:55 . 2013-09-18 07:37 -------- d-----w- C:\AdwCleaner
2013-09-17 02:06 . 2013-09-17 02:06 -------- d-----w- c:\users\Lakota\AppData\Roaming\GetRightToGo
2013-09-17 01:34 . 2013-09-17 01:35 -------- d-----w- C:\sh4ldr
2013-09-16 17:57 . 2013-09-18 11:06 -------- d-----w- c:\programdata\Deskshare
2013-09-16 17:57 . 2013-09-16 17:57 -------- d-----w- c:\users\Lakota\AppData\Local\DeskShare Data
2013-09-16 17:56 . 2013-09-16 17:56 -------- d-----w- c:\users\Lakota\AppData\Local\Spoon
2013-09-16 17:56 . 2013-09-16 17:56 -------- d-----w- c:\program files (x86)\Deskshare
2013-09-16 16:44 . 2013-09-16 19:53 -------- d-----w- c:\program files (x86)\SweetPacks
2013-09-16 07:38 . 2013-09-16 07:38 -------- d-----w- c:\program files (x86)\naturalsoft
2013-09-16 07:36 . 2013-09-16 19:53 -------- d-----w- c:\programdata\NaturalSoft
2013-09-16 02:22 . 2013-09-18 11:07 -------- d-----w- c:\program files (x86)\Free PDF Unlocker
2013-09-16 01:28 . 2013-09-16 01:28 -------- d-----w- c:\users\Lakota\AppData\Roaming\chc
2013-09-15 01:59 . 2013-09-18 11:06 -------- d-----w- c:\users\Lakota\AppData\Roaming\SmartDraw
2013-09-15 01:54 . 2013-09-18 11:07 -------- d-----w- c:\program files (x86)\SmartDraw 2013
2013-09-14 23:23 . 2013-09-14 23:30 -------- d-----w- c:\users\Lakota\AppData\Roaming\Open Download Manager
2013-09-14 23:22 . 2013-09-16 19:53 -------- d-----w- c:\program files (x86)\monetomi
2013-09-14 21:27 . 2013-09-18 11:06 -------- d-----w- c:\users\Lakota\AppData\Roaming\Balabolka
2013-09-14 21:26 . 2013-09-18 11:07 -------- d-----w- c:\program files (x86)\Balabolka
2013-09-14 07:46 . 2013-09-18 11:07 -------- d-----w- c:\programdata\BitGuard
2013-09-14 03:55 . 2013-09-18 10:59 -------- d-----w- c:\program files (x86)\Edraw Max
2013-09-14 03:31 . 2013-09-18 11:07 -------- d-----w- c:\program files (x86)\lucky leap
2013-09-14 02:45 . 2013-09-18 10:59 -------- d-----w- c:\program files (x86)\Solve Elec 2.5
2013-09-13 16:07 . 2013-08-10 05:21 19246592 ----a-w- c:\windows\system32\mshtml.dll
2013-09-12 01:52 . 2013-09-12 01:52 52171 ----a-w- c:\windows\RFC4DPluginUninstall.exe
2013-09-09 13:27 . 2013-09-09 13:27 -------- d-----w- c:\users\Lakota\AppData\Roaming\Acapela Group
2013-09-09 13:25 . 2013-09-18 11:07 -------- d-----w- c:\program files (x86)\Ginger
2013-09-08 22:51 . 2013-09-08 22:51 -------- d-----w- c:\program files (x86)\Edraw Mind Map
2013-09-08 22:30 . 2013-09-08 22:48 -------- d-----w- c:\users\Lakota\.freemind
2013-09-08 17:20 . 2013-09-08 17:20 -------- d-----w- c:\users\Lakota\AppData\Roaming\Austhink Software
2013-09-08 17:18 . 2005-06-15 09:00 102400 ----a-w- c:\windows\SysWow64\tsccvid.dll
2013-09-08 17:18 . 2013-09-08 17:18 -------- d-----w- c:\programdata\Austhink Software
2013-09-08 17:18 . 2013-09-08 17:18 -------- d-----w- c:\program files (x86)\Rationale
2013-09-08 09:49 . 2013-09-08 09:49 -------- d-----w- c:\users\Lakota\AppData\Roaming\Texthelp
2013-09-08 05:57 . 2013-09-08 05:57 -------- d-----w- c:\program files (x86)\Dr Essay
2013-09-08 05:07 . 2013-09-10 03:06 -------- d-----w- C:\writeitnow4
2013-09-08 04:35 . 2013-09-08 04:37 -------- d-----w- c:\program files (x86)\Copernic Summarizer
2013-09-08 04:35 . 2001-07-11 21:09 109782 ----a-w- c:\windows\CopernicSummarizerUninstall.exe
2013-09-05 07:43 . 2013-09-05 07:43 45880 ----a-w- c:\windows\system32\drivers\avgrkx64.sys
2013-08-25 07:30 . 1998-10-29 22:45 306688 ----a-w- c:\windows\IsUninst.exe
2013-08-23 04:15 . 2013-08-23 04:15 -------- d-----w- c:\programdata\SafeNet Sentinel
2013-08-23 04:12 . 2013-08-23 04:12 -------- d-----w- c:\programdata\Vision Objects
2013-08-23 04:12 . 2013-08-23 04:12 -------- d-----w- c:\program files (x86)\Vision Objects
2013-08-23 01:26 . 2013-08-23 02:13 -------- d-----w- c:\users\Lakota\AppData\Local\Livescribe
2013-08-23 01:24 . 2013-08-23 01:24 -------- d-----w- c:\programdata\Livescribe
2013-08-23 01:24 . 2013-08-25 07:21 -------- d-----w- c:\users\Lakota\AppData\Roaming\com.livescribe.LivescribeConnect
2013-08-23 01:23 . 2013-08-23 01:23 -------- d-----w- c:\program files (x86)\Common Files\Livescribe
2013-08-23 01:23 . 2013-08-23 01:23 -------- d-----w- c:\program files (x86)\Livescribe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-13 16:00 . 2011-10-20 22:55 79143768 ----a-w- c:\windows\system32\MRT.exe
2013-09-07 03:41 . 2012-04-24 05:01 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-09-07 03:41 . 2011-07-30 23:11 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-02 01:48 . 2013-09-12 16:17 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-07-25 09:25 . 2013-08-15 04:53 1888768 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-25 08:57 . 2013-08-15 04:53 1620992 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL
2013-07-20 07:51 . 2013-07-20 07:51 311608 ----a-w- c:\windows\system32\drivers\avgloga.sys
2013-07-20 07:50 . 2013-07-20 07:50 71480 ----a-w- c:\windows\system32\drivers\avgidsha.sys
2013-07-20 07:50 . 2013-07-20 07:50 246072 ----a-w- c:\windows\system32\drivers\avgidsdrivera.sys
2013-07-20 07:50 . 2013-07-20 07:50 206648 ----a-w- c:\windows\system32\drivers\avgldx64.sys
2013-07-19 01:58 . 2013-08-15 04:54 2048 ----a-w- c:\windows\system32\tzres.dll
2013-07-19 01:41 . 2013-08-15 04:54 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2013-07-09 21:53 . 2013-07-09 21:53 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-07-09 21:53 . 2012-09-13 22:49 789416 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-07-09 21:53 . 2012-09-13 22:49 867240 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-07-09 05:52 . 2013-08-15 04:56 224256 ----a-w- c:\windows\system32\wintrust.dll
2013-07-09 05:51 . 2013-08-15 04:53 1217024 ----a-w- c:\windows\system32\rpcrt4.dll
2013-07-09 05:46 . 2013-08-15 04:56 1472512 ----a-w- c:\windows\system32\crypt32.dll
2013-07-09 05:46 . 2013-08-15 04:56 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-07-09 05:46 . 2013-08-15 04:56 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-07-09 04:52 . 2013-08-15 04:53 663552 ----a-w- c:\windows\SysWow64\rpcrt4.dll
2013-07-09 04:52 . 2013-08-15 04:56 175104 ----a-w- c:\windows\SysWow64\wintrust.dll
2013-07-09 04:46 . 2013-08-15 04:56 1166848 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-07-09 04:46 . 2013-08-15 04:56 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-07-09 04:46 . 2013-08-15 04:56 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
2013-07-06 06:03 . 2013-08-15 04:53 1910208 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-07-01 07:45 . 2013-07-01 07:45 116536 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
2013-06-27 01:21 . 2013-06-27 01:21 23208 ----a-w- c:\windows\system32\drivers\Sftvollh.sys
2013-06-27 01:21 . 2013-06-27 01:21 28840 ----a-w- c:\windows\system32\drivers\Sftredirlh.sys
2013-06-27 01:21 . 2013-06-27 01:21 273576 ----a-w- c:\windows\system32\drivers\Sftplaylh.sys
2013-06-27 01:21 . 2013-06-27 01:21 1777320 ----a-w- c:\windows\system32\sftldr.dll
2013-06-27 01:21 . 2013-06-27 01:21 1130664 ----a-w- c:\windows\SysWow64\sftldr_wow64.dll
2013-06-27 01:21 . 2013-06-27 01:21 767144 ----a-w- c:\windows\system32\drivers\Sftfslh.sys
2013-06-25 09:43 . 2013-06-25 09:43 1054720 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2013-06-25 09:43 . 2013-06-25 09:43 226304 ----a-w- c:\windows\system32\elshyph.dll
2013-06-25 09:43 . 2013-06-25 09:43 185344 ----a-w- c:\windows\SysWow64\elshyph.dll
2013-06-25 09:43 . 2013-06-25 09:43 158720 ----a-w- c:\windows\SysWow64\msls31.dll
2013-06-25 09:43 . 2013-06-25 09:43 719360 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2013-06-25 09:43 . 2013-06-25 09:43 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2013-06-25 09:43 . 2013-06-25 09:43 138752 ----a-w- c:\windows\SysWow64\wextract.exe
2013-06-25 09:43 . 2013-06-25 09:43 523264 ----a-w- c:\windows\SysWow64\vbscript.dll
2013-06-25 09:43 . 2013-06-25 09:43 137216 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2013-06-25 09:43 . 2013-06-25 09:43 38400 ----a-w- c:\windows\SysWow64\imgutil.dll
2013-06-25 09:43 . 2013-06-25 09:43 12800 ----a-w- c:\windows\SysWow64\mshta.exe
2013-06-25 09:43 . 2013-06-25 09:43 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2013-06-25 09:43 . 2013-06-25 09:43 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2013-06-25 09:43 . 2013-06-25 09:43 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2013-06-25 09:43 . 2013-06-25 09:43 61952 ----a-w- c:\windows\SysWow64\tdc.ocx
2013-06-25 09:43 . 2013-06-25 09:43 361984 ----a-w- c:\windows\SysWow64\html.iec
2013-06-25 09:43 . 2013-06-25 09:43 23040 ----a-w- c:\windows\SysWow64\licmgr10.dll
2013-06-25 09:43 . 2013-06-25 09:43 1441280 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2013-06-25 09:43 . 2013-06-25 09:43 197120 ----a-w- c:\windows\system32\msrating.dll
2013-06-25 09:43 . 2013-06-25 09:43 441856 ----a-w- c:\windows\system32\html.iec
2013-06-25 09:43 . 2013-06-25 09:43 216064 ----a-w- c:\windows\system32\msls31.dll
2013-06-25 09:43 . 2013-06-25 09:43 81408 ----a-w- c:\windows\system32\icardie.dll
2013-06-25 09:43 . 2013-06-25 09:43 762368 ----a-w- c:\windows\system32\ieapfltr.dll
2013-06-25 09:43 . 2013-06-25 09:43 452096 ----a-w- c:\windows\system32\dxtmsft.dll
2013-06-25 09:43 . 2013-06-25 09:43 281600 ----a-w- c:\windows\system32\dxtrans.dll
2013-06-25 09:43 . 2013-06-25 09:43 1400416 ----a-w- c:\windows\system32\ieapfltr.dat
2013-06-25 09:43 . 2013-06-25 09:43 905728 ----a-w- c:\windows\system32\mshtmlmedia.dll
2013-06-25 09:43 . 2013-06-25 09:43 235008 ----a-w- c:\windows\system32\url.dll
2013-06-25 09:43 . 2013-06-25 09:43 270848 ----a-w- c:\windows\system32\iedkcs32.dll
2013-06-25 09:43 . 2013-06-25 09:43 1509376 ----a-w- c:\windows\system32\inetcpl.cpl
2013-06-25 09:43 . 2013-06-25 09:43 97280 ----a-w- c:\windows\system32\mshtmled.dll
2013-06-25 09:43 . 2013-06-25 09:43 27648 ----a-w- c:\windows\system32\licmgr10.dll
2013-06-25 09:43 . 2013-06-25 09:43 247296 ----a-w- c:\windows\system32\webcheck.dll
2013-06-25 09:43 . 2013-06-25 09:43 102912 ----a-w- c:\windows\system32\inseng.dll
2013-06-25 09:43 . 2013-06-25 09:43 599552 ----a-w- c:\windows\system32\vbscript.dll
2013-06-25 09:43 . 2013-06-25 09:43 167424 ----a-w- c:\windows\system32\iexpress.exe
2013-06-25 09:43 . 2013-06-25 09:43 144896 ----a-w- c:\windows\system32\wextract.exe
2013-06-25 09:42 . 2013-06-25 09:42 62976 ----a-w- c:\windows\system32\pngfilt.dll
2013-06-25 09:42 . 2013-06-25 09:42 173568 ----a-w- c:\windows\system32\ieUnatt.exe
2013-06-25 09:42 . 2013-06-25 09:42 149504 ----a-w- c:\windows\system32\occache.dll
2013-06-25 09:42 . 2013-06-25 09:42 13824 ----a-w- c:\windows\system32\mshta.exe
2013-06-25 09:42 . 2013-06-25 09:42 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2013-06-25 09:42 . 2013-06-25 09:42 51200 ----a-w- c:\windows\system32\imgutil.dll
2013-06-25 09:42 . 2013-06-25 09:42 136192 ----a-w- c:\windows\system32\iepeers.dll
2013-06-25 09:42 . 2013-06-25 09:42 135680 ----a-w- c:\windows\system32\IEAdvpack.dll
2013-06-25 09:42 . 2013-06-25 09:42 12800 ----a-w- c:\windows\system32\msfeedssync.exe
2013-06-25 09:42 . 2013-06-25 09:42 92160 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2013-06-25 09:42 . 2013-06-25 09:42 48640 ----a-w- c:\windows\system32\mshtmler.dll
2013-06-25 09:42 . 2013-06-25 09:42 77312 ----a-w- c:\windows\system32\tdc.ocx
2013-06-25 09:39 . 2013-06-25 09:39 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-06-25 09:39 . 2013-06-25 09:39 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-06-25 09:39 . 2013-06-25 09:39 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-06-25 09:39 . 2013-06-25 09:39 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-06-25 09:39 . 2013-06-25 09:39 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-06-25 09:39 . 2013-06-25 09:39 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-06-25 09:39 . 2013-06-25 09:39 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-06-25 09:39 . 2013-06-25 09:39 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2013-06-25 09:39 . 2013-06-25 09:39 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-06-25 09:39 . 2013-06-25 09:39 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-06-25 09:39 . 2013-06-25 09:39 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-06-25 09:39 . 2013-06-25 09:39 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-06-25 09:39 . 2013-06-25 09:39 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2013-06-25 09:39 . 2013-06-25 09:39 465920 ----a-w- c:\windows\system32\WMPhoto.dll
2013-06-25 09:39 . 2013-06-25 09:39 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2013-06-25 09:39 . 2013-06-25 09:39 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-06-25 09:39 . 2013-06-25 09:39 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-06-25 09:39 . 2013-06-25 09:39 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 44544]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2012-11-09 222496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2013-08-15 4411440]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2011-03-14 1081424]
"IndexSearch"="c:\program files (x86)\Nuance\PaperPort\IndexSearch.exe" [2011-08-02 46952]
"PaperPort PTD"="c:\program files (x86)\Nuance\PaperPort\pptd40nt.exe" [2011-08-02 30568]
"PDFHook"="c:\program files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-06 636192]
"PDF5 Registry Controller"="c:\program files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-06 62752]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IsMyWinLockerReboot"="msiexec.exe" [2010-11-21 73216]
.
c:\users\Lakota\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2013-6-25 228552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"StartNowToolbarHelper"="c:\program files (x86)\StartNow Toolbar\ToolbarHelper.exe"
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe;c:\program files (x86)\AVG\AVG2013\avgidsagent.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 WiseBootAssistant;Wise Boot Assistant;c:\program files (x86)\Wise\Wise Care 365\BootTime.exe;c:\program files (x86)\Wise\Wise Care 365\BootTime.exe [x]
R3 Blackberry Device Manager;Blackberry Device Manager;c:\program files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe;c:\program files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [x]
R3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe;c:\program files (x86)\Browny02\BrYNSvc.exe [x]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys;c:\windows\SYSNATIVE\drivers\dgderdrv.sys [x]
R3 easytether;easytether;c:\windows\system32\DRIVERS\easytthr.sys;c:\windows\SYSNATIVE\DRIVERS\easytthr.sys [x]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\SysWOW64\FsUsbExDisk.SYS;c:\windows\SysWOW64\FsUsbExDisk.SYS [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]
R3 hidkmdf;KMDF Driver;c:\windows\system32\DRIVERS\hidkmdf.sys;c:\windows\SYSNATIVE\DRIVERS\hidkmdf.sys [x]
R3 PulseUsb;Livescribe Smartpen USB Driver;c:\windows\system32\DRIVERS\PulseUsb.sys;c:\windows\SYSNATIVE\DRIVERS\PulseUsb.sys [x]
R3 qrkis;Tether Miniport;c:\windows\system32\DRIVERS\qrkis.sys;c:\windows\SYSNATIVE\DRIVERS\qrkis.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 tapklink;Klink Virtual Network Adapter;c:\windows\system32\DRIVERS\tapklink.sys;c:\windows\SYSNATIVE\DRIVERS\tapklink.sys [x]
R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys;c:\windows\SYSNATIVE\Drivers\TFsExDisk.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WacHidRouter;Wacom Hid Router;c:\windows\system32\DRIVERS\wachidrouter.sys;c:\windows\SYSNATIVE\DRIVERS\wachidrouter.sys [x]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys;c:\windows\SYSNATIVE\DRIVERS\wacmoumonitor.sys [x]
R3 wacomrouterfilter;Wacom Router Filter Driver;c:\windows\system32\DRIVERS\wacomrouterfilter.sys;c:\windows\SYSNATIVE\DRIVERS\wacomrouterfilter.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x]
S2 DragonSvc;Dragon Service;c:\program files (x86)\Common Files\Nuance\dgnsvc.exe;c:\program files (x86)\Common Files\Nuance\dgnsvc.exe [x]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [x]
S2 GingerUpdateService;GingerUpdateService;c:\program files (x86)\Ginger\GingerUpdateService\GingerUpdateService.exe;c:\program files (x86)\Ginger\GingerUpdateService\GingerUpdateService.exe [x]
S2 GREGService;GREGService;c:\program files (x86)\Acer\Registration\GREGsvc.exe;c:\program files (x86)\Acer\Registration\GREGsvc.exe [x]
S2 HFGService;Handsfree Headset Service;c:\windows\system32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 Live Updater Service;Live Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe;c:\program files\Acer\Acer Updater\UpdaterService.exe [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]
S2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [x]
S2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe;c:\program files (x86)\Common Files\Livescribe\PenComm\PenCommService.exe [x]
S2 RS_Service;Raw Socket Service;c:\program files (x86)\Acer\Acer VCM\RS_Service.exe;c:\program files (x86)\Acer\Acer VCM\RS_Service.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 Tether;Tether;c:\program files (x86)\Tether\TBService.exe;c:\program files (x86)\Tether\TBService.exe [x]
S2 WTabletServiceCon;Wacom Consumer Service;c:\program files\Tablet\Pen\WTabletServiceCon.exe;c:\program files\Tablet\Pen\WTabletServiceCon.exe [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 BthAudioHF;BthAudioHF Service;c:\windows\system32\DRIVERS\BthAudioHF.sys;c:\windows\SYSNATIVE\DRIVERS\BthAudioHF.sys [x]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys;c:\windows\SYSNATIVE\DRIVERS\BthAvrcp.sys [x]
S3 csr_a2dp;Bluetooth AV Profile;c:\windows\system32\drivers\bthav.sys;c:\windows\SYSNATIVE\drivers\bthav.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys;c:\windows\SYSNATIVE\DRIVERS\WSDScan.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-24 03:41]
.
2013-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-04 19:26]
.
2013-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-04 19:26]
.
2013-09-08 c:\windows\Tasks\MixPadReminder.job
- c:\program files (x86)\NCH Software\MixPad\mixpad.exe [2012-08-09 19:58]
.
2013-05-24 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files (x86)\NCH Software\VideoPad\videopad.exe [2012-08-09 19:55]
.
2013-09-08 c:\windows\Tasks\WavePadReminder.job
- c:\program files (x86)\NCH Software\WavePad\wavepad.exe [2012-08-11 05:40]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2011-01-28 862088]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyServer = localhost:6544
uInternet Settings,ProxyOverride = <local>;*.local
uSearchAssistant = hxxp://www.google.com
IE: Open with PDF Viewer Plus - c:\program files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
Trusted Zone: appspot.com\textyserver
Trusted Zone: honda.com\www.in
Trusted Zone: reyrey.com\cr.gs
Trusted Zone: reyrey.com\www.gs
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: CM_AdvancedCAB - hxxps://www.gs.reyrey.com/common/ClientCheck/CM_AdvancedCAB.CAB
DPF: PrintTemplateViewerCab - hxxps://cr.gs.reyrey.com/clientdll/printtemplateviewer.cab
FF - ProfilePath - c:\users\Lakota\AppData\Roaming\Mozilla\Firefox\Profiles\lyvs9pgr.default-1374302290047\
FF - ExtSQL: 2013-09-09 07:25; firefox@gingersoftware.com; c:\program files (x86)\Ginger\Mozilla\firefox@gingersoftware.com
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} - c:\users\Lakota\AppData\Local\DefineExt\temp.dat
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-AVG-Secure-Search-Update_0913a - c:\users\Lakota\AppData\Roaming\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
   89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
   91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{724D43A0-0D85-11D4-9908-00400523E39A}"=hex:51,66,7a,6c,4c,1d,38,12,ce,40,5e,
   76,b7,43,ba,54,e6,1e,43,00,00,7d,a7,8e
"{5911488E-9D1E-40EC-8CBB-06B231CC153F}"=hex:51,66,7a,6c,4c,1d,38,12,e0,4b,02,
   5d,2c,d3,82,05,f3,ad,45,f2,34,92,51,2b
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
   1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA}"=hex:51,66,7a,6c,4c,1d,38,12,81,2d,20,
   35,ad,85,e1,00,d0,fd,90,4e,9f,38,f2,ae
"{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}"=hex:51,66,7a,6c,4c,1d,38,12,7c,f0,b1,
   38,5c,21,3d,0e,d9,78,0d,25,e1,c9,8c,d4
"{6E13D095-45C3-4271-9475-F3B48227DD9F}"=hex:51,66,7a,6c,4c,1d,38,12,fb,d3,00,
   6a,f1,0b,1f,07,eb,63,b0,f4,87,79,99,8b
"{724D43A9-0D85-11D4-9908-00400523E39A}"=hex:51,66,7a,6c,4c,1d,38,12,c7,40,5e,
   76,b7,43,ba,54,e6,1e,43,00,00,7d,a7,8e
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
   94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
   d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{98889811-442D-49DD-99D7-DC866BE87DBC}"=hex:51,66,7a,6c,4c,1d,38,12,7f,9b,9b,
   9c,1f,0a,b3,0c,e6,c1,9f,c6,6e,b6,39,a8
"{2EECD738-5844-4A99-B4B6-146BF802613B}"=hex:51,66,7a,6c,4c,1d,38,12,56,d4,ff,
   2a,76,16,f7,0f,cb,a0,57,2b,fd,5c,25,2f
"{4D2D3B0F-69BE-477A-90F5-FDDB05357975}"=hex:51,66,7a,6c,4c,1d,38,12,61,38,3e,
   49,8c,27,14,02,ef,e3,be,9b,00,6b,3d,61
"{9E131A93-EED7-4BEB-B015-A0ADB30B5646}"=hex:51,66,7a,6c,4c,1d,38,12,fd,19,00,
   9a,e5,a0,85,0e,cf,03,e3,ed,b6,55,12,52
"{000F18F2-09EB-4A59-82B2-5AE4184C39C3}"=hex:51,66,7a,6c,4c,1d,38,12,9c,1b,1c,
   04,d9,47,37,0f,fd,a4,19,a4,1d,12,7d,d7
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b4,c1,77,88,58,76,6e,45,8a,0e,f2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b4,c1,77,88,58,76,6e,45,8a,0e,f2,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-09-21  12:16:19
ComboFix-quarantined-files.txt  2013-09-21 18:16
ComboFix2.txt  2013-07-20 08:04
ComboFix3.txt  2013-07-20 06:21
.
Pre-Run: 25,725,251,584 bytes free
Post-Run: 25,642,360,832 bytes free
.
- - End Of File - - 3F84B4A9E04AFC43588FA5D54B644C06
A36C5E4F47E84449FF07ED3517B43A31


Edited by Lekota, 22 September 2013 - 10:46 AM.


#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:12:21 AM

Posted 23 September 2013 - 07:15 AM

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#7 Lekota

Lekota
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:05:21 PM

Posted 25 September 2013 - 11:52 AM

Sorry for the delay in my reply, I will run the program and post the log when complete.



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:12:21 AM

Posted 30 September 2013 - 07:50 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.