captainiom
Posts: 21 +0
I have a Vista problem which I suspect is registry related. Any attempt to start the task manager fails with a path not found error. That includes Ctrl-Alt-Del, the run command, navigating to \Windows\system32 and moving a copy to \temp. However, renaming the copy to fred.exe does work which suggests that there is a block on the name in the registry.
I have followed the malware 5 steps very carefully and paste below the results as requested.
I considered using Max Registry Cleaner but it apparently 'found' so many errors on its scan that I baulked.
If you can point me in the right direction I would be very pleased. I have some 40 years' computer experience so even in retirement I want to solve this attack.
Kind regards from the Isle of Man, British Isles!
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.03.02.03
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
User :: JSM-LATOP [administrator]
02/03/2012 16:41:46
mbam-log-2012-03-02 (16-41-46).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 282829
Time elapsed: 9 minute(s), 49 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-03-02 16:58:22
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000005a WDC_WD16 rev.11.0
Running: fth2ip73.exe; Driver: C:\Users\User\AppData\Local\Temp\kwrdrpow.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 19/10/2009 02:31:29
System Uptime: 02/03/2012 09:11:19 (8 hours ago)
.
Motherboard: MEDION | | WAM2070
Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-53 | U1 | 1700/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 130 GiB total, 57.268 GiB free.
D: is FIXED (NTFS) - 20 GiB total, 0.002 GiB free.
E: is CDROM ()
G: is FIXED (NTFS) - 149 GiB total, 60.378 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player Plugin
Adobe Reader X (10.1.1)
Apple Application Support
Apple Software Update
ArcSoft Software Suite
Bing Bar
Britannica CD 2000
CCleaner
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco Network Magic
Cisco PEAP Module
Classic Client 5.2 Patch1
Coupon Printer for Windows
Crossword Maestro
Defraggler
Dev-C++ 5 beta 9 release (4.9.9.2)
Dynamic Report Decoder 1.04.00.02
eSigner 3x
FileZilla Client 3.5.3
Fix RegCleaner v1.0
Google Earth
Google Update Helper
Gpg4win (2.1.0)
Hardware Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Deskjet 1050 J410 series Basic Device Software
HP Deskjet 1050 J410 series Help
HP Photo Creations
HP Update
IEEE 802.11a-b-g Wireless LAN Utility
IEEE 802.11g Wireless LAN driver
Java Auto Updater
Java(TM) 6 Update 29
Launch Manager V1.4.0
Legacy 7.5
LightScribe 1.4.124.1
Malwarebytes Anti-Malware version 1.60.1.1000
Max Registry Cleaner
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Network Magic
NVIDIA Drivers
NZMapConv
OpenOffice.org 3.3
Opera 11.51
Penguin Hutchinson Reference Suite
POPFile 1.1.1
POPFile Data (User)
Pure Networks Platform
QuickShadow 2.4.0.0
QuickTime
Ralink RT2870 Wireless LAN Card
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Sibelius 6
Sibelius 6.2.0.88
Skype Click to Call
Skype™ 5.5
Speccy
SuyinCam
Synaptics Pointing Device Driver
Total Immersion D'Fusion @Home Web Plug-In
Turnpike Six
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
WebEx
WebEx Support Manager for Internet Explorer
Windows Live ID Sign-in Assistant
WinZip
.
==== Event Viewer Messages From Past Week ========
.
29/02/2012 14:47:33, Error: Microsoft-Windows-SharedAccess_NAT [30005] - The DHCP allocator has detected a DHCP server with IP address 192.168.0.1 on the same network as the interface with IP address 192.168.0.6. The allocator has disabled itself on the interface to avoid confusing DHCP clients.
29/02/2012 14:42:43, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
29/02/2012 09:31:13, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
29/02/2012 09:30:45, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer HP Deskjet 6980 series with shared resource name HP Deskjet 6980 series. Error 2114. The printer cannot be used by others on the network.
29/02/2012 09:30:30, Error: EventLog [6008] - The previous system shutdown at 09:15:55 on 29/02/2012 was unexpected.
29/02/2012 09:28:36, Error: Service Control Manager [7023] -
28/02/2012 11:11:46, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
28/02/2012 11:01:32, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
02/03/2012 17:02:07, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume BOOT.
02/03/2012 17:00:19, Error: Microsoft-Windows-SharedAccess_NAT [31004] - The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
02/03/2012 16:58:58, Error: Microsoft-Windows-SharedAccess_NAT [30009] - The DHCP allocator encountered a network error while attempting to reply on IP address 0.0.0.0 to a request from a client. The data is the error code.
02/03/2012 16:58:58, Error: Microsoft-Windows-SharedAccess_NAT [30005] - The DHCP allocator has detected a DHCP server with IP address 192.168.0.1 on the same network as the interface with IP address 192.168.0.3. The allocator has disabled itself on the interface to avoid confusing DHCP clients.
02/03/2012 16:58:53, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 0016D383F625 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
02/03/2012 12:09:15, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.4 for the Network Card with network address 0060B3384B84 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
02/03/2012 10:02:01, Error: Microsoft-Windows-SharedAccess_NAT [34001] - The ICS_IPV6 failed to configure IPv6 stack.
02/03/2012 09:12:36, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: mailKmd
02/03/2012 09:12:36, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
02/03/2012 09:11:56, Error: EventLog [6008] - The previous system shutdown at 08:48:43 on 02/03/2012 was unexpected.
01/03/2012 10:34:16, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
01/03/2012 10:33:39, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.6 for the Network Card with network address 0016D383F625 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
01/03/2012 10:33:35, Error: EventLog [6008] - The previous system shutdown at 10:23:33 on 01/03/2012 was unexpected.
.
==== End Of File ===========================
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by User at 17:00:46 on 2012-03-02
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1918.565 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\QuicklyTech\QuickShadow.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\atashost.exe
C:\Program Files\GNU\GnuPG\dirmngr.exe
C:\Program Files\Gemalto\Classic Client\BIN\GslShmSrvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Program Files\Launch Manager\WisLMSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Synaptics\SynTP\SynMedion.exe
C:\Program Files\Gemalto\Classic Client\BIN\RegTool.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PHRS\LibMan.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\DllHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\PROGRA~1\POPFile\popfileib.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Max Registry Cleaner\RCVistaService.exe
C:\temp\fred.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11f_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.manx.net/
uDefault_Page_URL = hxxp://www.msn.com
mDefault_Page_URL = hxxp://www.medion.com/
uInternet Settings,ProxyOverride = hxxp://localhost;
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [LaunchAp] "c:\program files\launch manager\LaunchAp.exe"
mRun: [HotkeyApp] "c:\program files\launch manager\HotkeyApp.exe"
mRun: [LMgrOSD] "c:\program files\launch manager\OSD.exe"
mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [RegTool] c:\program files\gemalto\classic client\bin\RegTool.exe
mRun: [TaskTray]
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [RCAutoLiveUpdate] c:\program files\max registry cleaner\MaxLURC.exe -AUTO
mRun: [RCSystemTray] c:\program files\max registry cleaner\MaxRCSystemTray.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA"&"inst=NwA3AC0ANAAxADMAOQA3ADgAMgAyADMALQBCADMALQBUAEIAOQArADIALQBGAEwAKwA5AC0ARgA5AE0ANwBCACsANQA"&"prod=90"&"ver=9.0.872
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\runpop~1.lnk - c:\program files\popfile\runpopfile.exe
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\wkcalrem.lnk - c:\program files\common files\microsoft shared\works shared\WkCalRem.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wplink~1.lnk - c:\program files\phrs\LibMan.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: barclayswealth.com\www
Trusted Zone: bacs.co.uk\paymentservices
Trusted Zone: barclays.com\ams
Trusted Zone: barclays.com\ibank1.bib
Trusted Zone: barclays.com\www.iceb
Trusted Zone: iplservices.voca.com
Trusted Zone: paymentservices.fpsdca.co.uk
Trusted Zone: tradeonlineservices.com\europe
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FAB2BB9D-91E9-457E-9D42-75A7FCCBBC00} - hxxp://www.hodder.co.uk/paintedcavesar/plugin/DFusionHomeWebPlugIn.Installer.exe
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{C61D10ED-25E2-4D77-B092-B6662874A5EF} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F254966D-B4BC-43CF-BDFD-844E16CE01A1} : DhcpNameServer = 192.168.0.1
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IFEO: taskmgr.exe - "c:\users\user\appdata\local\microsoft\windows\temporary internet files\content.ie5\nmi62ys7\PROCEXP.EXE"
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 64952]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2011-4-20 20376]
R2 DirMngr;DirMngr;c:\program files\gnu\gnupg\dirmngr.exe [2011-3-2 224256]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-11-12 21504]
R2 GslShmSrvc;GSL Share Memory;c:\program files\gemalto\classic client\bin\GslShmSrvc.exe [2009-2-26 69632]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RaRegistry.exe [2011-10-21 185632]
R2 RCVistaSvc;RCVistaSvc;c:\program files\max registry cleaner\RCVistaService.exe [2012-3-2 1076880]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2008-7-29 904192]
R3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [2009-8-10 89600]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 WisLMSvc;WisLMSvc;c:\program files\launch manager\WisLMSvc.exe [2007-7-17 118784]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-3 136176]
S3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\drivers\athru6.sys [2011-5-1 871936]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-3 136176]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2011-10-21 822272]
S3 NtiEnc;NtiEnc;c:\windows\system32\drivers\NtiEnc.sys [2010-3-30 156928]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-02 16:59:53 6552120 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b43508cc-eed2-46bb-a153-acc7a6285b7f}\mpengine.dll
2012-03-02 16:39:40 -------- d-----w- c:\users\user\appdata\roaming\Malwarebytes
2012-03-02 16:39:25 -------- d-----w- c:\programdata\Malwarebytes
2012-03-02 16:39:23 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-02 16:39:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-02 12:11:44 -------- d-----w- c:\programdata\Max Secure
2012-03-02 12:11:18 151472 ----a-w- c:\windows\system32\GetHardDiskNo.dll
2012-03-02 12:11:07 -------- d-----w- c:\windows\MaxSecureBackup
2012-03-02 12:11:07 -------- d-----w- c:\program files\Max Registry Cleaner
2012-03-02 11:39:59 -------- d-----w- c:\program files\Fix RegCleaner
2012-02-28 13:22:11 -------- d-----w- c:\program files\Pure Networks
2012-02-28 13:17:48 8892928 ----a-w- c:\programdata\atscie.msi
2012-02-28 13:16:22 26672 ----a-w- c:\windows\system32\drivers\pnarp.sys
2012-02-28 13:15:09 27696 ----a-w- c:\windows\system32\drivers\purendis.sys
2012-02-28 13:14:35 -------- d-----w- c:\program files\common files\Pure Networks Shared
2012-02-28 13:14:11 -------- d-----w- c:\programdata\Pure Networks
2012-02-25 09:02:33 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2012-02-25 09:02:32 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2012-02-25 09:02:32 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2012-02-25 09:02:32 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2012-02-25 09:02:32 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2012-02-25 09:02:32 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2012-02-25 09:02:32 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2012-02-15 07:09:46 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 07:09:44 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 07:09:42 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-02-10 09:55:32 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{eab30799-6846-4a5f-bd52-ac0c2f90e658}\gapaengine.dll
2012-02-06 19:23:19 784144 ----a-w- c:\programdata\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
.
==================== Find3M ====================
.
2012-02-20 09:52:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-14 03:04:54 1798656 ----a-w- c:\windows\system32\jscript9.dll
2011-12-14 02:57:18 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-12-14 02:56:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-14 02:50:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 17:01:38.70 ===============
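The line in the Pseudo HJT section of the DDS report that bears directly on the Task Manager symptom is `IFEO: taskmgr.exe - "c:\users\user\appdata\local\...\content.ie5\nmi62ys7\PROCEXP.EXE"`. A `Debugger` value under Image File Execution Options makes Windows start that program in place of the named image, so when the redirect target has been deleted (here a copy of Process Explorer that lived in the Internet Explorer cache) every launch of taskmgr.exe by name fails with a path-not-found error, while a renamed copy such as fred.exe starts normally because the lookup is keyed on the image file name. Process Explorer's "Replace Task Manager" option writes exactly this value, so a stale entry is a benign cause to rule out before assuming malware. The PowerShell below is an added example, not part of the original post and not one of the forum's 5-step tools: it lists every IFEO Debugger redirection on the machine, flags targets that are missing or that live under temp or browser-cache folders (that fragment list is an assumption to tune), and offers a dry-run removal of a single entry. Run it from an elevated prompt.

```powershell
# Added example, not from the original post or from DDS/Process Explorer:
# audit Image File Execution Options (IFEO) "Debugger" redirections.
# Windows launches the Debugger value's program in place of the named image,
# so a stale entry (target deleted) makes that image fail with "path not found".

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: these path fragments are unusual homes for a legitimate debugger
# (per-user caches and temp folders); adjust for your environment.
$SuspiciousFragments = @('\temp\', '\temporary internet files\', '\appdata\local\', '\downloads\')

function Get-DebuggerTarget {
    # Extract the executable path from a Debugger value, which may be quoted
    # and may carry arguments, e.g.  "C:\x\PROCEXP.EXE" /flag
    param([string]$DebuggerValue)
    if ($DebuggerValue -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($DebuggerValue.Trim() -split '\s+')[0]
}

function Get-IfeoDebuggerEntries {
    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Debugger']) {
            $debugger = [string]$props.Debugger
            $target   = Get-DebuggerTarget $debugger
            $reasons  = @()
            # A missing target is exactly the "path not found" failure mode.
            if (-not (Test-Path -LiteralPath $target)) { $reasons += 'target missing' }
            $lower = $target.ToLowerInvariant()
            foreach ($frag in $SuspiciousFragments) {
                if ($lower.Contains($frag)) { $reasons += "target under '$frag'"; break }
            }
            $finding = 'ok'
            if ($reasons.Count -gt 0) { $finding = $reasons -join '; ' }
            New-Object PSObject -Property @{
                Image    = $_.PSChildName
                Debugger = $debugger
                Target   = $target
                Finding  = $finding
            }
        }
    }
}

function Remove-IfeoDebugger {
    # Delete only the Debugger value for one image; the subkey and any other
    # settings under it are left alone. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Image)
    $key = Join-Path $IfeoRoot $Image
    if ($PSCmdlet.ShouldProcess($key, 'Remove Debugger value')) {
        Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction Stop
    }
}

# Report every redirection; anything whose Finding is not 'ok' deserves a look.
Get-IfeoDebuggerEntries | Sort-Object Image | Format-Table -AutoSize Image, Target, Finding

# Remediation for the case in this thread (dry run; drop -WhatIf to apply):
Remove-IfeoDebugger -Image 'taskmgr.exe' -WhatIf
```

On 64-bit Windows the same audit should also be run against `HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options`, which holds the entries consulted for 32-bit images; the machine in this thread is x86, so the single root above covers it. After removing the value, Task Manager starts by name again without any registry-cleaner involvement.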
29/02/2012 09:30:45, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer HP Deskjet 6980 series with shared resource name HP Deskjet 6980 series. Error 2114. The printer cannot be used by others on the network.
29/02/2012 09:30:30, Error: EventLog [6008] - The previous system shutdown at 09:15:55 on 29/02/2012 was unexpected.
29/02/2012 09:28:36, Error: Service Control Manager [7023] -
28/02/2012 11:11:46, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
28/02/2012 11:01:32, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
02/03/2012 17:02:07, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume BOOT.
02/03/2012 17:00:19, Error: Microsoft-Windows-SharedAccess_NAT [31004] - The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
02/03/2012 16:58:58, Error: Microsoft-Windows-SharedAccess_NAT [30009] - The DHCP allocator encountered a network error while attempting to reply on IP address 0.0.0.0 to a request from a client. The data is the error code.
02/03/2012 16:58:58, Error: Microsoft-Windows-SharedAccess_NAT [30005] - The DHCP allocator has detected a DHCP server with IP address 192.168.0.1 on the same network as the interface with IP address 192.168.0.3. The allocator has disabled itself on the interface to avoid confusing DHCP clients.
02/03/2012 16:58:53, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 0016D383F625 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
02/03/2012 12:09:15, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.4 for the Network Card with network address 0060B3384B84 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
02/03/2012 10:02:01, Error: Microsoft-Windows-SharedAccess_NAT [34001] - The ICS_IPV6 failed to configure IPv6 stack.
02/03/2012 09:12:36, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: mailKmd
02/03/2012 09:12:36, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
02/03/2012 09:11:56, Error: EventLog [6008] - The previous system shutdown at 08:48:43 on 02/03/2012 was unexpected.
01/03/2012 10:34:16, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
01/03/2012 10:33:39, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.6 for the Network Card with network address 0016D383F625 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
01/03/2012 10:33:35, Error: EventLog [6008] - The previous system shutdown at 10:23:33 on 01/03/2012 was unexpected.
.
==== End Of File ===========================
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by User at 17:00:46 on 2012-03-02
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1918.565 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\QuicklyTech\QuickShadow.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\atashost.exe
C:\Program Files\GNU\GnuPG\dirmngr.exe
C:\Program Files\Gemalto\Classic Client\BIN\GslShmSrvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Ralink\Common\RaRegistry.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Program Files\Launch Manager\WisLMSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Synaptics\SynTP\SynMedion.exe
C:\Program Files\Gemalto\Classic Client\BIN\RegTool.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PHRS\LibMan.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\microsoft shared\Works Shared\WkCalRem.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\DllHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\PROGRA~1\POPFile\popfileib.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Max Registry Cleaner\RCVistaService.exe
C:\temp\fred.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11f_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.manx.net/
uDefault_Page_URL = hxxp://www.msn.com
mDefault_Page_URL = hxxp://www.medion.com/
uInternet Settings,ProxyOverride = hxxp://localhost;
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [LaunchAp] "c:\program files\launch manager\LaunchAp.exe"
mRun: [HotkeyApp] "c:\program files\launch manager\HotkeyApp.exe"
mRun: [LMgrOSD] "c:\program files\launch manager\OSD.exe"
mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [RegTool] c:\program files\gemalto\classic client\bin\RegTool.exe
mRun: [TaskTray]
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [RCAutoLiveUpdate] c:\program files\max registry cleaner\MaxLURC.exe -AUTO
mRun: [RCSystemTray] c:\program files\max registry cleaner\MaxRCSystemTray.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYASwBQAEMAQgAtADYAQgBXAEYATQAtAFQAUgBMAFEAUgAtAEIAUgBVAEgAUAAtAEMAUAA4ADYARwA"&"inst=NwA3AC0ANAAxADMAOQA3ADgAMgAyADMALQBCADMALQBUAEIAOQArADIALQBGAEwAKwA5AC0ARgA5AE0ANwBCACsANQA"&"prod=90"&"ver=9.0.872
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\runpop~1.lnk - c:\program files\popfile\runpopfile.exe
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\wkcalrem.lnk - c:\program files\common files\microsoft shared\works shared\WkCalRem.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wplink~1.lnk - c:\program files\phrs\LibMan.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: barclayswealth.com\www
Trusted Zone: bacs.co.uk\paymentservices
Trusted Zone: barclays.com\ams
Trusted Zone: barclays.com\ibank1.bib
Trusted Zone: barclays.com\www.iceb
Trusted Zone: iplservices.voca.com
Trusted Zone: paymentservices.fpsdca.co.uk
Trusted Zone: tradeonlineservices.com\europe
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FAB2BB9D-91E9-457E-9D42-75A7FCCBBC00} - hxxp://www.hodder.co.uk/paintedcavesar/plugin/DFusionHomeWebPlugIn.Installer.exe
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{C61D10ED-25E2-4D77-B092-B6662874A5EF} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F254966D-B4BC-43CF-BDFD-844E16CE01A1} : DhcpNameServer = 192.168.0.1
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IFEO: taskmgr.exe - "c:\users\user\appdata\local\microsoft\windows\temporary internet files\content.ie5\nmi62ys7\PROCEXP.EXE"
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 64952]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2011-4-20 20376]
R2 DirMngr;DirMngr;c:\program files\gnu\gnupg\dirmngr.exe [2011-3-2 224256]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-11-12 21504]
R2 GslShmSrvc;GSL Share Memory;c:\program files\gemalto\classic client\bin\GslShmSrvc.exe [2009-2-26 69632]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RaRegistry.exe [2011-10-21 185632]
R2 RCVistaSvc;RCVistaSvc;c:\program files\max registry cleaner\RCVistaService.exe [2012-3-2 1076880]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2008-7-29 904192]
R3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [2009-8-10 89600]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
R3 WisLMSvc;WisLMSvc;c:\program files\launch manager\WisLMSvc.exe [2007-7-17 118784]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-3 136176]
S3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\drivers\athru6.sys [2011-5-1 871936]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-3 136176]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2011-10-21 822272]
S3 NtiEnc;NtiEnc;c:\windows\system32\drivers\NtiEnc.sys [2010-3-30 156928]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-02 16:59:53 6552120 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b43508cc-eed2-46bb-a153-acc7a6285b7f}\mpengine.dll
2012-03-02 16:39:40 -------- d-----w- c:\users\user\appdata\roaming\Malwarebytes
2012-03-02 16:39:25 -------- d-----w- c:\programdata\Malwarebytes
2012-03-02 16:39:23 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-02 16:39:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-02 12:11:44 -------- d-----w- c:\programdata\Max Secure
2012-03-02 12:11:18 151472 ----a-w- c:\windows\system32\GetHardDiskNo.dll
2012-03-02 12:11:07 -------- d-----w- c:\windows\MaxSecureBackup
2012-03-02 12:11:07 -------- d-----w- c:\program files\Max Registry Cleaner
2012-03-02 11:39:59 -------- d-----w- c:\program files\Fix RegCleaner
2012-02-28 13:22:11 -------- d-----w- c:\program files\Pure Networks
2012-02-28 13:17:48 8892928 ----a-w- c:\programdata\atscie.msi
2012-02-28 13:16:22 26672 ----a-w- c:\windows\system32\drivers\pnarp.sys
2012-02-28 13:15:09 27696 ----a-w- c:\windows\system32\drivers\purendis.sys
2012-02-28 13:14:35 -------- d-----w- c:\program files\common files\Pure Networks Shared
2012-02-28 13:14:11 -------- d-----w- c:\programdata\Pure Networks
2012-02-25 09:02:33 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2012-02-25 09:02:32 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2012-02-25 09:02:32 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2012-02-25 09:02:32 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2012-02-25 09:02:32 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2012-02-25 09:02:32 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2012-02-25 09:02:32 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2012-02-15 07:09:46 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 07:09:44 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 07:09:42 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-02-10 09:55:32 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{eab30799-6846-4a5f-bd52-ac0c2f90e658}\gapaengine.dll
2012-02-06 19:23:19 784144 ----a-w- c:\programdata\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
.
==================== Find3M ====================
.
2012-02-20 09:52:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2011-12-14 03:04:54 1798656 ----a-w- c:\windows\system32\jscript9.dll
2011-12-14 02:57:18 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-12-14 02:56:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-14 02:50:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 17:01:38.70 ===============
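Editor's note, added here and not part of the original post or its logs: the one line in the DDS output that accounts for the reported symptom is `IFEO: taskmgr.exe - "c:\users\user\appdata\local\microsoft\windows\temporary internet files\content.ie5\nmi62ys7\PROCEXP.EXE"`. A `Debugger` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>` makes Windows start the named "debugger" with the original image as its argument instead of the image itself. The value here points into the Internet Explorer cache, which is routinely purged, so every attempt to start `taskmgr.exe` by name fails with a path-not-found error while a renamed copy (`fred.exe`) runs normally, exactly as described. Process Explorer's "Replace Task Manager" option writes precisely this key, so running PROCEXP.EXE straight from the browser download and ticking that option would produce this entry without any malware involvement; malware does also abuse the same key to block security tools, so the entry is worth confirming rather than assuming either way. The PowerShell below is an added example that audits every IFEO `Debugger` value, flags ones whose target no longer exists or lives outside the system and program directories, and shows the removal command. It assumes a 32-bit Windows (as in this log); on 64-bit Windows the `Wow6432Node` branch of the same key should be checked as well.

```powershell
# Added example (not from the original post): audit Image File Execution Options
# "Debugger" redirections. Run from an elevated PowerShell prompt.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

$results = Get-ChildItem -Path $ifeo | ForEach-Object {
    $key = $_
    # Debugger is optional on each subkey; suppress the error when it is absent.
    $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if (-not $debugger) { return }

    # The value may be quoted and may carry arguments; isolate the executable path.
    if ($debugger -match '^"([^"]+)"') {
        $image = $Matches[1]
    } else {
        $image = ($debugger -split '\s+')[0]
    }

    $exists = Test-Path -LiteralPath $image
    if (-not $exists) {
        # Dangling target: launching the original image will fail with path not found.
        $status = 'DANGLING - original program cannot start'
    } elseif ($image -notlike "$env:SystemRoot\*" -and $image -notlike "$env:ProgramFiles\*") {
        # Redirect into a profile, temp or browser-cache directory deserves a close look.
        $status = 'REVIEW - debugger outside system/program directories'
    } else {
        $status = 'ok'
    }

    New-Object PSObject -Property @{
        Target   = $key.PSChildName
        Debugger = $debugger
        Exists   = $exists
        Status   = $status
    }
}

$results | Format-Table Target, Status, Exists, Debugger -AutoSize

# Once an entry is confirmed unwanted, remove only the Debugger value and leave the
# rest of the subkey alone (other IFEO settings may be legitimate). For this case:
#   Remove-ItemProperty -Path "$ifeo\taskmgr.exe" -Name Debugger
# Task Manager then starts normally without any reboot.
```

Two caveats for whoever follows this up: the same `Debugger` key is a common place for malware to park a redirection to a nonexistent file, so the whole table, not just `taskmgr.exe`, should be read before deleting anything; and the `Ntfs [55]` event at 17:02 on 02/03/2012 ("file system structure on the disk is corrupt") is a separate problem that a registry fix will not address and should be resolved with chkdsk before any further cleanup tools are run against that volume.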