I know I'm infected

Malc1966 · May 23, 2013

Cannot copy and paste log files, therefore I have attached them. Thanks for any assistance I am going out of my head with this, its been over a week trying to repair.

dds.txt

attach.txt

D-FRED-BROWN · May 23, 2013

Hello Malc1966 and welcome to Malwarebytes!

I am D-FRED-BROWN and I will be helping you.

Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.

----------Step 1----------------

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it.
To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
Click the Start Scan button.
Do not use the computer during the scan
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.

----------Step 2----------------

Please download Malwarebytes Anti-Rootkit from HERE

Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

----------Step 3----------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

----------Step 4----------------

Please download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------Step 5----------------

In your next reply, please include the following:

TDSSKiller's logfile
MBAR mbar-log.txt and system-log.txt
ComboFix's report (C:\ComboFix.txt)
Security Check checkup.txt

After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"

-------> Your topic will be closed if you haven't replied within 3 days! <--------

(If I don't respond within 24 hours, please send me a PM)

-DFB

Malc1966 · May 26, 2013

Thanks for the assistance, I have attached all required logs. Can you please let me know the outcome. Thanks again

Saying post too long, therefore I have uploaded the files, hope this is ok.

TDSSKiller.2.8.17.0_26.05.2013_06.46.11_log.txt

TDSSKiller.2.8.17.0_26.05.2013_06.47.08_log.txt

mbar-log-2013-05-26 (06-53-24).txt

system-log.txt

ComboFix.txt

checkup.txt

Malc1966 · May 26, 2013

Malwarebytes Anti-Malware (Trial) 1.75.0.1300

www.malwarebytes.org

Database version: v2013.05.26.02

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

Malc :: MALC-PC [administrator]

Protection: Enabled

26/05/2013 09:38:46

mbam-log-2013-05-26 (09-38-46).txt

Scan type: Custom scan (C:\Z™?|)

Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM

Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P

Objects scanned: 0

Time elapsed: 12 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Could you possibly tell me what this file (C:\Z™?|) is please?

D-FRED-BROWN · May 26, 2013

Could you possibly tell me what this file (C:\Z™?|) is please?

Never heard of it, I'd just delete it if I were you.

Please run TDSSKiller one more time.

If you see the following entries:

06:49:15.0635 4608 \Device\Harddisk1\DR1 ( TDSS File System )
06:49:15.0635 4608 \Device\Harddisk1\DR1 ( TDSS File System )

I need you to select "Cure" for them. Leave all the other entries alone. Let me know how things go.

Malc1966 · May 26, 2013

Ran TDSSKiller again, no reported problems. The above file mentioned, I cannot delete.

Thanks

Malcolm

D-FRED-BROWN · May 26, 2013

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::
File::
C:\Z™?|
Reboot::

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now

Malc1966 · May 27, 2013

ComboFix 13-05-27.02 - Malc 27/05/2013 17:17:53.2.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4095.2773 [GMT 1:00]

Running from: c:\users\Malc\Downloads\ComboFix.exe

Command switches used :: c:\users\Malc\Desktop\CFScript.txt

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}

AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}

FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}

SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2013-04-27 to 2013-05-27 )))))))))))))))))))))))))))))))

.

2013-05-27 16:29 . 2013-05-27 16:29 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-05-27 16:05 . 2013-05-27 16:05 964552 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A5938773-3E47-46F8-B73A-FF7BC2477528}\gapaengine.dll

2013-05-27 16:05 . 2013-05-14 00:48 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C923E9FF-510D-49BE-AA7D-84641E9B7750}\mpengine.dll

2013-05-26 06:14 . 2013-05-26 06:14 -------- d-----w- c:\users\Malc\AppData\Roaming\DSite

2013-05-26 05:53 . 2013-05-26 06:12 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)

2013-05-26 05:50 . 2013-05-14 00:48 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-05-23 17:40 . 2013-05-23 17:40 -------- d-----w- c:\program files (x86)\Tweaking.com

2013-05-23 17:32 . 2013-05-23 17:32 12872 ----a-w- c:\windows\system32\bootdelete.exe

2013-05-23 17:25 . 2013-05-23 17:25 -------- d-----w- c:\program files\HitmanPro

2013-05-23 17:25 . 2013-05-23 17:33 -------- d-----w- c:\programdata\HitmanPro

2013-05-23 17:08 . 2013-05-26 08:08 -------- d-----w- c:\program files (x86)\MyPC Backup

2013-05-23 17:06 . 2013-05-23 17:06 -------- d-----w- c:\program files (x86)\Microsoft Security Client

2013-05-23 17:05 . 2013-05-23 17:06 -------- d-----w- c:\program files\Microsoft Security Client

2013-05-22 06:38 . 2013-05-22 06:38 -------- d-----w- c:\users\Malc\AppData\Roaming\CheckPoint

2013-05-22 06:28 . 2013-05-22 06:28 -------- d-----w- c:\programdata\CheckPoint

2013-05-18 15:04 . 2013-05-18 15:04 -------- d-----w- c:\users\Malc\AppData\Roaming\Malwarebytes

2013-05-18 15:03 . 2013-05-18 15:03 -------- d-----w- c:\programdata\Malwarebytes

2013-05-18 15:03 . 2013-05-23 18:10 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2013-05-18 15:03 . 2013-04-04 13:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-05-15 21:58 . 2013-05-05 21:36 17818624 ----a-w- c:\windows\system32\mshtml.dll

2013-05-15 21:58 . 2013-05-05 21:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2013-05-15 21:58 . 2013-05-05 19:12 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2013-05-15 20:58 . 2013-04-10 06:01 983400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2013-05-12 12:57 . 2012-06-05 07:37 256904 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys

2013-05-12 11:46 . 2012-04-20 15:40 196440 ----a-w- c:\windows\system32\drivers\HipShieldK.sys

2013-05-12 11:45 . 2013-02-19 12:55 10728 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2013-05-12 11:45 . 2013-05-12 11:46 -------- d-----w- c:\program files (x86)\Common Files\McAfee

2013-05-12 11:45 . 2013-02-19 12:59 70112 ----a-w- c:\windows\system32\drivers\cfwids.sys

2013-05-12 11:45 . 2013-02-19 12:55 106552 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2013-05-12 11:45 . 2013-02-19 12:53 515968 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2013-05-12 11:45 . 2013-02-19 12:53 309840 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2013-05-12 11:45 . 2013-05-12 11:46 -------- d-----w- c:\program files\Common Files\McAfee

2013-05-12 11:45 . 2013-05-14 07:04 -------- d-----w- c:\program files\McAfee

2013-05-12 11:45 . 2013-05-23 21:41 -------- d-----w- c:\program files (x86)\McAfee

2013-05-12 11:38 . 2013-02-19 12:56 182752 ----a-w- c:\windows\system32\mfevtps.exe

2013-05-12 11:38 . 2013-05-14 11:24 -------- d-----w- c:\programdata\McAfee

2013-05-12 11:24 . 2013-05-12 11:24 -------- d-----w- c:\programdata\Citrix

2013-05-10 23:23 . 2013-05-10 23:23 -------- d-----w- c:\program files (x86)\Citrix

2013-05-10 23:23 . 2013-05-10 23:23 -------- d-----w- c:\users\Malc\AppData\Local\Citrix

2013-05-10 23:18 . 2013-05-10 23:18 -------- d-----w- c:\users\Malc\AppData\Roaming\McAfee

2013-05-10 19:40 . 2013-05-10 19:40 -------- d-----w- c:\users\Malc\AppData\Roaming\Simply Super Software

2013-05-10 19:10 . 2003-02-02 19:06 153088 ----a-w- c:\windows\SysWow64\UNRAR3.dll

2013-05-10 19:10 . 2002-03-06 00:00 75264 ----a-w- c:\windows\SysWow64\unacev2.dll

2013-05-10 19:10 . 2013-05-10 19:10 -------- d-----w- c:\programdata\Simply Super Software

2013-05-10 19:09 . 2013-05-10 19:09 -------- d-----w- c:\users\Malc\AppData\Local\WPFBChanger

2013-05-10 19:04 . 2013-05-12 12:30 -------- d-----w- c:\program files (x86)\Trojan Remover

2013-05-10 18:47 . 2013-05-27 16:04 -------- d-----w- c:\program files (x86)\GridinSoft Trojan Killer

2013-05-10 17:30 . 2013-05-10 17:30 -------- d-----w- c:\users\Malc\AppData\Roaming\SparkTrust

2013-05-10 17:30 . 2013-05-10 17:30 -------- d-----w- c:\users\Malc\AppData\Roaming\DriverCure

2013-05-10 17:30 . 2013-05-10 17:41 -------- d-----w- c:\programdata\SparkTrust

2013-05-10 07:57 . 2013-05-10 07:57 187456 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll

2013-05-08 19:00 . 2013-04-10 03:46 9317456 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{76EA5EC2-2E18-4466-A36F-87E27BADBC46}\mpengine.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-05-17 20:32 . 2012-04-01 09:33 692104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-05-17 20:32 . 2011-05-14 16:47 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-05-15 22:03 . 2011-02-13 14:38 75016696 ----a-w- c:\windows\system32\MRT.exe

2013-05-10 19:42 . 2012-07-20 19:35 22240 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2013-05-09 21:13 . 2013-02-25 08:13 24576 ----a-w- c:\windows\SysWow64\spcvchm.dll

2013-05-02 15:29 . 2011-02-10 21:32 278800 ------w- c:\windows\system32\MpSigStub.exe

2013-04-13 05:49 . 2013-05-15 20:58 135168 ----a-w- c:\windows\apppatch\AppPatch64\AcXtrnal.dll

2013-04-13 05:49 . 2013-05-15 20:58 350208 ----a-w- c:\windows\apppatch\AppPatch64\AcLayers.dll

2013-04-13 05:49 . 2013-05-15 20:58 308736 ----a-w- c:\windows\apppatch\AppPatch64\AcGenral.dll

2013-04-13 05:49 . 2013-05-15 20:58 111104 ----a-w- c:\windows\apppatch\AppPatch64\acspecfc.dll

2013-04-13 04:45 . 2013-05-15 20:58 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-04-13 04:45 . 2013-05-15 20:58 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-04-12 14:45 . 2013-04-24 20:36 1656680 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-03-19 06:04 . 2013-04-11 17:32 5550424 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-19 05:46 . 2013-04-11 17:32 43520 ----a-w- c:\windows\system32\csrsrv.dll

2013-03-19 05:04 . 2013-04-11 17:32 3968856 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2013-03-19 05:04 . 2013-04-11 17:32 3913560 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2013-03-19 04:47 . 2013-04-11 17:32 6656 ----a-w- c:\windows\SysWow64\apisetschema.dll

2013-03-19 03:06 . 2013-04-11 17:32 112640 ----a-w- c:\windows\system32\smss.exe

2009-12-06 09:18 26624 --sh--w- c:\windows\bfcs2.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccleaner"="c:\program files\CCleaner\CCleaner64.exe" [2013-04-23 6070040]

"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2013-04-05 59720]

"15EDEB4BE9AC98F66CE83161A51D7C6EE293BF37._service_run"="c:\users\Malc\AppData\Local\Google\Chrome\Application\chrome.exe" [2013-05-23 825808]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-07-04 641704]

"AsioThk32Reg"="CTASIO.DLL" [2010-03-18 47104]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-02-20 152392]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

"TrojanScanner"="c:\program files (x86)\Trojan Remover\Trjscan.exe" [2013-05-12 1648400]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-03-13 1532992]

"Trend Micro RUBotted V2.0 Beta"="c:\program files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSearchFilesInStartMenu"= 0 (0x0)

"NoSearchProgramsInStartMenu"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" -atboottime

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2010-03-18 158808]

R3 cpuz134;cpuz134;c:\users\Malc\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [x]

R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2012-01-19 79360]

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-10-03 79360]

R3 Creative Dolby Digital Live Pack Licensing Service;Creative Dolby Digital Live Pack Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\DDLLicensing.exe [2012-01-19 79360]

R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2010-03-18 706648]

R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2010-03-18 141912]

R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2010-03-18 141912]

R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2010-03-18 681048]

R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-04-20 196440]

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [2013-02-05 235216]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2013-02-19 106552]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]

R4 EaseUS Agent;EaseUS Agent Service;c:\program files (x86)\EaseUS\Todo Backup\bin\Agent.exe [2012-12-19 69192]

R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [x]

R4 RUBotSrv;Trend Micro RUBotted Service;c:\program files (x86)\Trend Micro\RUBotted\RUBotSrv.exe [2010-12-17 439632]

R4 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-11 1255736]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2012-12-19 58952]

S0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2012-12-19 48200]

S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2013-02-19 340216]

S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys [2013-01-21 236248]

S1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2012-12-19 18504]

S1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2012-12-19 189000]

S1 RapportCerberus_50414;RapportCerberus_50414;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\50414\RapportCerberus64_50414.sys [2013-02-09 585944]

S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2013-01-21 228760]

S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2013-01-21 357272]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-07-04 238080]

S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-07-04 361984]

S2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2012-03-05 53888]

S2 Guard Agent;Guard Agent Service;c:\program files (x86)\EaseUS\Todo Backup\bin\GuardAgent.exe [2012-12-19 23624]

S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2013-05-26 109352]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]

S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]

S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]

S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2013-02-19 218760]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2013-02-19 182752]

S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 47632]

S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2013-01-21 1124184]

S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [2010-02-18 46136]

S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-02-23 95760]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2013-02-19 70112]

S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2010-03-18 158808]

S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2010-03-18 706648]

S3 ctgame;Game Port;c:\windows\system32\DRIVERS\ctgame.sys [2010-03-18 26328]

S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2010-03-18 681048]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 25928]

S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2013-02-19 515968]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2011-05-10 22528]

S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-12-13 54784]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2013-05-27 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 20:32]

.

2013-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-479276331-2682851880-1986698195-1001Core.job

- c:\users\Malc\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-26 18:31]

.

2013-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-479276331-2682851880-1986698195-1001UA.job

- c:\users\Malc\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-26 18:31]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService

FontCache

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=d5aaffebb3c04a17bebc62b79b03fe8c&tu=11JL0008B2B000s&sku=&tstsId=&ver=&

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\users\Malc\AppData\Roaming\Mozilla\Firefox\Profiles\g6lzvssg.default-1358192917276\

FF - prefs.js: browser.search.defaulturl -

FF - prefs.js: browser.search.selectedEngine - Search By ZoneAlarm

FF - prefs.js: browser.startup.homepage - hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=d5aaffebb3c04a17bebc62b79b03fe8c&tu=11JL0008B2B000s&sku=&tstsId=&ver=&

FF - ExtSQL: 2013-04-17 16:03; pricepeep@getpricepeep.com; c:\users\Malc\AppData\Roaming\Mozilla\Firefox\Profiles\g6lzvssg.default-1358192917276\extensions\pricepeep@getpricepeep.com.xpi

FF - ExtSQL: 2013-05-22 07:38; donottrack@checkpoint.com; c:\users\Malc\AppData\Roaming\Mozilla\Firefox\Profiles\g6lzvssg.default-1358192917276\extensions\donottrack@checkpoint.com

FF - ExtSQL: 2013-05-22 07:38; ffxtlbr@zonealarm.com; c:\users\Malc\AppData\Roaming\Mozilla\Firefox\Profiles\g6lzvssg.default-1358192917276\extensions\ffxtlbr@zonealarm.com

FF - ExtSQL: !HIDDEN! 2012-10-17 17:19; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=8c87dd910000000000000025226f3af6&q=

FF - user.js: extensions.BabylonToolbar.id - 8c87dd910000000000000025226f3af6

FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}

FF - user.js: extensions.BabylonToolbar.instlDay - 15724

FF - user.js: extensions.BabylonToolbar.vrsn - 1.8.7.2

FF - user.js: extensions.BabylonToolbar.vrsni - 1.8.7.2

FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.8.7.221:02

FF - user.js: extensions.BabylonToolbar.prtnrId - babylon

FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar

FF - user.js: extensions.BabylonToolbar.aflt - babsst

FF - user.js: extensions.BabylonToolbar_i.smplGrp - none

FF - user.js: extensions.BabylonToolbar.tlbrId - base

FF - user.js: extensions.BabylonToolbar.instlRef - sst

FF - user.js: extensions.BabylonToolbar.dfltLng - en

FF - user.js: extensions.BabylonToolbar_i.excTlbr - false

FF - user.js: extensions.BabylonToolbar.excTlbr - false

FF - user.js: extensions.BabylonToolbar.admin - false

FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109220&tt=0313_5

FF - user.js: extensions.BabylonToolbar_i.babExt -

FF - user.js: extensions.BabylonToolbar_i.srcExt - ss

FF - user.js: extensions.BabylonToolbar.autoRvrt - false

FF - user.js: extensions.BabylonToolbar.rvrt - false

FF - user.js: extensions.BabylonToolbar_i.newTab - false

FF - user.js: extensions.zonealarm.autoRvrt - false

FF - user.js: extensions.zonealarm_i.hmpg - true

FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=d5aaffebb3c04a17bebc62b79b03fe8c&tu=11JL0008B2B000s&sku=&tstsId=&ver=&

FF - user.js: extensions.zonealarm.dfltSrch - true

FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm

FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?src=sp&tbid=base2013&Lan=en&q={searchTerms}&gu=d5aaffebb3c04a17bebc62b79b03fe8c&tu=11JL0008B2B000s&sku=&tstsId=&ver=&

FF - user.js: extensions.zonealarm_i.dnsErr - true

FF - user.js: extensions.zonealarm_i.newTab - true

FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?src=nt&tbid=base2013&Lan=en&gu=d5aaffebb3c04a17bebc62b79b03fe8c&tu=11JL0008B2B000s&sku=&tstsId=&ver=&

FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?src=tb&tbid=base2013&Lan={dfltLng}&gu=d5aaffebb3c04a17bebc62b79b03fe8c&tu=11JL0008B2B000s&sku=&tstsId=&ver=&&q=

FF - user.js: extensions.zonealarm.id - 8c87dd910000000000000025226f3af6

FF - user.js: extensions.zonealarm.appId - {C56C48A0-DA4E-46F6-9859-1553DC865F84}

FF - user.js: extensions.zonealarm.instlDay - 15847

FF - user.js: extensions.zonealarm.vrsn - 1.8.3.16

FF - user.js: extensions.zonealarm.vrsni - 1.8.3.16

FF - user.js: extensions.zonealarm_i.vrsnTs - 1.8.3.167:29

FF - user.js: extensions.zonealarm.prtnrId - checkpoint

FF - user.js: extensions.zonealarm.prdct - zonealarm

FF - user.js: extensions.zonealarm.aflt - 5043

FF - user.js: extensions.zonealarm_i.smplGrp - none

FF - user.js: extensions.zonealarm.tlbrId - base2013

FF - user.js: extensions.zonealarm.instlRef - ZLN118157157996617-5043

FF - user.js: extensions.zonealarm.dfltLng - en

FF - user.js: extensions.zonealarm.excTlbr - false

FF - user.js: extensions.zonealarm.admin - false

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-10 - (no file)

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}"=hex:51,66,7a,6c,4c,1d,38,12,26,bd,a8,

0a,e6,f4,22,0e,f1,4c,12,2a,bb,94,a4,70

"{0347C33E-8762-4905-BF09-768834316C61}"=hex:51,66,7a,6c,4c,1d,38,12,50,c0,54,

07,50,c9,6b,0c,c0,1f,35,c8,31,6f,28,75

"{0E8A89AD-95D7-40EB-8D9D-083EF7066A01}"=hex:51,66,7a,6c,4c,1d,38,12,c3,8a,99,

0a,e5,db,85,05,f2,8b,4b,7e,f2,58,2e,15

"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,

1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7

"{27B4851A-3207-45A2-B947-BE8AFE6163AB}"=hex:51,66,7a,6c,4c,1d,38,12,74,86,a7,

23,35,7c,cc,00,c6,51,fd,ca,fb,3f,27,bf

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,

76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,

72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57

"{7DB2D5A0-7241-4E79-B68D-6309F01C5231}"=hex:51,66,7a,6c,4c,1d,38,12,ce,d6,a1,

79,73,3c,17,0b,c9,9b,20,49,f5,42,16,25

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

"{B164E929-A1B6-4A06-B104-2CD0E90A88FF}"=hex:51,66,7a,6c,4c,1d,38,12,47,ea,77,

b5,84,ef,68,0f,ce,12,6f,90,ec,54,cc,eb

"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,

b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

"{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}"=hex:51,66,7a,6c,4c,1d,38,12,91,fc,ec,

fb,7c,81,45,0a,c2,d4,4d,32,e4,48,ec,42

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,

2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85

"{555D4D79-4BD2-4094-A395-CFC534424A05}"=hex:51,66,7a,6c,4c,1d,38,12,17,4e,4e,

51,e0,05,fa,05,dc,83,8c,85,31,1c,0e,11

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:05,eb,d3,b9,37,02,ce,01

.

[HKEY_USERS\S-1-5-21-479276331-2682851880-1986698195-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

.

[HKEY_USERS\S-1-5-21-479276331-2682851880-1986698195-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DbgagD\1*]

"value"="?\08\00\05\0d\04$?"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\ExpressFiles\EFUpdater.exe

c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

c:\windows\SysWOW64\rundll32.exe

.

**************************************************************************

.

Completion time: 2013-05-27 17:37:18 - machine was rebooted

ComboFix-quarantined-files.txt 2013-05-27 16:37

ComboFix2.txt 2013-05-26 06:42

.

Pre-Run: 115,185,623,040 bytes free

Post-Run: 115,087,450,112 bytes free

.

- - End Of File - - E26AF3FA4B697C6D927B8854C3448FF5

Managed to delete file via booting in Safe mode, still a few minor glitches but thing working a lot better thanks Malcolm

D-FRED-BROWN · May 27, 2013

Glad to hear you were able to delete that file.

I'd like to get a few more scans to get rid of any leftover malware:

We need to create a New FULL OTL Report

Please download OTL from here if you have not done so already:
- Main Mirror
[*]Save it to your desktop.
[*]Double click on the icon on your desktop.
[*]Click the "Scan All Users" checkbox.
[*]Change the "Extra Registry" option to "SafeList"
[*]Push the button.
[*]Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extra.txt <-- Will be minimized

Malc1966 · May 27, 2013

Unable to copy and paste, post too big, please see attached thanks malcolm

Extras.Txt

OTL.Txt

D-FRED-BROWN · May 27, 2013

We need to run an OTL Fix

Please reopen on your desktop.

Copy and Paste the following code into the

textbox.


:OTL
@Alternate Data Stream - 460 bytes -> C:\Users\Malc\Documents\Regulars Clive.ppp:SummaryInformation
@Alternate Data Stream - 460 bytes -> C:\Users\Malc\Documents\club tropicana.ppp:SummaryInformation
@Alternate Data Stream - 452 bytes -> C:\Users\Malc\Documents\Clive Poker.ppp:SummaryInformation
@Alternate Data Stream - 140 bytes -> C:\ProgramData\TEMP:CB0AACC9
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:B3D74A13
IE - HKU\S-1-5-21-479276331-2682851880-1986698195-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=109220&tt=0313_5&babsrc=SP_ss&mntrId=8c87dd910000000000000025226f3af6
[2013/01/19 22:02:21 | 000,002,349 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml

:Commands
[purity]
[emptytemp]
[emptyjava]
[emptyflash]
[Reboot]

Push
OTL may ask to reboot the machine. Please do so if asked.
Click the OK button.
A report will open. Copy and Paste that report in your next reply.

--------------------------------

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::
Firefox::
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=8c87dd910000000000000025226f3af6&q=
FF - user.js: extensions.BabylonToolbar.id - 8c87dd910000000000000025226f3af6
FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}
FF - user.js: extensions.BabylonToolbar.instlDay - 15724
FF - user.js: extensions.BabylonToolbar.vrsn - 1.8.7.2
FF - user.js: extensions.BabylonToolbar.vrsni - 1.8.7.2
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.8.7.221:02
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - base
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar_i.excTlbr - false
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109220&tt=0313_5
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar.autoRvrt - false
FF - user.js: extensions.BabylonToolbar.rvrt - false
FF - user.js: extensions.BabylonToolbar_i.newTab - false
Reboot::

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now

Malc1966 · May 28, 2013

All processes killed

========== OTL ==========

Unable to delete ADS C:\Users\Malc\Documents\Regulars .

Unable to delete ADS C:\Users\Malc\Documents\club .

Unable to delete ADS C:\Users\Malc\Documents\Clive .

ADS C:\ProgramData\TEMP:CB0AACC9 deleted successfully.

ADS C:\ProgramData\TEMP:B3D74A13 deleted successfully.

Registry key HKEY_USERS\S-1-5-21-479276331-2682851880-1986698195-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.

File C:\Program Files not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Lauren

->Temp folder emptied: 0 bytes

User: Malc

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 524355 bytes

->Java cache emptied: 11666 bytes

->FireFox cache emptied: 64581455 bytes

->Google Chrome cache emptied: 200231060 bytes

->Apple Safari cache emptied: 0 bytes

->Flash cache emptied: 36750 bytes

User: Public

->Temp folder emptied: 0 bytes

User: Sarah

->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 10972 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 367450 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 253.00 mb

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Lauren

User: Malc

->Java cache emptied: 0 bytes

User: Public

User: Sarah

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Lauren

User: Malc

->Flash cache emptied: 0 bytes

User: Public

User: Sarah

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 05282013_212608

Files\Folders moved on Reboot...

C:\Users\Malc\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

ComboFix 13-05-28.02 - Malc 28/05/2013 20:54:32.3.2 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4095.2227 [GMT 1:00]

Running from: c:\users\Malc\Downloads\ComboFix.exe

Command switches used :: c:\users\Malc\Documents\CFScript.txt

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}

AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}

FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}

SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2013-04-28 to 2013-05-28 )))))))))))))))))))))))))))))))

.

2013-05-28 20:06 . 2013-05-28 20:06 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-05-28 13:31 . 2013-05-28 13:31 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll

2013-05-28 13:31 . 2013-05-28 13:31 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll

2013-05-28 13:31 . 2013-05-28 13:30 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll

2013-05-28 13:31 . 2013-05-28 13:30 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll

2013-05-28 13:31 . 2013-05-28 13:30 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll

2013-05-28 13:31 . 2013-05-28 13:30 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll

2013-05-28 13:31 . 2013-05-28 13:30 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll

2013-05-28 13:31 . 2013-05-28 13:30 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll

2013-05-28 13:31 . 2013-05-28 13:30 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin.dll

2013-05-28 13:31 . 2013-05-28 13:30 159744 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll

2013-05-28 13:30 . 2013-05-28 13:30 -------- d-----w- c:\program files (x86)\QuickTime

2013-05-28 13:27 . 2013-05-28 13:27 -------- d-----w- c:\program files\iPod

2013-05-28 13:27 . 2013-05-28 13:28 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69

2013-05-28 13:27 . 2013-05-28 13:28 -------- d-----w- c:\program files\iTunes

2013-05-27 17:10 . 2013-05-14 00:48 9460464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{14D8C76B-FCC7-46A6-9806-70A1CCF941DE}\mpengine.dll