TechSpot

MBAM repeatedly blocking outgoing svchost.exe process

By MobiTec
Aug 6, 2012
  1. Hello,

    Every few minutes MBAM is repeatedly blocking SVCHOST.exe Outgoing Process which I think is linked to an Infection located within "SysWOW64" but I cannot seem to get rid of the infection..

    So as a final resort I'm posting for help here.. hope someone can help.

    ##### Logs Below #####

    ##### MBAM #####
    Malwarebytes Anti-Malware (PRO) 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.05.08

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Richard :: STUDIO-15 [administrator]

    Protection: Enabled

    06/08/2012 18:46:30
    mbam-log-2012-08-06 (18-46-30).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 218188
    Time elapsed: 3 minute(s), 41 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    ##### DDS Log #####
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
    Run by Richard at 19:17:48 on 2012-08-06
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.5981.3017 [GMT 1:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files (x86)\USB Safely Remove\USBSRService.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\STacSV64.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\CDBurnerXP\NMSAccessU.exe
    C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe
    C:\Program Files\Windows Server\Bin\WhsMcClient.exe
    C:\Program Files\Windows Server\Bin\WSConnectorUpdate.exe
    C:\Program Files\Windows Server\Bin\LANConfigSvc.exe
    C:\Program Files\Windows Server\Bin\ProviderRegistryService.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
    C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Windows Server\Bin\Launchpad.exe
    C:\Program Files\TuneClone\TuneClone.exe
    C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
    C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
    C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\Windows Server\Bin\Microsoft.HomeServer.Archive.TransferService.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Richard\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\notepad.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyServer = webcache.virginmedia.com:8080
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
    mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.euro.dell.com/systemprofiler/SysProExe.CAB
    DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.3.13.0.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{3C4445F2-EDC0-4B93-B6B3-FB1AC4DEF8F9} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{3C4445F2-EDC0-4B93-B6B3-FB1AC4DEF8F9}\2456C6B696E6F5035454535414 : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{3C4445F2-EDC0-4B93-B6B3-FB1AC4DEF8F9}\35B4952363133353 : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{3C4445F2-EDC0-4B93-B6B3-FB1AC4DEF8F9}\44D2C496E6B62313 : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{530E8702-1F1F-4907-B313-500AC6C361A2} : DhcpNameServer = 192.168.1.1
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
    BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
    BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
    BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO-X64: SmartSelect - No File
    TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
    mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Richard\AppData\Roaming\Mozilla\Firefox\Profiles\jtbf6dxd.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:eek:fficial
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: MultirowBookmarksToolbar: {FBF6D7FB-F305-4445-BB3D-FEF66579A033} - %profile%\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
    FF - Ext: QuickRestart: {F645A8C9-E969-42D9-B3F3-F325537222FD} - %profile%\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}
    FF - Ext: Plain Text Links: {ec268e28-22c6-4a6c-ac22-635cabee283c} - %profile%\extensions\{ec268e28-22c6-4a6c-ac22-635cabee283c}
    FF - Ext: Right-Click-Link: {AA6F0803-145A-4200-8E5E-68898D02B5B3} - %profile%\extensions\{AA6F0803-145A-4200-8E5E-68898D02B5B3}
    FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
    FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
    FF - Ext: Fast Youtube Downloader: fastYoutubeDownloader@yevgenyandrov.net - %profile%\extensions\fastYoutubeDownloader@yevgenyandrov.net
    FF - Ext: YouTube to MP3: youtube2mp3@mondayx.de - %profile%\extensions\youtube2mp3@mondayx.de
    FF - Ext: RapidShare DownloadHelper: rsDownloadHelper@yevgenyandrov.net - %profile%\extensions\rsDownloadHelper@yevgenyandrov.net
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: MegaUpload DownloadHelper: mgDownloadHelper@yevgenyandrov.net - %profile%\extensions\mgDownloadHelper@yevgenyandrov.net
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: Hide IP Easy: support@easy-hideip.com - %profile%\extensions\support@easy-hideip.com
    FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
    FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
    FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
    FF - Ext: Deal Finder Community Toolbar: {f37831ec-6919-42aa-ba2a-aceddf5ee262} - %profile%\extensions\{f37831ec-6919-42aa-ba2a-aceddf5ee262}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 hotcore3;hc3ServiceName;C:\Windows\system32\DRIVERS\hotcore3.sys --> C:\Windows\system32\DRIVERS\hotcore3.sys [?]
    R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
    R0 tclondrv;tclondrv;C:\Windows\system32\DRIVERS\tclondrv.sys --> C:\Windows\system32\DRIVERS\tclondrv.sys [?]
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
    R1 GizmoDrv;Gizmo Device Driver;C:\Windows\system32\drivers\GizmoDrv.sys --> C:\Windows\system32\drivers\GizmoDrv.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-4 63928]
    R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe [2010-4-29 89600]
    R2 arXfrSvc;Windows Server Media Center TV Archive Transfer Service;C:\Program Files\Windows Server\Bin\Microsoft.HomeServer.Archive.TransferService.exe [2011-3-2 79744]
    R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
    R2 Dokan;Dokan;\??\C:\Windows\system32\drivers\dokan.sys --> C:\Windows\system32\drivers\dokan.sys [?]
    R2 DokanMounter;DokanMounter;C:\Program Files (x86)\Dokan\DokanLibrary\mounter.exe [2010-7-5 11776]
    R2 HealthAlertsSvc;Windows Server Health Service;C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [2011-3-2 30592]
    R2 LANConfig;Windows Server LAN Configuration;C:\Program Files\Windows Server\Bin\LANConfigSvc.exe [2011-3-2 27520]
    R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2012-1-31 375208]
    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2011-9-16 15928]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\Windows\system32\drivers\LMIRfsDriver.sys --> C:\Windows\system32\drivers\LMIRfsDriver.sys [?]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-31 655944]
    R2 NotificationsProviderSvc;Windows Server Notifications Provider Service;C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [2011-3-2 30592]
    R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-8-12 87040]
    R2 providers_system;Windows Server Download Service;C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [2011-3-2 30592]
    R2 ServiceProviderRegistry;Windows Server Service Provider Registry;C:\Program Files\Windows Server\Bin\ProviderRegistryService.exe [2012-1-12 40832]
    R2 SqmProviderSvc;Windows Server SQM Service;C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [2011-3-2 30592]
    R2 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2011-3-9 92592]
    R2 UsbClientService;UsbClientService;C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe [2011-2-18 245760]
    R2 USBSafelyRemoveService;USB Safely Remove Assistant;C:\Program Files (x86)\USB Safely Remove\USBSRService.exe [2010-7-14 523576]
    R2 WhsMcClient;Windows Server Media Center Client Service;C:\Program Files\Windows Server\Bin\WhsMcClient.exe [2011-3-2 111488]
    R2 WSConnectorUpdate;Windows Server Connector Update;C:\Program Files\Windows Server\Bin\WSConnectorUpdate.exe [2011-3-2 228736]
    R2 WSS_ComputerBackupProviderSvc;Windows Server Client Computer Backup Provider Service;C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [2011-3-2 30592]
    R3 BackupReader;BackupReader;C:\Windows\system32\DRIVERS\BackupReader.sys --> C:\Windows\system32\DRIVERS\BackupReader.sys [?]
    R3 busenum;Synology Virtual USB Hub;C:\Windows\system32\DRIVERS\busenum.sys --> C:\Windows\system32\DRIVERS\busenum.sys [?]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;C:\Windows\system32\drivers\IntcHdmi.sys --> C:\Windows\system32\drivers\IntcHdmi.sys [?]
    R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
    R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
    R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);C:\Windows\system32\drivers\WsAudio_DeviceS(1).sys --> C:\Windows\system32\drivers\WsAudio_DeviceS(1).sys [?]
    R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);C:\Windows\system32\drivers\WsAudio_DeviceS(2).sys --> C:\Windows\system32\drivers\WsAudio_DeviceS(2).sys [?]
    R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);C:\Windows\system32\drivers\WsAudio_DeviceS(3).sys --> C:\Windows\system32\drivers\WsAudio_DeviceS(3).sys [?]
    R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);C:\Windows\system32\drivers\WsAudio_DeviceS(4).sys --> C:\Windows\system32\drivers\WsAudio_DeviceS(4).sys [?]
    R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);C:\Windows\system32\drivers\WsAudio_DeviceS(5).sys --> C:\Windows\system32\drivers\WsAudio_DeviceS(5).sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 initMonitor;Windows Server Initialization Service;C:\Program Files\Windows Server\Bin\SharedServiceHost.exe [2011-3-2 30592]
    S3 HTCAND64;HTC Device Driver;C:\Windows\system32\Drivers\ANDROIDUSB.sys --> C:\Windows\system32\Drivers\ANDROIDUSB.sys [?]
    S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\system32\DRIVERS\htcnprot.sys --> C:\Windows\system32\DRIVERS\htcnprot.sys [?]
    S3 jumi;%Jumi%;C:\Windows\system32\DRIVERS\jumi.sys --> C:\Windows\system32\DRIVERS\jumi.sys [?]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
    S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\system32\DRIVERS\netaapl64.sys --> C:\Windows\system32\DRIVERS\netaapl64.sys [?]
    S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
    S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
    S3 nmwcdnsucx64;Nokia USB Flashing Generic;C:\Windows\system32\drivers\nmwcdnsucx64.sys --> C:\Windows\system32\drivers\nmwcdnsucx64.sys [?]
    S3 nmwcdnsux64;Nokia USB Flashing Phone Parent;C:\Windows\system32\drivers\nmwcdnsux64.sys --> C:\Windows\system32\drivers\nmwcdnsux64.sys [?]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
    S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-08-05 17:31:409133488----a-w-C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B2F01C2B-74D7-4055-9A8B-B28CBD0272C7}\mpengine.dll
    2012-08-05 01:33:309133488----a-w-C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-07-31 13:29:46--------d-sh--w-C:\$RECYCLE.BIN
    2012-07-31 13:05:081915904----a-w-C:\Windows\SysWow64\mqrdim.dll
    2012-07-11 18:00:133148800----a-w-C:\Windows\System32\win32k.sys
    2012-07-11 17:05:44--------d-----w-C:\Users\Richard\AppData\Roaming\Downloaded Installations
    2012-07-11 09:34:22--------d-----w-C:\Program Files\LinkShellExtension
    2012-07-11 05:42:532004480----a-w-C:\Windows\System32\msxml6.dll
    2012-07-08 17:52:59150392----a-w-C:\Windows\junction.exe
    2012-07-08 17:16:35270912----a-w-C:\Windows\System32\drivers\dtsoftbus01.sys
    .
    ==================== Find3M ====================
    .
    2012-07-12 11:55:1087488----a-w-C:\Windows\System32\LMIRfsClientNP.dll
    2012-07-12 11:55:1080800----a-w-C:\Windows\System32\LMIinit.dll
    2012-07-12 11:55:1034720----a-w-C:\Windows\System32\LMIport.dll
    2012-07-03 12:46:4424904----a-w-C:\Windows\System32\drivers\mbam.sys
    2012-06-25 15:04:241394248----a-w-C:\Windows\SysWow64\msxml4.dll
    2012-06-06 06:06:161881600----a-w-C:\Windows\System32\msxml3.dll
    2012-06-06 06:02:541133568----a-w-C:\Windows\System32\cdosys.dll
    2012-06-06 05:05:521390080----a-w-C:\Windows\SysWow64\msxml6.dll
    2012-06-06 05:05:521236992----a-w-C:\Windows\SysWow64\msxml3.dll
    2012-06-06 05:03:06805376----a-w-C:\Windows\SysWow64\cdosys.dll
    2012-06-02 22:15:312622464----a-w-C:\Windows\System32\wucltux.dll
    2012-06-02 22:15:0899840----a-w-C:\Windows\System32\wudriver.dll
    2012-06-02 14:19:42186752----a-w-C:\Windows\System32\wuwebv.dll
    2012-06-02 14:15:1236864----a-w-C:\Windows\System32\wuapp.exe
    2012-06-02 12:12:172311680----a-w-C:\Windows\System32\jscript9.dll
    2012-06-02 12:05:281392128----a-w-C:\Windows\System32\wininet.dll
    2012-06-02 12:04:501494528----a-w-C:\Windows\System32\inetcpl.cpl
    2012-06-02 12:01:40173056----a-w-C:\Windows\System32\ieUnatt.exe
    2012-06-02 11:57:082382848----a-w-C:\Windows\System32\mshtml.tlb
    2012-06-02 08:33:251800192----a-w-C:\Windows\SysWow64\jscript9.dll
    2012-06-02 08:25:081129472----a-w-C:\Windows\SysWow64\wininet.dll
    2012-06-02 08:25:031427968----a-w-C:\Windows\SysWow64\inetcpl.cpl
    2012-06-02 08:20:33142848----a-w-C:\Windows\SysWow64\ieUnatt.exe
    2012-06-02 08:16:522382848----a-w-C:\Windows\SysWow64\mshtml.tlb
    2012-06-02 05:50:10458704----a-w-C:\Windows\System32\drivers\cng.sys
    2012-06-02 05:48:1695600----a-w-C:\Windows\System32\drivers\ksecdd.sys
    2012-06-02 05:48:16151920----a-w-C:\Windows\System32\drivers\ksecpkg.sys
    2012-06-02 05:45:31340992----a-w-C:\Windows\System32\schannel.dll
    2012-06-02 05:44:21307200----a-w-C:\Windows\System32\ncrypt.dll
    2012-06-02 04:40:4222016----a-w-C:\Windows\SysWow64\secur32.dll
    2012-06-02 04:40:39225280----a-w-C:\Windows\SysWow64\schannel.dll
    2012-06-02 04:39:10219136----a-w-C:\Windows\SysWow64\ncrypt.dll
    2012-06-02 04:34:0996768----a-w-C:\Windows\SysWow64\sspicli.dll
    2012-05-21 14:20:3087456----a-w-C:\Windows\System32\LMIRfsClientNP.dll.000.bak
    .
    ============= FINISH: 19:18:34.29 ===============
    ##### GMER - NO LOG #####
    Thanks.
     
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Hi!

    ComboFix

    Please download ComboFix[​IMG] by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
     
  3. MobiTec

    MobiTec TS Rookie Topic Starter Posts: 18

    ComboFix downloaded as svchost.exe to Desktop but has changed back to ComboFix.exe is that normal?

    ## Log attached ##
     

    Attached Files:

  4. MobiTec

    MobiTec TS Rookie Topic Starter Posts: 18

    Is there any other Scans I need to do? Did ComboFix tell you anything?
     
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Do you recognize this proxy:
    webcache.virginmedia.com:8080

    ?

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [​IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
     
  6. MobiTec

    MobiTec TS Rookie Topic Starter Posts: 18

    Yes the VM Web Proxy is fine (its a backup proxy for VirginMedia VIP customers)

    ## Log Below ##

    ComboFix 12-08-07.03 - Richard 07/08/2012 21:09:54.3.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.44.1033.18.5981.4323 [GMT 1:00]
    Running from: c:\users\Richard\Desktop\ComboFix.exe
    Command switches used :: c:\users\Richard\Desktop\CFScript.txt.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-07 to 2012-08-07 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-07 21:06 . 2012-08-07 21:06--------d-----w-c:\users\Emma\AppData\Local\temp
    2012-08-07 21:06 . 2012-08-07 21:06--------d-----w-c:\users\Default\AppData\Local\temp
    2012-08-07 14:53 . 2012-08-07 14:53--------d-----w-c:\program files (x86)\MagicISO
    2012-08-07 11:54 . 2012-08-07 11:54--------d-----w-c:\program files (x86)\theRenamer
    2012-08-07 11:05 . 2012-08-07 11:05--------d-----w-c:\users\Richard\AppData\Local\TransMac
    2012-08-07 11:05 . 2012-08-07 11:05--------d-----w-c:\program files (x86)\TransMac
    2012-08-06 21:18 . 2012-06-29 10:049133488----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{53B85756-6852-4584-8EAC-CE9D2F0EC32C}\mpengine.dll
    2012-08-05 17:31 . 2012-06-29 10:049133488----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-07-31 13:05 . 2012-07-31 13:051915904----a-w-c:\windows\SysWow64\mqrdim.dll
    2012-07-11 18:00 . 2012-06-12 03:083148800----a-w-c:\windows\system32\win32k.sys
    2012-07-11 17:05 . 2012-07-11 17:05--------d-----w-c:\users\Richard\AppData\Roaming\Downloaded Installations
    2012-07-11 09:34 . 2012-07-11 09:34--------d-----w-c:\program files\LinkShellExtension
    2012-07-11 05:42 . 2012-06-06 06:062004480----a-w-c:\windows\system32\msxml6.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-12 11:55 . 2012-02-09 11:3734720----a-w-c:\windows\system32\LMIport.dll
    2012-07-12 11:55 . 2012-02-09 11:3787488----a-w-c:\windows\system32\LMIRfsClientNP.dll
    2012-07-12 11:55 . 2012-02-09 11:3780800----a-w-c:\windows\system32\LMIinit.dll
    2012-07-11 08:54 . 2010-02-11 23:3259701280----a-w-c:\windows\system32\MRT.exe
    2012-07-08 17:16 . 2012-07-08 17:16270912----a-w-c:\windows\system32\drivers\dtsoftbus01.sys
    2012-07-03 12:46 . 2010-02-12 01:0124904----a-w-c:\windows\system32\drivers\mbam.sys
    2012-06-29 10:04 . 2012-08-07 21:199133488----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E36DA4F0-D21A-4E1B-BDA1-B6DA741F1B62}\mpengine.dll
    2012-06-25 15:04 . 2012-06-25 15:041394248----a-w-c:\windows\SysWow64\msxml4.dll
    2012-06-02 22:19 . 2012-06-19 00:3138424----a-w-c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-19 00:312428952----a-w-c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-19 00:3157880----a-w-c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-19 00:3144056----a-w-c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-19 00:31701976----a-w-c:\windows\system32\wuapi.dll
    2012-06-02 22:15 . 2012-06-19 00:312622464----a-w-c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-19 00:3199840----a-w-c:\windows\system32\wudriver.dll
    2012-06-02 14:19 . 2012-06-19 00:31186752----a-w-c:\windows\system32\wuwebv.dll
    2012-06-02 14:15 . 2012-06-19 00:3136864----a-w-c:\windows\system32\wuapp.exe
    2012-05-21 14:20 . 2012-02-09 11:3787456----a-w-c:\windows\system32\LMIRfsClientNP.dll.000.bak
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-08-06_20.47.37 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-02-14 20:51 . 2012-08-07 21:1063244 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-08-07 21:1047016 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2010-02-11 23:42 . 2012-08-07 21:1019178 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1378451052-918935142-3024469531-1001_UserData.bin
    + 2011-10-16 13:16 . 2012-08-07 12:2016384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-10-16 13:16 . 2012-08-06 19:3016384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-02-11 23:10 . 2012-08-07 12:2032768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-02-11 23:10 . 2012-08-06 19:3032768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-08-07 12:2016384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2012-08-06 19:3016384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2012-08-07 21:08 . 2012-08-07 21:082048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-08-06 20:45 . 2012-08-06 20:452048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-07 21:08 . 2012-08-07 21:082048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-08-06 20:45 . 2012-08-06 20:452048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-08-06 14:26 . 2012-08-07 21:07390092 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2012-08-06 14:26 . 2012-08-06 20:43390092 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2012-08-06 14:26 . 2012-08-07 21:075463252 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1378451052-918935142-3024469531-1001-8192.dat
    - 2012-08-06 14:26 . 2012-08-06 20:435463252 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1378451052-918935142-3024469531-1001-8192.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:3694208----a-w-c:\users\Richard\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:3694208----a-w-c:\users\Richard\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:3694208----a-w-c:\users\Richard\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2012-04-04 36760]
    "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2012-04-04 815512]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 DokanMounter;DokanMounter;c:\program files (x86)\Dokan\DokanLibrary\mounter.exe [2010-07-05 11776]
    R2 HealthAlertsSvc;Windows Server Health Service;c:\program files\Windows Server\Bin\SharedServiceHost.exe [2011-03-02 30592]
    R2 initMonitor;Windows Server Initialization Service;c:\program files\Windows Server\Bin\SharedServiceHost.exe [2011-03-02 30592]
    R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-01 33736]
    R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]
    R3 jumi;%Jumi%;c:\windows\system32\DRIVERS\jumi.sys [2010-06-03 15160]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2011-05-10 22528]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 nmwcdnsucx64;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsucx64.sys [2010-07-26 12800]
    R3 nmwcdnsux64;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsux64.sys [2010-07-26 171008]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
    R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-04-25 52736]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-28 1255736]
    S0 hotcore3;hc3ServiceName;c:\windows\system32\DRIVERS\hotcore3.sys [2011-08-29 37456]
    S0 tclondrv;tclondrv;c:\windows\system32\DRIVERS\tclondrv.sys [2012-02-24 26856]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-07-08 270912]
    S1 GizmoDrv;Gizmo Device Driver; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe [2009-03-03 89600]
    S2 arXfrSvc;Windows Server Media Center TV Archive Transfer Service;c:\program files\Windows Server\Bin\Microsoft.HomeServer.Archive.TransferService.exe [2011-03-02 79744]
    S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2010-11-09 21992]
    S2 Dokan;Dokan;c:\windows\system32\drivers\dokan.sys [2010-07-06 106888]
    S2 LANConfig;Windows Server LAN Configuration;c:\program files\Windows Server\Bin\LANConfigSvc.exe [2011-03-02 27520]
    S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2012-07-12 375208]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [2011-09-16 15928]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
    S2 NotificationsProviderSvc;Windows Server Notifications Provider Service;c:\program files\Windows Server\Bin\SharedServiceHost.exe [2011-03-02 30592]
    S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-08-12 87040]
    S2 providers_system;Windows Server Download Service;c:\program files\Windows Server\Bin\SharedServiceHost.exe [2011-03-02 30592]
    S2 ServiceProviderRegistry;Windows Server Service Provider Registry;c:\program files\Windows Server\Bin\ProviderRegistryService.exe [2012-01-12 40832]
    S2 SqmProviderSvc;Windows Server SQM Service;c:\program files\Windows Server\Bin\SharedServiceHost.exe [2011-03-02 30592]
    S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2011-03-09 92592]
    S2 UsbClientService;UsbClientService;c:\program files (x86)\Synology\Assistant\UsbClientService.exe [2011-02-18 245760]
    S2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files (x86)\USB Safely Remove\USBSRService.exe [2010-05-07 523576]
    S2 WhsMcClient;Windows Server Media Center Client Service;c:\program files\Windows Server\Bin\WhsMcClient.exe [2011-03-02 111488]
    S2 WSConnectorUpdate;Windows Server Connector Update;c:\program files\Windows Server\Bin\WSConnectorUpdate.exe [2011-03-02 228736]
    S2 WSS_ComputerBackupProviderSvc;Windows Server Client Computer Backup Provider Service;c:\program files\Windows Server\Bin\SharedServiceHost.exe [2011-03-02 30592]
    S3 BackupReader;BackupReader;c:\windows\system32\DRIVERS\BackupReader.sys [2011-03-02 63872]
    S3 busenum;Synology Virtual USB Hub;c:\windows\system32\DRIVERS\busenum.sys [2011-02-18 56160]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2010-03-15 145408]
    S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2011-10-25 425000]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
    S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2011-12-19 29288]
    S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2011-12-19 29288]
    S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2011-12-19 29288]
    S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2011-12-19 29288]
    S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2011-12-19 29288]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1378451052-918935142-3024469531-1001Core.job
    - c:\users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-12 16:17]
    .
    2012-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1378451052-918935142-3024469531-1001UA.job
    - c:\users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-12 16:17]
    .
    2012-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1378451052-918935142-3024469531-1005Core.job
    - c:\users\Emma\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-29 19:42]
    .
    2012-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1378451052-918935142-3024469531-1005UA.job
    - c:\users\Emma\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-29 19:42]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:3697792----a-w-c:\users\Richard\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:3697792----a-w-c:\users\Richard\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:3697792----a-w-c:\users\Richard\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:3697792----a-w-c:\users\Richard\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\HardLinkMenu]
    @="{0A479751-02BC-11d3-A855-0004AC2568AA}"
    [HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568AA}]
    2012-05-27 19:50522440----a-w-c:\program files\LinkShellExtension\HardlinkShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHardLink]
    @="{0A479751-02BC-11d3-A855-0004AC2568DD}"
    [HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568DD}]
    2012-05-27 19:50522440----a-w-c:\program files\LinkShellExtension\HardlinkShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlaySymbolicLink]
    @="{0A479751-02BC-11d3-A855-0004AC2568EE}"
    [HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568EE}]
    2012-05-27 19:50522440----a-w-c:\program files\LinkShellExtension\HardlinkShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-01-21 487424]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
    "AutoRearm"="c:\windows\AutoRearm\AutoRearm.exe" [2011-05-19 529408]
    "LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-09-16 57928]
    "Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2012-04-01 5712896]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    "Launchpad"="c:\program files (x86)\Windows Server\Bin\Launchpad.exe" [BU]
    "TuneClone"="c:\program files\TuneClone\TuneClone.exe" [2012-02-24 4550656]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = %SystemRoot%\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyServer = webcache.virginmedia.com:8080
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Richard\AppData\Roaming\Mozilla\Firefox\Profiles\jtbf6dxd.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:eek:fficial
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: MultirowBookmarksToolbar: {FBF6D7FB-F305-4445-BB3D-FEF66579A033} - %profile%\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
    FF - Ext: QuickRestart: {F645A8C9-E969-42D9-B3F3-F325537222FD} - %profile%\extensions\{F645A8C9-E969-42D9-B3F3-F325537222FD}
    FF - Ext: Plain Text Links: {ec268e28-22c6-4a6c-ac22-635cabee283c} - %profile%\extensions\{ec268e28-22c6-4a6c-ac22-635cabee283c}
    FF - Ext: Right-Click-Link: {AA6F0803-145A-4200-8E5E-68898D02B5B3} - %profile%\extensions\{AA6F0803-145A-4200-8E5E-68898D02B5B3}
    FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
    FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
    FF - Ext: Fast Youtube Downloader: fastYoutubeDownloader@yevgenyandrov.net - %profile%\extensions\fastYoutubeDownloader@yevgenyandrov.net
    FF - Ext: YouTube to MP3: youtube2mp3@mondayx.de - %profile%\extensions\youtube2mp3@mondayx.de
    FF - Ext: RapidShare DownloadHelper: rsDownloadHelper@yevgenyandrov.net - %profile%\extensions\rsDownloadHelper@yevgenyandrov.net
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: MegaUpload DownloadHelper: mgDownloadHelper@yevgenyandrov.net - %profile%\extensions\mgDownloadHelper@yevgenyandrov.net
    FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Ext: Hide IP Easy: support@easy-hideip.com - %profile%\extensions\support@easy-hideip.com
    FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
    FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
    FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
    FF - Ext: Deal Finder Community Toolbar: {f37831ec-6919-42aa-ba2a-aceddf5ee262} - %profile%\extensions\{f37831ec-6919-42aa-ba2a-aceddf5ee262}
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1378451052-918935142-3024469531-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{313B3583-18DC-8687-3B94-21F4EA1A64D7}*]
    @Allowed: (Read) (RestrictedCode)
    "paccdmpplbckaelhajgjfblmhpgioagm"=hex:6b,61,6f,62,68,6d,69,65,67,6a,6d,69,63,
    70,6f,64,6a,6d,70,68,64,6f,00,00
    "oamcjojcnfoohhfkgcpknhcmnnfpdn"=hex:6a,61,6f,62,68,6d,69,65,67,6a,6f,69,65,61,
    67,6d,6e,64,67,6b,00,f5
    "paccdmpplbckaelhajgjfblmhpfijajl"=hex:6a,61,6f,62,69,6d,6a,6c,70,69,6f,67,61,
    6e,64,6b,6a,69,65,6f,00,f5
    "oamcjojcnfoohhfkgcpknhcmknkoec"=hex:6a,61,6f,62,68,6d,69,65,62,6a,62,69,61,66,
    6c,68,6b,6d,6d,70,00,f5
    "paccdmpplbckaelhajgjfblmhpeiaagk"=hex:69,61,64,62,6e,6f,65,62,63,61,64,66,63,
    68,69,6f,6f,6d,00,00
    "oamcjojcnfoohhfkgcpknhcmlnponn"=hex:69,61,64,62,6e,6f,65,62,63,61,64,66,63,68,
    69,6f,6f,6d,00,00
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\CDBurnerXP\NMSAccessU.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-07 22:38:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-07 21:38
    ComboFix2.txt 2012-08-06 21:16
    .
    Pre-Run: 4,875,853,824 bytes free
    Post-Run: 4,824,829,952 bytes free
    .
    - - End Of File - - A044528B1FA39ACA7500233BFACA4DBE
     
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Cool! Just wanted to be sure! (y)

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  8. MobiTec

    MobiTec TS Rookie Topic Starter Posts: 18

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=8f00692dd34811458bbfa948491543dd
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-08-08 11:49:57
    # local_time=2012-08-08 12:49:57 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode=5893 16776574 66 85 45073838 96884540 0 0
    # compatibility_mode=8192 67108863 100 0 153 153 0 0
    # scanned=272261
    # found=2
    # cleaned=2
    # scan_time=7107
    C:\Windows\System32\mqrdim.dlla variant of Win32/Delf.OGP trojan (cleaned by deleting (after the next restart) - quarantined)00000000000000000000000000000000C
    D:\#Website\Wordpress Theme\nicestars.1\NiceStars\NiceStars\header.phpPHP/Kryptik.AB trojan (cleaned by deleting - quarantined)00000000000000000000000000000000C


    ## Have Restarted PC to Remove Quarantined Items ##
     
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Cool!

    Your logs appear to be clean. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advance System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations:
      [​IMG]
    • Select the More Options tab
      [​IMG]
    • In the System Restore and Shadow Backups select Clean up
      [​IMG]
    • Select Delete on the pop up
    • Select OK
    • Select Delete
    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note:If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran TFC
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
     
  10. MobiTec

    MobiTec TS Rookie Topic Starter Posts: 18

    Completed the Following...
    • Cleaned System Restore
    • Ran OTC
    • Ran TFC
    • Ran Security Check
    • Created New System Restore
    ## Log Below ##

    Results of screen317's Security Check version 0.99.43
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.62.0.1300
    JavaFX 2.1.1
    Java(TM) 7 Update 5
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Reader X (10.1.3)
    Mozilla Firefox (3.6.17) Firefox out of Date!
    Google Chrome 21.0.1180.60
    Google Chrome 21.0.1180.75
    Google Chrome VisualElementsManifest.xml..
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
     
  11. MobiTec

    MobiTec TS Rookie Topic Starter Posts: 18

    Not seen anymore MBAM alerts for blocking svchost.exe service as yet... so its looking good :)
     
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Update Firefox

    Firefox is out of date. Firefox is a very popular web browser, and if it is out of date, it is very vulnerable to security bugs, and other holes. To update it now, click Help > Check for Updates or Help > About > Check for Updates.


    Adobe Flash Player Update!

    Please download the newest version of Adobe Flash Player from Adobe.com

    Before installing: it is important to remove older versions of Flash Player since it does not do so automatically and old versions still leave you vulnerable.
    Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
    Search in the list for all previous installed versions of Adobe Flash Player. Uninstall/Remove each of them.

    Once old versions are gone, please install the newest version.

    Personal Tips on Preventing Malware

    See this page for more info about malware and prevention.

    Any other questions before I mark this topic solved?
     
  13. MobiTec

    MobiTec TS Rookie Topic Starter Posts: 18

    All updated and running the way it should..

    Thank you for your time and help :)
     
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,282   +49

    Excellent! Marked as solved. √
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...