Help with Win32/Olmarik.TDL4 Trojan

[Siemnok]

Post Merged

We look for post with 0 replies, so when you reply to your own topic, we assume you're being helped.

Please be patient, someone will assist you as soon as possible.

Hi, this is my first post

I have a problem with this trojan. That what I did so far is:

- MalwareBytes-Anty Malware

- TDSSKiller, I can't launch the tool on Win7, even changing the .exe name.

After runnig the tool Combofix the PC started to run a bit faster but I have a problem with the browsers.

They run too slow and sometimes redirects to other pages.

I place the DDS and CombofixLogs. Many thanks!

DDS Logs:

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1

Run by Leo at 10:16:49 on 2012-09-08

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.2194 [GMT -3:00]

.

AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}

SP: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE

C:\Windows\system32\svchost.exe -k RPCSS

C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\UnsignedThemesSvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Program Files (x86)\Samsung\USB Drivers\26_VIA_driver2\amd64\VIAService.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt

C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe

C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\SysWOW64\PnkBstrA.exe

C:\Windows\SysWOW64\PnkBstrB.exe

C:\Program Files (x86)\Planex\Common\RalinkRegistryWriter.exe

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\Tunngle\TnglCtrl.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\svchost.exe -k HPService

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\DllHost.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe

C:\Program Files (x86)\RocketDock\RocketDock.exe

C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDL R.exe

C:\Users\Leo\Local Settings\Apps\F.lux\flux.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files (x86)\Planex\Common\RaUI.exe

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\Pres entationFontCache.exe

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\DataProxy.exe

C:\Windows\system32\conhost.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlug in_11_3_300_271.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlug in_11_3_300_271.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = 192.168.*.*;*.local

mWinlogon: Userinit=userinit.exe,

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

BHO: SteadyVideoBHO Class: {6c680bae-655c-4e3d-8fc4-e6a520c3d928} - C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.Visua lStudio.QualityTools.RecorderBarBHO100.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll

EB: Web Test Recorder 10.0: {5802d092-1784-4908-8cdb-99b6842d353d} - mscoree.dll

uRun: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe"

uRun: [steam] "H:\Steam\steam.exe" -silent

uRun: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDL R.exe

uRun: [KiesHelper] C:\Program Files (x86)\Samsung\Kies\KiesHelper.exe /s

uRun: [F.lux] "C:\Users\Leo\Local Settings\Apps\F.lux\flux.exe" /noshow

uRun: [Google Update] "C:\Users\Leo\AppData\Local\Google\Update\GoogleUp date.exe" /c

mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe

mRun: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE

mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun: [googletalk] C:\Program Files (x86)\Google\Google Talk\googletalk.exe /autostart

mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.ex e" -launchedbylogin

mRun: [<NO NAME>]

mRun: [mumservice] C:\Program Files\Motorola\Software Update\mumservice.exe

mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

StartupFolder: C:\Users\Leo\AppData\Roaming\MICROS~1\Windows\STAR TM~1\Programs\Startup\Dropbox.lnk - C:\Users\Leo\AppData\Roaming\Dropbox\bin\Dropbox.e xe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Sta rtup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Sta rtup\PLANEX~1.LNK - C:\Program Files (x86)\Planex\Common\RaUI.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xportar a Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 200.42.4.203 200.49.130.40

TCP: Interfaces\{0E5927F1-B36D-4CF3-B043-8D8A721F621E} : DhcpNameServer = 200.42.4.203 200.49.130.40

Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll

Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

mASetup: {SFMQ4M5D-TGLO-833R-G2RI-6L81C0X272LQ} - C:\Windows\system\system.exe

BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

BHO-X64: HP Print Enhancer - No File

BHO-X64: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll

BHO-X64: AMD SteadyVideo BHO - No File

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

BHO-X64: Microsoft Web Test Recorder 10.0 Helper: {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.Visua lStudio.QualityTools.RecorderBarBHO100.dll

BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

BHO-X64: HP Smart BHO Class - No File

EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File

EB-X64: {5802D092-1784-4908-8CDB-99B6842D353D} - No File

mRun-x64: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe

mRun-x64: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE

mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun-x64: [googletalk] C:\Program Files (x86)\Google\Google Talk\googletalk.exe /autostart

mRun-x64: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.ex e" -launchedbylogin

mRun-x64: [(Default)]

mRun-x64: [mumservice] C:\Program Files\Motorola\Software Update\mumservice.exe

mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun-x64: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Leo\AppData\Roaming\Mozilla\Firefox\Profi les\tryy8m62.default\

FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll

FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\compone nts\KavLinkFilter.dll

FF - component: C:\Users\Leo\AppData\Roaming\Mozilla\Firefox\Profi les\tryy8m62.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: C:\Users\Leo\AppData\Roaming\Mozilla\Firefox\Profi les\tryy8m62.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll

FF - component: C:\Users\Leo\AppData\Roaming\Mozilla\Firefox\Profi les\tryy8m62.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll

FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.110.0\npesnlaunch.dll

FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll

FF - plugin: C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll

FF - plugin: C:\Users\Leo\AppData\Local\Google\Update\1.3.21.12 3\npGoogleUpdate3.dll

FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_30 0_271.dll

FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: content.notify.interval - 600000

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.switch.threshold - 600000

.

============= SERVICES / DRIVERS ===============

.

R0 RapportKE64;RapportKE64;C:\Windows\system32\Driver s\RapportKE64.sys --> C:\Windows\system32\Drivers\RapportKE64.sys [?]

R1 RapportCerberus_34302;RapportCerberus_34302;C:\Pro gramData\Trusteer\Rapport\store\exts\RapportCerber us\34302\RapportCerberus64_34302.sys [2011-12-15 397520]

R1 RapportEI64;RapportEI64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2012-1-25 55056]

R1 RapportPG64;RapportPG64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2012-1-25 61712]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]

R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-8-6 361984]

R2 CDMA Device Service;CDMA Device Service;C:\Program Files (x86)\Samsung\USB Drivers\26_VIA_driver2\amd64\VIAService.exe [2011-9-18 159232]

R2 eamonm;eamonm;C:\Windows\system32\DRIVERS\eamonm.s ys --> C:\Windows\system32\DRIVERS\eamonm.sys [?]

R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2010-4-7 810120]

R2 epfwwfpr;epfwwfpr;C:\Windows\system32\DRIVERS\epfw wfpr.sys --> C:\Windows\system32\DRIVERS\epfwwfpr.sys [?]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\Windows\system32\drivers\LMIRfsDrive r.sys --> C:\Windows\system32\drivers\LMIRfsDriver.sys [?]

R2 MotoHelper;MotoHelper Service;C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2011-4-26 223088]

R2 RalinkRegistryWriter;Ralink Registry Writer;C:\Program Files (x86)\Planex\Common\RalinkRegistryWriter.exe [2010-7-7 54272]

R2 RapportMgmtService;Rapport Management Service;C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2012-1-25 931640]

R2 SplashtopRemoteService;Splashtop® Remote Service;C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe [2012-8-6 548264]

R2 SpyHunter 4 Service;SpyHunter 4 Service;C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [2012-8-21 1019328]

R2 SSUService;Splashtop Software Updater Service;C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe [2012-3-15 370504]

R2 TunngleService;TunngleService;C:\Program Files (x86)\Tunngle\TnglCtrl.exe [2011-7-16 741624]

R2 UnsignedThemes;Unsigned Themes;C:\Windows\UnsignedThemesSvc.exe [2009-7-13 24168]

R2 uxpatch;uxpatch;\??\C:\Windows\system32\drivers\ux patch.sys --> C:\Windows\system32\drivers\uxpatch.sys [?]

R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]

R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atik mdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]

R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atik mpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;C:\Windows\system32\DRIVERS\LEqdUsb.Sys --> C:\Windows\system32\DRIVERS\LEqdUsb.Sys [?]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;C:\Windows\system32\DRIVERS\LHidEqd.Sys --> C:\Windows\system32\DRIVERS\LHidEqd.Sys [?]

R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);C:\Windows\system32\DRIVERS\tap0901t.sys --> C:\Windows\system32\DRIVERS\tap0901t.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\ v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework6 4\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-11 136176]

S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-1 655944]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-5-3 158856]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPl ayerUpdateService.exe [2012-3-31 250056]

S3 BTCFilterService;USB Networking Driver Filter Service;C:\Windows\system32\DRIVERS\motfilt.sys --> C:\Windows\system32\DRIVERS\motfilt.sys [?]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe --> c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [?]

S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\system32\DRIVERS\ssudbus.sys --> C:\Windows\system32\DRIVERS\ssudbus.sys [?]

S3 esgiguard;esgiguard;C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [2011-3-2 13088]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-11 136176]

S3 motandroidusb;Mot ADB Interface Driver;C:\Windows\system32\Drivers\motoandroid.sys --> C:\Windows\system32\Drivers\motoandroid.sys [?]

S3 motccgp;Motorola USB Composite Device Driver;C:\Windows\system32\DRIVERS\motccgp.sys --> C:\Windows\system32\DRIVERS\motccgp.sys [?]

S3 motccgpfl;MotCcgpFlService;C:\Windows\system32\DRI VERS\motccgpfl.sys --> C:\Windows\system32\DRIVERS\motccgpfl.sys [?]

S3 Motousbnet;Motorola USB Networking Driver Service;C:\Windows\system32\DRIVERS\Motousbnet.sys --> C:\Windows\system32\DRIVERS\Motousbnet.sys [?]

S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-5 114144]

S3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;C:\Windows\system32\DRIVERS\netr28ux.sys --> C:\Windows\system32\DRIVERS\netr28ux.sys [?]

S3 PsSdk41;PsSdk41;\??\C:\Windows\system32\Drivers\ps sdk41.sys --> C:\Windows\system32\Drivers\pssdk41.sys [?]

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;C:\Windows\system32\DRIVERS\rt2870.sys --> C:\Windows\system32\DRIVERS\rt2870.sys [?]

S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\system32\DRIVERS\ssudmdm.sys --> C:\Windows\system32\DRIVERS\ssudmdm.sys [?]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsus bflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 VSPerfDrv100;Performance Tools Driver 10.0;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2010-3-17 68440]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-7-22 61976]

S4 RsFx0103;RsFx0103 Driver;C:\Windows\system32\DRIVERS\RsFx0103.sys --> C:\Windows\system32\DRIVERS\RsFx0103.sys [?]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2010-9-17 430424]

.

=============== Created Last 30 ================

.

2012-09-08 11:58:24 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D159B867-0EB3-4113-B5BF-991B2DC2A869}\offreg.dll

2012-09-07 11:44:03 9310152 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D159B867-0EB3-4113-B5BF-991B2DC2A869}\mpengine.dll

2012-09-03 22:38:26 -------- d-----w- C:\Program Files (x86)\ESET

2012-09-01 13:38:31 -------- d-----w- C:\Users\Leo\AppData\Roaming\Malwarebytes

2012-09-01 13:37:57 -------- d-----w- C:\ProgramData\Malwarebytes

2012-09-01 13:37:55 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-09-01 12:11:58 110080 ----a-w- C:\Users\Leo\AppData\Roaming\Microsoft\Installer\{ 8C5C34C7-BC6B-4831-8B2C-6535FE63E502}\IconD7F16134.exe

2012-09-01 12:11:58 110080 ----a-w- C:\Users\Leo\AppData\Roaming\Microsoft\Installer\{ 8C5C34C7-BC6B-4831-8B2C-6535FE63E502}\Icon1226A4C5.exe

2012-09-01 12:11:57 110080 ----a-w- C:\Users\Leo\AppData\Roaming\Microsoft\Installer\{ 8C5C34C7-BC6B-4831-8B2C-6535FE63E502}\IconF7A21AF7.exe

2012-09-01 12:11:57 -------- d-----w- C:\sh4ldr

2012-09-01 12:11:57 -------- d-----w- C:\Program Files\Enigma Software Group

2012-09-01 12:11:35 -------- d-----w- C:\Windows\8C5C34C7BC6B48318B2C6535FE63E502.TMP

2012-08-28 11:39:54 -------- d-----w- C:\Program Files (x86)\AMD APP

2012-08-24 12:04:36 -------- d-----w- C:\Users\Leo\AppData\Local\SIX_Projects

2012-08-22 00:41:19 -------- d-----w- C:\Users\Leo\AppData\Local\Dreambelievers

2012-08-22 00:40:55 -------- d-----w- C:\Program Files (x86)\Pokemon Online

2012-08-18 18:33:45 -------- d-----w- C:\Users\Leo\romannurik-code

2012-08-18 18:31:07 -------- d-----w- C:\Program Files (x86)\Git

2012-08-18 18:22:42 -------- d-----w- C:\Users\Leo\.ssh

2012-08-18 18:20:41 -------- d-----w- C:\Users\Leo\AppData\Local\GitHub

2012-08-18 18:20:39 -------- d-----w- C:\Users\Leo\AppData\Roaming\GitHub

2012-08-15 11:35:17 59392 ----a-w- C:\Windows\System32\browcli.dll

2012-08-15 11:35:17 136704 ----a-w- C:\Windows\System32\browser.dll

2012-08-15 11:35:16 41984 ----a-w- C:\Windows\SysWow64\browcli.dll

2012-08-15 11:35:14 503808 ----a-w- C:\Windows\System32\srcore.dll

2012-08-15 11:35:13 43008 ----a-w- C:\Windows\SysWow64\srclient.dll

2012-08-15 11:35:08 751104 ----a-w- C:\Windows\System32\win32spl.dll

2012-08-15 11:35:07 67072 ----a-w- C:\Windows\splwow64.exe

2012-08-15 11:35:07 559104 ----a-w- C:\Windows\System32\spoolsv.exe

2012-08-15 11:35:07 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll

2012-08-15 11:35:03 3148800 ----a-w- C:\Windows\System32\win32k.sys

2012-08-15 11:34:37 956928 ----a-w- C:\Windows\System32\localspl.dll

2012-08-13 11:31:02 -------- d-----w- C:\ProgramData\Splashtop

2012-08-13 11:30:20 -------- d-----w- C:\Users\Leo\AppData\Local\{BB3E1258-9A73-4A91-BE1F-249B31DCD5EF}

.

==================== Find3M ====================

.

2012-08-15 03:08:23 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-08-15 03:08:23 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-07-28 04:09:20 5538984 ----a-w- C:\Windows\SysWow64\atiumdag.dll

2012-07-28 04:07:44 10278912 ----a-w- C:\Windows\System32\drivers\atikmdag.sys

2012-07-28 03:43:12 70144 ----a-w- C:\Windows\System32\coinst_8.982.dll

2012-07-28 03:19:34 24935424 ----a-w- C:\Windows\System32\atio6axx.dll

2012-07-28 02:50:10 20546560 ----a-w- C:\Windows\SysWow64\atioglxx.dll

2012-07-28 02:15:50 163840 ----a-w- C:\Windows\System32\atiapfxx.exe

2012-07-28 02:15:42 931328 ----a-w- C:\Windows\SysWow64\aticfx32.dll

2012-07-28 02:13:56 1100288 ----a-w- C:\Windows\System32\aticfx64.dll

2012-07-28 0240 442368 ----a-w- C:\Windows\System32\ATIDEMGX.dll

2012-07-28 0234 534528 ----a-w- C:\Windows\System32\atieclxx.exe

2012-07-28 02:09:44 239616 ----a-w- C:\Windows\System32\atiesrxx.exe

2012-07-28 02:08:20 120320 ----a-w- C:\Windows\System32\atitmm64.dll

2012-07-28 02:08:04 21504 ----a-w- C:\Windows\System32\atimuixx.dll

2012-07-28 02:07:58 59392 ----a-w- C:\Windows\System32\atiedu64.dll

2012-07-28 02:07:52 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll

2012-07-28 02:07:10 6430208 ----a-w- C:\Windows\SysWow64\atidxx32.dll

2012-07-28 01:51:12 7052288 ----a-w- C:\Windows\System32\atidxx64.dll

2012-07-28 01:47:40 187392 ----a-w- C:\Windows\System32\clinfo.exe

2012-07-28 01:47:24 75776 ----a-w- C:\Windows\System32\OpenVideo64.dll

2012-07-28 01:47:16 65024 ----a-w- C:\Windows\SysWow64\OpenVideo.dll

2012-07-28 01:47:10 63488 ----a-w- C:\Windows\System32\OVDecode64.dll

2012-07-28 01:47:06 56320 ----a-w- C:\Windows\SysWow64\OVDecode.dll

2012-07-28 01:46:56 16464896 ----a-w- C:\Windows\System32\amdocl64.dll

2012-07-28 01:46:06 13013504 ----a-w- C:\Windows\SysWow64\amdocl.dll

2012-07-28 01:41:32 4266496 ----a-w- C:\Windows\System32\atiumd6a.dll

2012-07-28 01:35:10 51200 ----a-w- C:\Windows\System32\aticalrt64.dll

2012-07-28 01:35:08 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll

2012-07-28 01:35:02 44544 ----a-w- C:\Windows\System32\aticalcl64.dll

2012-07-28 01:35:00 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll

2012-07-28 01:34:48 16034304 ----a-w- C:\Windows\System32\aticaldd64.dll

2012-07-28 01:32:32 4751872 ----a-w- C:\Windows\SysWow64\atiumdva.dll

2012-07-28 01:30:10 13605888 ----a-w- C:\Windows\SysWow64\aticaldd.dll

2012-07-28 01:25:52 6676480 ----a-w- C:\Windows\System32\atiumd64.dll

2012-07-28 01:15:32 540160 ----a-w- C:\Windows\System32\atiadlxx.dll

2012-07-28 01:15:22 368640 ----a-w- C:\Windows\SysWow64\atiadlxy.dll

2012-07-28 01:15:12 17920 ----a-w- C:\Windows\System32\atig6pxx.dll

2012-07-28 01:15:08 14848 ----a-w- C:\Windows\SysWow64\atiglpxx.dll

2012-07-28 01:15:08 14848 ----a-w- C:\Windows\System32\atiglpxx.dll

2012-07-28 01:15:04 41984 ----a-w- C:\Windows\System32\atig6txx.dll

2012-07-28 01:14:56 33280 ----a-w- C:\Windows\SysWow64\atigktxx.dll

2012-07-28 01:14:46 368640 ----a-w- C:\Windows\System32\drivers\atikmpag.sys

2012-07-28 01:13:54 129536 ----a-w- C:\Windows\System32\atiuxp64.dll

2012-07-28 01:13:48 109568 ----a-w- C:\Windows\SysWow64\atiuxpag.dll

2012-07-28 01:13:40 103936 ----a-w- C:\Windows\System32\atiu9p64.dll

2012-07-28 01:13:32 83456 ----a-w- C:\Windows\SysWow64\atiu9pag.dll

2012-07-28 01:12:54 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll

2012-07-28 01:08:42 56320 ----a-w- C:\Windows\System32\atimpc64.dll

2012-07-28 01:08:42 56320 ----a-w- C:\Windows\System32\amdpcom64.dll

2012-07-28 01:08:36 56832 ----a-w- C:\Windows\SysWow64\atimpc32.dll

2012-07-28 01:08:36 56832 ----a-w- C:\Windows\SysWow64\amdpcom32.dll

2012-07-06 01:06:30 772544 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2012-07-06 01:06:20 687544 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2012-07-05 21:11:18 87488 ----a-w- C:\Windows\System32\LMIRfsClientNP.dll

2012-07-05 2124 34720 ----a-w- C:\Windows\System32\LMIport.dll

2012-07-05 2122 80800 ----a-w- C:\Windows\System32\LMIinit.dll

2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

.

============= FINISH: 10:25:29.88 ===============

Sorry for the double post, but I cant add all the logs:

This is the ComboFix Log:

And Combofix Log:

Combofix:

ComboFix 12-09-09.02 - Leo 09/09/2012 9:48.1.2 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.2285 [GMT -3:00]

Running from: c:\users\Leo\Desktop\ComboFix.exe

AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}

SP: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\BPvtbPC5NC2sT6

c:\users\Leo\AppData\Local\assembly\tmp

c:\users\Leo\AppData\Local\Temp\26b4a1dd-e07b-48af-be4e-9642b273284b\CliSecureRT.dll

c:\users\Leo\AppData\Roaming\FFSJ

c:\users\Leo\AppData\Roaming\FFSJ\FFSJ.cfg

c:\windows\pkunzip.pif

c:\windows\pkzip.pif

c:\windows\SysWow64\muzapp.exe

c:\windows\SysWow64\System32\MASetupCleaner.exe

c:\windows\SysWow64\System32\muzapp.exe

D:\install.exe

.

----- File Replicators -----

.

c:\program files (x86)\Git\bin\git.exe

c:\program files (x86)\Git\libexec\git-core\git-add.exe

c:\program files (x86)\Git\libexec\git-core\git-annotate.exe

c:\program files (x86)\Git\libexec\git-core\git-apply.exe

c:\program files (x86)\Git\libexec\git-core\git-archive.exe

c:\program files (x86)\Git\libexec\git-core\git-bisect--helper.exe

c:\program files (x86)\Git\libexec\git-core\git-blame.exe

c:\program files (x86)\Git\libexec\git-core\git-branch.exe

c:\program files (x86)\Git\libexec\git-core\git-bundle.exe

c:\program files (x86)\Git\libexec\git-core\git-cat-file.exe

c:\program files (x86)\Git\libexec\git-core\git-check-attr.exe

c:\program files (x86)\Git\libexec\git-core\git-check-ref-format.exe

c:\program files (x86)\Git\libexec\git-core\git-checkout-index.exe

c:\program files (x86)\Git\libexec\git-core\git-checkout.exe

c:\program files (x86)\Git\libexec\git-core\git-cherry-pick.exe

c:\program files (x86)\Git\libexec\git-core\git-cherry.exe

c:\program files (x86)\Git\libexec\git-core\git-clean.exe

c:\program files (x86)\Git\libexec\git-core\git-clone.exe

c:\program files (x86)\Git\libexec\git-core\git-column.exe

c:\program files (x86)\Git\libexec\git-core\git-commit-tree.exe

c:\program files (x86)\Git\libexec\git-core\git-commit.exe

c:\program files (x86)\Git\libexec\git-core\git-config.exe

c:\program files (x86)\Git\libexec\git-core\git-count-objects.exe

c:\program files (x86)\Git\libexec\git-core\git-describe.exe

c:\program files (x86)\Git\libexec\git-core\git-diff-files.exe

c:\program files (x86)\Git\libexec\git-core\git-diff-index.exe

c:\program files (x86)\Git\libexec\git-core\git-diff-tree.exe

c:\program files (x86)\Git\libexec\git-core\git-diff.exe

c:\program files (x86)\Git\libexec\git-core\git-fast-export.exe

c:\program files (x86)\Git\libexec\git-core\git-fetch-pack.exe

c:\program files (x86)\Git\libexec\git-core\git-fetch.exe

c:\program files (x86)\Git\libexec\git-core\git-fmt-merge-msg.exe

c:\program files (x86)\Git\libexec\git-core\git-for-each-ref.exe

c:\program files (x86)\Git\libexec\git-core\git-format-patch.exe

c:\program files (x86)\Git\libexec\git-core\git-fsck-objects.exe

c:\program files (x86)\Git\libexec\git-core\git-fsck.exe

c:\program files (x86)\Git\libexec\git-core\git-gc.exe

c:\program files (x86)\Git\libexec\git-core\git-get-tar-commit-id.exe

c:\program files (x86)\Git\libexec\git-core\git-grep.exe

c:\program files (x86)\Git\libexec\git-core\git-hash-object.exe

c:\program files (x86)\Git\libexec\git-core\git-help.exe

c:\program files (x86)\Git\libexec\git-core\git-index-pack.exe

c:\program files (x86)\Git\libexec\git-core\git-init-db.exe

c:\program files (x86)\Git\libexec\git-core\git-init.exe

c:\program files (x86)\Git\libexec\git-core\git-log.exe

c:\program files (x86)\Git\libexec\git-core\git-ls-files.exe

c:\program files (x86)\Git\libexec\git-core\git-ls-remote.exe

c:\program files (x86)\Git\libexec\git-core\git-ls-tree.exe

c:\program files (x86)\Git\libexec\git-core\git-mailinfo.exe

c:\program files (x86)\Git\libexec\git-core\git-mailsplit.exe

c:\program files (x86)\Git\libexec\git-core\git-merge-base.exe

c:\program files (x86)\Git\libexec\git-core\git-merge-file.exe

c:\program files (x86)\Git\libexec\git-core\git-merge-index.exe

c:\program files (x86)\Git\libexec\git-core\git-merge-ours.exe

c:\program files (x86)\Git\libexec\git-core\git-merge-recursive.exe

c:\program files (x86)\Git\libexec\git-core\git-merge-subtree.exe

c:\program files (x86)\Git\libexec\git-core\git-merge-tree.exe

c:\program files (x86)\Git\libexec\git-core\git-merge.exe

c:\program files (x86)\Git\libexec\git-core\git-mktag.exe

c:\program files (x86)\Git\libexec\git-core\git-mktree.exe

c:\program files (x86)\Git\libexec\git-core\git-mv.exe

c:\program files (x86)\Git\libexec\git-core\git-name-rev.exe

c:\program files (x86)\Git\libexec\git-core\git-notes.exe

c:\program files (x86)\Git\libexec\git-core\git-pack-objects.exe

c:\program files (x86)\Git\libexec\git-core\git-pack-redundant.exe

c:\program files (x86)\Git\libexec\git-core\git-pack-refs.exe

c:\program files (x86)\Git\libexec\git-core\git-patch-id.exe

c:\program files (x86)\Git\libexec\git-core\git-peek-remote.exe

c:\program files (x86)\Git\libexec\git-core\git-prune-packed.exe

c:\program files (x86)\Git\libexec\git-core\git-prune.exe

c:\program files (x86)\Git\libexec\git-core\git-push.exe

c:\program files (x86)\Git\libexec\git-core\git-read-tree.exe

c:\program files (x86)\Git\libexec\git-core\git-receive-pack.exe

c:\program files (x86)\Git\libexec\git-core\git-reflog.exe

c:\program files (x86)\Git\libexec\git-core\git-remote-ext.exe

c:\program files (x86)\Git\libexec\git-core\git-remote-fd.exe

c:\program files (x86)\Git\libexec\git-core\git-remote.exe

c:\program files (x86)\Git\libexec\git-core\git-replace.exe

c:\program files (x86)\Git\libexec\git-core\git-repo-config.exe

c:\program files (x86)\Git\libexec\git-core\git-rerere.exe

c:\program files (x86)\Git\libexec\git-core\git-reset.exe

c:\program files (x86)\Git\libexec\git-core\git-rev-list.exe

c:\program files (x86)\Git\libexec\git-core\git-rev-parse.exe

c:\program files (x86)\Git\libexec\git-core\git-revert.exe

c:\program files (x86)\Git\libexec\git-core\git-rm.exe

c:\program files (x86)\Git\libexec\git-core\git-send-pack.exe

c:\program files (x86)\Git\libexec\git-core\git-shortlog.exe

c:\program files (x86)\Git\libexec\git-core\git-show-branch.exe

c:\program files (x86)\Git\libexec\git-core\git-show-ref.exe

c:\program files (x86)\Git\libexec\git-core\git-show.exe

c:\program files (x86)\Git\libexec\git-core\git-stage.exe

c:\program files (x86)\Git\libexec\git-core\git-status.exe

c:\program files (x86)\Git\libexec\git-core\git-stripspace.exe

c:\program files (x86)\Git\libexec\git-core\git-symbolic-ref.exe

c:\program files (x86)\Git\libexec\git-core\git-tag.exe

c:\program files (x86)\Git\libexec\git-core\git-tar-tree.exe

c:\program files (x86)\Git\libexec\git-core\git-unpack-file.exe

c:\program files (x86)\Git\libexec\git-core\git-unpack-objects.exe

c:\program files (x86)\Git\libexec\git-core\git-update-index.exe

c:\program files (x86)\Git\libexec\git-core\git-update-ref.exe

c:\program files (x86)\Git\libexec\git-core\git-update-server-info.exe

c:\program files (x86)\Git\libexec\git-core\git-upload-archive.exe

c:\program files (x86)\Git\libexec\git-core\git-var.exe

c:\program files (x86)\Git\libexec\git-core\git-verify-pack.exe

c:\program files (x86)\Git\libexec\git-core\git-verify-tag.exe

c:\program files (x86)\Git\libexec\git-core\git-whatchanged.exe

c:\program files (x86)\Git\libexec\git-core\git-write-tree.exe

c:\program files (x86)\Git\libexec\git-core\git.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-08-09 to 2012-09-09 )))))))))))))))))))))))))))))))

.

.

2012-09-09 13:35 . 2012-09-09 13:35 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp

2012-09-09 13:35 . 2012-09-09 13:35 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-09-09 13:35 . 2012-09-09 13:35 -------- d-----w- c:\users\Sil\AppData\Local\temp

2012-09-07 11:44 . 2012-08-23 08:26 9310152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D159B867-0EB3-4113-B5BF-991B2DC2A869}\mpengine.dll

2012-09-01 13:38 . 2012-09-01 13:38 -------- d-----w- c:\users\Leo\AppData\Roaming\Malwarebytes

2012-09-01 13:37 . 2012-09-01 13:37 -------- d-----w- c:\programdata\Malwarebytes

2012-09-01 13:37 . 2012-09-01 13:38 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-09-01 12:11 . 2012-09-01 12:11 110080 ----a-w- c:\users\Leo\AppData\Roaming\Microsoft\Installer\{ 8C5C34C7-BC6B-4831-8B2C-6535FE63E502}\IconD7F16134.exe

2012-09-01 12:11 . 2012-09-01 12:11 110080 ----a-w- c:\users\Leo\AppData\Roaming\Microsoft\Installer\{ 8C5C34C7-BC6B-4831-8B2C-6535FE63E502}\Icon1226A4C5.exe

2012-09-01 12:11 . 2012-09-01 12:12 -------- d-----w- C:\sh4ldr

2012-09-01 12:11 . 2012-09-01 12:11 110080 ----a-w- c:\users\Leo\AppData\Roaming\Microsoft\Installer\{ 8C5C34C7-BC6B-4831-8B2C-6535FE63E502}\IconF7A21AF7.exe

2012-09-01 12:11 . 2012-09-01 12:11 -------- d-----w- c:\program files\Enigma Software Group

2012-09-01 12:11 . 2012-09-01 12:12 -------- d-----w- c:\windows\8C5C34C7BC6B48318B2C6535FE63E502.TMP

2012-08-28 11:40 . 2012-08-28 11:40 -------- d-----w- c:\programdata\ATI

2012-08-28 11:39 . 2012-08-28 11:39 -------- d-----w- c:\program files (x86)\AMD APP

2012-08-24 12:04 . 2012-08-24 12:04 -------- d-----w- c:\users\Leo\AppData\Local\SIX_Projects

2012-08-22 00:41 . 2012-08-22 00:41 -------- d-----w- c:\users\Leo\AppData\Local\Dreambelievers

2012-08-22 00:40 . 2012-08-22 00:41 -------- d-----w- c:\program files (x86)\Pokemon Online

2012-08-18 18:33 . 2012-08-18 18:33 -------- d-----w- c:\users\Leo\romannurik-code

2012-08-18 18:31 . 2012-08-18 18:32 -------- d-----w- c:\program files (x86)\Git

2012-08-18 18:22 . 2012-08-18 18:22 -------- d-----w- c:\users\Leo\.ssh

2012-08-18 18:20 . 2012-08-18 18:28 -------- d-----w- c:\users\Leo\AppData\Local\GitHub

2012-08-18 18:20 . 2012-08-18 18:20 -------- d-----w- c:\users\Leo\AppData\Roaming\GitHub

2012-08-15 11:35 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll

2012-08-15 11:35 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll

2012-08-15 11:35 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll

2012-08-15 11:35 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll

2012-08-15 11:35 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll

2012-08-15 11:35 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll

2012-08-15 11:35 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll

2012-08-15 11:35 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe

2012-08-15 11:35 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe

2012-08-15 11:35 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll

2012-08-15 11:35 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys

2012-08-15 11:34 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll

2012-08-13 11:31 . 2012-08-13 11:31 -------- d-----w- c:\programdata\Splashtop

2012-08-13 11:30 . 2012-08-13 11:30 -------- d-----w- c:\users\Leo\AppData\Local\{BB3E1258-9A73-4A91-BE1F-249B31DCD5EF}

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))

.

2012-08-15 11:27 . 2009-11-08 10:56 62134624 ----a-w- c:\windows\system32\MRT.exe

2012-08-15 03:08 . 2012-03-31 10:52 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-08-15 03:08 . 2011-05-15 12:36 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-07-28 04:09 . 2011-09-03 20:14 5538984 ----a-w- c:\windows\SysWow64\atiumdag.dll

2012-07-28 04:07 . 2012-07-28 04:07 10278912 ----a-w- c:\windows\system32\drivers\atikmdag.sys

2012-07-28 03:43 . 2012-07-28 03:43 70144 ----a-w- c:\windows\system32\coinst_8.982.dll

2012-07-28 03:19 . 2012-07-28 03:19 24935424 ----a-w- c:\windows\system32\atio6axx.dll

2012-07-28 02:50 . 2012-07-28 02:50 20546560 ----a-w- c:\windows\SysWow64\atioglxx.dll

2012-07-28 02:15 . 2012-07-28 02:15 163840 ----a-w- c:\windows\system32\atiapfxx.exe

2012-07-28 02:15 . 2011-09-03 20:12 931328 ----a-w- c:\windows\SysWow64\aticfx32.dll

2012-07-28 02:13 . 2009-12-11 20:34 1100288 ----a-w- c:\windows\system32\aticfx64.dll

2012-07-28 02:10 . 2012-07-28 02:10 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll

2012-07-28 02:10 . 2012-07-28 02:10 534528 ----a-w- c:\windows\system32\atieclxx.exe

2012-07-28 02:09 . 2012-07-28 02:09 239616 ----a-w- c:\windows\system32\atiesrxx.exe

2012-07-28 02:08 . 2012-07-28 02:08 120320 ----a-w- c:\windows\system32\atitmm64.dll

2012-07-28 02:08 . 2012-07-28 02:08 21504 ----a-w- c:\windows\system32\atimuixx.dll

2012-07-28 02:07 . 2012-07-28 02:07 59392 ----a-w- c:\windows\system32\atiedu64.dll

2012-07-28 02:07 . 2012-07-28 02:07 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll

2012-07-28 02:07 . 2012-04-06 02:13 6430208 ----a-w- c:\windows\SysWow64\atidxx32.dll

2012-07-28 01:51 . 2009-12-11 20:31 7052288 ----a-w- c:\windows\system32\atidxx64.dll

2012-07-28 01:47 . 2012-07-28 01:47 187392 ----a-w- c:\windows\system32\clinfo.exe

2012-07-28 01:47 . 2012-07-28 01:47 75776 ----a-w- c:\windows\system32\OpenVideo64.dll

2012-07-28 01:47 . 2012-07-28 01:47 65024 ----a-w- c:\windows\SysWow64\OpenVideo.dll

2012-07-28 01:47 . 2012-07-28 01:47 63488 ----a-w- c:\windows\system32\OVDecode64.dll

2012-07-28 01:47 . 2012-07-28 01:47 56320 ----a-w- c:\windows\SysWow64\OVDecode.dll

2012-07-28 01:46 . 2012-07-28 01:46 16464896 ----a-w- c:\windows\system32\amdocl64.dll

2012-07-28 01:46 . 2012-07-28 01:46 13013504 ----a-w- c:\windows\SysWow64\amdocl.dll

2012-07-28 01:41 . 2012-07-28 01:41 4266496 ----a-w- c:\windows\system32\atiumd6a.dll

2012-07-28 01:35 . 2012-07-28 01:35 51200 ----a-w- c:\windows\system32\aticalrt64.dll

2012-07-28 01:35 . 2012-07-28 01:35 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll

2012-07-28 01:35 . 2012-07-28 01:35 44544 ----a-w- c:\windows\system32\aticalcl64.dll

2012-07-28 01:35 . 2012-07-28 01:35 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll

2012-07-28 01:34 . 2012-07-28 01:34 16034304 ----a-w- c:\windows\system32\aticaldd64.dll

2012-07-28 01:32 . 2011-09-03 20:12 4751872 ----a-w- c:\windows\SysWow64\atiumdva.dll

2012-07-28 01:30 . 2012-07-28 01:30 13605888 ----a-w- c:\windows\SysWow64\aticaldd.dll

2012-07-28 01:25 . 2012-07-28 01:25 6676480 ----a-w- c:\windows\system32\atiumd64.dll

2012-07-28 01:15 . 2012-07-28 01:15 540160 ----a-w- c:\windows\system32\atiadlxx.dll

2012-07-28 01:15 . 2012-07-28 01:15 368640 ----a-w- c:\windows\SysWow64\atiadlxy.dll

2012-07-28 01:15 . 2012-07-28 01:15 17920 ----a-w- c:\windows\system32\atig6pxx.dll

2012-07-28 01:15 . 2012-07-28 01:15 14848 ----a-w- c:\windows\SysWow64\atiglpxx.dll

2012-07-28 01:15 . 2012-07-28 01:15 14848 ----a-w- c:\windows\system32\atiglpxx.dll

2012-07-28 01:15 . 2012-07-28 01:15 41984 ----a-w- c:\windows\system32\atig6txx.dll

2012-07-28 01:14 . 2012-07-28 01:14 33280 ----a-w- c:\windows\SysWow64\atigktxx.dll

2012-07-28 01:14 . 2012-07-28 01:14 368640 ----a-w- c:\windows\system32\drivers\atikmpag.sys

2012-07-28 01:13 . 2009-12-11 19:50 129536 ----a-w- c:\windows\system32\atiuxp64.dll

2012-07-28 01:13 . 2012-04-06 01:09 109568 ----a-w- c:\windows\SysWow64\atiuxpag.dll

2012-07-28 01:13 . 2012-07-28 01:13 103936 ----a-w- c:\windows\system32\atiu9p64.dll

2012-07-28 01:13 . 2010-05-05 01:22 83456 ----a-w- c:\windows\SysWow64\atiu9pag.dll

2012-07-28 01:12 . 2012-07-28 01:12 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll

2012-07-28 01:08 . 2012-07-28 01:08 56320 ----a-w- c:\windows\system32\atimpc64.dll

2012-07-28 01:08 . 2012-07-28 01:08 56320 ----a-w- c:\windows\system32\amdpcom64.dll

2012-07-28 01:08 . 2012-07-28 01:08 56832 ----a-w- c:\windows\SysWow64\atimpc32.dll

2012-07-28 01:08 . 2012-07-28 01:08 56832 ----a-w- c:\windows\SysWow64\amdpcom32.dll

2012-07-06 01:06 . 2012-07-16 01:23 772544 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2012-07-06 01:06 . 2010-12-25 01:58 687544 ----a-w- c:\windows\SysWow64\deployJava1.dll

2012-07-05 21:11 . 2012-07-16 01:18 87488 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2012-07-05 21:10 . 2012-07-16 01:18 34720 ----a-w- c:\windows\system32\LMIport.dll

2012-07-05 21:10 . 2012-07-16 01:18 80800 ----a-w- c:\windows\system32\LMIinit.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\ windows\currentversion\explorer\shelliconoverlayid entifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 94208 ----a-w- c:\users\Leo\AppData\Roaming\Dropbox\bin\DropboxEx t.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\ windows\currentversion\explorer\shelliconoverlayid entifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 94208 ----a-w- c:\users\Leo\AppData\Roaming\Dropbox\bin\DropboxEx t.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\ windows\currentversion\explorer\shelliconoverlayid entifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 94208 ----a-w- c:\users\Leo\AppData\Roaming\Dropbox\bin\DropboxEx t.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\ windows\currentversion\explorer\shelliconoverlayid entifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 94208 ----a-w- c:\users\Leo\AppData\Roaming\Dropbox\bin\DropboxEx t.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]

"RocketDock"="c:\program files (x86)\RocketDock\RocketDock.exe" [2007-09-02 495616]

"Steam"="h:\steam\steam.exe" [2012-08-04 1353080]

"KiesPDLR"="c:\program files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDL R.exe" [2012-05-30 21432]

"F.lux"="c:\users\Leo\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ Windows\CurrentVersion\Run]

"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]

"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]

"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]

"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"googletalk"="c:\program files (x86)\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.ex e" [2010-07-23 402432]

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-08-06 642216]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]

.

c:\users\Leo\AppData\Roaming\Microsoft\Windows\Sta rt Menu\Programs\Startup\

Dropbox.lnk - c:\users\Leo\AppData\Roaming\Dropbox\bin\Dropbox.e xe [2012-5-24 27112840]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]

Planex Wireless Utility.lnk - c:\program files (x86)\Planex\Common\RaUI.exe [2010-7-7 1568768]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\ windows\currentversion\run-]

"HKLM"=c:\windows\system\system.exe

"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"

"HP Software Update"=c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework6 4\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-12 136176]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [x]

R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-05-03 158856]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPl ayerUpdateService.exe [2012-08-15 250056]

R3 ALSysIO;ALSysIO;c:\users\Leo\AppData\Local\Temp\AL SysIO64.sys [x]

R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [2009-01-29 6144]

R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe [x]

R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-05-21 99384]

R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgde rdrv.sys [x]

R3 EagleX64;EagleX64;c:\windows\system32\drivers\Eagl eX64.sys [x]

R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [2011-03-02 13088]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-12 136176]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\dr ivers\mbam.sys [x]

R3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [2009-07-10 31744]

R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2011-04-04 21504]

R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRI VERS\motccgpfl.sys [2009-01-29 9216]

R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [x]

R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [2010-04-01 26624]

R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sy s [x]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-09-07 114144]

R3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2009-06-10 867328]

R3 PsSdk41;PsSdk41;c:\windows\system32\Drivers\pssdk4 1.sys [2012-04-15 51776]

R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2012-05-21 203320]

R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsus bflt.sys [2010-11-20 59392]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-02-18 51712]

R3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2010-03-18 68440]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-15 1255736]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]

R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 311656]

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-05-06 868848]

R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2010-09-17 430424]

S0 RapportKE64;RapportKE64;c:\windows\System32\Driver s\RapportKE64.sys [2012-01-25 63760]

S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-04-08 139704]

S1 RapportCerberus_34302;RapportCerberus_34302;c:\pro gramdata\Trusteer\Rapport\store\exts\RapportCerber us\34302\RapportCerberus64_34302.sys [2011-12-15 397520]

S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2012-01-25 55056]

S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2012-01-25 61712]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-07-28 239616]

S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-08-06 361984]

S2 CDMA Device Service;CDMA Device Service;c:\program files (x86)\Samsung\USB Drivers\26_VIA_driver2\amd64\VIAService.exe [2011-08-02 159232]

S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.s ys [2010-04-08 163888]

S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2010-04-08 810120]

S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfw wfpr.sys [2010-04-08 124760]

S2 MotoHelper;MotoHelper Service;c:\program files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2011-04-26 223088]

S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2012-01-25 931640]

S2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe [2012-08-07 548264]

S2 SSUService;Splashtop Software Updater Service;c:\program files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe [2012-03-15 370504]

S2 TunngleService;TunngleService;c:\program files (x86)\Tunngle\TnglCtrl.exe [2011-07-15 741624]

S2 UnsignedThemes;Unsigned Themes;c:\windows\UnsignedThemesSvc.exe [2009-07-13 24168]

S2 uxpatch;uxpatch;c:\windows\system32\drivers\uxpatc h.sys [2009-07-13 30568]

S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atik mdag.sys [2012-07-28 10278912]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atik mpag.sys [2012-07-28 368640]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-05-14 96896]

S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys [2009-06-17 74256]

S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys [2009-06-17 13328]

S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [2009-09-16 31232]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\ windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-09 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpda teService.exe [2012-03-31 03:08]

.

2012-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-12 01:11]

.

2012-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-12 01:11]

.

2012-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-426816942-16390753-694045178-1001Core.job

- c:\users\Leo\AppData\Local\Google\Update\GoogleUpd ate.exe [2012-09-03 17:59]

.

2012-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-426816942-16390753-694045178-1001UA.job

- c:\users\Leo\AppData\Local\Google\Update\GoogleUpd ate.exe [2012-09-03 17:59]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shelliconoverlayidentifiers\Dr opboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\Leo\AppData\Roaming\Dropbox\bin\DropboxEx t64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shelliconoverlayidentifiers\Dr opboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\Leo\AppData\Roaming\Dropbox\bin\DropboxEx t64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shelliconoverlayidentifiers\Dr opboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\Leo\AppData\Roaming\Dropbox\bin\DropboxEx t64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shelliconoverlayidentifiers\Dr opboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-12-05 19:17 97792 ----a-w- c:\users\Leo\AppData\Roaming\Dropbox\bin\DropboxEx t64.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]

"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 825184]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-04-08 2839840]

"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.e xe" [2010-03-06 500208]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-04-13 1860496]

"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2012-05-30 3521464]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = 192.168.*.*;*.local

IE: E&xportar a Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: soe.com

Trusted Zone: sony.com

TCP: DhcpNameServer = 200.42.4.203 200.49.130.40

FF - ProfilePath - c:\users\Leo\AppData\Roaming\Mozilla\Firefox\Profi les\tryy8m62.default\

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: content.notify.interval - 600000

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.switch.threshold - 600000

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKCU-Run-KiesHelper - c:\program files (x86)\Samsung\Kies\KiesHelper.exe

Wow6432Node-HKLM-Run-mumservice - c:\program files\Motorola\Software Update\mumservice.exe

BHO-{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - c:\program files (x86)\Hotspot Shield\HssIE\HssIE_64.dll

HKLM-Run-LogMeIn GUI - c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe

AddRemove-Battlelog Web Plugins - c:\program files (x86)\Battlelog Web Plugins\uninstall.exe

AddRemove-BattlEye for A2 - h:\steam\steamapps\common\arma 2BattlEye\UnInstallBE.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-426816942-16390753-694045178-1001\Software\SecuROM\License information*]

"datasecu"=hex:f0,7f,35,b5,29,a0,20,f2,8f,ba,6d,39 ,a3,97,43,47,12,ac,dd,c7,2e,

78,40,b0,a6,dc,a5,12,e9,1f,0e,6b,04,b7,83,e6,6f,e9 ,d5,a9,38,da,e3,4a,fa,14,\

"rkeysecu"=hex:e7,be,44,82,89,9c,9c,e0,7b,e4,ac,38 ,1d,44,fa,46

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macrome d\\Flash\\FlashUtil10c.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUt il10c.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10 c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10 c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10 c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10 c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CL SID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\In terface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\In terface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\In terface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PC W\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Bonjour\mDNSResponder.exe

c:\windows\SysWOW64\PnkBstrA.exe

c:\windows\SysWOW64\PnkBstrB.exe

c:\program files (x86)\Planex\Common\RalinkRegistryWriter.exe

c:\program files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe

c:\program files (x86)\Trusteer\Rapport\bin\RapportService.exe

c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe

.

************************************************** ************************

.

Completion time: 2012-09-09 11:05:58 - machine was rebooted

ComboFix-quarantined-files.txt 2012-09-09 14:05

.

Pre-Run: 35,316,404,224 bytes free

Post-Run: 39,008,477,184 bytes free

.

- - End Of File - - B4CA6BCA0D789EEE5271BC9EE3E0CFC8

Attach.txt

[Maurice Naggar]

Hello and welcome to MalwareBytes forums.

Backdoor trojan warning:TDL4

This is a point where you need to decide about whether to make a clean start.

According to the information provided in logs, one or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

You are strongly advised to do the following immediately.

1. Contact your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and ask them to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups.

3. Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.These trojans leave a backdoor open on the system that can allow a hacker total and complete access to your computer. (Remote access trojan) Hackers can operate your computer just as if they were sitting in front of it. Hackers can watch everything you are doing on the computer, play tricks, do screenshots, log passwords, start and stop programs.

* Take any other steps you think appropriate for an attempted identity theft.

You should also understand that once a system has been compromised by a Trojan backdoor, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows fresh.

While we usually can successfully remove malware like this, we cannot guarantee that it is totally gone, and that your system is completely safe to use for future financial information and/or transactions.

Here is some additional information: What Is A Backdoor Trojan? http://www.geekstogo...backdoor-trojan

Danger: Remote Access Trojans http://www.microsoft...o/virusrat.mspx

Consumers – Identity Theft http://www.ftc.gov/b...mers/index.html

When should I re-format? How should I reinstall? http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? http://www.dslreports.com/faq/10451

Rootkits: The Obscure Hacker Attack http://www.microsoft...tip/st1005.mspx

Help: I Got Hacked. Now What Do I Do? http://www.microsoft...gmt/sm0504.mspx

Help: I Got Hacked. Now What Do I Do? Part II http://www.microsoft...gmt/sm0704.mspx

Microsoft Says Recovery from Malware Becoming Impossible http://www.eweek.com...,1945808,00.asp

Let me know what you decide.

If you decide to try hunting for and removing malware, start & do as much as possible of the following.

If you did not buy SpywareHunter, un-install it.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

Please download Rkill by Grinler and save it to your desktop.

• 
  

Link 2
Link 3
Link 4
Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL

IF you still have a problem running RKILL, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

When all done, rkill.txt log file will be on your desktop. Copy & Paste contents of Rkill.txt into a reply.

More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html

Run a Batch Script

1. Press the Windows-key on keyboard.
   
2. In the box, type notepad and press Enter.
   
3. Highlight the contents of the following codebox, and copy and paste that text into NOTEPAD.
   

   sc stop F.lux
   sc delete F.lux
   rd /s /q C:\Users\Leo\Local Settings\Apps\F.lux
   del /f /q "%~f0"

   
   

4. Select File -> Save AS.
   
5. Press the Desktop button on the left side of the save dialog.
   
6. In the box, type in Fix.bat.
   
7. Press .
   
8. Close Notepad.
   
9. Right click on your desktop, and choose .
   
10. Press Yes if prompted by User Account Control.
    

Delete the previous copy of TDSSKILLER.

Turn off your antivirus program so that it does not interfere.

Please read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
  
• Double-Click on TDSSKiller.exe to run the application, then on Start Scan.
  If running Vista or Windows 7, do a RIGHT-Click and select Run as Administrator to start TDSSKILLER.exe.
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
• If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
  Skip and click on Continue
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  

[Maurice Naggar]

{{ ping }}

Are you still with me? If you still need help, do the items I outlined above and post the logs.

IF you need more time, please advise me.

IF I do not hear back from you by the next two days, I will close this.

[Siemnok]

Hi Maurice, thanks for the help. I decided to make a fresh windows install.

I have a few questions:

I have 2 disks, and every disk has 2 partitions. On one disk I have Win7 and WinXP. The other disk is for Downloads and games.

My question is I need to format all my disks? or only the partition with Windows 7? If y format the partition with Windows 7, the trojan is deleted too?

Many thanks for the help

[Maurice Naggar]

One cannot be certain just where the trojan is or if you have a rootkit.

If you will run the tools I listed we might get a better sense.

Assuming (and that is dangerous) that only Windows 7 is infected, and if you do reformat, then reformatting WIN7 and doing a new WIN7 install would suffice.

Do the tools I outlined, and after, run this

Please download Listparts

Run the tool, click Scan and post the log (Result.txt) it makes.

Download aswMBR.exe ( 511KB ) to your desktop.

On Windows 7 or Vista, RIGHT click on aswMBR.exe and select Run As Administrator to start.

On Windows XP, double click the exe to start.

change the a-v scan to None.

uncheck trace disk IO calls

Click the "Scan" button to start scan

On completion of the scan (Note if the Fix button is enabled (not the FixMBR button) and tell me) click save log, save it to your desktop and post in your next reply

[Siemnok]

Hi Maurice, these are the logs:

LIistParts:

ListParts by Farbar Version: 17-09-2012

Ran by Home (administrator) on 17-09-2012 at 19:45:04

Windows 7 (X64)

Running From: C:\Users\Home\Desktop

Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 30%

Total physical RAM: 4094.49 MB

Available physical RAM: 2856.17 MB

Total Pagefile: 8187.13 MB

Available Pagefile: 6694.69 MB

Total Virtual: 4095.88 MB

Available Virtual: 3984.57 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:165.74 GB) (Free:148.64 GB) NTFS ==>[system with boot components (obtained from reading drive)]

2 Drive d: (Back Up) (Fixed) (Total:443.23 GB) (Free:443.13 GB) NTFS

3 Drive e: (Windows XP) (Fixed) (Total:300 GB) (Free:187.18 GB) NTFS ==>[system with boot components (obtained from reading drive)]

4 Drive f: (Downloads) (Fixed) (Total:488.28 GB) (Free:186.23 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 465 GB 13 MB

Disk 1 Online 931 GB 1024 KB

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 300 GB 31 KB

Partition 2 Primary 165 GB 300 GB

======================================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 E Windows XP NTFS Partition 300 GB Healthy

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 165 GB Healthy System (partition with boot components)

======================================================================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 443 GB 1024 KB

Partition 2 Primary 488 GB 443 GB

======================================================================================================

Disk: 1

Partition 1

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 3 D Back Up NTFS Partition 443 GB Healthy

======================================================================================================

Disk: 1

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 4 F Downloads NTFS Partition 488 GB Healthy

======================================================================================================

****** End Of Log ******

aswMBR:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-09-17 19:50:48

-----------------------------

19:50:48.809 OS Version: Windows x64 6.1.7600

19:50:48.809 Number of processors: 2 586 0x6B02

19:50:48.824 ComputerName: HOME-PC UserName: Home

19:50:49.433 Initialize success

19:50:49.495 AVAST engine defs: 12091701

19:51:21.530 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000063

19:51:21.530 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3

19:51:21.530 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000066

19:51:21.530 Disk 1 Vendor: WDC_WD10 51.0 Size: 953869MB BusType: 3

19:51:21.546 Disk 0 MBR read successfully

19:51:21.561 Disk 0 MBR scan

19:51:21.561 Disk 0 Windows 7 default MBR code

19:51:21.561 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 307203 MB offset 63

19:51:21.577 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 169721 MB offset 629153595

19:51:21.593 Disk 0 scanning C:\Windows\system32\drivers

19:51:24.432 Service scanning

19:51:32.747 Modules scanning

19:51:32.747 Scan finished successfully

19:54:28.542 Disk 0 MBR has been saved successfully to "C:\Users\Home\Desktop\MBR.dat"

19:54:28.547 The log file has been saved successfully to "C:\Users\Home\Desktop\aswMBR.txt"

On aswMBR the "Fix" button was disabled.

[Maurice Naggar]

That looks ok.

[Siemnok]

Nice, many thanks for the help

Do you have some tip to prevent this happen again?

Which antivirus? anti malware do you recommend?

[Maurice Naggar]

I am very favorably biased towards MBAM.

As to antivirus, For free antivirus, Avira or MS Security Essentials.

For paid antivirus, ESET or Kaspersky.

Prevention is a whole lot of different things, mainly prudent surfing, & very very careful "selected" clicking (meaning, don't be in a rush to click on a web link).

Safer practices & malware prevention

• Have a hardware router between the incoming internet-modem and your computer.
  
• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
  
• Check in at Windows Update and install any Critical Updates offered.
  
• Make certain that Automatic Updates is enabled.
  How to configure and use Automatic Updates in Windows
  http://support.microsoft.com/kb/306525
  
• Check on other update issues as well, visit Secunia Online Software Inspector (OSI)
  See How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
  
• Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)
  Tutorial for Spywareblaster: Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware
  
• I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
  See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm
  That would help to keep your browser away from known spyware/malware sites.
  
• Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
  Having a total image backup of your system stored on DVD/CD is highly important.
  Get and make use of imaging-backup utilities and save them to offline media. That way you have something to fall back to if another disaster hits.
  Examples of image backup software: Acronis True Image, or the free (for personal use) Macrium Reflect http://www.macrium.com/reflectfree.asp
  or Paragon Backup & Recovery http://www.paragon-software.com/home/br-free/download.html
  
• Consider using Web of Trust WOT add-on for your browser(s)
  http://www.mywot.com/en/download
  http://www.mywot.com/en/faq/add-on
  On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
  ESET Online Scanner
  BitDefender Quickscan
  Trend Micro Housecall
  F-Secure Online Scanner
  Microsoft Safety Scanner
  Panda ActiveScan
  
• See Six tips to help you stay safer online
  
• Never, ever download free games, free tools, videos, mutli-media files or anything free unless you can be absolutely sure the source is safe !
  

[Siemnok]

Many many thanks for the tips.

I think the infection was for use Splashtop to connect to my computer through the phone.

Again many thanks.

[Maurice Naggar]

Stay safe. I am closing this thread.