Solved GAC_64 desktop.ini and Win:64.a(?) infection

djhitman · Sep 5, 2012

Not sure what my son downloaded, but it's not pretty. I have run Malwarebytes, Superantispyware, and system has avg internet security. Still cannot remove these viruses. Also, a windows\system32\services.exe file keeps coming up on multiple threat detections.
Any help would be appreciated!

djhitman · Sep 5, 2012

I have a compaq running windows 7, if that helps!

djhitman · Sep 5, 2012

This is what malwarebytes found. But my AVG resident shield keeps finding other trojans and viruses!

djhitman · Sep 5, 2012

Sorry, this is what the MBAM log says:
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.09.05.10
Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Hitman :: HITMAN-HP [administrator]
Protection: Enabled
9/5/2012 3:56:42 PM
mbam-log-2012-09-05 (15-56-42).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215566
Time elapsed: 13 minute(s), 29 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U\000000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
(end)

Broni · Sep 5, 2012

Welcome aboard

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
If you're stuck, or you're not sure about certain step, always ask before doing anything else.
Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
Never run more than one scan at a time.
Keep updating me regarding your computer behavior, good, or bad.
The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=========================================

For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

- Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Next...

Re-run FRST again.
Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes in your reply.

I'll expect two logs:
- FRST.txt
- Search.txt

djhitman · Sep 5, 2012

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Hitman at 19:40:53 on 2012-09-05
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1979.789 [GMT -4:00]
.
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
AV: AVG Internet Security 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
FW: AVG Internet Security 2012 *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\ProgramData\Browser Manager\2.2.580.182\{16cdff19-861d-48e3-a751-d99a27784753}\brwmngr.exe
C:\ProgramData\Browser Manager\2.2.580.182\{16cdff19-861d-48e3-a751-d99a27784753}\brwmngr.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Program Files (x86)\AVG\AVG2012\avgcfgex.exe
C:\Program Files (x86)\AVG\AVG2012\avgfws.exe
"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.facebook.com/
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\IPS\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\12.2.5.32\AVG Secure Search_toolbar.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: FreeWorkz Games: {d1ecd019-8423-43de-98d1-7892af2da309} - C:\Users\Hitman\AppData\Local\FreeWorkz\FreeWorkzIE.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - C:\Program Files (x86)\AVG Secure Search\12.2.5.32\AVG Secure Search_toolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll
TB: {D0F4A166-B8D4-48b8-9D63-80849FE137CB} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
TB: {0CC09160-108C-4759-BAB1-5C12C216E005} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
uRun: [Facebook Update] "C:\Users\Hitman\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
uRun: [PC Speed Maximizer] "C:\Program Files (x86)\PC Speed Maximizer\SPMStarter.exe"
uRun: [SPMTray] "C:\Program Files (x86)\PC Speed Maximizer\SPMTray.exe"
uRun: [Google Update] "C:\Users\Hitman\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [Bing Bar] "C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe"
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [WinampAgent] C:\Program Files (x86)\Winamp\winampa.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9980562D-1032-44AB-A486-681219EA5379} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9980562D-1032-44AB-A486-681219EA5379}\2456C6B696E6E233646313 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{9980562D-1032-44AB-A486-681219EA5379}\350756E6365627 : DhcpNameServer = 192.168.1.1 208.95.136.5 208.95.136.6
TCP: Interfaces\{9980562D-1032-44AB-A486-681219EA5379}\35471627273516C6F6E6 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{9980562D-1032-44AB-A486-681219EA5379}\A4F586F6D656F5573756 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{9980562D-1032-44AB-A486-681219EA5379}\B696E646275646 : DhcpNameServer = 97.64.209.36 97.64.168.13
TCP: Interfaces\{9980562D-1032-44AB-A486-681219EA5379}\C45656075627 : DhcpNameServer = 208.95.136.5 208.95.136.6 208.95.136.4
TCP: Interfaces\{9980562D-1032-44AB-A486-681219EA5379}\C4F65746350727573656D27657563747 : DhcpNameServer = 172.16.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\12.2.6\ViProtocol.dll
AppInit_DLLs: c:\progra~3\browse~1\22580~1.182\{16cdf~1\brwmngr.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\12.2.5.32\AVG Secure Search_toolbar.dll
BHO-X64: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll
BHO-X64: Searchqu Toolbar - No File
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: FreeWorkz Games: {D1ECD019-8423-43de-98D1-7892AF2DA309} - C:\Users\Hitman\AppData\Local\FreeWorkz\FreeWorkzIE.dll
BHO-X64: FreeWorkz Games - No File
BHO-X64: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
BHO-X64: Yontoo Layers - No File
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: @C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll
TB-X64: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\12.2.5.32\AVG Secure Search_toolbar.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll
TB-X64: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~2\SEARCH~1\Datamngr\ToolBar\searchqudtx.dll
TB-X64: {D0F4A166-B8D4-48b8-9D63-80849FE137CB} - No File
TB-X64: {0CC09160-108C-4759-BAB1-5C12C216E005} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [Bing Bar] "C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe"
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun-x64: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [WinampAgent] C:\Program Files (x86)\Winamp\winampa.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun-x64: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
AppInit_DLLs-X64: c:\progra~3\browse~1\22580~1.182\{16cdf~1\brwmngr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Hitman\AppData\Roaming\Mozilla\Firefox\Profiles\zly12i6x.default\
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110396&tt=201208_mnt_n_3412_6&babsrc=KW_ss&mntrId=eebd28f90000000000001c659d04fb3e&q=
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110396&tt=201208_mnt_n_3412_6&babsrc=KW_ss&mntrId=eebd28f90000000000001c659d04fb3e&q=
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=110396&tt=201208_mnt_n_3412_6&babsrc=HP_ss&mntrId=eebd28f90000000000001c659d04fb3e
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110396&tt=201208_mnt_n_3412_6&babsrc=KW_ss&mntrId=eebd28f90000000000001c659d04fb3e&q=
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Free Ride Games\npExentCtl.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Hitman\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\Hitman\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar.autoRvrt - false
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=eebd28f90000000000001c659d04fb3e&q=
FF - user.js: extensions.BabylonToolbar.id - eebd28f90000000000001c659d04fb3e
FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}
FF - user.js: extensions.BabylonToolbar.instlDay - 15578
FF - user.js: extensions.BabylonToolbar.vrsn - 1.6.9.12
FF - user.js: extensions.BabylonToolbar.vrsni - 1.6.9.12
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.6.9.1212:30:48
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - base
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110396&tt=201208_mnt_n_3412_6
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
.
.
.
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1207020.003\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1207020.003\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1207020.003\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1207020.003\SYMEFA64.SYS [?]
R1 Avgfwfd;AVG network filter service;C:\Windows\system32\DRIVERS\avgfwd6a.sys --> C:\Windows\system32\DRIVERS\avgfwd6a.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R1 avgtp;avgtp;\??\C:\Windows\system32\drivers\avgtpx64.sys --> C:\Windows\system32\drivers\avgtpx64.sys [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20120531.001\BHDrvx64.sys [2012-6-5 1160824]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20120605.001\IDSviA64.sys [2012-6-5 488568]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1207020.003\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1207020.003\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-8-17 98208]
R2 avgfws;AVG Firewall;C:\Program Files (x86)\AVG\AVG2012\avgfws.exe [2012-3-23 2321520]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
R2 Browser Manager;Browser Manager;C:\ProgramData\Browser Manager\2.2.580.182\{16cdff19-861d-48e3-a751-d99a27784753}\brwmngr.exe [2012-8-26 1695776]
R2 CinemaNow Service;CinemaNow Service;C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2010-5-21 140272]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-9 86072]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-6-18 103992]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-9 26680]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-3 655944]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccsvchst.exe [2012-6-11 130008]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
R2 RtVOsdService;RtVOsdService Installer;C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe [2010-4-19 315392]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-8-13 3064000]
R2 vToolbarUpdater12.2.6;vToolbarUpdater12.2.6;C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [2012-9-3 722528]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys --> C:\Windows\system32\DRIVERS\avgidsdrivera.sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\avgidsfiltera.sys --> C:\Windows\system32\DRIVERS\avgidsfiltera.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\Windows\system32\DRIVERS\rtl8192se.sys --> C:\Windows\system32\DRIVERS\rtl8192se.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-4-30 5106744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-3 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-6-5 250056]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-6-5 129976]
S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
.
=============== Created Last 30 ================
.
2012-09-04 03:18:56 31080 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys
2012-09-04 02:21:15 -------- d-----w- C:\Program Files (x86)\blekkotb_soc
2012-09-04 00:48:21 -------- d-----w- C:\Users\Hitman\AppData\Roaming\Malwarebytes
2012-09-04 00:48:11 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-09-04 00:48:11 -------- d-----w- C:\ProgramData\Malwarebytes
2012-09-04 00:48:11 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-03 18:58:36 -------- d-----w- C:\Windows\SysWow64\searchplugins
2012-09-03 18:58:36 -------- d-----w- C:\Windows\SysWow64\Extensions
2012-09-03 15:28:11 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2012-09-03 15:22:56 -------- d-----w- C:\ProgramData\781287A802B36D01D0823CC64F147CE7
2012-09-01 18:09:34 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B9BDDE8E-F89D-4311-870B-0FBFF70C5ACF}\offreg.dll
2012-09-01 00:30:07 9310152 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B9BDDE8E-F89D-4311-870B-0FBFF70C5ACF}\mpengine.dll
2012-08-26 17:02:38 -------- d-----w- C:\ProgramData\Tarma Installer
2012-08-26 17:02:35 -------- d-----w- C:\ProgramData\IBUpdaterService
2012-08-26 17:02:02 666272 ----a-w- C:\Program Files (x86)\Uninstall Information\ib_uninst_514\uninstall.exe
2012-08-26 17:02:00 -------- d-----w- C:\Program Files (x86)\Conduit
2012-08-26 17:01:57 -------- d-----w- C:\Users\Hitman\AppData\Local\Conduit
2012-08-26 17:01:53 666272 ----a-w- C:\Program Files (x86)\Uninstall Information\ib_uninst_569\uninstall.exe
2012-08-26 17:01:43 -------- d-----w- C:\ProgramData\Browser Manager
2012-08-26 16:31:10 651360 ----a-w- C:\Program Files (x86)\Uninstall Information\ib_uninst_532\uninstall.exe
2012-08-26 16:30:12 651360 ----a-w- C:\Program Files (x86)\Uninstall Information\ib_uninst_358\uninstall.exe
2012-08-26 16:30:11 666272 ----a-w- C:\Program Files (x86)\Uninstall Information\ib_uninst_342\uninstall.exe
2012-08-26 16:30:03 -------- d-----w- C:\Users\Hitman\AppData\Roaming\PerformerSoft
2012-08-26 16:30:01 651360 ----a-w- C:\Program Files (x86)\Uninstall Information\ib_uninst_568\uninstall.exe
2012-08-26 16:29:57 19000 ----a-w- C:\Windows\System32\roboot64.exe
2012-08-26 16:29:52 666272 ----a-w- C:\Program Files (x86)\Uninstall Information\ib_uninst_343\uninstall.exe
2012-08-26 16:29:36 651360 ----a-w- C:\Program Files (x86)\Uninstall Information\ib_uninst_0\uninstall.exe
2012-08-17 07:02:59 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-08-15 20:29:05 -------- d-----w- C:\ProgramData\WEBREG
2012-08-15 20:26:59 248320 ----a-w- C:\Windows\System32\Spool\prtprocs\x64\hpfpp70v.dll
2012-08-15 20:24:39 9826504 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-08-15 20:20:24 -------- d-----w- C:\Program Files (x86)\Coupons
2012-08-15 20:19:52 -------- d-----w- C:\Users\Hitman\AppData\Roaming\HpUpdate
2012-08-15 20:06:14 -------- d-----w- C:\Users\Hitman\AppData\Roaming\SUPERAntiSpyware.com
2012-08-15 20:05:41 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-08-15 20:05:41 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-08-15 19:59:18 -------- d-----w- C:\Program Files (x86)\Common Files\HP
2012-08-15 19:59:07 -------- d-----w- C:\Program Files (x86)\Common Files\Hewlett-Packard
2012-08-15 19:57:59 136704 ----a-w- C:\Windows\System32\hpf3l70v.dll
2012-08-15 19:56:05 -------- d-----w- C:\Program Files\HP
2012-08-15 19:46:04 880640 ----a-w- C:\Windows\System32\hposwia_p02c.dll
2012-08-15 19:46:04 642360 ----a-w- C:\Windows\System32\hpzids40.dll
2012-08-15 19:46:04 551424 ----a-w- C:\Windows\System32\hppldcoi.dll
2012-08-15 19:46:04 1403904 ----a-w- C:\Windows\System32\hpost_p02c.dll
2012-08-15 19:46:03 515072 ----a-w- C:\Windows\System32\hposc_p02a.dll
2012-08-15 02:29:32 67584 ----a-w- C:\Windows\splwow64.exe
2012-08-15 02:29:30 751104 ----a-w- C:\Windows\System32\win32spl.dll
2012-08-15 02:29:30 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2012-08-15 02:29:30 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2012-08-15 02:26:06 503808 ----a-w- C:\Windows\System32\srcore.dll
2012-08-15 02:26:06 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2012-08-15 02:25:15 58880 ----a-w- C:\Windows\System32\browcli.dll
2012-08-15 02:25:15 41472 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-08-15 02:25:15 136704 ----a-w- C:\Windows\System32\browser.dll
2012-08-15 02:25:08 3146752 ----a-w- C:\Windows\System32\win32k.sys
2012-08-15 02:24:25 956416 ----a-w- C:\Windows\System32\localspl.dll
.
==================== Find3M ====================
.
2012-08-15 20:25:02 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-08-15 20:25:01 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-21 02:04:51 215336 ----a-w- C:\Windows\System32\SynTPAPI.dll
2012-07-21 02:04:51 147752 ----a-w- C:\Windows\System32\SynTPCo4.dll
2012-07-21 02:04:51 1390640 ----a-w- C:\Windows\System32\drivers\SynTP.sys
2012-07-21 02:04:51 107816 ----a-w- C:\Windows\SysWow64\SynTPCOM.dll
2012-07-21 02:04:50 400168 ----a-w- C:\Windows\System32\SynCOM.dll
2012-07-21 02:04:50 271144 ----a-w- C:\Windows\System32\SynCtrl.dll
2012-07-21 02:04:50 214312 ----a-w- C:\Windows\SysWow64\SynCtrl.dll
2012-07-21 02:04:50 173352 ----a-w- C:\Windows\SysWow64\SynCOM.dll
2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 19:42:55.38 ===============

djhitman · Sep 5, 2012

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 10/6/2010 7:43:25 PM
System Uptime: 9/5/2012 4:23:15 PM (3 hours ago)
.
Motherboard: Hewlett-Packard | | 1605
Processor: Intel(R) Celeron(R) CPU 900 @ 2.20GHz | CPU | 2194/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 216 GiB total, 157.664 GiB free.
D: is FIXED (NTFS) - 16 GiB total, 2.33 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP90: 8/24/2012 6:49:50 PM - Windows Update
RP91: 8/25/2012 2:35:12 PM - Installed Network64
RP92: 8/26/2012 12:55:24 PM - Installed Call of Duty(R) 4 - Modern Warfare(TM) Demo
RP93: 8/26/2012 12:55:41 PM - PC Performer Sun, Aug 26, 12 12:55
RP94: 8/26/2012 12:59:26 PM - Installed DirectX
RP95: 8/28/2012 7:14:06 AM - Windows Update
RP96: 8/31/2012 8:28:37 PM - Windows Update
RP97: 9/3/2012 10:29:07 PM - Removed WeatherBug
RP98: 9/3/2012 10:37:00 PM - Removed BabylonObjectInstaller
RP99: 9/3/2012 10:37:38 PM - Removed Call of Duty(R) 4 - Modern Warfare(TM) Demo
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.2 MUI
Adobe Shockwave Player 11.5
Bejeweled 2 Deluxe
Bing Bar
Bing Bar Platform
Blackhawk Striker 2
BufferChm
Build-a-lot 2
C4700
Chuzzle Deluxe
CinemaNow Media Manager
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Coupon Printer for Windows
CyberLink DVD Suite
CyberLink MediaShow
CyberLink PowerDVD 9
CyberLink YouCam
Destinations
DeviceDiscovery
Diner Dash 2 Restaurant Rescue
Dora's Carnival Adventure
Energy Star Digital Logo
Escape Rosecliff Island
ESU for Microsoft Windows 7
Facebook Video Calling 1.2.0.159
FATE
Final Drive Nitro
Google Chrome
GPBaseService2
Heroes of Hellas 2 - Olympia
Hewlett-Packard ACLM.NET v1.1.2.0
HP Advisor
HP Customer Experience Enhancements
HP Documentation
HP Games
HP MediaSmart CinemaNow 2.0
HP Photo Creations
HP Power Manager
HP Quick Launch
HP Setup
HP Software Framework
HP Support Assistant
HP Update
HPPhotoGadget
HPProductAssistant
HPSSupply
Intel(R) Control Center
Intel(R) Graphics Media Accelerator Driver
Intel(R) Rapid Storage Technology
Java Auto Updater
Java(TM) 6 Update 31
Jewel Quest 3
Jewel Quest Solitaire 2
Junk Mail filter update
LabelPrint
LightScribe System Software
Malwarebytes Anti-Malware version 1.62.0.1300
MarketResearch
Microsoft Choice Guard
Microsoft Default Manager
Microsoft Office 2010
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft WSE 3.0 Runtime
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Internet Security
Norton Online Backup
PC Speed Maximizer v3.0
Penguins!
PhotoNow!
Plants vs. Zombies
Poker Superstars III
Polar Bowler
Polar Golfer
Power2Go
PowerDirector
PS_AIO_06_C4700_SW_Min
QuickTransfer
Realtek Ethernet Controller Driver For Windows 7
Realtek High Definition Audio Driver
REALTEK Wireless LAN Software
Recovery Manager
RollerCoaster Tycoon 3: Platinum
Roxio CinemaNow 2.0
Scan
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Show Presenter
Skype Click to Call
Skype™ 5.10
SmartWebPrinting
SolutionCenter
Status
Toolbox
TrayApp
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update Installer for WildTangent Games App
Virtual Families
Virtual Villagers - The Secret City
Visual Studio 2008 x64 Redistributables
WebReg
Wheel of Fortune 2
WildTangent Games
WildTangent Games App
Winamp (remove only)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Wizard101
Zuma Deluxe
.
==== Event Viewer Messages From Past Week ========
.
9/5/2012 8:55:17 AM, Error: Service Control Manager [7043] - The AVGIDSAgent service did not shut down properly after receiving a preshutdown control.
9/5/2012 7:43:00 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
9/5/2012 7:29:25 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
9/5/2012 7:29:25 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
9/5/2012 4:24:03 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
9/5/2012 4:24:01 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
9/5/2012 4:22:08 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the avgwd service.
9/4/2012 6:47:00 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the RtVOsdService service.
9/3/2012 8:41:33 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
9/3/2012 8:41:32 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
9/3/2012 8:41:32 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
9/3/2012 8:41:28 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/3/2012 8:41:22 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
9/3/2012 8:40:13 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx64 Avgmfx64 BHDrvx64 discache eeCtrl IDSVia64 SASDIFSV SASKUTIL spldr SRTSPX SymIRON SymNetS Wanarpv6
9/3/2012 8:40:12 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
9/3/2012 5:12:27 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the HPWMISVC service.
9/3/2012 10:17:36 PM, Error: Service Control Manager [7024] - The AVGIDSAgent service terminated with service-specific error %%-536753636.
9/3/2012 10:06:10 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
9/2/2012 9:29:12 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
9/2/2012 4:30:22 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
9/2/2012 2:03:06 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NIS service.
9/2/2012 1:16:41 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} and APPID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user Hitman-HP\Hitman SID (S-1-5-21-3215210023-636172019-1926784146-1002) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
9/1/2012 12:47:23 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the HPSLPSVC service.
8/29/2012 8:58:23 PM, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.
.
==== End Of File ===========================

djhitman · Sep 5, 2012

Thanks Broni for the post! I did as instructed, and here are the results.
Scan result of Farbar Recovery Scan Tool (x64) Version: 05-09-2012
Ran by SYSTEM at 05-09-2012 23:06:34
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2281256 2012-07-20] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [6245408 2010-05-25] (Realtek Semiconductor)
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-06-18] (Hewlett-Packard Company)
HKLM-x32\...\Run: [Bing Bar] "C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe" [243544 2010-04-13] (Microsoft Corp.)
HKLM-x32\...\Run: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume [288088 2009-11-11] (Microsoft Corporation)
HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [WinampAgent] C:\Program Files (x86)\Winamp\winampa.exe [35328 2006-06-21] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2587008 2012-04-05] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [947808 2012-09-03] ()
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [586296 2010-11-09] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Default User\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Hitman\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-05-19] (Hewlett-Packard Company)
HKU\Hitman\...\Run: [Facebook Update] "C:\Users\Hitman\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-11] (Facebook Inc.)
HKU\Hitman\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)
HKU\Hitman\...\Run: [PC Speed Maximizer] "C:\Program Files (x86)\PC Speed Maximizer\SPMStarter.exe" [x]
HKU\Hitman\...\Run: [SPMTray] "C:\Program Files (x86)\PC Speed Maximizer\SPMTray.exe" [x]
HKU\Hitman\...\Run: [Google Update] "C:\Users\Hitman\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-05-20] (Google Inc.)
HKU\Hitman\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5661056 2012-09-05] (SUPERAntiSpyware.com)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
AppInit_DLLs:
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
==================== Services ====================
2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [140672 2011-08-11] (SUPERAntiSpyware.com)
2 avgfws; "C:\Program Files (x86)\AVG\AVG2012\avgfws.exe" [2321520 2012-03-23] (AVG Technologies CZ, s.r.o.)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe" [5106744 2012-04-30] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
2 Browser Manager; C:\ProgramData\Browser Manager\2.2.580.182\{16cdff19-861d-48e3-a751-d99a27784753}\brwmngr.exe [1695776 2012-08-26] ()
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)
2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)
2 vToolbarUpdater12.2.6; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [722528 2012-09-03] ()
==================== Drivers =================================
1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [48992 2011-05-22] (AVG Technologies CZ, s.r.o.)
3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [289872 2012-02-22] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [383808 2012-03-19] (AVG Technologies CZ, s.r.o.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [31080 2012-09-03] (AVG Technologies)
1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20120531.001\BHDrvx64.sys [1160824 2012-04-02] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-05-31] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20120605.001\IDSvia64.sys [488568 2012-04-27] (Symantec Corporation)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20120605.020\ENG64.SYS [120440 2012-05-16] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20120605.020\EX64.SYS [2068600 2012-05-16] (Symantec Corporation)
1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
3 SRTSP; C:\Windows\System32\Drivers\NISx64\1207020.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NISx64\1207020.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NISx64\1207020.003\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NISx64\1207020.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
3 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2012-04-07] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)
==================== NetSvcs (Whitelisted) =================

==================== One Month Created Files and Folders ======================
2012-09-05 23:04 - 2012-09-05 23:04 - 00000000 ____D C:\FRST
2012-09-05 15:35 - 2012-09-05 15:35 - 00607260 ____R (Swearware) C:\Users\Hitman\Desktop\dds.com
2012-09-05 12:19 - 2012-09-05 12:20 - 00302592 ____A C:\Users\Hitman\Desktop\67x870q6.exe
2012-09-05 11:43 - 2012-09-05 12:15 - 00001185 ____A C:\Users\Hitman\Desktop\New Text Document.txt
2012-09-04 01:05 - 2012-09-04 01:05 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Adobe
2012-09-04 01:05 - 2012-09-04 01:05 - 00000000 ____D C:\users\Administrator
2012-09-03 19:18 - 2012-09-03 19:18 - 00031080 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2012-09-03 18:21 - 2012-09-03 18:21 - 00000000 ____D C:\Program Files (x86)\blekkotb_soc
2012-09-03 16:48 - 2012-09-03 16:48 - 00001069 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-03 16:48 - 2012-09-03 16:48 - 00000000 ____D C:\Users\Hitman\AppData\Roaming\Malwarebytes
2012-09-03 16:48 - 2012-09-03 16:48 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-09-03 16:48 - 2012-09-03 16:48 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-03 16:48 - 2012-07-03 09:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-03 10:58 - 2012-09-03 10:58 - 00000000 ____D C:\Windows\SysWOW64\searchplugins
2012-09-03 10:58 - 2012-09-03 10:58 - 00000000 ____D C:\Windows\SysWOW64\Extensions
2012-09-03 07:28 - 2012-09-03 07:28 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-09-03 07:22 - 2012-09-03 07:24 - 00000000 ____D C:\Users\All Users\781287A802B36D01D0823CC64F147CE7
2012-08-26 09:02 - 2012-08-26 09:02 - 00000009 ____A C:\END
2012-08-26 09:02 - 2012-08-26 09:02 - 00000000 ____D C:\Users\All Users\IBUpdaterService
2012-08-26 09:02 - 2012-08-26 09:02 - 00000000 ____D C:\Program Files (x86)\Conduit
2012-08-26 09:01 - 2012-09-03 18:19 - 00000000 ____D C:\Users\Hitman\AppData\Local\Conduit
2012-08-26 09:01 - 2012-08-26 09:01 - 00000000 ____D C:\Users\All Users\Browser Manager
2012-08-26 08:59 - 2012-08-26 08:59 - 00000336 ____A C:\Windows\game.ini
2012-08-26 08:30 - 2012-09-03 18:33 - 00000000 ____D C:\Users\Hitman\AppData\Roaming\PerformerSoft
2012-08-26 08:29 - 2012-03-14 11:47 - 00019000 ____A (PerformerSoft LLC) C:\Windows\System32\roboot64.exe
2012-08-16 23:03 - 2012-06-28 19:56 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-16 23:03 - 2012-06-28 19:49 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-16 23:03 - 2012-06-28 19:48 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-16 23:03 - 2012-06-28 19:47 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-16 23:03 - 2012-06-28 19:43 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-16 23:03 - 2012-06-28 19:42 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-16 23:03 - 2012-06-28 19:40 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-16 23:03 - 2012-06-28 19:39 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-16 23:03 - 2012-06-28 19:35 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-16 23:03 - 2012-06-28 16:09 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-16 23:03 - 2012-06-28 16:09 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-16 23:03 - 2012-06-28 16:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-16 23:03 - 2012-06-28 16:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-16 23:03 - 2012-06-28 16:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-16 23:03 - 2012-06-28 16:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-16 23:03 - 2012-06-28 16:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-16 23:03 - 2012-06-28 16:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-16 23:03 - 2012-06-28 15:57 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-16 23:02 - 2012-06-28 20:55 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-16 23:02 - 2012-06-28 20:09 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-16 23:02 - 2012-06-28 19:49 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-16 23:02 - 2012-06-28 19:45 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-16 23:02 - 2012-06-28 19:44 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-16 23:02 - 2012-06-28 16:52 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-16 23:02 - 2012-06-28 16:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-16 23:02 - 2012-06-28 16:16 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-16 23:02 - 2012-06-28 16:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-16 23:02 - 2012-06-28 16:04 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-15 12:29 - 2012-08-15 12:29 - 00000000 ____D C:\Users\All Users\WEBREG
2012-08-15 12:24 - 2012-08-15 12:24 - 09826504 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-08-15 12:21 - 2012-08-15 12:29 - 00000000 ____D C:\Users\Hitman\AppData\Roaming\HP
2012-08-15 12:20 - 2012-08-15 12:20 - 00000000 ____D C:\Program Files (x86)\Coupons
2012-08-15 12:19 - 2012-09-01 10:34 - 00000000 ____D C:\Users\Hitman\AppData\Roaming\HpUpdate
2012-08-15 12:18 - 2012-08-15 12:18 - 00001121 ____A C:\Users\Public\Desktop\Shop for HP Supplies.lnk
2012-08-15 12:06 - 2012-08-15 12:06 - 00000000 ____D C:\Users\Hitman\AppData\Roaming\SUPERAntiSpyware.com
2012-08-15 12:05 - 2012-09-05 04:58 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2012-08-15 12:05 - 2012-08-15 12:05 - 00001808 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-08-15 12:05 - 2012-08-15 12:05 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-08-15 12:00 - 2012-08-15 12:00 - 00001275 ____A C:\Users\Public\Desktop\HP Solution Center.lnk
2012-08-15 12:00 - 2012-08-15 12:00 - 00000000 ____D C:\Users\All Users\HP Product Assistant
2012-08-15 11:57 - 2009-04-16 10:08 - 00136704 ____A (Hewlett-Packard Company) C:\Windows\System32\hpf3l70v.dll
2012-08-15 11:56 - 2012-08-15 11:56 - 00000000 ____D C:\Program Files\HP
2012-08-15 11:55 - 2012-08-15 12:31 - 00208080 ____A C:\Windows\hpoins43.dat
2012-08-15 11:55 - 2012-08-15 12:31 - 00001607 ____A C:\Users\All Users\hpzinstall.log
2012-08-15 11:55 - 2010-01-30 05:11 - 00000601 ____N C:\Windows\hpomdl43.dat
2012-08-15 11:46 - 2012-08-15 12:29 - 00000000 ____D C:\Users\All Users\HP
2012-08-15 11:46 - 2009-04-16 03:53 - 00642360 ____A (Hewlett-Packard) C:\Windows\System32\hpzids40.dll
2012-08-15 11:46 - 2009-02-11 03:03 - 01403904 ____A (Hewlett-Packard Co.) C:\Windows\System32\hpost_p02c.dll
2012-08-15 11:46 - 2009-02-11 03:03 - 00880640 ____A (Hewlett-Packard) C:\Windows\System32\hposwia_p02c.dll
2012-08-15 11:46 - 2009-02-11 03:03 - 00515072 ____A (Hewlett-Packard Co.) C:\Windows\System32\hposc_p02a.dll
2012-08-15 11:46 - 2008-10-28 16:27 - 00551424 ____A (Hewlett-Packard) C:\Windows\System32\hppldcoi.dll
2012-08-14 18:29 - 2012-02-10 22:36 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2012-08-14 18:29 - 2012-02-10 22:29 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2012-08-14 18:29 - 2012-02-10 22:29 - 00067584 ____A (Microsoft Corporation) C:\Windows\splwow64.exe
2012-08-14 18:29 - 2012-02-10 21:44 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2012-08-14 18:26 - 2012-05-05 00:30 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2012-08-14 18:26 - 2012-05-04 23:44 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2012-08-14 18:25 - 2012-07-18 09:31 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-14 18:25 - 2012-07-04 14:04 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-14 18:25 - 2012-07-04 14:01 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-14 18:25 - 2012-07-04 14:01 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-14 18:25 - 2012-07-04 13:26 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-08-14 18:25 - 2012-07-04 13:23 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-08-14 18:24 - 2012-05-13 21:20 - 00956416 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
==================== 3 Months Modified Files ================================
2012-09-05 18:57 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-05 18:57 - 2009-07-13 20:51 - 00078080 ____A C:\Windows\setupact.log
2012-09-05 18:24 - 2012-06-05 08:26 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-05 18:20 - 2012-05-20 09:58 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3215210023-636172019-1926784146-1002UA.job
2012-09-05 17:57 - 2012-04-13 12:35 - 00000932 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3215210023-636172019-1926784146-1002UA.job
2012-09-05 17:57 - 2012-04-13 12:35 - 00000910 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3215210023-636172019-1926784146-1002Core.job
2012-09-05 15:35 - 2012-09-05 15:35 - 00607260 ____R (Swearware) C:\Users\Hitman\Desktop\dds.com
2012-09-05 12:32 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-05 12:32 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-05 12:20 - 2012-09-05 12:19 - 00302592 ____A C:\Users\Hitman\Desktop\67x870q6.exe
2012-09-05 12:15 - 2012-09-05 11:43 - 00001185 ____A C:\Users\Hitman\Desktop\New Text Document.txt
2012-09-05 09:20 - 2012-05-20 09:58 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3215210023-636172019-1926784146-1002Core.job
2012-09-05 06:49 - 2010-10-06 21:37 - 00035314 ____A C:\Windows\PFRO.log
2012-09-03 19:18 - 2012-09-03 19:18 - 00031080 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2012-09-03 16:48 - 2012-09-03 16:48 - 00001069 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-09-03 07:22 - 2010-08-17 00:34 - 01386530 ____A C:\Windows\WindowsUpdate.log
2012-08-31 16:25 - 2011-04-01 17:17 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-08-26 09:02 - 2012-08-26 09:02 - 00000009 ____A C:\END
2012-08-26 09:01 - 2010-07-10 18:07 - 00258194 ____A C:\Windows\DirectX.log
2012-08-26 08:59 - 2012-08-26 08:59 - 00000336 ____A C:\Windows\game.ini
2012-08-26 08:30 - 2012-05-19 10:54 - 00001893 ____A C:\user.js
2012-08-25 09:58 - 2012-05-04 17:05 - 00000336 ____A C:\Windows\Tasks\HPCeeScheduleForHitman.job
2012-08-16 23:27 - 2009-07-13 20:45 - 00286168 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-16 15:47 - 2012-03-09 09:32 - 00001974 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-08-15 12:31 - 2012-08-15 11:55 - 00208080 ____A C:\Windows\hpoins43.dat
2012-08-15 12:31 - 2012-08-15 11:55 - 00001607 ____A C:\Users\All Users\hpzinstall.log
2012-08-15 12:27 - 2009-07-13 21:13 - 00726316 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-15 12:27 - 2009-07-13 18:34 - 00000438 ____A C:\Windows\win.ini
2012-08-15 12:25 - 2012-06-05 08:26 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-15 12:25 - 2012-03-09 10:42 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-15 12:24 - 2012-08-15 12:24 - 09826504 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-08-15 12:21 - 2010-10-06 14:49 - 00063032 ____A C:\Users\Hitman\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-15 12:18 - 2012-08-15 12:18 - 00001121 ____A C:\Users\Public\Desktop\Shop for HP Supplies.lnk
2012-08-15 12:05 - 2012-08-15 12:05 - 00001808 ____A C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2012-08-15 12:00 - 2012-08-15 12:00 - 00001275 ____A C:\Users\Public\Desktop\HP Solution Center.lnk
2012-07-27 16:40 - 2012-06-01 13:52 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2012-07-20 18:06 - 2012-07-20 18:06 - 00000085 ____A C:\SYNTPAD.LOG
2012-07-20 18:06 - 2010-08-17 00:31 - 00008974 ____A C:\Windows\DPINST.LOG
2012-07-20 18:04 - 2012-07-20 18:05 - 01390640 ____A (Synaptics Incorporated) C:\Windows\System32\Drivers\SynTP.sys
2012-07-20 18:04 - 2012-07-20 18:05 - 00400168 ____A (Synaptics Incorporated) C:\Windows\System32\SynCOM.dll
2012-07-20 18:04 - 2012-07-20 18:05 - 00271144 ____A (Synaptics Incorporated) C:\Windows\System32\SynCtrl.dll
2012-07-20 18:04 - 2012-07-20 18:05 - 00215336 ____A (Synaptics Incorporated) C:\Windows\System32\SynTPAPI.dll
2012-07-20 18:04 - 2012-07-20 18:05 - 00214312 ____A (Synaptics Incorporated) C:\Windows\SysWOW64\SynCtrl.dll
2012-07-20 18:04 - 2012-07-20 18:05 - 00173352 ____A (Synaptics Incorporated) C:\Windows\SysWOW64\SynCOM.dll
2012-07-20 18:04 - 2012-07-20 18:05 - 00147752 ____A (Synaptics Incorporated) C:\Windows\System32\SynTPCo4.dll
2012-07-20 18:04 - 2012-07-20 18:05 - 00107816 ____A (Synaptics Incorporated) C:\Windows\SysWOW64\SynTPCOM.dll
2012-07-18 09:31 - 2012-08-14 18:25 - 03146752 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-04 14:04 - 2012-08-14 18:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 14:01 - 2012-08-14 18:25 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 14:01 - 2012-08-14 18:25 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 13:26 - 2012-08-14 18:25 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 13:23 - 2012-08-14 18:25 - 00041472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-07-03 09:46 - 2012-09-03 16:48 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-28 20:55 - 2012-08-16 23:02 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-28 20:09 - 2012-08-16 23:02 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-28 19:56 - 2012-08-16 23:03 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-28 19:49 - 2012-08-16 23:03 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-28 19:49 - 2012-08-16 23:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-28 19:48 - 2012-08-16 23:03 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-28 19:47 - 2012-08-16 23:03 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-28 19:45 - 2012-08-16 23:02 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-28 19:44 - 2012-08-16 23:02 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-28 19:43 - 2012-08-16 23:03 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-28 19:42 - 2012-08-16 23:03 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-28 19:40 - 2012-08-16 23:03 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-28 19:39 - 2012-08-16 23:03 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-28 19:35 - 2012-08-16 23:03 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-28 16:52 - 2012-08-16 23:02 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-28 16:27 - 2012-08-16 23:02 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-28 16:16 - 2012-08-16 23:02 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-28 16:09 - 2012-08-16 23:03 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-28 16:09 - 2012-08-16 23:03 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-28 16:08 - 2012-08-16 23:03 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-28 16:07 - 2012-08-16 23:03 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-28 16:06 - 2012-08-16 23:02 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-28 16:04 - 2012-08-16 23:03 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-28 16:04 - 2012-08-16 23:02 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-28 16:01 - 2012-08-16 23:03 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-28 16:01 - 2012-08-16 23:03 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-28 16:00 - 2012-08-16 23:03 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-28 15:57 - 2012-08-16 23:03 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-26 08:55 - 2009-07-13 21:08 - 00032630 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-19 03:45 - 2012-06-19 03:45 - 00000040 ____A C:\Windows\System32\?¾
2012-06-13 23:15 - 2012-03-09 09:20 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-08 21:30 - 2012-07-11 08:18 - 14165504 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:46 - 2012-07-11 08:18 - 12868608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

ZeroAccess:
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\L
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\L\00000004.@
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\L\201d3dde
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U\00000004.@
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U\00000008.@
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U\000000cb.@
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U\80000000.@
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U\80000032.@
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U\80000064.@
ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini
ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini
==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================
Restore point made on: 2012-08-24 14:50:22
Restore point made on: 2012-08-25 10:35:38
Restore point made on: 2012-08-26 08:55:51
Restore point made on: 2012-08-26 08:57:37
Restore point made on: 2012-08-26 08:59:43
Restore point made on: 2012-08-28 03:14:41
Restore point made on: 2012-08-31 16:28:59
Restore point made on: 2012-09-03 18:29:34
Restore point made on: 2012-09-03 18:37:07
Restore point made on: 2012-09-03 18:38:10
==================== Memory info ===========================
Percentage of memory in use: 30%
Total physical RAM: 1978.93 MB
Available physical RAM: 1372.13 MB
Total Pagefile: 1978.93 MB
Available Pagefile: 1374.61 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
==================== Partitions ============================
1 Drive c: () (Fixed) (Total:216.44 GB) (Free:157.39 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:16.14 GB) (Free:2.33 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
5 Drive h: () (Removable) (Total:3.76 GB) (Free:3.22 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Disk 1 Online 3854 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 216 GB 200 MB
Partition 3 Primary 16 GB 216 GB
Partition 4 Primary 103 MB 232 GB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy
==================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 216 GB Healthy
==================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RECOVERY NTFS Partition 16 GB Healthy
==================================================================================
Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F HP_TOOLS FAT32 Partition 103 MB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3853 MB 31 KB
==================================================================================
Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H FAT32 Removable 3853 MB Healthy
==================================================================================
Last Boot: 2012-09-04 14:29
==================== End Of Log =============================

djhitman · Sep 5, 2012

Also, I did the re-run of frst and typed services.exe in the search box... It didn't post a log on my hard drive (search.txt)

Broni · Sep 5, 2012

It creates a log on your USB drive.

djhitman · Sep 6, 2012

Sorry, I must have clicked scan instead of search!

Farbar Recovery Scan Tool (x64) Version: 05-09-2012
Ran by SYSTEM at 2012-09-06 15:07:25
Running from H:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC
====== End Of Search ======

Broni · Sep 7, 2012

Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next...

Restart normally.

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Double click on combofix.exe & follow the prompts.

NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7 right-click on it and choose Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
Do not reboot until instructed.
If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.

djhitman · Sep 9, 2012

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-09-2012
Ran by SYSTEM at 2012-09-08 12:45:30 Run:1
Running from H:\
==============================================
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====

djhitman · Sep 9, 2012

Rkill 2.3.10 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 09/09/2012 08:27:04 PM in x64 mode.
Windows Version: Windows 7 Home Premium
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]
Backup Registry file created at:
C:\Users\Hitman\Desktop\rkill\rkill-09-09-2012-08-27-05.reg
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* No issues found.
Checking Windows Service Integrity:
* Base Filtering Engine (BFE) is not Running.
Startup Type set to: Automatic
* DHCP Client (Dhcp) is not Running.
Startup Type set to: Automatic
* DNS Client (Dnscache) is not Running.
Startup Type set to: Automatic
* COM+ Event System (EventSystem) is not Running.
Startup Type set to: Automatic
* Network Connections (Netman) is not Running.
Startup Type set to: Manual
* Network Store Interface Service (nsi) is not Running.
Startup Type set to: Automatic
* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic (Delayed Start)
* Windows Update (wuauserv) is not Running.
Startup Type set to: Automatic (Delayed Start)
* Ancillary Function Driver for Winsock (AFD) is not Running.
Startup Type set to: System
* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual
* NetBT (NetBT) is not Running.
Startup Type set to: System
* NSI proxy service driver. (nsiproxy) is not Running.
Startup Type set to: System
* NetIO Legacy TDI Support Driver (tdx) is not Running.
Startup Type set to: System
* MpsSvc [Missing Service]
* SharedAccess [Missing ImagePath]
Searching for Missing Digital Signatures:
* No issues found.
Program finished at: 09/09/2012 08:27:06 PM
Execution time: 0 hours(s), 0 minute(s), and 2 seconds(s)

djhitman · Sep 9, 2012

ComboFix 12-09-09.02 - Hitman 09/09/2012 20:30:36.5.1 - x64 MINIMAL
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1979.1267 [GMT -4:00]
Running from: c:\users\Hitman\Desktop\Dave_Starr.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-- Previous Run --
.
c:\windows\SysWow64\Drivers\atapi.sys . . . is infected!!
.
--------
.
.
((((((((((((((((((((((((( Files Created from 2012-08-10 to 2012-09-10 )))))))))))))))))))))))))))))))
.
.
2012-09-06 07:04 . 2012-09-06 07:04 -------- d-----w- C:\FRST
2012-09-04 09:05 . 2012-09-04 09:05 -------- d-----w- c:\users\Administrator
2012-09-04 03:18 . 2012-09-04 03:18 31080 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2012-09-04 02:21 . 2012-09-04 02:21 -------- d-----w- c:\program files (x86)\blekkotb_soc
2012-09-04 00:48 . 2012-09-04 00:48 -------- d-----w- c:\users\Hitman\AppData\Roaming\Malwarebytes
2012-09-04 00:48 . 2012-09-04 00:48 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-09-04 00:48 . 2012-09-04 00:48 -------- d-----w- c:\programdata\Malwarebytes
2012-09-04 00:48 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-03 18:58 . 2012-09-03 18:58 -------- d-----w- c:\windows\SysWow64\searchplugins
2012-09-03 18:58 . 2012-09-03 18:58 -------- d-----w- c:\windows\SysWow64\Extensions
2012-09-03 15:28 . 2012-09-03 15:28 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-09-03 15:22 . 2012-09-03 15:24 -------- d-----w- c:\programdata\781287A802B36D01D0823CC64F147CE7
2012-09-01 00:30 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B9BDDE8E-F89D-4311-870B-0FBFF70C5ACF}\mpengine.dll
2012-08-26 17:02 . 2012-09-04 02:28 -------- d-----w- c:\programdata\Tarma Installer
2012-08-26 17:02 . 2012-08-26 17:02 -------- d-----w- c:\programdata\IBUpdaterService
2012-08-26 17:02 . 2012-08-26 16:52 666272 ----a-w- c:\program files (x86)\Uninstall Information\ib_uninst_514\uninstall.exe
2012-08-26 17:02 . 2012-08-26 17:02 -------- d-----w- c:\program files (x86)\Conduit
2012-08-26 17:01 . 2012-09-04 02:19 -------- d-----w- c:\users\Hitman\AppData\Local\Conduit
2012-08-26 17:01 . 2012-08-26 16:52 666272 ----a-w- c:\program files (x86)\Uninstall Information\ib_uninst_569\uninstall.exe
2012-08-26 17:01 . 2012-08-26 17:01 -------- d-----w- c:\programdata\Browser Manager
2012-08-26 16:31 . 2012-08-26 16:28 651360 ----a-w- c:\program files (x86)\Uninstall Information\ib_uninst_532\uninstall.exe
2012-08-26 16:30 . 2012-08-26 16:28 651360 ----a-w- c:\program files (x86)\Uninstall Information\ib_uninst_358\uninstall.exe
2012-08-26 16:30 . 2012-08-26 16:52 666272 ----a-w- c:\program files (x86)\Uninstall Information\ib_uninst_342\uninstall.exe
2012-08-26 16:30 . 2012-09-04 02:33 -------- d-----w- c:\users\Hitman\AppData\Roaming\PerformerSoft
2012-08-26 16:30 . 2012-08-26 16:28 651360 ----a-w- c:\program files (x86)\Uninstall Information\ib_uninst_568\uninstall.exe
2012-08-26 16:29 . 2012-03-14 19:47 19000 ----a-w- c:\windows\system32\roboot64.exe
2012-08-26 16:29 . 2012-08-26 16:52 666272 ----a-w- c:\program files (x86)\Uninstall Information\ib_uninst_343\uninstall.exe
2012-08-26 16:29 . 2012-08-26 16:28 651360 ----a-w- c:\program files (x86)\Uninstall Information\ib_uninst_0\uninstall.exe
2012-08-17 07:02 . 2012-06-29 03:49 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-08-15 20:29 . 2012-08-15 20:29 -------- d-----w- c:\programdata\WEBREG
2012-08-15 20:26 . 2009-04-16 18:08 248320 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpfpp70v.dll
2012-08-15 20:21 . 2012-08-15 20:29 -------- d-----w- c:\users\Hitman\AppData\Roaming\HP
2012-08-15 20:20 . 2012-08-15 20:20 -------- d-----w- c:\program files (x86)\Coupons
2012-08-15 20:19 . 2012-09-01 18:34 -------- d-----w- c:\users\Hitman\AppData\Roaming\HpUpdate
2012-08-15 20:06 . 2012-08-15 20:06 -------- d-----w- c:\users\Hitman\AppData\Roaming\SUPERAntiSpyware.com
2012-08-15 20:05 . 2012-09-05 12:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-08-15 20:05 . 2012-08-15 20:05 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-08-15 20:00 . 2012-08-15 20:00 -------- d-----w- c:\programdata\HP Product Assistant
2012-08-15 19:59 . 2012-08-15 19:59 -------- d-----w- c:\program files (x86)\Common Files\HP
2012-08-15 19:59 . 2012-08-15 19:59 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard
2012-08-15 19:57 . 2009-04-16 18:08 136704 ----a-w- c:\windows\system32\hpf3l70v.dll
2012-08-15 19:56 . 2012-08-15 19:56 -------- d-----w- c:\program files\HP
2012-08-15 19:46 . 2012-08-15 20:29 -------- d-----w- c:\programdata\HP
2012-08-15 19:46 . 2009-04-16 11:53 642360 ----a-w- c:\windows\system32\hpzids40.dll
2012-08-15 19:46 . 2009-02-11 11:03 880640 ----a-w- c:\windows\system32\hposwia_p02c.dll
2012-08-15 19:46 . 2009-02-11 11:03 1403904 ----a-w- c:\windows\system32\hpost_p02c.dll
2012-08-15 19:46 . 2008-10-29 00:27 551424 ----a-w- c:\windows\system32\hppldcoi.dll
2012-08-15 19:46 . 2009-02-11 11:03 515072 ----a-w- c:\windows\system32\hposc_p02a.dll
2012-08-15 02:29 . 2012-02-11 06:29 67584 ----a-w- c:\windows\splwow64.exe
2012-08-15 02:29 . 2012-02-11 06:36 751104 ----a-w- c:\windows\system32\win32spl.dll
2012-08-15 02:29 . 2012-02-11 06:29 559104 ----a-w- c:\windows\system32\spoolsv.exe
2012-08-15 02:29 . 2012-02-11 05:44 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2012-08-15 02:26 . 2012-05-05 08:30 503808 ----a-w- c:\windows\system32\srcore.dll
2012-08-15 02:26 . 2012-05-05 07:44 43008 ----a-w- c:\windows\SysWow64\srclient.dll
2012-08-15 02:25 . 2012-07-04 22:04 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-08-15 02:25 . 2012-07-04 22:01 58880 ----a-w- c:\windows\system32\browcli.dll
2012-08-15 02:25 . 2012-07-04 22:01 136704 ----a-w- c:\windows\system32\browser.dll
2012-08-15 02:25 . 2012-07-04 21:23 41472 ----a-w- c:\windows\SysWow64\browcli.dll
2012-08-15 02:25 . 2012-07-18 17:31 3146752 ----a-w- c:\windows\system32\win32k.sys
2012-08-15 02:24 . 2012-05-14 05:20 956416 ----a-w- c:\windows\system32\localspl.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 20:25 . 2012-06-05 16:26 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-15 20:25 . 2012-03-09 18:42 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-21 02:04 . 2012-07-21 02:05 147752 ----a-w- c:\windows\system32\SynTPCo4.dll
2012-07-21 02:04 . 2012-07-21 02:05 107816 ----a-w- c:\windows\SysWow64\SynTPCOM.dll
2012-07-21 02:04 . 2012-07-21 02:05 215336 ----a-w- c:\windows\system32\SynTPAPI.dll
2012-07-21 02:04 . 2012-07-21 02:05 1390640 ----a-w- c:\windows\system32\drivers\SynTP.sys
2012-07-21 02:04 . 2012-07-21 02:05 400168 ----a-w- c:\windows\system32\SynCOM.dll
2012-07-21 02:04 . 2012-07-21 02:05 271144 ----a-w- c:\windows\system32\SynCtrl.dll
2012-07-21 02:04 . 2012-07-21 02:05 214312 ----a-w- c:\windows\SysWow64\SynCtrl.dll
2012-07-21 02:04 . 2012-07-21 02:05 173352 ----a-w- c:\windows\SysWow64\SynCOM.dll
2012-06-14 07:15 . 2012-03-09 17:20 58957832 ----a-w- c:\windows\system32\MRT.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-05-19 2736128]
"Facebook Update"="c:\users\Hitman\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-12 138096]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-09-05 5661056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Bing Bar"="c:\program files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe" [2010-04-14 243544]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"WinampAgent"="c:\program files (x86)\Winamp\winampa.exe" [2006-06-21 35328]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~3\BROWSE~1\22580~1.182\{16CDF~1\brwmngr.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [2011-04-21 386168]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
R2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [2011-04-17 130008]
R2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [2010-04-20 315392]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-03 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 250056]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-07-28 52584]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-21 129976]
R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-31 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2012-09-04 31080]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 Browser Manager;Browser Manager;c:\programdata\Browser Manager\2.2.580.182\{16cdff19-861d-48e3-a751-d99a27784753}\brwmngr.exe [2012-08-26 1695776]
S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-05-21 140272]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-08-13 3064000]
S2 vToolbarUpdater12.2.6;vToolbarUpdater12.2.6;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [2012-09-04 722528]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-03-23 347680]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2010-02-05 1093152]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-05-19 17:36 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-05 20:25]
.
2012-09-09 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3215210023-636172019-1926784146-1002Core.job
- c:\users\Hitman\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-13 01:52]
.
2012-09-09 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3215210023-636172019-1926784146-1002UA.job
- c:\users\Hitman\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-13 01:52]
.
2012-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3215210023-636172019-1926784146-1002Core.job
- c:\users\Hitman\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-20 17:57]
.
2012-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3215210023-636172019-1926784146-1002UA.job
- c:\users\Hitman\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-20 17:57]
.
2012-09-08 c:\windows\Tasks\HPCeeScheduleForHitman.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 02:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-05-26 6245408]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
FF - ProfilePath - c:\users\Hitman\AppData\Roaming\Mozilla\Firefox\Profiles\zly12i6x.default\
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110396&tt=201208_mnt_n_3412_6&babsrc=KW_ss&mntrId=eebd28f90000000000001c659d04fb3e&q=
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110396&tt=201208_mnt_n_3412_6&babsrc=KW_ss&mntrId=eebd28f90000000000001c659d04fb3e&q=
FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?affID=110396&tt=201208_mnt_n_3412_6&babsrc=HP_ss&mntrId=eebd28f90000000000001c659d04fb3e
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110396&tt=201208_mnt_n_3412_6&babsrc=KW_ss&mntrId=eebd28f90000000000001c659d04fb3e&q=
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: extensions.BabylonToolbar.autoRvrt - false
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=eebd28f90000000000001c659d04fb3e&q=
FF - user.js: extensions.BabylonToolbar.id - eebd28f90000000000001c659d04fb3e
FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}
FF - user.js: extensions.BabylonToolbar.instlDay - 15578
FF - user.js: extensions.BabylonToolbar.vrsn - 1.6.9.12
FF - user.js: extensions.BabylonToolbar.vrsni - 1.6.9.12
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.6.9.1212:30
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - base
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110396&tt=201208_mnt_n_3412_6
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{0cc09160-108c-4759-bab1-5c12c216e005} - (no file)
BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
BHO-{D1ECD019-8423-43de-98D1-7892AF2DA309} - c:\users\Hitman\AppData\Local\FreeWorkz\FreeWorkzIE.dll
Toolbar-{95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
Toolbar-10 - (no file)
Toolbar-{0cc09160-108c-4759-bab1-5c12c216e005} - (no file)
Wow6432Node-HKCU-Run-PC Speed Maximizer - c:\program files (x86)\PC Speed Maximizer\SPMStarter.exe
Wow6432Node-HKCU-Run-SPMTray - c:\program files (x86)\PC Speed Maximizer\SPMTray.exe
Toolbar-10 - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
WebBrowser-{0CC09160-108C-4759-BAB1-5C12C216E005} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-NIS - c:\program files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\18.7.2.3\InstStub.exe
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\SysWOW64\schtasks.exe
.
**************************************************************************
.
Completion time: 2012-09-09 20:50:44 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-10 00:50
.
Pre-Run: 175,134,965,760 bytes free
Post-Run: 174,757,634,048 bytes free
.
- - End Of File - - 0B91DC7AF121D900244E1BC7B2F4DC36

Broni · Sep 9, 2012

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE

Double-click SystemLook.exe to run it.
Vista users:: Right click on SystemLook.exe, click Run As Administrator
Copy the content of the following box and paste it into the main textfield:
Code:
```
:filefind
atapi.sys
```
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

djhitman · Sep 9, 2012

SystemLook 30.07.11 by jpshortstuff
Log created at 23:24 on 09/09/2012 by Hitman
Administrator - Elevation successful
========== filefind ==========
Searching for "atapi.sys"
C:\Windows\erdnt\cache64\atapi.sys --a---- 24128 bytes [00:48 10/09/2012] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\System32\drivers\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_0dbde3119acb22ca\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_dab2e93700ba2683\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16552_none_394a8c733b252fb9\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16593_none_39204d0d3b44b8d4\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.20669_none_39d05b5854449cd5\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.20713_none_3a006b1e5421763d\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_3b5e2d89382958dd\atapi.sys --a---- 24128 bytes [23:19 13/07/2009] [01:52 14/07/2009] 02062C0B390B7729EDC9E69C680A6F3C
-= EOF =-

Broni · Sep 10, 2012

All files have very same MD5.
I don't see any replacement.

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.
NOTE. Make sure to reverse the above changes, when done with this step.
Upload following files to http://www.virustotal.com/ for security check:
- C:\Windows\System32\drivers\atapi.sys
If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

djhitman · Sep 10, 2012

I changed the folder options, like instructed.. but when I open up the virustotal web site, the hidden files do not show up when I browse for them, so I can't select the file to scan!

Broni · Sep 10, 2012

Are you sure you enabled SYSTEM files view?

djhitman · Sep 10, 2012

Yes, I did both steps.. Those files show up in windows explorer, just not when I have to browse from the site.

Broni · Sep 10, 2012

Copy the file to to your desktop and upload it from there.

djhitman · Sep 11, 2012

SHA256: 0261683c6dc2706dce491a1cdc954ac9c9e649376ec30760bb4e225e18dc5273
SHA1: 954d59eaeadc36cb19a224a5dddfa1edcfdc49ce
MD5: 02062c0b390b7729edc9e69c680a6f3c
File size: 23.6 KB ( 24128 bytes )
File name: atapi.sys
File type: unknown
Detection ratio: 0 / 41
Analysis date: 2012-09-11 19:46:18 UTC ( 0 minutes ago )
[RIGHT][RIGHT]

[/RIGHT]
[RIGHT][RIGHT]0[/RIGHT]
[RIGHT] [/RIGHT][/RIGHT]
[RIGHT][RIGHT]0[/RIGHT]
[RIGHT] [/RIGHT][/RIGHT][/RIGHT]
More details
AntivirusResultUpdate
AhnLab-V3 - 20120910
AntiVir - 20120910
Antiy-AVL - 20120910
Avast - 20120910
AVG - 20120910
BitDefender - 20120910
ByteHero - 20120907
CAT-QuickHeal - 20120910
ClamAV - 20120910
Commtouch - 20120909
Comodo - 20120910
DrWeb - 20120910
Emsisoft - 20120910
eSafe - 20120907
ESET-NOD32 - 20120910
F-Prot - 20120909
F-Secure - 20120910
Fortinet - 20120830
GData - 20120910
Ikarus - 20120910
Jiangmin - 20120910
K7AntiVirus - 20120907
Kaspersky - 20120910
McAfee - 20120910
McAfee-GW-Edition - 20120910
Microsoft - 20120910
Norman - 20120909
nProtect - 20120910
Panda - 20120910
Rising - 20120910
Sophos - 20120910
SUPERAntiSpyware - 20120910
Symantec - 20120910
TheHacker - 20120910
TotalDefense - 20120910
TrendMicro - 20120910
TrendMicro-HouseCall - 20120910
VBA32 - 20120910
VIPRE - 20120910
ViRobot - 20120910
VirusBuster - 20120910

Broni · Sep 11, 2012

Very well.
It looks like Combofix was wrong.

How is computer doing?

===============================

Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Click the Scan All Users checkbox.
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

djhitman · Sep 11, 2012

OTL logfile created on: 9/11/2012 8:23:36 PM - Run 2
OTL by OldTimer - Version 3.2.61.3 Folder = C:\Users\Hitman\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.93 Gb Total Physical Memory | 0.84 Gb Available Physical Memory | 43.71% Memory free
3.87 Gb Paging File | 2.59 Gb Available in Paging File | 66.89% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 216.44 Gb Total Space | 163.46 Gb Free Space | 75.52% Space Free | Partition Type: NTFS
Drive D: | 16.14 Gb Total Space | 2.33 Gb Free Space | 14.43% Space Free | Partition Type: NTFS
Drive F: | 3.76 Gb Total Space | 3.22 Gb Free Space | 85.65% Space Free | Partition Type: FAT32

Computer Name: HITMAN-HP | User Name: Hitman | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/11 20:10:02 | 000,600,064 | ---- | M] (OldTimer Tools) -- C:\Users\Hitman\Desktop\OTL.exe
PRC - [2012/09/03 23:18:53 | 000,722,528 | ---- | M] () -- C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe
PRC - [2012/08/26 13:01:45 | 001,695,776 | ---- | M] () -- C:\ProgramData\Browser Manager\2.2.580.182\{16cdff19-861d-48e3-a751-d99a27784753}\brwmngr.exe
PRC - [2012/08/13 13:33:30 | 003,064,000 | ---- | M] (Skype Technologies S.A.) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/07/03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/03/28 17:07:50 | 000,094,264 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
PRC - [2010/11/09 15:20:36 | 000,586,296 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
PRC - [2010/11/09 15:20:34 | 000,026,680 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
PRC - [2010/11/02 00:34:33 | 000,179,712 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\schtasks.exe
PRC - [2010/05/21 04:28:36 | 000,140,272 | ---- | M] (CinemaNow, Inc.) -- C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe
PRC - [2010/04/13 23:13:52 | 000,243,544 | ---- | M] (Microsoft Corp.) -- C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\mswinext.exe
PRC - [2006/06/21 13:14:50 | 000,035,328 | ---- | M] () -- C:\Program Files (x86)\Winamp\winampa.exe

========== Modules (No Company Name) ==========

MOD - [2012/08/26 13:01:45 | 002,046,496 | ---- | M] () -- C:\ProgramData\Browser Manager\2.2.580.182\{16cdff19-861d-48e3-a751-d99a27784753}\brwmngr.dll
MOD - [2012/08/26 13:01:45 | 001,695,776 | ---- | M] () -- C:\ProgramData\Browser Manager\2.2.580.182\{16cdff19-861d-48e3-a751-d99a27784753}\brwmngr.exe
MOD - [2006/06/21 13:14:50 | 000,035,328 | ---- | M] () -- C:\Program Files (x86)\Winamp\winampa.exe

========== Services (SafeList) ==========

SRV:64bit: - [2011/08/11 19:38:04 | 000,140,672 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCore64.exe -- (!SASCORE)
SRV:64bit: - [2010/06/18 19:26:18 | 000,103,992 | ---- | M] (Hewlett-Packard Company) [Auto | Stopped] -- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe -- (HP Wireless Assistant Service)
SRV:64bit: - [2010/04/19 21:55:18 | 000,315,392 | ---- | M] (Realtek Semiconductor Corp.) [Auto | Stopped] -- C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe -- (RtVOsdService)
SRV:64bit: - [2009/11/17 22:14:26 | 000,098,208 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe -- (AERTFilters)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2012/09/03 23:18:53 | 000,722,528 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe -- (vToolbarUpdater12.2.6)
SRV - [2012/08/26 13:01:45 | 001,695,776 | ---- | M] () [Auto | Running] -- C:\ProgramData\Browser Manager\2.2.580.182\{16cdff19-861d-48e3-a751-d99a27784753}\brwmngr.exe -- (Browser Manager)
SRV - [2012/08/15 16:25:04 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Start_Pending] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/08/13 13:33:30 | 003,064,000 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/07/03 13:19:28 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/04/20 21:19:00 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2011/09/09 17:10:28 | 000,086,072 | ---- | M] (Hewlett-Packard Company) [Auto | Stopped] -- C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe -- (HP Support Assistant Service)
SRV - [2011/04/16 20:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe -- (NIS)
SRV - [2011/03/28 17:07:50 | 000,094,264 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe -- (HPDrvMntSvc.exe)
SRV - [2010/11/09 15:20:34 | 000,026,680 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe -- (HPWMISVC)
SRV - [2010/10/22 13:08:18 | 001,039,360 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC)
SRV - [2010/10/12 13:59:12 | 000,206,072 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe -- (GamesAppService)
SRV - [2010/05/21 04:28:36 | 000,140,272 | ---- | M] (CinemaNow, Inc.) [Auto | Running] -- C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe -- (CinemaNow Service)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/09/03 23:18:56 | 000,031,080 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtpx64.sys -- (avgtp)
DRV:64bit: - [2012/07/20 22:04:51 | 001,390,640 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2012/07/03 13:46:44 | 000,024,904 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2012/03/01 02:54:38 | 000,022,896 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/07/28 18:37:10 | 000,052,584 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dc3d.sys -- (dc3d)
DRV:64bit: - [2011/07/22 12:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2011/07/12 17:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2011/04/20 21:37:49 | 000,386,168 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\NISx64\1207020.003\symnets.sys -- (SymNetS)
DRV:64bit: - [2011/03/11 02:22:41 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 02:22:40 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/08/25 20:36:04 | 010,611,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/04/13 12:44:22 | 000,540,696 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2010/03/22 21:57:20 | 000,347,680 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2010/02/04 23:06:00 | 001,093,152 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rtl8192se.sys -- (rtl8192se)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 19:31:10 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2009/06/10 17:01:11 | 001,485,312 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTDPV6.SYS -- (SrvHsfV92)
DRV:64bit: - [2009/06/10 17:01:11 | 000,740,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTCNXT6.SYS -- (SrvHsfWinac)
DRV:64bit: - [2009/06/10 17:01:11 | 000,292,864 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VSTAZL6.SYS -- (SrvHsfHDA)
DRV:64bit: - [2009/06/10 16:35:33 | 000,389,120 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\yk62x64.sys -- (yukonw7)
DRV:64bit: - [2009/06/10 16:35:28 | 005,434,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netw5v64.sys -- (netw5v64)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2007/05/14 16:06:18 | 000,027,520 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys -- (RimUsb)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/CQNOT/1
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE:64bit: - HKLM\..\SearchScopes\{8FD99F57-AC6B-4458-B491-9B90252659DD}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CPNTDF&pc=CPNTDF&src=IE-SearchBox
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=101&systemid=406&sr=0&q={searchTerms}
IE:64bit: - HKLM\..\SearchScopes\{A54EC669-549C-4465-83AD-8010043F618D}: "URL" = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
IE:64bit: - HKLM\..\SearchScopes\{B8E26E4F-704C-45BD-86E0-5E73DF87830B}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPNTDF
IE:64bit: - HKLM\..\SearchScopes\{FF083B22-79EE-41DE-ABC4-39C6B961DF19}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscql
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/CQNOT/1
IE - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
IE - HKLM\..\SearchScopes\{8FD99F57-AC6B-4458-B491-9B90252659DD}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CPNTDF&pc=CPNTDF&src=IE-SearchBox
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=101&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{A54EC669-549C-4465-83AD-8010043F618D}: "URL" = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
IE - HKLM\..\SearchScopes\{B8E26E4F-704C-45BD-86E0-5E73DF87830B}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPNTDF
IE - HKLM\..\SearchScopes\{FF083B22-79EE-41DE-ABC4-39C6B961DF19}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscql

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3215210023-636172019-1926784146-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
IE - HKU\S-1-5-21-3215210023-636172019-1926784146-1002\..\URLSearchHook: - No CLSID value found
IE - HKU\S-1-5-21-3215210023-636172019-1926784146-1002\..\SearchScopes,DefaultScope = {45B8B8C8-FF91-400B-B28C-B7FDA1A8269D}
IE - HKU\S-1-5-21-3215210023-636172019-1926784146-1002\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searc...SP_ss&mntrId=eebd28f90000000000001c659d04fb3e
IE - HKU\S-1-5-21-3215210023-636172019-1926784146-1002\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekkosearch.mystart.com/ble...120520D7CE4FC6B8BCC4AECA7D503C&q={searchTerms}
IE - HKU\S-1-5-21-3215210023-636172019-1926784146-1002\..\SearchScopes\{45B8B8C8-FF91-400B-B28C-B7FDA1A8269D}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3227980
IE - HKU\S-1-5-21-3215210023-636172019-1926784146-1002\..\SearchScopes\{8FD99F57-AC6B-4458-B491-9B90252659DD}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CPNTDF&pc=CPNTDF&src=IE-SearchBox
IE - HKU\S-1-5-21-3215210023-636172019-1926784146-1002\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={...2f7094a6156&lang=en&ds=AVG&pr=pr&d=2012-06-19 07:41:52&v=11.1.0.7&sap=dsp&q={searchTerms}
IE - HKU\S-1-5-21-3215210023-636172019-1926784146-1002\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=101&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-3215210023-636172019-1926784146-1002\..\SearchScopes\{A54EC669-549C-4465-83AD-8010043F618D}: "URL" = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
IE - HKU\S-1-5-21-3215210023-636172019-1926784146-1002\..\SearchScopes\{B8E26E4F-704C-45BD-86E0-5E73DF87830B}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPNTDF
IE - HKU\S-1-5-21-3215210023-636172019-1926784146-1002\..\SearchScopes\{D7A16101-E9C7-4369-BC7B-A9030ED8C0CB}: "URL" = http://start.funmoods.com/results.php?f=4&a=ironto&q={searchTerms}
IE - HKU\S-1-5-21-3215210023-636172019-1926784146-1002\..\SearchScopes\{FF083B22-79EE-41DE-ABC4-39C6B961DF19}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscql
IE - HKU\S-1-5-21-3215210023-636172019-1926784146-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..network.proxy.type: 0
FF - prefs.js..keyword.URL: "http://search.babylon.com/?affID=11..._ss&mntrId=eebd28f90000000000001c659d04fb3e&q="
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..keyword.URL: "http://search.babylon.com/?affID=11..._ss&mntrId=eebd28f90000000000001c659d04fb3e&q="
FF - prefs.js..browser.startup.homepage: "http://search.babylon.com/?affID=11...HP_ss&mntrId=eebd28f90000000000001c659d04fb3e"
FF - prefs.js..keyword.URL: "http://search.babylon.com/?affID=11..._ss&mntrId=eebd28f90000000000001c659d04fb3e&q="
FF - prefs.js..keyword.URL: "http://www.google.com/search?btnI=I'm+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q="

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_271.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\12.2.6\\npsitesafety.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpWinExt,version=5.0: C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\npwinext.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Hitman\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Hitman\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Hitman\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\msntoolbar@msn.com: C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1438.0\Firefox [2010/08/17 04:56:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/08/17 04:56:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files (x86)\AVG\AVG2012\Firefox4\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\ProgramData\AVG Secure Search\12.2.5.32\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\IPSFFPlgn\
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\coFFPlgn_2011_7_12_1
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012/08/15 16:19:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/06/05 11:22:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012/08/15 16:19:18 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\specialsavings@superfish.com: C:\Users\Hitman\AppData\Roaming\Mozilla\Firefox\Profiles/zly12i6x.default\extensions\specialsavings@superfish.com [2012/08/26 12:29:45 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{b64982b1-d112-42b5-b1e4-d3867c4533f8}: C:\ProgramData\Browser Manager\2.2.580.182\{16cdff19-861d-48e3-a751-d99a27784753}\FirefoxExtension [2012/08/26 13:01:45 | 000,000,000 | ---D | M]

[2012/05/19 14:54:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hitman\AppData\Roaming\Mozilla\Extensions
[2012/09/03 22:28:28 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hitman\AppData\Roaming\Mozilla\Firefox\Profiles\zly12i6x.default\Extensions
[2012/09/03 22:21:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hitman\AppData\Roaming\Mozilla\Firefox\Profiles\zly12i6x.default\Extensions\{7d9e1adc-7db1-4eaf-b6c7-7e062074e6be}
[2012/08/26 12:30:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hitman\AppData\Roaming\Mozilla\Firefox\Profiles\zly12i6x.default\Extensions\ffxtlbr@babylon.com
[2012/08/26 12:29:45 | 000,000,000 | ---D | M] (SpecialSavings) -- C:\Users\Hitman\AppData\Roaming\Mozilla\Firefox\Profiles\zly12i6x.default\Extensions\specialsavings@superfish.com
[2012/08/26 12:30:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Hitman\AppData\Roaming\Mozilla\Firefox\Profiles\zly12i6x.default\Extensions\staged
[2012/06/05 11:22:56 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
File not found (No name found) -- C:\PROGRAMDATA\AVG SECURE SEARCH\11.1.0.7\
[2012/04/20 21:19:34 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2012/09/03 23:18:37 | 000,003,769 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml
[2012/08/26 12:30:37 | 000,002,362 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
[2012/04/20 21:18:25 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
[2012/04/20 21:18:25 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

Solved GAC_64 desktop.ini and Win:64.a(?) infection

Posts: 37 +0

Posts: 37 +0

Posts: 37 +0

Attachments

Posts: 37 +0

Posts: 56,041 +516

Posts: 37 +0

Posts: 37 +0

Posts: 37 +0

Posts: 37 +0

Posts: 56,041 +516

Posts: 37 +0

Posts: 56,041 +516

Attachments

Posts: 37 +0

Posts: 37 +0

Posts: 37 +0

Posts: 56,041 +516

Posts: 37 +0

Posts: 56,041 +516

Posts: 37 +0

Posts: 56,041 +516

Posts: 37 +0

Posts: 56,041 +516

Posts: 37 +0

Posts: 56,041 +516

Posts: 37 +0

Similar threads