s1kx, posted January 22, 2013 (ID:637772)

Hey everyone!

This morning I woke up to my PC having lots of programs (such as Skype) frozen, the Kaspersky PURE 2.0 tray icon being grey with the label "Required modules have been unloaded from memory", and many programs failed to open TCP connections until a reboot. I immediately ran a Kaspersky scan and a MalwareBytes Anti-Malware scan, which both couldn't find anything of interest. Afterwards, I downloaded GMER which showed me something more interesting (screenshot attached): many psapi.dll functions seem to be hooked, which to me looks a lot like a rootkit. Sadly, I could not restore the original code in the affected functions, as GMER complained "Restore code: The parameters are invalid."

I also ran a scan with the dds.com utility and here are the dds.txt and Attach.log attached.

Is there any chance of getting rid of it or do I have to reinstall Windows?

Thanks in advance, I would really appreciate your help!

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514  BrowserJavaVersion: 10.10.2
Run by Patrick at 8:33:35 on 2013-01-22
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.16367.10995 [GMT 1:00]
.
AV: Kaspersky PURE 2.0 *Enabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
SP: Kaspersky PURE 2.0 *Enabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky PURE 2.0 *Enabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
.
[Body of the DDS report not reproduced here: Running Processes, Pseudo HJT Report, Firefox, Services / Drivers, File Associations, Created Last 30 and Find3M sections]
.
============= FINISH: 8:33:55.49 ===============

P.s.: C:\Users\Patrick\AppData\Local\name1ess0ne is just the configuration folder for CloudShot
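A helper reading a DDS report like the one above scans the pseudo-HJT and Find3M sections for a few classic review items (a proxy set in the user's browser settings, UAC policy values at 0, Winsock LSPs, orphaned registry entries, loose binaries in the Program Files root). The script below is an added example, not a tool from the thread or from DDS; the sample lines are copied from s1kx's dds.txt, and the flagging rules are my own heuristics that only mark entries for review.

```python
"""Triage a DDS pseudo-HJT / Find3M report for entries worth a second look.

Added example for this thread, not a tool from the forum or from DDS itself.
The sample lines are copied from s1kx's dds.txt; the rules for what gets
flagged are my own heuristics and only mark items for review.
"""
import ipaddress
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: a few lines from the posted dds.txt, one entry per line.
SAMPLE_DDS = r"""
uProxyServer = 198.133.224.147:3127
uURLSearchHooks: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - <orphaned>
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
LSP: %SystemRoot%\system32\PrxerDrv.dll
LSP: %windir%\system32\vsocklib.dll
TCP: NameServer = 192.168.178.1
2013-01-22 07:03:21 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys
2008-02-10 14:42:50 95232 ----a-w- C:\Program Files\HookSurcode.dll
2005-08-14 07:49:04 219136 ----a-w- C:\Program Files\r8b.dll
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    entry: str     # the DDS line that triggered the finding
    reason: str


PROXY_RE = re.compile(r"^[um]ProxyServer\s*=\s*(\S+)")
POLICY_RE = re.compile(r"^[um]Policies-(?:System|Explorer):\s*(\w+)\s*=\s*dword:([0-9A-Fa-f]+)")
# Find3M / Created Last 30 entries: date time size attributes path
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+(?:\d+|-+)\s+\S+\s+(?P<path>.+)$")

# UAC-related values that, at 0, remove or weaken the elevation prompt.
WEAK_POLICIES = {
    ("EnableLUA", "0"): "UAC is off: an admin user's processes run with the full admin token",
    ("ConsentPromptBehaviorAdmin", "0"): "admins elevate without any prompt",
    ("PromptOnSecureDesktop", "0"): "UAC prompts appear on the normal desktop, where other windows can interfere",
}
LOOSE_DIRS = {"c:/program files", "c:/program files (x86)"}
BINARY_EXT = {".dll", ".exe", ".sys"}


def proxy_host(value: str) -> str:
    """Pull the host out of an IE ProxyServer value ('host:port' or 'http=host:port;...')."""
    first = value.split(";")[0].split("=")[-1]
    host = first.rsplit(":", 1)[0] if ":" in first else first
    return host.strip("[]")


def triage(lines):
    """Return a list of Findings for the DDS lines that match a review rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := PROXY_RE.match(line):
            host = proxy_host(m.group(1))
            sev, why = "medium", f"a proxy ({host}) is configured; confirm it is intended"
            try:
                if ipaddress.ip_address(host).is_global:
                    sev, why = "high", f"browser traffic is routed through public address {host}"
            except ValueError:
                pass  # a hostname rather than an IP address: keep medium
            findings.append(Finding(sev, line, why))
        elif (m := POLICY_RE.match(line)) and (m.group(1), m.group(2)) in WEAK_POLICIES:
            findings.append(Finding("high", line, WEAK_POLICIES[(m.group(1), m.group(2))]))
        elif line.startswith("LSP:"):
            findings.append(Finding("medium", line,
                            "a Winsock LSP sees every socket call; verify the DLL's publisher and hash"))
        elif "<orphaned>" in line:
            findings.append(Finding("low", line, "registry entry points at a missing file or CLSID"))
        elif m := FILE_RE.match(line):
            path = PureWindowsPath(m.group("path"))
            if path.parent.as_posix().lower() in LOOSE_DIRS and path.suffix.lower() in BINARY_EXT:
                findings.append(Finding("medium", line,
                                f"{path.name} (dated {m.group('date')}) sits loose in {path.parent}, "
                                "not in a vendor folder; check its hash on VirusTotal"))
    return findings


def by_severity(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 4, 'low': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(triage(SAMPLE_DDS), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.entry}\n         -> {f.reason}")
```

On the sample, the two loose DLLs the helper asks about below are exactly the entries the Find3M rule picks out, while mbam.sys under drivers is left alone.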
s1kx Posted January 22, 2013 Author ID:637774

By the way, I tried to run the BETA of Malwarebytes Anti-Rootkit, but even though I downloaded the most recent version, it complains that this version expired and I should download the newer one (from the link I just used!). Any workaround for this?
kevinf80 Posted January 22, 2013 ID:637782

Upload a File to Virustotal

Go to http://www.virustotal.com/
Click the Browse... button
Navigate to the file C:\Program Files\HookSurcode.dll or just copy/paste it in.
Click the Scan it tab
If you get a message saying File has already been analyzed: click Reanalyze file now
Copy and paste the results back here please.

Repeat the above steps for the following files:
C:\Program Files\r8b.dll

Next,

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from the following link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Ensure that Combofix is saved directly to the Desktop <--- Very important

Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.

Close any open browsers and any other programs you might have running.

Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator").

Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.

If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.

When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*

If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.

If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal.

If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted).

Post the logs in next reply please...

Kevin
s1kx Posted January 22, 2013 Author ID:637791

The files HookSurcode.dll and r8b.dll are both from a tool called eac3to, which is just an audio conversion tool. Nevertheless, here are the scan results:

https://www.virustotal.com/file/5dc230efada61205a3a6bbb94a3591238a7116e7875aff62037e7dd132b16e0f/analysis/
File name: 17bd9c08c0facdedafb2c4ec8fbc5d06_HookSurcode.dll
Detection ratio: 1 / 45
Sophos MadCodeHook 20121231

https://www.virustotal.com/file/add6c096422bb7c80f1f9a25eae3a9efc7de15206e373e91420c5830bf3a0ae2/analysis/
File name: r8b.dll
Detection ratio: 0 / 45

Sadly, even after ComboFix ran, GMER is still showing all these hooks and unknown libraries loaded into avp.exe etc. I attached the log of that as well.

ComboFix 13-01-21.04 - Patrick 01/22/2013 11:21:15.1.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.16367.12503 [GMT 1:00]
Running from: C:\ComboFix.exe
AV: Kaspersky PURE 2.0 *Disabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky PURE 2.0 *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky PURE 2.0 *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
---------------------.[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe".[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]"Version"=hex:ff,6e,86,ba,b2,7f,2a,8c,1d,22,19,88,32,fb,0a,14,91,04,6a,36,1a, a2,51,ae,e2,a7,4f,8d,1c,1a,1f,0a,60,ba,96,7e,d8,9b,3a,88,59,74,85,04,48,b7,\.[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="IFlashBroker5".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]@Denied: (A 2) 
(Everyone)@="FlashBroker""LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]"Enabled"=dword:00000001.[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Shockwave Flash Object".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]@="0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]@="ShockwaveFlash.ShockwaveFlash.11".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="ShockwaveFlash.ShockwaveFlash".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]@Denied: (A 2) (Everyone)@="Macromedia Flash Factory 
Object".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx""ThreadingModel"="Apartment".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]@="FlashFactory.FlashFactory.1".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]@="1.0".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]@="FlashFactory.FlashFactory".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]@Denied: (A 2) (Everyone)@="IFlashBroker5".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}".[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]@="?????????????????? v1".[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}".[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]@="?????????????????? 
v2".[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}".[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]"Version"=hex:ff,6e,86,ba,b2,7f,2a,8c,1d,22,19,88,32,fb,0a,14,91,04,6a,36,1a, a2,51,ae,e2,a7,4f,8d,1c,1a,1f,0a,60,ba,96,7e,d8,9b,3a,88,59,74,85,04,48,b7,\.[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]@Denied: (A) (Everyone)"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}".[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]@Denied: (A) (Everyone).[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]"Key"="ActionsPane3""Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd".[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).------------------------ Other Running Processes ------------------------.c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exec:\program files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exec:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exec:\windows\SysWOW64\PnkBstrA.exec:\windows\SysWOW64\PnkBstrB.exec:\windows\SysWOW64\vmnat.exec:\program files (x86)\RealVNC\VNC4\WinVNC4.exec:\windows\SysWOW64\vmnetdhcp.exec:\program files (x86)\TeamViewer\Version8\TeamViewer.exec:\program files (x86)\TeamViewer\Version8\tv_w32.exec:\program files (x86)\Brother\ControlCenter3\brccMCtl.exec:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe.**************************************************************************.Completion time: 2013-01-22 11:54:08 - machine was rebootedComboFix-quarantined-files.txt 2013-01-22 10:54.Pre-Run: 5,807,853,568 bytes freePost-Run: 17,859,375,104 bytes free.- - End Of File - - 90411D30D4639002966ED1F016715D0BGMER.log Link to post Share on other sites More 
sharing options...
kevinf80 Posted January 22, 2013 ID:637861

I do not see anything unusual in the GMER log. Do you know about or recognize this proxy server?

uInternet Settings,ProxyServer = 198.133.224.147:3127

Run the following online AV scan:

Run Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right click on the IE shortcut and run as admin.

Go to the Eset web page http://www.eset.com/home/products/online-scanner/ to run an online scanner from ESET.
Turn off the real time scanner of any existing antivirus program while performing the online scan.
Click on the Run ESET Online Scanner button.
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the add-on to be installed.
Click Start.
Make sure that the option Remove found threats is unticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan.
Wait for the virus definitions to be downloaded.
Wait for the scan to finish.

When the scan is complete:

If no threats were found:
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

If threats were found:
click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish
close program
copy and paste the report here

Thanks,
Kevin
LDTate Posted January 25, 2013 ID:638964

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!