Trojan.Agent.DL Reoccurance

Jedarius · February 13, 2013

Here's the Extras.txt log:

OTL Extras logfile created on: 2/12/2013 8:11:54 PM - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Hai\Desktop

64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

15.96 Gb Total Physical Memory | 13.96 Gb Available Physical Memory | 87.52% Memory free

15.95 Gb Paging File | 14.08 Gb Available in Paging File | 88.24% Paging File free

Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 223.57 Gb Total Space | 144.36 Gb Free Space | 64.57% Space Free | Partition Type: NTFS

Drive D: | 465.66 Gb Total Space | 341.65 Gb Free Space | 73.37% Space Free | Partition Type: NTFS

Drive F: | 2794.51 Gb Total Space | 1758.01 Gb Free Space | 62.91% Space Free | Partition Type: NTFS

Computer Name: HAI-HPC | User Name: Hai | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- "D:\Program Files (x86)\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)

InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [Winamp.Bookmark] -- "D:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)

Directory [Winamp.Enqueue] -- "D:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)

Directory [Winamp.Play] -- "D:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- "D:\Program Files (x86)\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [Winamp.Bookmark] -- "D:\Program Files (x86)\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft, Inc.)

Directory [Winamp.Enqueue] -- "D:\Program Files (x86)\Winamp\winamp.exe" /ADD "%1" (Nullsoft, Inc.)

Directory [Winamp.Play] -- "D:\Program Files (x86)\Winamp\winamp.exe" "%1" (Nullsoft, Inc.)

Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [explore] -- Reg Error: Value error.

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{0E621994-1818-48B3-8383-FCD8CD370BF3}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

"{1F7C2814-5835-4879-88CA-5AA00113855C}" = lport=56234 | protocol=17 | dir=in | name=pando media booster |

"{211425F1-DE7A-4D74-9841-E5D4A5CFA2B4}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework64\v4.0.30319\smsvchost.exe |

"{298070C4-0AB3-42BE-8540-5A5CDFE14930}" = rport=137 | protocol=17 | dir=out | app=system |

"{3D9AD405-BA3B-4A3B-AA88-20E925F758B9}" = rport=445 | protocol=6 | dir=out | app=system |

"{40F34A88-E6C5-4D0B-9077-DD03CD988E9E}" = rport=139 | protocol=6 | dir=out | app=system |

"{44DA16FE-6014-4841-8729-E497EB7B59D6}" = lport=56234 | protocol=6 | dir=in | name=pando media booster |

"{46C87F75-A2D2-40C5-BB37-906649B9E57F}" = lport=56234 | protocol=17 | dir=in | name=pando media booster |

"{7F6E0A7A-D1AD-45B3-8861-52931C4F2254}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

"{9F272D99-63DD-4CBE-BEC0-702F708A5587}" = lport=445 | protocol=6 | dir=in | app=system |

"{ABAEC07D-B5DC-4812-A52F-8814BFCBB5A2}" = lport=56234 | protocol=6 | dir=in | name=pando media booster |

"{AE666F4F-905D-42E7-8B71-52398A7211D1}" = lport=138 | protocol=17 | dir=in | app=system |

"{B084A52A-DF95-418F-ACA8-307253D609FA}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |

"{D10C5A99-0006-4986-AA07-D5B6CF3868C9}" = lport=139 | protocol=6 | dir=in | app=system |

"{DC302E03-3167-4469-8856-59B2EDB0F7D7}" = lport=137 | protocol=17 | dir=in | app=system |

"{E217B0A6-2B58-45BE-8F98-7A5FA763213F}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |

"{FED6F870-0DD7-45D4-BF5B-3FCDE8E134DC}" = rport=138 | protocol=17 | dir=out | app=system |

"{FF6C7396-24A9-4E89-8F33-FA2D4F245C20}" = lport=6004 | protocol=17 | dir=in | app=d:\program files (x86)\microsoft office\office14\outlook.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{0102C2EC-0A01-4FBD-A19D-8B62DEC38F02}" = protocol=17 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\cdas2pc\cdas2pc.exe |

"{01110929-D998-440E-9583-98EC3FB4218C}" = protocol=6 | dir=in | app=d:\program files (x86)\microsoft office\office14\onenote.exe |

"{053C0201-0CC2-4D48-A661-7FE786DE84B7}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |

"{0BD83879-777E-48D2-B26B-04994829E72C}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |

"{0C8837CE-291A-48C4-AE42-F278C813B767}" = protocol=6 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\ids.application.exe |

"{1557E716-FF74-4E7A-BA2D-1F9C356AAF61}" = protocol=6 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |

"{17119E8D-6F35-46CF-B899-104DD2BE8CA4}" = protocol=6 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\ordersupplies.exe |

"{1892236A-7BCB-4A33-A898-07E676BAB2F1}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |

"{2644265D-D50C-4754-BDD3-662BCB0E623B}" = protocol=17 | dir=in | app=d:\program files\ventrilo\ventrilo.exe |

"{26815519-69E2-4A78-9BE7-1B449B29A7DC}" = protocol=6 | dir=in | app=d:\program files (x86)\steam\steamapps\common\portal 2\portal2.exe |

"{34023EF1-CEA4-44D3-B0F4-A00E3C0D3F33}" = protocol=17 | dir=in | app=d:\program files (x86)\steam\steamapps\common\assassin's creed 3\ac3mp.exe |

"{3D0B6088-849E-4DD6-883B-74624CE74F39}" = protocol=6 | dir=in | app=d:\program files (x86)\steam\steamapps\common\deus ex - human revolution\dxhr.exe |

"{3F90BC15-51D3-4F6D-8A44-8B7E30935988}" = protocol=17 | dir=in | app=c:\windows\twain_32\samsung\clx3300\scnsearch\usdagent.exe |

"{42C274F3-D79A-4141-80B0-98A06013F256}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |

"{42C40E68-F1F2-4940-9618-5C2087763F54}" = protocol=17 | dir=in | app=c:\users\hai\appdata\roaming\dropbox\bin\dropbox.exe |

"{42F5F654-1C40-4D8D-B908-BDA9267FBCA0}" = dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |

"{4A224B41-F67F-4074-8A26-478E21602474}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{52FABA23-CA4B-41E3-8190-F048DE3F9556}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe |

"{548558E4-8935-4A73-85C6-1C7CE494D017}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{5497BE0D-1F1E-4BED-AE3A-AC4CFED744C2}" = protocol=6 | dir=in | app=d:\program files (x86)\microsoft office\office14\groove.exe |

"{558D38AD-808B-48F9-BA4A-1486383C1A2E}" = protocol=17 | dir=in | app=d:\program files (x86)\steam\steamapps\common\assassin's creed 3\ac3sp.exe |

"{5A5C018D-9989-4F71-A765-71BC9C94E3CF}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{5E35C738-0FBF-49BF-8BC5-2E9E4B350E54}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |

"{5E62B852-DB46-411A-8A5C-90B85245B1AA}" = protocol=6 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\cdas2pc\cdas2pc.exe |

"{6A05F27E-87DD-499D-A39A-3B915DAA1311}" = protocol=17 | dir=in | app=d:\program files (x86)\steam\steam.exe |

"{714657D2-358D-4A1C-ACB5-C1EAD1CC8C83}" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |

"{739244AD-8ED9-4591-B04F-1E5A3F6CF553}" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |

"{781BAE79-A7C9-40DC-9BB0-7FEFA2F6384D}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{7FAEACDC-9EA8-4DD9-855D-0BBC12010B1D}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |

"{80537E4A-CF18-42FC-A4E2-919BC0CC1EAE}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\ubisoft game launcher\ubisoftgamelauncher.exe |

"{85D29418-743A-46EA-BD1C-089090179403}" = protocol=17 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\ordersupplies.exe |

"{8F46381C-0833-4DBF-96DD-93FB19DFE575}" = protocol=17 | dir=in | app=d:\program files (x86)\microsoft office\office14\groove.exe |

"{A2F456CF-6E8A-42EA-8BA3-6DB52C89EDB8}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |

"{A65CB2BE-88DA-4521-9DDE-3A11C7FD7514}" = protocol=6 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\idsalert.exe |

"{A8B90AC7-100C-45A3-B3EF-B5C0927C2F63}" = protocol=6 | dir=in | app=c:\windows\twain_32\samsung\clx3300\scnsearch\usdagent.exe |

"{A922D666-52E3-4BDF-A2B0-91B1EF11728E}" = protocol=17 | dir=in | app=d:\program files (x86)\microsoft office\office14\onenote.exe |

"{B658F2E3-7D5F-4380-A1EF-39E257610CD5}" = protocol=6 | dir=in | app=d:\program files (x86)\steam\steamapps\common\assassin's creed 3\ac3mp.exe |

"{BE67FDF2-9563-4149-AA9A-877C70E0FDD0}" = protocol=6 | dir=in | app=d:\program files (x86)\steam\steamapps\common\torchlight ii\torchlight2.exe |

"{BF904EFB-DAF0-4CEA-969E-B6BADC16904F}" = protocol=17 | dir=in | app=d:\program files (x86)\steam\steamapps\common\deus ex - human revolution\dxhr.exe |

"{C08EC35A-4E2F-4358-A1AD-D47D62846BC9}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{C255309F-D9C8-4B9D-AC40-40C5DC674F73}" = protocol=17 | dir=in | app=c:\program files (x86)\mcafee\common framework\frameworkservice.exe |

"{C3E59382-0FA0-49D1-9733-BB08F859FD1D}" = protocol=6 | dir=in | app=d:\program files (x86)\steam\steamapps\common\assassin's creed 3\ac3sp.exe |

"{CDF7CD7E-AB0C-4384-B0B1-8011C5A9A685}" = protocol=17 | dir=in | app=c:\program files (x86)\asus\ai suite ii\ai suite ii.exe |

"{D2C29917-BBFF-41FC-B2D2-966836D7C120}" = protocol=6 | dir=in | app=c:\program files (x86)\samsung\easy document creator\usdagent.exe |

"{D3B5584B-49E1-4A92-B2E8-84C599F96917}" = protocol=17 | dir=in | app=c:\program files (x86)\samsung\easy document creator\usdagent.exe |

"{D57C40C5-07B4-446D-94E3-86070AE20D3C}" = protocol=17 | dir=in | app=d:\program files (x86)\steam\steamapps\common\portal 2\portal2.exe |

"{D5EB5165-737E-4CC2-8E1E-498F35FBDC48}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |

"{D68AA9AA-D2CF-482C-A5C8-C0825CE2C696}" = protocol=6 | dir=in | app=c:\program files (x86)\asus\ai suite ii\ai suite ii.exe |

"{D8563B7A-6BEB-4F9B-8B73-D2EDB20EC252}" = protocol=6 | dir=in | app=d:\program files\ventrilo\ventrilo.exe |

"{D882BC59-D1C4-4FC7-B95C-7ADBB0731353}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{DE03D896-F71A-4B1E-B284-F3A95E2FC71C}" = protocol=6 | dir=in | app=d:\program files (x86)\steam\steam.exe |

"{EEEE4CE8-CB9D-400C-BD53-2B973703865C}" = protocol=17 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\ids.application.exe |

"{F396386E-8690-4DE5-8806-F5A758467A21}" = protocol=6 | dir=in | app=c:\users\hai\appdata\roaming\dropbox\bin\dropbox.exe |

"{F619C672-858E-4BB8-8FAF-BA872612358B}" = protocol=17 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\idsalert.exe |

"{FDB6B15A-7063-4C62-A5F4-D67E8E259679}" = protocol=17 | dir=in | app=d:\program files (x86)\steam\steamapps\common\torchlight ii\torchlight2.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{031A0E14-0413-4C97-9772-2639B782F46F}" = Common Desktop Agent

"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)

"{23170F69-40C1-2702-0920-000001000000}" = 7-Zip 9.20 (x64 edition)

"{26A24AE4-039D-4CA4-87B4-2F86416021FF}" = Java 6 Update 21 (64-bit)

"{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1" = Media Player Classic - Home Cinema 1.6.1.4235 x64

"{357A82F9-B5FF-46C8-ABA2-104695E0F1D1}" = Intel® Network Connections 16.6.126.0

"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

"{538B98C3-773F-4F20-9C66-802D104DCBE2}" = Intel® Trusted Connect Service Client

"{550331CC-C34B-494F-BCDA-37CE4EF6E924}" = Garmin Communicator Plugin x64

"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

"{690285C2-2481-44FB-8402-162EA970A6DD}" = Logitech Gaming Software

"{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}" = Microsoft Visual C++ 2005 Redistributable (x64)

"{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}" = Microsoft Visual C++ 2005 Redistributable (x64)

"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended

"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010

"{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010

"{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010

"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision" = NVIDIA 3D Vision Driver 310.90

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 310.90

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 310.90

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB" = NVIDIA 3D Vision Controller Driver 310.90

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.12.1031

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA HD Audio Driver 1.3.18.0

"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application

"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware

"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones

"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319

"{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}" = Ventrilo Client for Windows x64

"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile

"6af12c54-643b-4752-87d0-8335503010de_is1" = Nexus Mod Manager

"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin 64-bit

"CCleaner" = CCleaner

"CPUID CPU-Z_is1" = CPUID CPU-Z 1.60.1

"CPUID HWMonitor_is1" = CPUID HWMonitor 1.19

"Logitech Gaming Software" = Logitech Gaming Software 8.20

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended

"PROSetDX" = Intel® Network Connections 16.6.126.0

"Unigine Heaven DX11 Benchmark (Basic Edition)_is1" = Heaven DX11 Benchmark version 3.0

"WinRAR archiver" = WinRAR 4.11 (64-bit)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam

"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise

"{148D9D03-5D23-4D4F-B5D0-BA6030C45DCF}" = Adobe Flash Player 10 ActiveX

"{14FA6DD9-92ED-493D-A937-81A78870E08A}_is1" = Free Video Joiner

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{240C3DDD-C5E9-4029-9DF7-95650D040CF2}" = Intel® USB 3.0 eXtensible Host Controller Driver

"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java 6 Update 21

"{34D3688E-A737-44C5-9E2A-FF73618728E1}" = AI Suite II

"{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF010}" = Tribes Ascend

"{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF1FC}" = Hi-Rez Studios Authenticate and Update Service

"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel® Rapid Storage Technology

"{3FD0C489-0F02-481a-A3E1-9754CD396761}" = Intel® Watchdog Timer Driver (Intel® WDT)

"{46EDCFA5-7EDB-46A9-B093-1C6237470CEC}" = 3DMark 11

"{4CB0307C-565E-4441-86BE-0DF2E4FB828C}" = Microsoft Games for Windows Marketplace

"{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411

"{61942EF5-2CD8-47D4-869C-2E9A8BB085F1}" = Asmedia ASM106x SATA Host Controller Driver

"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel® Management Engine Components

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies

"{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}" = Microsoft Games for Windows - LIVE Redistributable

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{888F1505-C2B3-4FDE-835D-36353EBD4754}" = Ubisoft Game Launcher

"{8B922CF8-8A6C-41CE-A858-F1755D7F5D29}" = NVIDIA PhysX

"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010

"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010

"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010

"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010

"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010

"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010

"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010

"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010

"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010

"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010

"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010

"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010

"{90140000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2010

"{90140000-0054-0409-0000-0000000FF1CE}_Office14.VISIO_{CDC4310F-8189-485F-B47D-D972217CE173}" = Microsoft Office 2010 Language Pack Service Pack 1 (SP1)

"{90140000-0057-0000-0000-0000000FF1CE}" = Microsoft Office Visio 2010

"{90140000-0057-0000-0000-0000000FF1CE}_Office14.VISIO_{01D8AE4B-A04D-47E5-81BF-E3F98B81B8C3}" = Microsoft Visio 2010 Service Pack 1 (SP1)

"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010

"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010

"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010

"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010

"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010

"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster

"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9AAD03E8-4F65-4DE2-8F6C-1B079C0C8521}" = Garmin Lifetime Updater

"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

"{9ECF7817-DB11-4FBA-9DF1-296A578D513A}" = Adobe Shockwave Player 11.5

"{AA951B10-7089-4D60-B288-516E641F48E6}" = McAfee Agent

"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)

"{B6B5F07C-88D5-49D3-A1A7-A6D4BC37DCCC}" = SNS Upload for Easy Document Creator

"{BEE64C14-BEF1-4610-8A68-A16EAA47B882}" = Futuremark SystemInfo

"{C40C3C3D-97CF-44B5-836C-766E374464B3}" = 3DMark Vantage

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{D7BF9739-8A68-4335-BBEE-37752AD9E86B}" = NEC Electronics USB 3.0 Host Controller Driver

"{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}" = Asmedia ASM104x USB 3.0 Host Controller Driver

"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver

"{F1A6C690-C12C-4E7A-B4BD-958678215418}" = 3DMark

"{FA66CFD7-0977-4C45-AACD-A8BB994B1A05}" = Quake Live Mozilla Plugin

"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

"A New Dawn" = NVIDIA A New Dawn demo

"Afterburner" = MSI Afterburner 2.2.1

"AIDA64 Extreme Edition_is1" = AIDA64 Extreme Edition v2.00

"Android SDK Tools" = Android SDK Tools

"DAEMON Tools Lite" = DAEMON Tools Lite

"Fraps" = Fraps

"GoogleNexus7ToolKit46" = Package: Google Nexus 7 ToolKit

"InstallShield_{758C8301-2696-4855-AF45-534B1200980A}" = Samsung Kies

"InstallShield_{D7BF9739-8A68-4335-BBEE-37752AD9E86B}" = NEC Electronics USB 3.0 Host Controller Driver

"KLiteCodecPack_is1" = K-Lite Codec Pack 8.7.0 (Basic)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Mozilla Firefox 18.0.2 (x86 en-US)" = Mozilla Firefox 18.0.2 (x86 en-US)

"MozillaMaintenanceService" = Mozilla Maintenance Service

"NVIDIAStereo" = NVIDIA Stereoscopic 3D Driver

"Office14.PROPLUS" = Microsoft Office Professional Plus 2010

"Office14.VISIO" = Microsoft Visio Premium 2010

"OpenAL" = OpenAL

"Origin" = Origin

"pcsx2-r4600" = PCSX2 - Playstation 2 Emulator

"PS3 Media Server" = PS3 Media Server

"Samsung CLX-3300 Series" = Samsung CLX-3300 Series

"Samsung Easy Document Creator" = Samsung Easy Document Creator

"Samsung Easy Printer Manager" = Samsung Easy Printer Manager

"Samsung Network PC Fax" = Samsung Network PC Fax

"Samsung Printer Live Update" = Samsung Printer Live Update

"Samsung Scan Process Machine" = Samsung Scan Process Machine

"Steam App 200710" = Torchlight II

"Steam App 208480" = Assassin’s Creed® III

"Steam App 28050" = Deus Ex: Human Revolution

"Steam App 400" = Portal

"Steam App 620" = Portal 2

"The Witcher 2 - Assassins of Kings Enhanced Edition_is1" = The Witcher 2 - Assassins of Kings Enhanced Edition

"Uplay" = Uplay

"uTorrent" = µTorrent

"Vpskeys_is1" = Vpskeys 4.3

"Winamp" = Winamp

"Winamp Essentials Pack" = Winamp Essentials Pack

"WinPcapInst" = WinPcap 4.1.2

"World of Warcraft" = World of Warcraft

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"101a9f93b8f0bb6f" = Curse Client

"Dropbox" = Dropbox

"Winamp Detect" = Winamp Detector Plug-in

========== Last 20 Event Log Errors ==========

[ Application Events ]

Error - 2/6/2013 10:16:51 PM | Computer Name = Hai-HPC | Source = McLogEvent | ID = 1008

Description = The McShield service terminated unexpectedly. Please review event 5019

or 5051 for details. The McShield service will be restarted in 5 seconds;

Error - 2/8/2013 9:04:31 AM | Computer Name = Hai-HPC | Source = McLogEvent | ID = 5051

Description = A thread in process C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe

took longer than 90000 ms to complete a request. The process will be terminated.

Thread

id : 2248 (0x8c8) Thread address : 0x0000000076EE135A Thread message : Build VSCORE.14.1.0.515

/ 5400.1158 Object being scanned = \Device\HarddiskVolume3\Program Files (x86)\McAfee\VirusScan

Enterprise\x64\vsodscpl.dll by C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scan64.exe

17017(0)(1) 7007(0)(0) 5006(0)(0) 5004(0)(0) 5003(0)(0) 5002(0)(1) 15002(0)(0)

5000(0)(0)

Error - 2/8/2013 9:04:31 AM | Computer Name = Hai-HPC | Source = McLogEvent | ID = 5051

Description = A thread in process C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe

took longer than 90000 ms to complete a request. The process will be terminated.

Thread

id : 5072 (0x13d0) Thread address : 0x0000000076EE135A Thread message : Build VSCORE.14.1.0.515

/ 5400.1158 Object being scanned = \Device\HarddiskVolume3\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf

by C:\Windows\system32\taskhost.exe 4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0)

7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 2/8/2013 9:04:31 AM | Computer Name = Hai-HPC | Source = McLogEvent | ID = 1008

Description = The McShield service terminated unexpectedly. Please review event 5019

or 5051 for details. The McShield service will be restarted in 10 seconds;

Error - 2/9/2013 2:48:55 AM | Computer Name = Hai-HPC | Source = McLogEvent | ID = 5051

Description = A thread in process C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe

took longer than 90000 ms to complete a request. The process will be terminated.

Thread

id : 2996 (0xbb4) Thread address : 0x00000000773A164A Thread message : Build VSCORE.14.1.0.515

/ 5400.1158 Object being scanned = \Device\HarddiskVolume3\Users\Hai\Desktop\adwcleaner.exe

by C:\Windows\Explorer.EXE 4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0)

5006(0)(0) 5004(0)(0)

Error - 2/9/2013 2:48:55 AM | Computer Name = Hai-HPC | Source = McLogEvent | ID = 5051

Description = A thread in process C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe

took longer than 90000 ms to complete a request. The process will be terminated.

Thread

id : 3008 (0xbc0) Thread address : 0x00000000773A135A Thread message : Build VSCORE.14.1.0.515

/ 5400.1158 Object being scanned = \Device\HarddiskVolume2\Program Files (x86)\Samsung\Kies\Kies\Theme\Kies.Theme.dll

by D:\Program Files (x86)\Samsung\Kies\Kies\KiesHelper.exe 4(0)(0) 4(0)(0) 7200(0)(0)

7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 2/9/2013 2:48:55 AM | Computer Name = Hai-HPC | Source = McLogEvent | ID = 1008

Description = The McShield service terminated unexpectedly. Please review event 5019

or 5051 for details. The McShield service will be restarted in 5 seconds;

Error - 2/10/2013 2:06:59 PM | Computer Name = Hai-HPC | Source = McLogEvent | ID = 5051

Description = A thread in process C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe

took longer than 90000 ms to complete a request. The process will be terminated.

Thread

id : 2216 (0x8a8) Thread address : 0x0000000076D3164A Thread message : Build VSCORE.14.1.0.515

/ 5400.1158 Object being scanned = \Device\HarddiskVolume3\Users\Hai\Desktop\TFC.exe

by C:\Windows\Explorer.EXE 4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0)

5006(0)(0) 5004(0)(0)

Error - 2/10/2013 2:06:59 PM | Computer Name = Hai-HPC | Source = McLogEvent | ID = 1008

Description = The McShield service terminated unexpectedly. Please review event 5019

or 5051 for details. The McShield service will be restarted in 5 seconds;

Error - 2/11/2013 2:16:16 AM | Computer Name = Hai-HPC | Source = Application Error | ID = 1000

Description = Faulting application name: SUPERAntiSpyware.exe, version: 5.6.0.1014,

time stamp: 0x5092d064 Faulting module name: ntdll.dll, version: 6.1.7601.17725,

time stamp: 0x4ec4aa8e Exception code: 0xc0000374 Fault offset: 0x00000000000c40f2

Faulting

process id: 0x16dc Faulting application start time: 0x01ce081e665ee51f Faulting application

path: D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Faulting module path:

C:\Windows\SYSTEM32\ntdll.dll Report Id: 8a43261f-7412-11e2-b634-c860008a6d1c

[ System Events ]

Error - 1/31/2013 12:19:31 AM | Computer Name = Hai-HPC | Source = Service Control Manager | ID = 7001

Description = The Network List Service service depends on the Network Location Awareness

service which failed to start because of the following error: %%1068

Error - 1/31/2013 12:19:40 AM | Computer Name = Hai-HPC | Source = Service Control Manager | ID = 7001

Description = The Network List Service service depends on the Network Location Awareness

service which failed to start because of the following error: %%1068

Error - 1/31/2013 12:43:19 AM | Computer Name = Hai-HPC | Source = DCOM | ID = 10005

Description =

Error - 1/31/2013 12:43:19 AM | Computer Name = Hai-HPC | Source = DCOM | ID = 10005

Description =

Error - 1/31/2013 12:43:19 AM | Computer Name = Hai-HPC | Source = Service Control Manager | ID = 7001

Description = The Network List Service service depends on the Network Location Awareness

service which failed to start because of the following error: %%1068

Error - 1/31/2013 12:46:32 AM | Computer Name = Hai-HPC | Source = Service Control Manager | ID = 7001

Description = The Network List Service service depends on the Network Location Awareness

service which failed to start because of the following error: %%1068

Error - 1/31/2013 12:48:51 AM | Computer Name = Hai-HPC | Source = volmgr | ID = 262190

Description = Crash dump initialization failed!

Error - 1/31/2013 12:48:55 AM | Computer Name = Hai-HPC | Source = Service Control Manager | ID = 7000

Description = The NEWDRIVER service failed to start due to the following error:

%%2

Error - 2/1/2013 1:06:03 PM | Computer Name = Hai-HPC | Source = volmgr | ID = 262190

Description = Crash dump initialization failed!

Error - 2/1/2013 1:06:07 PM | Computer Name = Hai-HPC | Source = Service Control Manager | ID = 7000

Description = The NEWDRIVER service failed to start due to the following error:

%%2

< End of report >

Jedarius · February 13, 2013

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.02.12.10

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Hai :: HAI-HPC [administrator]

Protection: Enabled

2/12/2013 11:30:27 PM

mbam-log-2013-02-12 (23-30-27).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 215763

Time elapsed: 52 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|WindowsLiveUpdate (Trojan.Agent.DL) -> Data: C:\Users\Hai\AppData\Roaming\MCommon\WindowsLiveUpdate.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Users\Hai\AppData\Roaming\MCommon\WindowsLiveUpdate.exe (Trojan.Agent.DL) -> Quarantined and deleted successfully.

(end)

TheDarkKnight · February 13, 2013

Good evening Jedarius,

Please run OTL.exe.

Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:OTL
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
@Alternate Data Stream - 5120 bytes -> C:\ProgramData:gs5sys
@Alternate Data Stream - 1536 bytes -> C:\Users\Public\Documents\desktop.ini:gs5sys
@Alternate Data Stream - 1536 bytes -> C:\Users\Hai\Documents\desktop.ini:gs5sys
@Alternate Data Stream - 126 bytes -> C:\ProgramData\TEMP:553CA6CA
:Commands
[EmptyTemp]
Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
Click the red Run Fix button.
A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

====

Now try MBAM please.

Jedarius · February 14, 2013

Thanks for the help, I will run MBAM tonight after 11:30PM PST to see if the Trojan re-emerges.

Here's the OTL.exe log:

All processes killed

========== OTL ==========

Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.

Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.

Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.

ADS C:\ProgramData:gs5sys deleted successfully.

ADS C:\Users\Public\Documents\desktop.ini:gs5sys deleted successfully.

ADS C:\Users\Hai\Documents\desktop.ini:gs5sys deleted successfully.

ADS C:\ProgramData\TEMP:553CA6CA deleted successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Hai

->Temp folder emptied: 17626806 bytes

->Temporary Internet Files folder emptied: 2660148 bytes

->FireFox cache emptied: 4836725 bytes

->Flash cache emptied: 14313 bytes

User: Public

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 608 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 24.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 02132013_191415

Files\Folders moved on Reboot...

C:\Users\Hai\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Jedarius · February 14, 2013

Looks like it's still at large:

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.02.13.05

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Hai :: HAI-HPC [administrator]

Protection: Enabled

2/14/2013 12:13:35 AM

mbam-log-2013-02-14 (00-13-35).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 215831

Time elapsed: 1 minute(s), 28 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|WindowsLiveUpdate (Trojan.Agent.DL) -> Data: C:\Users\Hai\AppData\Roaming\MCommon\WindowsLiveUpdate.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Users\Hai\AppData\Roaming\MCommon\WindowsLiveUpdate.exe (Trojan.Agent.DL) -> Quarantined and deleted successfully.

(end)

TheDarkKnight · February 14, 2013

Howdy Jedarius,

Please download to your Desktop SystemLook by jpshortstuff from here.

Double-click SystemLook.exe and copy and paste the content of the following codebox (starting with :filefind) into the main textfield and click the Look button to start the scan:

:filefind
WindowsLiveUpdate.exe

When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt.

Jedarius · February 15, 2013

SystemLook 30.07.11 by jpshortstuff

Log created at 21:08 on 14/02/2013 by Hai

Administrator - Elevation successful

========== filefind ==========

Searching for "WindowsLiveUpdate.exe"

No files found.

-= EOF =-

TheDarkKnight · February 15, 2013

Hello Jedarius,

OK weird that the file wasn't found.

Please run SystemLook again but with this command:

:regfind
WindowsLiveUpdate

Please post the results.

Jedarius · February 15, 2013

I think it's because MBAM just removed it...but it's resistant to cleaning and eventually returns.

I ran SystemLook again:

SystemLook 30.07.11 by jpshortstuff

Log created at 08:17 on 15/02/2013 by Hai

Administrator - Elevation successful

========== regfind ==========

Searching for "WindowsLiveUpdate"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\runonce]

"WindowsLiveUpdate"="C:\Users\Hai\AppData\Roaming\MCommon\WindowsLiveUpdate.exe"

[HKEY_USERS\S-1-5-21-1761019082-4143762969-2227933991-1000\Software\Microsoft\Windows\CurrentVersion\runonce]

"WindowsLiveUpdate"="C:\Users\Hai\AppData\Roaming\MCommon\WindowsLiveUpdate.exe"

-= EOF =-

TheDarkKnight · February 15, 2013

Good morning Jedarius,

OK the scan found two Registry Keys, so let's see how that goes.

Please follow these instructions to remove the remaining malicious entries:

Please close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open Notepad and copy/paste the text in the quotebox below into it:
Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.

killall::
File::
C:\Users\Hai\AppData\Roaming\MCommon\WindowsLiveUpdate.exe
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\runonce]
"WindowsLiveUpdate"=-
[HKEY_USERS\S-1-5-21-1761019082-4143762969-2227933991-1000\Software\Microsoft\Windows\CurrentVersion\runonce]
"WindowsLiveUpdate"=-
Save this as CFScript.txt, in the same location as ComboFix.exe.
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt.

Please post the ComboFix.txt in your next reply.

=====

Also, please run a new MBAM scan and see what it finds. Post that in your reply, along with the contents of ComboFix.txt.

Jedarius · February 16, 2013

Here's the ComboFix.txt log:

ComboFix 13-02-15.01 - Hai 02/15/2013 23:33:34.4.4 - x64

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.16339.13425 [GMT -8:00]

Running from: c:\users\Hai\Desktop\ComboFix.exe

Command switches used :: c:\users\Hai\Desktop\CFScript.txt

AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

* Resident AV is active

.

FILE ::

"c:\users\Hai\AppData\Roaming\MCommon\WindowsLiveUpdate.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\Hai\AppData\Local\Temp\26b4a1dd-e07b-48af-be4e-9642b273284b\CliSecureRT.dll

c:\users\Hai\AppData\Local\Temp\jna8123850758693307692.dll

.

((((((((((((((((((((((((( Files Created from 2013-01-16 to 2013-02-16 )))))))))))))))))))))))))))))))

.

2013-02-16 07:35 . 2013-02-16 07:35 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-02-14 03:14 . 2013-02-14 03:14 -------- d-----w- C:\_OTL

2013-02-12 07:15 . 2013-02-12 07:16 -------- d-----w- c:\windows\SysWow64\wbem\Performance

2013-02-12 07:05 . 2013-02-12 07:17 181064 ----a-w- c:\windows\PSEXESVC.EXE

2013-02-12 07:03 . 2013-02-12 07:17 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs

2013-02-11 05:42 . 2013-02-11 05:42 -------- d-----w- c:\program files\CCleaner

2013-02-06 07:12 . 2013-02-06 07:12 -------- d-----w- c:\users\Hai\AppData\Local\Futuremark

2013-02-06 06:31 . 2013-01-08 05:32 9161176 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4326CDFA-7DE5-4A98-8004-087A3FB46E4C}\mpengine.dll

2013-02-02 07:18 . 2013-02-02 07:18 -------- d-----w- c:\users\Hai\AppData\Roaming\SUPERAntiSpyware.com

2013-02-02 07:17 . 2013-02-02 07:17 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2013-01-31 05:00 . 2012-06-05 07:37 256904 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys

2013-01-28 08:08 . 2013-01-28 08:08 -------- d-----w- c:\programdata\id Software

2013-01-23 07:45 . 2013-01-23 07:45 -------- d-----w- c:\users\Hai\AppData\Local\4A Games

2013-01-20 17:33 . 2013-01-20 17:33 -------- d-----w- c:\users\Hai\AppData\Local\The Witcher 2

2013-01-18 03:51 . 2012-11-23 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys

2013-01-18 03:51 . 2012-11-22 05:44 800768 ----a-w- c:\windows\system32\usp10.dll

2013-01-18 03:51 . 2012-11-22 04:45 626688 ----a-w- c:\windows\SysWow64\usp10.dll

2013-01-18 03:51 . 2012-11-20 05:48 307200 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-18 03:51 . 2012-11-20 04:51 220160 ----a-w- c:\windows\SysWow64\ncrypt.dll

2013-01-18 03:51 . 2012-11-23 03:13 68608 ----a-w- c:\windows\system32\taskhost.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-02-15 04:37 . 2012-05-01 09:41 70004024 ----a-w- c:\windows\system32\MRT.exe

2013-02-14 03:16 . 2012-05-04 04:11 1048576 ----a-w- c:\windows\PE_Rom.dll

2013-01-17 09:28 . 2012-05-01 10:10 273840 ------w- c:\windows\system32\MpSigStub.exe

2012-12-29 10:54 . 2012-12-29 10:54 550328 ----a-w- c:\windows\SysWow64\nvStreaming.exe

2012-12-29 10:34 . 2013-01-05 22:24 1813432 ----a-w- c:\windows\system32\nvdispco64.dll

2012-12-29 10:34 . 2013-01-05 22:24 1504696 ----a-w- c:\windows\system32\nvdispgenco64.dll

2012-12-29 10:34 . 2013-01-05 22:24 7565240 ----a-w- c:\windows\system32\nvopencl.dll

2012-12-29 10:34 . 2013-01-05 22:24 6263784 ----a-w- c:\windows\SysWow64\nvopencl.dll

2012-12-29 10:34 . 2013-01-05 22:24 15052368 ----a-w- c:\windows\system32\nvwgf2umx.dll

2012-12-29 10:34 . 2013-01-05 22:24 12641120 ----a-w- c:\windows\SysWow64\nvwgf2um.dll

2012-12-29 10:34 . 2013-01-05 22:24 958272 ----a-w- c:\windows\SysWow64\nvumdshim.dll

2012-12-29 10:34 . 2013-01-05 22:24 26931128 ----a-w- c:\windows\system32\nvoglv64.dll

2012-12-29 10:34 . 2013-01-05 22:24 1107592 ----a-w- c:\windows\system32\nvumdshimx.dll

2012-12-29 10:34 . 2013-01-05 22:24 10997176 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys

2012-12-29 10:34 . 2013-01-05 22:24 9389888 ----a-w- c:\windows\system32\nvcuda.dll

2012-12-29 10:34 . 2013-01-05 22:24 7931896 ----a-w- c:\windows\SysWow64\nvcuda.dll

2012-12-29 10:34 . 2013-01-05 22:24 364984 ----a-w- c:\windows\SysWow64\nvEncodeAPI.dll

2012-12-29 10:34 . 2013-01-05 22:24 2504248 ----a-w- c:\windows\SysWow64\nvapi.dll

2012-12-29 10:34 . 2013-01-05 22:24 246024 ----a-w- c:\windows\system32\nvinitx.dll

2012-12-29 10:34 . 2013-01-05 22:24 2344888 ----a-w- c:\windows\system32\nvcuvenc.dll

2012-12-29 10:34 . 2013-01-05 22:24 20450232 ----a-w- c:\windows\SysWow64\nvoglv32.dll

2012-12-29 10:34 . 2013-01-05 22:24 201728 ----a-w- c:\windows\SysWow64\nvinit.dll

2012-12-29 10:34 . 2013-01-05 22:24 1985976 ----a-w- c:\windows\SysWow64\nvcuvenc.dll

2012-12-29 10:34 . 2013-01-05 22:24 18054312 ----a-w- c:\windows\system32\nvd3dumx.dll

2012-12-29 10:34 . 2013-01-05 22:24 420280 ----a-w- c:\windows\system32\nvEncodeAPI64.dll

2012-12-29 10:34 . 2013-01-05 22:24 2904504 ----a-w- c:\windows\system32\nvcuvid.dll

2012-12-29 10:34 . 2013-01-05 22:24 2824656 ----a-w- c:\windows\system32\nvapi64.dll

2012-12-29 10:34 . 2013-01-05 22:24 2720696 ----a-w- c:\windows\SysWow64\nvcuvid.dll

2012-12-29 10:34 . 2013-01-05 22:24 25256376 ----a-w- c:\windows\system32\nvcompiler.dll

2012-12-29 10:34 . 2013-01-05 22:24 17560504 ----a-w- c:\windows\SysWow64\nvcompiler.dll

2012-12-29 10:34 . 2013-01-05 22:24 15129064 ----a-w- c:\windows\SysWow64\nvd3dum.dll

2012-12-29 08:40 . 2013-01-05 22:24 6382008 ----a-w- c:\windows\system32\nvcpl.dll

2012-12-29 08:40 . 2013-01-05 22:24 3455416 ----a-w- c:\windows\system32\nvsvc64.dll

2012-12-29 08:40 . 2013-01-05 22:24 2923201 ----a-w- c:\windows\system32\nvcoproc.bin

2012-12-29 08:40 . 2013-01-05 22:24 884152 ----a-w- c:\windows\system32\nvvsvc.exe

2012-12-29 08:40 . 2013-01-05 22:24 63928 ----a-w- c:\windows\system32\nvshext.dll

2012-12-29 08:40 . 2013-01-05 22:24 118712 ----a-w- c:\windows\system32\nvmctray.dll

2012-12-23 04:42 . 2012-05-21 03:29 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr

2012-12-23 02:33 . 2012-05-21 03:27 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0

2012-12-16 17:11 . 2012-12-29 04:34 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-16 14:45 . 2012-12-29 04:34 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-16 14:13 . 2012-12-29 04:34 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

2012-12-16 14:13 . 2012-12-29 04:34 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-15 00:49 . 2012-09-15 08:08 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-12-03 15:47 . 2013-01-04 05:53 60776 ----a-w- c:\windows\system32\OpenCL.dll

2012-12-03 15:47 . 2013-01-04 05:53 52584 ----a-w- c:\windows\SysWow64\OpenCL.dll

2012-11-30 04:45 . 2013-01-18 03:52 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2012-11-22 20:47 . 2012-11-22 22:22 3123272 ----a-w- c:\windows\SysWow64\pbsvc.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{2adefb8e-b923-35e6-86e2-2b7841f5d6a4}]

2010-11-05 01:58 297808 ----a-w- c:\windows\System32\mscoree.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-12-12 969104]

"KiesHelper"="d:\program files (x86)\Samsung\Kies\Kies\KiesHelper.exe" [2012-06-08 958392]

"KiesPDLR"="d:\program files (x86)\Samsung\Kies\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-06-08 21432]

"DAEMON Tools Lite"="d:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-08-28 3671904]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Samsung Network PC Fax.lnk - c:\windows\System32\spool\drivers\x64\3\NetFaxTray64.exe [2012-9-17 273408]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-11-30 13592]

R2 MBAMScheduler;MBAMScheduler;d:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-15 398184]

R2 MBAMService;MBAMService;d:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-15 682344]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-01-20 363800]

R3 AiCharger;AiCharger;SysWow64\drivers\AiCharger.sys [x]

R3 cpuz136;cpuz136;c:\windows\TEMP\cpuz136\cpuz136_x64.sys [x]

R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-09-19 102368]

R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2012-12-17 137488]

R3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [2011-05-27 160768]

R3 LADF_CaptureOnly;LADF Capture Filter Driver;c:\windows\system32\DRIVERS\ladfGSCamd64.sys [2011-04-11 410184]

R3 LADF_RenderOnly;LADF Render Filter Driver;c:\windows\system32\DRIVERS\ladfGSRamd64.sys [2011-04-11 341832]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-15 24176]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-10-23 77104]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]

R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2012-09-19 203104]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-15 1255736]

S0 asahci64;asahci64;c:\windows\system32\DRIVERS\asahci64.sys [2012-01-06 49760]

S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2012-01-04 16152]

S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]

S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-10-20 283200]

S1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]

S1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]

S2 !SASCORE;SAS Core Service;d:\program files\SUPERAntiSpyware\SASCORE64.EXE [2012-07-11 140672]

S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.18\atkexComSvc.exe [2011-10-29 918448]

S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe [2012-02-02 951936]

S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [2010-10-21 586880]

S2 AsusFanControlService;AsusFanControlService;c:\program files (x86)\ASUS\AsusFanControlService\1.00.24\AsusFanControlService.exe [2012-02-01 1489024]

S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [2012-03-09 23816]

S2 DTSAudioSvc;DTSAudioSvc;c:\program files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe [2011-08-05 225280]

S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2012-01-11 627936]

S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-08-16 178344]

S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [2012-01-20 161560]

S2 McAfeeEngineService;McAfee Engine Service;c:\program files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe [2009-10-23 19720]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-10-23 79504]

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344]

S2 Samsung Network Fax Server;Samsung Network Fax Server;c:\windows\system32\spool\drivers\x64\3\NetFaxServer64.exe [2012-04-26 237056]

S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2012-02-15 11576]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-12-29 383416]

S2 WinFLdrv;WinFLdrv;SysWOW64\WinFLdrv.sys [x]

S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [2011-11-03 130536]

S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [2011-11-03 395752]

S3 ASUSFILTER;ASUSFILTER;SysWow64\drivers\ASUSFILTER.sys [x]

S3 ICCWDT;Intel® Watchdog Timer Driver (Intel® WDT);c:\windows\system32\DRIVERS\ICCWDT.sys [2010-08-17 26136]

S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2012-01-04 355096]

S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2012-01-04 786200]

S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-24 22408]

S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-24 16008]

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-16 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 18:54]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\Hai\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-12-28 6457960]

"RtHDVBg_DTS"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-11-15 1156712]

"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2011-12-07 5889816]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - d:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - d:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\Hai\AppData\Roaming\Mozilla\Firefox\Profiles\c4g4sdlg.default\

FF - ExtSQL: !HIDDEN! 2012-05-07 18:22; hotfix@mozilla.org; c:\users\Hai\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\McAfee\Common Framework\FrameworkService.exe

c:\program files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files (x86)\McAfee\Common Framework\naPrdMgr.exe

.

**************************************************************************

.

Completion time: 2013-02-15 23:38:17 - machine was rebooted

ComboFix-quarantined-files.txt 2013-02-16 07:38

ComboFix2.txt 2013-02-06 15:29

ComboFix3.txt 2013-02-06 07:10

ComboFix4.txt 2013-02-06 06:30

.

Pre-Run: 152,273,502,208 bytes free

Post-Run: 152,246,972,416 bytes free

.

- - End Of File - - 47DE6004AB69B5B3273B2AED6207992F

TheDarkKnight · February 16, 2013

Hello Jedarius,

A new log from MBAM please.

Jedarius · February 16, 2013

Here's the latest MBAM log:

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.02.15.06

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Hai :: HAI-HPC [administrator]

Protection: Enabled

2/16/2013 2:00:11 PM

mbam-log-2013-02-16 (14-00-11).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 216147

Time elapsed: 37 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

------------------

Looks clean

I will run another sweep tonight after 11:30PM to see if it re-emerges. Thanks for the help!

TheDarkKnight · February 16, 2013

Howdy Jedarius,

In the meantime please run this scan.

Please run a free online scan with the ESET Online Scanner.

Note: You can use Internet Explorer or Mozilla Firefox for this scan.

Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
Click Scan.
Wait for the scan to finish.
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

Jedarius · February 17, 2013

ESETSmartInstaller@High as downloader log:

all ok

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6920

# api_version=3.0.2

# EOSSerial=7d28c1370c3b3e4795de059000301358

# engine=13173

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2013-02-17 01:35:34

# local_time=2013-02-16 05:35:34 (-0800, Pacific Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode=5893 16776574 100 94 8265 112608384 0 0

# scanned=216295

# found=3

# cleaned=0

# scan_time=6412

sh=E2810B9B3BB9B77A9D9C368F5667D75C8C5E7856 ft=1 fh=a2566cf690f106ad vn="a variant of MSIL/Adware.BHO.B application" ac=I fn="C:\Users\Hai\AppData\Roaming\WinLive\WinLive.dll"

sh=B2790B1DEE00BA7EEC07B4E0868E32FB1B330941 ft=1 fh=97dd9fbbdab00a6c vn="a variant of Win32/HackTool.CheatEngine.AG application" ac=I fn="D:\cht\ac30-Jedarius.exe"

sh=F860B0DD592E60596327089E8A76101626EE3303 ft=1 fh=46b2cbe6b4eb892e vn="a variant of Win32/GameHack.S application" ac=I fn="F:\cht\pztrain.exe"

ESETSmartInstaller@High as downloader log:

all ok

TheDarkKnight · February 17, 2013

Hello Jedarius,

To do this, please set Win7 to show hidden/system files and folders so that you can find them:

Please click Start and open My Computer.
On the Organize tab, click on Folder and search options.
On the View tab, uncheck Hide file extensions for known file types.
Also uncheck Hide protected operating system files (Recommended) and click Yes on the warning message.
Under Hidden files and folders, check Show hidden files, folders, or drives.
Click Apply.
Click OK and close My Computer.

I will give you instructions for hiding them again after it looks like your computer is clean.

Then, please delete this file:

C:\Users\Hai\AppData\Roaming\WinLive\WinLive.dll

=====

Also, please download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Jedarius · February 17, 2013

I've deleted the WinLive.dll file and here's the SecurityCheck.exe log

Results of screen317's Security Check version 0.99.57

Windows 7 Service Pack 1 x64 (UAC is disabled!)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Windows Firewall Disabled!

McAfee VirusScan Enterprise

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.70.0.1100

Java 6 Update 21

Java version out of Date!

Adobe Flash Player 10 Flash Player out of Date!

Adobe Flash Player 11.2.202.233 Flash Player out of Date!

Adobe Reader 10.1.3 Adobe Reader out of Date!

Mozilla Firefox (18.0.2)

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

McAfee VirusScan Enterprise x64 EngineServer.exe

McAfee VirusScan Enterprise VsTskMgr.exe

McAfee VirusScan Enterprise x64 McShield.exe

McAfee VirusScan Enterprise x64 mfeann.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 41% Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````

----------------------------

Here's the latest MBAM log, looks like things are good:

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.02.15.06

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Hai :: HAI-HPC [administrator]

Protection: Enabled

2/17/2013 12:00:36 AM

mbam-log-2013-02-17 (00-00-36).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 216399

Time elapsed: 38 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Jedarius · February 17, 2013

Looks like it's back again.

Malwarebytes Anti-Malware (PRO) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.02.17.02

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Hai :: HAI-HPC [administrator]

Protection: Enabled

2/17/2013 11:41:54 AM

mbam-log-2013-02-17 (11-41-54).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 208830

Time elapsed: 36 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|WindowsLiveUpdate (Trojan.Agent.DL) -> Data: C:\Users\Hai\AppData\Roaming\MCommon\WindowsLiveUpdate.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Users\Hai\AppData\Roaming\MCommon\WindowsLiveUpdate.exe (Trojan.Agent.DL) -> Quarantined and deleted successfully.

(end)

TheDarkKnight · February 17, 2013

Good morning Jedarius,

Run MBAM and fix anything it finds before proceeding.

Then, please follow these instructions to remove the remaining malicious entries:

Please close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open Notepad and copy/paste the text in the quotebox below into it:
Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.

killall::
Firefox::
FF - ProfilePath - c:\users\Hai\AppData\Roaming\Mozilla\Firefox\Profiles\c4g4sdlg.default\
FF - ExtSQL: !HIDDEN! 2012-05-07 18:22; hotfix@mozilla.org; C:\Users\Hai\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix
Save this as CFScript.txt, in the same location as ComboFix.exe.
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt.

Please post the ComboFix.txt in your next reply.

Run MBAM again and let me know what it finds please.

Jedarius · February 17, 2013

Here's the ComboFix.txt log:

ComboFix 13-02-15.01 - Hai 02/17/2013 15:48:17.5.4 - x64

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.16339.14167 [GMT -8:00]

Running from: c:\users\Hai\Desktop\ComboFix.exe

Command switches used :: c:\users\Hai\Desktop\CFScript.txt

AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\Hai\AppData\Local\Temp\26b4a1dd-e07b-48af-be4e-9642b273284b\CliSecureRT.dll

.

((((((((((((((((((((((((( Files Created from 2013-01-17 to 2013-02-17 )))))))))))))))))))))))))))))))

.

2013-02-17 23:50 . 2013-02-17 23:50 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-02-16 23:45 . 2013-02-16 23:45 -------- d-----w- c:\program files (x86)\ESET

2013-02-15 04:35 . 2013-01-09 01:10 996352 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll

2013-02-15 04:35 . 2013-01-08 22:01 768000 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll