TechSpot

Virus identified Win64/Patched.A can't be removed with AVG

Solved
By Dendi
Jun 22, 2013
  1. Hi Guys,

    Since yesterday, I keep receiving AVG virus alerts on my PC and they are being cleaned except for the one that says

    Virus identified Win64/Patched.A


    I have searched through the forum for solutions but I would like to make sure that I do not do something that would ruin my system.

    I would appreciate it if anyone could help.

    Regards
     
  2. Dendi


    Here are the results from Farbar

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-06-2013
    Windows 7 Enterprise Service Pack 1 (X64) OS Language: English(US)
    Internet Explorer Version 10
    Boot Mode: Normal

    ==================== Processes (Whitelisted) =================

    (Huawei Technologies Co., Ltd.) C:\ProgramData\DatacardService\DCSHelper.exe
    (Pokki) C:\Users\dendi\AppData\Local\Pokki\Engine\pokki.exe
    (IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
    (Atheros Commnucations) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
    (Atheros Commnucations) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AthBtTray.exe
    (Intel Corporation) C:\Windows\System32\igfxtray.exe
    (Intel Corporation) C:\Windows\System32\hkcmd.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (SoftEther Project at University of Tsukuba, Japan.) C:\Program Files\SoftEther VPN Client\vpnclient_x64.exe
    (Samsung) C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
    (Dropbox, Inc.) C:\Users\dendi\AppData\Roaming\Dropbox\bin\Dropbox.exe
    (Visagesoft) C:\Program Files (x86)\Avanquest\Expert PDF 8 Professional\vspdfprsrv.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgui.exe
    (Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
    (BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-Agent.exe
    (Zemana Ltd.) C:\Program Files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe
    (Pokki) C:\Users\dendi\AppData\Local\Pokki\Engine\pokki.exe
    (Pokki) C:\Users\dendi\AppData\Local\Pokki\Engine\pokki.exe
    (Pokki) C:\Users\dendi\AppData\Local\Pokki\Engine\pokki.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-05-27] (IDT, Inc.)
    HKLM\...\Run: [AtherosBtStack] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe" [627360 2011-05-20] (Atheros Commnucations)
    HKLM\...\Run: [AthBtTray] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AthBtTray.exe" [379552 2011-05-20] (Atheros Commnucations)
    HKLM\...\Run: [SoftEther VPN Client UI Helper] "C:\Program Files\SoftEther VPN Client\vpnclient_x64.exe" /uihelp [4267064 2013-04-27] (SoftEther Project at University of Tsukuba, Japan.)
    HKLM-x32\...\Runonce: [WD Smartware Upgrader - Uninstall] cmd /c MsiExec.exe /X{3890215D-D18A-43EF-AE0C-0C6B084F652D} /qn [x]
    HKCU\...\Run: [Facebook Update] "C:\Users\dendi\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2013-02-15] (Facebook Inc.)
    HKCU\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18678376 2013-04-19] (Skype Technologies S.A.)
    HKCU\...\Run: [openvpntray.EXE] C:\Users\dendi\AppData\Roaming\Hotspot Shield\bin\openvpntray.EXE -nonadmin [x]
    HKCU\...\Run: [Mobile Partner] C:\Program Files (x86)\Qtel Mobile Broadband\Qtel Mobile Broadband.exe [515072 2013-04-15] ()
    HKCU\...\Run: [Pokki] C:\Windows\system32\rundll32.exe "%LOCALAPPDATA%\Pokki\Engine\LaunchDeskband.dll",RunLaunchDeskband [x]
    HKCU\...\Run: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [1106288 2013-03-28] (Samsung)
    MountPoints2: F - "F:\WD Drive Unlock.exe" autoplay=true
    MountPoints2: G - "G:\WD Drive Unlock.exe" autoplay=true
    MountPoints2: H - H:\AutoRun.exe
    MountPoints2: {0da1c840-a657-11e2-8218-ca5426c6984a} - I:\AutoRun.exe /s
    MountPoints2: {8f088e77-a8d9-11e2-8603-c7e321c0e347} - F:\AutoRun.exe
    MountPoints2: {9381be26-abd7-11e2-987f-efe378551f59} - F:\AutoRun.exe
    MountPoints2: {93c3d6b6-a1a5-11e2-a75c-00ac778b001b} - F:\AutoRun.exe /s
    MountPoints2: {93c3d6cd-a1a5-11e2-a75c-00ac778b001b} - F:\AutoRun.exe /s
    MountPoints2: {93d8decf-a4c2-11e2-83d0-00ac778b001b} - F:\AutoRun.exe
    MountPoints2: {93d8dee5-a4c2-11e2-83d0-00ac778b001b} - F:\AutoRun.exe
    MountPoints2: {93d8df06-a4c2-11e2-83d0-00ac778b001b} - F:\AutoRun.exe
    MountPoints2: {9aac018e-86e9-11e2-870c-e42f57de7c53} - F:\AutoRun.exe
    MountPoints2: {9aac01d8-86e9-11e2-870c-e42f57de7c53} - F:\AutoRun.exe
    MountPoints2: {9aac081a-86e9-11e2-870c-e42f57de7c53} - F:\AutoRun.exe
    MountPoints2: {cdf5a621-7342-11e2-ae63-00ac778b001b} - G:\LaunchU3.exe -a
    MountPoints2: {e82726c8-5a1c-11e2-a341-7845c4a33b5a} - "F:\WD Drive Unlock.exe" autoplay=true
    HKLM-x32\...\Run: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe" /fromrunkey [5164624 2012-11-30] (Microsoft Corporation)
    HKLM-x32\...\Run: [vspdfprsrv.exe] C:\Program Files (x86)\Avanquest\Expert PDF 8 Professional\vspdfprsrv.exe --background [6078464 2012-04-23] (Visagesoft)
    HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-29] (AVG Technologies CZ, s.r.o.)
    HKLM-x32\...\Run: [WD Quick View] C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5237256 2012-12-20] (Western Digital Technologies, Inc.)
    HKLM-x32\...\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [310640 2013-03-28] (Samsung Electronics Co., Ltd.)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-05] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [BlueStacks Agent] C:\Program Files (x86)\BlueStacks\HD-Agent.exe [601928 2013-05-13] (BlueStack Systems, Inc.)
    HKLM-x32\...\Run: [ZALFree] "C:\Program Files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe" /MINIMIZED [12995376 2013-05-24] (Zemana Ltd.)
    AppInit_DLLs: C:\PROGRA~2\KEYCRY~1\KEYCRY~4.DLL [89936 2013-05-24] (Zemana Ltd.)
    AppInit_DLLs-x32: C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL [82696 2013-05-24] (Zemana Ltd.)
    Startup: C:\ProgramData\Start Menu\Programs\Startup\vpngui.exe.lnk
    ShortcutTarget: vpngui.exe.lnk -> C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe (No File)
    Startup: C:\Users\dendi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> C:\Users\dendi\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

    ==================== Internet (Whitelisted) ====================

    ProxyServer: nhq-proxy:8080
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uae.msn.com/?rd=1&ucc=QA&dcc=QA&opt=1&ocid=iehp&tc=0
    BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL (Microsoft Corporation)
    BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
    BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL (Microsoft Corporation)
    BHO-x32: CIESpeechBHO Class - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations)
    BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
    DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    Handler: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll No File
    Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
    Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
    Winsock: Catalog5 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
    Winsock: Catalog9 01 mswsock.dll File Not found ()
    Winsock: Catalog9 02 mswsock.dll File Not found ()
    Winsock: Catalog9 03 mswsock.dll File Not found ()
    Winsock: Catalog9 04 mswsock.dll File Not found ()
    Winsock: Catalog9 05 mswsock.dll File Not found ()
    Winsock: Catalog9 06 mswsock.dll File Not found ()
    Winsock: Catalog9 07 mswsock.dll File Not found ()
    Winsock: Catalog9 08 mswsock.dll File Not found ()
    Winsock: Catalog9 09 mswsock.dll File Not found ()
    Winsock: Catalog9 10 mswsock.dll File Not found ()
    Winsock: Catalog9 11 mswsock.dll File Not found ()
    Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
    Winsock: Catalog5-x64 06 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
    Winsock: Catalog9-x64 01 mswsock.dll File Not found ()
    Winsock: Catalog9-x64 02 mswsock.dll File Not found ()
    Winsock: Catalog9-x64 03 mswsock.dll File Not found ()
    Winsock: Catalog9-x64 04 mswsock.dll File Not found ()
    Winsock: Catalog9-x64 05 mswsock.dll File Not found ()
    Winsock: Catalog9-x64 06 mswsock.dll File Not found ()
    Winsock: Catalog9-x64 07 mswsock.dll File Not found ()
    Winsock: Catalog9-x64 08 mswsock.dll File Not found ()
    Winsock: Catalog9-x64 09 mswsock.dll File Not found ()
    Winsock: Catalog9-x64 10 mswsock.dll File Not found ()
    Winsock: Catalog9-x64 11 mswsock.dll File Not found ()
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
    Tcpip\..\Interfaces\{3B634AEE-6BB1-478B-9E4E-35FBEC5D2DD2}: [NameServer]212.77.192.59 212.77.192.60
    Tcpip\..\Interfaces\{A4E60143-839F-4212-8694-2C4921D717CC}: [NameServer]212.77.192.59 212.77.192.60

    FireFox:
    ========
    FF ProfilePath: C:\Users\dendi\AppData\Roaming\Mozilla\Firefox\Profiles\rlolupo8.default
    FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
    FF Plugin: @microsoft.com/GENUINE - disabled No File
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
    FF Plugin-x32: google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF Plugin-x32: @java.com/DTPlugin,version=10.11.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
    FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
    FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF Extension: ???????? HTTP ?????????? - C:\Users\dendi\AppData\Roaming\Mozilla\Firefox\Profiles\rlolupo8.default\Extensions\{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}

    Chrome:
    =======
    CHR HomePage: hxxp://www.google.com/
    CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
    CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
    CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\PepperFlash\pepflashplayer.dll ()
    CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
    CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll ()
    CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\pdf.dll ()
    CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
    CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
    CHR Plugin: (Java(TM) Platform SE 7 U11) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll No File
    CHR Plugin: (Facebook Video Calling Plugin) - C:\Users\dendi\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
    CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_171.dll No File
    CHR Plugin: (Java Deployment Toolkit 7.0.110.22) - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
    CHR Extension: (Bejeweled) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\adpkifcfcacgmnggcbpbjbkdijciiigm\2_0
    CHR Extension: (Google Docs) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
    CHR Extension: (Google Drive) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
    CHR Extension: (YouTube) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
    CHR Extension: (Google Search) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
    CHR Extension: (AdBlock) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.65_0
    CHR Extension: (Cut the Rope) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkddaofiamhgfjmaccfcfpfolpgbeomj\15_0
    CHR Extension: (Expenses.co.in) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gplpdfhoildmmfmchmhhfgigfhehjdbn\1.0.0.0_0
    CHR Extension: (CouponsHelper) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpeepoceboiddajjkgdccddjkmmiigdh\1.3_0
    CHR Extension: (Poppit) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0
    CHR Extension: (Google Mail Checker) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff\4.4.0_0
    CHR Extension: (Booking.com) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pficdecjkdlnacnnbkociacmdbpmhdoc\1.0.0.6_0
    CHR Extension: (Gmail) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0

    ==================== Services (Whitelisted) =================

    R2 Atheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe [146592 2011-05-20] (Atheros)
    R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-14] (AVG Technologies CZ, s.r.o.)
    R2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-18] (AVG Technologies CZ, s.r.o.)
    S2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [393032 2013-05-13] (BlueStack Systems, Inc.)
    R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [384840 2013-05-13] (BlueStack Systems, Inc.)
    R2 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [346976 2011-03-14] ()
    R2 lmhosts; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
    R2 NlaSvc; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
    R2 nsi; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
    S2 Qtel Mobile Broadband. RunOuc; C:\Program Files (x86)\Qtel Mobile Broadband\UpdateDog\ouc.exe [655712 2012-06-14] ()
    R2 SEVPNCLIENT; C:\Program Files\SoftEther VPN Client\vpnclient_x64.exe [4267064 2013-04-27] (SoftEther Project at University of Tsukuba, Japan.)
    R2 VMwareHostd; C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [15680000 2012-08-15] ()
    R2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1155088 2012-12-20] (Western Digital )
    R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [248840 2012-12-20] (Western Digital)
    R2 WDRulesService; C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe [1178128 2012-12-20] (Western Digital )

    ==================== Drivers (Whitelisted) ====================

    R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-03-29] (AVG Technologies CZ, s.r.o.)
    R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-08] (AVG Technologies CZ, s.r.o.)
    R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-08] (AVG Technologies CZ, s.r.o.)
    R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-08] (AVG Technologies CZ, s.r.o.)
    R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-08] (AVG Technologies CZ, s.r.o.)
    R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-08] (AVG Technologies CZ, s.r.o.)
    R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-21] (AVG Technologies CZ, s.r.o.)
    R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [70984 2013-05-13] (BlueStack Systems)
    R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [70984 2013-05-13] (BlueStack Systems)
    R3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()
    R3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()
    R3 keycrypt; C:\Windows\System32\DRIVERS\KeyCrypt64.sys [26080 2013-05-24] (Zemana Ltd.)
    R3 Neo_VPN; C:\Windows\System32\DRIVERS\Neo_0118.sys [29312 2013-01-26] (SoftEther Corporation)
    S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
    R0 vsock; C:\Windows\System32\drivers\vsock.sys [70256 2012-07-06] (VMware, Inc.)
    S3 massfilter_lte; \??\C:\Windows\system32\drivers\massfilter_lte.sys [x]
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [x]
    S3 VGPU; System32\drivers\rdvgkmd.sys [x]
    S3 zgdcat; system32\DRIVERS\zgdcat.sys [x]
    S3 zgdcdiag; system32\DRIVERS\zgdcdiag.sys [x]
    S3 zgdcmdm; system32\DRIVERS\zgdcmdm.sys [x]
    S3 zgdcnet; system32\DRIVERS\zgdcnet.sys [x]
    S3 zgdcnmea; system32\DRIVERS\zgdcnmea.sys [x]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-06-22 16:30 - 2013-06-22 16:30 - 00000000 ____D C:\FRST
    2013-06-22 16:17 - 2013-06-22 16:17 - 02347384 ____A (ESET) C:\Users\dendi\Downloads\esetsmartinstaller_enu.exe
    2013-06-22 16:17 - 2013-06-22 16:17 - 00000000 ____D C:\Program Files (x86)\ESET
    2013-06-22 16:16 - 2013-06-22 16:16 - 01931364 ____A (Farbar) C:\Users\dendi\Downloads\FRST64.exe
    2013-06-20 22:45 - 2013-06-20 22:45 - 00000000 ____D C:\Program Files (x86)\Twitter
    2013-06-20 22:43 - 2013-06-20 22:44 - 14643200 ____A C:\Users\dendi\Downloads\TweetDeck.msi
    2013-06-20 22:16 - 2013-06-22 15:44 - 00000000 ____D C:\Users\dendi\AppData\Local\AntiLogger Free
    2013-06-20 22:07 - 2013-06-20 22:07 - 00000000 ____D C:\Program Files (x86)\Zemana AntiLogger Free
    2013-06-20 22:07 - 2013-06-20 22:07 - 00000000 ____D C:\Program Files (x86)\KeyCryptSDK
    2013-06-20 22:07 - 2013-05-24 17:08 - 00026080 ____A (Zemana Ltd.) C:\Windows\System32\Drivers\KeyCrypt64.sys
    2013-06-20 22:06 - 2013-06-20 22:06 - 04316560 ____A (Zemana Ltd. ) C:\Users\dendi\Downloads\AntiLoggerFree_Setup_1.6.2.226.exe
    2013-06-19 10:53 - 2013-06-19 10:53 - 26981471 ____A C:\Users\dendi\Downloads\homepage_personal_20130619.psd
    2013-06-19 10:44 - 2013-06-19 10:44 - 26981471 ____A C:\Users\dendi\Downloads\homepage_personal.psd
    2013-06-19 10:21 - 2013-06-19 10:22 - 99012171 ____A C:\Users\dendi\Downloads\Ramadan Charity.rar
    2013-06-18 12:11 - 2013-06-18 12:11 - 00020941 ____A C:\Users\dendi\Desktop\Copy of QODP DB Credentials Cross env's v1 2 (6).xlsx
    2013-06-16 08:48 - 2013-06-16 15:49 - 00009477 ____A C:\Users\dendi\Desktop\Hours - June QTL10.xlsx
    2013-06-13 14:15 - 2013-06-13 14:15 - 01418352 ____A (Juniper Networks, Inc.) C:\Users\dendi\Downloads\JuniperSetupClientInstaller.exe
    2013-06-13 12:48 - 2013-06-13 12:48 - 03502400 ____A (RealVNC Ltd) C:\Users\dendi\Downloads\VNC-Viewer-5.0.5-Windows-64bit.exe
    2013-06-08 23:06 - 2013-06-09 15:07 - 00000141 ____A C:\Users\dendi\Desktop\Numbers.txt
    2013-06-02 16:02 - 2013-06-02 16:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-05-31 23:55 - 2013-05-31 23:55 - 00272531 ____A C:\Users\dendi\Downloads\contacts.csv
    2013-05-31 22:43 - 2013-05-31 22:43 - 00851007 ____A C:\Users\dendi\Downloads\00001.vcf
    2013-05-28 23:46 - 2013-05-29 00:08 - 00000000 ____D C:\Program Files (x86)\SmartBear
    2013-05-28 23:46 - 2013-05-28 23:46 - 00002273 ____A C:\Users\Public\Desktop\soapUI 4.5.2.lnk
    2013-05-28 23:26 - 2013-05-28 23:44 - 143916176 ____A (SmartBear Software) C:\Users\dendi\Downloads\soapUI-x32-4.5.2.exe
    2013-05-23 10:54 - 2013-05-23 10:54 - 00000000 ____D C:\Program Files (x86)\BlueStacks
    2013-05-23 10:53 - 2013-05-23 10:58 - 00000000 ____D C:\ProgramData\BlueStacksSetup
    2013-05-23 10:53 - 2013-05-23 10:54 - 00000000 ____D C:\ProgramData\BlueStacks
    2013-05-23 10:53 - 2013-05-23 10:53 - 11995256 ____A (BlueStack Systems Inc.) C:\Users\dendi\Downloads\BlueStacks-SplitInstaller_native.exe

    ==================== One Month Modified Files and Folders =======

    2013-06-22 16:30 - 2013-06-22 16:30 - 00000000 ____D C:\FRST
    2013-06-22 16:25 - 2013-01-09 09:10 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-06-22 16:22 - 2013-01-18 03:13 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-06-22 16:17 - 2013-06-22 16:17 - 02347384 ____A (ESET) C:\Users\dendi\Downloads\esetsmartinstaller_enu.exe
    2013-06-22 16:17 - 2013-06-22 16:17 - 00000000 ____D C:\Program Files (x86)\ESET
    2013-06-22 16:16 - 2013-06-22 16:16 - 01931364 ____A (Farbar) C:\Users\dendi\Downloads\FRST64.exe
    2013-06-22 16:15 - 2009-07-14 07:45 - 00015488 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-06-22 16:15 - 2009-07-14 07:45 - 00015488 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-06-22 16:11 - 2013-01-09 11:14 - 00000000 ____D C:\Users\dendi\AppData\Roaming\Dropbox
    2013-06-22 16:10 - 2013-01-09 08:37 - 00000000 ____D C:\Users\dendi\AppData\Roaming\Skype
    2013-06-22 16:08 - 2013-01-09 16:12 - 00000000 ____D C:\Users\dendi\Tracing
    2013-06-22 16:06 - 2013-04-06 17:01 - 00000000 ____D C:\Program Files\SoftEther VPN Client
    2013-06-22 16:06 - 2013-01-09 09:10 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-06-22 16:05 - 2013-03-18 00:14 - 00026936 ____A C:\Windows\setupact.log
    2013-06-22 16:05 - 2013-03-14 10:34 - 00000000 ____D C:\ProgramData\VMware
    2013-06-22 16:05 - 2009-07-14 08:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-06-22 15:59 - 2013-03-21 23:33 - 00000000 ____D C:\ProgramData\MFAData
    2013-06-22 15:51 - 2013-02-15 02:00 - 00000962 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1085031214-343818398-725345543-12728Core.job
    2013-06-22 15:44 - 2013-06-20 22:16 - 00000000 ____D C:\Users\dendi\AppData\Local\AntiLogger Free
    2013-06-22 15:44 - 2013-02-15 02:00 - 00000984 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1085031214-343818398-725345543-12728UA.job
    2013-06-22 01:07 - 2013-04-12 15:12 - 00000000 ____D C:\Users\dendi\AppData\Roaming\vlc
    2013-06-22 00:45 - 2013-04-04 21:34 - 00000000 ____D C:\Users\dendi\AppData\Roaming\uTorrent
    2013-06-21 20:56 - 2013-04-19 21:03 - 00000000 ____D C:\Users\dendi\AppData\Local\Pokki
    2013-06-20 22:45 - 2013-06-20 22:45 - 00000000 ____D C:\Program Files (x86)\Twitter
    2013-06-20 22:44 - 2013-06-20 22:43 - 14643200 ____A C:\Users\dendi\Downloads\TweetDeck.msi
    2013-06-20 22:07 - 2013-06-20 22:07 - 00000000 ____D C:\Program Files (x86)\Zemana AntiLogger Free
    2013-06-20 22:07 - 2013-06-20 22:07 - 00000000 ____D C:\Program Files (x86)\KeyCryptSDK
    2013-06-20 22:06 - 2013-06-20 22:06 - 04316560 ____A (Zemana Ltd. ) C:\Users\dendi\Downloads\AntiLoggerFree_Setup_1.6.2.226.exe
    2013-06-20 11:10 - 2013-01-23 08:48 - 00000000 ____D C:\Users\dendi\Desktop\Temporary
    2013-06-19 14:22 - 2013-01-14 18:53 - 00002188 ___AH C:\Users\dendi\Documents\Default.rdp
    2013-06-19 10:53 - 2013-06-19 10:53 - 26981471 ____A C:\Users\dendi\Downloads\homepage_personal_20130619.psd
    2013-06-19 10:44 - 2013-06-19 10:44 - 26981471 ____A C:\Users\dendi\Downloads\homepage_personal.psd
    2013-06-19 10:22 - 2013-06-19 10:21 - 99012171 ____A C:\Users\dendi\Downloads\Ramadan Charity.rar
    2013-06-18 21:40 - 2013-02-12 22:44 - 00000132 ____A C:\Users\dendi\AppData\Roaming\Adobe PNG Format CS5 Prefs
    2013-06-18 21:39 - 2013-02-09 13:20 - 00000000 ____D C:\ProgramData\regid.1986-12.com.adobe
    2013-06-18 21:11 - 2009-07-14 08:13 - 00730528 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-06-18 12:11 - 2013-06-18 12:11 - 00020941 ____A C:\Users\dendi\Desktop\Copy of QODP DB Credentials Cross env's v1 2 (6).xlsx
    2013-06-17 09:10 - 2013-02-05 22:09 - 00000000 ____D C:\Users\dendi\Desktop\Personal
    2013-06-16 15:49 - 2013-06-16 08:48 - 00009477 ____A C:\Users\dendi\Desktop\Hours - June QTL10.xlsx
    2013-06-13 14:15 - 2013-06-13 14:15 - 01418352 ____A (Juniper Networks, Inc.) C:\Users\dendi\Downloads\JuniperSetupClientInstaller.exe
    2013-06-13 12:48 - 2013-06-13 12:48 - 03502400 ____A (RealVNC Ltd) C:\Users\dendi\Downloads\VNC-Viewer-5.0.5-Windows-64bit.exe
    2013-06-12 10:22 - 2013-01-18 03:13 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-06-12 10:22 - 2013-01-18 03:13 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-06-12 08:54 - 2013-01-13 15:45 - 00000000 ____D C:\Users\dendi\Documents\My Received Files
    2013-06-09 15:07 - 2013-06-08 23:06 - 00000141 ____A C:\Users\dendi\Desktop\Numbers.txt
    2013-06-03 08:00 - 2013-01-08 15:27 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2013-06-02 16:02 - 2013-06-02 16:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-06-02 08:04 - 2013-03-21 23:53 - 00042728 ____A C:\Windows\PFRO.log
    2013-05-31 23:55 - 2013-05-31 23:55 - 00272531 ____A C:\Users\dendi\Downloads\contacts.csv
    2013-05-31 22:43 - 2013-05-31 22:43 - 00851007 ____A C:\Users\dendi\Downloads\00001.vcf
    2013-05-29 00:08 - 2013-05-28 23:46 - 00000000 ____D C:\Program Files (x86)\SmartBear
    2013-05-29 00:08 - 2013-01-08 11:25 - 00000000 ____D C:\users\iHorizons
    2013-05-28 23:46 - 2013-05-28 23:46 - 00002273 ____A C:\Users\Public\Desktop\soapUI 4.5.2.lnk
    2013-05-28 23:44 - 2013-05-28 23:26 - 143916176 ____A (SmartBear Software) C:\Users\dendi\Downloads\soapUI-x32-4.5.2.exe
    2013-05-26 10:00 - 2013-04-25 13:13 - 00237056 ____A C:\Users\dendi\Desktop\Octopus_Issue_Feedback_Post_Go_Live_v1 0_2013-23-05.xls
    2013-05-24 17:08 - 2013-06-20 22:07 - 00026080 ____A (Zemana Ltd.) C:\Windows\System32\Drivers\KeyCrypt64.sys
    2013-05-23 10:58 - 2013-05-23 10:53 - 00000000 ____D C:\ProgramData\BlueStacksSetup
    2013-05-23 10:54 - 2013-05-23 10:54 - 00000000 ____D C:\Program Files (x86)\BlueStacks
    2013-05-23 10:54 - 2013-05-23 10:53 - 00000000 ____D C:\ProgramData\BlueStacks
    2013-05-23 10:54 - 2009-07-14 06:20 - 00000000 __RHD C:\Users\Public\Libraries
    2013-05-23 10:53 - 2013-05-23 10:53 - 11995256 ____A (BlueStack Systems Inc.) C:\Users\dendi\Downloads\BlueStacks-SplitInstaller_native.exe

    ZeroAccess:
    C:\Windows\Installer\{b053bc83-39fe-543c-7b96-99a430e0365a}
    C:\Windows\Installer\{b053bc83-39fe-543c-7b96-99a430e0365a}\@

    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini

    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

    ==================== End Of Log ============================
     
  3. Dendi


    The additional log

    Additional scan result of Farbar Recovery Scan Tool (x64) Version: 22-06-2013
    Ran by dendi at 2013-06-22 16:32:55
    Running from C:\Users\dendi\Downloads
    Boot Mode: Normal
    ==========================================================


    ==================== Installed Programs =======================

    µTorrent (x32 Version: 3.3.0.29462)
    64 Bit HP CIO Components Installer (Version: 8.2.1)
    Adobe AIR (x32 Version: 1.5.3.9120)
    Adobe Community Help (x32 Version: 3.0.0)
    Adobe Community Help (x32 Version: 3.0.0.400)
    Adobe Flash Player 11 ActiveX (x32 Version: 11.7.700.224)
    Adobe Flash Player 11 Plugin (x32 Version: 11.7.700.224)
    Adobe Photoshop CS5 (x32 Version: 12.0)
    Adobe Photoshop Lightroom 4.4 64-bit (Version: 4.4.1)
    Adobe Reader Extended Language Support Font Pack (x32 Version: 10.0.0)
    Adobe Reader X (10.1.7) (x32 Version: 10.1.7)
    AntiLogger Free version 1.6.2.226 (x32 Version: 1.6.2.226)
    AVG 2013 (Version: 13.0.3199)
    AVG 2013 (Version: 13.0.3345)
    AVG 2013 (Version: 2013.0.3345)
    BlueStacks App Player (x32 Version: 0.7.12.896)
    BlueStacks Notification Center (x32 Version: 0.7.12.896)
    Bluetooth Win7 Suite (64) (Version: 7.2.0.83)
    Bullzip PDF Printer 9.3.0.1516 (Version: 9.3.0.1516)
    Cisco Systems VPN Client 5.0.07.0290 (Version: 5.0.7)
    CSVed 2.2.3 (x32 Version: 2.2.3)
    CyberLink PhotoDirector 3 (x32 Version: 3.0.3618)
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (x32)
    Dell Resource CD (x32 Version: 1.00.0000)
    Dell WLAN and Bluetooth Client Installation (x32 Version: 9.0)
    Dropbox (HKCU Version: 2.0.22)
    ESET Online Scanner v3 (x32)
    Expert PDF 8 Professional (x32 Version: 8.0.0140.0)
    Facebook Video Calling 1.2.0.287 (x32 Version: 1.2.287)
    Google Chrome (x32 Version: 27.0.1453.116)
    Google Earth (x32 Version: 7.0.3.8542)
    Google Update Helper (x32 Version: 1.3.21.145)
    IDT Audio (x32 Version: 1.0.6341.0)
    Intel(R) Management Engine Components (x32 Version: 7.0.0.1144)
    Intel(R) Processor Graphics (x32 Version: 8.15.10.2342)
    Intel(R) Rapid Storage Technology (x32 Version: 10.1.2.1004)
    Java 7 Update 17 (x32 Version: 7.0.170)
    Java Auto Updater (x32 Version: 2.1.9.0)
    Juniper Networks Network Connect 7.1.0 (x32 Version: 7.1.0.20169)
    Juniper Networks, Inc. Setup Client (HKCU Version: 7.1.6.17115)
    Juniper Networks, Inc. Setup Client Activex Control (x32 Version: 2.1.1.1)
    loadUI 2.1.1 (x32 Version: 2.1.1)
    Microsoft .NET Framework 4 Client Profile (Version: 4.0.30320)
    Microsoft Office 2010 Service Pack 1 (SP1) (x32)
    Microsoft Office Access MUI (English) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Access Setup Metadata MUI (English) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Communicator 2007 R2 (x32 Version: 3.5.6907.266)
    Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Groove MUI (English) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office InfoPath MUI (English) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000)
    Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Professional Plus 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Project MUI (English) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Project Professional 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Proof (English) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Proof (French) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
    Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Project 2010 Service Pack 1 (SP1) (x32)
    Microsoft Project Professional 2010 (x32 Version: 14.0.6029.1000)
    Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (x32 Version: 10.0.40219)
    Microsoft_VC80_ATL_x86 (x32 Version: 8.0.50727.4053)
    Microsoft_VC80_ATL_x86_x64 (Version: 8.0.50727.4053)
    Microsoft_VC80_CRT_x86 (x32 Version: 8.0.50727.4053)
    Microsoft_VC80_CRT_x86_x64 (Version: 8.0.50727.4053)
    Microsoft_VC80_MFC_x86 (x32 Version: 8.0.50727.4053)
    Microsoft_VC80_MFC_x86_x64 (Version: 8.0.50727.4053)
    Microsoft_VC80_MFCLOC_x86 (x32 Version: 8.0.50727.4053)
    Microsoft_VC80_MFCLOC_x86_x64 (Version: 80.50727.4053)
    Microsoft_VC90_ATL_x86 (x32 Version: 1.00.0000)
    Microsoft_VC90_ATL_x86_x64 (Version: 1.00.0000)
    Microsoft_VC90_CRT_x86 (x32 Version: 1.00.0000)
    Microsoft_VC90_CRT_x86_x64 (Version: 1.00.0000)
    Microsoft_VC90_MFC_x86 (x32 Version: 1.00.0000)
    Microsoft_VC90_MFC_x86_x64 (Version: 1.00.0000)
    Mozilla Firefox 21.0 (x86 en-US) (x32 Version: 21.0)
    Mozilla Maintenance Service (x32 Version: 21.0)
    PDF Settings CS5 (x32 Version: 10.0)
    Photomatix Pro version 4.2.6 (Version: 4.2.6)
    Pokki (HKCU Version: 0.263.13.325)
    Qtel Mobile Broadband (x32 Version: 23.003.07.01.183)
    Realtek Ethernet Controller Driver (x32 Version: 7.45.516.2011)
    Samsung Kies (x32 Version: 2.5.2.13021_10)
    SAMSUNG USB Driver for Mobile Phones (Version: 1.5.22.0)
    Skype™ 6.3 (x32 Version: 6.3.107)
    soapUI 4.5.2 4.5.2 (x32 Version: 4.5.2)
    SoftEther VPN Client (Version: 1.00.9074)
    TeamViewer 8 (x32 Version: 8.0.18051)
    tools-freebsd (x32 Version: 9.2.0.812388)
    tools-linux (x32 Version: 9.2.0.812388)
    tools-netware (x32 Version: 9.2.0.812388)
    tools-solaris (x32 Version: 9.2.0.812388)
    tools-windows (x32 Version: 9.2.0.812388)
    tools-winPre2k (x32 Version: 9.2.0.812388)
    TweetDeck (x32 Version: 3.0.2)
    uMark 3 (x32 Version: 3.10)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (x32 Version: 1)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (x32 Version: 1)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (x32 Version: 1)
    Visual Studio 2010 x64 Redistributables (Version: 13.0.0.1)
    VLC media player 2.0.7 (x32 Version: 2.0.7)
    VMware Workstation (Version: 9.0.0)
    VMware Workstation (x32 Version: 9.0.0)
    WD SmartWare (Version: 1.6.5.2)
    WD Software Upgrader (x32 Version: 1.6.5.3)
    WinRAR 4.01 (32-bit) (x32 Version: 4.01.0)

    ==================== Restore Points =========================

    Could not list Restore Points.


    ==================== Hosts content: ==========================
    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    # localhost name resolution is handled within DNS itself.
    ##128.227.248.22ihwiki
    127.0.0.1 activate.adobe.com
    #127.0.0.1 localhost
    127.0.0.1 activate.adobe.com


    ==================== Scheduled Tasks (whitelisted) =============


    ==================== Faulty Device Manager Devices =============

    Name: VMware Virtual Ethernet Adapter for VMnet1
    Description: VMware Virtual Ethernet Adapter for VMnet1
    Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
    Manufacturer: VMware, Inc.
    Service: VMnetAdapter
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

    Name: VMware Virtual Ethernet Adapter for VMnet8
    Description: VMware Virtual Ethernet Adapter for VMnet8
    Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
    Manufacturer: VMware, Inc.
    Service: VMnetAdapter
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

    Name: Dell Wireless 1702 Bluetooth v3.0+HS
    Description: Dell Wireless 1702 Bluetooth v3.0+HS
    Class Guid: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
    Manufacturer: Atheros Communications
    Service: BTHUSB
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

    Name: Cisco Systems VPN Adapter for 64-bit Windows
    Description: Cisco Systems VPN Adapter for 64-bit Windows
    Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
    Manufacturer: Cisco Systems
    Service: CVirtA
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (06/22/2013 04:17:19 PM) (Source: SideBySide) (User: )
    Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
    A component version required by the application conflicts with another component version already active.
    Conflicting components are:.
    Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
    Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

    Error: (06/22/2013 04:17:15 PM) (Source: SideBySide) (User: )
    Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
    A component version required by the application conflicts with another component version already active.
    Conflicting components are:.
    Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
    Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

    Error: (06/22/2013 03:54:02 PM) (Source: RasClient) (User: )
    Description: CoId={EC98BD1A-45A5-4974-A75E-C94A9688A4AE}: The user IHORIZONS\dendi dialed a connection named Amman VPN which has failed. The error code returned on failure is 0.

    Error: (06/22/2013 03:53:33 PM) (Source: RasClient) (User: )
    Description: CoId={8730EBB1-1D70-403D-A2F1-D10ECD126E91}: The user IHORIZONS\dendi dialed a connection named Amman VPN which has failed. The error code returned on failure is 806.

    Error: (06/22/2013 03:51:36 PM) (Source: RasClient) (User: )
    Description: CoId={1A9734D0-72F2-4B94-94E7-0570D377D0B4}: The user IHORIZONS\dendi dialed a connection named Amman VPN which has failed. The error code returned on failure is 806.

    Error: (06/21/2013 08:02:02 PM) (Source: SideBySide) (User: )
    Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
    The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

    Error: (06/21/2013 06:44:13 PM) (Source: RasClient) (User: )
    Description: CoId={2D37D966-49C8-4C45-A06E-2EECD414D570}: The user IHORIZONS\dendi dialed a connection named Amman VPN which has failed. The error code returned on failure is 0.

    Error: (06/21/2013 05:32:41 PM) (Source: VSS) (User: )
    Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{f72fb8c6-59c7-11e2-81a2-806e6f6e6963} - 0000000000000134,0x0053c008,0000000000340840,0,000000000033F830,4096,[0]). hr = 0x80070079, The semaphore timeout period has expired.
    .


    Operation:
    Processing EndPrepareSnapshots

    Context:
    Execution Context: System Provider

    Error: (06/20/2013 10:50:11 AM) (Source: SideBySide) (User: )
    Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
    The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.

    Error: (06/19/2013 09:38:21 AM) (Source: SideBySide) (User: )
    Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
    The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.


    System errors:
    =============
    Error: (06/22/2013 04:08:55 PM) (Source: TermService) (User: )
    Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
    .

    Error: (06/22/2013 04:07:24 PM) (Source: Service Control Manager) (User: )
    Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
    %%-2147024891

    Error: (06/22/2013 04:07:24 PM) (Source: Service Control Manager) (User: )
    Description: The Function Discovery Resource Publication service terminated with the following error:
    %%-2147024891

    Error: (06/22/2013 04:07:15 PM) (Source: DCOM) (User: NT AUTHORITY)
    Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

    Error: (06/22/2013 04:06:25 PM) (Source: Microsoft-Windows-GroupPolicy) (User: IHORIZONS)
    Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

    Error: (06/22/2013 04:06:23 PM) (Source: Microsoft-Windows-GroupPolicy) (User: NT AUTHORITY)
    Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

    Error: (06/22/2013 04:05:46 PM) (Source: Service Control Manager) (User: )
    Description: The Qtel Mobile Broadband. OUC service failed to start due to the following error:
    %%1053

    Error: (06/22/2013 04:05:46 PM) (Source: Service Control Manager) (User: )
    Description: A timeout was reached (30000 milliseconds) while waiting for the Qtel Mobile Broadband. OUC service to connect.

    Error: (06/22/2013 04:05:46 PM) (Source: Service Control Manager) (User: )
    Description: The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

    Error: (06/22/2013 04:05:46 PM) (Source: Service Control Manager) (User: )
    Description: The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.


    Microsoft Office Sessions:
    =========================
    Error: (06/22/2013 04:17:19 PM) (Source: SideBySide)(User: )
    Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\dendi\Downloads\esetsmartinstaller_enu.exe

    Error: (06/22/2013 04:17:15 PM) (Source: SideBySide)(User: )
    Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\dendi\Downloads\esetsmartinstaller_enu.exe

    Error: (06/22/2013 03:54:02 PM) (Source: RasClient)(User: )
    Description: {EC98BD1A-45A5-4974-A75E-C94A9688A4AE}IHORIZONS\dendiAmman VPN0

    Error: (06/22/2013 03:53:33 PM) (Source: RasClient)(User: )
    Description: {8730EBB1-1D70-403D-A2F1-D10ECD126E91}IHORIZONS\dendiAmman VPN806

    Error: (06/22/2013 03:51:36 PM) (Source: RasClient)(User: )
    Description: {1A9734D0-72F2-4B94-94E7-0570D377D0B4}IHORIZONS\dendiAmman VPN806

    Error: (06/21/2013 08:02:02 PM) (Source: SideBySide)(User: )
    Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

    Error: (06/21/2013 06:44:13 PM) (Source: RasClient)(User: )
    Description: {2D37D966-49C8-4C45-A06E-2EECD414D570}IHORIZONS\dendiAmman VPN0

    Error: (06/21/2013 05:32:41 PM) (Source: VSS)(User: )
    Description: DeviceIoControl(\\?\Volume{f72fb8c6-59c7-11e2-81a2-806e6f6e6963} - 0000000000000134,0x0053c008,0000000000340840,0,000000000033F830,4096,[0])0x80070079, The semaphore timeout period has expired.


    Operation:
    Processing EndPrepareSnapshots

    Context:
    Execution Context: System Provider

    Error: (06/20/2013 10:50:11 AM) (Source: SideBySide)(User: )
    Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3

    Error: (06/19/2013 09:38:21 AM) (Source: SideBySide)(User: )
    Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3


    CodeIntegrity Errors:
    ===================================
    Date: 2013-04-23 08:43:21.985
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\ewusbwwan.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2013-04-23 08:43:21.632
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\ewusbwwan.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2013-04-23 08:41:55.956
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\ewusbwwan.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2013-04-23 08:41:55.685
    Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\ewusbwwan.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2013-03-21 22:55:07.937
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

    Date: 2013-03-21 22:38:23.263
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

    Date: 2013-03-21 21:53:42.502
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

    Date: 2013-03-21 21:35:38.815
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

    Date: 2013-03-21 21:27:37.556
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.

    Date: 2013-03-21 21:14:55.907
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sysfer.dll because the set of per-page image hashes could not be found on the system.


    ==================== Memory info ===========================

    Percentage of memory in use: 65%
    Total physical RAM: 4004.27 MB
    Available physical RAM: 1364.96 MB
    Total Pagefile: 8006.74 MB
    Available Pagefile: 4520.16 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.81 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:99.9 GB) (Free:23.39 GB) NTFS (Disk=0 Partition=2)
    Drive d: () (Fixed) (Total:198.09 GB) (Free:24.62 GB) NTFS (Disk=0 Partition=3)

    ==================== MBR & Partition Table ==================

    ==================== End Of Log ============================
     
  4. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click the Search button and post the log (Search.txt) it makes in your reply.
     
  5. Dendi

    Dendi TS Rookie Topic Starter Posts: 36

    Thank you very much, Broni, for the prompt response. Here are the results as requested:

    Farbar Recovery Scan Tool (x64) Version: 22-06-2013
    Ran by mohamed.benmessaoud at 2013-06-23 21:43:10
    Running from C:\Users\dendi\Downloads
    Boot Mode: Normal

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-14 02:19] - [2009-07-14 04:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    C:\Windows\System32\services.exe
    [2009-07-14 02:19] - [2009-07-14 04:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

    ====== End Of Search ======
     
  6. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Download the attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

    Re-run FRST one more time and post the new log.
    Also let me know how the computer is doing.
     
  7. Dendi

    Dendi TS Rookie Topic Starter Posts: 36

    Here is the Fixlog

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 22-06-2013
    Ran by mohamed.benmessaoud at 2013-06-23 22:36:44 Run:1
    Running from C:\Users\dendi\Downloads
    Boot Mode: Normal
    ==============================================

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F => Key deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G => Key deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H => Key deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0da1c840-a657-11e2-8218-ca5426c6984a} => Key deleted successfully.
    HKCR\CLSID\{0da1c840-a657-11e2-8218-ca5426c6984a} => Key not found.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8f088e77-a8d9-11e2-8603-c7e321c0e347} => Key deleted successfully.
    HKCR\CLSID\{8f088e77-a8d9-11e2-8603-c7e321c0e347} => Key not found.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9381be26-abd7-11e2-987f-efe378551f59} => Key deleted successfully.
    HKCR\CLSID\{9381be26-abd7-11e2-987f-efe378551f59} => Key not found.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93c3d6b6-a1a5-11e2-a75c-00ac778b001b} => Key deleted successfully.
    HKCR\CLSID\{93c3d6b6-a1a5-11e2-a75c-00ac778b001b} => Key not found.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93c3d6cd-a1a5-11e2-a75c-00ac778b001b} => Key deleted successfully.
    HKCR\CLSID\{93c3d6cd-a1a5-11e2-a75c-00ac778b001b} => Key not found.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93d8decf-a4c2-11e2-83d0-00ac778b001b} => Key deleted successfully.
    HKCR\CLSID\{93d8decf-a4c2-11e2-83d0-00ac778b001b} => Key not found.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93d8dee5-a4c2-11e2-83d0-00ac778b001b} => Key deleted successfully.
    HKCR\CLSID\{93d8dee5-a4c2-11e2-83d0-00ac778b001b} => Key not found.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{93d8df06-a4c2-11e2-83d0-00ac778b001b} => Key deleted successfully.
    HKCR\CLSID\{93d8df06-a4c2-11e2-83d0-00ac778b001b} => Key not found.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9aac018e-86e9-11e2-870c-e42f57de7c53} => Key deleted successfully.
    HKCR\CLSID\{9aac018e-86e9-11e2-870c-e42f57de7c53} => Key not found.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9aac01d8-86e9-11e2-870c-e42f57de7c53} => Key deleted successfully.
    HKCR\CLSID\{9aac01d8-86e9-11e2-870c-e42f57de7c53} => Key not found.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9aac081a-86e9-11e2-870c-e42f57de7c53} => Key deleted successfully.
    HKCR\CLSID\{9aac081a-86e9-11e2-870c-e42f57de7c53} => Key not found.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cdf5a621-7342-11e2-ae63-00ac778b001b} => Key deleted successfully.
    HKCR\CLSID\{cdf5a621-7342-11e2-ae63-00ac778b001b} => Key not found.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e82726c8-5a1c-11e2-a341-7845c4a33b5a} => Key deleted successfully.
    HKCR\CLSID\{e82726c8-5a1c-11e2-a341-7845c4a33b5a} => Key not found.
    HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\\LibraryPath Error setting value to %SystemRoot%\system32\NLAapi.dll
    HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\\LibraryPath Error setting value to %SystemRoot%\System32\mswsock.dll
    HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\\LibraryPath Error setting value to %SystemRoot%\system32\NLAapi.dll
    HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\\LibraryPath Error setting value to %SystemRoot%\System32\mswsock.dll
    C:\Windows\Installer\{b053bc83-39fe-543c-7b96-99a430e0365a} => File/Directory not found.
    C:\Windows\assembly\GAC_32\Desktop.ini => File/Directory not found.
    C:\Windows\assembly\GAC_64\Desktop.ini => File/Directory not found.
    "C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
    "C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
    C:\Windows\System32\services.exe => Could not move.
    Could not replace C:\Windows\System32\services.exe.

    ==== End of Fixlog ====
     
  8. Dendi

    Dendi TS Rookie Topic Starter Posts: 36

    And here are the results of the second scan

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-06-2013
    Ran by dendi (ATTENTION: The logged in user is not administrator) on 23-06-2013 22:37:50
    Running from C:\Users\dendi\Downloads
    Windows 7 Enterprise Service Pack 1 (X64) OS Language: English(US)
    Internet Explorer Version 10
    Boot Mode: Normal

    ==================== Processes (Whitelisted) =================

    (Huawei Technologies Co., Ltd.) C:\ProgramData\DatacardService\DCSHelper.exe
    (Pokki) C:\Users\dendi\AppData\Local\Pokki\Engine\pokki.exe
    (IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
    (Atheros Commnucations) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
    (Atheros Commnucations) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AthBtTray.exe
    (Intel Corporation) C:\Windows\System32\igfxtray.exe
    (Intel Corporation) C:\Windows\System32\hkcmd.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgui.exe
    (Dropbox, Inc.) C:\Users\dendi\AppData\Roaming\Dropbox\bin\Dropbox.exe
    (Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
    (Zemana Ltd.) C:\Program Files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe
    (Pokki) C:\Users\dendi\AppData\Local\Pokki\Engine\pokki.exe
    (Pokki) C:\Users\dendi\AppData\Local\Pokki\Engine\pokki.exe
    (Pokki) C:\Users\dendi\AppData\Local\Pokki\Engine\pokki.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-05-27] (IDT, Inc.)
    HKLM\...\Run: [AtherosBtStack] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe" [627360 2011-05-20] (Atheros Commnucations)
    HKLM\...\Run: [AthBtTray] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AthBtTray.exe" [379552 2011-05-20] (Atheros Commnucations)
    HKLM\...\RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce [296960 2010-11-20] (Microsoft Corporation)
    HKLM-x32\...\RunOnce: [Trojan Remover] "C:\Program Files (x86)\Trojan Remover\RMVTRJAN.EXE" /restart [4975864 2013-06-20] (Simply Super Software)
    HKCU\...\Run: [Facebook Update] "C:\Users\dendi\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2013-02-15] (Facebook Inc.)
    HKCU\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun [18678376 2013-04-19] (Skype Technologies S.A.)
    HKCU\...\Run: [openvpntray.EXE] C:\Users\dendi\AppData\Roaming\Hotspot Shield\bin\openvpntray.EXE -nonadmin [x]
    HKCU\...\Run: [Mobile Partner] C:\Program Files (x86)\Qtel Mobile Broadband\Qtel Mobile Broadband.exe [515072 2013-04-15] ()
    HKCU\...\Run: [Pokki] C:\Windows\system32\rundll32.exe "%LOCALAPPDATA%\Pokki\Engine\LaunchDeskband.dll",RunLaunchDeskband [x]
    HKCU\...\Run: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [1106288 2013-03-28] (Samsung)
    HKLM-x32\...\Run: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe" /fromrunkey [5164624 2012-11-30] (Microsoft Corporation)
    HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-29] (AVG Technologies CZ, s.r.o.)
    HKLM-x32\...\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [310640 2013-03-28] (Samsung Electronics Co., Ltd.)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-05] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [ZALFree] "C:\Program Files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe" /MINIMIZED [12995376 2013-05-24] (Zemana Ltd.)
    HKLM-x32\...\Run: [TrojanScanner] C:\Program Files (x86)\Trojan Remover\Trjscan.exe /boot [1653008 2013-06-23] (Simply Super Software)
    HKLM-x32\...\Run: [emsisoft anti-malware] "C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe" /d=60 [2916264 2013-05-30] (Emsisoft GmbH)
    AppInit_DLLs: C:\PROGRA~2\KEYCRY~1\KEYCRY~4.DLL [89936 2013-05-24] (Zemana Ltd.)
    AppInit_DLLs-x32: C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL [82696 2013-05-24] (Zemana Ltd.)
    Startup: C:\ProgramData\Start Menu\Programs\Startup\vpngui.exe.lnk
    ShortcutTarget: vpngui.exe.lnk -> C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe ()
    Startup: C:\Users\dendi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> C:\Users\dendi\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

    ==================== Internet (Whitelisted) ====================

    ProxyServer: nhq-proxy:8080
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uae.msn.com/?rd=1&ucc=QA&dcc=QA&opt=1&ocid=iehp&tc=0
    BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL (Microsoft Corporation)
    BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
    BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL (Microsoft Corporation)
    BHO-x32: CIESpeechBHO Class - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll (Atheros Commnucations)
    BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
    DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: HKLM-x32 {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
    Tcpip\..\Interfaces\{3B634AEE-6BB1-478B-9E4E-35FBEC5D2DD2}: [NameServer]212.77.192.59 212.77.192.60
    Tcpip\..\Interfaces\{A4E60143-839F-4212-8694-2C4921D717CC}: [NameServer]212.77.192.59 212.77.192.60

    FireFox:
    ========
    FF ProfilePath: C:\Users\dendi\AppData\Roaming\Mozilla\Firefox\Profiles\rlolupo8.default
    FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
    FF Plugin: @microsoft.com/GENUINE - disabled No File
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
    FF Plugin-x32: google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF Plugin-x32: @java.com/DTPlugin,version=10.11.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
    FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
    FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: @videolan.org/vlc,version=2.0.6 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF Extension: ???????? HTTP ?????????? - C:\Users\dendi\AppData\Roaming\Mozilla\Firefox\Profiles\rlolupo8.default\Extensions\{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}

    Chrome:
    =======
    CHR HomePage: hxxp://www.google.com/
    CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
    CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
    CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\PepperFlash\pepflashplayer.dll ()
    CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
    CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll ()
    CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\pdf.dll ()
    CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
    CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
    CHR Plugin: (Java(TM) Platform SE 7 U11) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll No File
    CHR Plugin: (Facebook Video Calling Plugin) - C:\Users\dendi\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
    CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_171.dll No File
    CHR Plugin: (Java Deployment Toolkit 7.0.110.22) - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
    CHR Extension: (Bejeweled) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\adpkifcfcacgmnggcbpbjbkdijciiigm\2_0
    CHR Extension: (Google Docs) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
    CHR Extension: (Google Drive) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
    CHR Extension: (YouTube) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
    CHR Extension: (Google Search) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
    CHR Extension: (AdBlock) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.65_0
    CHR Extension: (Cut the Rope) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkddaofiamhgfjmaccfcfpfolpgbeomj\15_0
    CHR Extension: (Expenses.co.in) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gplpdfhoildmmfmchmhhfgigfhehjdbn\1.0.0.0_0
    CHR Extension: (CouponsHelper) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpeepoceboiddajjkgdccddjkmmiigdh\1.3_0
    CHR Extension: (Poppit) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0
    CHR Extension: (Google Mail Checker) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff\4.4.0_0
    CHR Extension: (Booking.com) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pficdecjkdlnacnnbkociacmdbpmhdoc\1.0.0.6_0
    CHR Extension: (Gmail) - C:\Users\dendi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0

    ==================== Services (Whitelisted) =================

    R2 a2AntiMalware; C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [2626880 2013-05-30] (Emsisoft GmbH)
    R2 Atheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe [146592 2011-05-20] (Atheros)
    R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-14] (AVG Technologies CZ, s.r.o.)
    R2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-18] (AVG Technologies CZ, s.r.o.)
    S2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [393032 2013-05-13] (BlueStack Systems, Inc.)
    R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [384840 2013-05-13] (BlueStack Systems, Inc.)
    R2 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [346976 2011-03-14] ()
    R2 lmhosts; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
    R2 NlaSvc; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
    R2 nsi; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
    S2 Qtel Mobile Broadband. RunOuc; C:\Program Files (x86)\Qtel Mobile Broadband\UpdateDog\ouc.exe [655712 2012-06-14] ()
    R2 SEVPNCLIENT; C:\Program Files\SoftEther VPN Client\vpnclient_x64.exe [4267064 2013-04-27] (SoftEther Project at University of Tsukuba, Japan.)
    S2 VMwareHostd; C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [15680000 2012-08-15] ()
    R2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1155088 2012-12-20] (Western Digital )
    R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [248840 2012-12-20] (Western Digital)
    R2 WDRulesService; C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe [1178128 2012-12-20] (Western Digital )

    ==================== Drivers (Whitelisted) ====================

    S3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [66320 2012-04-30] (Emsisoft GmbH)
    S3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [66320 2012-04-30] (Emsisoft GmbH)
    R1 A2DDA; C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [26176 2013-03-28] (Emsisoft GmbH)
    R1 A2DDA; C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [26176 2013-03-28] (Emsisoft GmbH)
    R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-03-29] (AVG Technologies CZ, s.r.o.)
    R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-08] (AVG Technologies CZ, s.r.o.)
    R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-08] (AVG Technologies CZ, s.r.o.)
    R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-08] (AVG Technologies CZ, s.r.o.)
    R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-08] (AVG Technologies CZ, s.r.o.)
    R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-08] (AVG Technologies CZ, s.r.o.)
    R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-21] (AVG Technologies CZ, s.r.o.)
    R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [70984 2013-05-13] (BlueStack Systems)
    R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [70984 2013-05-13] (BlueStack Systems)
    R3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()
    R3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()
    R3 keycrypt; C:\Windows\System32\DRIVERS\KeyCrypt64.sys [26080 2013-05-24] (Zemana Ltd.)
    R3 Neo_VPN; C:\Windows\System32\DRIVERS\Neo_0118.sys [29312 2013-01-26] (SoftEther Corporation)
    S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
    R0 vsock; C:\Windows\System32\drivers\vsock.sys [70256 2012-07-06] (VMware, Inc.)
    S3 massfilter_lte; \??\C:\Windows\system32\drivers\massfilter_lte.sys [x]
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [x]
    S3 VGPU; System32\drivers\rdvgkmd.sys [x]
    S3 zgdcat; system32\DRIVERS\zgdcat.sys [x]
    S3 zgdcdiag; system32\DRIVERS\zgdcdiag.sys [x]
    S3 zgdcmdm; system32\DRIVERS\zgdcmdm.sys [x]
    S3 zgdcnet; system32\DRIVERS\zgdcnet.sys [x]
    S3 zgdcnmea; system32\DRIVERS\zgdcnmea.sys [x]

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2013-06-23 22:19 - 2013-06-23 22:19 - 00000000 ____D C:\Users\dendi\Documents\Simply Super Software
    2013-06-23 22:17 - 2013-06-23 22:19 - 00000000 ____D C:\Program Files (x86)\Emsisoft Anti-Malware
    2013-06-23 22:14 - 2013-06-23 22:15 - 00000000 ____D C:\Program Files (x86)\Trojan Remover
    2013-06-23 22:14 - 2013-06-23 22:14 - 00000000 ____D C:\ProgramData\Simply Super Software
    2013-06-23 22:14 - 2003-02-02 20:06 - 00153088 ____A C:\Windows\SysWOW64\UNRAR3.dll
    2013-06-23 22:14 - 2002-03-06 01:00 - 00075264 ____A C:\Windows\SysWOW64\unacev2.dll
    2013-06-23 22:13 - 2013-06-23 22:13 - 00000606 ____A C:\Users\dendi\Downloads\eset.txt
    2013-06-23 22:11 - 2013-06-23 22:11 - 00393040 ____A (Softonic ) C:\Users\dendi\Downloads\SoftonicDownloader_for_trojan-remover.exe
    2013-06-23 22:10 - 2013-06-23 22:15 - 187563056 ____A (Emsisoft GmbH ) C:\Users\dendi\Downloads\EmsisoftAntiMalwareSetup.exe
    2013-06-23 21:43 - 2013-06-23 21:48 - 00000669 ____A C:\Users\dendi\Downloads\Search.txt
    2013-06-23 21:42 - 2013-06-23 21:42 - 01931364 ____A (Farbar) C:\Users\dendi\Downloads\FRST64.exe
    2013-06-23 21:35 - 2013-06-23 21:35 - 02347384 ____A (ESET) C:\Users\dendi\Downloads\esetsmartinstaller_enu.exe
    2013-06-23 08:27 - 2013-06-23 08:27 - 00000056 ____A C:\Windows\setupact.log
    2013-06-23 08:27 - 2013-06-23 08:27 - 00000000 ____A C:\Windows\setuperr.log
    2013-06-22 23:34 - 2013-06-22 23:34 - 00000000 ____D C:\Program Files\CCleaner
    2013-06-22 23:33 - 2013-06-22 23:33 - 04378864 ____A (Piriform Ltd) C:\Users\dendi\Downloads\ccsetup402.exe
    2013-06-22 18:57 - 2013-06-22 23:23 - 00000000 ____D C:\ComboFix
    2013-06-22 17:14 - 2013-06-22 17:14 - 00000000 ____D C:\TDSSKiller_Quarantine
    2013-06-22 17:08 - 2013-06-22 17:09 - 00000000 ____D C:\Qoobox
    2013-06-22 17:05 - 2013-06-22 23:23 - 00000000 ____D C:\Windows\erdnt
    2013-06-22 16:52 - 2013-06-22 23:23 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-06-22 16:52 - 2013-06-22 16:52 - 00000000 ____D C:\ProgramData\Malwarebytes
    2013-06-22 16:32 - 2013-06-22 16:59 - 00023640 ____A C:\Users\dendi\Downloads\Addition.txt
    2013-06-22 16:30 - 2013-06-23 22:36 - 00000000 ____D C:\FRST
    2013-06-22 16:17 - 2013-06-22 16:17 - 00000000 ____D C:\Program Files (x86)\ESET
    2013-06-20 22:45 - 2013-06-20 22:45 - 00000000 ____D C:\Program Files (x86)\Twitter
    2013-06-20 22:43 - 2013-06-20 22:44 - 14643200 ____A C:\Users\dendi\Downloads\TweetDeck.msi
    2013-06-20 22:16 - 2013-06-22 15:44 - 00000000 ____D C:\Users\dendi\AppData\Local\AntiLogger Free
    2013-06-20 22:07 - 2013-06-22 23:23 - 00000000 ____D C:\Program Files (x86)\KeyCryptSDK
    2013-06-20 22:07 - 2013-06-20 22:07 - 00000000 ____D C:\Program Files (x86)\Zemana AntiLogger Free
    2013-06-20 22:07 - 2013-05-24 17:08 - 00026080 ____A (Zemana Ltd.) C:\Windows\System32\Drivers\KeyCrypt64.sys
    2013-06-20 22:06 - 2013-06-20 22:06 - 04316560 ____A (Zemana Ltd. ) C:\Users\dendi\Downloads\AntiLoggerFree_Setup_1.6.2.226.exe
    2013-06-19 10:53 - 2013-06-19 10:53 - 26981471 ____A C:\Users\dendi\Downloads\homepage_personal_20130619.psd
    2013-06-19 10:44 - 2013-06-19 10:44 - 26981471 ____A C:\Users\dendi\Downloads\homepage_personal.psd
    2013-06-19 10:21 - 2013-06-19 10:22 - 99012171 ____A C:\Users\dendi\Downloads\Ramadan Charity.rar
    2013-06-18 12:11 - 2013-06-18 12:11 - 00020941 ____A C:\Users\dendi\Desktop\Copy of QODP DB Credentials Cross env's v1 2 (6).xlsx
    2013-06-16 08:48 - 2013-06-16 15:49 - 00009477 ____A C:\Users\dendi\Desktop\Hours - June QTL10.xlsx
    2013-06-13 14:15 - 2013-06-13 14:15 - 01418352 ____A (Juniper Networks, Inc.) C:\Users\dendi\Downloads\JuniperSetupClientInstaller.exe
    2013-06-13 12:48 - 2013-06-13 12:48 - 03502400 ____A (RealVNC Ltd) C:\Users\dendi\Downloads\VNC-Viewer-5.0.5-Windows-64bit.exe
    2013-06-08 23:06 - 2013-06-09 15:07 - 00000141 ____A C:\Users\dendi\Desktop\Numbers.txt
    2013-06-02 16:02 - 2013-06-22 23:19 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-05-31 23:55 - 2013-05-31 23:55 - 00272531 ____A C:\Users\dendi\Downloads\contacts.csv
    2013-05-31 22:43 - 2013-05-31 22:43 - 00851007 ____A C:\Users\dendi\Downloads\00001.vcf
    2013-05-28 23:46 - 2013-05-29 00:08 - 00000000 ____D C:\Program Files (x86)\SmartBear
    2013-05-28 23:46 - 2013-05-28 23:46 - 00002273 ____A C:\Users\Public\Desktop\soapUI 4.5.2.lnk
    2013-05-28 23:26 - 2013-05-28 23:44 - 143916176 ____A (SmartBear Software) C:\Users\dendi\Downloads\soapUI-x32-4.5.2.exe

    ==================== One Month Modified Files and Folders =======

    2013-06-23 22:36 - 2013-06-22 16:30 - 00000000 ____D C:\FRST
    2013-06-23 22:27 - 2013-03-21 23:33 - 00000000 ____D C:\ProgramData\MFAData
    2013-06-23 22:25 - 2013-01-09 09:10 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-06-23 22:22 - 2013-01-18 03:13 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2013-06-23 22:19 - 2013-06-23 22:19 - 00000000 ____D C:\Users\dendi\Documents\Simply Super Software
    2013-06-23 22:19 - 2013-06-23 22:17 - 00000000 ____D C:\Program Files (x86)\Emsisoft Anti-Malware
    2013-06-23 22:15 - 2013-06-23 22:14 - 00000000 ____D C:\Program Files (x86)\Trojan Remover
    2013-06-23 22:15 - 2013-06-23 22:10 - 187563056 ____A (Emsisoft GmbH ) C:\Users\dendi\Downloads\EmsisoftAntiMalwareSetup.exe
    2013-06-23 22:14 - 2013-06-23 22:14 - 00000000 ____D C:\ProgramData\Simply Super Software
    2013-06-23 22:13 - 2013-06-23 22:13 - 00000606 ____A C:\Users\dendi\Downloads\eset.txt
    2013-06-23 22:11 - 2013-06-23 22:11 - 00393040 ____A (Softonic ) C:\Users\dendi\Downloads\SoftonicDownloader_for_trojan-remover.exe
    2013-06-23 21:48 - 2013-06-23 21:43 - 00000669 ____A C:\Users\dendi\Downloads\Search.txt
    2013-06-23 21:42 - 2013-06-23 21:42 - 01931364 ____A (Farbar) C:\Users\dendi\Downloads\FRST64.exe
    2013-06-23 21:35 - 2013-06-23 21:35 - 02347384 ____A (ESET) C:\Users\dendi\Downloads\esetsmartinstaller_enu.exe
    2013-06-23 21:25 - 2013-01-09 11:14 - 00000000 ____D C:\Users\dendi\AppData\Roaming\Dropbox
    2013-06-23 20:30 - 2013-01-09 08:37 - 00000000 ____D C:\Users\dendi\AppData\Roaming\Skype
    2013-06-23 20:29 - 2013-02-15 02:00 - 00000984 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1085031214-343818398-725345543-12728UA.job
    2013-06-23 16:10 - 2013-01-14 18:53 - 00002188 ___AH C:\Users\dendi\Documents\Default.rdp
    2013-06-23 08:37 - 2009-07-14 07:45 - 00015488 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-06-23 08:37 - 2009-07-14 07:45 - 00015488 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-06-23 08:28 - 2013-01-09 16:12 - 00000000 ____D C:\Users\dendi\Tracing
    2013-06-23 08:27 - 2013-06-23 08:27 - 00000056 ____A C:\Windows\setupact.log
    2013-06-23 08:27 - 2013-06-23 08:27 - 00000000 ____A C:\Windows\setuperr.log
    2013-06-23 08:27 - 2013-04-06 17:01 - 00000000 ____D C:\Program Files\SoftEther VPN Client
    2013-06-23 08:27 - 2013-03-14 10:34 - 00000000 ____D C:\ProgramData\VMware
    2013-06-23 08:27 - 2013-01-09 09:10 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-06-23 08:27 - 2009-07-14 08:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2013-06-22 23:37 - 2013-01-08 22:16 - 00000000 ____D C:\Windows\Panther
    2013-06-22 23:34 - 2013-06-22 23:34 - 00000000 ____D C:\Program Files\CCleaner
    2013-06-22 23:33 - 2013-06-22 23:33 - 04378864 ____A (Piriform Ltd) C:\Users\dendi\Downloads\ccsetup402.exe
    2013-06-22 23:27 - 2013-01-08 11:25 - 00000000 ____D C:\users\iHorizons
    2013-06-22 23:25 - 2013-01-08 16:45 - 00000000 ____D C:\users\dendi
    2013-06-22 23:24 - 2013-01-08 15:24 - 00000000 ____D C:\users\mohammad.marei
    2013-06-22 23:23 - 2013-06-22 18:57 - 00000000 ____D C:\ComboFix
    2013-06-22 23:23 - 2013-06-22 17:05 - 00000000 ____D C:\Windows\erdnt
    2013-06-22 23:23 - 2013-06-22 16:52 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-06-22 23:23 - 2013-06-20 22:07 - 00000000 ____D C:\Program Files (x86)\KeyCryptSDK
    2013-06-22 23:23 - 2013-04-27 22:31 - 00000000 ____D C:\Program Files (x86)\Mega Codec Pack
    2013-06-22 23:23 - 2013-04-12 15:12 - 00000000 ____D C:\Users\dendi\AppData\Roaming\vlc
    2013-06-22 23:23 - 2013-04-04 21:34 - 00000000 ____D C:\Users\dendi\AppData\Roaming\uTorrent
    2013-06-22 23:23 - 2009-07-14 08:32 - 00000000 ____D C:\Program Files\Windows Defender
    2013-06-22 23:23 - 2009-07-14 06:20 - 00000000 ____D C:\Windows\registration
    2013-06-22 23:23 - 2009-07-14 06:20 - 00000000 ____D C:\Windows\AppCompat
    2013-06-22 23:20 - 2013-04-19 21:03 - 00000000 ____D C:\Users\dendi\AppData\Local\Pokki
    2013-06-22 23:19 - 2013-06-02 16:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2013-06-22 17:14 - 2013-06-22 17:14 - 00000000 ____D C:\TDSSKiller_Quarantine
    2013-06-22 17:09 - 2013-06-22 17:08 - 00000000 ____D C:\Qoobox
    2013-06-22 16:59 - 2013-06-22 16:32 - 00023640 ____A C:\Users\dendi\Downloads\Addition.txt
    2013-06-22 16:52 - 2013-06-22 16:52 - 00000000 ____D C:\ProgramData\Malwarebytes
    2013-06-22 16:17 - 2013-06-22 16:17 - 00000000 ____D C:\Program Files (x86)\ESET
    2013-06-22 15:44 - 2013-06-20 22:16 - 00000000 ____D C:\Users\dendi\AppData\Local\AntiLogger Free
    2013-06-20 22:45 - 2013-06-20 22:45 - 00000000 ____D C:\Program Files (x86)\Twitter
    2013-06-20 22:44 - 2013-06-20 22:43 - 14643200 ____A C:\Users\dendi\Downloads\TweetDeck.msi
    2013-06-20 22:07 - 2013-06-20 22:07 - 00000000 ____D C:\Program Files (x86)\Zemana AntiLogger Free
    2013-06-20 22:06 - 2013-06-20 22:06 - 04316560 ____A (Zemana Ltd. ) C:\Users\dendi\Downloads\AntiLoggerFree_Setup_1.6.2.226.exe
    2013-06-20 11:10 - 2013-01-23 08:48 - 00000000 ____D C:\Users\dendi\Desktop\Temporary
    2013-06-19 10:53 - 2013-06-19 10:53 - 26981471 ____A C:\Users\dendi\Downloads\homepage_personal_20130619.psd
    2013-06-19 10:44 - 2013-06-19 10:44 - 26981471 ____A C:\Users\dendi\Downloads\homepage_personal.psd
    2013-06-19 10:22 - 2013-06-19 10:21 - 99012171 ____A C:\Users\dendi\Downloads\Ramadan Charity.rar
    2013-06-18 21:40 - 2013-02-12 22:44 - 00000132 ____A C:\Users\dendi\AppData\Roaming\Adobe PNG Format CS5 Prefs
    2013-06-18 21:39 - 2013-02-09 13:20 - 00000000 ____D C:\ProgramData\regid.1986-12.com.adobe
    2013-06-18 21:11 - 2009-07-14 08:13 - 00730528 ____A C:\Windows\System32\PerfStringBackup.INI
    2013-06-18 12:11 - 2013-06-18 12:11 - 00020941 ____A C:\Users\dendi\Desktop\Copy of QODP DB Credentials Cross env's v1 2 (6).xlsx
    2013-06-17 09:10 - 2013-02-05 22:09 - 00000000 ____D C:\Users\dendi\Desktop\Personal
    2013-06-16 15:49 - 2013-06-16 08:48 - 00009477 ____A C:\Users\dendi\Desktop\Hours - June QTL10.xlsx
    2013-06-14 09:33 - 2013-02-15 02:00 - 00000962 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1085031214-343818398-725345543-12728Core.job
    2013-06-13 14:15 - 2013-06-13 14:15 - 01418352 ____A (Juniper Networks, Inc.) C:\Users\dendi\Downloads\JuniperSetupClientInstaller.exe
    2013-06-13 12:48 - 2013-06-13 12:48 - 03502400 ____A (RealVNC Ltd) C:\Users\dendi\Downloads\VNC-Viewer-5.0.5-Windows-64bit.exe
    2013-06-12 10:22 - 2013-01-18 03:13 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2013-06-12 10:22 - 2013-01-18 03:13 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2013-06-12 08:54 - 2013-01-13 15:45 - 00000000 ____D C:\Users\dendi\Documents\My Received Files
    2013-06-09 15:07 - 2013-06-08 23:06 - 00000141 ____A C:\Users\dendi\Desktop\Numbers.txt
    2013-06-03 08:00 - 2013-01-08 15:27 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2013-05-31 23:55 - 2013-05-31 23:55 - 00272531 ____A C:\Users\dendi\Downloads\contacts.csv
    2013-05-31 22:43 - 2013-05-31 22:43 - 00851007 ____A C:\Users\dendi\Downloads\00001.vcf
    2013-05-29 00:08 - 2013-05-28 23:46 - 00000000 ____D C:\Program Files (x86)\SmartBear
    2013-05-28 23:46 - 2013-05-28 23:46 - 00002273 ____A C:\Users\Public\Desktop\soapUI 4.5.2.lnk
    2013-05-28 23:44 - 2013-05-28 23:26 - 143916176 ____A (SmartBear Software) C:\Users\dendi\Downloads\soapUI-x32-4.5.2.exe
    2013-05-26 10:00 - 2013-04-25 13:13 - 00237056 ____A C:\Users\dendi\Desktop\Octopus_Issue_Feedback_Post_Go_Live_v1 0_2013-23-05.xls
    2013-05-24 17:08 - 2013-06-20 22:07 - 00026080 ____A (Zemana Ltd.) C:\Windows\System32\Drivers\KeyCrypt64.sys

    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== End Of Log ============================
     
  9. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    How is the computer doing now?

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
     
  10. Dendi

    Dendi TS Rookie Topic Starter Posts: 36

    Hi, well so far there is no strange behavior, but I believe that the trojans are still there. I will execute the steps as advised and revert back with the results.

    Thanks again for taking the time to assist me.
     
  11. Broni

    Broni Malware Annihilator Posts: 47,975   +271

     
  12. Dendi

    Dendi TS Rookie Topic Starter Posts: 36

    Malwarebytes Log:

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.06.23.06

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 10.0.9200.16521
    iHorizons :: BENMESSA-LAPTOP [administrator]

    6/23/2013 10:55:13 PM
    mbam-log-2013-06-23 (22-55-13).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 260853
    Time elapsed: 7 minute(s), 32 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Users\dendi\Downloads\wirelesskeyview-x64.zip (PUP.WirelessKeyView) -> Quarantined and deleted successfully.

    (end)
     
  13. Dendi

    Dendi TS Rookie Topic Starter Posts: 36

    Log from DDS

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 10.0.9200.16521
    Run by iHorizons at 23:05:54 on 2013-06-23
    Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.4004.1136 [GMT 3:00]
    .
    AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
    AV: Emsisoft Anti-Malware *Enabled/Updated* {8504DEEF-CC04-1F76-2137-F1A5F4A659DA}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Emsisoft Anti-Malware *Enabled/Updated* {3E653F0B-EA3E-10F8-1B87-CAD78F211367}
    SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
    C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\IDT\WDM\STacSV64.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\spoolsv.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\IDT\WDM\AESTSr64.exe
    C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe
    C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe
    C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
    C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
    C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
    C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
    C:\ProgramData\DatacardService\HWDeviceService64.exe
    C:\ProgramData\Qtel Mobile Broadband\OnlineUpdate\ouc.exe
    C:\Program Files\SoftEther VPN Client\vpnclient_x64.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
    C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files (x86)\Google\Update\1.3.21.145\GoogleCrashHandler.exe
    C:\Program Files (x86)\Google\Update\1.3.21.145\GoogleCrashHandler64.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\SysWOW64\vmnat.exe
    C:\ProgramData\DatacardService\DCSHelper.exe
    C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
    C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe
    C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
    C:\Windows\SysWOW64\vmnetdhcp.exe
    C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
    C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\rundll32.exe
    C:\Users\mohamed.benmessaoud\AppData\Local\Pokki\Engine\pokki.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
    C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AthBtTray.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\System32\WUDFHost.exe
    C:\Program Files (x86)\AVG\AVG2013\avgui.exe
    C:\Users\mohamed.benmessaoud\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
    C:\Program Files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Users\mohamed.benmessaoud\AppData\Local\Pokki\Engine\pokki.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    C:\Users\mohamed.benmessaoud\AppData\Local\Pokki\Engine\pokki.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Users\mohamed.benmessaoud\AppData\Local\Pokki\Engine\pokki.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\vssvc.exe
    C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
    C:\Windows\system32\taskeng.exe
    C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2guard.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mWinlogon: Userinit = userinit.exe,
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
    BHO: CIESpeechBHO Class: {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
    uRun: [KiesPreload] C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload
    mRun: [Communicator] "C:\Program Files (x86)\Microsoft Office Communicator\communicator.exe" /fromrunkey
    mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
    mRun: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [ZALFree] "C:\Program Files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe" /MINIMIZED
    mRun: [TrojanScanner] C:\Program Files (x86)\Trojan Remover\Trjscan.exe /boot
    mRun: [emsisoft anti-malware] "c:\program files (x86)\emsisoft anti-malware\a2guard.exe" /d=60
    mRunOnce: [Trojan Remover] "C:\Program Files (x86)\Trojan Remover\RMVTRJAN.EXE" /restart
    mRunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    dRunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {7815BE26-237D-41A8-A98F-F7BD75F71086} - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    LSP: %windir%\system32\vsocklib.dll
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    TCP: NameServer = 192.168.0.1
    TCP: Interfaces\{3B634AEE-6BB1-478B-9E4E-35FBEC5D2DD2} : NameServer = 212.77.192.59 212.77.192.60
    TCP: Interfaces\{A4E60143-839F-4212-8694-2C4921D717CC} : NameServer = 212.77.192.59 212.77.192.60
    TCP: Interfaces\{F5636B3B-4D9E-43CA-B511-FCC8716507BC} : DHCPNameServer = 192.168.0.1
    TCP: Interfaces\{F5636B3B-4D9E-43CA-B511-FCC8716507BC}\44A616A716962796 : DHCPNameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{F5636B3B-4D9E-43CA-B511-FCC8716507BC}\A4F65697021405 : DHCPNameServer = 192.168.43.1
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    AppInit_DLLs= C:\PROGRA~2\KEYCRY~1\KEYCRY~3.DLL
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
    mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
    x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
    x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
    x64-Run: [AtherosBtStack] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe"
    x64-Run: [AthBtTray] "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AthBtTray.exe"
    x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
    x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
    x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
    x64-RunOnce: [*Restore] C:\Windows\System32\rstrui.exe /runonce
    x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Notify: igfxcui - igfxdev.dll
    x64-SSODL: WebCheck - <orphaned>
    x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
    Hosts: 128.227.248.22 ihwiki
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath -
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2013-2-8 71480]
    R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2013-2-8 311096]
    R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2013-2-8 116536]
    R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2013-2-8 45880]
    R0 vsock;vSockets Driver;C:\Windows\System32\drivers\vsock.sys [2013-3-14 70256]
    R1 A2DDA;A2 Direct Disk Access Support Driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2013-6-23 26176]
    R1 a2injectiondriver;a2injectiondriver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2dix64.sys [2013-6-23 44688]
    R1 a2util;a-squared Malware-IDS utility driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2util64.sys [2013-6-23 17384]
    R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2013-3-29 246072]
    R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2013-2-8 206136]
    R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2013-3-21 240952]
    R2 a2AntiMalware;Emsisoft Anti-Malware 7.0 - Service;C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [2013-6-23 2626880]
    R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2013-1-8 89600]
    R2 Atheros Bt&Wlan Coex Agent;Atheros Bt&Wlan Coex Agent;C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe [2011-5-20 146592]
    R2 AtherosSvc;AtherosSvc;C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe [2011-5-20 80032]
    R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2013-5-14 4937264]
    R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2013-4-18 283136]
    R2 BstHdDrv;BlueStacks Hypervisor;C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [2013-5-13 70984]
    R2 BstHdLogRotatorSvc;BlueStacks Log Rotator Service;C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [2013-5-13 384840]
    R2 HWDeviceService64.exe;HWDeviceService64.exe;C:\ProgramData\DatacardService\HWDeviceService64.exe [2011-3-14 346976]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-1-8 13336]
    R2 SEVPNCLIENT;SoftEther VPN Client;C:\Program Files\SoftEther VPN Client\vpnclient_x64.exe [2013-4-6 4267064]
    R2 TeamViewer8;TeamViewer 8;C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [2013-1-13 3574624]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2013-1-8 2656280]
    R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2012-8-1 917656]
    R2 WDBackup;WD Backup;C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [2012-12-20 1155088]
    R2 WDDriveService;WD Drive Manager;C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [2012-12-20 248840]
    R2 WDRulesService;WD Rules;C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe [2012-12-20 1178128]
    R3 a2acc;a2acc;C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys [2013-6-23 66320]
    R3 BTATH_BUS;Atheros Bluetooth Bus;C:\Windows\System32\drivers\btath_bus.sys [2011-5-20 29344]
    R3 huawei_enumerator;huawei_enumerator;C:\Windows\System32\drivers\ew_jubusenum.sys [2013-4-23 90112]
    R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2013-1-8 317440]
    R3 keycrypt;keycrypt;C:\Windows\System32\drivers\KeyCrypt64.sys [2013-6-20 26080]
    R3 Neo_VPN;VPN Client Device Driver - VPN;C:\Windows\System32\drivers\Neo_0118.sys [2013-1-26 29312]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
    S2 BstHdAndroidSvc;BlueStacks Android Service;C:\Program Files (x86)\BlueStacks\HD-Service.exe [2013-5-13 393032]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 Qtel Mobile Broadband. RunOuc;Qtel Mobile Broadband. OUC;C:\Program Files (x86)\Qtel Mobile Broadband\UpdateDog\ouc.exe [2013-4-15 655712]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-2-28 161384]
    S2 VMwareHostd;VMware Workstation Server;C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe [2012-8-15 15680000]
    S3 AthBTPort;Atheros Virtual Bluetooth Class;C:\Windows\System32\drivers\btath_flt.sys [2011-5-20 36000]
    S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;C:\Windows\System32\drivers\btath_a2dp.sys [2011-5-20 298656]
    S3 BTATH_HCRP;Bluetooth HCRP Server driver;C:\Windows\System32\drivers\btath_hcrp.sys [2011-5-20 201376]
    S3 BTATH_LWFLT;Bluetooth LWFLT Device;C:\Windows\System32\drivers\btath_lwflt.sys [2011-5-20 55456]
    S3 BTATH_RCP;Bluetooth AVRCP Device;C:\Windows\System32\drivers\btath_rcp.sys [2011-5-20 154272]
    S3 BtFilter;BtFilter;C:\Windows\System32\drivers\btfilter.sys [2011-5-20 282272]
    S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2013-4-19 102936]
    S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\Windows\System32\drivers\ew_hwusbdev.sys [2013-4-23 117248]
    S3 ew_usbenumfilter;huawei_CompositeFilter;C:\Windows\System32\drivers\ew_usbenumfilter.sys [2013-4-23 13952]
    S3 ewusbmbb;HUAWEI USB-WWAN miniport;C:\Windows\System32\drivers\ewusbwwan.sys [2013-4-23 450048]
    S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-1-13 19456]
    S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2013-4-19 203544]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
    S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-1-13 57856]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-1-9 1255736]
    S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
    .
    =============== Created Last 30 ================
    .
    2013-06-23 19:53:36  25928  ----a-w-  C:\Windows\System32\drivers\mbam.sys
    2013-06-23 19:17:13  --------  d-----w-  C:\Program Files (x86)\Emsisoft Anti-Malware
    2013-06-23 19:14:07  75264  ----a-w-  C:\Windows\SysWow64\unacev2.dll
    2013-06-23 19:14:06  153088  ----a-w-  C:\Windows\SysWow64\UNRAR3.dll
    2013-06-23 19:14:05  --------  d-----w-  C:\Users\iHorizons\AppData\Roaming\Simply Super Software
    2013-06-23 19:14:05  --------  d-----w-  C:\ProgramData\Simply Super Software
    2013-06-23 19:14:05  --------  d-----w-  C:\Program Files (x86)\Trojan Remover
    2013-06-22 20:34:16  --------  d-----w-  C:\Program Files\CCleaner
    2013-06-22 15:57:55  --------  d-----w-  C:\ComboFix
    2013-06-22 14:14:07  --------  d-----w-  C:\TDSSKiller_Quarantine
    2013-06-22 13:53:12  --------  d-----w-  C:\Users\iHorizons\AppData\Roaming\Malwarebytes
    2013-06-22 13:52:42  --------  d-----w-  C:\ProgramData\Malwarebytes
    2013-06-22 13:52:41  --------  d-----w-  C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2013-06-22 13:30:15  --------  d-----w-  C:\FRST
    2013-06-22 13:17:30  --------  d-----w-  C:\Program Files (x86)\ESET
    2013-06-20 19:45:35  --------  d-----w-  C:\Program Files (x86)\Twitter
    2013-06-20 19:07:11  26080  ----a-w-  C:\Windows\System32\drivers\KeyCrypt64.sys
    2013-06-20 19:07:11  --------  d-----w-  C:\Program Files (x86)\KeyCryptSDK
    2013-06-20 19:07:10  --------  d-----w-  C:\Users\iHorizons\AppData\Local\AntiLogger Free
    2013-06-20 19:07:10  --------  d-----w-  C:\Program Files (x86)\Zemana AntiLogger Free
    2013-05-28 21:08:32  --------  d-----w-  C:\Users\iHorizons\.loadui
    2013-05-28 20:46:34  --------  d-----w-  C:\Users\iHorizons\tempLoadUI
    2013-05-28 20:46:22  --------  d-----w-  C:\Program Files (x86)\SmartBear
    .
    ==================== Find3M ====================
    .
    2013-06-12 07:22:19  71048  ----a-w-  C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-06-12 07:22:19  692104  ----a-w-  C:\Windows\SysWow64\FlashPlayerApp.exe
    2013-05-05 05:47:18  524  ----a-w-  C:\Users\iHorizons\AppData\Roaming\clean.bat
    2013-04-27 00:18:55  135736  ----a-w-  C:\Windows\System32\vpncmd.exe
    2013-03-28 23:53:48  246072  ----a-w-  C:\Windows\System32\drivers\avgidsdrivera.sys
    .
    ============= FINISH: 23:06:42.13 ===============
     
  14. Dendi

    Dendi TS Rookie Topic Starter Posts: 36

    Attaching attach.txt as requested
     

  15. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Please observe forum rules.
    ALL logs have to be pasted not attached.
     
  16. Dendi

    Dendi TS Rookie Topic Starter Posts: 36

    Apologies, pasting attach.txt

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Enterprise
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/8/2013 11:25:22 AM
    System Uptime: 6/23/2013 11:40:19 AM (12 hours ago)
    .
    Motherboard: Dell Inc. | | 01HXXJ
    Processor: Intel(R) Core(TM) i3-2370M CPU @ 2.40GHz | CPU 1 | 2394/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 100 GiB total, 23.164 GiB free.
    D: is FIXED (NTFS) - 198 GiB total, 47.212 GiB free.
    E: is CDROM ()
    G: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: VMware Virtual Ethernet Adapter for VMnet1
    Device ID: ROOT\VMWARE\0000
    Manufacturer: VMware, Inc.
    Name: VMware Virtual Ethernet Adapter for VMnet1
    PNP Device ID: ROOT\VMWARE\0000
    Service: VMnetAdapter
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: VMware Virtual Ethernet Adapter for VMnet8
    Device ID: ROOT\VMWARE\0001
    Manufacturer: VMware, Inc.
    Name: VMware Virtual Ethernet Adapter for VMnet8
    PNP Device ID: ROOT\VMWARE\0001
    Service: VMnetAdapter
    .
    Class GUID: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
    Description: Dell Wireless 1702 Bluetooth v3.0+HS
    Device ID: USB\VID_0CF3&PID_3002\6&38606CA1&0&4
    Manufacturer: Atheros Communications
    Name: Dell Wireless 1702 Bluetooth v3.0+HS
    PNP Device ID: USB\VID_0CF3&PID_3002\6&38606CA1&0&4
    Service: BTHUSB
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Cisco Systems VPN Adapter for 64-bit Windows
    Device ID: ROOT\NET\0001
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter for 64-bit Windows
    PNP Device ID: ROOT\NET\0001
    Service: CVirtA
    .
    ==== System Restore Points ===================
    .
    RP74: 6/22/2013 11:41:53 PM - Removed BlueStacks Notification Center
    .
    ==== Installed Programs ======================
    .
    µTorrent
    64 Bit HP CIO Components Installer
    Adobe AIR
    Adobe Community Help
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Photoshop CS5
    Adobe Photoshop Lightroom 4.4 64-bit
    Adobe Reader Extended Language Support Font Pack
    Adobe Reader X (10.1.7)
    AntiLogger Free version 1.6.2.226
    AVG 2013
    BlueStacks Notification Center
    Bluetooth Win7 Suite (64)
    Bullzip PDF Printer 9.3.0.1516
    CCleaner
    Cisco Systems VPN Client 5.0.07.0290
    CSVed 2.2.3
    CyberLink PhotoDirector 3
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Dell Resource CD
    Dell WLAN and Bluetooth Client Installation
    Emsisoft Anti-Malware
    ESET Online Scanner v3
    Expert PDF 8 Professional
    Facebook Video Calling 1.2.0.287
    Google Chrome
    Google Earth
    Google Update Helper
    Hotfix for Microsoft .NET Framework 4 Client Profile (KB2461678)
    IDT Audio
    Intel(R) Management Engine Components
    Intel(R) Processor Graphics
    Intel(R) Rapid Storage Technology
    Java 7 Update 17
    Java Auto Updater
    Juniper Networks Network Connect 7.1.0
    Juniper Networks, Inc. Setup Client Activex Control
    loadUI 2.1.1
    Malwarebytes Anti-Malware version 1.75.0.1300
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Communicator 2007 R2
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office Office 64-bit Components 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Project MUI (English) 2010
    Microsoft Office Project Professional 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared 64-bit MUI (English) 2010
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Project 2010 Service Pack 1 (SP1)
    Microsoft Project Professional 2010
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_ATL_x86_x64
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_CRT_x86_x64
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFC_x86_x64
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC80_MFCLOC_x86_x64
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_ATL_x86_x64
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_CRT_x86_x64
    Microsoft_VC90_MFC_x86
    Microsoft_VC90_MFC_x86_x64
    Mozilla Firefox 21.0 (x86 en-US)
    Mozilla Maintenance Service
    PDF Settings CS5
    Photomatix Pro version 4.2.6
    Qtel Mobile Broadband
    Realtek Ethernet Controller Driver
    Samsung Kies
    SAMSUNG USB Driver for Mobile Phones
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
    Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition
    Security Update for Microsoft InfoPath 2010 (KB2687417) 32-Bit Edition
    Security Update for Microsoft InfoPath 2010 (KB2687436) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553091)
    Security Update for Microsoft Office 2010 (KB2553096)
    Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
    Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
    Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
    Security Update for Microsoft Visio 2010 (KB2687508) 32-Bit Edition
    Security Update for Microsoft Visio Viewer 2010 (KB2598287) 32-Bit Edition
    Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition
    Skype™ 6.3
    soapUI 4.5.2 4.5.2
    SoftEther VPN Client
    TeamViewer 8
    tools-freebsd
    tools-linux
    tools-netware
    tools-solaris
    tools-windows
    tools-winPre2k
    Trojan Remover 6.8.7
    uMark 3
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Visual Studio 2010 x64 Redistributables
    VLC media player 2.0.7
    VMware Workstation
    WD SmartWare
    WD Software Upgrader
    WinRAR 4.01 (32-bit)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/23/2013 8:32:27 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Run the configured recovery program) after the unexpected termination of the VMware Workstation Server service, but this action failed with the following error:
    6/23/2013 8:31:27 AM, Error: Service Control Manager [7031] - The VMware Workstation Server service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Run the configured recovery program.
    6/23/2013 8:30:23 AM, Error: Service Control Manager [7031] - The VMware Workstation Server service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    6/23/2013 8:30:06 AM, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067] - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. .
    6/23/2013 8:28:58 AM, Error: Service Control Manager [7031] - The VMware Workstation Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    6/23/2013 8:28:26 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    6/23/2013 8:27:31 AM, Error: Service Control Manager [7023] - The BlueStacks Android Service service terminated with the following error: An exception occurred in the service when handling the control request.
    6/23/2013 8:27:14 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Qtel Mobile Broadband. OUC service to connect.
    6/23/2013 8:27:14 AM, Error: Service Control Manager [7000] - The Qtel Mobile Broadband. OUC service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/23/2013 5:13:01 PM, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.
    6/23/2013 10:58:57 PM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain IHORIZONS due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
    6/23/2013 10:58:57 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
    6/23/2013 1:42:08 AM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.
    6/22/2013 7:04:12 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    6/22/2013 6:58:00 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
    6/22/2013 6:45:57 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    6/22/2013 5:45:35 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    6/22/2013 5:45:35 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    6/22/2013 5:45:03 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AVGIDSDriver Avgldx64 Avgtdia CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf ws2ifsl
    6/22/2013 5:45:02 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    6/22/2013 5:45:02 PM, Error: Service Control Manager [7001] - The VMware Workstation Server service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
    6/22/2013 5:45:02 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    6/22/2013 5:45:02 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    6/22/2013 5:45:02 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    6/22/2013 5:45:02 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    6/22/2013 5:45:02 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    6/22/2013 5:45:02 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    6/22/2013 5:45:02 PM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    6/22/2013 5:45:02 PM, Error: Service Control Manager [7001] - The Netlogon service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
    6/22/2013 5:45:02 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    6/22/2013 5:45:02 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    6/22/2013 5:45:02 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    6/22/2013 5:25:49 PM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    6/22/2013 4:07:24 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
    6/22/2013 4:07:24 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
    6/22/2013 4:05:46 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    6/22/2013 4:05:46 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    6/22/2013 4:05:44 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    6/22/2013 11:26:34 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the VMware Workstation Server service to connect.
    6/22/2013 11:26:34 PM, Error: Service Control Manager [7000] - The VMware Workstation Server service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/22/2013 11:17:04 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    6/22/2013 11:16:14 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    6/22/2013 11:15:54 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    6/22/2013 11:14:42 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    6/22/2013 11:14:39 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    6/22/2013 11:14:31 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    6/22/2013 11:13:54 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AVGIDSDriver Avgldx64 discache spldr Wanarpv6
    6/22/2013 11:13:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
    6/22/2013 11:13:53 PM, Error: Service Control Manager [7023] - The WinDefend service terminated with the following error: Access is denied.
    6/22/2013 11:13:53 PM, Error: Service Control Manager [7001] - The VMware Workstation Server service depends on the VMware Authorization Service service which failed to start because of the following error: The dependency service or group failed to start.
    6/22/2013 11:13:52 PM, Error: Service Control Manager [7001] - The AVGIDSAgent service depends on the AVGIDSDriver service which failed to start because of the following error: A device attached to the system is not functioning.
    6/22/2013 10:56:27 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    6/22/2013 10:51:08 PM, Error: Service Control Manager [7022] - The VMware USB Arbitration Service service hung on starting.
    6/22/2013 10:51:08 PM, Error: Service Control Manager [7001] - The VMware Workstation Server service depends on the VMware USB Arbitration Service service which failed to start because of the following error: After starting, the service hung in a start-pending state.
    6/22/2013 10:51:04 PM, Error: Service Control Manager [7022] - The Internet Connection Sharing (ICS) service hung on starting.
    6/21/2013 5:32:35 PM, Error: volsnap [67] - The shadow copy of volume D: being created failed to install.
    6/19/2013 8:58:02 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the TeamViewer8 service.
    6/17/2013 8:13:18 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{E315DBEB-63F1-412E-B0BC-C0F2F1E96332} because another computer on the network has the same name. The server could not start.
    6/16/2013 5:42:27 PM, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067] - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The RPC server is unavailable. .
    3 is not a valid Win32 application.
    .
    ==== End Of File ===========================
     
  17. Broni

    Broni Malware Annihilator Posts: 47,975   +271

You're running two AV programs, AVG and Emsisoft.
    You have to uninstall one of them.
    If AVG, use AVG Remover: http://www.avg.com/us-en/utilities

Download RogueKiller for 32bit or Roguekiller for 64bit to your Desktop.
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
• If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

Create a new restore point before proceeding with the next step.
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
• When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
     
  18. Dendi

    Dendi TS Rookie Topic Starter Posts: 36

    Thank you, here is RogueKiller report

    RogueKiller V8.6.1 _x64_ [Jun 19 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : iHorizons [Admin rights]
    Mode : Remove -- Date : 06/23/2013 23:23:39
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 8 ¤¤¤
    [SUSP PATH] ouc.exe -- C:\ProgramData\Qtel Mobile Broadband\OnlineUpdate\ouc.exe [7] -> KILLED [TermProc]
    [SUSP PATH][DLL] explorer.exe -- C:\Users\dendi\AppData\Local\Pokki\ocdeskband_0.dll [x] ->
    [SUSP PATH][WHITELIST] explorer.exe -- C:\Users\dendi\AppData\Local\Pokki\ocdeskband_0.dll [x] ->
    [SUSP PATH] pokki.exe -- C:\Users\dendi\AppData\Local\Pokki\Engine\pokki.exe [7] -> KILLED [TermProc]
    [SUSP PATH] pokki.exe -- C:\Users\dendi\AppData\Local\Pokki\Engine\pokki.exe [7] -> KILLED [TermThr]
    [SUSP PATH] pokki.exe -- C:\Users\dendi\AppData\Local\Pokki\Engine\pokki.exe [7] -> KILLED [TermThr]
    [SUSP PATH] pokki.exe -- C:\Users\dendi\AppData\Local\Pokki\Engine\pokki.exe [7] -> KILLED [TermThr]
    [SUSP PATH] _iu14D2N.tmp -- C:\Users\iHorizons\AppData\Local\temp\_iu14D2N.tmp [7] -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 11 ¤¤¤
    [RUN][SUSP PATH] HKUS\S-1-5-21-1085031214-343818398-725345543-12728\[...]\Run : openvpntray.EXE (C:\Users\dendi\AppData\Roaming\Hotspot Shield\bin\openvpntray.EXE -nonadmin [x][x]) -> DELETED
    [RUN][SUSP PATH] HKUS\S-1-5-21-1085031214-343818398-725345543-12728\[...]\Run : Pokki (C:\Windows\system32\rundll32.exe "%LOCALAPPDATA%\Pokki\Engine\LaunchDeskband.dll",RunLaunchDeskband [7][x][x]) -> DELETED
    [DNS] HKLM\[...]\CCSet\[...]\{3B634AEE-6BB1-478B-9E4E-35FBEC5D2DD2} : NameServer (212.77.192.59 212.77.192.60) -> NOT REMOVED, USE DNSFIX
    [DNS] HKLM\[...]\CCSet\[...]\{A4E60143-839F-4212-8694-2C4921D717CC} : NameServer (212.77.192.59 212.77.192.60) -> NOT REMOVED, USE DNSFIX
    [DNS] HKLM\[...]\CS001\[...]\{3B634AEE-6BB1-478B-9E4E-35FBEC5D2DD2} : NameServer (212.77.192.59 212.77.192.60) -> NOT REMOVED, USE DNSFIX
    [DNS] HKLM\[...]\CS001\[...]\{A4E60143-839F-4212-8694-2C4921D717CC} : NameServer (212.77.192.59 212.77.192.60) -> NOT REMOVED, USE DNSFIX
    [DNS] HKLM\[...]\CS002\[...]\{3B634AEE-6BB1-478B-9E4E-35FBEC5D2DD2} : NameServer (212.77.192.59 212.77.192.60) -> NOT REMOVED, USE DNSFIX
    [DNS] HKLM\[...]\CS002\[...]\{A4E60143-839F-4212-8694-2C4921D717CC} : NameServer (212.77.192.59 212.77.192.60) -> NOT REMOVED, USE DNSFIX
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    128.227.248.22ihwiki
    127.0.0.1 activate.adobe.com


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST320LM000 HM321HI +++++
    --- User ---
    [MBR] 7d98d8d2f5a2a11a97c8f185a8cc78a5
    [BSP] 3b9f0983535fc4afa5091833ef14f606 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 102300 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 209717248 | Size: 202843 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_D_06232013_232339.txt >>
    RKreport[0]_S_06232013_232254.txt
     
  19. Dendi

    Dendi TS Rookie Topic Starter Posts: 36

    Mbar Log

    Malwarebytes Anti-Rootkit BETA 1.06.0.1004
    www.malwarebytes.org

    Database version: v2013.06.23.06

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 10.0.9200.16521
    iHorizons :: BENMESSA-LAPTOP [administrator]

    6/24/2013 8:34:25 AM
    mbar-log-2013-06-24 (08-34-25).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
    Scan options disabled: PUP
    Objects scanned: 284858
    Time elapsed: 11 minute(s), 20 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)
     
  20. Dendi

    Dendi TS Rookie Topic Starter Posts: 36

    System Log

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.06.0.1004

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x64

    Account is Administrative

    Internet Explorer version: 10.0.9200.16521

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
    CPU speed: 2.394000 GHz
    Memory total: 4198785024, free: 1345536000

    =======================================


    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.06.0.1004

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x64

    Account is Administrative

    Internet Explorer version: 10.0.9200.16521

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
    CPU speed: 2.394000 GHz
    Memory total: 4198785024, free: 2154708992

    Downloaded database version: v2013.06.23.06
    Initializing...
    ------------ Kernel report ------------
    06/23/2013 23:40:01
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\system32\DRIVERS\vmci.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\drivers\vmbus.sys
    \SystemRoot\system32\drivers\winhv.sys
    \SystemRoot\system32\drivers\vsock.sys
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\msahci.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\vmstorfl.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\system32\DRIVERS\avgrkx64.sys
    \SystemRoot\system32\DRIVERS\avgloga.sys
    \SystemRoot\system32\DRIVERS\avgmfx64.sys
    \SystemRoot\system32\DRIVERS\avgidsha.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\avgtdia.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\drivers\ws2ifsl.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\drivers\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\drivers\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\system32\drivers\csc.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\avgldx64.sys
    \SystemRoot\system32\DRIVERS\avgidsdrivera.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\igdkmd64.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\HECIx64.sys
    \SystemRoot\system32\drivers\usbehci.sys
    \SystemRoot\system32\drivers\USBPORT.SYS
    \SystemRoot\system32\drivers\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\Rt64win7.sys
    \SystemRoot\system32\DRIVERS\athrx.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\drivers\i8042prt.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\KeyCrypt64.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\drivers\wmiacpi.sys
    \SystemRoot\system32\drivers\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\dne64x.sys
    \SystemRoot\system32\DRIVERS\dsNcAdpt.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\Neo_0118.sys
    \SystemRoot\system32\DRIVERS\rdpbus.sys
    \SystemRoot\system32\drivers\swenum.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\DRIVERS\btath_bus.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\ew_jubusenum.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\stwrt64.sys
    \SystemRoot\system32\DRIVERS\portcls.sys
    \SystemRoot\system32\DRIVERS\drmk.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\system32\DRIVERS\IntcDAud.sys
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\DRIVERS\vmnetbridge.sys
    \SystemRoot\system32\DRIVERS\VMNET.SYS
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\vwifimp.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \??\C:\Windows\system32\drivers\hcmon.sys
    \??\C:\Windows\system32\drivers\vmx86.sys
    \??\C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \??\C:\Windows\system32\drivers\vmnetuserif.sys
    \SystemRoot\SysWOW64\drivers\vstor2-mntapi10-shared.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \??\C:\Windows\system32\Drivers\CVPNDRVA.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\DRIVERS\WUDFRd.sys
    \SystemRoot\System32\drivers\rdpdr.sys
    \SystemRoot\system32\drivers\tdtcp.sys
    \SystemRoot\System32\DRIVERS\tssecsrv.sys
    \SystemRoot\System32\Drivers\RDPWD.SYS
    \SystemRoot\system32\drivers\spsys.sys
    \SystemRoot\system32\DRIVERS\asyncmac.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR1
    Upper Device Object: 0xfffffa800642d790
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\00000099\
    Lower Device Object: 0xfffffa80077c8b60
    Lower Device Driver Name: \Driver\USBSTOR\
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa8005ff7060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xfffffa80040be050
    Lower Device Driver Name: \Driver\iaStor\
    <<<2>>>
    Device number: 0, partition: 2
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa8005ff7060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8005ff7b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8005ff7060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa80040b89d0, DeviceName: Unknown, DriverName: \Driver\ACPI\
    DevicePointer: 0xfffffa80040be050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\Windows\system32\drivers...
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 5652041F

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048 Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848 Numsec = 209510400

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 209717248 Numsec = 415422464

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 320072933376 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
    Done!
    Physical Sector Size: 0
    Drive: 1, DevicePointer: 0xfffffa800642d790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8006413570, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa800642d790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa80077c8b60, DeviceName: \Device\00000099\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Infected: c:\Users\iHorizons\Desktop\VMware.Workstation.v9.0.0.812388.Incl.Keymaker-ZWT\keygen.exe --> [Riskware.Tool.CK]
    Scan finished
    Creating System Restore point...
    Cleaning up...
    Removal scheduling successful. System shutdown needed.
    System shutdown occurred
    =======================================


    Removal queue found; removal started
    Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
    Removal finished
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.06.0.1004

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x64

    Account is Administrative

    Internet Explorer version: 10.0.9200.16521

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
    CPU speed: 2.394000 GHz
    Memory total: 4198785024, free: 1554046976

    Initializing...
    ------------ Kernel report ------------
    06/24/2013 08:34:20
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntoskrnl.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\drivers\ACPI.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\system32\drivers\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\system32\DRIVERS\vmci.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\drivers\vmbus.sys
    \SystemRoot\system32\drivers\winhv.sys
    \SystemRoot\system32\drivers\vsock.sys
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\msahci.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\system32\drivers\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\drivers\vmstorfl.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\system32\DRIVERS\avgrkx64.sys
    \SystemRoot\system32\DRIVERS\avgloga.sys
    \SystemRoot\system32\DRIVERS\avgmfx64.sys
    \SystemRoot\system32\DRIVERS\avgidsha.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\avgtdia.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\drivers\ws2ifsl.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\vwififlt.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\drivers\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\drivers\mssmbios.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\system32\drivers\csc.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\avgldx64.sys
    \SystemRoot\system32\DRIVERS\avgidsdrivera.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\igdkmd64.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\HECIx64.sys
    \SystemRoot\system32\drivers\usbehci.sys
    \SystemRoot\system32\drivers\USBPORT.SYS
    \SystemRoot\system32\drivers\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\Rt64win7.sys
    \SystemRoot\system32\DRIVERS\athrx.sys
    \SystemRoot\system32\DRIVERS\vwifibus.sys
    \SystemRoot\system32\drivers\i8042prt.sys
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\KeyCrypt64.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\drivers\wmiacpi.sys
    \SystemRoot\system32\drivers\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\dne64x.sys
    \SystemRoot\system32\DRIVERS\dsNcAdpt.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\Neo_0118.sys
    \SystemRoot\system32\DRIVERS\rdpbus.sys
    \SystemRoot\system32\drivers\swenum.sys
    \SystemRoot\system32\drivers\ks.sys
    \SystemRoot\system32\DRIVERS\btath_bus.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\ew_jubusenum.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\DRIVERS\stwrt64.sys
    \SystemRoot\system32\DRIVERS\portcls.sys
    \SystemRoot\system32\DRIVERS\drmk.sys
    \SystemRoot\system32\drivers\ksthunk.sys
    \SystemRoot\system32\DRIVERS\IntcDAud.sys
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\DRIVERS\vmnetbridge.sys
    \SystemRoot\system32\DRIVERS\VMNET.SYS
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\vwifimp.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \??\C:\Windows\system32\drivers\hcmon.sys
    \??\C:\Windows\system32\drivers\vmx86.sys
    \??\C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \??\C:\Windows\system32\drivers\vmnetuserif.sys
    \SystemRoot\SysWOW64\drivers\vstor2-mntapi10-shared.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \??\C:\Windows\system32\Drivers\CVPNDRVA.sys
    \SystemRoot\System32\drivers\rdpdr.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\system32\drivers\tdtcp.sys
    \SystemRoot\System32\DRIVERS\tssecsrv.sys
    \SystemRoot\System32\Drivers\RDPWD.SYS
    \SystemRoot\system32\DRIVERS\WUDFRd.sys
    \SystemRoot\system32\drivers\spsys.sys
    \SystemRoot\system32\DRIVERS\asyncmac.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR1
    Upper Device Object: 0xfffffa8007416790
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\0000009c\
    Lower Device Object: 0xfffffa8007469b60
    Lower Device Driver Name: \Driver\USBSTOR\
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xfffffa8006017060
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xfffffa8004153050
    Lower Device Driver Name: \Driver\iaStor\
    <<<2>>>
    Device number: 0, partition: 2
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xfffffa8006017060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa8006017b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8006017060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8004114470, DeviceName: Unknown, DriverName: \Driver\ACPI\
    DevicePointer: 0xfffffa8004153050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\Windows\system32\drivers...
    <<<2>>>
    Device number: 0, partition: 2
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 5652041F

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048 Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848 Numsec = 209510400

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 209717248 Numsec = 415422464

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 320072933376 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
    Done!
    Physical Sector Size: 0
    Drive: 1, DevicePointer: 0xfffffa8007416790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xfffffa80074fab90, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xfffffa8007416790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
    DevicePointer: 0xfffffa8007469b60, DeviceName: \Device\0000009c\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Scan finished
    =======================================


    Removal queue found; removal started
    Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\bootstrap_0_0_2048_i.mbam...
    Removing c:\programdata\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
    Removal finished
     
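The partition table MBAR prints above (signature 55AA, disk signature 5652041F, three 0x7 primaries and one empty slot, then a scan of the "unpartitioned space") is exactly what a bootkit scanner reads from sector 0. The following is an added example for this thread, not MBAR's code and not anything the poster ran: it parses a raw 512-byte MBR with the standard offsets (disk signature at 0x1B8, four 16-byte entries at 0x1BE, 55 AA at 0x1FE), derives the sector ranges no partition owns, and flags overlapping entries. SAMPLE_MBR is constructed to reproduce the table in the log on a 320072933376-byte disk; sector 0 is excluded from the gap list because it is the MBR itself.

```python
"""Parse a classic MBR partition table and find the sectors no partition
claims, which is the "unpartitioned space" that MBAR scans above.

Added example for this thread; it is not MBAR's code and does not read a
real disk. SAMPLE_MBR is constructed to reproduce the table MBAR printed:
disk signature 5652041F, three NTFS (0x7) primaries, one empty slot.
"""
import struct

SECTOR = 512
DISK_SIG_OFF = 0x1B8     # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE   # four 16-byte entries
SIG_OFF = 0x1FE          # bytes 55 AA
MBR_SIGNATURE = 0xAA55   # little-endian view of bytes 55 AA
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA, count


def parse_mbr(mbr: bytes):
    """Return (disk_signature, entries). Raise ValueError on a malformed sector."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    (sig,) = struct.unpack_from("<H", mbr, SIG_OFF)
    if sig != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature {sig:04X}, expected AA55")
    (disk_sig,) = struct.unpack_from("<I", mbr, DISK_SIG_OFF)
    entries = []
    for i in range(4):
        status, ptype, lba, numsec = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte {status:02X}")
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba": lba, "numsec": numsec})
    return disk_sig, entries


def unpartitioned_ranges(entries, disk_sectors):
    """Half-open [start, end) sector ranges owned by no partition.
    Sector 0 is the MBR itself, so the scan starts at sector 1 (MBAR's "1-2047")."""
    used = sorted((e["lba"], e["lba"] + e["numsec"])
                  for e in entries if e["type"] != 0 and e["numsec"])
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps


def overlapping_entries(entries):
    """Index pairs whose sector ranges overlap: a sign the table was tampered with."""
    live = [e for e in entries if e["type"] != 0 and e["numsec"]]
    pairs = []
    for a in live:
        for b in live:
            if (a["index"] < b["index"]
                    and a["lba"] < b["lba"] + b["numsec"]
                    and b["lba"] < a["lba"] + a["numsec"]):
                pairs.append((a["index"], b["index"]))
    return pairs


def build_mbr(disk_sig, entries):
    """Construct a 512-byte MBR (boot code left zeroed) from (active, type, lba, numsec)."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for i, (active, ptype, lba, numsec) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if active else 0x00, ptype, lba, numsec)
    struct.pack_into("<H", mbr, SIG_OFF, MBR_SIGNATURE)
    return bytes(mbr)


# Constructed sample: the table from the MBAR log, on a 320072933376-byte disk.
DISK_BYTES = 320072933376
SAMPLE_MBR = build_mbr(0x5652041F, [
    (True,  0x07, 2048,      204800),     # System Reserved, bootable
    (False, 0x07, 206848,    209510400),  # C:
    (False, 0x07, 209717248, 415422464),  # D:
    (False, 0x00, 0,         0),          # empty slot
])


def report(mbr=SAMPLE_MBR, disk_bytes=DISK_BYTES):
    """Summary in the spirit of MBAR's 'Inspecting partition table'."""
    disk_sig, entries = parse_mbr(mbr)
    lines = [f"Disk Signature: {disk_sig:08X}"]
    for e in entries:
        state = "ACTIVE" if e["active"] else "not active"
        lines.append(f"Partition {e['index']} type 0x{e['type']:X} {state} "
                     f"LBA {e['lba']} Numsec {e['numsec']}")
    for start, end in unpartitioned_ranges(entries, disk_bytes // SECTOR):
        lines.append(f"Unpartitioned sectors: {start}-{end - 1}")
    for a, b in overlapping_entries(entries):
        lines.append(f"WARNING: entries {a} and {b} overlap")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On this table the three partitions are contiguous (each ends exactly where the next starts), so the only unclaimed sectors are 1-2047 before the first partition and the tail after the last one; MBAR's log scans a fixed window at the end of the disk rather than the computed tail, which is why its second range starts at 625122448 instead of 625139712.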
  21. Dendi

    Dendi TS Rookie Topic Starter Posts: 36

    Hello,

    After finishing all steps as advised, I have run ESET Online Scanner and it seems there are still Trojans on the computer.

    Here is the list of found threats
    Win64/Sirefef.W trojan
    Win64/Sirefef.EZ trojan
    Win64/Patched.A.Gen trojan
    Win64/Sirefef.W trojan
    Win64/Sirefef.EZ trojan
     
  22. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    You're not following my rules:

    =======================================

    Create a new restore point before proceeding with the next step.
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
  23. Dendi

    Dendi TS Rookie Topic Starter Posts: 36

    rKill Log

    Rkill 2.5.3 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2013 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 06/25/2013 12:08:08 PM in x64 mode.
    Windows Version: Windows 7 Enterprise Service Pack 1

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Checking Registry for malware related settings:

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * Windows Firewall Disabled

    [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = dword:00000000

    Checking Windows Service Integrity:

    * COM+ Event System (EventSystem) is not Running.
    Startup Type set to: Automatic

    * Security Center (wscsvc) is not Running.
    Startup Type set to: Automatic (Delayed Start)

    * Windows Update (wuauserv) is not Running.
    Startup Type set to: Automatic (Delayed Start)

    Searching for Missing Digital Signatures:

    * No issues found.

    Checking HOSTS File:

    * HOSTS file entries found:

    127.0.0.1 localhost

    Program finished at: 06/25/2013 12:12:57 PM
    Execution time: 0 hours(s), 4 minute(s), and 49 seconds(s)
     
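The rKill log above reports its one real finding in registry form: the `EnableFirewall` value under `FirewallPolicy\StandardProfile` is `dword:00000000`, so the Windows Firewall is off. ComboFix's "Reg Loading Points" section later in the thread prints registry data in the same bracketed-key / `"Name"=value` shape. The following is an added example for this thread, not rKill's or ComboFix's code: a parser for that shape plus a small rule set that turns the raw values into triage hits. SAMPLE_LOG is constructed; its first block mirrors the rKill firewall entry, the others mirror the `AppInit_DLLs`, `Security Center\Monitoring` and `policies\system` entries from the ComboFix log. Note that an `AppInit_DLLs` hit means "look at it", not "remove it": the KeyCrypt32 DLL on this machine belongs to Zemana AntiLogger Free, which the ComboFix file list shows being installed on 2013-06-20.

```python
"""Triage the registry findings that rKill (and ComboFix) print.

Added example for this thread, not code from either tool. Both logs show
registry data the same way: a bracketed key line followed by "Name"=value
lines, which is what parse_reg_block() reads. SAMPLE_LOG is constructed:
its first block mirrors the "Windows Firewall Disabled" entry above, the
others mirror entries from the ComboFix "Reg Loading Points" section.
"""
import re

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')

FIREWALL_PROFILES = (r'\firewallpolicy\domainprofile',
                     r'\firewallpolicy\standardprofile',
                     r'\firewallpolicy\publicprofile')


def parse_reg_block(text):
    """Return {key: {name: raw_value}} preserving key order and case."""
    out, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            out.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            out[current][m.group(1)] = m.group(2).strip()
    return out


def as_int(raw):
    """Decode 'dword:00000001', '5 (0x5)' or '1'; None for paths and names."""
    m = re.match(r'dword:([0-9a-fA-F]{1,8})$', raw.strip())
    if m:
        return int(m.group(1), 16)
    m = re.match(r'\d+', raw.strip())
    return int(m.group(0)) if m else None


def triage(findings):
    """Apply a small rule set; each hit is (rule, detail)."""
    alerts = []
    for key, values in findings.items():
        k = key.lower()
        # rKill's check: the per-profile firewall switch is off.
        if k.endswith(FIREWALL_PROFILES) and as_int(values.get('EnableFirewall', 'dword:1')) == 0:
            alerts.append(('firewall-disabled', key))
        # AppInit_DLLs loads the named DLL into every process that links user32.dll.
        if k.endswith(r'\windows nt\currentversion\windows'):
            dlls = values.get('AppInit_DLLs', '').strip('"')
            if as_int(values.get('LoadAppInit_DLLs', '0')) == 1 and dlls:
                alerts.append(('appinit-dll-injection', dlls))
        # Security Center told to stop reporting on a product.
        if '\\security center\\monitoring\\' in k and as_int(values.get('DisableMonitoring', '0')) == 1:
            alerts.append(('security-center-monitoring-off', key.rsplit('\\', 1)[-1]))
        # UAC policy: 0 means administrators elevate silently (generalization; the log shows 5).
        if k.endswith(r'\policies\system') and as_int(values.get('ConsentPromptBehaviorAdmin', '5')) == 0:
            alerts.append(('uac-silent-elevation', key))
    return alerts


# Constructed sample in the shape rKill and ComboFix print.
SAMPLE_LOG = r'''
[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt32(1).dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
'''


if __name__ == "__main__":
    for rule, detail in triage(parse_reg_block(SAMPLE_LOG)):
        print(f"{rule}: {detail}")
```

The rules match on the tail of the key rather than the full path, so the same code handles rKill's `HKLM\...` spelling and ComboFix's lower-cased `HKEY_LOCAL_MACHINE\software\wow6432node\...` spelling without a normalisation table.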
  24. Dendi

    Dendi TS Rookie Topic Starter Posts: 36

    ComboFix 13-06-24.01 - iHorizons 06/25/2013 15:06:43.2.4 - x64 NETWORK
    Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.4004.2853 [GMT 3:00]
    Running from: c:\users\dendi\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk
    c:\windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe
    c:\windows\SysWow64\drivers\npf.sys
    c:\windows\SysWow64\muzapp.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-05-25 to 2013-06-25 )))))))))))))))))))))))))))))))
    .
    .
    2013-06-25 12:11 . 2013-06-25 12:11  --------  d-----w-  c:\users\mohammad.marei\AppData\Local\temp
    2013-06-25 12:11 . 2013-06-25 12:11  --------  d-----w-  c:\users\iHorizons\AppData\Local\temp
    2013-06-25 12:11 . 2013-06-25 12:11  --------  d-----w-  c:\users\Default\AppData\Local\temp
    2013-06-25 12:08 . 2013-06-25 12:08  76232     ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{FFA41B9C-A8F5-4C98-895B-D9F5F9DFB8C2}\offreg.dll
    2013-06-25 12:01 . 2013-06-16 23:10  9552976   ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{FFA41B9C-A8F5-4C98-895B-D9F5F9DFB8C2}\mpengine.dll
    2013-06-25 08:52 . 2013-06-25 08:52  --------  d-----w-  c:\users\iHorizons\AppData\Local\Avg2013
    2013-06-25 07:55 . 2013-06-25 07:55  --------  d-----w-  c:\users\iHorizons\AppData\Roaming\Anvisoft
    2013-06-25 07:55 . 2012-11-07 07:16  17232     ----a-w-  c:\windows\system32\drivers\asdws.sys
    2013-06-25 07:55 . 2012-11-07 07:16  23376     ----a-w-  c:\windows\system32\drivers\asdrs.sys
    2013-06-25 07:55 . 2012-11-07 07:16  18768     ----a-w-  c:\windows\system32\drivers\asdrm.sys
    2013-06-25 07:55 . 2013-06-25 07:55  --------  d-----w-  c:\programdata\Anvisoft
    2013-06-25 07:55 . 2013-06-25 07:55  --------  d-----w-  c:\program files (x86)\Anvisoft
    2013-06-23 20:40 . 2013-06-24 06:02  --------  d-----w-  c:\programdata\Malwarebytes' Anti-Malware (portable)
    2013-06-23 19:53 . 2013-04-04 11:50  25928     ----a-w-  c:\windows\system32\drivers\mbam.sys
    2013-06-23 19:17 . 2013-06-23 20:30  --------  d-----w-  c:\program files (x86)\Emsisoft Anti-Malware
    2013-06-23 19:14 . 2002-03-05 22:00  75264     ----a-w-  c:\windows\SysWow64\unacev2.dll
    2013-06-23 19:14 . 2003-02-02 17:06  153088    ----a-w-  c:\windows\SysWow64\UNRAR3.dll
    2013-06-23 19:14 . 2013-06-23 19:15  --------  d-----w-  c:\program files (x86)\Trojan Remover
    2013-06-23 19:14 . 2013-06-23 19:14  --------  d-----w-  c:\users\iHorizons\AppData\Roaming\Simply Super Software
    2013-06-23 19:14 . 2013-06-23 19:14  --------  d-----w-  c:\programdata\Simply Super Software
    2013-06-22 20:34 . 2013-06-22 20:34  --------  d-----w-  c:\program files\CCleaner
    2013-06-22 14:14 . 2013-06-22 14:14  --------  d-----w-  C:\TDSSKiller_Quarantine
    2013-06-22 13:53 . 2013-06-22 13:53  --------  d-----w-  c:\users\iHorizons\AppData\Roaming\Malwarebytes
    2013-06-22 13:52 . 2013-06-22 13:52  --------  d-----w-  c:\programdata\Malwarebytes
    2013-06-22 13:52 . 2013-06-23 19:53  --------  d-----w-  c:\program files (x86)\Malwarebytes' Anti-Malware
    2013-06-22 13:30 . 2013-06-23 19:36  --------  d-----w-  C:\FRST
    2013-06-22 13:17 . 2013-06-22 13:17  --------  d-----w-  c:\program files (x86)\ESET
    2013-06-20 19:45 . 2013-06-20 19:45  --------  d-----w-  c:\program files (x86)\Twitter
    2013-06-20 19:16 . 2013-06-22 12:44  --------  d-----w-  c:\users\dendi\AppData\Local\AntiLogger Free
    2013-06-20 19:07 . 2013-06-22 20:23  --------  d-----w-  c:\program files (x86)\KeyCryptSDK
    2013-06-20 19:07 . 2013-05-24 14:08  26080     ----a-w-  c:\windows\system32\drivers\KeyCrypt64.sys
    2013-06-20 19:07 . 2013-06-20 19:07  --------  d-----w-  c:\users\iHorizons\AppData\Local\AntiLogger Free
    2013-06-20 19:07 . 2013-06-20 19:07  --------  d-----w-  c:\program files (x86)\Zemana AntiLogger Free
    2013-05-28 21:08 . 2013-05-28 21:08  --------  d-----w-  c:\users\iHorizons\.loadui
    2013-05-28 20:46 . 2013-05-28 20:46  --------  d-----w-  c:\users\iHorizons\tempLoadUI
    2013-05-28 20:46 . 2013-05-28 21:08  --------  d-----w-  c:\program files (x86)\SmartBear
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-06-12 07:22 . 2013-01-18 00:13  71048     ----a-w-  c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2013-06-12 07:22 . 2013-01-18 00:13  692104    ----a-w-  c:\windows\SysWow64\FlashPlayerApp.exe
    2013-05-05 05:47 . 2013-05-05 05:47  524       ----a-w-  c:\users\iHorizons\AppData\Roaming\clean.bat
    2013-04-27 00:18 . 2013-01-25 22:24  135736    ----a-w-  c:\windows\system32\vpncmd.exe
    2013-04-05 17:40 . 2013-04-05 17:40  5165088   ----a-r-  c:\users\dendi\AppData\Roaming\Microsoft\Installer\{3890215D-D18A-43EF-AE0C-0C6B084F652D}\icon.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "KiesPreload"="c:\program files (x86)\Samsung\Kies\Kies.exe" [2013-03-28 1511792]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Communicator"="c:\program files (x86)\Microsoft Office Communicator\communicator.exe" [2012-11-30 5164624]
    "KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2013-03-28 310640]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
    "ZALFree"="c:\program files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe" [2013-05-24 12995376]
    "TrojanScanner"="c:\program files (x86)\Trojan Remover\Trjscan.exe" [2013-06-23 1653008]
    "Anvi Smart Defender"="c:\program files (x86)\Anvisoft\Anvi Smart Defender\ASDTray.exe" [2013-06-08 1563720]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "Trojan Remover"="c:\program files (x86)\Trojan Remover\RMVTRJAN.EXE" [2013-06-20 4975864]
    "Malwarebytes Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2013-04-04 532040]
    "(cleanup)"="c:\programdata\Malwarebytes' Anti-Malware (portable)\cleanup.dll" [2013-06-01 1563720]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    "AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt32(1).dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
    "128.227.248.0,255.255.248.0,192.168.0.201,1"=""
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1085031214-343818398-725345543-13192\Scripts\Logon\0\0]
    "Script"=DeleteRDP.cmd
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    "SwitchBoard"=c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    "vmware-tray.exe"="c:\program files (x86)\VMware\VMware Workstation\vmware-tray.exe"
    "IAStorIcon"=c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    "AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R1 asdrm;asdrm;c:\windows\system32\DRIVERS\asdrm.sys;c:\windows\SYSNATIVE\DRIVERS\asdrm.sys [x]
    R2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe;c:\program files\IDT\WDM\AESTSr64.exe [x]
    R2 asdrs;AntiMalware Host-based Intrusion Prevention System;c:\windows\system32\DRIVERS\asdrs.sys;c:\windows\SYSNATIVE\DRIVERS\asdrs.sys [x]
    R2 asdsrv;Anvi Smart Defender Realtime Guard Service;c:\program files (x86)\Anvisoft\Anvi Smart Defender\ASDSrv.exe;c:\program files (x86)\Anvisoft\Anvi Smart Defender\ASDSrv.exe [x]
    R2 asdws;AnviSmartDefender Web Guard;c:\windows\system32\DRIVERS\asdws.sys;c:\windows\SYSNATIVE\DRIVERS\asdws.sys [x]
    R2 Atheros Bt&Wlan Coex Agent;Atheros Bt&Wlan Coex Agent;c:\program files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe;c:\program files (x86)\Dell Wireless\Bluetooth Suite\Ath_CoexAgent.exe [x]
    R2 AtherosSvc;AtherosSvc;c:\program files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe;c:\program files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [x]
    R2 BstHdAndroidSvc;BlueStacks Android Service;c:\program files (x86)\BlueStacks\HD-Service.exe BstHdAndroidSvc Android;c:\program files (x86)\BlueStacks\HD-Service.exe BstHdAndroidSvc Android [x]
    R2 BstHdDrv;BlueStacks Hypervisor;c:\program files (x86)\BlueStacks\HD-Hypervisor-amd64.sys;c:\program files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [x]
    R2 BstHdLogRotatorSvc;BlueStacks Log Rotator Service;c:\program files (x86)\BlueStacks\HD-LogRotatorService.exe;c:\program files (x86)\BlueStacks\HD-LogRotatorService.exe [x]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R2 HWDeviceService64.exe;HWDeviceService64.exe;c:\programdata\DatacardService\HWDeviceService64.exe;c:\programdata\DatacardService\HWDeviceService64.exe [x]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
    R2 Qtel Mobile Broadband. RunOuc;Qtel Mobile Broadband. OUC;c:\program files (x86)\Qtel Mobile Broadband\UpdateDog\ouc.exe;c:\program files (x86)\Qtel Mobile Broadband\UpdateDog\ouc.exe [x]
    R2 SEVPNCLIENT;SoftEther VPN Client;c:\program files\SoftEther VPN Client\vpnclient_x64.exe;c:\program files\SoftEther VPN Client\vpnclient_x64.exe [x]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
    R2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
    R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [x]
    R2 VMwareHostd;VMware Workstation Server;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe;c:\program files (x86)\VMware\VMware Workstation\vmware-hostd.exe [x]
    R2 vstor2-mntapi10-shared;Vstor2 MntApi 1.0 Driver (shared);SysWOW64\drivers\vstor2-mntapi10-shared.sys;SysWOW64\drivers\vstor2-mntapi10-shared.sys [x]
    R2 WDBackup;WD Backup;c:\program files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe;c:\program files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [x]
    R2 WDDriveService;WD Drive Manager;c:\program files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe;c:\program files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [x]
    R2 WDRulesService;WD Rules;c:\program files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe;c:\program files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe [x]
    R3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_flt.sys [x]
    R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys;c:\windows\SYSNATIVE\drivers\btath_a2dp.sys [x]
    R3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_hcrp.sys [x]
    R3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_lwflt.sys [x]
    R3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_rcp.sys [x]
    R3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x]
    R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
    R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys;c:\windows\SYSNATIVE\DRIVERS\ew_hwusbdev.sys [x]
    R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys;c:\windows\SYSNATIVE\DRIVERS\ew_usbenumfilter.sys [x]
    R3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\DRIVERS\ewusbwwan.sys;c:\windows\SYSNATIVE\DRIVERS\ewusbwwan.sys [x]
    R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
    R3 massfilter_lte;ZTE LTE Device Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_lte.sys;c:\windows\SYSNATIVE\drivers\massfilter_lte.sys [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
    R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
    R3 zgdcat;ZTE Datacard AT Port;c:\windows\system32\DRIVERS\zgdcat.sys;c:\windows\SYSNATIVE\DRIVERS\zgdcat.sys [x]
    R3 zgdcdiag;ZTE Datacard Diagnostics Port;c:\windows\system32\DRIVERS\zgdcdiag.sys;c:\windows\SYSNATIVE\DRIVERS\zgdcdiag.sys [x]
    R3 zgdcmdm;ZTE Datacard Modem;c:\windows\system32\DRIVERS\zgdcmdm.sys;c:\windows\SYSNATIVE\DRIVERS\zgdcmdm.sys [x]
    R3 zgdcnet;ZTE Datacard Network Adapter;c:\windows\system32\DRIVERS\zgdcnet.sys;c:\windows\SYSNATIVE\DRIVERS\zgdcnet.sys [x]
    R3 zgdcnmea;ZTE Datacard NMEA Port;c:\windows\system32\DRIVERS\zgdcnmea.sys;c:\windows\SYSNATIVE\DRIVERS\zgdcnmea.sys [x]
    S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys;c:\windows\SYSNATIVE\DRIVERS\vmci.sys [x]
    S0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys;c:\windows\SYSNATIVE\drivers\vsock.sys [x]
    S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys;c:\windows\SYSNATIVE\DRIVERS\btath_bus.sys [x]
    S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys;c:\windows\SYSNATIVE\DRIVERS\ew_jubusenum.sys [x]
    S3 keycrypt;keycrypt;c:\windows\system32\DRIVERS\KeyCrypt64.sys;c:\windows\SYSNATIVE\DRIVERS\KeyCrypt64.sys [x]
    S3 Neo_VPN;VPN Client Device Driver - VPN;c:\windows\system32\DRIVERS\Neo_0118.sys;c:\windows\SYSNATIVE\DRIVERS\Neo_0118.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2013-06-20 11:251165776----a-w-c:\program files (x86)\Google\Chrome\Application\27.0.1453.116\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-06-25 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-18 07:22]
    .
    2013-06-25 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1085031214-343818398-725345543-12728Core.job
    - c:\users\dendi\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-02-14 22:59]
    .
    2013-06-25 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1085031214-343818398-725345543-12728UA.job
    - c:\users\dendi\AppData\Local\Facebook\Update\FacebookUpdate.exe [2013-02-14 22:59]
    .
    2013-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-09 06:10]
    .
    2013-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-09 06:10]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2013-03-12 06:39162552----a-w-c:\users\dendi\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2013-03-12 06:39162552----a-w-c:\users\dendi\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2013-03-12 06:39162552----a-w-c:\users\dendi\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2013-03-12 06:39162552----a-w-c:\users\dendi\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-05-27 1128448]
    "AtherosBtStack"="c:\program files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe" [2011-05-20 627360]
    "AthBtTray"="c:\program files (x86)\Dell Wireless\Bluetooth Suite\AthBtTray.exe" [2011-05-20 379552]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-29 167960]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-29 391704]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-29 418840]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "*Restore"="c:\windows\System32\rstrui.exe" [2010-11-20 296960]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt64(1).dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\persistentroutes]
    "128.227.248.0,255.255.248.0,192.168.0.201,1"=""
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{3B634AEE-6BB1-478B-9E4E-35FBEC5D2DD2}: NameServer = 212.77.192.59 212.77.192.60
    TCP: Interfaces\{A4E60143-839F-4212-8694-2C4921D717CC}: NameServer = 212.77.192.59 212.77.192.60
    FF - ProfilePath -
    .
    - - - - ORPHANS REMOVED - - - -
    .
    ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
    ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
    ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
    Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
    c:\users\dendi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk - c:\users\iHorizons\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup
    HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\BlueStacks]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-06-25 15:13:06
    ComboFix-quarantined-files.txt 2013-06-25 12:13
    .
    Pre-Run: 26,207,547,392 bytes free
    Post-Run: 25,686,597,632 bytes free
    .
    - - End Of File - - D28FE717F87CAA8BAE640E58A8484AEC
    D41D8CD98F00B204E9800998ECF8427E
     
  25. Dendi

    Dendi TS Rookie Topic Starter Posts: 36

    Apologies again for running other tools
     

