Inactive [Not curable - Ramnit] multi-infection?

adam88

Posts: 68   +0
Hi guys,

As per your instructions:


MBAM log



Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.04.08

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
Michael :: MICHAEL-PC [administrator]

5/12/2012 12:57:25 AM
mbam-log-2012-12-05 (00-57-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 277634
Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Delete on reboot.
HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 4
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Hijack.UserInit) -> Bad: (userinit.exe,,C:\Users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe) Good: (userinit.exe) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)






Attach.txt log:



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 3/07/2009 3:40:54 AM
System Uptime: 5/12/2012 1:04:12 AM (0 hours ago)
.
Motherboard: Dell Inc. | | 0W497D
Processor: Intel(R) Core(TM)2 Duo CPU P8700 @ 2.53GHz | U2E1 | 2533/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 451 GiB total, 18.136 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 9.219 GiB free.
E: is CDROM (CDFS)
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0004
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #4
PNP Device ID: ROOT\*ISATAP\0004
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0007
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #7
PNP Device ID: ROOT\*ISATAP\0007
Service: tunnel
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description:
Device ID: ROOT\IMAGE\0001
Manufacturer: Creative Technology Ltd.
Name: Creative Live! Camera
PNP Device ID: ROOT\IMAGE\0001
Service:
.
==== System Restore Points ===================
.
RP423: 4/12/2012 1:11:22 AM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
7-Zip 4.65
A-PDF Restrictions Remover 1.6
Adobe Acrobat 9 Pro - English, Français, Deutsch
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Advanced Audio FX Engine
Akamai NetSession Interface
Akamai NetSession Interface Service
Any Video Converter 3.1.8
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASDIP 4.1.0
ATI Catalyst Control Center
AVI ReComp 1.5.0
AviSynth 2.5
AVS Document Converter 2.0.1
AVS Update Manager 1.0
AVS4YOU Software Navigator 1.4
AZImage 2.5.1.0
B-LINE for Windows
BadCopy Pro
Bigasoft iPod Transfer 1.5.15.4023
Bonjour
calibre
Canon MG6100 series MP Drivers
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Navigator EX 4.0
Canon Solution Menu EX
Canon Utilities Digital Photo Professional 3.11
Canon Utilities EOS Utility
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities WFT Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CanoScan LiDE 210 Scanner Driver
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCleaner
Choice Guard
Compatibility Pack for the 2007 Office system
COWON Media Center - jetAudio Basic
Crane Demo
dBpoweramp [Calculate Audio CRC] Codec
dBpoweramp Dalet Codec
dBpoweramp DSP Effects
dBpoweramp FLAC Codec
dBpoweramp Monkeys Audio Codec
dBpoweramp Mp2 and BwfMp2 codec
dBpoweramp mp3 (Fraunhofer IIS) Codec
dBpoweramp Ogg Vorbis Codec
dBpoweramp Real Audio (Helix) Encoder
dBPoweramp tooLame MP2 codec
dBpoweramp Wave64 Codec
dBpoweramp WavPack Codec
Dell DataSafe Online
Dell Dock
Dell Driver Download Manager
Dell Edoc Viewer
Dell Getting Started Guide
Dell Support Center
Dell Touchpad
Dell Video Chat
Dell Webcam Central
Digital Photo Navigator 1.5
Document Express DjVu Plug-in
Driver Robot
Easy CD-DA Extractor 15
Easy CD-DA Extractor 2011
Everio MediaBrowser HD Edition
Exact Audio Copy 1.0beta3
FastAccess
FaxAmatic
FileZilla Client 3.5.3
FLOW-3D 10.0.1
foobar2000 v1.1.18
FormatFactory 2.60
Google Chrome
Google Update Helper
GoToAssist 8.0.0.514
HL-2270DW
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP-MPI 1.1
ImgBurn
ImTOO iPhone Transfer Platinum
Integrated Webcam Driver (1.06.03.0309)
Internet Download Manager
ISO Recorder
ITECIR Driver
iTunes
Java(TM) 6 Update 13
Junk Mail filter update
Learn Chinese 2008 6.1
Limcon V3
Live! Cam Avatar Creator
Malwarebytes Anti-Malware version 1.65.1.1000
Medieval CUE Splitter
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft HPC Pack 2008 R2 MS-MPI Redistributable Pack
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Works
Monkey's Audio
Mozilla Firefox 17.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Navman NavDesk 2008
NewsBin Pro
Nitro Pro 7
Nitro Pro 8
PowerDVD
PowerISO
QuickSet
QuickStores-Toolbar 1.1.0
QuickTime
Real Alternative 2.0.2
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Section Builder 8
Security Task Manager 1.8d
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Sentinel Protection Installer 7.6.1
Sentinel System Driver
Sizer 3.34
Skins
Skype Toolbars
Skype™ 5.1
SolveigMM AVI Trimmer
Sound Blaster X-Fi MB
SumatraPDF
The KMPlayer (remove only)
TitanLM
TomTom HOME 2.7.6.2056
TomTom HOME Visual Studio Merge Modules
tools-windows
Universal Document Converter (Demo)
Unlocker 1.9.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VBA (2720)
VietOCR3.NET
VIPRE Antivirus Premium
Visual C++ 2008 x86 Runtime - (v9.0.30729.4967)
Visual C++ 2008 x86 Runtime - v9.0.30729.4967
Visual Studio 2005 Tools for Office Second Edition Runtime
VLC media player 1.1.9
VMware Player
VMwarePlayer_x86
VobSub 2.23
Vodafone Mobile Connect Lite
WIDCOMM Bluetooth Software 6.2.0.6600
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
WinRAR archiver
Xilisoft Audio Maker
Xvid 1.2.2
.
==== End Of File ===========================





and dds log:


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.19088
Run by Michael at 1:06:02 on 2012-12-05
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.3036.1837 [GMT 8:00]
.
AV: Sunbelt VIPRE *Disabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Sunbelt VIPRE *Disabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
FW: Sunbelt VIPRE *Enabled* {86665057-352D-7810-313F-4F92DEFBC8FA}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\Sensible Vision\Fast Access\FASecFacX.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Sensible Vision\Fast Access\FATrayMon.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files\Browny02\Brother\BrStMonW.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Users\Michael\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Sensible Vision\Fast Access\FATrayAlert.exe
C:\Users\Michael\AppData\Local\Akamai\netsession_win.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Windows\system32\crypserv.exe
C:\Program Files\Sensible Vision\Fast Access\FAService.exe
C:\Program Files\Nitro PDF\Professional 7\NitroPDFDriverService2.exe
C:\Program Files\Nitro\Pro 8\NitroPDFDriverService8.exe
C:\Windows\system32\NLSSRV32.EXE
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\system32\vmnat.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Browny02\BrYNSvc.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/advanced_search?hl=en
mWinlogon: Userinit = userinit.exe,,c:\users\michael\appdata\local\qjxavwgy\yppmgwpp.exe
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - c:\program files\internet download manager\IDMIECC.dll
BHO: QuickStores-Toolbar: {10EDB994-47F8-43F7-AE96-F2EA63E9F90F} -
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FAIESSOHelper Class: {A2F122DA-055F-4df7-8F24-7354DBDBA85B} - c:\program files\sensible vision\fast access\FAIESSO.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: QuickStores-Toolbar: {10EDB994-47F8-43F7-AE96-F2EA63E9F90F} -
uRun: [Akamai NetSession Interface] "c:\users\michael\appdata\local\akamai\netsession_win.exe"
uRun: [YppMgwpp] c:\users\michael\appdata\local\qjxavwgy\yppmgwpp.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTAgent.exe" -autorun
mRun: [FAStartup] <no file>
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: Download with ImTOO iPhone Transfer Platinum - c:\program files\imtoo\iphone transfer platinum\upod_link.HTM
IE: Download with iphone-transfer-platinum - c:\program files\imtoo\iphone transfer platinum\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
LSP: %windir%\system32\vsocklib.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: Interfaces\{5992EEE3-B44D-4DEE-B664-3E499B7C733F} : DHCPNameServer = 203.21.112.40 202.81.67.132
TCP: Interfaces\{75B2985B-3C72-42E1-B639-B6445B4415B4} : DHCPNameServer = 10.1.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: FastAccess - c:\program files\sensible vision\fast access\FALogNot.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
LSA: Notification Packages = scecli FAPassSync
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\michael\appdata\roaming\mozilla\firefox\profiles\e63092ix.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?hl=en
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B8f5b8c32-7fea-4664-8705-00fd9e15844d%7D&mid=c2e66f00971347d0aa85200f89d047d7-6fba2f3aa6da7b384e30f188008b11f5f811bdce&ds=st011&v=11.0.0.9&lang=en&pr=sa&d=2012-05-19%2001%3A42%3A28&sap=ku&q=
FF - component: c:\users\michael\appdata\roaming\idm\idmmzcc5\components\idmmzcc.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.50826.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\nitro\pro 8\npdf.dll
FF - plugin: c:\program files\nitro\pro 8\npnitroie.dll
FF - plugin: c:\program files\nitro\pro 8\npnitromozilla.dll
FF - plugin: c:\program files\nitro\pro 8\NPShellExtension.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - ExtSQL: 2012-10-20 11:03; googledictionary@toptip.ca; c:\users\michael\appdata\roaming\mozilla\firefox\profiles\e63092ix.default\extensions\googledictionary@toptip.ca.xpi
FF - ExtSQL: 2012-11-19 17:14; {5384767E-00D9-40E9-B72F-9CC39D655D6F}; c:\users\michael\appdata\roaming\mozilla\firefox\profiles\e63092ix.default\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}
FF - ExtSQL: !HIDDEN! 2009-07-13 16:31; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [2012-7-6 71152]
R0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys [2012-10-11 61296]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-5-15 233024]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2011-6-18 221784]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-4-29 101720]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-7-19 202928]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_f6ef8056\AEstSrv.exe [2009-7-3 81920]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-7-3 180224]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-19 155648]
R2 FAService;FAService;c:\program files\sensible vision\fast access\FAService.exe [2008-9-6 2340096]
R2 IDMWFP;IDMWFP;c:\windows\system32\drivers\idmwfp.sys [2012-11-21 100216]
R2 NitroDriverReadSpool2;NitroPDFDriverCreatorReadSpool2;c:\program files\nitro pdf\professional 7\NitroPDFDriverService2.exe [2012-4-12 175624]
R2 NitroDriverReadSpool8;NitroPDFDriverCreatorReadSpool8;c:\program files\nitro\pro 8\NitroPDFDriverService8.exe [2012-10-23 196616]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NLSSRV32.EXE [2012-4-12 69640]
R2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2011-5-11 2804280]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-5-11 74968]
R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2011-5-11 181584]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2009-9-17 369952]
R2 SentinelSecurityRuntime;Sentinel Security Runtime;c:\program files\common files\safenet sentinel\sentinel security runtime\sntlsrtsrvr.exe [2009-9-17 292128]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2009-9-18 9216]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2012-8-1 719512]
R3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2012-11-23 245760]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-7-3 144128]
R3 FACAP;facap, FastAccess Video Capture;c:\windows\system32\drivers\facap.sys [2008-8-3 230912]
R3 hcw17bda;Hauppauge SMS1000-based;c:\windows\system32\drivers\hcw17bda.sys [2009-7-3 44288]
R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-7-3 203264]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-7-3 3662848]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-3-6 133632]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-3-8 280096]
R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2009-7-19 69208]
S2 TitanLM;TitanLM;c:\program files\titanlm\titanLM.exe [2011-2-3 326656]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-7-3 29736]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-7-3 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-7-3 79360]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2009-7-23 112128]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2009-7-23 100736]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-4 22856]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2012-4-11 21744]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2009-7-19 69208]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2011-6-18 94040]
S3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;c:\program files\common files\creative labs shared\service\XMBLicensing.exe [2009-7-3 79360]
.
=============== File Associations ===============
.
FileExt: .scr: AutoCADScriptFile=c:\windows\system32\notepad.exe "%1"
FileExt: .txt: Applications\wordpad.exe="c:\program files\windows nt\accessories\WORDPAD.EXE" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2012-12-04 07:03:17 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-04 02:53:53 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-04 02:53:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-03 14:34:03 -------- d-----w- c:\users\michael\appdata\roaming\Musue
2012-12-03 14:34:03 -------- d-----w- c:\users\michael\appdata\roaming\Ivzaqa
2012-12-03 14:34:03 -------- d-----w- c:\users\michael\appdata\roaming\Ewzyn
2012-11-29 12:03:26 -------- d-----w- c:\users\michael\appdata\roaming\foobar2000
2012-11-29 12:03:17 -------- d-----w- c:\program files\foobar2000
2012-11-27 07:29:19 -------- d-----w- c:\users\michael\appdata\roaming\FFSJ
2012-11-23 08:53:41 -------- d-----w- C:\Brother
2012-11-23 08:53:32 -------- d-----w- c:\program files\Browny02
2012-11-23 08:53:26 5120 ------w- c:\windows\system32\BrDctF2L.dll
2012-11-23 08:53:26 217088 ------w- c:\windows\system32\NSSearch.dll
2012-11-23 08:53:25 73728 ------w- c:\windows\system32\BrDctF2.dll
2012-11-23 08:53:25 2560 ------w- c:\windows\system32\BrDctF2S.dll
2012-11-23 08:53:25 -------- d-----w- c:\program files\Brother
2012-11-21 13:02:36 100216 ----a-w- c:\windows\system32\drivers\idmwfp.sys
2012-11-20 06:38:28 -------- d-----w- c:\programdata\Windows
.
==================== Find3M ====================
.
2012-10-23 05:51:36 18440 ----a-w- c:\windows\system32\nitrolocalui2.dll
2012-10-01 05:05:41 4779592 ----a-w- c:\windows\system32\SpoonUninstall.exe
2012-05-25 01:09:07 3993600 ----a-w- c:\program files\GUT23C6.tmp
2009-07-10 04:39:00 350720 ----a-w- c:\program files\hjsplit.exe
.
============= FINISH: 1:07:59.16 ===============




Thanks in advance, I can't cope with these problems.
Even though all (6 ?) threats are removed by MBAM, they do re-appear after the computer is rebooted
 
Welcome aboard
yahooo.gif


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

====================================

  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

===============================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
Re aswMBR.exe

After I run it and then authorize the download of latest Avast definitions, the "Scan' button remains not active (it is 10 mins now)
 
Actually aswMBR started downloading Avast definitions now, after 18 minutes of waiting (?)
 
My PC crashed during aswMBR scan, restarting now (Normal mode)
I am just about to turn in, will be back in 5 hrs :)
 
Btw, shall I run RogueKiller and aswMBR again - after the PC restarted in the normal mode?
 
Here it is, pre-crash scan
I will do the other scan in the morning, ca 4pm PST




RogueKiller V8.3.1 [Dec 2 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Normal mode
User : Michael [Admin rights]
Mode : Remove -- Date : 12/05/2012 02:21:53

¤¤¤ Bad processes : 2 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 14 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : YppMgwpp (C:\Users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe) -> DELETED
[SHELL][SUSP PATH] HKLM\[...]\Winlogon : Userinit (userinit.exe,,C:\Users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe) -> REPLACED (C:\Windows\system32\userinit.exe,)
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[64] : NtCreateKey @ 0x825FB0EF -> HOOKED (\??\C:\Users\Michael\AppData\Local\Temp\geqwjtlc.sys @ 0xA1DE46AC)
SSDT[65] : NtCreateKeyTransacted @ 0x8258F79F -> HOOKED (\??\C:\Users\Michael\AppData\Local\Temp\geqwjtlc.sys @ 0xA1DE4708)
SSDT[189] : NtOpenKey @ 0x82628683 -> HOOKED (\??\C:\Users\Michael\AppData\Local\Temp\geqwjtlc.sys @ 0xA1DE4562)
SSDT[190] : NtOpenKeyTransacted @ 0x8258F744 -> HOOKED (\??\C:\Users\Michael\AppData\Local\Temp\geqwjtlc.sys @ 0xA1DE4604)

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500420ASG ATA Device +++++
--- User ---
[MBR] fe772ccb31b6ab66fb48cc3f7151239c
[BSP] ef385a468be39c6eef7786f3da1d26ae : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 15000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30800325 | Size: 461899 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Kingston DT 101 II USB Device +++++
--- User ---
[MBR] ded882b57f0e9088e50888bc632960cf
[BSP] ec038f3ca5091360f60d743d6f1c7fdb : Standard MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 1080 | Size: 3821 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_12052012_02d0221.txt >>
RKreport[1]_S_12052012_02d0221.txt ; RKreport[2]_D_12052012_02d0221.txt
 
I have restarted the PC in safe mode, here's the log for RogueKiller

(aswMBR scan is still underway)


RogueKiller V8.3.1 [Dec 2 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : https://www.techspot.com/downloads/5562-roguekiller.html
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Safe mode
User : Michael [Admin rights]
Mode : Remove -- Date : 12/05/2012 07:38:00

¤¤¤ Bad processes : 3 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SUSP PATH] HelpPane.exe -- C:\Windows\HelpPane.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : YppMgwpp (C:\Users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe) -> DELETED
[SHELL][SUSP PATH] HKLM\[...]\Winlogon : Userinit (C:\Windows\system32\userinit.exe,,C:\Users\Michael\AppData\Local\Temp\qunklyrv.exe,C:\Users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe) -> REPLACED (C:\Windows\system32\userinit.exe,)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9500420ASG ATA Device +++++
--- User ---
[MBR] fe772ccb31b6ab66fb48cc3f7151239c
[BSP] ef385a468be39c6eef7786f3da1d26ae : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 15000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 30800325 | Size: 461899 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[4]_D_12052012_02d0738.txt >>
RKreport[1]_S_12052012_02d0221.txt ; RKreport[2]_D_12052012_02d0221.txt ; RKreport[3]_S_12052012_02d0737.txt ; RKreport[4]_D_12052012_02d0738.txt
 
... and here's the aswMBR log:

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-05 07:40:28
-----------------------------
07:40:28.766 OS Version: Windows 6.0.6001 Service Pack 1
07:40:28.766 Number of processors: 2 586 0x170A
07:40:28.766 ComputerName: MICHAEL-PC UserName: Michael
07:41:01.589 Initialize success
07:41:15.972 AVAST engine defs: 12120400
07:41:29.466 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
07:41:29.466 Disk 0 Vendor: ST9500420ASG 0002SDM1 Size: 476940MB BusType: 3
07:41:29.513 Disk 0 MBR read successfully
07:41:29.513 Disk 0 MBR scan
07:41:29.513 Disk 0 Windows VISTA default MBR code
07:41:29.513 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
07:41:29.528 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15000 MB offset 80325
07:41:29.544 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 461899 MB offset 30800325
07:41:29.559 Disk 0 scanning sectors +976771120
07:41:29.669 Disk 0 scanning C:\Windows\system32\drivers
07:41:42.414 Service scanning
07:42:06.329 Modules scanning
07:42:09.199 Disk 0 trace - called modules:
07:42:09.215 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys
07:42:09.215 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85716340]
07:42:09.215 3 CLASSPNP.SYS[8a5ab745] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8571f8a8]
07:42:11.898 AVAST engine scan C:\Windows
07:42:18.044 AVAST engine scan C:\Windows\system32
07:46:05.087 AVAST engine scan C:\Windows\system32\drivers
07:46:33.073 AVAST engine scan C:\Users\Michael
07:47:27.673 File: C:\Users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe **INFECTED** Win32:Kryptik-KUG [Trj]
07:47:30.153 File: C:\Users\Michael\AppData\Local\Temp\qunklyrv.exe **INFECTED** Win32:Kryptik-KUG [Trj]
07:47:30.715 File: C:\Users\Michael\AppData\Local\Temp\yppmgwpp.exe **INFECTED** Win32:Kryptik-KUG [Trj]
07:48:42.709 Disk 0 MBR has been saved successfully to "C:\Users\Michael\Desktop\Logs\MBR.dat"
07:48:42.740 The log file has been saved successfully to "C:\Users\Michael\Desktop\Logs\aswMBR.txt"
07:49:24.330 File: C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yppmgwpp.exe **INFECTED** Win32:Kryptik-KUG [Trj]
08:23:00.177 AVAST engine scan C:\ProgramData
08:29:17.729 Scan finished successfully
08:34:15.314 Disk 0 MBR has been saved successfully to "C:\Users\Michael\Desktop\Logs\MBR.dat"
08:34:15.345 The log file has been saved successfully to "C:\Users\Michael\Desktop\Logs\aswMBR.txt"
08:34:40.898 Disk 0 MBR has been saved successfully to "H:\klopot z wirusem\Logs\MBR.dat"
08:34:40.914 The log file has been saved successfully to "H:\klopot z wirusem\Logs\aswMBR.txt"
 
Create new restore point before proceeding with the next step....
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

=============================

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If the connection is not there use restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
 
Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/05/2012 09:49:30 AM in x86 mode.
Windows Version: Windows Vista (TM) Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* Base Filtering Engine (BFE) is not Running.
Startup Type set to: Automatic

* DHCP Client (Dhcp) is not Running.
Startup Type set to: Automatic

* DNS Client (Dnscache) is not Running.
Startup Type set to: Automatic

* COM+ Event System (EventSystem) is not Running.
Startup Type set to: Automatic

* Network Connections (Netman) is not Running.
Startup Type set to: Manual

* Network Store Interface Service (nsi) is not Running.
Startup Type set to: Automatic

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Disabled

* Windows Update (wuauserv) is not Running.
Startup Type set to: Disabled

* Ancilliary Function Driver for Winsock (AFD) is not Running.
Startup Type set to: System

* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual

* NETBT (NetBT) is not Running.
Startup Type set to: System

* NSI proxy service (nsiproxy) is not Running.
Startup Type set to: System

* TCP/IP Protocol Driver (Tcpip) is not Running.
Startup Type set to: System

* NetIO Legacy TDI Support Driver (tdx) is not Running.
Startup Type set to: System

* ALG [Missing Service]
* MpsSvc [Missing Service]
* wscsvc [Missing Service]

* SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost
::1 localhost

Program finished at: 12/05/2012 09:49:41 AM
Execution time: 0 hours(s), 0 minute(s), and 11 seconds(s)













ComboFix 12-12-04.01 - Michael 05/12/2012 9:55.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.3036.2325 [GMT 8:00]
Running from: c:\users\Michael\Desktop\your_name.exe
AV: Sunbelt VIPRE *Disabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
FW: Sunbelt VIPRE *Enabled* {86665057-352D-7810-313F-4F92DEFBC8FA}
SP: Sunbelt VIPRE *Disabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
ADS - Windows: deleted 256 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Windows
c:\program files\Mozilla Firefox\components\AskHPRFF.js
c:\users\Michael\AppData\Local\.#
c:\users\Michael\AppData\Local\avcicvkj.log
c:\users\Michael\AppData\Local\bmjvusrj.log
c:\users\Michael\AppData\Local\cjylsara.log
c:\users\Michael\AppData\Local\ffwdeobe.log
c:\users\Michael\AppData\Local\mldjvlsa.log
c:\users\Michael\AppData\Local\oetgfkwd.log
c:\users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe
c:\users\Michael\AppData\Local\ssmvktwb.log
c:\users\Michael\AppData\Local\vvfhnsqg.log
c:\users\Michael\AppData\Roaming\Ivzaqa
c:\users\Michael\AppData\Roaming\Ivzaqa\yhihi.exe
c:\users\Michael\AppData\Roaming\Microsoft\Windows\Recent\Matlab Guide.pdf
c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDD Repair
c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDD Repair\HDD Repair.lnk
c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDD Repair\Uninstall HDD Repair.lnk
c:\users\Michael\AppData\Roaming\Musue
c:\users\Michael\AppData\Roaming\Musue\qeyv.elo
c:\windows\system32\nitrolocalmon2.dll
c:\windows\system32\winsusrm.dll
c:\windows\system32\winsusrx.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
.
.
((((((((((((((((((((((((( Files Created from 2012-11-05 to 2012-12-05 )))))))))))))))))))))))))))))))
.
.
2012-12-05 02:22 . 2012-12-05 02:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-05 02:22 . 2012-12-05 02:22 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-12-05 02:22 . 2012-12-05 02:22 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-12-05 02:22 . 2012-12-05 02:22 -------- d-----w- c:\users\Michael\AppData\Local\temp
2012-12-05 02:22 . 2012-12-05 02:22 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-12-05 00:50 . 2012-12-05 00:50 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-12-04 23:33 . 2012-12-04 23:33 14336 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-12-04 07:03 . 2012-12-04 07:06 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-04 02:53 . 2012-12-04 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-04 02:53 . 2012-09-29 11:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-03 14:34 . 2012-12-03 14:34 -------- d-----w- c:\users\Michael\AppData\Roaming\Ewzyn
2012-12-02 13:12 . 2012-12-05 02:20 -------- d-----w- c:\users\Michael\AppData\Local\qjxavwgy
2012-12-02 13:12 . 2012-12-02 13:12 102176 --s---w- c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yppmgwpp.exe
2012-11-29 12:03 . 2012-11-30 01:48 -------- d-----w- c:\users\Michael\AppData\Roaming\foobar2000
2012-11-29 12:03 . 2012-11-29 12:06 -------- d-----w- c:\program files\foobar2000
2012-11-27 07:29 . 2012-11-27 07:29 -------- d-----w- c:\users\Michael\AppData\Roaming\FFSJ
2012-11-23 08:53 . 2012-11-23 08:53 -------- d-----w- C:\Brother
2012-11-23 08:53 . 2012-11-23 08:53 -------- d-----w- c:\program files\Browny02
2012-11-23 08:53 . 2010-08-02 12:57 217088 ------w- c:\windows\system32\NSSearch.dll
2012-11-23 08:53 . 2007-12-13 14:16 5120 ------w- c:\windows\system32\BrDctF2L.dll
2012-11-23 08:53 . 2012-11-23 08:53 -------- d-----w- c:\program files\Brother
2012-11-23 08:53 . 2010-03-15 11:56 2560 ------w- c:\windows\system32\BrDctF2S.dll
2012-11-23 08:53 . 2010-03-15 11:45 73728 ------w- c:\windows\system32\BrDctF2.dll
2012-11-21 13:02 . 2012-11-22 00:43 100216 ----a-w- c:\windows\system32\drivers\idmwfp.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-23 05:51 . 2012-04-17 16:32 18440 ----a-w- c:\windows\system32\nitrolocalui2.dll
2012-10-01 05:05 . 2009-12-23 12:54 4779592 ----a-w- c:\windows\system32\SpoonUninstall.exe
2012-05-25 01:09 . 2012-05-25 01:09 3993600 ----a-w- c:\program files\GUT23C6.tmp
2009-07-10 04:39 . 2009-07-10 04:39 350720 ----a-w- c:\program files\hjsplit.exe
2012-12-01 14:16 . 2012-12-01 14:16 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-11-15 23:07 21904 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\Michael\AppData\Local\Akamai\netsession_win.exe" [2012-05-25 4327744]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-10-26 3540416]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2011-03-17 842048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FATrayAlert"="c:\program files\Sensible Vision\Fast Access\FATrayMon.exe" [2008-09-05 95488]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-07-29 128296]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-09-18 2412032]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-01-09 405639]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-04-09 1762032]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-29 483428]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-11-20 1422632]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2011-05-11 1353040]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-11 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-28 1316192]
.
c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
yppmgwpp.exe [2012-12-2 102176]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-28 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FastAccess]
2008-09-05 22:16 140544 ----a-w- c:\program files\Sensible Vision\Fast Access\FALogNot.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-03 01:04 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli FAPassSync
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Camera Monitor HD.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Camera Monitor HD.lnk
backup=c:\windows\pss\Camera Monitor HD.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Michael^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Michael^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^FaxAmatic.lnk]
path=c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FaxAmatic.lnk
backup=c:\windows\pss\FaxAmatic.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-01 15:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2008-12-03 03:41 3882312 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLLEntry]
2008-12-17 20:07 14848 ------w- c:\windows\System32\AmbRunE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-01-26 09:05 15026056 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-04-23 03:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-08-24 09:38 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-08 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.2.0.5\DriverRobot.exe [2009-12-20 09:29]
.
2012-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-21 09:32]
.
2012-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-21 09:32]
.
2012-11-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 02:12]
.
2012-08-29 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 02:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/advanced_search?hl=en
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Download with ImTOO iPhone Transfer Platinum - c:\program files\ImTOO\iPhone Transfer Platinum\upod_link.HTM
IE: Download with iphone-transfer-platinum - c:\program files\ImTOO\iPhone Transfer Platinum\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath -
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
HKCU-Run-YppMgwpp - c:\users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe
HKLM-Run-FAStartup - (no file)
SafeBoot-10196708.sys
SafeBoot-23227816.sys
MSConfigStartUp-RocketDock - c:\program files\RocketDock\RocketDock.exe
MSConfigStartUp-Uwquwe - c:\users\Michael\AppData\Roaming\Ivzaqa\yhihi.exe
MSConfigStartUp-YppMgwpp - c:\users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe
AddRemove-FaxAmatic - c:\faxmatic\faxasx.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-05 10:31
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\Michael\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-99913640-511744193-596132334-1000_Classes\CLSID\{62b5815b-3aff-4c89-b0a2-6a4cb4336d6a}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000005f
"Therad"=dword:00000022
"MData"=hex(0):5d,3a,76,a6,e3,fe,72,b9,b9,9b,74,3f,a4,5c,0f,51,4d,10,4e,4e,e4,
a1,1f,6f,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-99913640-511744193-596132334-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):4c,e2,3a,83,71,93,ed,db,b5,94,ad,bd,b4,2e,eb,fa,68,74,29,fb,a6,
1d,cf,24,e5,61,bd,81,f8,99,be,8e,14,d3,19,18,2e,a5,d7,1e,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\FAPassSync.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atiesrxx.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\atieclxx.exe
c:\program files\Sensible Vision\Fast Access\FASecFacX.exe
c:\program files\Dell\DellDock\DockLogin.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\crypserv.exe
c:\program files\Sensible Vision\Fast Access\FAService.exe
c:\program files\Nitro PDF\Professional 7\NitroPDFDriverService2.exe
c:\program files\Nitro\Pro 8\NitroPDFDriverService8.exe
c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\WUDFHost.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-12-05 10:33:30 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-05 02:32
.
Pre-Run: 26,242,670,592 bytes free
Post-Run: 23,841,783,808 bytes free
.
- - End Of File - - C3272B3B09EDFA91705DA80CF9074D70
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yppmgwpp.exe

Folder::
c:\users\Michael\AppData\Roaming\Ewzyn
c:\users\Michael\AppData\Local\qjxavwgy

DDS::
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
ComboFix 12-12-04.01 - Michael 05/12/2012 10:59:10.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.3036.1916 [GMT 8:00]
Running from: c:\users\Michael\Desktop\your_name.exe
Command switches used :: c:\users\Michael\Desktop\CFScript.txt
AV: Sunbelt VIPRE *Disabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
FW: Sunbelt VIPRE *Enabled* {86665057-352D-7810-313F-4F92DEFBC8FA}
SP: Sunbelt VIPRE *Disabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yppmgwpp.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Michael\AppData\Local\qjxavwgy
c:\users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe
c:\users\Michael\AppData\Roaming\Ewzyn
c:\users\Michael\AppData\Roaming\Ewzyn\ibxa.abh
c:\users\Michael\AppData\Roaming\Ewzyn\ibxa.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2012-11-05 to 2012-12-05 )))))))))))))))))))))))))))))))
.
.
2012-12-05 03:10 . 2012-12-05 03:10 -------- d-----w- c:\users\Michael\AppData\Local\qjxavwgy
2012-12-05 03:05 . 2012-12-05 03:10 -------- d-----w- c:\users\Michael\AppData\Local\temp
2012-12-05 03:05 . 2012-12-05 03:05 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-12-05 03:05 . 2012-12-05 03:05 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-12-05 03:05 . 2012-12-05 03:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-05 03:05 . 2012-12-05 03:05 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-12-04 23:33 . 2012-12-04 23:33 14336 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-12-04 07:03 . 2012-12-04 07:06 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-04 02:53 . 2012-12-04 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-04 02:53 . 2012-09-29 11:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-29 12:03 . 2012-11-30 01:48 -------- d-----w- c:\users\Michael\AppData\Roaming\foobar2000
2012-11-29 12:03 . 2012-11-29 12:06 -------- d-----w- c:\program files\foobar2000
2012-11-27 07:29 . 2012-11-27 07:29 -------- d-----w- c:\users\Michael\AppData\Roaming\FFSJ
2012-11-23 08:53 . 2012-11-23 08:53 -------- d-----w- C:\Brother
2012-11-23 08:53 . 2012-11-23 08:53 -------- d-----w- c:\program files\Browny02
2012-11-23 08:53 . 2010-08-02 12:57 217088 ------w- c:\windows\system32\NSSearch.dll
2012-11-23 08:53 . 2007-12-13 14:16 5120 ------w- c:\windows\system32\BrDctF2L.dll
2012-11-23 08:53 . 2012-11-23 08:53 -------- d-----w- c:\program files\Brother
2012-11-23 08:53 . 2010-03-15 11:56 2560 ------w- c:\windows\system32\BrDctF2S.dll
2012-11-23 08:53 . 2010-03-15 11:45 73728 ------w- c:\windows\system32\BrDctF2.dll
2012-11-21 13:02 . 2012-11-22 00:43 100216 ----a-w- c:\windows\system32\drivers\idmwfp.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-23 05:51 . 2012-04-17 16:32 18440 ----a-w- c:\windows\system32\nitrolocalui2.dll
2012-10-01 05:05 . 2009-12-23 12:54 4779592 ----a-w- c:\windows\system32\SpoonUninstall.exe
2012-05-25 01:09 . 2012-05-25 01:09 3993600 ----a-w- c:\program files\GUT23C6.tmp
2009-07-10 04:39 . 2009-07-10 04:39 350720 ----a-w- c:\program files\hjsplit.exe
2012-12-01 14:16 . 2012-12-01 14:16 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-11-15 23:07 21904 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\Michael\AppData\Local\Akamai\netsession_win.exe" [2012-05-25 4327744]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-10-26 3540416]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2011-03-17 842048]
"YppMgwpp"="c:\users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FATrayAlert"="c:\program files\Sensible Vision\Fast Access\FATrayMon.exe" [2008-09-05 95488]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-07-29 128296]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-09-18 2412032]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-01-09 405639]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-04-09 1762032]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-29 483428]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-11-20 1422632]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2011-05-11 1353040]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-11 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"FAStartup"="" [BU]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-28 1316192]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-28 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FastAccess]
2008-09-05 22:16 140544 ----a-w- c:\program files\Sensible Vision\Fast Access\FALogNot.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-03 01:04 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli FAPassSync
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Camera Monitor HD.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Camera Monitor HD.lnk
backup=c:\windows\pss\Camera Monitor HD.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Michael^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Michael^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^FaxAmatic.lnk]
path=c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FaxAmatic.lnk
backup=c:\windows\pss\FaxAmatic.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-01 15:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2008-12-03 03:41 3882312 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLLEntry]
2008-12-17 20:07 14848 ------w- c:\windows\System32\AmbRunE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-01-26 09:05 15026056 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-04-23 03:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-08-24 09:38 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-08 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.2.0.5\DriverRobot.exe [2009-12-20 09:29]
.
2012-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-21 09:32]
.
2012-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-21 09:32]
.
2012-11-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 02:12]
.
2012-08-29 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 02:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/advanced_search?hl=en
uInternet Settings,ProxyOverride = <local>
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Download with ImTOO iPhone Transfer Platinum - c:\program files\ImTOO\iPhone Transfer Platinum\upod_link.HTM
IE: Download with iphone-transfer-platinum - c:\program files\ImTOO\iPhone Transfer Platinum\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 10.1.1.1
FF - ProfilePath -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-05 11:10
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-99913640-511744193-596132334-1000_Classes\CLSID\{62b5815b-3aff-4c89-b0a2-6a4cb4336d6a}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000005f
"Therad"=dword:00000022
"MData"=hex(0):5d,3a,76,a6,e3,fe,72,b9,b9,9b,74,3f,a4,5c,0f,51,4d,10,4e,4e,e4,
a1,1f,6f,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-99913640-511744193-596132334-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):4c,e2,3a,83,71,93,ed,db,b5,94,ad,bd,b4,2e,eb,fa,68,74,29,fb,a6,
1d,cf,24,e5,61,bd,81,f8,99,be,8e,14,d3,19,18,2e,a5,d7,1e,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\FAPassSync.dll
.
- - - - - - - > 'Explorer.exe'(4352)
c:\program files\Unlocker\UnlockerHook.dll
c:\program files\Internet Download Manager\idmmkb.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atiesrxx.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Dell\DellDock\DockLogin.exe
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\crypserv.exe
c:\program files\Sensible Vision\Fast Access\FAService.exe
c:\program files\Nitro PDF\Professional 7\NitroPDFDriverService2.exe
c:\program files\Nitro\Pro 8\NitroPDFDriverService8.exe
c:\windows\system32\NLSSRV32.EXE
c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\windows\system32\vmnat.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe
c:\windows\ehome\ehsched.exe
c:\windows\ehome\ehRecvr.exe
c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Browny02\BrYNSvc.exe
c:\program files\Internet Download Manager\IEMonitor.exe
c:\windows\system32\WUDFHost.exe
.
**************************************************************************
.
Completion time: 2012-12-05 11:15:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-05 03:15
ComboFix2.txt 2012-12-05 02:33
.
Pre-Run: 23,932,235,776 bytes free
Post-Run: 27,073,773,568 bytes free
.
- - End Of File - - 0031A25B1EC98B49DD7F5D1F0B18E577
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YppMgwpp"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
I am not now allowed to drag the CFScript.txt into your_name ( I have been (consequently) using it as directed since ComboFix.exe did not want to run):


C:\Users\Michae;\Desktop\your_name.exe
Illegal operation attempted on a registry key that has been marked for deletion



(I did not have any problems with dragging the CFScript.exe in the previous step though)
 
I actually cannot start FF, Acrobat, IE or ANY other program I randomly picked, for the same reason

eg C:\Program Files\appl_folder\appl_file.exe
Illegal operation attempted on a registry key that has been marked for deletion
 
Also, when I try to run MS Word what I get is:

This file does not have a program associated with it for performing this action.
Create an association in the Set Associations control panel.
 
If you looked at my instructions...
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
 
ComboFix 12-12-04.01 - Michael 06/12/2012 0:39.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.3036.1884 [GMT 8:00]
Running from: c:\users\Michael\Desktop\your_name.exe
Command switches used :: c:\users\Michael\Desktop\CFScript.txt
AV: Sunbelt VIPRE *Disabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
FW: Sunbelt VIPRE *Enabled* {86665057-352D-7810-313F-4F92DEFBC8FA}
SP: Sunbelt VIPRE *Disabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Michael\AppData\Local\bmjvusrj.log
c:\users\Michael\AppData\Local\cjylsara.log
c:\users\Michael\AppData\Local\ffwdeobe.log
c:\users\Michael\AppData\Local\mldjvlsa.log
c:\users\Michael\AppData\Local\oetgfkwd.log
c:\users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe
c:\users\Michael\AppData\Local\ssmvktwb.log
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2012-11-05 to 2012-12-05 )))))))))))))))))))))))))))))))
.
.
2012-12-05 16:51 . 2012-12-05 16:54 -------- d-----w- c:\users\Michael\AppData\Local\temp
2012-12-05 16:51 . 2012-12-05 16:51 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-12-05 16:51 . 2012-12-05 16:51 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-12-05 16:51 . 2012-12-05 16:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-05 16:51 . 2012-12-05 16:51 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-12-05 03:10 . 2012-12-05 16:53 -------- d-----w- c:\users\Michael\AppData\Local\qjxavwgy
2012-12-04 23:33 . 2012-12-04 23:33 14336 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-12-04 07:03 . 2012-12-04 07:06 -------- d-----w- C:\TDSSKiller_Quarantine
2012-12-04 02:53 . 2012-12-04 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-04 02:53 . 2012-09-29 11:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-29 12:03 . 2012-11-30 01:48 -------- d-----w- c:\users\Michael\AppData\Roaming\foobar2000
2012-11-29 12:03 . 2012-11-29 12:06 -------- d-----w- c:\program files\foobar2000
2012-11-27 07:29 . 2012-11-27 07:29 -------- d-----w- c:\users\Michael\AppData\Roaming\FFSJ
2012-11-23 08:53 . 2012-11-23 08:53 -------- d-----w- C:\Brother
2012-11-23 08:53 . 2012-11-23 08:53 -------- d-----w- c:\program files\Browny02
2012-11-23 08:53 . 2010-08-02 12:57 217088 ------w- c:\windows\system32\NSSearch.dll
2012-11-23 08:53 . 2007-12-13 14:16 5120 ------w- c:\windows\system32\BrDctF2L.dll
2012-11-23 08:53 . 2012-11-23 08:53 -------- d-----w- c:\program files\Brother
2012-11-23 08:53 . 2010-03-15 11:56 2560 ------w- c:\windows\system32\BrDctF2S.dll
2012-11-23 08:53 . 2010-03-15 11:45 73728 ------w- c:\windows\system32\BrDctF2.dll
2012-11-21 13:02 . 2012-11-22 00:43 100216 ----a-w- c:\windows\system32\drivers\idmwfp.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-23 05:51 . 2012-04-17 16:32 18440 ----a-w- c:\windows\system32\nitrolocalui2.dll
2012-10-01 05:05 . 2009-12-23 12:54 4779592 ----a-w- c:\windows\system32\SpoonUninstall.exe
2012-05-25 01:09 . 2012-05-25 01:09 3993600 ----a-w- c:\program files\GUT23C6.tmp
2009-07-10 04:39 . 2009-07-10 04:39 350720 ----a-w- c:\program files\hjsplit.exe
2012-12-01 14:16 . 2012-12-01 14:16 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-11-15 23:07 21904 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\Michael\AppData\Local\Akamai\netsession_win.exe" [2012-05-25 4327744]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-10-26 3540416]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2011-03-17 842048]
"YppMgwpp"="c:\users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe" [2012-12-05 102176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FATrayAlert"="c:\program files\Sensible Vision\Fast Access\FATrayMon.exe" [2008-09-05 95488]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-07-29 128296]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-09-18 2412032]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-01-09 405639]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-04-09 1762032]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-29 483428]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-11-20 1422632]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2011-05-11 1353040]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-11 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"FAStartup"="" [BU]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-28 1316192]
.
c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
yppmgwpp.exe [2012-12-2 102176]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-28 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FastAccess]
2008-09-05 22:16 140544 ----a-w- c:\program files\Sensible Vision\Fast Access\FALogNot.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-07-03 01:04 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli FAPassSync
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Camera Monitor HD.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Camera Monitor HD.lnk
backup=c:\windows\pss\Camera Monitor HD.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Michael^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Michael^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^FaxAmatic.lnk]
path=c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FaxAmatic.lnk
backup=c:\windows\pss\FaxAmatic.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-01 15:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2008-12-03 03:41 3882312 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLLEntry]
2008-12-17 20:07 14848 ------w- c:\windows\System32\AmbRunE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-01-26 09:05 15026056 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-04-23 03:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2010-08-24 09:38 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-08 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.2.0.5\DriverRobot.exe [2009-12-20 09:29]
.
2012-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-21 09:32]
.
2012-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-21 09:32]
.
2012-11-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 02:12]
.
2012-08-29 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 02:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/advanced_search?hl=en
uInternet Settings,ProxyOverride = <local>
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Download with ImTOO iPhone Transfer Platinum - c:\program files\ImTOO\iPhone Transfer Platinum\upod_link.HTM
IE: Download with iphone-transfer-platinum - c:\program files\ImTOO\iPhone Transfer Platinum\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-06 00:53
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-99913640-511744193-596132334-1000_Classes\CLSID\{62b5815b-3aff-4c89-b0a2-6a4cb4336d6a}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000005f
"Therad"=dword:00000022
"MData"=hex(0):5d,3a,76,a6,e3,fe,72,b9,b9,9b,74,3f,a4,5c,0f,51,4d,10,4e,4e,e4,
a1,1f,6f,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-99913640-511744193-596132334-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):4c,e2,3a,83,71,93,ed,db,b5,94,ad,bd,b4,2e,eb,fa,68,74,29,fb,a6,
1d,cf,24,e5,61,bd,81,f8,99,be,8e,14,d3,19,18,2e,a5,d7,1e,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\FAPassSync.dll
.
- - - - - - - > 'Explorer.exe'(6020)
c:\windows\system32\btncopy.dll
c:\windows\system32\mscms.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atiesrxx.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Dell\DellDock\DockLogin.exe
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\crypserv.exe
c:\program files\Sensible Vision\Fast Access\FAService.exe
c:\program files\Nitro PDF\Professional 7\NitroPDFDriverService2.exe
c:\program files\Nitro\Pro 8\NitroPDFDriverService8.exe
c:\windows\system32\NLSSRV32.EXE
c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\windows\system32\vmnat.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Browny02\BrYNSvc.exe
c:\program files\Sensible Vision\Fast Access\FATrayAlert.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehsched.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe
c:\windows\ehome\ehRecvr.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\system32\WUDFHost.exe
.
**************************************************************************
.
Completion time: 2012-12-06 00:58:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-05 16:58
ComboFix2.txt 2012-12-05 03:15
ComboFix3.txt 2012-12-05 02:33
.
Pre-Run: 27,135,819,776 bytes free
Post-Run: 26,778,341,376 bytes free
.
- - End Of File - - 7685FE674AE91F17B6B78FD3BAF4AB15
 
Back