Solved Keylogger detected, hopefully removed


gubar
Hi,

I unknowingly had my antivirus disabled for a while today and got a keylogger, which was detected when I re-enabled it. I followed the link to the file in AppData and it had my personal and work email logons/passwords right there in black and white. I've since run all the steps here, installed a keyscrambler and changed those listed passwords. Luckily I don't have any personal info on my computer, or stored on those email accounts. Anyway, here are my logs - would be very grateful if someone could take a look:

System: Windows 7 pro 64 bit, k8we m/board, 2 x opteron 280, 4 gigs, gtx 275

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6428

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

24/04/2011 01:23:01
mbam-log-2011-04-24 (01-23-01).txt

Scan type: Quick scan
Objects scanned: 180482
Time elapsed: 2 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

gmer (no information saved in log - 0 KB file produced. It did complete its run though)

.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by Steven at 1:29:03.12 on 24/04/2011
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.4095.2870 [GMT 1:00]
.
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\WTouch\WTouchService.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sesinetd.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\WTouch\WTouchUser.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\EVGA Precision\EVGAPrecision.exe
C:\Windows\system32\hserver.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\soundman.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Creative\Software Update 3\SoftAuto.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Razer\Diamondback 3G\razertra.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Razer\Diamondback 3G\razerofa.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Steven\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
mWinlogon: Userinit=userinit.exe,
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - C:\Program Files (x86)\KeyScrambler\KeyScramblerIE.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [AdobeBridge]
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [SoftAuto.exe] "C:\Program Files (x86)\Creative\Software Update 3\SoftAuto.exe"
mRun: [Diamondback] C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - C:\Program Files (x86)\KeyScrambler\KeyScramblerIE.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
BHO-X64: KeyScramblerBHO Class: {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files (x86)\KeyScrambler\x64\KeyScramblerIE.dll
BHO-X64: QFX Software KeyScrambler - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB-X64: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
mRun-x64: [SoundMan] SOUNDMAN.EXE
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-8-13 55856]
R0 SI3112r;SiI-3112 SATARaid Controller;C:\Windows\System32\drivers\SI3112r.sys [2010-10-1 162144]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2010-1-20 135336]
R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2010-1-20 269480]
R2 avgntflt;avgntflt;C:\Windows\System32\drivers\avgntflt.sys [2010-1-20 83120]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-1-20 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-1-7 378984]
R2 TabletServicePen;TabletServicePen;C:\Windows\System32\Pen_Tablet.exe [2010-3-24 5556520]
R2 WTouchService;WTouch Service;C:\Program Files\WTouch\WTouchService.exe [2010-3-24 127784]
R3 KeyScrambler;KeyScrambler;C:\Windows\System32\drivers\keyscrambler.sys [2011-4-24 130696]
R3 Razerlow;Razer Pro|Solutions;C:\Windows\System32\drivers\DB3G.sys [2005-11-7 21120]
R3 RTCore64;RTCore64;C:\Program Files (x86)\EVGA Precision\RTCore64.sys [2011-1-17 14440]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-13 136176]
S3 CTUPnPSv;Creative Centrale Media Server;C:\Program Files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 SysTool;SysTool Overclocking Utility;C:\Windows\System32\drivers\SysTool64.sys [2006-11-10 30720]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-6-6 1255736]
S4 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
.
=============== Created Last 30 ================
.
2011-04-23 23:20:15 130696 ----a-w- C:\Windows\System32\drivers\keyscrambler.sys
2011-04-23 23:20:15 -------- d-----w- C:\Program Files (x86)\KeyScrambler
2011-04-23 10:33:28 -------- d-----w- C:\Users\Steven\AppData\Roaming\AVS4YOU
2011-04-23 10:30:18 10915840 ----a-w- C:\Windows\SysWow64\libmfxhw32.dll
2011-04-23 10:30:18 10833920 ----a-w- C:\Windows\SysWow64\libmfxsw32.dll
2011-04-23 10:30:12 24576 ----a-w- C:\Windows\SysWow64\msxml3a.dll
2011-04-23 10:30:12 1700352 ----a-w- C:\Windows\SysWow64\GdiPlus.dll
2011-04-23 10:30:12 -------- d-----w- C:\Program Files (x86)\Common Files\AVSMedia
2011-04-23 10:30:12 -------- d-----w- C:\Program Files (x86)\AVS4YOU
2011-04-23 10:30:12 -------- d-----w- C:\PROGRA~3\AVS4YOU
2011-04-22 22:57:28 8802128 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{9DE0B43C-76F5-4CD8-B8DD-C79260618A47}\mpengine.dll
2011-04-18 18:05:00 -------- d-----w- C:\Users\Steven\AppData\Local\Cyberlink
2011-04-16 10:23:35 540688 ----a-w- C:\Windows\System32\d3dx10_39.dll
2011-04-16 10:23:35 467984 ----a-w- C:\Windows\SysWow64\d3dx10_39.dll
2011-04-16 10:23:35 1942552 ----a-w- C:\Windows\System32\D3DCompiler_39.dll
2011-04-16 10:23:35 1493528 ----a-w- C:\Windows\SysWow64\D3DCompiler_39.dll
2011-04-16 10:23:34 4992520 ----a-w- C:\Windows\System32\D3DX9_39.dll
2011-04-16 10:23:34 3851784 ----a-w- C:\Windows\SysWow64\D3DX9_39.dll
2011-04-16 10:13:54 -------- d-----w- C:\Program Files (x86)\Codemasters
2011-04-16 09:43:35 -------- d-----w- C:\Windows\Back to the Future Episode 1
2011-04-16 09:43:35 -------- d-----w- C:\Program Files (x86)\Back to the Future Episode 1
2011-04-14 18:15:48 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-04-07 21:32:37 -------- d-----w- C:\Users\Steven\.nuke
2011-04-07 21:29:24 -------- d-----w- C:\Program Files\The Foundry
2011-04-07 21:29:24 -------- d-----w- C:\Program Files\Nuke6.0v4
2011-04-05 18:45:49 -------- d-----w- C:\Program Files (x86)\SystemRequirementsLab
2011-04-03 11:29:08 -------- d-----w- C:\Users\Steven\AppData\Local\{3D8565C1-2387-47A9-80AE-52E8AA335C27}
2011-04-02 16:50:41 -------- d-----w- C:\Users\Steven\AppData\Local\{6E63F4FD-74B8-412D-A503-DBB896391D84}
.
==================== Find3M ====================
.
2011-03-15 21:30:21 73 ----a-w- C:\Windows\SysWow64\ssprs.dll
2011-03-15 21:30:21 205 ----a-w- C:\Windows\SysWow64\lsprst7.dll
2011-03-11 06:19:26 1395712 ----a-w- C:\Windows\System32\mfc42.dll
2011-03-11 06:19:26 1359872 ----a-w- C:\Windows\System32\mfc42u.dll
2011-03-11 05:40:24 1164288 ----a-w- C:\Windows\SysWow64\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- C:\Windows\SysWow64\mfc42.dll
2011-03-08 06:14:30 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-03-08 05:38:13 740864 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-03-03 06:17:10 182272 ----a-w- C:\Windows\System32\dnsrslvr.dll
2011-03-03 06:14:38 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe
2011-03-03 05:27:30 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe
2011-03-03 03:58:32 3133440 ----a-w- C:\Windows\System32\win32k.sys
2011-02-24 05:32:52 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2011-02-23 05:16:28 461312 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-02-23 05:16:01 401920 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-02-23 05:15:50 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-02-23 05:15:27 157696 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-02-23 05:15:14 286720 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-02-23 05:15:13 126464 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-02-23 05:15:06 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys
2011-02-19 06:37:44 1135104 ----a-w- C:\Windows\System32\FntCache.dll
2011-02-19 06:37:10 1540608 ----a-w- C:\Windows\System32\DWrite.dll
2011-02-19 06:36:49 902656 ----a-w- C:\Windows\System32\d2d1.dll
2011-02-19 06:36:13 46080 ----a-w- C:\Windows\System32\atmlib.dll
2011-02-19 05:32:48 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll
2011-02-19 05:32:35 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2011-02-19 05:32:08 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2011-02-19 04:13:39 367104 ----a-w- C:\Windows\System32\atmfd.dll
2011-02-19 03:37:02 294912 ----a-w- C:\Windows\SysWow64\atmfd.dll
2011-02-12 06:14:41 267776 ----a-w- C:\Windows\System32\FXSCOVER.exe
2011-02-05 12:41:43 556928 ----a-w- C:\Windows\System32\winresume.efi
2011-02-05 12:41:35 640896 ----a-w- C:\Windows\System32\winload.efi
2011-02-05 12:41:24 20352 ----a-w- C:\Windows\System32\kdusb.dll
2011-02-05 12:41:24 19328 ----a-w- C:\Windows\System32\kd1394.dll
2011-02-05 12:41:23 17792 ----a-w- C:\Windows\System32\kdcom.dll
2011-02-05 12:39:21 603976 ----a-w- C:\Windows\System32\winload.exe
2011-02-05 12:39:21 518160 ----a-w- C:\Windows\System32\winresume.exe
2011-02-02 21:40:23 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-02-02 17:11:20 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-01-26 06:53:10 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2011-01-26 06:53:10 265088 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2011-01-26 06:31:20 144384 ----a-w- C:\Windows\System32\cdd.dll
.
============= FINISH: 1:29:49.65 ===============


DDS attach file:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 20/01/2010 21:01:04
System Uptime: 24/04/2011 01:18:17 (0 hours ago)
.
Motherboard: Tyan Computer Corp | | S2895
Processor: Dual Core AMD Opteron(tm) Processor 280 | CPU0-Socket 940 | 2411/200mhz
Processor: Dual Core AMD Opteron(tm) Processor 280 | CPU1-Socket 940 | 2411/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 931 GiB total, 687.548 GiB free.
D: is CDROM ()
F: is FIXED (NTFS) - 149 GiB total, 45.061 GiB free.
H: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
Description: Standard PS/2 Keyboard
Device ID: ACPI\PNP0303\3&13C0B0C5&0
Manufacturer: (Standard keyboards)
Name: Standard PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\3&13C0B0C5&0
Service: i8042prt
.
Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\3&13C0B0C5&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\3&13C0B0C5&0
Service: i8042prt
.
==== System Restore Points ===================
.
RP281: 18/04/2011 19:02:53 - Installed MediaEspresso
RP282: 18/04/2011 19:06:29 - Installed MediaEspresso
RP283: 19/04/2011 19:44:04 - Windows Update
RP284: 20/04/2011 20:37:09 - Windows Update
RP285: 20/04/2011 22:26:11 - Configured MediaEspresso
RP286: 22/04/2011 23:57:10 - Windows Update
.
==== Installed Programs ======================
.
AC3Filter 1.63b
Adobe After Effects CS5
Adobe After Effects CS5 Third Party Content
Adobe After Effects CS5 Third Party Royalty Content
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color Video Profiles CS CS4
Adobe Community Help
Adobe CS4 American English Speech Analysis Models
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Dreamweaver CS5
Adobe Dynamiclink Support
Adobe Encore CS4
Adobe Encore CS4 Codecs
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Additional Exporter
Adobe Media Encoder CS4 Dolby
Adobe Media Encoder CS4 Exporter
Adobe Media Encoder CS4 Importer
Adobe Media Encoder CS5 PCI X64
Adobe Media Player
Adobe OnLocation CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS5
Adobe Premiere Pro CS4
Adobe Premiere Pro CS4 Functional Content
Adobe Premiere Pro CS4 Third Party Content
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe XMP Panels CS4
AdobeColorCommonSetRGB
Any DVD Cloner Platinum 1.0.7
Any Video Converter 3.0.7
Apple Application Support
Apple Software Update
ArmA 2 Uninstall
Avira AntiVir Personal - Free Antivirus
AviSynth 2.5
AVS Update Manager 1.0
AVS Video Converter 7
AVS4YOU Software Navigator 1.4
AVStoDVD 2.3.2
Back to the Future Episode 1
Company of Heroes
Company of Heroes - FAKEMSI
ConvertXtoDVD 4.0.9.322
Creative Centrale
Creative Software Update
D3DX10
Driver Sweeper 2.1.0
DVD Shrink 3.2
EA Download Manager
EVGA Precision 2.0.2
Foxit Reader
Google Earth
Google Update Helper
ImgBurn
Java Auto Updater
Java(TM) 6 Update 20
Java(TM) 6 Update 24
KeyScrambler
Malwarebytes' Anti-Malware
MediaInfo 0.7.34 (32-bit)
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Mozilla Firefox 4.0 (x86 en-GB)
Mp3tag v2.48c
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero BurnLite 10
Nero Control Center 10
Nero ControlCenter 10 Help (CHM)
Nero Core Components 10
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
OpenOffice.org 3.2
PDF Settings CS5
Pen Tablet
PFTrack V5.0
Photoshop Camera Raw
QuickTime
Razer Diamondback 3G
Realtek AC'97 Audio
S.T.A.L.K.E.R. - Call of Pripyat [v1.6.02]
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Spybot - Search & Destroy
SpywareBlaster 4.4
Suite Shared Configuration CS4
System Requirements Lab
The Longest Journey
Vicon boujou 5.0
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.7
WebTablet IE Plugin
WebTablet Netscape Plugin
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
WinX DVD Ripper Platinum 5.21.0
Wondershare DVD Ripper Platinum(Build 4.4.8.0)
Xilisoft DVD Ripper Ultimate 6
xNormal 3.17.2
ZBrush 3.5 R3
ZBrush 4
.
==== End Of File ===========================
Thanks in advance for any help,

regards,

gubar
 
Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=================================================================

So far, I don't see much....

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.

Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run, then download and try to run another one.

Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double-clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Thanks for your help - here are the logs you asked for:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Professional
Windows Information: (build 7600), 64-bit
Logical Drives Mask: 0x000000ad

Kernel Drivers (total 164):
0x02A52000 \SystemRoot\system32\ntoskrnl.exe
0x02A09000 \SystemRoot\system32\hal.dll
0x00BCF000 \SystemRoot\system32\kdcom.dll
0x00CCF000 \SystemRoot\system32\mcupdate_AuthenticAMD.dll
0x00CDC000 \SystemRoot\system32\PSHED.dll
0x00CF0000 \SystemRoot\system32\CLFS.SYS
0x00C00000 \SystemRoot\system32\CI.dll
0x00D4E000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00CC0000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00E37000 \SystemRoot\System32\Drivers\spny.sys
0x00F5D000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x00F66000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x00F95000 \SystemRoot\system32\DRIVERS\ACPI.sys
0x00FEC000 \SystemRoot\system32\DRIVERS\msisadrv.sys
0x00E00000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
0x0102B000 \SystemRoot\system32\DRIVERS\pci.sys
0x0105E000 \SystemRoot\System32\drivers\partmgr.sys
0x01073000 \SystemRoot\system32\DRIVERS\volmgr.sys
0x01088000 \SystemRoot\System32\drivers\volmgrx.sys
0x010E4000 \SystemRoot\system32\DRIVERS\pciide.sys
0x010EB000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x010FB000 \SystemRoot\System32\drivers\mountmgr.sys
0x01115000 \SystemRoot\system32\DRIVERS\atapi.sys
0x0111E000 \SystemRoot\system32\DRIVERS\ataport.SYS
0x01148000 \SystemRoot\system32\DRIVERS\SI3112r.sys
0x01174000 \SystemRoot\system32\DRIVERS\amdxata.sys
0x0117F000 \SystemRoot\system32\drivers\fltmgr.sys
0x011CB000 \SystemRoot\system32\drivers\fileinfo.sys
0x011DF000 \SystemRoot\system32\DRIVERS\SiWinAcc.sys
0x011E8000 \SystemRoot\System32\Drivers\PxHlpa64.sys
0x0123E000 \SystemRoot\System32\Drivers\Ntfs.sys
0x014D1000 \SystemRoot\System32\Drivers\msrpc.sys
0x0152F000 \SystemRoot\System32\Drivers\ksecdd.sys
0x01549000 \SystemRoot\System32\Drivers\cng.sys
0x015BC000 \SystemRoot\System32\drivers\pcw.sys
0x015CD000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x0162B000 \SystemRoot\system32\drivers\ndis.sys
0x0171D000 \SystemRoot\system32\drivers\NETIO.SYS
0x0177D000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01800000 \SystemRoot\System32\drivers\tcpip.sys
0x017A8000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01600000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
0x01400000 \SystemRoot\system32\DRIVERS\volsnap.sys
0x01610000 \SystemRoot\System32\Drivers\spldr.sys
0x0144C000 \SystemRoot\System32\drivers\rdyboost.sys
0x01618000 \SystemRoot\System32\Drivers\mup.sys
0x017F2000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01486000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x015D7000 \SystemRoot\system32\DRIVERS\disk.sys
0x01200000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x01000000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x013F4000 \SystemRoot\System32\Drivers\Null.SYS
0x011F5000 \SystemRoot\System32\Drivers\Beep.SYS
0x00E0D000 \SystemRoot\System32\drivers\vga.sys
0x02C90000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x02CB5000 \SystemRoot\System32\drivers\watchdog.sys
0x02CC5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x02CCE000 \SystemRoot\system32\drivers\rdpencdd.sys
0x02CD7000 \SystemRoot\system32\drivers\rdprefmp.sys
0x02CE0000 \SystemRoot\System32\Drivers\Msfs.SYS
0x02CEB000 \SystemRoot\System32\Drivers\Npfs.SYS
0x02CFC000 \SystemRoot\system32\DRIVERS\tdx.sys
0x02D1A000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x02D27000 \SystemRoot\system32\drivers\afd.sys
0x02DB1000 \SystemRoot\System32\DRIVERS\netbt.sys
0x02DF6000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x02C00000 \SystemRoot\system32\DRIVERS\pacer.sys
0x02C26000 \SystemRoot\system32\DRIVERS\netbios.sys
0x02C35000 \SystemRoot\system32\DRIVERS\serial.sys
0x02C52000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x02C6D000 \SystemRoot\system32\DRIVERS\termdd.sys
0x03EE7000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x03F38000 \SystemRoot\system32\drivers\nsiproxy.sys
0x03F44000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x03F4F000 \SystemRoot\System32\drivers\discache.sys
0x03F5E000 \SystemRoot\system32\drivers\csc.sys
0x03FE1000 \SystemRoot\System32\Drivers\dfsc.sys
0x03E00000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x03E11000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x03E33000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x03E59000 \SystemRoot\system32\DRIVERS\amdk8.sys
0x03E70000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x03E7B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x03ED1000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x0405A000 \SystemRoot\system32\drivers\ALCWDM64.SYS
0x043A6000 \SystemRoot\system32\drivers\portcls.sys
0x04000000 \SystemRoot\system32\drivers\drmk.sys
0x044D2000 \SystemRoot\system32\drivers\ks.sys
0x04515000 \SystemRoot\system32\drivers\ksthunk.sys
0x0451B000 \SystemRoot\system32\DRIVERS\1394ohci.sys
0x04559000 \SystemRoot\system32\DRIVERS\nvm62x64.sys
0x0FED5000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x10B31000 \SystemRoot\System32\Drivers\nvBridge.kmd
0x04A02000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x04AF6000 \SystemRoot\System32\drivers\dxgmms1.sys
0x04B3C000 \SystemRoot\System32\Drivers\ahx7yb0q.SYS
0x04B81000 \SystemRoot\system32\DRIVERS\serenum.sys
0x04B8D000 \SystemRoot\system32\DRIVERS\fdc.sys
0x04BDD000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x04BEC000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x10B33000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x04BFB000 \SystemRoot\system32\DRIVERS\wacomvhid.sys
0x10B43000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x10B5C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x10B65000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x10B7B000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x10B9F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x10BAB000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x10BDA000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x0FE00000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x0FE21000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x0FE3B000 \SystemRoot\System32\Drivers\pcouffin.sys
0x0FE50000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x04BFE000 \SystemRoot\system32\DRIVERS\swenum.sys
0x0FE5B000 \SystemRoot\system32\DRIVERS\umbus.sys
0x0FE6D000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x0FEC7000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0x045BD000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x10BF5000 \SystemRoot\system32\DRIVERS\wacommousefilter.sys
0x045CA000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x04B9A000 \SystemRoot\system32\drivers\DB3G.sys
0x04BA0000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x04BAE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x04BB0000 \SystemRoot\System32\Drivers\crashdmp.sys
0x04BBE000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x04BCA000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x045DF000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x04400000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x0441D000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x0442B000 \SystemRoot\System32\drivers\keyscrambler.sys
0x00070000 \SystemRoot\System32\win32k.sys
0x04450000 \SystemRoot\System32\drivers\Dxapi.sys
0x0445C000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00440000 \SystemRoot\System32\TSDDD.dll
0x00700000 \SystemRoot\System32\cdd.dll
0x00820000 \SystemRoot\System32\ATMFD.DLL
0x0446A000 \SystemRoot\system32\drivers\luafv.sys
0x0448D000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x044AA000 \SystemRoot\system32\drivers\WudfPf.sys
0x04022000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x04037000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x0646F000 \SystemRoot\system32\drivers\HTTP.sys
0x06537000 \SystemRoot\system32\DRIVERS\bowser.sys
0x06555000 \SystemRoot\System32\drivers\mpsdrv.sys
0x0656D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x0659A000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x06400000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x06423000 \SystemRoot\System32\Drivers\adfs.SYS
0x07EC8000 \SystemRoot\system32\drivers\peauth.sys
0x07F6E000 \SystemRoot\System32\Drivers\secdrv.SYS
0x07F79000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x07FA6000 \SystemRoot\System32\drivers\tcpipreg.sys
0x07E00000 \SystemRoot\System32\DRIVERS\srv2.sys
0x08650000 \SystemRoot\System32\DRIVERS\srv.sys
0x086E5000 \??\C:\Program Files (x86)\EVGA Precision\RTCore64.sys
0x086EB000 \SystemRoot\System32\drivers\rdpdr.sys
0x08719000 \SystemRoot\system32\drivers\tdtcp.sys
0x08724000 \SystemRoot\System32\DRIVERS\tssecsrv.sys
0x08733000 \SystemRoot\System32\Drivers\RDPWD.SYS
0x0876B000 \SystemRoot\system32\drivers\spsys.sys
0x087DC000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x76FC0000 \Windows\System32\ntdll.dll
0x48300000 \Windows\System32\smss.exe
0xFF2E0000 \Windows\System32\apisetschema.dll

Processes (total 71):
0 System Idle Process
4 System
296 C:\Windows\System32\smss.exe
384 csrss.exe
444 C:\Windows\System32\wininit.exe
480 csrss.exe
504 C:\Windows\System32\services.exe
520 C:\Windows\System32\lsass.exe
528 C:\Windows\System32\lsm.exe
652 C:\Windows\System32\svchost.exe
716 C:\Windows\System32\winlogon.exe
796 C:\Windows\System32\nvvsvc.exe
836 C:\Windows\System32\svchost.exe
904 C:\Windows\System32\svchost.exe
940 C:\Windows\System32\svchost.exe
996 C:\Windows\System32\svchost.exe
396 C:\Windows\System32\audiodg.exe
1004 C:\Windows\System32\svchost.exe
1100 C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
1120 C:\Windows\System32\nvvsvc.exe
1128 C:\Program Files\WTouch\WTouchService.exe
1300 C:\Windows\System32\svchost.exe
1424 C:\Windows\System32\spoolsv.exe
1460 C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
1540 C:\Windows\System32\svchost.exe
1648 C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
1704 C:\Windows\System32\svchost.exe
1756 C:\Windows\System32\sesinetd.exe
1884 C:\Windows\System32\taskeng.exe
1944 C:\Windows\System32\dwm.exe
1968 C:\Windows\explorer.exe
1980 C:\Windows\System32\taskhost.exe
1992 C:\Program Files\WTouch\WTouchUser.exe
1576 C:\Windows\System32\taskeng.exe
1516 C:\Program Files (x86)\EVGA Precision\EVGAPrecision.exe
2212 C:\Windows\System32\hserver.exe
2220 C:\Windows\soundman.exe
2236 C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
2244 C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
2256 C:\Windows\System32\conhost.exe
2268 C:\Program Files\Windows Sidebar\sidebar.exe
2292 C:\Program Files (x86)\Creative\Software Update 3\SoftAuto.exe
2448 C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
2500 C:\Windows\System32\svchost.exe
2528 C:\Windows\System32\Pen_Tablet.exe
2672 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2748 C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
2888 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
1604 C:\Windows\System32\WTablet\Pen_TabletUser.exe
1160 C:\Windows\System32\Pen_Tablet.exe
3208 C:\Program Files (x86)\Razer\Diamondback 3G\razerhid.exe
3216 C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
3244 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
3704 C:\Windows\System32\SearchIndexer.exe
3792 C:\Windows\System32\svchost.exe
3820 C:\Windows\System32\svchost.exe
3276 C:\Program Files\Windows Media Player\wmpnetwk.exe
3336 C:\Program Files (x86)\Razer\Diamondback 3G\razertra.exe
4076 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
3324 WmiPrvSE.exe
3304 C:\Program Files (x86)\Razer\Diamondback 3G\razerofa.exe
668 C:\Windows\System32\SearchProtocolHost.exe
3224 C:\Windows\System32\SearchFilterHost.exe
3532 C:\Windows\System32\svchost.exe
4344 C:\Windows\explorer.exe
2324 C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
3692 C:\Windows\System32\sppsvc.exe
976 C:\Users\Steven\Desktop\MBRCheck.exe
3672 C:\Windows\System32\conhost.exe
620 C:\Windows\System32\dllhost.exe
3188 C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD103SJ, Rev: 1AJ100E4
PhysicalDrive1 Model Number: ST3160811AS, Rev: 3.AAE

Size Device Name MBR Status
--------------------------------------------
931 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
149 GB \\.\PhysicalDrive1 RE: Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!



ComboFix 11-04-23.02 - Steven 24/04/2011 13:37:29.4.4 - x64
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.4095.2468 [GMT 1:00]
Running from: c:\users\Steven\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-24 to 2011-04-24 )))))))))))))))))))))))))))))))
.
.
2011-04-24 12:41 . 2011-04-24 12:41 -------- d-----w- c:\users\Mcx1-STEVEN-PC\AppData\Local\temp
2011-04-24 12:41 . 2011-04-24 12:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-23 23:20 . 2011-04-23 23:20 -------- d-----w- c:\program files (x86)\KeyScrambler
2011-04-23 23:20 . 2010-02-11 15:04 130696 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2011-04-23 10:33 . 2011-04-23 10:33 -------- d-----w- c:\users\Steven\AppData\Roaming\AVS4YOU
2011-04-23 10:30 . 2010-12-13 13:37 10915840 ----a-w- c:\windows\SysWow64\libmfxhw32.dll
2011-04-23 10:30 . 2010-12-13 13:37 10833920 ----a-w- c:\windows\SysWow64\libmfxsw32.dll
2011-04-23 10:30 . 2011-04-23 10:33 -------- d-----w- c:\programdata\AVS4YOU
2011-04-23 10:30 . 2011-04-23 10:32 -------- d-----w- c:\program files (x86)\AVS4YOU
2011-04-23 10:30 . 2011-04-23 10:30 -------- d-----w- c:\program files (x86)\Common Files\AVSMedia
2011-04-23 10:30 . 2010-09-14 16:38 1700352 ----a-w- c:\windows\SysWow64\GdiPlus.dll
2011-04-23 10:30 . 2010-09-14 16:38 24576 ----a-w- c:\windows\SysWow64\msxml3a.dll
2011-04-22 22:57 . 2011-04-11 08:21 8802128 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9DE0B43C-76F5-4CD8-B8DD-C79260618A47}\mpengine.dll
2011-04-18 18:08 . 2011-04-18 18:08 -------- d-----w- c:\users\Public\CyberLink
2011-04-18 18:06 . 2011-04-18 18:06 -------- d-----w- c:\users\Steven\AppData\Roaming\CyberLink
2011-04-18 18:05 . 2011-04-18 18:05 -------- d-----w- c:\programdata\CyberLink
2011-04-18 18:05 . 2011-04-20 21:35 -------- d-----w- c:\users\Steven\AppData\Local\Cyberlink
2011-04-16 10:23 . 2008-07-12 07:18 467984 ----a-w- c:\windows\SysWow64\d3dx10_39.dll
2011-04-16 10:23 . 2008-07-12 07:18 1493528 ----a-w- c:\windows\SysWow64\D3DCompiler_39.dll
2011-04-16 10:23 . 2008-07-12 07:18 540688 ----a-w- c:\windows\system32\d3dx10_39.dll
2011-04-16 10:23 . 2008-07-12 07:18 1942552 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2011-04-16 10:23 . 2008-07-12 07:18 3851784 ----a-w- c:\windows\SysWow64\D3DX9_39.dll
2011-04-16 10:23 . 2008-07-12 07:18 4992520 ----a-w- c:\windows\system32\D3DX9_39.dll
2011-04-16 10:13 . 2011-04-16 11:11 -------- d-----w- c:\program files (x86)\Codemasters
2011-04-16 09:43 . 2011-04-16 09:43 -------- d-----w- c:\program files (x86)\Back to the Future Episode 1
2011-04-16 09:43 . 2011-04-16 09:43 -------- d-----w- c:\windows\Back to the Future Episode 1
2011-04-14 18:15 . 2011-02-24 06:30 476160 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-04-07 21:32 . 2011-04-07 21:34 -------- d-----w- c:\users\Steven\.nuke
2011-04-07 21:29 . 2011-04-07 21:30 -------- d-----w- c:\program files\Nuke6.0v4
2011-04-07 21:29 . 2011-04-07 21:29 -------- d-----w- c:\program files\The Foundry
2011-04-05 18:45 . 2011-04-05 18:45 -------- d-----w- c:\program files (x86)\SystemRequirementsLab
2011-04-05 18:45 . 2011-04-05 18:45 -------- d-----w- c:\users\Steven\AppData\Roaming\SystemRequirementsLab
2011-04-03 11:29 . 2011-04-03 11:29 -------- d-----w- c:\users\Steven\AppData\Local\{3D8565C1-2387-47A9-80AE-52E8AA335C27}
2011-04-02 16:50 . 2011-04-02 16:50 -------- d-----w- c:\users\Steven\AppData\Local\{6E63F4FD-74B8-412D-A503-DBB896391D84}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-10 18:42 . 2010-06-24 10:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-08 20:17 . 2011-03-08 20:17 61440 ----a-r- c:\users\Steven\AppData\Roaming\Microsoft\Installer\{44BBD1DC-F713-4FD2-8B27-C19495A1CDBB}\NewShortcut4_5CAB993EDD3D46CC9A9960173F42D18C.exe
2011-02-23 07:28 . 2011-02-23 07:28 67176 ----a-w- c:\windows\system32\OpenCL.dll
2011-02-23 07:28 . 2011-02-23 07:28 6606440 ----a-w- c:\windows\system32\nvcuda.dll
2011-02-23 07:28 . 2011-02-23 07:28 3112040 ----a-w- c:\windows\system32\nvcuvid.dll
2011-02-23 07:28 . 2011-02-23 07:28 2895976 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2011-02-23 07:28 . 2011-02-23 07:28 2479720 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-02-23 07:28 . 2011-02-23 07:28 2251368 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2011-02-23 07:28 . 2011-02-23 07:28 20473960 ----a-w- c:\windows\system32\nvoglv64.dll
2011-02-23 07:28 . 2011-02-23 07:28 18580072 ----a-w- c:\windows\system32\nvcompiler.dll
2011-02-23 07:28 . 2011-02-23 07:28 13011560 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2011-02-23 07:28 . 2011-02-23 07:28 12962792 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-02-23 07:28 . 2011-02-23 07:28 12862568 ----a-w- c:\windows\system32\nvd3dumx.dll
2011-02-23 07:28 . 2011-02-23 07:28 10079336 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2011-02-23 07:28 . 2011-02-10 19:29 7732328 ----a-w- c:\windows\system32\nvwgf2umx.dll
2011-02-23 07:28 . 2011-02-10 19:29 57960 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-02-23 07:28 . 2011-02-10 19:29 5654120 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2011-02-23 07:28 . 2011-02-10 19:29 4942952 ----a-w- c:\windows\SysWow64\nvcuda.dll
2011-02-23 07:28 . 2011-02-10 19:29 2200680 ----a-w- c:\windows\system32\nvapi64.dll
2011-02-23 07:28 . 2011-02-10 19:29 1965672 ----a-w- c:\windows\SysWow64\nvapi.dll
2011-02-23 07:28 . 2011-02-10 19:29 1614440 ----a-w- c:\windows\system32\nvdispco642090.dll
2011-02-23 07:28 . 2011-02-10 19:29 15047272 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2011-02-23 07:28 . 2011-02-10 19:29 1359976 ----a-w- c:\windows\system32\nvgenco642040.dll
2011-02-19 06:37 . 2011-03-09 18:57 1135104 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 06:37 . 2011-03-09 18:57 1540608 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 06:36 . 2011-03-09 18:57 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-02-19 05:32 . 2011-03-09 18:57 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-02-19 05:32 . 2011-03-09 18:57 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-02-10 19:24 . 2011-02-10 19:24 41984 ----a-w- c:\programdata\Microsoft\Windows\Start Menu\Programs\Phyxion.net\Driver Sweeper\~WebUpdateHelper.exe
2011-02-02 21:40 . 2010-06-04 19:47 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-02-02 17:11 . 2010-01-20 21:11 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-01-26 06:53 . 2011-02-09 10:38 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-26 06:53 . 2011-02-09 10:38 265088 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-01-26 06:31 . 2011-02-09 10:38 144384 ----a-w- c:\windows\system32\cdd.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-24_12.01.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 02:36 . 2011-04-24 11:57 628024 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-04-24 12:07 628024 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-04-24 12:07 110208 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-04-24 11:57 110208 c:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"SoftAuto.exe"="c:\program files (x86)\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Diamondback"="c:\program files (x86)\Razer\Diamondback 3G\razerhid.exe" [2009-10-12 226816]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:F *
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-13 136176]
R3 CTUPnPSv;Creative Centrale Media Server;c:\program files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [2008-05-21 64000]
R3 SysTool;SysTool Overclocking Utility;c:\windows\system32\DRIVERS\SysTool64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 SI3112r;SiI-3112 SATARaid Controller;c:\windows\system32\DRIVERS\SI3112r.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2010-11-03 135336]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-01-07 378984]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [x]
S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2009-11-23 127784]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [x]
S3 Razerlow;Razer Pro|Solutions;c:\windows\system32\drivers\DB3G.sys [x]
S3 RTCore64;RTCore64;c:\program files (x86)\EVGA Precision\RTCore64.sys [2011-01-17 14440]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-13 19:06]
.
2011-04-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-13 19:06]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.co.uk/
mLocal Page = c:\windows\SysWOW64\blank.htm
FF - ProfilePath - c:\users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2236794595-2926511892-2532432918-1001\Software\SecuROM\License information*]
"datasecu"=hex:02,02,de,f4,4a,6b,14,f5,54,f4,01,d7,8b,be,e9,c2,83,b7,c7,a3,c8,
da,54,84,b0,b0,72,3e,d6,fb,8d,2c,4e,2d,90,a8,b1,2d,7f,21,bb,b4,65,63,19,15,\
"rkeysecu"=hex:b5,c9,e5,f9,35,0d,12,cd,ec,89,f0,74,71,cf,e1,9d
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:8f,53,c3,60,95,91,37,e5,7e,cc,bd,1a,46,27,83,9c,bb,0e,c8,97,ba,
32,81,41,cf,97,36,ff,05,fb,fc,bf,ba,ba,38,0e,ba,85,89,72,4e,46,62,5b,5a,55,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:8f,53,c3,60,95,91,37,e5,7e,cc,bd,1a,46,27,83,9c,bb,0e,c8,97,ba,
32,81,41,cf,97,36,ff,05,fb,fc,bf,ba,ba,38,0e,ba,85,89,72,4e,46,62,5b,5a,55,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-04-24 13:43:27
ComboFix-quarantined-files.txt 2011-04-24 12:43
ComboFix2.txt 2011-04-24 12:03
.
Pre-Run: 735,549,444,096 bytes free
Post-Run: 735,245,930,496 bytes free
.
- - End Of File - - C23831C4C7078F72D0E7F598133E9D21


One more thing - I have tried KL-Detector, and it gives a warning, which I'll post below. I am thinking they may be false positives though, here's hoping:

KL-Detector has found a suspicious file:
C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\sessionstore-1.js

Please check; someone might have installed a keylogger on your computer!


You MAY want to take a look at:
C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\
C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\

FULL REPORT:

Below are some file operations that were done during the monitoring process.
Review them carefully and check for suspicious files.


C:\Windows\Prefetch\ReadyBoot\Trace4.fx
was created.

C:\Windows\Prefetch\ReadyBoot
was modified.

C:\Windows\Prefetch\ReadyBoot\Trace4.fx
was modified.

C:\Windows\Prefetch\ReadyBoot\ReadyBoot.etl
was removed.

C:\Windows\Prefetch\ReadyBoot
was modified.

C:\Windows\Prefetch\ReadyBoot
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\parent.lock
was created.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default
was modified.

C:\ProgramData\Spybot - Search & Destroy\ProcCache.sbc
was modified.

C:\ProgramData\Spybot - Search & Destroy\ProcCache.sbc
was modified.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\places.sqlite-wal
was created.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\places.sqlite-shm
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\sessionstore.bak
was removed.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\sessionstore.bak
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\urlclassifierkey3.txt
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\urlclassifier3.sqlite-journal
was removed.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\sessionstore-1.js
was created.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\sessionstore-1.js
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\sessionstore-1.js
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\sessionstore-1.js
was removed.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default
was modified.

C:\Windows\System32\wfp\wfpdiag.etl
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\cookies.sqlite-wal
was created.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\cookies.sqlite-shm
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\formhistory.sqlite-journal
was created.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\formhistory.sqlite-journal
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\formhistory.sqlite
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\formhistory.sqlite-journal
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\8\6E\117A2d01
was created.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\8\6E\117A2d01
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\permissions.sqlite-journal
was created.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\F
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\F\3B
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\F\3B\3B73Cd01
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\prefs-1.js
was created.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\prefs-1.js
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\prefs-1.js
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\prefs-1.js
was removed.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\3
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\3\56
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\3\56\9DC36d01
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\2
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\2\9A
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\2\9A\AE20Cd01
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\chromeappsstore.sqlite-journal
was created.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\chromeappsstore.sqlite-journal
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\chromeappsstore.sqlite
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\chromeappsstore.sqlite-journal
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default
was modified.

C:\Windows\temp\TMP000000019209460557ED9633
was created.

C:\Windows\temp\TMP000000019209460557ED9633
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\B
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\B\1B
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\B\1B\6B260d01
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\NoScriptSTS.db.tmp
was created.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\sessionstore-1.js
was created.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\sessionstore-1.js
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\sessionstore-1.js
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\sessionstore-1.js
was removed.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default
was modified.

C:\Windows\temp\TMP000000019209460557ED9633
was removed.

C:\ProgramData\Spybot - Search & Destroy\ProcCache.sbc
was modified.

C:\ProgramData\Spybot - Search & Destroy\ProcCache.sbc
was modified.

C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf
was modified.

C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\8
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\8\D5
was modified.

C:\Users\Steven\AppData\Local\Mozilla\Firefox\Profiles\ki2x551s.default\Cache\8\D5\67B03d01
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\sessionstore-1.js
was created.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\sessionstore-1.js
was modified.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\sessionstore-1.js
was removed.

C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default
was modified.

C:\Windows\System32\wdi\LogFiles\BootCKCL.etl
was modified.

C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}
was modified.

C:\Windows\System32\wdi\LogFiles\WdiContextLog.etl.001
was modified.

C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{bb5462db-61b4-4700-861a-a4fb6c8faf16}\snapshot.etl
was created.

C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{bb5462db-61b4-4700-861a-a4fb6c8faf16}\snapshot.etl
was modified.

C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{bb5462db-61b4-4700-861a-a4fb6c8faf16}\snapshot.etl
was modified.

C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{bb5462db-61b4-4700-861a-a4fb6c8faf16}\snapshot.etl
was modified.

C:\Windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
was modified.

C:\Windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
was modified.

C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2236794595-2926511892-2532432918-1001_UserData.bin
was modified.

C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2236794595-2926511892-2532432918-1001_UserData.bin
was modified.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
was modified.
Thanks again,

Gubar
 
Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\Users\Steven\AppData\Roaming\Mozilla\Firefox\Profiles\ki2x551s.default\sessionstore-1.js
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
 
I checked the folder and the file "sessionstore-1.js" was not there, though it was yesterday - is this possibly a temp file? The file "sessionstore.js" was there, scanned it and the result was good:

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name:
sessionstore.js
Submission date:
2011-04-24 15:55:15 (UTC)
Current status:
finished
Result:
0/ 42 (0.0%)

AhnLab-V3 2011.04.25.00 2011.04.24 -
AntiVir 7.11.6.253 2011.04.24 -
Antiy-AVL 2.0.3.7 2011.04.24 -
Avast 4.8.1351.0 2011.04.24 -
Avast5 5.0.677.0 2011.04.24 -
AVG 10.0.0.1190 2011.04.24 -
BitDefender 7.2 2011.04.24 -
CAT-QuickHeal 11.00 2011.04.24 -
ClamAV 0.97.0.0 2011.04.24 -
Commtouch 5.3.2.6 2011.04.23 -
Comodo 8459 2011.04.24 -
DrWeb 5.0.2.03300 2011.04.24 -
Emsisoft 5.1.0.5 2011.04.24 -
eSafe 7.0.17.0 2011.04.24 -
eTrust-Vet 36.1.8286 2011.04.22 -
F-Prot 4.6.2.117 2011.04.23 -
F-Secure 9.0.16440.0 2011.04.24 -
Fortinet 4.2.257.0 2011.04.24 -
GData 22 2011.04.24 -
Ikarus T3.1.1.103.0 2011.04.24 -
Jiangmin 13.0.900 2011.04.24 -
K7AntiVirus 9.98.4458 2011.04.23 -
Kaspersky 7.0.0.125 2011.04.24 -
McAfee 5.400.0.1158 2011.04.24 -
McAfee-GW-Edition 2010.1D 2011.04.23 -
Microsoft 1.6802 2011.04.24 -
NOD32 6067 2011.04.24 -
Norman 6.07.07 2011.04.24 -
Panda 10.0.3.5 2011.04.24 -
PCTools 7.0.3.5 2011.04.21 -
Prevx 3.0 2011.04.24 -
Rising 23.54.06.06 2011.04.24 -
Sophos 4.64.0 2011.04.24 -
SUPERAntiSpyware 4.40.0.1006 2011.04.24 -
Symantec 20101.3.2.89 2011.04.24 -
TheHacker 6.7.0.1.180 2011.04.23 -
TrendMicro 9.200.0.1012 2011.04.24 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.24 -
VBA32 3.12.16.0 2011.04.22 -
VIPRE 9106 2011.04.24 -
ViRobot 2011.4.23.4426 2011.04.24 -
VirusBuster 13.6.318.3 2011.04.23 -
Additional information
MD5 : 0285eae5fd69d47647236b448059332e
SHA1 : 65a5bf4c93026ec2d5ee2470a72440cb672a7346
SHA256: a260be6248f790f785a6dbcafad7ce3edfc7a412a9fbbd2cd316730bb8fb2a30

I also ran a "full" scan with malwarebytes, which came back clean, and trend's housecall online scan which was also clean.

Still a little wary after seeing that file with my logon details in it, though.

Thanks again,

g
 
So you reckon that my computer is safe again? Seems to be from the logs, as far as I can tell it's back to normal.

KL-Detector still gives warnings about temporary files in the address above, but I think they must be false positives: cookie files/sqlite files that update as you surf being detected as malicious.

If you reckon it looks clean I guess that's good enough for me - thanks for your help, this site is really cool :)

EDIT - sorry, meant to add that perhaps the keylogger virus was removed when it was first discovered (before I came here); still useful following these steps for peace of mind though.

cheers,

gubar
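The KL-Detector output posted earlier in the thread is just a stream of "path / was created|modified|removed." pairs, and the false-positive question above comes down to separating browser-profile and Windows-diagnostic churn from anything unexpected. The following triage script is an added example, not part of the thread or of KL-Detector; the sample log lines are constructed to mirror the format on this page, and the list of "expected noise" locations is an assumption chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in KL-Detector's own layout: a path line followed by a
# "was <event>." line. The last entry is a made-up path used only to show
# what an unexplained file looks like in the triage output.
SAMPLE_LOG = """\
C:\\Users\\Steven\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ki2x551s.default\\sessionstore-1.js
was created.

C:\\Users\\Steven\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ki2x551s.default\\sessionstore-1.js
was modified.

C:\\Users\\Steven\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\ki2x551s.default\\sessionstore-1.js
was removed.

C:\\Windows\\System32\\wdi\\LogFiles\\BootCKCL.etl
was modified.

C:\\Users\\Steven\\AppData\\Roaming\\UnknownApp\\log.txt
was modified.
"""

EVENT_RE = re.compile(r"^(?P<path>\S.*?)\r?\nwas (?P<event>created|modified|removed)\.$", re.M)

# Locations that churn constantly during normal browsing and boot (assumed
# allowlist, matched case-insensitively as substrings of the full path).
EXPECTED_PATTERNS = (
    "\\appdata\\roaming\\mozilla\\firefox\\profiles\\",
    "\\appdata\\local\\mozilla\\firefox\\profiles\\",
    "c:\\windows\\system32\\wdi\\",
    "c:\\windows\\system32\\winevt\\logs\\",
    "c:\\windows\\prefetch\\",
    "c:\\windows\\temp\\",
    "c:\\programdata\\spybot - search & destroy\\",
)

def parse_events(text):
    """Return (path, event) tuples from a KL-Detector style log, in log order."""
    return [(m.group("path"), m.group("event")) for m in EVENT_RE.finditer(text)]

def is_expected_noise(path):
    """True when the path sits in a location expected to change during normal use."""
    lowered = path.lower()
    return any(pattern in lowered for pattern in EXPECTED_PATTERNS)

def triage(text):
    """Group events per path; return (noise, review) dicts of path -> event list."""
    per_path = defaultdict(list)
    for path, event in parse_events(text):
        per_path[path].append(event)
    noise = {p: ev for p, ev in per_path.items() if is_expected_noise(p)}
    review = {p: ev for p, ev in per_path.items() if not is_expected_noise(p)}
    return noise, review

if __name__ == "__main__":
    noise, review = triage(SAMPLE_LOG)
    print(f"{len(noise)} path(s) explained as browser/system churn")
    for path, events in review.items():
        print("REVIEW:", path, "->", ", ".join(events))
```

Paths left in the review bucket are the ones worth submitting to VirusTotal, as the helper did with sessionstore-1.js; a path in the noise bucket is only dismissed, not proven clean, so the allowlist should stay short.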
 
Looks clean to me.
You may want to...

Clear your Java Cache

  • Go Start>Control Panel (Classic View)>Java
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - leave BOTH checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window.
    • Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
 
Done. Fingers crossed I'll see no more problems - thanks for your time, much appreciated,

Cheers,

gubar
 
You're very welcome
 