
backdoor.agent and malware.trace



Quick Scan with MBAM Pro shows two threats:

Backdoor.Agent File C:\Users\Rob\AppData\Roaming\UseNetServ.exe

Malware.Trace Registry Key HKCU\Software\VB and VBA Program Settings\SrvID

DDS.txt below

I am a paying customer.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26

Run by Rob at 21:07:54 on 2012-07-03

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3326.1389 [GMT -7:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\Windows\system32\dktahsp.exe

C:\Program Files\Windows Home Server\esClient.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe

C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe

C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Windows Home Server\WHSConnector.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe

C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\System32\spool\drivers\w32x86\3\EKAiO2MUI.exe

C:\Program Files\Binnerup Consult\My Movies for Windows Media Center\My Movies Tray.exe

C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Windows Home Server\WHSTrayApp.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\reg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\taskhost.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Nero\Update\NASvc.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Newsbin\newsbinpro.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Windows Live\Mail\wlmail.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://sn123w.snt123.mail.live.com/default.aspx?wa=wsignin1.0

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll

BHO: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll

uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe

uRun: [usenetServices] c:\users\rob\appdata\roaming\UseServe.exe

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [iAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe

mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Conime] %windir%\system32\conime.exe

mRun: [EKAIO2StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKAiO2MUI.exe

mRun: [My Movies Tray] "c:\program files\binnerup consult\my movies for windows media center\My Movies Tray.exe"

mRun: [NUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\nusb3mon.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "c:\program files\amd avt\bin\kdbsync.exe" aml

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\window~1.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: EnableLinkedConnections = 1 (0x1)

Trusted Zone: highland.com\office

DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UpdateCenter/applets/sync.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab

DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1295333121964

DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.16.0.cab

DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab

DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab

TCP: Interfaces\{84461330-3775-4679-86C3-253BB5E78260} : DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{9AC50678-6F29-42C0-B92C-22B32EE56D11} : NameServer = 8.8.8.8 8.8.4.4

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\rob\appdata\roaming\mozilla\firefox\profiles\mz85hv77.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\progra~1\common~1\nero\browse~1\npBrowserPlugin.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]

R0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\drivers\NBVol.sys [2011-10-9 56496]

R0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\drivers\NBVolUp.sys [2011-10-9 12464]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2011-6-29 66776]

R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2012/02/28 18:50:22];c:\program files\cyberlink\powerdvd dx\000.fcl [2012-2-28 87536]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-4-5 217600]

R2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\windows home server\Microsoft.HomeServer.Archive.TransferService.exe [2011-1-10 239472]

R2 DkTahsp;OCUR SDV Service;c:\windows\system32\dktahsp.exe [2009-8-17 65536]

R2 esClient;Windows Media Center Client Service;c:\program files\windows home server\esClient.exe [2011-1-10 97136]

R2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\hewlett-packard\hp mediasmart server\MSSConnectorService.exe [2009-10-5 20992]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-2-14 13336]

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-12-19 394672]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-11 654408]

R2 MediaCollectorService;MediaCollectorService;c:\program files\hewlett-packard\hp mediasmart server\MediaCollectorClient.exe [2009-10-5 81920]

R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2011-9-23 641832]

R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-4-1 428640]

R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2011-1-10 376688]

R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2012-4-5 9334784]

R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2012-4-5 275968]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-2-23 86544]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-30 22344]

R3 msta;Tuning Adapter Service;c:\windows\system32\drivers\msta.sys [2009-8-17 18432]

R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2011-4-13 67456]

R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2011-4-13 161024]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 250056]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [2009-4-20 44784]

S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]

S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-2-26 15872]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-26 52224]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-1-14 1343400]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

.

=============== Created Last 30 ================

.

2012-07-04 04:06:31 -------- d-----w- c:\users\rob\appdata\local\{E75E4197-088E-41E5-BDC4-929886D137D0}

2012-07-04 04:06:09 -------- d-----w- c:\users\rob\appdata\local\{1BE09295-1082-4EB3-B994-EE4CB973903C}

2012-07-03 14:57:41 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f9d91bec-dbde-4167-9c7a-165d901e6bfd}\gapaengine.dll

2012-07-03 14:56:34 6762896 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4b2e0a84-8288-43db-83af-1479e75132a1}\mpengine.dll

2012-07-03 14:26:22 738816 ----a-w- c:\users\rob\appdata\roaming\UseServe.exe

2012-07-03 03:45:33 -------- d-----w- c:\users\rob\appdata\local\{673679B3-2ED5-43F4-B44D-3FA869861853}

2012-07-03 03:45:13 -------- d-----w- c:\users\rob\appdata\local\{DC4BB9D4-7DF1-4BE4-97BF-E2CCF1A089B8}

2012-07-02 14:41:21 6762896 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2012-07-02 06:17:12 -------- d-----w- c:\users\rob\appdata\local\{5B03CC29-CA14-4A1A-B695-6F66706A8455}

2012-07-02 06:16:50 -------- d-----w- c:\users\rob\appdata\local\{D9ECD697-F21B-467C-ACB3-9308503CA9B6}

2012-07-01 18:16:24 -------- d-----w- c:\users\rob\appdata\local\{88C328BD-8223-4751-B6D3-58B72EA81991}

2012-07-01 18:16:13 -------- d-----w- c:\users\rob\appdata\local\{73E73947-0C3F-4B32-9FAF-6A48F9C50E64}

2012-06-30 22:41:29 -------- d-----w- c:\users\rob\appdata\local\{DA374AFF-D844-4BBA-8283-468D075CC41D}

2012-06-30 22:41:06 -------- d-----w- c:\users\rob\appdata\local\{2C70DB14-8EC2-45B7-9A5A-465DED71C1E8}

2012-06-30 10:40:53 -------- d-----w- c:\users\rob\appdata\local\{9F989FCF-7AAA-431B-B3D2-36166535FB45}

2012-06-30 10:40:31 -------- d-----w- c:\users\rob\appdata\local\{D857CF61-6EDC-4E37-BB61-5A31F5790A6B}

2012-06-29 22:40:07 -------- d-----w- c:\users\rob\appdata\local\{E420D828-83DD-4ED0-850B-1B52AC1DC39E}

2012-06-29 22:39:51 -------- d-----w- c:\users\rob\appdata\local\{2913235F-2873-4437-90AC-D5E175F35126}

2012-06-29 02:27:53 -------- d-----w- c:\users\rob\appdata\local\{0F1E3C4A-7046-4D81-B77B-97A77A6A7661}

2012-06-29 02:27:30 -------- d-----w- c:\users\rob\appdata\local\{B9CA9430-65F0-4461-88FD-758BFEEF863C}

2012-06-28 14:27:02 -------- d-----w- c:\users\rob\appdata\local\{5CD50142-56CB-41BF-9BE1-43A1EAA610D2}

2012-06-28 14:26:35 -------- d-----w- c:\users\rob\appdata\local\{775B5D9F-67F2-471D-A7AB-C74BED0AF8F1}

2012-06-28 04:16:21 -------- d-----w- c:\program files\AMD AVT

2012-06-28 04:16:15 -------- d-----w- c:\program files\AMD APP

2012-06-28 02:25:58 -------- d-----w- c:\users\rob\appdata\local\{DA541912-BA1B-4F02-B48F-30EE051F0133}

2012-06-28 02:25:46 -------- d-----w- c:\users\rob\appdata\local\{3E1F0DE1-9B36-4579-A916-FD5DC8A847D8}

2012-06-27 01:56:53 -------- d-----w- c:\users\rob\appdata\local\{8949294A-41A7-4018-AC36-AAF6514D53CB}

2012-06-27 01:56:30 -------- d-----w- c:\users\rob\appdata\local\{1322A18B-20AF-41A2-84CB-7A27D5DE5DB1}

2012-06-26 13:56:05 -------- d-----w- c:\users\rob\appdata\local\{ABA88789-DC7C-484A-A869-6D1E06416E5C}

2012-06-26 13:55:55 -------- d-----w- c:\users\rob\appdata\local\{73A8572F-FDD9-449D-BF87-8DB539610914}

2012-06-25 19:41:56 -------- d-----w- c:\users\rob\appdata\local\{D8CA4377-132C-4896-81E0-FBB8CCEA8368}

2012-06-25 19:41:38 -------- d-----w- c:\users\rob\appdata\local\{0B465C3E-3FF1-4ABD-94AA-183CA03FF00F}

2012-06-24 18:37:38 -------- d-----w- c:\users\rob\appdata\local\{10D4E33E-99F9-4B4F-970E-1421168ABE99}

2012-06-24 18:37:16 -------- d-----w- c:\users\rob\appdata\local\{701F56A9-AE71-45B7-A595-7BAB7864C0A7}

2012-06-24 06:36:51 -------- d-----w- c:\users\rob\appdata\local\{4AF9F52D-9771-40B6-A5B5-59ADC781C6B8}

2012-06-24 06:36:29 -------- d-----w- c:\users\rob\appdata\local\{BE8A43CC-9E61-44E2-A5E6-4FF55CB4E967}

2012-06-23 18:36:02 -------- d-----w- c:\users\rob\appdata\local\{E3BE6626-C19A-4E7F-AC77-28A047461D29}

2012-06-23 18:35:34 -------- d-----w- c:\users\rob\appdata\local\{C96E272F-24DB-4027-A560-A7C49EF57BCB}

2012-06-23 07:44:08 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-06-23 07:09:08 -------- d-----w- c:\users\rob\appdata\local\QuickPar

2012-06-23 07:08:17 -------- d-----w- c:\program files\QuickPar

2012-06-23 06:59:57 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-23 06:59:40 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-23 06:59:29 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-23 06:59:28 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-19 19:34:52 -------- d-----w- c:\users\rob\appdata\local\{EB660433-C800-4336-A874-7A021BF0E69A}

2012-06-19 19:34:42 -------- d-----w- c:\users\rob\appdata\local\{EF3570D2-59B2-4EE5-A7C9-FA7CCA0DDBCD}

2012-06-19 03:32:13 -------- d-----w- c:\users\rob\appdata\local\{20948427-56EE-4592-AB9F-F4116B856952}

2012-06-19 03:32:00 -------- d-----w- c:\users\rob\appdata\local\{B903EA9E-B1B7-4BF0-851B-7AC78436E9C6}

2012-06-18 14:18:27 -------- d-----w- c:\users\rob\appdata\local\{2A0EE2BA-4382-4DBE-B507-89775BD5BCA8}

2012-06-17 16:37:56 -------- d-----w- c:\users\rob\appdata\local\{643CFEAC-70DE-475C-A577-B27A5DBB92F0}

2012-06-17 04:37:17 -------- d-----w- c:\users\rob\appdata\local\{9B9079A8-E7E0-4CB6-9613-38489D9CAD71}

2012-06-17 03:33:32 -------- d-----w- c:\program files\Newsbin

2012-06-16 16:36:42 -------- d-----w- c:\users\rob\appdata\local\{8E194AD9-C608-4625-9F62-6E7263977E57}

2012-06-16 04:36:06 -------- d-----w- c:\users\rob\appdata\local\{BB873C56-CF7D-42BC-81B3-CF64C1863657}

2012-06-15 16:35:42 -------- d-----w- c:\users\rob\appdata\local\{35ECFE2E-1B7D-4C9F-8331-92D4FD34ED37}

2012-06-15 01:00:38 -------- d-----w- c:\users\rob\appdata\local\{5C282AC3-DD4E-43FD-9087-814E8FA70948}

2012-06-14 04:27:58 -------- d-----w- c:\users\rob\appdata\local\{F45F549B-CCE0-47D0-9038-1F2CB1AB8B6E}

2012-06-14 04:27:35 -------- d-----w- c:\users\rob\appdata\local\{09D1776A-3EAB-4C5F-8BBB-ADEFA6F7AC4D}

2012-06-13 22:14:34 919040 ----a-w- c:\windows\system32\rdpcorets.dll

2012-06-13 22:14:34 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-13 22:14:33 2343936 ----a-w- c:\windows\system32\win32k.sys

2012-06-13 22:14:33 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-06-13 22:14:32 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-06-13 22:14:32 58880 ----a-w- c:\windows\system32\rdpwsx.dll

2012-06-13 16:27:10 -------- d-----w- c:\users\rob\appdata\local\{861A400D-7CD8-42DE-853A-3DB27DEB184C}

2012-06-13 16:26:47 -------- d-----w- c:\users\rob\appdata\local\{CA70C550-6D76-4219-A23D-7958FE2F7AFB}

2012-06-13 04:26:23 -------- d-----w- c:\users\rob\appdata\local\{385B490C-A126-4108-ACEE-C77A1EA2898C}

2012-06-13 04:26:00 -------- d-----w- c:\users\rob\appdata\local\{AC156247-F531-473E-9079-D0FECAA0E738}

2012-06-13 03:06:16 -------- d-----w- c:\program files\EaseUS

2012-06-12 16:25:35 -------- d-----w- c:\users\rob\appdata\local\{C2E95D2B-7721-4505-B08C-1966E5898564}

2012-06-12 16:25:12 -------- d-----w- c:\users\rob\appdata\local\{181D1A4C-46FF-4962-BB01-A77EB01D8B96}

2012-06-12 01:07:35 -------- d-----w- c:\users\rob\appdata\local\{6ED357B3-33E5-4859-9FF1-DA564C449B69}

2012-06-12 01:07:24 -------- d-----w- c:\users\rob\appdata\local\{15774BF5-0610-417D-9F9B-35D03761176C}

2012-06-10 17:22:45 -------- d-----w- c:\users\rob\appdata\local\{A48E0282-737E-4920-AF1B-DCF5682C331B}

2012-06-10 17:22:22 -------- d-----w- c:\users\rob\appdata\local\{DA1B1F4C-0E1B-415E-9C0F-C4F0EF57648D}

2012-06-10 05:21:57 -------- d-----w- c:\users\rob\appdata\local\{58FFE684-572D-4A98-B818-0658896BB2AF}

2012-06-10 05:21:33 -------- d-----w- c:\users\rob\appdata\local\{11E5D463-7DB5-46FB-9F47-F3959C5EAD22}

2012-06-09 17:21:08 -------- d-----w- c:\users\rob\appdata\local\{FAF2F2B2-F051-43A5-9189-A3F2565AA1DF}

2012-06-09 17:20:57 -------- d-----w- c:\users\rob\appdata\local\{BC024C30-58A2-4BE6-8730-308C3165EC74}

2012-06-08 16:38:57 -------- d-----w- c:\users\rob\appdata\local\{420807A6-7650-4C0F-B5D4-985B61928989}

2012-06-08 16:38:34 -------- d-----w- c:\users\rob\appdata\local\{734236D2-FE82-4F53-8575-8B4440C6E858}

2012-06-08 04:38:10 -------- d-----w- c:\users\rob\appdata\local\{38C62A23-672B-49A3-B7B1-3A51D5E8A1FE}

2012-06-08 04:37:59 -------- d-----w- c:\users\rob\appdata\local\{5449B5A3-4638-42B0-8505-9942446F8AB7}

2012-06-07 14:58:16 -------- d-----w- c:\users\rob\appdata\local\{A9E8027E-682C-4B98-951A-DADD942ADD3E}

2012-06-07 14:57:54 -------- d-----w- c:\users\rob\appdata\local\{AC2D9747-5876-43E3-9C18-EEEC3C4E03AF}

2012-06-07 02:57:29 -------- d-----w- c:\users\rob\appdata\local\{9FCF7E48-2CC0-47F0-B86F-9CB6A3764B55}

2012-06-07 02:57:07 -------- d-----w- c:\users\rob\appdata\local\{81A3771D-203C-4A63-A087-CFC2ACCD0499}

2012-06-06 14:56:55 -------- d-----w- c:\users\rob\appdata\local\{66773C6D-6DDF-43CA-9CB2-C63140EAA3B4}

2012-06-06 14:56:32 -------- d-----w- c:\users\rob\appdata\local\{21135FCB-EC2A-4B6F-B9C2-F241DD394424}

2012-06-06 02:56:07 -------- d-----w- c:\users\rob\appdata\local\{CB68B574-5EE6-4592-BBD5-8BA1CD7D989F}

2012-06-06 02:55:45 -------- d-----w- c:\users\rob\appdata\local\{C8196FEA-D15F-488B-92BF-2A822E48DEA6}

2012-06-05 13:03:34 -------- d-----w- c:\users\rob\appdata\local\{7FF60068-1869-48EF-8F77-5A6A79F0C150}

2012-06-05 13:03:12 -------- d-----w- c:\users\rob\appdata\local\{B446392F-71CC-4FA6-A03F-988B455540FA}

2012-06-05 01:02:48 -------- d-----w- c:\users\rob\appdata\local\{00AA0DC1-B39A-4644-A299-9B2DB54970D3}

2012-06-05 01:02:32 -------- d-----w- c:\users\rob\appdata\local\{3F25FACE-89CB-4A45-865C-AE656B3FD1B8}

.

==================== Find3M ====================

.

2028-06-08 23:38:06 158720 ----a-w- c:\windows\system32\VPMSDU32.DLL

2012-06-23 07:44:20 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-23 07:44:20 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-04-06 05:34:22 159232 ----a-w- c:\windows\system32\clinfo.exe

2012-04-06 05:34:04 64512 ----a-w- c:\windows\system32\OpenVideo.dll

2012-04-06 05:33:52 56320 ----a-w- c:\windows\system32\OVDecode.dll

2012-04-06 05:32:56 13007872 ----a-w- c:\windows\system32\amdocl.dll

2012-04-06 05:21:10 9334784 ----a-w- c:\windows\system32\drivers\atikmdag.sys

2012-04-06 02:22:00 159744 ----a-w- c:\windows\system32\atiapfxx.exe

2012-04-06 02:21:52 909312 ----a-w- c:\windows\system32\aticfx32.dll

2012-04-06 02:16:52 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll

2012-04-06 02:16:24 451072 ----a-w- c:\windows\system32\atieclxx.exe

2012-04-06 02:15:50 217600 ----a-w- c:\windows\system32\atiesrxx.exe

2012-04-06 02:14:36 159744 ----a-w- c:\windows\system32\atitmmxx.dll

2012-04-06 02:14:28 20992 ----a-w- c:\windows\system32\atimuixx.dll

2012-04-06 02:14:20 43520 ----a-w- c:\windows\system32\ati2edxx.dll

2012-04-06 02:13:42 6800896 ----a-w- c:\windows\system32\atidxx32.dll

2012-04-06 02:00:08 52736 ----a-w- c:\windows\system32\coinst.dll

2012-04-06 01:50:56 19753984 ----a-w- c:\windows\system32\atioglxx.dll

2012-04-06 01:34:50 1831424 ----a-w- c:\windows\system32\atiumdmv.dll

2012-04-06 01:34:04 6203392 ----a-w- c:\windows\system32\atiumdag.dll

2012-04-06 01:30:14 46080 ----a-w- c:\windows\system32\aticalrt.dll

2012-04-06 01:30:06 44032 ----a-w- c:\windows\system32\aticalcl.dll

2012-04-06 01:25:30 13764096 ----a-w- c:\windows\system32\aticaldd.dll

2012-04-06 01:22:54 4795904 ----a-w- c:\windows\system32\atiumdva.dll

2012-04-06 01:11:18 360448 ----a-w- c:\windows\system32\atiadlxx.dll

2012-04-06 01:11:04 14848 ----a-w- c:\windows\system32\atiglpxx.dll

2012-04-06 01:10:52 33280 ----a-w- c:\windows\system32\atigktxx.dll

2012-04-06 01:10:22 275968 ----a-w- c:\windows\system32\drivers\atikmpag.sys

2012-04-06 01:09:48 41984 ----a-w- c:\windows\system32\atiuxpag.dll

2012-04-06 01:09:34 32256 ----a-w- c:\windows\system32\atiu9pag.dll

2012-04-06 01:09:02 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll

2012-04-06 01:06:04 53760 ----a-w- c:\windows\system32\atimpc32.dll

2012-04-06 01:06:04 53760 ----a-w- c:\windows\system32\amdpcom32.dll

.

============= FINISH: 21:08:52.25 ===============

Attach.txt


Hello boldfin and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Step 1

Please uninstall the following application: Ask Toolbar

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 3

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply


In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • aswMBR log
  • a new fresh DDS log file


I have read everything you suggested. Let's give cleaning a try first.

Malwarebytes Anti-Malware (PRO) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.07.04.06

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

Rob :: BOLDFIN420 [administrator]

Protection: Enabled

7/4/2012 3:47:12 PM

mbam-log-2012-07-04 (15-47-12).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 289410

Time elapsed: 11 minute(s), 43 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKCU\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Users\Rob\AppData\Roaming\UseNetServ.exe (Backdoor.Agent) -> Quarantined and deleted successfully.

(end)

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-07-04 16:04:35

-----------------------------

16:04:35.100 OS Version: Windows 6.1.7601 Service Pack 1

16:04:35.100 Number of processors: 4 586 0x1707

16:04:35.100 ComputerName: BOLDFIN420 UserName: Rob

16:05:02.384 Initialize success

16:06:19.530 AVAST engine defs: 12070401

16:06:24.023 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2

16:06:24.023 Disk 0 Vendor: WDC_WD10 07.0 Size: 953869MB BusType: 8

16:06:24.039 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-3

16:06:24.039 Disk 1 Vendor: WDC_WD20 05.0 Size: 1907729MB BusType: 8

16:06:24.039 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IAAStorageDevice-4

16:06:24.039 Disk 2 Vendor: WDC_WD10 05.0 Size: 953869MB BusType: 8

16:06:24.054 Disk 0 MBR read successfully

16:06:24.054 Disk 0 MBR scan

16:06:24.070 Disk 0 Windows 7 default MBR code

16:06:24.070 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048

16:06:24.132 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848

16:06:24.164 Disk 0 scanning sectors +1953521664

16:06:24.288 Disk 0 scanning C:\Windows\system32\drivers

16:06:44.335 Service scanning

16:06:59.903 Service MpKslcd571702 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E8AE3E55-479C-4BE7-A1E7-E0043E77E064}\MpKslcd571702.sys **LOCKED** 32

16:07:17.063 Modules scanning

16:07:28.483 Disk 0 trace - called modules:

16:07:28.514 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll

16:07:28.529 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88821200]

16:07:28.529 3 CLASSPNP.SYS[8c79159e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0x8688a028]

16:07:30.838 AVAST engine scan C:\Windows

16:07:35.113 AVAST engine scan C:\Windows\system32

16:12:18.853 AVAST engine scan C:\Windows\system32\drivers

16:12:41.769 AVAST engine scan C:\Users\Rob

16:13:40.067 Disk 0 MBR has been saved successfully to "C:\Users\Rob\Desktop\MBR.dat"

16:13:40.067 The log file has been saved successfully to "C:\Users\Rob\Desktop\aswMBR.txt"

17:14:35.316 File: C:\Users\Rob\AppData\Roaming\UseServe.exe **INFECTED** MSIL:Agent-OG [Trj]

18:49:30.840 AVAST engine scan C:\ProgramData

19:02:53.445 Scan finished successfully

19:38:04.940 Disk 0 MBR has been saved successfully to "C:\Users\Rob\Desktop\MBR.dat"

19:38:05.034 The log file has been saved successfully to "C:\Users\Rob\Desktop\aswMBR.txt"

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26

Run by Rob at 19:38:25 on 2012-07-04

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3326.1302 [GMT -7:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\Windows\system32\dktahsp.exe

C:\Program Files\Windows Home Server\esClient.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe

C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Windows Home Server\WHSConnector.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe

C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\System32\spool\drivers\w32x86\3\EKAiO2MUI.exe

C:\Program Files\Binnerup Consult\My Movies for Windows Media Center\My Movies Tray.exe

C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Windows Home Server\WHSTrayApp.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\reg.exe

C:\Windows\system32\taskhost.exe

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Windows\ehome\ehRecvr.exe

C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\ehome\ehmsas.exe

C:\Users\Rob\Desktop\aswMBR.exe

C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Nero\Update\NASvc.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Windows Live\Mail\wlmail.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://sn123w.snt123.mail.live.com/default.aspx?wa=wsignin1.0

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll

BHO: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll

uRun: [usenetServices] c:\users\rob\appdata\roaming\UseServe.exe

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [iAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe

mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Conime] %windir%\system32\conime.exe

mRun: [EKAIO2StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKAiO2MUI.exe

mRun: [My Movies Tray] "c:\program files\binnerup consult\my movies for windows media center\My Movies Tray.exe"

mRun: [NUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\nusb3mon.exe"

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "c:\program files\amd avt\bin\kdbsync.exe" aml

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\window~1.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: EnableLinkedConnections = 1 (0x1)

Trusted Zone: highland.com\office

DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UpdateCenter/applets/sync.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab

DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1295333121964

DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.16.0.cab

DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab

DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab

TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{84461330-3775-4679-86C3-253BB5E78260} : DhcpNameServer = 209.18.47.61 209.18.47.62

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\rob\appdata\roaming\mozilla\firefox\profiles\mz85hv77.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\progra~1\common~1\nero\browse~1\npBrowserPlugin.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]

R0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\drivers\NBVol.sys [2011-10-9 56496]

R0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\drivers\NBVolUp.sys [2011-10-9 12464]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2011-6-29 66776]

R1 MpKslcd571702;MpKslcd571702;c:\programdata\microsoft\microsoft antimalware\definition updates\{e8ae3e55-479c-4be7-a1e7-e0043e77e064}\MpKslcd571702.sys [2012-7-4 29904]

R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2012/02/28 18:50:22];c:\program files\cyberlink\powerdvd dx\000.fcl [2012-2-28 87536]

R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-4-5 217600]

R2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\windows home server\Microsoft.HomeServer.Archive.TransferService.exe [2011-1-10 239472]

R2 DkTahsp;OCUR SDV Service;c:\windows\system32\dktahsp.exe [2009-8-17 65536]

R2 esClient;Windows Media Center Client Service;c:\program files\windows home server\esClient.exe [2011-1-10 97136]

R2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\hewlett-packard\hp mediasmart server\MSSConnectorService.exe [2009-10-5 20992]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-2-14 13336]

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-12-19 394672]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-11 654408]

R2 MediaCollectorService;MediaCollectorService;c:\program files\hewlett-packard\hp mediasmart server\MediaCollectorClient.exe [2009-10-5 81920]

R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2011-9-23 641832]

R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-4-1 428640]

R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2011-1-10 376688]

R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2012-4-5 9334784]

R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2012-4-5 275968]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-2-23 86544]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-30 22344]

R3 msta;Tuning Adapter Service;c:\windows\system32\drivers\msta.sys [2009-8-17 18432]

R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2011-4-13 67456]

R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2011-4-13 161024]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 250056]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [2009-4-20 44784]

S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]

S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-2-26 15872]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-26 52224]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-1-14 1343400]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]

S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

.

=============== Created Last 30 ================

.

2012-07-04 23:05:00 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e8ae3e55-479c-4be7-a1e7-e0043e77e064}\MpKslcd571702.sys

2012-07-04 22:58:20 6762896 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e8ae3e55-479c-4be7-a1e7-e0043e77e064}\mpengine.dll

2012-07-04 22:46:16 -------- d-----w- c:\users\rob\appdata\local\{EEE81CE0-B1E0-452E-BFED-7380F6FE215B}

2012-07-04 22:46:01 -------- d-----w- c:\users\rob\appdata\local\{63149514-E8E0-42B9-839A-D52DBCCF9FDA}

2012-07-04 04:06:31 -------- d-----w- c:\users\rob\appdata\local\{E75E4197-088E-41E5-BDC4-929886D137D0}

2012-07-04 04:06:09 -------- d-----w- c:\users\rob\appdata\local\{1BE09295-1082-4EB3-B994-EE4CB973903C}

2012-07-03 14:57:41 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f9d91bec-dbde-4167-9c7a-165d901e6bfd}\gapaengine.dll

2012-07-03 14:56:34 6762896 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2012-07-03 14:26:22 738816 ----a-w- c:\users\rob\appdata\roaming\UseServe.exe

2012-07-03 03:45:33 -------- d-----w- c:\users\rob\appdata\local\{673679B3-2ED5-43F4-B44D-3FA869861853}

2012-07-03 03:45:13 -------- d-----w- c:\users\rob\appdata\local\{DC4BB9D4-7DF1-4BE4-97BF-E2CCF1A089B8}

2012-07-02 06:17:12 -------- d-----w- c:\users\rob\appdata\local\{5B03CC29-CA14-4A1A-B695-6F66706A8455}

2012-07-02 06:16:50 -------- d-----w- c:\users\rob\appdata\local\{D9ECD697-F21B-467C-ACB3-9308503CA9B6}

2012-07-01 18:16:24 -------- d-----w- c:\users\rob\appdata\local\{88C328BD-8223-4751-B6D3-58B72EA81991}

2012-07-01 18:16:13 -------- d-----w- c:\users\rob\appdata\local\{73E73947-0C3F-4B32-9FAF-6A48F9C50E64}

2012-06-30 22:41:29 -------- d-----w- c:\users\rob\appdata\local\{DA374AFF-D844-4BBA-8283-468D075CC41D}

2012-06-30 22:41:06 -------- d-----w- c:\users\rob\appdata\local\{2C70DB14-8EC2-45B7-9A5A-465DED71C1E8}

2012-06-30 10:40:53 -------- d-----w- c:\users\rob\appdata\local\{9F989FCF-7AAA-431B-B3D2-36166535FB45}

2012-06-30 10:40:31 -------- d-----w- c:\users\rob\appdata\local\{D857CF61-6EDC-4E37-BB61-5A31F5790A6B}

2012-06-29 22:40:07 -------- d-----w- c:\users\rob\appdata\local\{E420D828-83DD-4ED0-850B-1B52AC1DC39E}

2012-06-29 22:39:51 -------- d-----w- c:\users\rob\appdata\local\{2913235F-2873-4437-90AC-D5E175F35126}

2012-06-29 02:27:53 -------- d-----w- c:\users\rob\appdata\local\{0F1E3C4A-7046-4D81-B77B-97A77A6A7661}

2012-06-29 02:27:30 -------- d-----w- c:\users\rob\appdata\local\{B9CA9430-65F0-4461-88FD-758BFEEF863C}

2012-06-28 14:27:02 -------- d-----w- c:\users\rob\appdata\local\{5CD50142-56CB-41BF-9BE1-43A1EAA610D2}

2012-06-28 14:26:35 -------- d-----w- c:\users\rob\appdata\local\{775B5D9F-67F2-471D-A7AB-C74BED0AF8F1}

2012-06-28 04:16:21 -------- d-----w- c:\program files\AMD AVT

2012-06-28 04:16:15 -------- d-----w- c:\program files\AMD APP

2012-06-28 02:25:58 -------- d-----w- c:\users\rob\appdata\local\{DA541912-BA1B-4F02-B48F-30EE051F0133}

2012-06-28 02:25:46 -------- d-----w- c:\users\rob\appdata\local\{3E1F0DE1-9B36-4579-A916-FD5DC8A847D8}

2012-06-27 01:56:53 -------- d-----w- c:\users\rob\appdata\local\{8949294A-41A7-4018-AC36-AAF6514D53CB}

2012-06-27 01:56:30 -------- d-----w- c:\users\rob\appdata\local\{1322A18B-20AF-41A2-84CB-7A27D5DE5DB1}

2012-06-26 13:56:05 -------- d-----w- c:\users\rob\appdata\local\{ABA88789-DC7C-484A-A869-6D1E06416E5C}

2012-06-26 13:55:55 -------- d-----w- c:\users\rob\appdata\local\{73A8572F-FDD9-449D-BF87-8DB539610914}

2012-06-25 19:41:56 -------- d-----w- c:\users\rob\appdata\local\{D8CA4377-132C-4896-81E0-FBB8CCEA8368}

2012-06-25 19:41:38 -------- d-----w- c:\users\rob\appdata\local\{0B465C3E-3FF1-4ABD-94AA-183CA03FF00F}

2012-06-24 18:37:38 -------- d-----w- c:\users\rob\appdata\local\{10D4E33E-99F9-4B4F-970E-1421168ABE99}

2012-06-24 18:37:16 -------- d-----w- c:\users\rob\appdata\local\{701F56A9-AE71-45B7-A595-7BAB7864C0A7}

2012-06-24 06:36:51 -------- d-----w- c:\users\rob\appdata\local\{4AF9F52D-9771-40B6-A5B5-59ADC781C6B8}

2012-06-24 06:36:29 -------- d-----w- c:\users\rob\appdata\local\{BE8A43CC-9E61-44E2-A5E6-4FF55CB4E967}

2012-06-23 18:36:02 -------- d-----w- c:\users\rob\appdata\local\{E3BE6626-C19A-4E7F-AC77-28A047461D29}

2012-06-23 18:35:34 -------- d-----w- c:\users\rob\appdata\local\{C96E272F-24DB-4027-A560-A7C49EF57BCB}

2012-06-23 07:44:08 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-06-23 07:09:08 -------- d-----w- c:\users\rob\appdata\local\QuickPar

2012-06-23 07:08:17 -------- d-----w- c:\program files\QuickPar

2012-06-23 06:59:57 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-23 06:59:40 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-23 06:59:29 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-23 06:59:28 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-19 19:34:52 -------- d-----w- c:\users\rob\appdata\local\{EB660433-C800-4336-A874-7A021BF0E69A}

2012-06-19 19:34:42 -------- d-----w- c:\users\rob\appdata\local\{EF3570D2-59B2-4EE5-A7C9-FA7CCA0DDBCD}

2012-06-19 03:32:13 -------- d-----w- c:\users\rob\appdata\local\{20948427-56EE-4592-AB9F-F4116B856952}

2012-06-19 03:32:00 -------- d-----w- c:\users\rob\appdata\local\{B903EA9E-B1B7-4BF0-851B-7AC78436E9C6}

2012-06-18 14:18:27 -------- d-----w- c:\users\rob\appdata\local\{2A0EE2BA-4382-4DBE-B507-89775BD5BCA8}

2012-06-17 16:37:56 -------- d-----w- c:\users\rob\appdata\local\{643CFEAC-70DE-475C-A577-B27A5DBB92F0}

2012-06-17 04:37:17 -------- d-----w- c:\users\rob\appdata\local\{9B9079A8-E7E0-4CB6-9613-38489D9CAD71}

2012-06-17 03:33:32 -------- d-----w- c:\program files\Newsbin

2012-06-16 16:36:42 -------- d-----w- c:\users\rob\appdata\local\{8E194AD9-C608-4625-9F62-6E7263977E57}

2012-06-16 04:36:06 -------- d-----w- c:\users\rob\appdata\local\{BB873C56-CF7D-42BC-81B3-CF64C1863657}

2012-06-15 16:35:42 -------- d-----w- c:\users\rob\appdata\local\{35ECFE2E-1B7D-4C9F-8331-92D4FD34ED37}

2012-06-15 01:00:38 -------- d-----w- c:\users\rob\appdata\local\{5C282AC3-DD4E-43FD-9087-814E8FA70948}

2012-06-14 04:27:58 -------- d-----w- c:\users\rob\appdata\local\{F45F549B-CCE0-47D0-9038-1F2CB1AB8B6E}

2012-06-14 04:27:35 -------- d-----w- c:\users\rob\appdata\local\{09D1776A-3EAB-4C5F-8BBB-ADEFA6F7AC4D}

2012-06-13 22:14:34 919040 ----a-w- c:\windows\system32\rdpcorets.dll

2012-06-13 22:14:34 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-13 22:14:33 2343936 ----a-w- c:\windows\system32\win32k.sys

2012-06-13 22:14:33 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-06-13 22:14:32 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-06-13 22:14:32 58880 ----a-w- c:\windows\system32\rdpwsx.dll

2012-06-13 16:27:10 -------- d-----w- c:\users\rob\appdata\local\{861A400D-7CD8-42DE-853A-3DB27DEB184C}

2012-06-13 16:26:47 -------- d-----w- c:\users\rob\appdata\local\{CA70C550-6D76-4219-A23D-7958FE2F7AFB}

2012-06-13 04:26:23 -------- d-----w- c:\users\rob\appdata\local\{385B490C-A126-4108-ACEE-C77A1EA2898C}

2012-06-13 04:26:00 -------- d-----w- c:\users\rob\appdata\local\{AC156247-F531-473E-9079-D0FECAA0E738}

2012-06-13 03:06:16 -------- d-----w- c:\program files\EaseUS

2012-06-12 16:25:35 -------- d-----w- c:\users\rob\appdata\local\{C2E95D2B-7721-4505-B08C-1966E5898564}

2012-06-12 16:25:12 -------- d-----w- c:\users\rob\appdata\local\{181D1A4C-46FF-4962-BB01-A77EB01D8B96}

2012-06-12 01:07:35 -------- d-----w- c:\users\rob\appdata\local\{6ED357B3-33E5-4859-9FF1-DA564C449B69}

2012-06-12 01:07:24 -------- d-----w- c:\users\rob\appdata\local\{15774BF5-0610-417D-9F9B-35D03761176C}

2012-06-10 17:22:45 -------- d-----w- c:\users\rob\appdata\local\{A48E0282-737E-4920-AF1B-DCF5682C331B}

2012-06-10 17:22:22 -------- d-----w- c:\users\rob\appdata\local\{DA1B1F4C-0E1B-415E-9C0F-C4F0EF57648D}

2012-06-10 05:21:57 -------- d-----w- c:\users\rob\appdata\local\{58FFE684-572D-4A98-B818-0658896BB2AF}

2012-06-10 05:21:33 -------- d-----w- c:\users\rob\appdata\local\{11E5D463-7DB5-46FB-9F47-F3959C5EAD22}

2012-06-09 17:21:08 -------- d-----w- c:\users\rob\appdata\local\{FAF2F2B2-F051-43A5-9189-A3F2565AA1DF}

2012-06-09 17:20:57 -------- d-----w- c:\users\rob\appdata\local\{BC024C30-58A2-4BE6-8730-308C3165EC74}

2012-06-08 16:38:57 -------- d-----w- c:\users\rob\appdata\local\{420807A6-7650-4C0F-B5D4-985B61928989}

2012-06-08 16:38:34 -------- d-----w- c:\users\rob\appdata\local\{734236D2-FE82-4F53-8575-8B4440C6E858}

2012-06-08 04:38:10 -------- d-----w- c:\users\rob\appdata\local\{38C62A23-672B-49A3-B7B1-3A51D5E8A1FE}

2012-06-08 04:37:59 -------- d-----w- c:\users\rob\appdata\local\{5449B5A3-4638-42B0-8505-9942446F8AB7}

2012-06-07 14:58:16 -------- d-----w- c:\users\rob\appdata\local\{A9E8027E-682C-4B98-951A-DADD942ADD3E}

2012-06-07 14:57:54 -------- d-----w- c:\users\rob\appdata\local\{AC2D9747-5876-43E3-9C18-EEEC3C4E03AF}

2012-06-07 02:57:29 -------- d-----w- c:\users\rob\appdata\local\{9FCF7E48-2CC0-47F0-B86F-9CB6A3764B55}

2012-06-07 02:57:07 -------- d-----w- c:\users\rob\appdata\local\{81A3771D-203C-4A63-A087-CFC2ACCD0499}

2012-06-06 14:56:55 -------- d-----w- c:\users\rob\appdata\local\{66773C6D-6DDF-43CA-9CB2-C63140EAA3B4}

2012-06-06 14:56:32 -------- d-----w- c:\users\rob\appdata\local\{21135FCB-EC2A-4B6F-B9C2-F241DD394424}

2012-06-06 02:56:07 -------- d-----w- c:\users\rob\appdata\local\{CB68B574-5EE6-4592-BBD5-8BA1CD7D989F}

2012-06-06 02:55:45 -------- d-----w- c:\users\rob\appdata\local\{C8196FEA-D15F-488B-92BF-2A822E48DEA6}

2012-06-05 13:03:34 -------- d-----w- c:\users\rob\appdata\local\{7FF60068-1869-48EF-8F77-5A6A79F0C150}

2012-06-05 13:03:12 -------- d-----w- c:\users\rob\appdata\local\{B446392F-71CC-4FA6-A03F-988B455540FA}

.

==================== Find3M ====================

.

2028-06-08 23:38:06 158720 ----a-w- c:\windows\system32\VPMSDU32.DLL

2012-06-23 07:44:20 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-23 07:44:20 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-04-06 05:34:22 159232 ----a-w- c:\windows\system32\clinfo.exe

2012-04-06 05:34:04 64512 ----a-w- c:\windows\system32\OpenVideo.dll

2012-04-06 05:33:52 56320 ----a-w- c:\windows\system32\OVDecode.dll

2012-04-06 05:32:56 13007872 ----a-w- c:\windows\system32\amdocl.dll

2012-04-06 05:21:10 9334784 ----a-w- c:\windows\system32\drivers\atikmdag.sys

.

============= FINISH: 19:39:05.97 ===============

Please visit this webpage for download links and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Ran ComboFix:

ComboFix 12-07-05.02 - Rob 07/05/2012 8:04.1.4 - x86

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3326.1858 [GMT -7:00]

Running from: c:\users\Rob\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\install.exe

c:\users\Rob\AppData\Roaming\8D5595

c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check

c:\users\Rob\AppData\Roaming\UseNetServ.exe

c:\users\Rob\AppData\Roaming\UseServe.exe

c:\users\Rob\g2mdlhlpx.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-06-05 to 2012-07-05 )))))))))))))))))))))))))))))))

.

.

2012-07-05 15:12 . 2012-07-05 15:30 -------- d-----w- c:\users\Rob\AppData\Local\temp

2012-07-05 15:12 . 2012-07-05 15:12 -------- d-----w- c:\users\Mcx3-BOLDFIN420\AppData\Local\temp

2012-07-05 15:12 . 2012-07-05 15:12 -------- d-----w- c:\users\Mcx2-BOLDFIN420\AppData\Local\temp

2012-07-05 15:12 . 2012-07-05 15:12 -------- d-----w- c:\users\Jennifer\AppData\Local\temp

2012-07-05 15:12 . 2012-07-05 15:12 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-05 14:59 . 2012-07-05 14:59 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E8AE3E55-479C-4BE7-A1E7-E0043E77E064}\MpKsl405aafcf.sys

2012-07-04 22:58 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E8AE3E55-479C-4BE7-A1E7-E0043E77E064}\mpengine.dll

2012-07-03 14:57 . 2012-02-10 10:28 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F9D91BEC-DBDE-4167-9C7A-165D901E6BFD}\gapaengine.dll

2012-07-03 14:56 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-06-28 04:16 . 2012-06-28 04:16 -------- d-----w- c:\programdata\ATI

2012-06-28 04:16 . 2012-06-28 04:16 -------- d-----w- c:\program files\AMD AVT

2012-06-28 04:16 . 2012-06-28 04:16 -------- d-----w- c:\program files\AMD APP

2012-06-23 07:44 . 2012-06-23 07:44 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-06-23 07:09 . 2012-06-30 20:36 -------- d-----w- c:\users\Rob\AppData\Local\QuickPar

2012-06-23 07:08 . 2012-06-23 07:08 -------- d-----w- c:\program files\QuickPar

2012-06-23 06:59 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-23 06:59 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-23 06:59 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-23 06:59 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-23 06:59 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-23 06:59 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-23 06:59 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-23 06:59 . 2012-06-02 22:19 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-23 06:59 . 2012-06-02 22:12 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-17 03:33 . 2012-06-17 03:33 -------- d-----w- c:\program files\Newsbin

2012-06-13 22:14 . 2012-04-28 04:41 919040 ----a-w- c:\windows\system32\rdpcorets.dll

2012-06-13 22:14 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-13 22:14 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys

2012-06-13 22:14 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-06-13 22:14 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll

2012-06-13 22:14 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-06-13 03:06 . 2012-06-13 03:06 -------- d-----w- c:\program files\EaseUS

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2028-06-08 23:38 . 2011-08-11 04:48 158720 ----a-w- c:\windows\system32\VPMSDU32.DLL

2012-06-23 07:44 . 2012-04-03 01:49 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-23 07:44 . 2011-06-06 15:56 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-27 01:22 . 2012-04-27 01:22 413696 ----a-r- c:\users\Rob\AppData\Roaming\Microsoft\Installer\{4229F016-3A60-439E-B626-DE4BD457469F}\ARPPRODUCTICON.exe

2011-03-18 17:53 . 2011-04-10 23:44 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2012-05-09 06:39 1011344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2012-05-09 06:39 1011344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2012-05-09 06:39 1011344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2569616]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]

"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]

"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

"EKAIO2StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-12-10 2756608]

"My Movies Tray"="c:\program files\Binnerup Consult\My Movies for Windows Media Center\My Movies Tray.exe" [2011-12-15 477392]

"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-04-15 113288]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-11-20 128296]

"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2011-12-22 362432]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-05-09 1061520]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2011-2-7 603504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"EnableLinkedConnections"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\startupfolder\C:^Users^Rob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]

path=c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk

backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]

2010-06-08 01:48 362488 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

2012-04-27 16:12 6065784 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]

2010-07-02 18:24 95744 ----a-w- c:\program files\eFax Messenger 4.4\J2GDllCmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent]

2011-09-20 21:53 1493288 ----a-w- c:\program files\Nero\Nero 11\Nero BackItUp\NBAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]

2010-06-08 01:47 2605424 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]

2011-03-07 13:33 89456 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

R3 BackupReader;BackupReader;c:\windows\system32\DRIVERS\BackupReader.sys [x]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]

S0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\DRIVERS\NBVol.sys [x]

S0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\DRIVERS\NBVolUp.sys [x]

S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]

S1 MpKsl405aafcf;MpKsl405aafcf;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E8AE3E55-479C-4BE7-A1E7-E0043E77E064}\MpKsl405aafcf.sys [x]

S2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2012/02/28 18:50];c:\program files\CyberLink\PowerDVD DX\000.fcl [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

S2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [x]

S2 DkTahsp;OCUR SDV Service;c:\windows\system32\dktahsp.exe [x]

S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [x]

S2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [x]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]

S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [x]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]

S2 MediaCollectorService;MediaCollectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [x]

S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [x]

S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [x]

S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [x]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 msta;Tuning Adapter Service;c:\windows\system32\Drivers\msta.sys [x]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-05 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 07:44]

.

2012-07-05 c:\windows\Tasks\RegistryBooster.job

- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2012-04-11 18:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://sn123w.snt123.mail.live.com/default.aspx?wa=wsignin1.0

Trusted Zone: highland.com\office

DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UpdateCenter/applets/sync.cab

FF - ProfilePath - c:\users\Rob\AppData\Roaming\Mozilla\Firefox\Profiles\mz85hv77.default\

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll

HKCU-Run-UsenetServices - c:\users\Rob\AppData\Roaming\UseServe.exe

HKLM-Run-Conime - c:\windows\system32\conime.exe

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD DX\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-408190252-3311634441-3888657169-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

.

[HKEY_USERS\S-1-5-21-408190252-3311634441-3888657169-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(4696)

c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\MsMpEng.exe

c:\windows\system32\atieclxx.exe

c:\windows\system32\WUDFHost.exe

c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\WUDFHost.exe

c:\windows\ehome\ehRecvr.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

c:\program files\Windows Home Server\WHSTrayApp.exe

c:\windows\ehome\ehmsas.exe

c:\windows\system32\taskhost.exe

.

**************************************************************************

.

Completion time: 2012-07-05 08:33:34 - machine was rebooted

ComboFix-quarantined-files.txt 2012-07-05 15:33

.

Pre-Run: 387,760,070,656 bytes free

Post-Run: 388,317,569,024 bytes free

.

- - End Of File - - 948414ACFBE9E3BC2A4C82A5850773C5

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\program files\Ask.com

JavaClearCache::

Save this as CFScript.txt, in the same location as ComboFix.exe.

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your previous instructions, you asked me to uninstall the Ask.com Toolbar. This program was not listed under installed programs. There was a folder for it, however, in C:/program files - which I deleted. This was done yesterday.

ComboFix 12-07-05.02 - Rob 07/05/2012 19:50:26.2.4 - x86

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3326.1784 [GMT -7:00]

Running from: c:\users\Rob\Desktop\ComboFix.exe

Command switches used :: c:\users\Rob\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-06-06 to 2012-07-06 )))))))))))))))))))))))))))))))

.

.

2012-07-06 03:00 . 2012-07-06 03:00 -------- d-----w- c:\users\Mcx3-BOLDFIN420\AppData\Local\temp

2012-07-06 03:00 . 2012-07-06 03:00 -------- d-----w- c:\users\Mcx2-BOLDFIN420\AppData\Local\temp

2012-07-06 03:00 . 2012-07-06 03:00 -------- d-----w- c:\users\Jennifer\AppData\Local\temp

2012-07-06 03:00 . 2012-07-06 03:00 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-06 03:00 . 2012-07-06 03:00 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2012-07-05 15:12 . 2012-07-06 03:00 -------- d-----w- c:\users\Rob\AppData\Local\temp

2012-07-04 22:58 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E8AE3E55-479C-4BE7-A1E7-E0043E77E064}\mpengine.dll

2012-07-03 14:57 . 2012-02-10 10:28 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F9D91BEC-DBDE-4167-9C7A-165D901E6BFD}\gapaengine.dll

2012-07-03 14:56 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-06-28 04:16 . 2012-06-28 04:16 -------- d-----w- c:\programdata\ATI

2012-06-28 04:16 . 2012-06-28 04:16 -------- d-----w- c:\program files\AMD AVT

2012-06-28 04:16 . 2012-06-28 04:16 -------- d-----w- c:\program files\AMD APP

2012-06-23 07:44 . 2012-06-23 07:44 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-06-23 07:09 . 2012-06-30 20:36 -------- d-----w- c:\users\Rob\AppData\Local\QuickPar

2012-06-23 07:08 . 2012-06-23 07:08 -------- d-----w- c:\program files\QuickPar

2012-06-23 06:59 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-23 06:59 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-23 06:59 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-23 06:59 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-23 06:59 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-23 06:59 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-23 06:59 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-23 06:59 . 2012-06-02 22:19 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-23 06:59 . 2012-06-02 22:12 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-17 03:33 . 2012-06-17 03:33 -------- d-----w- c:\program files\Newsbin

2012-06-13 22:14 . 2012-04-28 04:41 919040 ----a-w- c:\windows\system32\rdpcorets.dll

2012-06-13 22:14 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-13 22:14 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys

2012-06-13 22:14 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-06-13 22:14 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll

2012-06-13 22:14 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-06-13 03:06 . 2012-06-13 03:06 -------- d-----w- c:\program files\EaseUS

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2028-06-08 23:38 . 2011-08-11 04:48 158720 ----a-w- c:\windows\system32\VPMSDU32.DLL

2012-06-23 07:44 . 2012-04-03 01:49 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-23 07:44 . 2011-06-06 15:56 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-27 01:22 . 2012-04-27 01:22 413696 ----a-r- c:\users\Rob\AppData\Roaming\Microsoft\Installer\{4229F016-3A60-439E-B626-DE4BD457469F}\ARPPRODUCTICON.exe

2011-03-18 17:53 . 2011-04-10 23:44 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2012-05-09 06:39 1011344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2012-05-09 06:39 1011344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2012-05-09 06:39 1011344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2569616]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]

"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]

"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

"EKAIO2StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-12-10 2756608]

"My Movies Tray"="c:\program files\Binnerup Consult\My Movies for Windows Media Center\My Movies Tray.exe" [2011-12-15 477392]

"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-04-15 113288]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-11-20 128296]

"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2011-12-22 362432]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-05-09 1061520]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2011-2-7 603504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"EnableLinkedConnections"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\startupfolder\C:^Users^Rob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]

path=c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk

backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]

2010-06-08 01:48 362488 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

2012-04-27 16:12 6065784 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]

2010-07-02 18:24 95744 ----a-w- c:\program files\eFax Messenger 4.4\J2GDllCmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent]

2011-09-20 21:53 1493288 ----a-w- c:\program files\Nero\Nero 11\Nero BackItUp\NBAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]

2010-06-08 01:47 2605424 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]

2011-03-07 13:33 89456 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

R3 BackupReader;BackupReader;c:\windows\system32\DRIVERS\BackupReader.sys [x]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]

S0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\DRIVERS\NBVol.sys [x]

S0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\DRIVERS\NBVolUp.sys [x]

S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]

S2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2012/02/28 18:50];c:\program files\CyberLink\PowerDVD DX\000.fcl [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

S2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [x]

S2 DkTahsp;OCUR SDV Service;c:\windows\system32\dktahsp.exe [x]

S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [x]

S2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [x]

S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]

S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [x]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]

S2 MediaCollectorService;MediaCollectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [x]

S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [x]

S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [x]

S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [x]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 msta;Tuning Adapter Service;c:\windows\system32\Drivers\msta.sys [x]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-06 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 07:44]

.

2012-07-06 c:\windows\Tasks\RegistryBooster.job

- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2012-04-11 18:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://sn123w.snt123.mail.live.com/default.aspx?wa=wsignin1.0

Trusted Zone: highland.com\office

DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UpdateCenter/applets/sync.cab

FF - ProfilePath - c:\users\Rob\AppData\Roaming\Mozilla\Firefox\Profiles\mz85hv77.default\

FF - prefs.js: network.proxy.type - 0

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD DX\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-408190252-3311634441-3888657169-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

.

[HKEY_USERS\S-1-5-21-408190252-3311634441-3888657169-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-07-05 20:02:53

ComboFix-quarantined-files.txt 2012-07-06 03:02

ComboFix2.txt 2012-07-05 15:33

.

Pre-Run: 388,650,045,440 bytes free

Post-Run: 388,093,710,336 bytes free

.

- - End Of File - - 1AF48684F65612D6250FD1803BF15C11


Thank you for your cooperation!

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


I am back in town. I ran scans with MS Security Essentials and MBAW, both came back with one threat each. MSSE reported a Win32 worm, which I quarantined, MBAW log is posted below. What next steps do you recommend?

Malwarebytes Anti-Malware (PRO) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.14.07

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

Rob :: BOLDFIN420 [administrator]

Protection: Enabled

7/14/2012 12:56:05 PM

mbam-log-2012-07-14 (12-56-05).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 280845

Time elapsed: 7 minute(s), 57 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Users\Rob\AppData\Roaming\jullli_2012 (Stolen.Data) -> Quarantined and deleted successfully.

(end)


Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Click the cog in the upper right


Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan


Allow AVP to delete all infections found

Once it has finished select report tab (last tab)

Select Detected threats report from the left and press Save button

Save it to your desktop and post it in your next reply.


I just completed an automatic scan with the AVPTool, per your instructions. It took six hours to run the scan of my main drive. No threats were detected, so there is no Detected Threats report to post in this reply.

Just to make sure, I ran another MBAW Quick Scan:

Malwarebytes Anti-Malware (PRO) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.14.07

Windows 7 Service Pack 1 x86 NTFS

Internet Explorer 9.0.8112.16421

Rob :: BOLDFIN420 [administrator]

Protection: Enabled

7/14/2012 10:45:03 PM

mbam-log-2012-07-14 (22-45-03).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 285703

Time elapsed: 9 minute(s), 34 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

What do you recommend at this point?


It appears to be working normally. I rescanned with MBAW and MS Security Essentials, and no threats were found. I understand that there is no guarantee that the system is truly "clean", but please tell me if I should consider nuke/pave at this point.


For now everything seems to be fine. What you should consider is changing all your passwords, especially banking accounts.

Please uninstall ComboFix:

www.bleepingcomputer.com/combofix/how-to-use-combofix#uninstall

Next, manually delete DDS, aswMBR and Kaspersky AVP. Please uninstall ESET Online Scanner too.

Some malware prevention tips:

http://forums.malwarebytes.org/index.php?showtopic=104379&pid=515983&st=0entry515983

Safe surfing! :)


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
