Followed all instructions, logs as requested!
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-08-11 19:05:14
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\00000060 ST332062 rev.3.AA
Running: gh1nj5kv.exe; Driver: C:\Users\Dean\AppData\Local\Temp\kxldapog.sys
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 852201F8
Device \Driver\atapi \Device\Ide\IdePort0 852201F8
Device \Driver\atapi \Device\Ide\IdePort1 852201F8
Device \Driver\atapi \Device\Ide\IdePort2 852201F8
Device \Driver\msahci \Device\Ide\PciIde1Channel0 852221F8
Device \Driver\asm6bken \Device\Scsi\asm6bken1Port8Path0Target0Lun0 86CA91F8
Device \Driver\asm6bken \Device\Scsi\asm6bken1 86CA91F8
Device \FileSystem\Ntfs \Ntfs 852241F8
---- EOF - GMER 1.0.15 ----
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.08.04
Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.18928
Dean :: DEAN-PC [administrator]
Protection: Enabled
2012-08-08 11:58:27
mbam-log-2012-08-08 (11-58-27).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 247799
Time elapsed: 4 minute(s), 41 second(s)
Memory Processes Detected: 1
C:\Windows\Cursors\lsass.exe (Trojan.Dropper) -> 1572 -> Delete on reboot.
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 42
HKCR\CLSID\{4445414E-4445-4445-4445-4445414E2D50} (Trojan.Dropper) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{4445414E-4445-4445-4445-4445414E2D50} (Trojan.Dropper) -> Quarantined and deleted successfully.
HKCR\CLSID\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440044044435} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550055045535} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.BHO.1 (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\CLSID\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440044344491} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550055345591} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0003491.BHO.1 (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011341191} (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{514A5C49-0C7D-42C3-A71B-38864A269B7A} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0003491.BHO (PUP.GamePlayLab) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.BHO (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.FBApi (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.FBApi.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.Sandbox (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.Sandbox.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0003491.FBApi (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0003491.FBApi.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0003491.Sandbox (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0003491.Sandbox.1 (PUP.CrossFire.Gen) -> Quarantined and deleted successfully.
HKCR\AppID\activex.DLL (Adware.180Solutions) -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKCU\Software\Cr_Installer\3491 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\FUNMOODS\FUNMOODS (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Detected: 9
HKCU\Control Panel\Desktop|OriginalWallpaper (Hijack.Wallpaper) -> Data: C:\Windows\system32\phctcoj0e90l.bmp -> Quarantined and deleted successfully.
HKCU\Control Panel\Desktop|ConvertedWallpaper (Hijack.Wallpaper) -> Data: C:\Windows\system32\phctcoj0e90l.bmp -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\OLE|DRam prosessor (Trojan.Agent) -> Data: gibwaoqk.exe -> Quarantined and deleted successfully.
HKCU\Software\Funmoods\funmoods|tlbrSrchUrl (PUP.Funmoods) -> Data: http://start.funmoods.com/results.php?f=3&a=bf4&q= -> Quarantined and deleted successfully.
HKCU\Software\InstalledBrowserExtensions\215 Apps|3491 (PUP.CrossFire.SA) -> Data: Vid-Saver -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bf (Trojan.Agent) -> Data: 嶝髪퉽沔䍢켇笗ꮯリ⚝﹣赥鐱⥙毺飹讝媒坳ﶙԯ⦅ꤷ䨢秜⇾ꏟ쑫岺楑⌀鋛䨪놖濣痍﹝驪錰⬘寢긽ꧣ軴힅 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bk (Trojan.Agent) -> Data: ¥V…úK„Õ/}*.X*k‹©’A"÷³ànÓt—–Õ7Êg¡
ËJf -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|iu (Trojan.Agent) -> Data: 3077 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|mu (Trojan.Agent) -> Data: {®Gáz„? -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 7
C:\Windows\Cursors\lsass.exe (Trojan.Dropper) -> Delete on reboot.
C:\Program Files\Codec-V\Codec-V.dll (PUP.Codec.PR) -> Quarantined and deleted successfully.
C:\Program Files\Vid-Saver\Vid-Saver.dll (PUP.GamePlayLab) -> Quarantined and deleted successfully.
C:\Users\Dean\Downloads\Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.
C:\Users\Dean\Downloads\Codec-V.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Help\DVCLAL (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\Help\PACKAGEINFO (Malware.Trace) -> Quarantined and deleted successfully.
(end)
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_31
Run by Dean at 19:07:56 on 2012-08-11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.967 [GMT 1:00]
.
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\TEMP\mrt754E.tmp\stdrt.exe
C:\Program Files\Razer\Abyssus\razerhid.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Razer\Abyssus\razerofa.exe
C:\Users\Dean\AppData\Local\Google\Update\1.3.21.115\GoogleCrashHandler.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
C:\Program Files\PostgreSQL\8.4\bin\pg_ctl.exe
C:\Program Files\Ralink\Common\RalinkRegistryWriter.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\PostgreSQL\8.4\bin\postgres.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\PostgreSQL\8.4\bin\postgres.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\PostgreSQL\8.4\bin\postgres.exe
C:\Program Files\PostgreSQL\8.4\bin\postgres.exe
C:\Program Files\PostgreSQL\8.4\bin\postgres.exe
C:\Program Files\PostgreSQL\8.4\bin\postgres.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\System32\svchost.exe -k wdisvc
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://isearch.avg.com/?cid={602ED...fb3797180&lang=en&ds=gm011&pr=sa&d=2012-06-26 11:13:19&v=11.1.1.7&sap=hp
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
uURLSearchHooks: Veoh Web Player Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - c:\program files\veoh_web_player\prxtbVeo2.dll
mURLSearchHooks: H - No File
mURLSearchHooks: Veoh Web Player Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - c:\program files\veoh_web_player\prxtbVeo2.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Veoh Web Player Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - c:\program files\veoh_web_player\prxtbVeo2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo\YontooIEClient.dll
TB: Veoh Web Player Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - c:\program files\veoh_web_player\prxtbVeo2.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Google Update] "c:\users\dean\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Abyssus] c:\program files\razer\abyssus\razerhid.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [AutoLaunch] c:\program files\lavasoft\ad-aware\AutoLaunch.exe monthly
StartupFolder: c:\users\dean\appdata\roaming\microsoft\windows\start menu\programs\startup\CurseClientStartup.ccip
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: plu.cn\3
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{3366FFC0-7663-4AC5-9FB2-29D09949FC0F} : DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{BD3E9A98-4DDE-431B-9918-A814EB040FEF} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\fcccayxY
Hosts: 127.0.0.1www.spywareinfo.com
Hosts: 255.255.255.255 easyanticheat.se # misleading site
Hosts: 255.255.255.255 www.easyanticheat.se # misleading site
Hosts: 255.255.255.255 easyanticheat.com # misleading site
Hosts: 255.255.255.255 www.easyanticheat.com # misleading site
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dean\appdata\roaming\mozilla\firefox\profiles\imwplybk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://search.iminent.com/?appId=793c20b6-80ae-4bc3-b136-6f08d5d26c78&lcid=2057&ref=homepage
FF - prefs.js: keyword.URL - hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q=
FF - prefs.js: browser.startup.homepage - hxxp://search.iminent.com/?appId=793C20B6-80AE-4BC3-B136-6F08D5D26C78
FF - prefs.js: browser.search.selectedEngine - SearchTheWeb
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: browser.search.selectedEngine -
FF - plugin: c:\program files\common files\gretech\npgomtvx_nie.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\dyyno\dyyno player\npvlc.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HotbarSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\dean\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms0808050_sua_900\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms0810164_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms0905250_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms0907083_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms0907280_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms0912302_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms1001140_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms1002010_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms1002170_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms1008042_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms1010120_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms1101262_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\roaming\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(extensions.funmoods.autoRvrt, false
FF - user.js: extensions.funmoods_i.hmpg - true
FF - user.js: extensions.funmoods_i.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=bf4
FF - user.js: extensions.funmoods_i.dfltSrch - true
FF - user.js: extensions.funmoods_i.srchPrvdr - Search
FF - user.js: extensions.funmoods_i.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods_i.newTabUrl - hxxp://start.funmoods.com/?f=2&a=bf4
FF - user.js: extensions.funmoods_i.tlbrSrchUrl - hxxp://start.funmoods.com/results.php?f=3&a=bf4&q=
FF - user.js: extensions.funmoods_i.id - a894eecf000000000000001a9282357f
FF - user.js: extensions.funmoods_i.instlDay - 15406
FF - user.js: extensions.funmoods_i.vrsn - 1.5.17.8
FF - user.js: extensions.funmoods_i.vrsni - 1.5.17.8
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.17.812:16:00
FF - user.js: extensions.funmoods_i.prtnrId - funmoods
FF - user.js: extensions.funmoods_i.prdct - funmoods
FF - user.js: extensions.funmoods_i.aflt - bf4
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods_i.tlbrId - base
FF - user.js: extensions.funmoods_i.instlRef -
FF - user.js: extensions.funmoods_i.dfltLng -
FF - user.js: extensions.funmoods_i.excTlbr - false
FF - user.js: extensions.funmoods_i.admin - false
FF - user.js: extentions.y2layers.installId - 4dee6cb6-a544-4543-b426-f89cb6793250
FF - user.js: extentions.y2layers.defaultEnableAppsList - bestvideodownloader,ezLooker,pagerage,buzzdock,toprelatedtopics,twittube
.
FF - user.js: extensions.autoDisableScopes - 14
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-27 64160]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-8-8 655944]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-7-11 1262400]
R2 postgresql-8.4;postgresql-8.4 - PostgreSQL Server 8.4;C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files/PostgreSQL/8.4/data" -w --> C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RalinkRegistryWriter.exe [2011-2-22 69632]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2012-7-5 3048136]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-5-15 382272]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-6-14 2666880]
R3 Abyssus03;Razer Abyssus USB Filter Driver;c:\windows\system32\drivers\Abyssus.sys [2012-1-24 9216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-8-8 22344]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-9-15 38248]
R3 vHidDev;Razer Gaming Device;c:\windows\system32\drivers\vHidDev.sys [2012-1-24 5760]
S2 Adobe Licensing Console;Adobe Licensing Console;c:\windows\system32\lnsecsl.exe [2012-6-15 910564]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-3 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-18 250056]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-12-8 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2011-2-22 641024]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 Salmosa03;Razer Salmosa USB Filter Driver;c:\windows\system32\drivers\Salmosa.sys [2008-10-29 9344]
S3 VundoFixSvc;VundoFix Service;VundoFixSVC.exe --> VundoFixSVC.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1036104]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
.
=============== Created Last 30 ================
.
2012-08-11 17:57:08100864----a-w-C:\kxldapog.sys
2012-08-08 10:57:36--------d-----w-c:\users\dean\appdata\roaming\Malwarebytes
2012-08-08 10:57:28--------d-----w-c:\programdata\Malwarebytes
2012-08-08 10:57:2722344----a-w-c:\windows\system32\drivers\mbam.sys
2012-08-08 10:57:27--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2012-08-08 10:56:27--------d-----w-c:\program files\Ad-Aware Antivirus
2012-08-08 10:55:20--------d-----w-c:\users\dean\appdata\roaming\Ad-Aware Antivirus
2012-07-18 11:28:01426184----a-w-c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-08-02 19:49:2670344----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-15 03:50:48910564----a-w-c:\windows\system32\lnsecsl.exe
2012-05-15 10:26:00883008----a-w-c:\windows\system32\nvgenco32.dll
2012-05-15 10:26:008105280----a-w-c:\windows\system32\nvwgf2um.dll
2012-05-15 10:26:0061248----a-w-c:\windows\system32\OpenCL.dll
2012-05-15 10:26:005982528----a-w-c:\windows\system32\nvcuda.dll
2012-05-15 10:26:002524992----a-w-c:\windows\system32\nvcuvid.dll
2012-05-15 10:26:002445120----a-w-c:\windows\system32\nvcuvenc.dll
2012-05-15 10:26:002368832----a-w-c:\windows\system32\nvapi.dll
2012-05-15 10:26:0019607872----a-w-c:\windows\system32\nvoglv32.dll
2012-05-15 10:26:0017551680----a-w-c:\windows\system32\nvcompiler.dll
2012-05-15 10:26:0015322432----a-w-c:\windows\system32\nvd3dum.dll
2012-05-15 10:26:0011354944----a-w-c:\windows\system32\drivers\nvlddmkm.sys
2012-05-15 10:26:001000768----a-w-c:\windows\system32\nvdispco32.dll
2012-05-15 09:28:502561344----a-w-c:\windows\system32\nvsvcr.dll
2012-05-15 09:28:49645440----a-w-c:\windows\system32\nvvsvc.exe
2012-05-15 09:28:4962272----a-w-c:\windows\system32\nvshext.dll
2012-05-15 09:28:49108352----a-w-c:\windows\system32\nvmctray.dll
2012-05-15 09:28:483931456----a-w-c:\windows\system32\nvcpl.dll
2012-05-15 09:27:282759488----a-w-c:\windows\system32\nvsvc.dll
2012-05-15 01:21:50423744----a-w-c:\windows\system32\nvStreaming.exe
2008-10-29 06:29:41399386--sh--r-c:\windows\system32\gibwaoqk.exe
2008-10-29 06:29:41399386--sh--r-c:\windows\system32\quierwtw.exe
2008-10-29 06:29:41399386--sh--r-c:\windows\system32\ulzhortg.exe
2008-10-29 06:29:41399386--sh--r-c:\windows\system32\vechijoj.exe
2008-10-29 06:29:41399386--sh--r-c:\windows\system32\ymafemxq.exe
.
============= FINISH: 19:08:43.98 ===============
HKCR\AppID\activex.DLL (Adware.180Solutions) -> Delete on reboot.
HKCU\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKCU\Software\Cr_Installer\3491 (Adware.GamePlayLab) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\FUNMOODS\FUNMOODS (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Detected: 9
HKCU\Control Panel\Desktop|OriginalWallpaper (Hijack.Wallpaper) -> Data: C:\Windows\system32\phctcoj0e90l.bmp -> Quarantined and deleted successfully.
HKCU\Control Panel\Desktop|ConvertedWallpaper (Hijack.Wallpaper) -> Data: C:\Windows\system32\phctcoj0e90l.bmp -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\OLE|DRam prosessor (Trojan.Agent) -> Data: gibwaoqk.exe -> Quarantined and deleted successfully.
HKCU\Software\Funmoods\funmoods|tlbrSrchUrl (PUP.Funmoods) -> Data: http://start.funmoods.com/results.php?f=3&a=bf4&q= -> Quarantined and deleted successfully.
HKCU\Software\InstalledBrowserExtensions\215 Apps|3491 (PUP.CrossFire.SA) -> Data: Vid-Saver -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bf (Trojan.Agent) -> Data: 嶝髪퉽沔䍢켇笗ꮯリ⚝﹣赥鐱⥙毺飹讝媒坳ﶙԯ⦅ꤷ䨢秜⇾ꏟ쑫岺楑⌀鋛䨪놖濣痍﹝驪錰⬘寢긽ꧣ軴힅 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|bk (Trojan.Agent) -> Data: ¥V…úK„Õ/}*.X*k‹©’A"÷³ànÓt—–Õ7Êg¡
ËJf -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|iu (Trojan.Agent) -> Data: 3077 -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings|mu (Trojan.Agent) -> Data: {®Gáz„? -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 7
C:\Windows\Cursors\lsass.exe (Trojan.Dropper) -> Delete on reboot.
C:\Program Files\Codec-V\Codec-V.dll (PUP.Codec.PR) -> Quarantined and deleted successfully.
C:\Program Files\Vid-Saver\Vid-Saver.dll (PUP.GamePlayLab) -> Quarantined and deleted successfully.
C:\Users\Dean\Downloads\Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.
C:\Users\Dean\Downloads\Codec-V.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Help\DVCLAL (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\Help\PACKAGEINFO (Malware.Trace) -> Quarantined and deleted successfully.
(end)
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_31
Run by Dean at 19:07:56 on 2012-08-11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.967 [GMT 1:00]
.
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\TEMP\mrt754E.tmp\stdrt.exe
C:\Program Files\Razer\Abyssus\razerhid.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Razer\Abyssus\razerofa.exe
C:\Users\Dean\AppData\Local\Google\Update\1.3.21.115\GoogleCrashHandler.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
C:\Program Files\PostgreSQL\8.4\bin\pg_ctl.exe
C:\Program Files\Ralink\Common\RalinkRegistryWriter.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\PostgreSQL\8.4\bin\postgres.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\PostgreSQL\8.4\bin\postgres.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\PostgreSQL\8.4\bin\postgres.exe
C:\Program Files\PostgreSQL\8.4\bin\postgres.exe
C:\Program Files\PostgreSQL\8.4\bin\postgres.exe
C:\Program Files\PostgreSQL\8.4\bin\postgres.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\System32\svchost.exe -k wdisvc
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dean\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://isearch.avg.com/?cid={602ED...fb3797180&lang=en&ds=gm011&pr=sa&d=2012-06-26 11:13:19&v=11.1.1.7&sap=hp
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
uURLSearchHooks: Veoh Web Player Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - c:\program files\veoh_web_player\prxtbVeo2.dll
mURLSearchHooks: H - No File
mURLSearchHooks: Veoh Web Player Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - c:\program files\veoh_web_player\prxtbVeo2.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Veoh Web Player Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - c:\program files\veoh_web_player\prxtbVeo2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo\YontooIEClient.dll
TB: Veoh Web Player Toolbar: {cd90bf73-20f6-44ef-993d-bb920303bd2e} - c:\program files\veoh_web_player\prxtbVeo2.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Google Update] "c:\users\dean\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Abyssus] c:\program files\razer\abyssus\razerhid.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [AutoLaunch] c:\program files\lavasoft\ad-aware\AutoLaunch.exe monthly
StartupFolder: c:\users\dean\appdata\roaming\microsoft\windows\start menu\programs\startup\CurseClientStartup.ccip
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: plu.cn\3
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{3366FFC0-7663-4AC5-9FB2-29D09949FC0F} : DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{BD3E9A98-4DDE-431B-9918-A814EB040FEF} : DhcpNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\fcccayxY
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 255.255.255.255 easyanticheat.se # misleading site
Hosts: 255.255.255.255 www.easyanticheat.se # misleading site
Hosts: 255.255.255.255 easyanticheat.com # misleading site
Hosts: 255.255.255.255 www.easyanticheat.com # misleading site
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\dean\appdata\roaming\mozilla\firefox\profiles\imwplybk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://search.iminent.com/?appId=793c20b6-80ae-4bc3-b136-6f08d5d26c78&lcid=2057&ref=homepage
FF - prefs.js: keyword.URL - hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q=
FF - prefs.js: browser.startup.homepage - hxxp://search.iminent.com/?appId=793C20B6-80AE-4BC3-B136-6F08D5D26C78
FF - prefs.js: browser.search.selectedEngine - SearchTheWeb
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: browser.search.selectedEngine -
FF - plugin: c:\program files\common files\gretech\npgomtvx_nie.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\dyyno\dyyno player\npvlc.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HotbarSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\dean\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms0808050_sua_900\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms0810164_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms0905250_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms0907083_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms0907280_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms0912302_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms1001140_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms1002010_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms1002170_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms1008042_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms1010120_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\local\octoshape\octoshape streaming services\octoprogram-l03-nms1101262_sua_000\npoctoshape.dll
FF - plugin: c:\users\dean\appdata\roaming\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(extensions.funmoods.autoRvrt, false
FF - user.js: extensions.funmoods_i.hmpg - true
FF - user.js: extensions.funmoods_i.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=bf4
FF - user.js: extensions.funmoods_i.dfltSrch - true
FF - user.js: extensions.funmoods_i.srchPrvdr - Search
FF - user.js: extensions.funmoods_i.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods_i.newTabUrl - hxxp://start.funmoods.com/?f=2&a=bf4
FF - user.js: extensions.funmoods_i.tlbrSrchUrl - hxxp://start.funmoods.com/results.php?f=3&a=bf4&q=
FF - user.js: extensions.funmoods_i.id - a894eecf000000000000001a9282357f
FF - user.js: extensions.funmoods_i.instlDay - 15406
FF - user.js: extensions.funmoods_i.vrsn - 1.5.17.8
FF - user.js: extensions.funmoods_i.vrsni - 1.5.17.8
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.17.812:16:00
FF - user.js: extensions.funmoods_i.prtnrId - funmoods
FF - user.js: extensions.funmoods_i.prdct - funmoods
FF - user.js: extensions.funmoods_i.aflt - bf4
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods_i.tlbrId - base
FF - user.js: extensions.funmoods_i.instlRef -
FF - user.js: extensions.funmoods_i.dfltLng -
FF - user.js: extensions.funmoods_i.excTlbr - false
FF - user.js: extensions.funmoods_i.admin - false
FF - user.js: extentions.y2layers.installId - 4dee6cb6-a544-4543-b426-f89cb6793250
FF - user.js: extentions.y2layers.defaultEnableAppsList - bestvideodownloader,ezLooker,pagerage,buzzdock,toprelatedtopics,twittube
.
FF - user.js: extensions.autoDisableScopes - 14
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-27 64160]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-8-8 655944]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-7-11 1262400]
R2 postgresql-8.4;postgresql-8.4 - PostgreSQL Server 8.4;C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "C:/Program Files/PostgreSQL/8.4/data" -w --> C:/Program Files/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RalinkRegistryWriter.exe [2011-2-22 69632]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2012-7-5 3048136]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2012-5-15 382272]
R2 TeamViewer7;TeamViewer 7;c:\program files\teamviewer\version7\TeamViewer_Service.exe [2012-6-14 2666880]
R3 Abyssus03;Razer Abyssus USB Filter Driver;c:\windows\system32\drivers\Abyssus.sys [2012-1-24 9216]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-8-8 22344]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-9-15 38248]
R3 vHidDev;Razer Gaming Device;c:\windows\system32\drivers\vHidDev.sys [2012-1-24 5760]
S2 Adobe Licensing Console;Adobe Licensing Console;c:\windows\system32\lnsecsl.exe [2012-6-15 910564]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-3 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-18 250056]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-12-8 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2011-2-22 641024]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 Salmosa03;Razer Salmosa USB Filter Driver;c:\windows\system32\drivers\Salmosa.sys [2008-10-29 9344]
S3 VundoFixSvc;VundoFix Service;VundoFixSVC.exe --> VundoFixSVC.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1036104]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
.
=============== Created Last 30 ================
.
2012-08-11 17:57:08  100864  ----a-w-  C:\kxldapog.sys
2012-08-08 10:57:36  --------  d-----w-  c:\users\dean\appdata\roaming\Malwarebytes
2012-08-08 10:57:28  --------  d-----w-  c:\programdata\Malwarebytes
2012-08-08 10:57:27  22344  ----a-w-  c:\windows\system32\drivers\mbam.sys
2012-08-08 10:57:27  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2012-08-08 10:56:27  --------  d-----w-  c:\program files\Ad-Aware Antivirus
2012-08-08 10:55:20  --------  d-----w-  c:\users\dean\appdata\roaming\Ad-Aware Antivirus
2012-07-18 11:28:01  426184  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-08-02 19:49:26  70344  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-15 03:50:48  910564  ----a-w-  c:\windows\system32\lnsecsl.exe
2012-05-15 10:26:00  883008  ----a-w-  c:\windows\system32\nvgenco32.dll
2012-05-15 10:26:00  8105280  ----a-w-  c:\windows\system32\nvwgf2um.dll
2012-05-15 10:26:00  61248  ----a-w-  c:\windows\system32\OpenCL.dll
2012-05-15 10:26:00  5982528  ----a-w-  c:\windows\system32\nvcuda.dll
2012-05-15 10:26:00  2524992  ----a-w-  c:\windows\system32\nvcuvid.dll
2012-05-15 10:26:00  2445120  ----a-w-  c:\windows\system32\nvcuvenc.dll
2012-05-15 10:26:00  2368832  ----a-w-  c:\windows\system32\nvapi.dll
2012-05-15 10:26:00  19607872  ----a-w-  c:\windows\system32\nvoglv32.dll
2012-05-15 10:26:00  17551680  ----a-w-  c:\windows\system32\nvcompiler.dll
2012-05-15 10:26:00  15322432  ----a-w-  c:\windows\system32\nvd3dum.dll
2012-05-15 10:26:00  11354944  ----a-w-  c:\windows\system32\drivers\nvlddmkm.sys
2012-05-15 10:26:00  1000768  ----a-w-  c:\windows\system32\nvdispco32.dll
2012-05-15 09:28:50  2561344  ----a-w-  c:\windows\system32\nvsvcr.dll
2012-05-15 09:28:49  645440  ----a-w-  c:\windows\system32\nvvsvc.exe
2012-05-15 09:28:49  62272  ----a-w-  c:\windows\system32\nvshext.dll
2012-05-15 09:28:49  108352  ----a-w-  c:\windows\system32\nvmctray.dll
2012-05-15 09:28:48  3931456  ----a-w-  c:\windows\system32\nvcpl.dll
2012-05-15 09:27:28  2759488  ----a-w-  c:\windows\system32\nvsvc.dll
2012-05-15 01:21:50  423744  ----a-w-  c:\windows\system32\nvStreaming.exe
2008-10-29 06:29:41  399386  --sh--r-  c:\windows\system32\gibwaoqk.exe
2008-10-29 06:29:41  399386  --sh--r-  c:\windows\system32\quierwtw.exe
2008-10-29 06:29:41  399386  --sh--r-  c:\windows\system32\ulzhortg.exe
2008-10-29 06:29:41  399386  --sh--r-  c:\windows\system32\vechijoj.exe
2008-10-29 06:29:41  399386  --sh--r-  c:\windows\system32\ymafemxq.exe
.
============= FINISH: 19:08:43.98 ===============