
FBI "Computer Crime and Intellectual Property" ransomware - help



Hi All, This is a determined piece of malware. I am infected and presented initially with the FBI screen after logging on. This is the variant asking for $300 MoneyPak. I initially tried HitmanPro and on its second scan it showed and quarantined an executable in my Documents folder, 7a8205fe.exe. After rebooting and logging on I now stop at a failing command window trying to execute that exe. I am able to execute commands from this window, but some, like Explorer, yield the malware screen. Next, I ran Malwarebytes but it found nothing. After reading this forum I downloaded and ran FRST from the command window, and here are the results:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-05-2013

Ran by David (administrator) on 15-05-2013 11:32:36

Running from L:\

Windows 7 Ultimate Service Pack 1 (X86) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe

(Trusteer Ltd.) C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe

(Amazon.com) C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe

(American Power Conversion Corporation) C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

(Microsoft Corporation) C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe

(InterVideo Inc.) C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

(Carbonite, Inc. (www.carbonite.com)) C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

() C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe

(Juniper Networks) C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

() c:\hp\HPEZBTN\HPBtnSrv.exe

(Verizon) C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe

(InterVideo) C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

(Hewlett-Packard Company) c:\Program Files\Common Files\LightScribe\LSSrvc.exe

(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS32.exe

() C:\Windows\system32\PSIService.exe

(Secunia) C:\Program Files\Secunia\PSI\PSIA.exe

(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

(Splashtop Inc.) C:\Program Files\Splashtop\Splashtop Remote\Server\SRService.exe

(SupportSoft, Inc.) C:\Program Files\VERIZONDM\bin\sprtsvc.exe

(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

(Splashtop Inc.) C:\Program Files\Splashtop\Splashtop Software Updater\SSUService.exe

(SupportSoft, Inc.) C:\Program Files\VERIZONDM\bin\tgsrvc.exe

(Viewpoint Corporation) C:\Program Files\Viewpoint\Common\ViewpointService.exe

(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

(Amazon.com) C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe

(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe

(Secunia) C:\Program Files\Secunia\PSI\sua.exe

(Hewlett-Packard) c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

(Microsoft Corporation) C:\Windows\system32\cmd.exe

(Splashtop Inc.) C:\Program Files\Splashtop\Splashtop Remote\Server\SRServer.exe

(Splashtop Inc.) C:\Program Files\Splashtop\Splashtop Remote\Server\SRFeature.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

(Trusteer Ltd.) C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

(Farbar) L:\FRST.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe [246272 2009-02-02] (Amazon.com)

HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [47392 2010-03-16] (Apple Inc.)

HKLM\...\Run: [CamserviceDP] C:\Program Files\Hercules\Dualpix Infinite\Camservice.exe /startup [345384 2008-09-26] (Guillemot Corporation S.A.)

HKLM\...\Run: [Corel Photo Downloader] "C:\Program Files\Corel\Corel MediaOne\Corel Photo Downloader.exe" -startup [483144 2007-08-17] (Corel, Inc.)

HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)

HKLM\...\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-06-16] (Hewlett-Packard)

HKLM\...\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe [65536 2007-04-18] (Hewlett-Packard Company)

HKLM\...\Run: [KBD] C:\HP\KBD\KbdStub.EXE [65536 2006-12-08] ()

HKLM\...\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe" [118640 2009-07-24] (Microsoft Corporation)

HKLM\...\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [118784 2007-02-15] (OsdMaestro)

HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]

HKLM\...\Run: [uVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe [341232 2007-07-23] (InterVideo Digital Technology Corporation)

HKLM\...\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" [158448 2010-01-07] (Microsoft Corporation)

HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)

HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)

HKLM\...\Run: [VERIZONDM] "C:\Program Files\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM [206120 2011-12-01] (SupportSoft, Inc.)

HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)

HKLM\...\Run: [] [x]

HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [947152 2013-01-27] (Microsoft Corporation)

HKLM\...\Run: [navservice] "C:\Program Files\Navionics World\NavService.exe" [40960 2012-04-29] ()

HKLM\...\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe [1065032 2012-09-13] (Carbonite, Inc.)

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

HKLM\...\Run: [DivXMediaServer] C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe [450560 2012-11-13] ()

HKLM\...\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1263512 2012-11-01] ()

HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)

HKLM\...\Runonce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq [x]

HKLM\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)

HKCU\...\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun [1174016 2010-11-20] (Microsoft Corporation)

HKCU\...\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US [4331392 2012-05-30] (AOL Inc.)

HKCU\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [144384 2010-11-20] (Microsoft Corporation)

HKCU\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY [1644088 2009-08-05] (Hewlett-Packard)

HKCU\...\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler [213936 2006-03-20] (Macrovision Corporation)

HKCU\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [451872 2007-07-18] (Hewlett-Packard Company)

HKCU\...\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer [2264336 2010-08-24] (TiVo Inc.)

HKCU\...\Run: [TivoTransfer] C:\Program Files\TiVo\Desktop\TiVoTransfer.exe [608528 2010-08-24] (TiVo Inc.)

HKCU\...\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify [437520 2010-08-24] (TiVo Inc.)

HKCU\...\Run: [TranscodingService] C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe [856336 2010-08-24] (TiVo Inc.)

HKCU\...\Run: [Facebook Update] "C:\Users\David\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-07-11] (Facebook Inc.)

HKCU\...\Run: [Verizon Media Manager] C:\Program Files\Verizon\Verizon Media Manager\Release\Verizon Media Manager.exe 0 [1523712 2012-10-10] ()

HKCU\...\Winlogon: [shell] cmd.exe [302592 2010-11-20] (Microsoft Corporation) <==== ATTENTION

HKU\IUSR_NMPR\...\RunOnce: [WAB Migrate] %ProgramFiles%\Windows Mail\wab.exe /Upgrade [ 2010-11-20] (Microsoft Corporation)

HKU\IUSR_NMPR\...\RunOnce: [DPAPIKeyMig] %SystemRoot%\system32\dpapimig.exe -quiet [ 2009-07-13] (Microsoft Corporation)

HKU\Mcx1\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [ 2010-11-20] (Microsoft Corporation)

HKU\Mcx1\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [ 2009-08-05] (Hewlett-Packard)

HKU\Mcx1\...\RunOnce: [WAB Migrate] %ProgramFiles%\Windows Mail\wab.exe /Upgrade [ 2010-11-20] (Microsoft Corporation)

HKU\Mcx1\...\RunOnce: [DPAPIKeyMig] %SystemRoot%\system32\dpapimig.exe -quiet [ 2009-07-13] (Microsoft Corporation)

Startup: C:\ProgramData\Start Menu\Programs\Startup\Amazon Unbox.lnk

ShortcutTarget: Amazon Unbox.lnk -> C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe (Amazon.com)

Startup: C:\ProgramData\Start Menu\Programs\Startup\APC UPS Status.lnk

ShortcutTarget: APC UPS Status.lnk -> C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)

Startup: C:\ProgramData\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)

Startup: C:\ProgramData\Start Menu\Programs\Startup\Secunia PSI Tray.lnk

ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)

Startup: C:\ProgramData\Start Menu\Programs\Startup\Snapfish Media Detector.lnk

ShortcutTarget: Snapfish Media Detector.lnk -> C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx

HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.com/ig?hl=en

http://www.facebook.com/home.php?sk=lf#!

http://aprs.fi/?call=K1YQZ

http://riyachting.com/

http://my.boatus.com//memberpage.asp?pageid=

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop

HKLM SearchScopes: DefaultScope {92484F68-4810-4D30-B9C9-5588B2E09779} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt

SearchScopes: HKLM - {92484F68-4810-4D30-B9C9-5588B2E09779} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt

SearchScopes: HKLM - {A67AC368-D438-42E5-92E5-FE1EC2715FCF} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd

SearchScopes: HKLM - {C3D61A17-A11F-43DF-AAAE-9C343A1C66B6} URL = http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7

SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =

SearchScopes: HKCU - {92484F68-4810-4D30-B9C9-5588B2E09779} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt

SearchScopes: HKCU - {A67AC368-D438-42E5-92E5-FE1EC2715FCF} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd

SearchScopes: HKCU - {C3D61A17-A11F-43DF-AAAE-9C343A1C66B6} URL = http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7

BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)

BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

BHO: DivX Plus Web Player HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)

BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)

BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKCU -&Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)

PDF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab

PDF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

PDF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

PDF: {115B1886-2AE0-4259-9FE4-E32A5DEE5451} http://www.wowweesupport.com/download/rovio/WebSee_4.0.cab

PDF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

PDF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab

PDF: {49232000-16E4-426C-A231-62846947304B} https://wimpro2.cce.hp.com/ChatEntry/downloads/sysinfo.cab

PDF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab

PDF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab

PDF: {71D413D7-38C5-4035-8548-976522CF11D5} http://www.crucial.com/controls/cpcVistaBeta.cab

PDF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

PDF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

PDF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} https://sslvpn.amica.com/InternalSite/WhlCompMgr.cab

PDF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

PDF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

PDF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

PDF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://sslvpn.amica.com/dana-cached/sc/JuniperSetupClient.cab

PDF: {F5131C24-E56D-11CF-B78A-444553540000} http://activex.microsoft.com/controls/iptdweb/ikcntrls.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)

Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)

Winsock: Catalog5 01 C:\PROGRA~1\WHALEC~1\CLIENT~1\31265D~1.0\WhlNSP.dll File Not found ()

Winsock: Catalog5 10 C:\Program Files\Bonjour\mdnsNSP.dll [20992] (Microsoft Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:

========

FF ProfilePath: C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s0lwqsxt.default

FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()

FF Plugin: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)

FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF Plugin: @canon.com/EPPEX - C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)

FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)

FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)

FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF Plugin: @google.com/npPicasa2,version=2.0.0 - C:\Program Files\Picasa2\npPicasa2.dll No File

FF Plugin: @google.com/npPicasa3,version=3.0.0 - C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)

FF Plugin: @java.com/DTPlugin,version=10.17.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)

FF Plugin: @java.com/JavaPlugin,version=10.17.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)

FF Plugin: @microsoft.com/GENUINE - disabled No File

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)

FF Plugin: @microsoft.com/VirtualEarth3D,version=4.0 - C:\Program Files\Virtual Earth 3D\ ()

FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF Plugin: @microsoft.com/WPF,version=3.5 - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF Plugin: @movenetworks.com/Quantum Media Player - C:\Users\David\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll (Move Networks)

FF Plugin: @nvidia.com/3DVision - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)

FF Plugin: @nvidia.com/3DVisionStreaming - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)

FF Plugin: @pack.google.com/Google Updater;version=14 - C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)

FF Plugin: @real.com/RhapsodyPlayerEngine,version=1.0 - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)

FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: @viewpoint.com/VMP - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()

FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF Extension: Google Toolbar for Firefox - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s0lwqsxt.default\Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF Extension: No Name - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s0lwqsxt.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi

Chrome:

=======

CHR HomePage: hxxp://www.google.com/

CHR RestoreOnStartup: "hxxp://www.google.com/"

CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}

CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}

CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\26.0.1410.64\PepperFlash\pepflashplayer.dll ()

CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer

CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\26.0.1410.64\ppGoogleNaClPluginChrome.dll ()

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\26.0.1410.64\pdf.dll ()

CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)

CHR Plugin: (downloadUpdater) - C:\Program Files\Mozilla Firefox\plugins\npdnu.dll (AOL LLC)

CHR Plugin: (downloadUpdater2) - C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll (AOL LLC)

CHR Plugin: (Navionics NavIn) - C:\Program Files\Mozilla Firefox\plugins\npNavIn.dll (Navionics)

CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll (Apple Inc.)

CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll (Apple Inc.)

CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll (Apple Inc.)

CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll (Apple Inc.)

CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll (Apple Inc.)

CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll (Apple Inc.)

CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll (Apple Inc.)

CHR Plugin: (MetaStream 3 Plugin) - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll ()

CHR Plugin: (AmazonMP3DownloaderPlugin) - C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll (Amazon.com, Inc.)

CHR Plugin: (CANON iMAGE GATEWAY Album Plugin Utility for IJ) - C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)

CHR Plugin: (DivX VOD Helper Plug-in) - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)

CHR Plugin: (DivX Plus Web Player) - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)

CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)

CHR Plugin: (Google Updater) - C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)

CHR Plugin: (Picasa) - C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)

CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File

CHR Plugin: (Java Platform SE 7 U17) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)

CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)

CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)

CHR Plugin: (RealNetworks Rhapsody Player Engine) - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)

CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

CHR Plugin: (Unity Player) - C:\Users\David\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

CHR Plugin: (Facebook Video Calling Plugin) - C:\Users\David\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)

CHR Plugin: (Move Streaming Media Player) - C:\Users\David\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll (Move Networks)

CHR Plugin: (Move Streaming Media Player) - C:\Users\David\AppData\Roaming\Move Networks\plugins\npqmp071701000008.dll (Move Networks)

CHR Plugin: (Windows Presentation Foundation) - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw_1200112.dll No File

CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll No File

CHR Plugin: (Java Deployment Toolkit 7.0.170.2) - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)

CHR Extension: (Google Docs) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0

CHR Extension: (Google Drive) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0

CHR Extension: (YouTube) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0

CHR Extension: (Google Search) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0

CHR Extension: (Skype Click to Call) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\6.7.0.12055_0

CHR Extension: (DivX Plus Web Player HTML5 \u003Cvideo\u003E) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.2.145_0

CHR Extension: (Gmail) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0

========================== Services (Whitelisted) =================

R2 ADVService; C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe [25704 2010-03-04] (Amazon.com)

S3 AlertService; C:\Program Files\Intel\IntelDH\CCU\AlertService.exe [188416 2006-09-11] (Intel® Corporation)

R2 Amazon Download Agent; C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [317440 2009-02-02] (Amazon.com)

R2 APC UPS Service; C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe [689408 2007-07-19] (American Power Conversion Corporation)

R2 Capture Device Service; C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe [198168 2007-03-06] (InterVideo Inc.)

R2 CarboniteService; C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe [4646472 2012-09-13] (Carbonite, Inc. (www.carbonite.com))

S3 DMService; C:\Windows\Downloaded Program Files\DMService.exe [423576 2008-04-05] (Whale Communications, a Microsoft subsidiary)

R2 DQLWinService; C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [208896 2006-09-03] ()

R2 dsNcService; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [670792 2011-09-08] (Juniper Networks)

S2 gupdate1c9e8a748642a0; C:\Program Files\Google\Update\GoogleUpdate.exe [133104 2009-06-08] (Google Inc.)

R2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-06-16] (Hewlett-Packard)

R2 HPBtnSrv; c:\hp\HPEZBTN\HPBtnSrv.exe [198240 2007-05-29] ()

R2 IHA_MessageCenter; C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [352248 2012-08-03] (Verizon)

S2 IntelDHSvcConf; C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [29696 2006-05-10] (Intel® Corporation)

S3 ISSM; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe [75264 2006-09-11] (Intel® Corporation)

S3 M1 Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [26624 2006-09-01] ()

R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)

R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)

S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)

S3 MCLServiceATL; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe [167936 2006-09-11] (Intel® Corporation)

R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [20456 2013-01-27] (Microsoft Corporation)

R3 MSSQL$MSSMLBIZ; c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)

R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [295232 2013-01-27] (Microsoft Corporation)

S2 ProtexisLicensing; C:\Windows\system32\PSIService.exe [177704 2007-06-05] ()

S3 Remote UI Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe [544256 2006-09-11] (Intel® Corporation)

R2 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [994360 2011-10-14] (Secunia)

R2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [399416 2011-10-14] (Secunia)

R2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3289208 2013-04-15] (Skype Technologies S.A.)

R2 SplashtopRemoteService; C:\Program Files\Splashtop\Splashtop Remote\Server\SRService.exe [548264 2012-06-15] (Splashtop Inc.)

R2 sprtsvc_verizondm; C:\Program Files\VERIZONDM\bin\sprtsvc.exe [206120 2011-12-01] (SupportSoft, Inc.)

R2 SSUService; C:\Program Files\Splashtop\Splashtop Software Updater\SSUService.exe [370504 2012-03-15] (Splashtop Inc.)

R2 tgsrvc_verizondm; C:\Program Files\VERIZONDM\bin\tgsrvc.exe [185640 2011-12-01] (SupportSoft, Inc.)

S4 TivoBeacon2; C:\Program Files\TiVo\Desktop\TiVoBeacon.exe [1104656 2010-08-24] (TiVo Inc.)

R2 Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [24652 2007-01-04] (Viewpoint Corporation)

S3 whliocsv; C:\Program Files\Whale Communications\Client Components\3.1.0\whliocsv.exe [134808 2007-08-29] (Whale Communications, a Microsoft subsidiary)

S3 ZuneWlanCfgSvc; C:\Windows\system32\ZuneWlanCfgSvc.exe [447216 2010-01-07] (Microsoft Corporation)

S3 WPFFontCache_v0400; C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [x]

==================== Drivers (Whitelisted) ====================

S3 akshasp; C:\Windows\System32\DRIVERS\akshasp.sys [238208 2012-06-15] (Aladdin Knowledge Systems Ltd.)

S3 aksusb; C:\Windows\System32\DRIVERS\aksusb.sys [289152 2012-06-15] (SafeNet Inc.)

R3 camfilt2; C:\Windows\System32\Drivers\camfilt2.sys [94208 2008-08-13] (Guillemot Corporation)

R3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdpt.sys [26624 2011-09-08] (Juniper Networks)

S3 FLMckUsb; C:\Windows\System32\DRIVERS\ATTchDrv.sys [84360 2006-12-22] (AuthenTec, Inc.)

R2 hardlock; C:\Windows\system32\drivers\hardlock.sys [596424 2011-08-10] (SafeNet Inc.)

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [195296 2013-01-20] (Microsoft Corporation)

R1 MpKsl2b78e5a3; C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DD13E2B1-CC7A-41DC-BC6E-ED190D87612F}\MpKsl2b78e5a3.sys [29904 2013-05-15] (Microsoft Corporation)

R1 MpKsl9820d9ad; C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DD13E2B1-CC7A-41DC-BC6E-ED190D87612F}\MpKsl9820d9ad.sys [29904 2013-05-15] (Microsoft Corporation)

R1 NEOFLTR_710_19243; C:\Windows\system32\Drivers\NEOFLTR_710_19243.SYS [85064 2011-09-08] (Juniper Networks)

R3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)

R1 RapportCerberus_51755; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_51755.sys [317112 2013-04-22] ()

R1 RapportEI; C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys [103120 2013-04-30] (Trusteer Ltd.)

R1 RapportPG; C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [174320 2013-04-30] (Trusteer Ltd.)

R3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [9602944 2008-08-13] ()

S3 xcbdaNtscV; C:\Windows\System32\DRIVERS\xcbdaV.sys [157568 2009-07-13] (ViXS Systems Inc.)

S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [x]

S3 tsusbhub; system32\drivers\tsusbhub.sys [x]

S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-05-15 11:28 - 2013-05-15 11:28 - 00000000 ____D C:\FRST

2013-05-15 03:33 - 2013-04-04 18:11 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-15 03:33 - 2013-04-04 18:02 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2013-05-15 03:33 - 2013-04-04 18:02 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-15 03:33 - 2013-04-04 18:02 - 01104384 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-15 03:33 - 2013-04-04 18:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2013-05-15 03:33 - 2013-04-04 17:59 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-15 03:33 - 2013-04-04 17:58 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-15 03:33 - 2013-04-04 17:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2013-05-15 03:33 - 2013-04-04 17:57 - 00420864 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2013-05-15 03:33 - 2013-04-04 17:56 - 00607744 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-15 03:33 - 2013-04-04 17:55 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-15 03:33 - 2013-04-04 17:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2013-05-15 03:33 - 2013-04-04 17:50 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-15 03:32 - 2013-04-04 18:09 - 09738752 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-15 03:28 - 2013-05-05 15:25 - 12324864 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-15 03:28 - 2013-05-05 15:12 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-15 00:13 - 2013-04-10 01:18 - 00728424 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-15 00:13 - 2013-04-10 01:18 - 00218984 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-15 00:13 - 2013-04-09 23:14 - 02347520 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-15 00:13 - 2013-03-19 00:53 - 00186368 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-15 00:13 - 2013-03-18 23:33 - 00040960 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-05-15 00:13 - 2013-02-27 01:05 - 00101720 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-15 00:13 - 2013-02-27 00:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-15 00:13 - 2013-02-27 00:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-15 00:13 - 2013-02-27 00:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-15 00:13 - 2013-02-27 00:49 - 00047104 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-14 21:46 - 2013-05-14 21:46 - 00001065 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-05-14 21:46 - 2013-05-14 21:46 - 00000000 ____D C:\Users\David\AppData\Roaming\Malwarebytes

2013-05-14 21:46 - 2013-05-14 21:46 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-05-14 21:46 - 2013-05-14 21:46 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-05-14 21:46 - 2013-04-04 14:50 - 00022856 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2013-05-14 20:36 - 2013-05-14 20:36 - 00000742 ____A C:\Windows\System32\.crusader

2013-05-14 19:37 - 2013-05-14 19:37 - 00000000 ____D C:\Program Files\HitmanPro

2013-05-14 18:37 - 2013-05-14 20:36 - 00000000 ____D C:\ProgramData\HitmanPro

2013-05-14 18:37 - 2013-05-14 18:37 - 00153328 ____A C:\Windows\Minidump\051413-59389-01.dmp

2013-05-14 18:37 - 2013-05-14 18:37 - 00000000 ____D C:\Windows\Minidump

2013-05-14 18:36 - 2013-05-14 18:36 - 307725991 ____A C:\Windows\MEMORY.DMP

2013-05-14 16:40 - 2013-05-14 16:40 - 00404828 ____A C:\Users\David\AppData\Roaming\2433f433

2013-05-14 16:40 - 2013-05-14 16:40 - 00404817 ____A C:\ProgramData\2433f433

2013-05-14 16:40 - 2013-05-14 16:40 - 00404812 ____A C:\Users\David\AppData\Local\2433f433

2013-05-14 16:40 - 2013-05-14 16:40 - 00025088 ____A C:\Users\David\Documents\7a8205fe.dll

2013-04-30 01:28 - 2013-04-30 01:28 - 00102448 ____A (Trusteer Ltd.) C:\Windows\System32\Drivers\RapportKELL.sys

2013-04-29 15:20 - 2013-04-29 15:20 - 00000000 ____D C:\Users\David\AppData\Local\Macromedia

2013-04-29 14:41 - 2013-05-03 21:33 - 00002006 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk

2013-04-29 14:41 - 2013-05-03 21:32 - 00000000 ____D C:\Program Files\McAfee Security Scan

2013-04-29 14:41 - 2013-04-29 14:41 - 00000000 ____D C:\ProgramData\McAfee Security Scan

2013-04-24 02:15 - 2013-04-12 09:45 - 01211752 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ntfs.sys

==================== One Month Modified Files and Folders ========

2013-05-15 11:28 - 2013-05-15 11:28 - 00000000 ____D C:\FRST

2013-05-15 11:26 - 2009-06-26 23:08 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2013-05-15 11:18 - 2012-03-31 12:57 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-05-15 11:03 - 2009-06-26 23:08 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2013-05-15 10:33 - 2010-11-13 00:25 - 00009712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-05-15 10:33 - 2010-11-13 00:25 - 00009712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-05-15 10:31 - 2010-11-13 01:28 - 01657301 ____A C:\Windows\WindowsUpdate.log

2013-05-15 10:25 - 2009-07-14 00:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-05-15 10:25 - 2009-07-14 00:39 - 04808094 ____A C:\Windows\setupact.log

2013-05-15 10:25 - 2008-01-24 19:33 - 00000000 ____D C:\ProgramData\NVIDIA

2013-05-15 08:52 - 2011-09-22 23:41 - 00000928 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1269665831-4724830-4121108689-1001UA.job

2013-05-15 06:18 - 2012-03-31 12:57 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe

2013-05-15 06:18 - 2011-08-19 21:14 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2013-05-15 05:18 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\rescache

2013-05-15 04:03 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\Microsoft.NET

2013-05-15 03:52 - 2009-07-14 00:33 - 00507136 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-15 03:34 - 2008-04-07 20:56 - 00000000 ____D C:\ProgramData\Microsoft Help

2013-05-15 03:30 - 2010-11-13 01:39 - 00835398 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-15 03:02 - 2011-06-16 22:27 - 72607752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-05-14 21:46 - 2013-05-14 21:46 - 00001065 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2013-05-14 21:46 - 2013-05-14 21:46 - 00000000 ____D C:\Users\David\AppData\Roaming\Malwarebytes

2013-05-14 21:46 - 2013-05-14 21:46 - 00000000 ____D C:\ProgramData\Malwarebytes

2013-05-14 21:46 - 2013-05-14 21:46 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2013-05-14 20:36 - 2013-05-14 20:36 - 00000742 ____A C:\Windows\System32\.crusader

2013-05-14 20:36 - 2013-05-14 18:37 - 00000000 ____D C:\ProgramData\HitmanPro

2013-05-14 19:37 - 2013-05-14 19:37 - 00000000 ____D C:\Program Files\HitmanPro

2013-05-14 18:37 - 2013-05-14 18:37 - 00153328 ____A C:\Windows\Minidump\051413-59389-01.dmp

2013-05-14 18:37 - 2013-05-14 18:37 - 00000000 ____D C:\Windows\Minidump

2013-05-14 18:36 - 2013-05-14 18:36 - 307725991 ____A C:\Windows\MEMORY.DMP

2013-05-14 17:53 - 2011-09-22 23:41 - 00000906 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1269665831-4724830-4121108689-1001Core.job

2013-05-14 16:40 - 2013-05-14 16:40 - 00404828 ____A C:\Users\David\AppData\Roaming\2433f433

2013-05-14 16:40 - 2013-05-14 16:40 - 00404817 ____A C:\ProgramData\2433f433

2013-05-14 16:40 - 2013-05-14 16:40 - 00404812 ____A C:\Users\David\AppData\Local\2433f433

2013-05-14 16:40 - 2013-05-14 16:40 - 00025088 ____A C:\Users\David\Documents\7a8205fe.dll

2013-05-14 14:53 - 2009-06-08 22:03 - 00000868 ____A C:\Windows\Tasks\Google Software Updater.job

2013-05-12 16:18 - 2012-12-11 16:21 - 00000000 ____D C:\Users\David\AppData\Roaming\Dropbox

2013-05-09 14:27 - 2009-10-15 14:44 - 00000052 ____A C:\Windows\System32\DOErrors.log

2013-05-05 15:25 - 2013-05-15 03:28 - 12324864 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-05 15:12 - 2013-05-15 03:28 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-03 21:33 - 2013-04-29 14:41 - 00002006 ____A C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk

2013-05-03 21:32 - 2013-04-29 14:41 - 00000000 ____D C:\Program Files\McAfee Security Scan

2013-05-02 11:28 - 2010-08-13 00:45 - 00238872 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

2013-04-30 01:28 - 2013-04-30 01:28 - 00102448 ____A (Trusteer Ltd.) C:\Windows\System32\Drivers\RapportKELL.sys

2013-04-29 15:20 - 2013-04-29 15:20 - 00000000 ____D C:\Users\David\AppData\Local\Macromedia

2013-04-29 14:41 - 2013-04-29 14:41 - 00000000 ____D C:\ProgramData\McAfee Security Scan

2013-04-29 14:41 - 2008-01-24 19:45 - 00000000 ____D C:\ProgramData\Adobe

2013-04-29 14:15 - 2009-03-23 22:14 - 00000000 ____D C:\Program Files\Big Kahuna Reef

2013-04-29 13:53 - 2013-04-02 15:20 - 00000000 ____D C:\Program Files\Mozilla Firefox

2013-04-29 13:53 - 2012-04-02 22:14 - 00000000 ___RD C:\Program Files\Skype

2013-04-29 13:53 - 2008-05-05 21:36 - 00000000 ____D C:\ProgramData\Skype

2013-04-29 13:50 - 2012-12-11 16:24 - 00000000 ___RD C:\Users\David\Dropbox

2013-04-22 13:35 - 2010-11-13 01:02 - 00093000 ____A C:\Windows\PFRO.log

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

Last Boot: 2013-05-14 00:43

==================== End Of Log ============================

There is also an additional txt file if needed.

Thanks in advance for any assistance you can provide, dave


Hello vhe9606 and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste). Save it on the flashdrive as fixlist.txt

C:\Users\David\AppData\Roaming\2433f433

C:\ProgramData\2433f433

C:\Users\David\AppData\Local\2433f433

C:\Users\David\Documents\7a8205fe.dll

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.


Hello Maniac, You are the man! Followed your instructions, log to follow. Once done I rebooted and then logged on. As before the screen remained blank with a failed command window open that had tried to execute the moved 7a8205fe.exe. This time I brought up task manager and executed Explorer which loaded the normal desktop. I must still have the cmd to execute the malware in the startup process somewhere. Here's the log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-05-2013

Ran by SYSTEM at 2013-05-15 17:32:20 Run:1

Running from M:\

Boot Mode: Recovery

==============================================

C:\Users\David\AppData\Roaming\2433f433 => Moved successfully.

C:\ProgramData\2433f433 => Moved successfully.

C:\Users\David\AppData\Local\2433f433 => Moved successfully.

C:\Users\David\Documents\7a8205fe.dll => Moved successfully.

==== End of Fixlog ====

thanks for your continued efforts!, dave


Hi Maniac,

A quick update. I was poking around in my registry and found several instances of the exe that is trying to be executed at logon time. Most of them are in CLSID entries like this one: HKEY_USERS\S-1-5-21-1269665831-4724830-4121108689-1001\Software\Classes\CLSID\{89391514-9641-2045-4368-059355495537}\InProcServer32 with a default data value of C:\Users\David\Documents\7a8205fe.dll. One of the hits was in HKEY_USERS\S-1-5-21-1269665831-4724830-4121108689-1001\Software\Microsoft\Command Processor with an AutoRun value of C:\Users\David\Documents\7a8205fe.dll so I blanked it out and now when I reboot and logon it stops on a blank screen with a CMD window and prompt, no longer trying to autorun the executable. Something is still running the command prompt halting the logon although using task manager to start Explorer seems to bring everything up fine. And of course there are those other CLSID entries.

I will await your input - dave
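The two registry locations dave found by hand are both well-known persistence points: cmd.exe executes whatever is in the Command Processor AutoRun value every time a command prompt starts, and a per-user CLSID whose InProcServer32 default value points at a DLL gets that DLL loaded by any process that instantiates the COM object. The read-only audit below is an added example, not part of this thread or of FRST or ComboFix; it assumes the standard Windows key paths, treats the HKEY_USERS\S-1-5-21-... hive quoted above as the logged-on user's HKCU, and flags only entries whose target lives under a user profile or ProgramData (the pattern seen here). It reports and changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the cmd.exe AutoRun
# value and of per-user CLSID\InProcServer32 entries that point into
# user-writable locations. Assumes standard Windows registry paths.

function Test-SuspectPath {
    # True when the path resolves under C:\Users\ or ProgramData, i.e. a
    # location a standard user can write to (a DLL registered as a COM server
    # from there, as in the thread, deserves a look).
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in @("$env:SystemDrive\Users\", "$env:ProgramData\")) {
        if ($p.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-CmdAutoRunFindings {
    # Any AutoRun value at all is worth reporting: legitimate use is rare and
    # a DLL path here produces exactly the failing command window described above.
    foreach ($key in @('HKLM:\Software\Microsoft\Command Processor',
                       'HKCU:\Software\Microsoft\Command Processor')) {
        $val = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
        if ($val) {
            [pscustomobject]@{ Location = "$key\AutoRun"; Value = $val; Flag = 'cmd AutoRun set' }
        }
    }
}

function Get-UserClsidFindings {
    # Per-user COM registrations live under HKCU\Software\Classes\CLSID
    # (HKEY_USERS\<SID>\Software\Classes\CLSID for the same user).
    Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = "$($_.PSPath)\InProcServer32"
            $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
            if (Test-SuspectPath $dll) {
                [pscustomobject]@{
                    Location = "HKCU:\Software\Classes\CLSID\$($_.PSChildName)\InProcServer32"
                    Value    = $dll
                    Flag     = 'COM server in user-writable path'
                }
            }
        }
}

# Print both sets of findings; an empty result means nothing matched.
@(Get-CmdAutoRunFindings) + @(Get-UserClsidFindings) | Format-Table -AutoSize -Wrap
```

Run it from a normal PowerShell prompt as the affected user; only HKLM AutoRun needs elevation to read on some systems. The checks are deliberately narrow: they do not cover the Run keys or startup folder that ComboFix already lists, and a hit is a lead to verify (file publisher, hash, creation time) rather than a verdict.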


Please do not take any action while working together.

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Hello Maniac,

Here is the ComboFix.txt:

ComboFix 13-05-16.02 - David 05/16/2013 15:39:06.1.4 - x86

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3071.1593 [GMT -4:00]

Running from: c:\users\David\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}

SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\David\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk

c:\users\David\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk

c:\users\David\Documents\~WRL0001.tmp

.

.

((((((((((((((((((((((((( Files Created from 2013-04-16 to 2013-05-16 )))))))))))))))))))))))))))))))

.

.

2013-05-16 19:51 . 2013-05-16 19:54 -------- d-----w- c:\users\David\AppData\Local\temp

2013-05-16 19:51 . 2013-05-16 19:51 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2013-05-16 19:51 . 2013-05-16 19:51 -------- d-----w- c:\users\Mcx1\AppData\Local\temp

2013-05-16 19:51 . 2013-05-16 19:51 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp

2013-05-16 19:51 . 2013-05-16 19:51 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-05-16 19:02 . 2013-05-16 19:02 43600 ----a-w- c:\windows\system32\drivers\iugpaakq.sys

2013-05-16 14:23 . 2013-05-16 14:23 60872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{196A5639-8D5E-4973-A5B9-219028984806}\offreg.dll

2013-05-16 14:23 . 2013-05-16 14:23 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{196A5639-8D5E-4973-A5B9-219028984806}\MpKsl6a8a6ab4.sys

2013-05-16 14:19 . 2013-05-13 06:19 7016152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{196A5639-8D5E-4973-A5B9-219028984806}\mpengine.dll

2013-05-15 21:52 . 2013-05-13 06:19 7016152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-05-15 15:28 . 2013-05-15 15:28 -------- d-----w- C:\FRST

2013-05-15 07:28 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2013-05-15 04:13 . 2013-03-19 04:53 186368 ----a-w- c:\windows\system32\wwansvc.dll

2013-05-15 04:13 . 2013-03-19 03:33 40960 ----a-w- c:\windows\system32\wwanprotdim.dll

2013-05-15 04:13 . 2013-04-10 03:14 2347520 ----a-w- c:\windows\system32\win32k.sys

2013-05-15 04:13 . 2013-04-10 05:18 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2013-05-15 04:13 . 2013-04-10 05:18 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2013-05-15 04:13 . 2013-02-27 05:05 101720 ----a-w- c:\windows\system32\consent.exe

2013-05-15 04:13 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\system32\authui.dll

2013-05-15 04:13 . 2013-02-27 04:49 47104 ----a-w- c:\windows\system32\appinfo.dll

2013-05-15 01:46 . 2013-05-15 01:46 -------- d-----w- c:\users\David\AppData\Roaming\Malwarebytes

2013-05-15 01:46 . 2013-05-15 01:46 -------- d-----w- c:\programdata\Malwarebytes

2013-05-15 01:46 . 2013-05-15 01:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-05-15 01:46 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-05-15 01:45 . 2013-05-15 01:45 -------- d-----w- c:\users\David\AppData\Local\Programs

2013-05-14 23:37 . 2013-05-14 23:37 -------- d-----w- c:\program files\HitmanPro

2013-05-14 22:37 . 2013-05-15 00:36 -------- d-----w- c:\programdata\HitmanPro

2013-04-30 05:28 . 2013-04-30 05:28 102448 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2013-04-29 19:20 . 2013-04-29 19:20 -------- d-----w- c:\users\David\AppData\Local\Macromedia

2013-04-29 18:41 . 2013-04-29 18:41 -------- d-----w- c:\programdata\McAfee Security Scan

2013-04-29 18:41 . 2013-05-04 01:32 -------- d-----w- c:\program files\McAfee Security Scan

2013-04-24 06:15 . 2013-04-12 13:45 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-04-23 18:09 . 2013-04-23 18:08 706640 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0FB24BE0-A4AE-4318-8FD9-AB86B2F5673C}\gapaengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-05-15 14:16 . 2010-06-24 16:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2013-05-15 10:18 . 2012-03-31 16:57 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-05-15 10:18 . 2011-08-20 01:14 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-05-02 15:28 . 2010-08-13 04:45 238872 ------w- c:\windows\system32\MpSigStub.exe

2013-04-13 04:45 . 2013-05-15 04:13 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-04-13 04:45 . 2013-05-15 04:13 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-04-11 15:43 . 2013-04-11 15:43 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2013-04-11 15:43 . 2012-06-18 13:44 861088 ----a-w- c:\windows\system32\npdeployJava1.dll

2013-04-11 15:43 . 2012-02-04 06:15 782240 ----a-w- c:\windows\system32\deployJava1.dll

2013-04-02 14:09 . 2013-04-02 14:09 4550656 ----a-w- c:\windows\system32\GPhotos.scr

2013-03-19 05:04 . 2013-04-10 08:53 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-03-19 05:04 . 2013-04-10 08:53 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-19 04:48 . 2013-04-10 08:53 38912 ----a-w- c:\windows\system32\csrsrv.dll

2013-03-19 02:49 . 2013-04-10 08:53 69632 ----a-w- c:\windows\system32\smss.exe

2013-02-26 04:22 . 2013-02-26 04:22 1985824 ----a-w- c:\windows\system32\nvcuvenc.dll

2013-02-26 04:22 . 2012-10-11 02:14 1017120 ----a-w- c:\windows\system32\nvdispco32.dll

2013-02-26 04:22 . 2013-02-26 04:22 6262608 ----a-w- c:\windows\system32\nvopencl.dll

2013-02-26 04:22 . 2012-10-11 02:14 892704 ----a-w- c:\windows\system32\nvdispgenco32.dll

2013-02-26 04:22 . 2009-07-15 05:54 2505144 ----a-w- c:\windows\system32\nvapi.dll

2013-02-26 04:22 . 2009-07-13 22:09 12641992 ----a-w- c:\windows\system32\nvwgf2um.dll

2013-02-26 04:22 . 2009-06-10 21:19 15129960 ----a-w- c:\windows\system32\nvd3dum.dll

2013-02-26 04:22 . 2013-02-26 04:22 7932256 ----a-w- c:\windows\system32\nvcuda.dll

2013-02-26 04:22 . 2013-02-26 04:22 17560352 ----a-w- c:\windows\system32\nvcompiler.dll

2013-02-26 04:22 . 2013-02-26 04:22 20449056 ----a-w- c:\windows\system32\nvoglv32.dll

2013-02-26 04:22 . 2013-02-26 04:22 8939296 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys

2013-02-26 04:22 . 2013-02-26 04:22 2720544 ----a-w- c:\windows\system32\nvcuvid.dll

2013-05-15 16:10 . 2013-05-15 16:09 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2012-09-14 01:14 1014856 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2012-09-14 01:14 1014856 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

"Aim"="c:\program files\AIM\aim.exe" [2012-05-30 4331392]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]

"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-19 451872]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2010-08-24 2264336]

"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2010-08-24 608528]

"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2010-08-24 437520]

"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-24 856336]

"Facebook Update"="c:\users\David\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]

"Verizon Media Manager"="c:\program files\Verizon\Verizon Media Manager\Release\Verizon Media Manager.exe" [2012-10-10 1523712]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-02-02 246272]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]

"CamserviceDP"="c:\program files\Hercules\Dualpix Infinite\Camservice.exe" [2008-09-26 345384]

"Corel Photo Downloader"="c:\program files\Corel\Corel MediaOne\Corel Photo Downloader.exe" [2007-08-17 483144]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]

"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]

"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]

"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]

"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-07-23 341232]

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]

"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-12-01 206120]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]

"navservice"="c:\program files\Navionics World\NavService.exe" [2012-04-29 40960]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-09-14 1065032]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]

"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2012-11-01 1263512]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2010-3-4 97384]

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-1-12 267520]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]

Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]

Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R1 iugpaakq;iugpaakq;c:\windows\system32\drivers\iugpaakq.sys [x]

R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [x]

R2 gupdate1c9e8a748642a0;Google Update Service (gupdate1c9e8a748642a0);c:\program files\Google\Update\GoogleUpdate.exe [x]

R2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [x]

R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]

R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]

R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]

R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]

R3 DMService;Whale Component Manager;c:\windows\Downloaded Program Files\DMService.exe [x]

R3 FLMckUsb;AuthenTec TruePrint USB Driver for AES 3400, 3500, and 4000 Fingerprint Sensors;c:\windows\system32\DRIVERS\ATTchDrv.sys [x]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 whliocsv;Whale Network Connector Client;c:\program files\Whale Communications\Client Components\3.1.0\whliocsv.exe [x]

R3 xcbdaNtscV;ViXS Tuner Card (NTSC) - V;c:\windows\system32\DRIVERS\xcbdaV.sys [x]

R4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.318\McCHSvc.exe [x]

R4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [x]

S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [x]

S1 MpKsl6a8a6ab4;MpKsl6a8a6ab4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{196A5639-8D5E-4973-A5B9-219028984806}\MpKsl6a8a6ab4.sys [x]

S1 NEOFLTR_710_19243;Juniper Networks TDI Filter Driver (NEOFLTR_710_19243);c:\windows\system32\Drivers\NEOFLTR_710_19243.SYS [x]

S1 RapportCerberus_51755;RapportCerberus_51755;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_51755.sys [x]

S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [x]

S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [x]

S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [x]

S2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [x]

S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [x]

S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [x]

S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [x]

S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [x]

S2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files\Splashtop\Splashtop Remote\Server\SRService.exe [x]

S2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [x]

S2 SSUService;Splashtop Software Updater Service;c:\program files\Splashtop\Splashtop Software Updater\SSUService.exe [x]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]

S2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [x]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [x]

S3 camfilt2;camfilt2;c:\windows\system32\Drivers\camfilt2.sys [x]

S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [x]

S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]

S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]

S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MPKSL1A0619D6

*NewlyCreated* - MPKSL6A8A6AB4

*Deregistered* - MpKsl1a0619d6

*Deregistered* - NEOFLTR_650_14951

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService

FontCache

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-04-11 17:59 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-05-16 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-08 10:18]

.

2013-05-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1269665831-4724830-4121108689-1001Core.job

- c:\users\David\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-23 21:47]

.

2013-05-16 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1269665831-4724830-4121108689-1001UA.job

- c:\users\David\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-23 21:47]

.

2013-05-16 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-06 20:12]

.

2013-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 02:07]

.

2013-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 02:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: amazon.com\www

TCP: DhcpNameServer = 192.168.1.1

DPF: {115B1886-2AE0-4259-9FE4-E32A5DEE5451} - hxxp://www.wowweesupport.com/download/rovio/WebSee_4.0.cab

DPF: {71D413D7-38C5-4035-8548-976522CF11D5} - hxxp://www.crucial.com/controls/cpcVistaBeta.cab

FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s0lwqsxt.default\

FF - ExtSQL: !HIDDEN! 2010-11-12 23:40; {3112ca9c-de6d-4884-a869-9855de68056c}; c:\programdata\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - ExtSQL: !HIDDEN! 2010-11-12 23:41; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false

.

- - - - ORPHANS REMOVED - - - -

.

ShellIconOverlayIdentifiers-{95A27763-F62A-4114-9072-E81D87DE3B68} - c:\users\David\Documents\7a8205fe.dll

HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe

AddRemove-CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1 - c:\program files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\UIU32m.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{3049C3E9-B461-4BC5-8870-4C09146192CA}"=hex:51,66,7a,6c,4c,1d,38,12,87,c0,5a,

34,53,fa,ab,0e,f7,66,0f,49,11,3f,d6,de

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,

76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,

2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85

"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,

fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:31,15,d1,74,6e,bf,cc,01

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,2e,8b,c1,7b,24,75,4a,bc,cb,3b,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,2e,8b,c1,7b,24,75,4a,bc,cb,3b,\

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.HTM"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.HTM"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.MHT"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.MHT"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.partial\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.PARTIAL"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.SVG"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.URL"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.website\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.WEBSITE"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.XHT"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.XHT"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-05-16 15:56:17

ComboFix-quarantined-files.txt 2013-05-16 19:56

.

Pre-Run: 247,970,365,440 bytes free

Post-Run: 249,474,576,384 bytes free

.

- - End Of File - - F173D783B71148EC2797D359BEF56CC6


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

Driver::

iugpaakq

File::

c:\windows\system32\drivers\iugpaakq.sys

JavaClearCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Hello Maniac,

ComboFix.txt:

ComboFix 13-05-16.02 - David 05/16/2013 17:16:31.2.4 - x86

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3071.1479 [GMT -4:00]

Running from: c:\users\David\Desktop\ComboFix.exe

Command switches used :: c:\users\David\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}

SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\windows\system32\drivers\iugpaakq.sys"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\David\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk

c:\users\David\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_iugpaakq

.

.

((((((((((((((((((((((((( Files Created from 2013-04-16 to 2013-05-16 )))))))))))))))))))))))))))))))

.

.

2013-05-16 21:28 . 2013-05-16 21:47 -------- d-----w- c:\users\David\AppData\Local\temp

2013-05-16 21:28 . 2013-05-16 21:34 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2013-05-16 21:28 . 2013-05-16 21:28 -------- d-----w- c:\users\Mcx1\AppData\Local\temp

2013-05-16 21:28 . 2013-05-16 21:28 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp

2013-05-16 14:23 . 2013-05-16 14:23 60872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{196A5639-8D5E-4973-A5B9-219028984806}\offreg.dll

2013-05-16 14:23 . 2013-05-16 14:23 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{196A5639-8D5E-4973-A5B9-219028984806}\MpKsl6a8a6ab4.sys

2013-05-16 14:19 . 2013-05-13 06:19 7016152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{196A5639-8D5E-4973-A5B9-219028984806}\mpengine.dll

2013-05-15 21:52 . 2013-05-13 06:19 7016152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-05-15 15:28 . 2013-05-15 15:28 -------- d-----w- C:\FRST

2013-05-15 07:28 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2013-05-15 04:13 . 2013-03-19 04:53 186368 ----a-w- c:\windows\system32\wwansvc.dll

2013-05-15 04:13 . 2013-03-19 03:33 40960 ----a-w- c:\windows\system32\wwanprotdim.dll

2013-05-15 04:13 . 2013-04-10 03:14 2347520 ----a-w- c:\windows\system32\win32k.sys

2013-05-15 04:13 . 2013-04-10 05:18 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2013-05-15 04:13 . 2013-04-10 05:18 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2013-05-15 04:13 . 2013-02-27 05:05 101720 ----a-w- c:\windows\system32\consent.exe

2013-05-15 04:13 . 2013-02-27 04:49 1796096 ----a-w- c:\windows\system32\authui.dll

2013-05-15 04:13 . 2013-02-27 04:49 47104 ----a-w- c:\windows\system32\appinfo.dll

2013-05-15 01:46 . 2013-05-15 01:46 -------- d-----w- c:\users\David\AppData\Roaming\Malwarebytes

2013-05-15 01:46 . 2013-05-15 01:46 -------- d-----w- c:\programdata\Malwarebytes

2013-05-15 01:46 . 2013-05-15 01:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-05-15 01:46 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-05-15 01:45 . 2013-05-15 01:45 -------- d-----w- c:\users\David\AppData\Local\Programs

2013-05-14 23:37 . 2013-05-14 23:37 -------- d-----w- c:\program files\HitmanPro

2013-05-14 22:37 . 2013-05-15 00:36 -------- d-----w- c:\programdata\HitmanPro

2013-04-30 05:28 . 2013-04-30 05:28 102448 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

2013-04-29 19:20 . 2013-04-29 19:20 -------- d-----w- c:\users\David\AppData\Local\Macromedia

2013-04-29 18:41 . 2013-04-29 18:41 -------- d-----w- c:\programdata\McAfee Security Scan

2013-04-29 18:41 . 2013-05-04 01:32 -------- d-----w- c:\program files\McAfee Security Scan

2013-04-24 06:15 . 2013-04-12 13:45 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-04-23 18:09 . 2013-04-23 18:08 706640 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0FB24BE0-A4AE-4318-8FD9-AB86B2F5673C}\gapaengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-05-15 14:16 . 2010-06-24 16:33 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2013-05-15 10:18 . 2012-03-31 16:57 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-05-15 10:18 . 2011-08-20 01:14 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-05-02 15:28 . 2010-08-13 04:45 238872 ------w- c:\windows\system32\MpSigStub.exe

2013-04-13 04:45 . 2013-05-15 04:13 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-04-13 04:45 . 2013-05-15 04:13 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-04-11 15:43 . 2013-04-11 15:43 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2013-04-11 15:43 . 2012-06-18 13:44 861088 ----a-w- c:\windows\system32\npdeployJava1.dll

2013-04-11 15:43 . 2012-02-04 06:15 782240 ----a-w- c:\windows\system32\deployJava1.dll

2013-04-02 14:09 . 2013-04-02 14:09 4550656 ----a-w- c:\windows\system32\GPhotos.scr

2013-03-19 05:04 . 2013-04-10 08:53 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-03-19 05:04 . 2013-04-10 08:53 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-19 04:48 . 2013-04-10 08:53 38912 ----a-w- c:\windows\system32\csrsrv.dll

2013-03-19 02:49 . 2013-04-10 08:53 69632 ----a-w- c:\windows\system32\smss.exe

2013-02-26 04:22 . 2013-02-26 04:22 1985824 ----a-w- c:\windows\system32\nvcuvenc.dll

2013-02-26 04:22 . 2012-10-11 02:14 1017120 ----a-w- c:\windows\system32\nvdispco32.dll

2013-02-26 04:22 . 2013-02-26 04:22 6262608 ----a-w- c:\windows\system32\nvopencl.dll

2013-02-26 04:22 . 2012-10-11 02:14 892704 ----a-w- c:\windows\system32\nvdispgenco32.dll

2013-02-26 04:22 . 2009-07-15 05:54 2505144 ----a-w- c:\windows\system32\nvapi.dll

2013-02-26 04:22 . 2009-07-13 22:09 12641992 ----a-w- c:\windows\system32\nvwgf2um.dll

2013-02-26 04:22 . 2009-06-10 21:19 15129960 ----a-w- c:\windows\system32\nvd3dum.dll

2013-02-26 04:22 . 2013-02-26 04:22 7932256 ----a-w- c:\windows\system32\nvcuda.dll

2013-02-26 04:22 . 2013-02-26 04:22 17560352 ----a-w- c:\windows\system32\nvcompiler.dll

2013-02-26 04:22 . 2013-02-26 04:22 20449056 ----a-w- c:\windows\system32\nvoglv32.dll

2013-02-26 04:22 . 2013-02-26 04:22 8939296 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys

2013-02-26 04:22 . 2013-02-26 04:22 2720544 ----a-w- c:\windows\system32\nvcuvid.dll

2013-05-15 16:10 . 2013-05-15 16:09 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2012-09-14 01:14 1014856 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2012-09-14 01:14 1014856 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

"Aim"="c:\program files\AIM\aim.exe" [2012-05-30 4331392]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]

"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-19 451872]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2010-08-24 2264336]

"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2010-08-24 608528]

"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2010-08-24 437520]

"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-24 856336]

"Facebook Update"="c:\users\David\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-11 138096]

"Verizon Media Manager"="c:\program files\Verizon\Verizon Media Manager\Release\Verizon Media Manager.exe" [2012-10-10 1523712]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-02-02 246272]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]

"CamserviceDP"="c:\program files\Hercules\Dualpix Infinite\Camservice.exe" [2008-09-26 345384]

"Corel Photo Downloader"="c:\program files\Corel\Corel MediaOne\Corel Photo Downloader.exe" [2007-08-17 483144]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]

"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]

"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]

"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]

"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-07-23 341232]

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]

"VERIZONDM"="c:\program files\VERIZONDM\bin\sprtcmd.exe" [2011-12-01 206120]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]

"navservice"="c:\program files\Navionics World\NavService.exe" [2012-04-29 40960]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-09-14 1065032]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]

"DivXMediaServer"="c:\program files\DivX\DivX Media Server\DivXMediaServer.exe" [2012-11-13 450560]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2012-11-01 1263512]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2010-3-4 97384]

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-1-12 267520]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]

Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]

Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 gupdate1c9e8a748642a0;Google Update Service (gupdate1c9e8a748642a0);c:\program files\Google\Update\GoogleUpdate.exe [x]

R2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [x]

R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]

R3 DMService;Whale Component Manager;c:\windows\Downloaded Program Files\DMService.exe [x]

R3 FLMckUsb;AuthenTec TruePrint USB Driver for AES 3400, 3500, and 4000 Fingerprint Sensors;c:\windows\system32\DRIVERS\ATTchDrv.sys [x]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 whliocsv;Whale Network Connector Client;c:\program files\Whale Communications\Client Components\3.1.0\whliocsv.exe [x]

R3 xcbdaNtscV;ViXS Tuner Card (NTSC) - V;c:\windows\system32\DRIVERS\xcbdaV.sys [x]

R4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.318\McCHSvc.exe [x]

R4 TivoBeacon2;TiVo Beacon Service;c:\program files\TiVo\Desktop\TiVoBeacon.exe [x]

S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [x]

S1 MpKsl6a8a6ab4;MpKsl6a8a6ab4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{196A5639-8D5E-4973-A5B9-219028984806}\MpKsl6a8a6ab4.sys [x]

S1 NEOFLTR_710_19243;Juniper Networks TDI Filter Driver (NEOFLTR_710_19243);c:\windows\system32\Drivers\NEOFLTR_710_19243.SYS [x]

S1 RapportCerberus_51755;RapportCerberus_51755;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_51755.sys [x]

S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [x]

S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [x]

S2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [x]

S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [x]

S2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [x]

S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [x]

S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]

S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]

S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [x]

S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [x]

S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [x]

S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]

S2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files\Splashtop\Splashtop Remote\Server\SRService.exe [x]

S2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [x]

S2 SSUService;Splashtop Software Updater Service;c:\program files\Splashtop\Splashtop Software Updater\SSUService.exe [x]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]

S2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [x]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [x]

S3 camfilt2;camfilt2;c:\windows\system32\Drivers\camfilt2.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [x]

S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]

S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]

S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [x]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

*Deregistered* - NEOFLTR_650_14951

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService

FontCache

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-04-11 17:59 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-05-16 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-08 10:18]

.

2013-05-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1269665831-4724830-4121108689-1001Core.job

- c:\users\David\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-23 21:47]

.

2013-05-16 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1269665831-4724830-4121108689-1001UA.job

- c:\users\David\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-09-23 21:47]

.

2013-05-16 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-06 20:12]

.

2013-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 02:07]

.

2013-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-09 02:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: amazon.com\www

TCP: DhcpNameServer = 192.168.1.1

DPF: {115B1886-2AE0-4259-9FE4-E32A5DEE5451} - hxxp://www.wowweesupport.com/download/rovio/WebSee_4.0.cab

DPF: {71D413D7-38C5-4035-8548-976522CF11D5} - hxxp://www.crucial.com/controls/cpcVistaBeta.cab

FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\s0lwqsxt.default\

FF - ExtSQL: !HIDDEN! 2010-11-12 23:40; {3112ca9c-de6d-4884-a869-9855de68056c}; c:\programdata\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - ExtSQL: !HIDDEN! 2010-11-12 23:41; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{3049C3E9-B461-4BC5-8870-4C09146192CA}"=hex:51,66,7a,6c,4c,1d,38,12,87,c0,5a,

34,53,fa,ab,0e,f7,66,0f,49,11,3f,d6,de

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,

76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,

2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85

"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,

fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:31,15,d1,74,6e,bf,cc,01

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,2e,8b,c1,7b,24,75,4a,bc,cb,3b,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,2e,8b,c1,7b,24,75,4a,bc,cb,3b,\

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.HTM"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.HTM"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.MHT"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.MHT"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.partial\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.PARTIAL"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.SVG"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.URL"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.website\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.WEBSITE"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.XHT"

.

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="IE.AssocFile.XHT"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(5208)

c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

c:\users\David\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\program files\Microsoft Security Client\MsMpEng.exe

c:\program files\NVIDIA Corporation\Display\nvxdsync.exe

c:\windows\system32\nvvsvc.exe

c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe

c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe

c:\program files\Juniper Networks\Common Files\dsNcService.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\Microsoft LifeCam\MSCamS32.exe

c:\windows\system32\PSIService.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\windows\System32\WUDFHost.exe

c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\taskhost.exe

c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

c:\program files\Splashtop\Splashtop Remote\Server\SRServer.exe

c:\program files\Splashtop\Splashtop Remote\Server\SRFeature.exe

c:\windows\system32\conhost.exe

c:\program files\Splashtop\Splashtop Remote\Server\DataProxy.exe

c:\windows\system32\conhost.exe

c:\program files\NVIDIA Corporation\Display\nvtray.exe

c:\windows\system32\DllHost.exe

.

**************************************************************************

.

Completion time: 2013-05-16 17:51:37 - machine was rebooted

ComboFix-quarantined-files.txt 2013-05-16 21:51

ComboFix2.txt 2013-05-16 19:56

.

Pre-Run: 249,372,893,184 bytes free

Post-Run: 249,835,413,504 bytes free

.

- - End Of File - - 574D41792E787D886F22A165DC211D96

Regards, dave
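The ComboFix log above lists three of the launch points a lock-screen trojan can use to come back after logon: the svchost service groups, Active Setup Installed Components, and the .job scheduled tasks in C:\Windows\Tasks. The following PowerShell is an added example, not code from this thread or from any of the tools it mentions; it walks those same locations, resolves each launch command to its executable and checks the Authenticode signature, listing unsigned, invalidly signed or missing binaries first. It assumes an elevated PowerShell session on the affected machine and is written to the PowerShell 2.0 syntax shipped with Windows 7; the function names are the example's own.

```powershell
# Added example (not from the thread): triage of the autostart locations that
# appear in the ComboFix log - svchost groups, Active Setup stubs and scheduled
# tasks - with an Authenticode check on every referenced executable.
# Assumes: elevated PowerShell on the affected host, PowerShell 2.0 syntax.

function Get-SvchostGroups {
    # Service names hosted under each svchost.exe group (the Svchost key).
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # provider metadata, not a group
        New-Object PSObject -Property @{
            Group    = $prop.Name
            Services = (@($prop.Value) -join ' ')
        }
    }
}

function Get-ActiveSetupEntries {
    # StubPath commands run once per user at logon - a classic persistence spot.
    $key = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    foreach ($sub in Get-ChildItem -Path $key) {
        $stub = (Get-ItemProperty -Path $sub.PSPath).StubPath
        if ($stub) {
            New-Object PSObject -Property @{
                Source = 'ActiveSetup'; Name = $sub.PSChildName; Command = $stub
            }
        }
    }
}

function Get-ScheduledTaskEntries {
    # schtasks.exe ships with Windows 7; /v adds the "Task To Run" column.
    $rows = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv
    foreach ($row in $rows) {
        if ($row.TaskName -eq 'TaskName') { continue }   # repeated header rows per folder
        New-Object PSObject -Property @{
            Source = 'Task'; Name = $row.TaskName; Command = $row.'Task To Run'
        }
    }
}

function Get-ExecutableFromCommand([string]$Command) {
    # Pull the program path out of a launch command, quoted or not.
    if ($Command -match '^\s*"([^"]+)"')     { return $Matches[1] }
    if ($Command -match '^\s*([^\s]+\.exe)') { return $Matches[1] }
    return $null
}

function Test-AutostartEntry($Entry) {
    $path   = Get-ExecutableFromCommand $Entry.Command
    $status = 'NoExecutable'
    $signer = ''
    if ($path) {
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if (Test-Path -LiteralPath $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        } else {
            $status = 'Missing'   # launch point survives, file is gone (e.g. after quarantine)
        }
    }
    New-Object PSObject -Property @{
        Source = $Entry.Source; Name = $Entry.Name; Path = $path
        Signature = $status; Signer = $signer
    }
}

# Report: entries with a valid signature sort last, so what needs a look is on top.
Write-Host '== svchost groups =='
Get-SvchostGroups | Format-Table Group, Services -AutoSize

Write-Host '== Active Setup and scheduled task launch points =='
$entries = @(Get-ActiveSetupEntries) + @(Get-ScheduledTaskEntries)
$entries | ForEach-Object { Test-AutostartEntry $_ } |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Source, Name |
    Format-Table Source, Name, Signature, Signer, Path -AutoSize
```

A task or Active Setup stub whose target reports `Missing` is what the poster's symptom (a command window failing to start the quarantined exe at logon) looks like from the registry side: the binary was removed, the launch point was not. `NotSigned` entries under a user profile path deserve the same scrutiny as the FRST quarantine item.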


Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


Maniac,

This took most the night to run, but it did and here's the results:

C:\FRST\Quarantine\7a8205fe.dll a variant of Win32/Kryptik.BBAO trojan cleaned by deleting - quarantined

C:\Program Files\FoxTabVideoConverter\VideoConverter.exe a variant of Win32/SweetIM.B application cleaned by deleting - quarantined

C:\Users\David\Documents\downloads\VideoConverter\VideoConverterSetup.exe a variant of Win32/SweetIM.B application cleaned by deleting - quarantined

F:\carbonite restore\Toni\Desktop\aim\Install_AIM.exe Win32/Adware.WBug.A application cleaned by deleting - quarantined

F:\Local Disk\Documents and Settings\David\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-4fb08c46.zip probably a variant of Win32/Agent.JHBSDMY trojan cleaned by deleting - quarantined

F:\Local Disk\Documents and Settings\Toni.MAINPC\Desktop\aim\Install_AIM.exe Win32/Adware.WBug.A application cleaned by deleting - quarantined

G:\Documents and Settings\David\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-4fb08c46.zip probably a variant of Win32/Agent.JHBSDMY trojan cleaned by deleting - quarantined

G:\Documents and Settings\David\tonihold\Desktop\aim\Install_AIM.exe Win32/Adware.WBug.A application cleaned by deleting - quarantined

G:\Documents and Settings\Toni.MAINPC\Desktop\aim\Install_AIM.exe Win32/Adware.WBug.A application cleaned by deleting - quarantined

G:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application cleaned by deleting - quarantined

M:\carbonite restore\Toni\Desktop\aim\Install_AIM.exe Win32/Adware.WBug.A application cleaned by deleting - quarantined

M:\DadLaptop\backup\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7U04AC12\upgrade[1].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7U04AC12\upgrade[2].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GZVMJSTG\upgrade[1].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GZVMJSTG\upgrade[2].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GZVMJSTG\upgrade[3].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GZVMJSTG\upgrade[4].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L2DZJCEV\upgrade[1].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L2DZJCEV\upgrade[2].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SF2N43G0\upgrade[1].cab Win32/Adware.OneStep application deleted - quarantined

M:\DadLaptop\backup\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SF2N43G0\upgrade[2].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SF2N43G0\upgrade[3].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\Dixmith\Documents\PERSONAL\CouponPrinter.exe probably a variant of Win32/Adware.Softomate.AD application cleaned by deleting - quarantined

M:\DadLaptop\backup\Dixmith\Downloads\regtool.exe a variant of Win32/Adware.ErrorRepair application cleaned by deleting - quarantined

M:\DadLaptop\backup\Dixmith\Downloads\setup.exe a variant of Win32/Adware.ErrorRepair application cleaned by deleting - quarantined

M:\DadLaptop\backup\Dixmith\Downloads\WeatherBugSetup.msi a variant of Win32/Bundled.Toolbar.Ask.A application deleted - quarantined

M:\DadLaptop\backup\Dixmith\Pictures\Pictures Downloaded from AOL\regtool.exe a variant of Win32/Adware.ErrorRepair application cleaned by deleting - quarantined

M:\DadLaptop\backup\laptop C\SQ004829V03\$RECYCLE.BIN\S-1-5-21-737594619-1414829202-3786626943-1000\$RF748FP.tmp multiple threats cleaned by deleting - quarantined

M:\DadLaptop\backup\laptop C\SQ004829V03\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7U04AC12\upgrade[1].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\laptop C\SQ004829V03\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7U04AC12\upgrade[2].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\laptop C\SQ004829V03\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GZVMJSTG\upgrade[1].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\laptop C\SQ004829V03\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GZVMJSTG\upgrade[2].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\laptop C\SQ004829V03\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GZVMJSTG\upgrade[3].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\laptop C\SQ004829V03\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GZVMJSTG\upgrade[4].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\laptop C\SQ004829V03\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L2DZJCEV\upgrade[1].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\laptop C\SQ004829V03\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L2DZJCEV\upgrade[2].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\laptop C\SQ004829V03\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SF2N43G0\upgrade[1].cab Win32/Adware.OneStep application deleted - quarantined

M:\DadLaptop\backup\laptop C\SQ004829V03\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SF2N43G0\upgrade[2].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\laptop C\SQ004829V03\$WINDOWS.~Q\DATA\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SF2N43G0\upgrade[3].cab multiple threats deleted - quarantined

M:\DadLaptop\backup\laptop C\users\All Users\Microsoft\Windows\Start Menu\Programs\Hotbar\About Hotbar.lnk LNK/URL.B trojan cleaned by deleting - quarantined

M:\DadLaptop\backup\laptop C\users\All Users\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Customer Support Center.lnk LNK/URL.B trojan cleaned by deleting - quarantined

M:\DadLaptop\backup\laptop C\users\All Users\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Games!.lnk LNK/URL.B trojan cleaned by deleting - quarantined

M:\DadLaptop\backup\laptop C\users\All Users\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Videos!.lnk LNK/URL.B trojan cleaned by deleting - quarantined

M:\DadLaptop\backup\Program Files\AWS\WeatherBug\Local\askToolbarInstaller-1.5.0.0.exe a variant of Win32/Bundled.Toolbar.Ask.A application cleaned by deleting - quarantined

M:\DadLaptop\backup\Program Files\Downloaded Installers\{33E52066-2FD2-4942-9A8B-FDDEC8BA0A32}\setup.msi a variant of Win32/Adware.ErrorRepair application deleted - quarantined

M:\DadLaptop\backup\Program Files\Hotbar\bin\11.0.78.0\HotbarSADF.exe Win32/Adware.HotBar.E application cleaned by deleting - quarantined

M:\DadLaptop\backup\Program Files\Hotbar\bin\11.0.78.0\HotbarUninstaller.exe multiple threats cleaned by deleting - quarantined

M:\DadLaptop\backup\Program Files\Reg Tool\Reg Tool.exe a variant of Win32/Adware.ErrorRepair application cleaned by deleting - quarantined

M:\DadLaptop\backup\Program Files\ShoppingReport\Uninst.exe Win32/Adware.ShopperReports application cleaned by deleting - quarantined

M:\DadLaptop\backup\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotbar\About Hotbar.lnk LNK/URL.B trojan cleaned by deleting - quarantined

M:\DadLaptop\backup\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Customer Support Center.lnk LNK/URL.B trojan cleaned by deleting - quarantined

M:\DadLaptop\backup\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Games!.lnk LNK/URL.B trojan cleaned by deleting - quarantined

M:\DadLaptop\backup\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Videos!.lnk LNK/URL.B trojan cleaned by deleting - quarantined

Regards, dave


Step 1

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java :

Please download JavaRa to your desktop and unzip it to its own folder

  • Run JavaRa.exe, then click Remove JRE.
  • Run the built-in uninstallers for all copies of java listed
  • Click the Next button
  • Click the Next button again
  • Click the Java Manual Download link
  • A browser window will open with the Java download page
  • Click the Windows Offline (32-bit) or Windows Offline (64-bit) link to download Java (based on your browser type)
  • Run the installer
  • Close JavaRa

Step 2

Download TFC to your desktop

  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Step 3

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Click the cog in the upper right


Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan


Allow AVP to delete all infections found

Once it has finished select report tab (last tab)

Select the Detected threats report from the left and press the Save button

Save it to your desktop and post it in your next reply.
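Step 1 asks for old Java runtimes to be removed because a stale JRE is exactly what the Java cache hits in the ESET log (jvmimpro.jar under Sun\Java\Deployment\cache) exploit. The PowerShell below is an added example, not part of this thread or of JavaRa; it is the check to run after JavaRa to confirm no older copies were left behind. It reads the Uninstall keys (both the native view and, on x64 hosts, Wow6432Node) plus the JavaSoft key that records the default JRE, flags any install that is older than the newest copy of the same family, and optionally compares against a baseline. The `$Baseline` table is a placeholder the reader fills in from java.com at run time; the zeros are not claims about any release. Written to the PowerShell 2.0 syntax available on Windows 7.

```powershell
# Added example (not from the thread): inventory of installed Java runtimes,
# to confirm JavaRa left nothing behind. Assumption: $Baseline is filled in by
# the reader with the current Update number per family; 0 disables that check.

$Baseline = @{ '6' = 0; '7' = 0 }   # family -> current Update number (placeholder)

function Get-InstalledJava {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }   # Wow6432Node absent on x86
        foreach ($key in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            # Matches "Java(TM) 6 Update 37" and "Java 7 Update 21" style names.
            if ($p.DisplayName -match '^Java(\(TM\))?\s+(\d+)\s+Update\s+(\d+)') {
                New-Object PSObject -Property @{
                    DisplayName = $p.DisplayName
                    Family      = $Matches[2]
                    Update      = [int]$Matches[3]
                    Location    = $p.InstallLocation
                    Uninstall   = $p.UninstallString
                }
            }
        }
    }
}

function Get-DefaultJava {
    # CurrentVersion here is what browsers and java.exe on the PATH pick up.
    $key = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
    if (Test-Path -Path $key) { (Get-ItemProperty -Path $key).CurrentVersion } else { $null }
}

$installed = @(Get-InstalledJava)
if ($installed.Count -eq 0) {
    Write-Host 'No Java runtime found in the Uninstall keys.'
} else {
    # Newest Update number seen per family, so older duplicates can be flagged.
    $newestByFamily = @{}
    foreach ($j in $installed) {
        if (-not $newestByFamily.ContainsKey($j.Family) -or $j.Update -gt $newestByFamily[$j.Family]) {
            $newestByFamily[$j.Family] = $j.Update
        }
    }
    foreach ($j in $installed) {
        $verdict = 'newest installed'
        if ($j.Update -lt $newestByFamily[$j.Family]) {
            $verdict = 'STALE: older copy left behind'
        } elseif ($Baseline[$j.Family] -and $j.Update -lt $Baseline[$j.Family]) {
            $verdict = 'OUTDATED: below baseline'
        }
        '{0,-28} {1,-32} {2}' -f $j.DisplayName, $verdict, $j.Location
    }
}
'Default JRE (JavaSoft CurrentVersion): {0}' -f (Get-DefaultJava)
```

Anything reported as STALE still has an UninstallString in the registry and can be removed with it; a default JRE version that does not match the newest installed copy means the browser plugin is still bound to the old runtime.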


Hello Maniac,

That took a while, 36 hr for Kaspersky, here's the report:

Status: Deleted (events: 7)

5/18/2013 8:29:21 PM Deleted unknown threat UDS:DangerousObject.Multi.Generic M:\DadLaptop\backup\Dixmith\Documents\Legal Docs\authorizations.dlb High

5/18/2013 8:29:36 PM Deleted adware not-a-virus:AdWare.Win32.HotBar.dh M:\DadLaptop\backup\Program Files\Hotbar\bin\11.0.78.0\LaunchHelp.dll Medium

5/18/2013 8:29:35 PM Deleted adware not-a-virus:AdWare.Win32.HotBar.dh M:\DadLaptop\backup\Program Files\Hotbar\bin\11.0.78.0\Weather.exe Medium

5/18/2013 8:29:46 PM Deleted adware not-a-virus:AdWare.Win32.HotBar.dh M:\DadLaptop\backup\Program Files\Hotbar\bin\11.0.78.0\WeSkin.dll Medium

5/18/2013 8:35:31 PM Deleted Trojan program Trojan-FakeAV.MSIL.PCMightyMax.d M:\DadLaptop\backup\Program Files\PC MightyMax 2009\pcmm2009.exe High

5/18/2013 8:35:31 PM Deleted Trojan program Trojan-FakeAV.MSIL.PCMightyMax.a M:\DadLaptop\backup\Program Files\PC MightyMax 2009\Core.dll High

5/18/2013 8:36:17 PM Deleted Trojan program Trojan-FakeAV.Win32.RegTool.a M:\DadLaptop\backup\Program Files\Reg Tool\Reg Tool.url High

regards, - Dave


If you would like one last scan:

Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet

  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right), and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


Hello Maniac,

Dr Web doesn't provide all the options you specified. I ran the Express Scan and a custom scan with most options selected. There was no reporting function, although I did find a cureit.log in the Doctor Web folder. The entire log is over 10 MB and I have been unable to include all the text. Here are the bottom contents of this log:

Total 1252644944604 bytes in 765201 files scanned (2312189 objects)

Total 764907 files (2311854 objects) are clean

Total 27 files are infected

Total 10 files (16 objects) are suspicious

Total 166 files are raised error condition

Scan time is 06:11:33.740

-----------------------------------------------------------------------------

Start curing

-----------------------------------------------------------------------------

c:\program files\verizondm\bin\sprtsync.dll - quarantined, reboot required

c:\program files\verizondm\bin\sprtupdate.dll - quarantined, reboot required

G:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1058\A0044868.exe - deleted

G:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1058\A0044884.exe - deleted

G:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1058\A0044902.exe - deleted

G:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1058\A0044941.exe - deleted

G:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1058\A0044995.exe - deleted

G:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1058\A0045017.exe - deleted

G:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1058\A0045039.exe - deleted

G:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1058\A0045061.exe - deleted

G:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1058\A0045089.rbf - deleted

C:\Program Files\HP Games\Cake Mania\SlgClientServicesRedists.exe - quarantined

C:\Program Files\HP Games\Super Granny 3\SlgClientServicesRedists.exe - quarantined

C:\Program Files\Online Services\Aolca\comps\acs\acssetup.exe - quarantined

C:\Program Files\Online Services\Netscape_ca\Setup.exe - quarantined

C:\Users\David\AppData\Local\Citrix\GoToMyPC\gotomypc_540.exe - incurable, quarantined

C:\Windows\VzInHomeAgentInstaller.msi - quarantined

C:\Windows\Installer\7e5d23.msi - quarantined

C:\Windows\Installer\MSIA85C.tmp - incurable, quarantined

D:\PRELOAD\74NAv3PrA418.wim - quarantined

D:\PRELOAD\74NAv3PrA424.wim - quarantined

D:\PRELOAD\74NAv3PrA426.wim - quarantined

D:\hp\apps\APP23288\src\install\English\games\cakemania-setup.exe - quarantined

D:\hp\apps\APP23288\src\install\English\games\supergranny3-setup.exe - quarantined

D:\hp\apps\APP23288\src\install\Spanish\games\cakemania-setup.exe - quarantined

D:\hp\apps\APP23288\src\install\Spanish\games\grannyinparadise-setup.exe - quarantined

D:\hp\apps\APP23288\src\install\Spanish\games\glyph-setup.exe - quarantined

F:\Local Disk\DRIVERS\NETWORK\ONBOARD\SETUP.EXE - incurable, quarantined

F:\Local Disk\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ocpinst.exe - quarantined

F:\Local Disk\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\2[1].htm - quarantined

F:\Local Disk\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\1[1].htm - quarantined

F:\Local Disk\I386\GTDownDE_87.ocx - quarantined

M:\DadLaptop\backup\Dixmith\Pictures\Pictures Downloaded from AOL\bin_2024-9_b8.exe - deleted

M:\DadLaptop\backup\Program Files\PC MightyMax 2009\DiagnosticReporter.exe - quarantined

M:\DadLaptop\backup\laptop C\SQ004829V03\$RECYCLE.BIN\S-1-5-21-737594619-1414829202-3786626943-1000\$R35BJK6 - quarantined

M:\DadLaptop\backup\laptop C\SQ004829V03\$RECYCLE.BIN\S-1-5-21-737594619-1414829202-3786626943-1000\$RLTFP46 - quarantined

M:\DadLaptop\backup\laptop C\SQ004829V03\$RECYCLE.BIN\S-1-5-21-737594619-1414829202-3786626943-1000\$RSGHMMG - quarantined

Total 1252644944604 bytes in 765201 files scanned (2312189 objects)

Total 764907 files (2311854 objects) are clean

Total 27 files are infected

Total 10 files (16 objects) are suspicious

Total 37 files (39 objects) are neutralized

Total 166 files are raised error condition

Scan time is 06:11:33.740

=============================================================================

Dr.Web Scanner SE for Windows v8.1.0.04290

© Doctor Web, Ltd., 1992-2013

Scan session started 2013/05/20 00:42:38

Module location : C:\Users\David\AppData\Local\Temp\21E05DC0-E88AD120-5307740-C08D4F40\

=============================================================================

OPTION [Automatic Apply Actions] NO

OPTION [Turn Off Computer After Scan] NO

OPTION [use Sound Alerts] NO

OPTION [block Network] NO

OPTION [Protect Process] NO

OPTION [Protect Raw Disk] NO

Using language: "English"

Available instances: 12

Instances used: 12

Platform: Windows 7 Ultimate x86 (Build 7601), Service Pack 1

API Version: 2.2

Scanning Engine version: 8.1.0.3280

Virus Finding Engine version: 7.0.4.9250

Total 113 virus bases are loaded from C:\Users\David\AppData\Local\Temp\21E05DC0-E88AD120-5307740-C08D4F40

fcz11ue7 7.0 a8eee56066244a280075c01158f991ef2afb80a6 2013/05/19 06:40:32 4428 records - OK

3jizr7hf 7.0 215c2d42a54f5188e8159bfd122292450d16f29b 2011/07/25 10:20:03 2 records - OK

f86ztsxc 7.0 bd2e0b2a1ba2d31fb9e806ad1ca6f329bf3c39df 2013/05/18 15:06:59 39002 records - OK

gip7gh9c 7.0 9b481fbfbe1f564a84f21552da1d30d24e7b01db 2013/05/12 23:07:01 34270 records - OK

ufx66741 7.0 1bf754dd720727b5d6803e081c16ff7f4ba7b40b 2013/05/05 23:08:46 41611 records - OK

m36anpvd 7.0 4e883c92513c2d991968fb3e4f27910a63d9a2df 2013/04/28 23:06:36 36105 records - OK

3efhfk16 7.0 b047d178295ecde53c3cf1c34e4361004569fa33 2013/04/21 23:07:26 31319 records - OK

5f81di8a 7.0 9207e55a924e4aa989dfde4d8d219cf5cc200ce2 2013/04/14 23:07:56 28216 records - OK

wi4aqxcj 7.0 78855cfb9fbc063889c5405a577fe73188f08789 2013/04/07 23:05:35 23589 records - OK

dmx6z6br 7.0 cec6d34c79d50608520e81b90a23d91f39df0b27 2013/03/31 23:07:37 26946 records - OK

f6jfgaf0 7.0 fd3c78d78ea4dae4e252a7f7d76db22e1a679be9 2013/03/24 23:05:37 34778 records - OK

0mac5kum 7.0 268e71b1123ab5e60fd2f38d269fe5f3d22b3697 2013/03/17 23:06:19 11271 records - OK

w0f8py8d 7.0 d196879775b0dc0ee8286f2e4def9adedb5b88df 2013/03/10 23:05:36 12046 records - OK

v7l3wvuf 7.0 0db61d4e3235481da8493523538ced712db362c2 2013/03/03 22:05:18 21747 records - OK

q2vq7q0u 7.0 65f99faf227b51883c9f1c854a3f76806b60affb 2013/02/24 22:06:28 11540 records - OK

vr74xf8x 7.0 17bd7383b9c4b214c5c9029171db8ae1455984a0 2013/02/17 22:06:38 15568 records - OK

pye0musb 7.0 cbe8774953ae403e49370d552b522a5839aa9fdb 2013/02/10 22:06:00 18805 records - OK

uyd1vta2 7.0 fb6865c02a3680338e4ee0603579107227313b2b 2013/02/03 22:06:01 32488 records - OK

72brepq8 7.0 95fcd2e24cd9b2ec2610656ffa70b8bf46e86a8b 2013/01/27 22:04:52 15470 records - OK

rt89rkm6 7.0 3d710b3dd4580a7eca8c74d2c886d48f5b8b5172 2013/01/20 22:06:27 30093 records - OK

0pyxna2q 7.0 bddde0b5426b7e5bebd61e1239ca529c87ae6e36 2013/01/13 22:04:41 16158 records - OK

m7iet1wc 7.0 bc40bd9330301e8d7796f489d03357fb711b3121 2013/01/06 22:04:45 19597 records - OK

ub9h2xvu 7.0 805b6089c867549c75f843eac96b759c3f8d101f 2012/12/30 22:05:41 18184 records - OK

hynvuqia 7.0 c12a817c1f95bb9fd8238ef0d5f68868a8d95686 2012/12/23 22:05:33 30183 records - OK

3nrnmc15 7.0 33def496782eb5b7b1cc93fdb036a1b62fa6a2fd 2012/12/16 22:06:21 25519 records - OK

zrlf6q5r 7.0 422abae03c588822f412aa9aae50578a1d61737e 2012/12/09 22:05:04 20358 records - OK

1wuari6s 7.0 a4f0d0ecad4fb6e0afdb1925f4e0b7863b9d03fa 2012/12/02 22:06:19 20133 records - OK

z0s027pi 7.0 86daa918ee3de1e4c1e5dea6f9b5f63544cf8814 2012/11/25 22:05:22 27311 records - OK

rp8xy5g8 7.0 6556881c748e1f894eb9c7943ebae67017e1aec2 2012/11/18 22:06:09 29434 records - OK

heuc97db 7.0 559141ef34f9e6226bb58560e9b52e4cc5165150 2012/11/11 22:06:22 26900 records - OK

n1c7awr8 7.0 cc55013e63ff89319ec772e34d77056c7108cd3b 2012/11/04 22:05:22 25164 records - OK

i7ount4x 7.0 f477dc247d9b562bb64fd4f46a7dcbdf7124eb60 2012/10/28 23:06:37 30226 records - OK

9cklddwj 7.0 abaf5f7fda7308fcf7573b193bbf2116723e9802 2012/10/21 23:04:37 16441 records - OK

8khqradl 7.0 5adc85528fb49e201d4bc61eca580d6839cc4a4c 2012/10/14 23:05:04 26289 records - OK

6txrrg0t 7.0 da8cf3fbd81206bb3d8103347a439f920a74bbe2 2012/10/07 23:05:51 27278 records - OK

m4dgzpzs 7.0 5988744d3cb357f1a013427d466e2d79ab5f8907 2012/09/30 23:05:11 17444 records - OK

tbj5y51k 7.0 d4a0dabf4a4df0f79805c6ccdc025f796765e786 2012/09/23 23:06:30 21205 records - OK

qq236djr 7.0 82ed005784d9e258213070a0cd8bfceff345018d 2012/09/16 23:05:43 11686 records - OK

evu4bfvc 7.0 a95ae63004b8d857c2db055f4e47c15bfc97f626 2012/09/09 23:04:34 12677 records - OK

gmoid10g 7.0 c39bf233d25242ae9ed8cf204b9b788c8f45ab79 2012/09/02 23:05:28 10118 records - OK

kts9qdr7 7.0 d37b5484b009947b7cdd3837dafe8148615401c2 2012/08/26 23:05:26 12602 records - OK

cl6xj2fb 7.0 41bf1347794ab7060dec7aaecc1d1d95cf6fecb5 2012/08/19 23:04:05 18298 records - OK

jnbqlwau 7.0 1a997511e5892aaeb69b3db70e06676af36382e3 2012/08/12 23:05:19 17126 records - OK

22ljgmpn 7.0 f7226c59914e3683e538e668c3b664af3232654d 2012/08/05 23:03:53 20539 records - OK

u2xa8fad 7.0 4035c8d3b617bf935a317a8c57efaa8e835a61f4 2012/07/29 23:05:26 19330 records - OK

m3vityih 7.0 09b55bc000f184ed426f1d8b9665669346fe5e71 2012/07/22 23:05:34 19692 records - OK

umj3puyr 7.0 f746c097f298e94faa9db94e6f64ef9fd4a7b010 2012/07/15 23:05:43 14727 records - OK

k21n0d8f 7.0 792a6a25a17e764390440cd4c2c6ca5a97ab162f 2012/07/08 23:04:33 19485 records - OK

wacfdbsh 7.0 ca9905c39e3d93428a4db65a192debe9fbd7acf7 2012/07/01 23:04:55 22898 records - OK

i4s1lpde 7.0 dc29c610b866c66ba5327e7830452b2460149a35 2012/06/24 23:05:17 20551 records - OK

7o3tcl93 7.0 c28739bea153508d12942ac9a61abd475d0a0404 2012/06/17 23:03:35 9661 records - OK

fo6pb363 7.0 e5b5835a7c512120c5348e31483a4caa2a845d28 2012/06/10 23:04:32 23632 records - OK

jwiwft35 7.0 61853ce89026ef0ebbd80174f1b7dd5d25bbc63a 2012/06/03 23:04:41 12423 records - OK

cm85ybkc 7.0 4e6c9897e153b47ca97b7da48ceed23e555a7761 2012/05/27 23:04:26 15493 records - OK

viwwth92 7.0 35f4c105cecd8ec1fd01714abebf30f8f3efb96e 2012/05/20 23:03:29 13065 records - OK

s7dgmjsx 7.0 3522aa84677411aa7d67796bb05ea3ab62f02a71 2012/05/13 23:04:24 16238 records - OK

h56wl4e2 7.0 7597333540eda537bd42c0a17d4a6526ad247a2e 2012/05/06 23:04:33 11570 records - OK

rm2agkix 7.0 867814380363bc6ad605acf4b96e02c54dbd60f7 2012/04/29 23:03:28 15478 records - OK

ttkbaylx 7.0 3c04f402d91a19039cb9c223c435dc4ea1bb3da4 2012/04/22 23:05:05 11881 records - OK

ql9o1iqu 7.0 8d0220a2a50b367e61a51d3b29c2659cde41bb7f 2012/04/15 23:03:29 13578 records - OK

5a99p0zh 7.0 b79dc6f5832ad390108d1880694ec538e8b34bb0 2012/04/08 23:05:02 14292 records - OK

j6us22jl 7.0 8ff7cc095c43c2154275b7a54a89bf365e8daf4a 2012/04/01 23:03:24 14084 records - OK

w889zepq 7.0 9502a428b32be4ad08556134e271c9ba03195398 2012/03/25 23:04:43 19126 records - OK

jluthjxs 7.0 28c2fabbc645aff41baac12b911a8499ea163536 2012/03/18 23:03:23 14920 records - OK

p3phfg3r 7.0 86de597ff06e58206f94263f2eef33cb41b2530c 2012/03/11 23:03:25 19017 records - OK

k5zs7vyc 7.0 5bd1d666e7c9ca70c34e591dc6c55314ce4b11af 2012/03/04 22:04:32 19691 records - OK

0v0iftgj 7.0 15a9d10c451d2fcf124700f29f557d9bf338e671 2012/02/26 22:03:21 23605 records - OK

fqlyl1o6 7.0 5647d941e5358105ca6558dce78873f06c48d5dc 2012/02/19 22:03:45 19067 records - OK

o79yx8b1 7.0 c9b2600cb665ce34e0ccd0f19e0a88cd44437f51 2012/02/12 22:04:49 19019 records - OK

5x9nsqu5 7.0 9df2e129e78a9d9ab491186da1329c1dd1190e17 2012/02/05 22:05:25 28028 records - OK

lb6n00w1 7.0 b69b9504a51b8777b8e95a4680dc8ac1d8d8c25d 2012/01/29 22:08:41 29444 records - OK

sm35hh2h 7.0 3d7431bdee1a22d6329e017f348db7760f2645ac 2012/01/23 03:22:13 19353 records - OK

kqmxn9ez 7.0 e04570f78fb00d758abdf77c534a460980e102c0 2012/01/15 22:12:31 20747 records - OK

t1rc0kr5 7.0 2de2479b112c4416e2375343f57ca789b042aecc 2012/01/08 22:04:30 28052 records - OK

ifrcjhc6 7.0 c4bd9612ff1f71d8bd23b4f1bc114eed1ae2ee6b 2012/01/01 22:04:40 12183 records - OK

q3bq86q0 7.0 28b1d218ade8f05fdc8550c7456ac3b74f705208 2011/12/25 22:03:33 19984 records - OK

laftfgz9 7.0 539e41e8f3d97a6f347600c7cef903d9f34e0518 2011/12/18 22:08:45 22627 records - OK

3kg9lj1p 7.0 f8e81968965f555bce0d02fc9933fee840b97aaf 2011/12/12 15:20:22 49580 records - OK

nwbp7wjd 7.0 14751e0f442bba3efc08ee12d82a2815c61cfeb6 2011/12/04 03:00:00 45195 records - OK

gjf6shpv 7.0 1a1e6cb9b3096a2cbba2c31d05e11914c0357d52 2011/12/04 02:00:00 165532 records - OK

i5hef6e3 7.0 0f948a7d416c556bfc8a8be2c2c39f998fee6d9e 2011/12/04 01:00:00 170820 records - OK

hmul8k4s 7.0 9357c3cc73a4a374346a678f197daa22496c7ae5 2011/12/04 00:00:00 171279 records - OK

voqfy37g 7.0 ae56b06b3d6f1e13c5f10cce4ed68f2cccbf3298 2011/12/03 23:00:00 170253 records - OK

5rz8i9vc 7.0 fdaab5c1079d02c94f20d07c39d638cad79d8771 2011/12/03 22:00:00 170291 records - OK

hileya3t 7.0 b59d8841e65d7670b2aae7f2b65734269f6c4fe3 2011/12/03 21:00:00 170501 records - OK

2cued0br 7.0 3946b1d195434cf7a70d144da71c87559475c58f 2011/12/03 20:00:00 353582 records - OK

fa3gcliq 7.0 8df4695f74ea5949551df6044720694e204b13d7 2011/12/03 19:00:00 852776 records - OK

foptuhfa 7.0 dc583d89c11a1706a583bba189f8bfae141834f4 2013/05/19 06:41:02 797 records - OK

3fkyknzt 7.0 0cb77ee7a3e6545553585eb6df267a86d4fecbe4 2013/04/21 23:14:29 1680 records - OK

zuc3d2cq 7.0 6cb68b8fab821702ef054f864ff44917414e50fa 2013/02/03 22:13:43 2078 records - OK

3iuejahx 7.0 cfbe9cf43615f7856e4c35f0fc02e2baf12e39e7 2012/12/16 22:14:14 1725 records - OK

507tnouk 7.0 047694e79b1a8d295f27ea9c6565062404f84a57 2012/11/11 22:12:52 2050 records - OK

70ney8kt 7.0 f3413603f4ee1c88018a78c1f6faf2abeb8fa8c1 2012/09/23 23:13:14 1456 records - OK

r0qh4uul 7.0 8871f579eeb7e5e7b70c6dd898afd27391d7daf4 2012/06/24 23:12:36 1421 records - OK

sr9sqb0h 7.0 3ee43130fe7fec4b367a791892a444d0a791b29b 2012/03/25 23:12:30 1385 records - OK

isci1z88 7.0 fddc5d687537580c7166dbf117d591593bc62261 2012/01/22 23:56:09 1653 records - OK

5c48i2k1 7.0 c04782be4165f041fb28b2b51889bbe3755f5c81 2013/05/19 06:40:50 1369 records - OK

vlwlae05 7.0 bd9fd948b79e07c8676018e17a43ee81f5335e36 2013/04/21 23:24:10 1641 records - OK

fcupgacj 7.0 c7f70566b9bae9fd3f5a8d0b56d961f890a55508 2013/03/17 23:23:44 1742 records - OK

iswpjxd0 7.0 8893c0d254eb40c78b5c78ea17fbc3be60ea6304 2013/01/20 22:24:33 2016 records - OK

85hr3e9t 7.0 cdf3a9d2dcab57f90c378d9eefacbfd358a42699 2012/12/09 22:23:23 1620 records - OK

egrj83y9 7.0 c0726ba000e840272f0810b89051e6daa8799084 2012/11/04 22:23:16 1658 records - OK

v20aidea 7.0 216611859de0125bf130d6324d43c9115cb05def 2012/10/07 23:23:20 1465 records - OK

a5wwznna 7.0 264c14ad60c4423ec292f5f8b182e4448504dfa9 2012/09/09 23:23:14 1588 records - OK

gw66rmd6 7.0 33197bfe9efefa9db33725d240757103c625b601 2012/07/22 23:22:36 1702 records - OK

dqk2pt44 7.0 74d8e114edb84b95bc09d5a2a36191d15a61e2cb 2012/06/10 23:22:36 1659 records - OK

cu5w8q7z 7.0 79ca8239f310688d2b9c314fa3d738a34985cce3 2012/04/29 23:22:34 1670 records - OK

xvg4mgwo 7.0 aac27e986e3731e5260cb76f5b14558e36660dec 2012/03/11 23:22:28 1729 records - OK

rjwr4eb2 7.0 fa5c96b8be693a20c2a295e3545419e6f117fdc4 2012/01/29 22:23:00 1523 records - OK

vlk0catx 7.0 e9b21e0a3578ef2e2067f4876309671ddc78f65f 2011/12/18 22:22:29 1805 records - OK

eixd7fzv 7.0 8f7a8f6f55130f6becc5331ab38dc2108746b8aa 2011/12/03 18:00:00 26456 records - OK

4cxql2w0 7.0 e6d52b11d2f7d405ccd31347da3b6fde69825168 2011/12/03 17:00:00 74279 records - OK

rfsf42hl 7.0 e20ffde4bbc58e0585b0b3b2f324bc91272c2360 2011/12/03 16:00:00 1 record - OK

Total records count: 4031082

Anti-rootkit module version (API 5.01 / 5.01)

Using C:\Users\David\AppData\Local\Temp\21E05DC0-E88AD120-5307740-C08D4F40\8oix977f.key as Dr.Web ® Key file

This Dr.Web ® Key is for 1 computer (A User)


Hi Maniac,

Everything is running well, thank you very much. Are there any prophylactic measures that can prevent this sort of infection? I run and keep up to date anti-virus/anti-malware software, as well as keeping my OS patches up to date. Thank you again; you definitely deserve a PayPal visit!

Regards,

dave S


Thank you Dave! :)

Some good tips for prevention:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Please uninstall ESET Online Scanner and manually delete JavaRa, TFC, Dr.Web CureIt and Kaspersky AVP.

Safe surfing! :)


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

