malware.trace infection replaces itself upon deletion

orreso · June 8, 2013

I ran a scan and it came up with this infection and need to get rid of it. I'm extremely scared since I'm trying to get a job coming out of school and I am sure they have my social security number. going to copy paste the quick scan below:

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.06.08.01

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 10.0.9200.16576

Andrew Nassen :: ANDREWNASSEN [administrator]

6/8/2013 1:14:39 AM

mbam-log-2013-06-08 (01-14-39).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 238415

Time elapsed: 9 minute(s), 45 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 1

C:\Users\Andrew Nassen\AppData\Roaming\dclogs (Stolen.Data) -> Quarantined and deleted successfully.

Files Detected: 1

C:\Users\Andrew Nassen\AppData\Roaming\dclogs\2013-06-08-7.dc (Stolen.Data) -> Quarantined and deleted successfully.

(end)

Larusso · June 8, 2013

:welcome:

Please follow the steps outlined here and post the requested logs in your next reply.

http://forums.malwarebytes.org/index.php?showtopic=9573

orreso · June 8, 2013

attach.txt:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 7/26/2011 8:23:39 PM

System Uptime: 6/8/2013 8:55:07 AM (1 hours ago)

.

Motherboard: Hewlett-Packard | | 1484

Processor: Intel® Celeron® CPU 900 @ 2.20GHz | CPU | 2194/800mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 281 GiB total, 29.686 GiB free.

D: is FIXED (NTFS) - 17 GiB total, 2.496 GiB free.

E: is CDROM ()

F: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP218: 5/15/2013 8:29:31 PM - Windows Update

RP219: 5/15/2013 11:31:42 PM - Windows Update

RP220: 5/21/2013 9:32:48 PM - Windows Update

RP221: 5/28/2013 6:32:09 PM - Windows Update

RP222: 6/1/2013 10:58:59 PM - Windows Update

RP223: 6/7/2013 10:26:03 PM - Windows Update

.

==== Installed Programs ======================

.

.sol Editor 1.1.0.1

7-Zip 9.22beta

Acrobat.com

ActiveCheck component for HP Active Support Library

ActiveState ActivePython 2.7.2.5 (32-bit)

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.7)

Adobe Shockwave Player 11.5

Adobe Shockwave Player 11.6

Bejeweled 2 Deluxe

Blackhawk Striker 2

Build-a-lot 2

Chuzzle Deluxe

CinemaNow Media Manager

Cisco EAP-FAST Module

Cisco LEAP Module

Cisco PEAP Module

couponamazing

CyberLink MediaShow

CyberLink YouCam

Defraggler

Diner Dash 2 Restaurant Rescue

Dora's Carnival Adventure

Energy Star Digital Logo

Escape Rosecliff Island

ESU for Microsoft Windows 7

FATE

Final Drive Nitro

Freenet

Heroes of Hellas 2 - Olympia

HP Customer Experience Enhancements

HP Documentation

HP Game Console

HP Games

HP MediaSmart CinemaNow 2.0

HP Photo Creations

HP Power Manager

HP Quick Launch

HP Setup

HP Software Framework

HP Wireless Assistant

HPAsset component for HP Active Support Library

Intel® Control Center

Intel® Graphics Media Accelerator Driver

Intel® Rapid Storage Technology

Java 7 Update 10 (64-bit)

Java 7 Update 21

Java Auto Updater

Java 6 Update 20 (64-bit)

Java 6 Update 37

JDownloader 0.9

Jewel Quest 3

Jewel Quest Solitaire 2

Junk Mail filter update

Katawa Shoujo

LabelPrint

LightScribe System Software

Livestream Procaster

Malwarebytes Anti-Malware version 1.75.0.1300

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Office 2010

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office Office 64-bit Components 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared 64-bit MUI (English) 2007

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft WSE 3.0 Runtime

Microsoft XNA Framework Redistributable 3.1

Mozilla Firefox 21.0 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Mumble 1.2.3

Norton Online Backup

Penguins!

PhotoNow!

Plants vs. Zombies

Poker Superstars III

Polar Bowler

Polar Golfer

Power2Go

PowerDirector

Realtek Ethernet Controller Driver For Windows 7

Realtek High Definition Audio Driver

Realtek USB 2.0 Card Reader

REALTEK Wireless LAN Software

Recovery Manager

RGSS-RTP Standard

Roxio CinemaNow 2.0

RPGXP

RtVOsd

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2736428)

Security Update for Microsoft .NET Framework 4 Extended (KB2742595)

swMSM

Synaptics Pointing Device Driver

System Requirements Lab CYRI

TeamSpeak 3 Client

TumblRipper

Unity Web Player

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Virtual Families

Virtual Villagers - The Secret City

VLC media player 2.0.3

Wheel of Fortune 2

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Mail

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Gallery

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

WinRAR 4.01 (64-bit)

Yahoo! Detect

Zuma Deluxe

.

==== End Of File ===========================

DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 10.0.9200.16576 BrowserJavaVersion: 10.21.2

Run by Andrew Nassen at 9:16:53 on 2013-06-08

Microsoft Windows 7 Home Premium 6.1.7601.1.932.81.1033.18.3003.1519 [GMT -7:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe

C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe

C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe

C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\taskhost.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe

C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe

C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe

C:\Program Files\Realtek\RtVOsd\RtVOsd.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://search.babylon.com/?affID=109935&tt=010712_8&babsrc=HP_ss&mntrId=e21b83cb00000000000068a3c4745211

uURLSearchHooks: {687578b9-7132-4a7a-80e4-30ee31099e03} - <orphaned>

mWinlogon: Userinit = userinit.exe,

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>

BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

uRun: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe

uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

uRun: [C:\Users\Andrew Nassen\Desktop\LivestreamProcaster.exe] "C:\Users\Andrew Nassen\Desktop\LivestreamProcaster.exe" /exenoupdates /exelang 0 /prereqs "0"

uRun: [AlcoholAutomount] "C:\Program Files (x86)\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" -automount

uRun: [zklupdat] C:\Users\Andrew Nassen\AppData\Roaming\milesoft.exe

mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab

TCP: NameServer = 192.168.2.1

TCP: Interfaces\{C14D4070-E15C-4787-9ABE-B28AA2E2827E} : DHCPNameServer = 192.168.2.1

TCP: Interfaces\{C14D4070-E15C-4787-9ABE-B28AA2E2827E}\24562656723702E4564777F627B6 : DHCPNameServer = 10.0.1.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

SSODL: WebCheck - <orphaned>

SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"

x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll

x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s

x64-Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

x64-DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>

x64-Notify: igfxcui - igfxdev.dll

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Andrew Nassen\AppData\Roaming\Mozilla\Firefox\Profiles\kjl6vhit.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - about:home

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\Andrew Nassen\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: C:\Windows\System32\Adobe\Director\np32dsw_1165635.dll

FF - plugin: C:\Windows\System32\Adobe\Director\np32dsw_1167637.dll

FF - plugin: C:\Windows\System32\Adobe\Director\np32dsw_1168638.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll

.

---- FIREFOX POLICIES ----

FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935&tt=010712_8

FF - user.js: extensions.BabylonToolbar_i.babExt -

FF - user.js: extensions.BabylonToolbar_i.srcExt - ss

FF - user.js: extensions.BabylonToolbar_i.id - e21b83cb00000000000068a3c4745211

FF - user.js: extensions.BabylonToolbar_i.hardId - e21b83cb00000000000068a3c4745211

FF - user.js: extensions.BabylonToolbar_i.instlDay - 15531

FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1719:17:08

FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon

FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar

FF - user.js: extensions.BabylonToolbar_i.aflt - babsst

FF - user.js: extensions.BabylonToolbar_i.smplGrp - none

FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9

FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

.

============= SERVICES / DRIVERS ===============

.

R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-12-12 98208]

R2 CinemaNow Service;CinemaNow Service;C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2010-5-21 140272]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-6-18 103992]

R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-6-25 92216]

R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-6-29 27192]

R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]

R2 RtVOsdService;RtVOsdService Installer;C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe [2010-4-19 315392]

R2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2009-12-23 370688]

R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2010-8-2 32880]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]

R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;C:\Windows\System32\drivers\rtl8192se.sys [2011-9-8 1225832]

S2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe [2012-1-5 75624]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-22 19456]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2010-12-12 245792]

S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]

S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]

S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-11-22 57856]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-7-27 1255736]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]

.

=============== Created Last 30 ================

.

2013-06-08 16:07:23 76232 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FF162516-1F4F-4063-971F-3AFB1DDB5F38}\offreg.dll

2013-06-08 15:56:59 -------- d-----w- C:\Users\Andrew Nassen\AppData\Roaming\dclogs

2013-06-08 05:26:58 9460464 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{FF162516-1F4F-4063-971F-3AFB1DDB5F38}\mpengine.dll

2013-05-27 07:27:09 9740288 ----a-w- C:\Users\Andrew Nassen\AppData\Roaming\milesoft.exe

2013-05-16 06:32:27 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2013-05-16 03:42:39 983400 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys

2013-05-13 00:42:30 -------- d-----w- C:\Users\Andrew Nassen\AppData\Roaming\SYSTEMAX Software Development

2013-05-13 00:42:30 -------- d-----w- C:\ProgramData\SYSTEMAX Software Development

2013-05-13 00:42:24 -------- d-----w- C:\Users\Andrew Nassen\AppData\Local\Zame

2013-05-13 00:30:35 -------- d-----w- C:\Users\Andrew Nassen\AppData\Local\FireAlpaca

.

==================== Find3M ====================

.

2013-05-15 06:11:22 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-05-15 06:11:22 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-05-02 09:06:08 278800 ------w- C:\Windows\System32\MpSigStub.exe

2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll

2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll

2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll

2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll

2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2013-04-10 06:01:54 265064 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys

2013-04-10 03:30:50 3153920 ----a-w- C:\Windows\System32\win32k.sys

2013-04-05 08:01:27 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2013-04-05 06:52:14 2242048 ----a-w- C:\Windows\System32\wininet.dll

2013-04-05 06:50:36 3958784 ----a-w- C:\Windows\System32\jscript9.dll

2013-04-05 06:50:31 67072 ----a-w- C:\Windows\System32\iesetup.dll

2013-04-05 06:50:31 136704 ----a-w- C:\Windows\System32\iesysprep.dll

2013-04-05 05:28:24 1767424 ----a-w- C:\Windows\SysWow64\wininet.dll

2013-04-05 05:26:26 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll

2013-04-05 05:26:21 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll

2013-04-05 05:26:21 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll

2013-04-05 04:43:00 2706432 ----a-w- C:\Windows\System32\mshtml.tlb

2013-04-05 03:51:11 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe

2013-04-05 03:38:25 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe

2013-04-04 21:50:32 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-04-04 12:35:05 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll

2013-03-19 06:04:06 5550424 ----a-w- C:\Windows\System32\ntoskrnl.exe

2013-03-19 05:53:58 48640 ----a-w- C:\Windows\System32\wwanprotdim.dll

2013-03-19 05:53:58 230400 ----a-w- C:\Windows\System32\wwansvc.dll

2013-03-19 05:46:56 43520 ----a-w- C:\Windows\System32\csrsrv.dll

2013-03-19 05:04:13 3968856 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2013-03-19 05:04:10 3913560 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2013-03-19 04:47:50 6656 ----a-w- C:\Windows\SysWow64\apisetschema.dll

2013-03-19 03:06:33 112640 ----a-w- C:\Windows\System32\smss.exe

.

============= FINISH: 9:17:22.15 ===============

thank you for you time and patience

Larusso · June 8, 2013

Hy there. I still see some thing which needs our attention.

Before I'll take action on them, I need another scan.

Please download Gmer from here by clicking on the "Download EXE" Button.

Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Show All ( should be unchecked by default )
[*] Leave everything else as it is.
[*] Close all other running programs as well as your Browser.
[*] Click the Scan button & wait for it to finish.
[*] Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
[*] Save it where you can easily find it, such as your desktop.
[*] Please post the content of the ark.txt here.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

orreso · June 8, 2013

contents of ark.txt below:

GMER 2.1.19163 - http://www.gmer.net

Rootkit scan 2013-06-08 11:20:13

Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.02.0 298.09GB

Running: xsu6f18h.exe; Driver: C:\Users\ANDREW~1\AppData\Local\Temp\kwlyyfoc.sys

---- Devices - GMER 2.1 ----

Device \Driver\agnbvn6j \Device\Scsi\agnbvn6j1Port1Path0Target0Lun0 fffffa80024e22c0

Device \Driver\agnbvn6j \Device\Scsi\agnbvn6j1 fffffa80024e22c0

Device \FileSystem\Ntfs \Ntfs fffffa8002cfe2c0

Device \FileSystem\fastfat \Fat fffffa80055cb2c0

Device \Driver\usbehci \Device\USBFDO-7 fffffa80056472c0

Device \Driver\usbuhci \Device\USBPDO-5 fffffa80056012c0

Device \Driver\usbuhci \Device\USBFDO-3 fffffa80056012c0

Device \Driver\usbuhci \Device\USBPDO-1 fffffa80056012c0

Device \Driver\cdrom \Device\CdRom0 fffffa800356e2c0

Device \Driver\cdrom \Device\CdRom1 fffffa800356e2c0

Device \Driver\usbuhci \Device\USBPDO-6 fffffa80056012c0

Device \Driver\usbuhci \Device\USBFDO-4 fffffa80056012c0

Device \Driver\usbuhci \Device\USBFDO-0 fffffa80056012c0

Device \Driver\usbehci \Device\USBPDO-2 fffffa80056472c0

Device \Driver\usbehci \Device\USBPDO-7 fffffa80056472c0

Device \Driver\usbuhci \Device\USBFDO-5 fffffa80056012c0

Device \Driver\usbuhci \Device\USBPDO-3 fffffa80056012c0

Device \Driver\usbuhci \Device\USBFDO-1 fffffa80056012c0

Device \Driver\NetBT \Device\NetBT_Tcpip_{C14D4070-E15C-4787-9ABE-B28AA2E2827E} fffffa800548d2c0

Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800548d2c0

Device \Driver\usbuhci \Device\USBFDO-6 fffffa80056012c0

Device \Driver\usbuhci \Device\USBPDO-4 fffffa80056012c0

Device \Driver\usbehci \Device\USBFDO-2 fffffa80056472c0

Device \Driver\agnbvn6j \Device\ScsiPort1 fffffa80024e22c0

Device \Driver\usbuhci \Device\USBPDO-0 fffffa80056012c0

Device \Driver\NetBT \Device\NetBT_Tcpip_{837FAE52-0C3A-49D4-8C08-DC11B228097C} fffffa800548d2c0

---- Modules - GMER 2.1 ----

Module \SystemRoot\System32\Drivers\agnbvn6j.SYS fffff880057a2000-fffff880057ee000 (311296 bytes)

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4E 0xA5 0xA8 0xC0 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE3 0xDC 0xCA 0x69 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x88 0x5A 0x8C 0x0C ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4E 0xA5 0xA8 0xC0 ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xE3 0xDC 0xCA 0x69 ...

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x88 0x5A 0x8C 0x0C ...

Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Andrew Nassen\Desktop\0--120430-1A-RJ093336\120430-1A-RJ093336\( 1

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----

Larusso · June 8, 2013

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers before your system is considered as clean !!

Download ComboFix from this location:

Link 1

* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to this topic How to disable your security applications

====================================================

Double click on combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

*Note - if after running ComboFix you see a message similar to 'registry key marked for deletion..' rebooting the machine will resolve that.

orreso · June 8, 2013

during the running of combofix I got multiple errors saying it cannot the command NIRKMD and I was left with 2 text files, Defogger_disable and catchme.txt. conents below:

defogger_disable.txt:

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 11:27 on 08/06/2013 (Andrew Nassen)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

HKCU:AlcoholAutomount -> Removed

Checking for services/drivers...

SPTD -> Disabled (Service running -> reboot required)

-=E.O.F=-

catchme.txt:

driver loading error

Larusso · June 8, 2013

It starts to get funny here. I like competitions

Do you have an USB drive with around 2gb space handy ?

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

Right click on the .zip file and choose "Extract here"
Open the mbar folder.
Launch the mbar.exe.
Click on next.
The tool will now open an Update Window. Please click the Update Button to download the newest definitions.
Press the Scan Button.
When the scan is done, Don't click the "CleanUP" Button.
Click Exit instead.

A logfile ( mbar-log-<YYYY.MM.DD<.txt ) has been created in the mbar folder. Please post its content here

orreso · June 9, 2013

the MBAR scan will not fully complete. The scan will reach a random file on my desktop then will hang there. I've left it to complete for up to 4 hours this latest time and it simply won't move pass whatever file it stops at. I can give you the partial below:

Malwarebytes Anti-Rootkit BETA 1.06.0.1003

www.malwarebytes.org

Database version: v2013.06.08.06

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 10.0.9200.16576

Andrew Nassen :: ANDREWNASSEN [administrator]

6/8/2013 8:14:45 PM

-log-2013-06-08 (20-14-45).txt

Scan type: Quick scan

Scan options enabled: PUM | P2P

Objects scanned: 0

Time elapsed:

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Larusso · June 9, 2013

Download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

- Startup Repair
  System Restore
  Windows Complete PC Restore
  Windows Memory Diagnostic Tool
  Command Prompt

[*]Select Command Prompt

[*]In the command window type in notepad and press Enter.

[*]The notepad opens. Under File menu select Open.

[*]Select "Computer" and find your flash drive letter and close the notepad.

[*]In the command window type e:\frst64 and press Enter

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run.

[*]When the tool opens click Yes to disclaimer.

[*]Press Scan button.

[*]It will make a log ( FRST.txt ) on the flash drive. Please copy and paste it to your reply.

orreso · June 9, 2013

FRST.txt below:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 09-06-2013

Ran by SYSTEM on 09-06-2013 09:20:53

Running from H:\

Windows 7 Home Premium (X64) OS Language: English(US)

Internet Explorer Version 9

Boot Mode: Recovery

The current controlset is ControlSet001

ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)

HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s [6245408 2010-05-25] (Realtek Semiconductor)

HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-06-18] (Hewlett-Packard Company)

HKLM\...\Run: [combofix] C:\ComboFix\CF8664.3XE /c C:\ComboFix\Combobatch.bat [8216 2011-10-30] ()

HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [602168 2010-06-29] (Hewlett-Packard Company)

HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [31016 2006-10-26] (Microsoft Corporation)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-12] (Oracle Corporation)

HKU\Andrew Nassen\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [x]

HKU\Andrew Nassen\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2736128 2010-05-19] (Hewlett-Packard Company)

HKU\Andrew Nassen\...\Run: [C:\Users\Andrew Nassen\Desktop\LivestreamProcaster.exe] "C:\Users\Andrew Nassen\Desktop\LivestreamProcaster.exe" /exenoupdates /exelang 0 /prereqs "0" [x]

HKU\Andrew Nassen\...\Run: [zklupdat] C:\Users\Andrew Nassen\AppData\Roaming\milesoft.exe [9740288 2013-05-26] (Adobe Systems, Inc.)

HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [x]

HKU\Default User\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [x]

==================== Services (Whitelisted) =================

S2 AxAutoMntSrv; C:\Program Files (x86)\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe [75624 2012-01-05] (Alcohol Soft Development Team)

S2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [27192 2010-06-29] ()

S2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)

S2 HP Health Check Service; "C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]

==================== Drivers (Whitelisted) ====================

S4 sptd; C:\Windows\System32\Drivers\sptd.sys [564824 2012-12-30] (Duplex Secure Ltd.)

S3 catchme; \??\C:\Users\ANDREW~1\AppData\Local\Temp\catchme.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-09 09:20 - 2013-06-09 09:20 - 00000000 ____D C:\FRST

2013-06-08 17:20 - 2013-06-08 17:20 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\mbar-1.06.0.1003

2013-06-08 17:18 - 2013-06-08 17:19 - 13169742 ____A C:\Users\Andrew Nassen\Desktop\mbar-1.06.0.1003.zip

2013-06-08 12:30 - 2013-06-08 20:54 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2013-06-08 11:25 - 2013-06-08 11:26 - 00000000 ___SD C:\ComboFix

2013-06-08 11:25 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe

2013-06-08 10:59 - 2013-06-08 10:59 - 00000021 ____A C:\Users\Andrew Nassen\Desktop\catchme.log

2013-06-08 10:58 - 2013-06-08 10:58 - 00000000 ____D C:\Device

2013-06-08 10:40 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe

2013-06-08 10:40 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe

2013-06-08 10:40 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe

2013-06-08 10:40 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe

2013-06-08 10:40 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe

2013-06-08 10:40 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe

2013-06-08 10:40 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe

2013-06-08 10:33 - 2013-06-08 10:39 - 00000000 ____D C:\Qoobox

2013-06-08 10:32 - 2013-06-08 11:00 - 00000000 ____D C:\Windows\erdnt

2013-06-08 10:32 - 2013-06-08 10:32 - 05078669 ____R (Swearware) C:\Users\Andrew Nassen\Desktop\ComboFix.exe

2013-06-08 10:27 - 2013-06-08 10:27 - 00050477 ____A C:\Users\Andrew Nassen\Desktop\Defogger.exe

2013-06-08 10:27 - 2013-06-08 10:27 - 00000666 ____A C:\Users\Andrew Nassen\Desktop\defogger_disable.log

2013-06-08 10:27 - 2013-06-08 10:27 - 00000216 ____A C:\Users\Andrew Nassen\defogger_reenable

2013-06-08 10:20 - 2013-06-08 10:20 - 00009857 ____A C:\Users\Andrew Nassen\Documents\ark.txt

2013-06-08 10:08 - 2013-06-08 10:08 - 00377856 ____A C:\Users\Andrew Nassen\Desktop\xsu6f18h.exe

2013-06-08 08:17 - 2013-06-08 08:17 - 00016833 ____A C:\Users\Andrew Nassen\Desktop\dds.txt

2013-06-08 08:17 - 2013-06-08 08:17 - 00006677 ____A C:\Users\Andrew Nassen\Desktop\attach.txt

2013-06-08 08:00 - 2013-06-08 08:00 - 00688992 ____R (Swearware) C:\Users\Andrew Nassen\Desktop\dds.scr

2013-06-05 18:33 - 2013-06-06 19:45 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\Pokemon SoulSilver

2013-06-05 18:33 - 2013-06-06 19:42 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\UPRandomizer-120a

2013-06-05 18:33 - 2013-06-05 18:51 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\desmume-0.9.9-win32

2013-06-05 18:33 - 2013-06-05 18:33 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\VisualBoyAdvance-1.8.0-beta3

2013-06-05 18:33 - 2013-06-05 18:33 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\Pokemon Emerald

2013-06-05 18:32 - 2013-06-05 19:33 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\pb2-us-fixed

2013-05-26 23:27 - 2013-05-26 23:27 - 09740288 ____A (Adobe Systems, Inc.) C:\Users\Andrew Nassen\AppData\Roaming\milesoft.exe

2013-05-23 21:06 - 2013-05-23 21:06 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2013-05-15 22:32 - 2013-04-04 22:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2013-05-15 22:32 - 2013-04-04 22:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2013-05-15 22:32 - 2013-04-04 22:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe

2013-05-15 22:32 - 2013-04-04 22:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2013-05-15 22:32 - 2013-04-04 22:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2013-05-15 22:32 - 2013-04-04 22:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2013-05-15 22:32 - 2013-04-04 22:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2013-05-15 22:32 - 2013-04-04 22:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2013-05-15 22:32 - 2013-04-04 22:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2013-05-15 22:32 - 2013-04-04 22:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2013-05-15 22:32 - 2013-04-04 22:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll

2013-05-15 22:32 - 2013-04-04 22:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll

2013-05-15 22:32 - 2013-04-04 22:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2013-05-15 22:32 - 2013-04-04 22:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll

2013-05-15 22:32 - 2013-04-04 21:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2013-05-15 22:32 - 2013-04-04 21:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2013-05-15 22:32 - 2013-04-04 21:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2013-05-15 22:32 - 2013-04-04 21:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2013-05-15 22:32 - 2013-04-04 21:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2013-05-15 22:32 - 2013-04-04 21:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2013-05-15 22:32 - 2013-04-04 21:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2013-05-15 22:32 - 2013-04-04 21:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2013-05-15 22:32 - 2013-04-04 21:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2013-05-15 22:32 - 2013-04-04 21:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll

2013-05-15 22:32 - 2013-04-04 21:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll

2013-05-15 22:32 - 2013-04-04 21:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2013-05-15 22:32 - 2013-04-04 21:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll

2013-05-15 22:32 - 2013-04-04 20:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2013-05-15 22:32 - 2013-04-04 20:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2013-05-15 22:32 - 2013-04-04 19:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe

2013-05-15 22:32 - 2013-04-04 19:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe

2013-05-15 19:42 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys

2013-05-15 19:42 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys

2013-05-15 19:42 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2013-05-15 19:42 - 2013-03-18 21:53 - 00230400 ____A (Microsoft Corporation) C:\Windows\System32\wwansvc.dll

2013-05-15 19:42 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll

2013-05-15 19:42 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe

2013-05-15 19:42 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll

2013-05-15 19:42 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll

2013-05-15 19:42 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll

2013-05-15 19:42 - 2013-02-26 21:47 - 00070144 ____A (Microsoft Corporation) C:\Windows\System32\appinfo.dll

2013-05-15 19:42 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2013-05-15 19:42 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll

2013-05-15 19:42 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll

2013-05-15 19:42 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll

2013-05-13 21:56 - 2013-05-13 21:56 - 00066743 ____A C:\Users\Andrew Nassen\Documents\ts3_clientui-win64-1365064384-2013-05-13 22_56_13.763160.dmp

2013-05-13 19:06 - 2013-05-13 19:06 - 00067568 ____A C:\Users\Andrew Nassen\Documents\ts3_clientui-win64-1365064384-2013-05-13 20_06_21.524273.dmp

2013-05-12 16:42 - 2013-05-12 16:42 - 00002276 ____A C:\Users\Andrew Nassen\Desktop\PaintTool SAI.lnk

2013-05-12 16:42 - 2013-05-12 16:42 - 00000000 ____D C:\Users\Andrew Nassen\AppData\Roaming\SYSTEMAX Software Development

2013-05-12 16:42 - 2013-05-12 16:42 - 00000000 ____D C:\Users\Andrew Nassen\AppData\Local\Zame

2013-05-12 16:42 - 2013-05-12 16:42 - 00000000 ____D C:\ProgramData\SYSTEMAX Software Development

2013-05-12 16:30 - 2013-05-14 15:43 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\pwnypony psd files

2013-05-12 16:30 - 2013-05-12 16:30 - 00000000 ____D C:\Users\Andrew Nassen\AppData\Local\FireAlpaca

2013-05-10 20:35 - 2013-05-10 20:35 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\Off translation V. 2.0

==================== One Month Modified Files and Folders =======

2013-06-09 09:20 - 2013-06-09 09:20 - 00000000 ____D C:\FRST

2013-06-09 08:07 - 2009-07-13 20:51 - 00126471 ____A C:\Windows\setupact.log

2013-06-09 08:03 - 2009-07-13 20:45 - 00023024 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2013-06-09 08:03 - 2009-07-13 20:45 - 00023024 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2013-06-09 07:59 - 2010-12-12 00:40 - 01542047 ____A C:\Windows\WindowsUpdate.log

2013-06-08 20:54 - 2013-06-08 12:30 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2013-06-08 17:20 - 2013-06-08 17:20 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\mbar-1.06.0.1003

2013-06-08 17:19 - 2013-06-08 17:18 - 13169742 ____A C:\Users\Andrew Nassen\Desktop\mbar-1.06.0.1003.zip

2013-06-08 11:27 - 2011-07-26 03:18 - 00210278 ____A C:\Windows\PFRO.log

2013-06-08 11:26 - 2013-06-08 11:25 - 00000000 ___SD C:\ComboFix

2013-06-08 11:01 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini

2013-06-08 11:00 - 2013-06-08 10:32 - 00000000 ____D C:\Windows\erdnt

2013-06-08 10:59 - 2013-06-08 10:59 - 00000021 ____A C:\Users\Andrew Nassen\Desktop\catchme.log

2013-06-08 10:59 - 2009-07-13 18:34 - 74186752 ____A C:\Windows\System32\config\SOFTWARE.bak

2013-06-08 10:59 - 2009-07-13 18:34 - 14942208 ____A C:\Windows\System32\config\SYSTEM.bak

2013-06-08 10:59 - 2009-07-13 18:34 - 00262144 ____A C:\Windows\System32\config\SECURITY.bak

2013-06-08 10:59 - 2009-07-13 18:34 - 00262144 ____A C:\Windows\System32\config\SAM.bak

2013-06-08 10:59 - 2009-07-13 18:34 - 00262144 ____A C:\Windows\System32\config\DEFAULT.bak

2013-06-08 10:58 - 2013-06-08 10:58 - 00000000 ____D C:\Device

2013-06-08 10:39 - 2013-06-08 10:33 - 00000000 ____D C:\Qoobox

2013-06-08 10:32 - 2013-06-08 10:32 - 05078669 ____R (Swearware) C:\Users\Andrew Nassen\Desktop\ComboFix.exe

2013-06-08 10:28 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2013-06-08 10:27 - 2013-06-08 10:27 - 00050477 ____A C:\Users\Andrew Nassen\Desktop\Defogger.exe

2013-06-08 10:27 - 2013-06-08 10:27 - 00000666 ____A C:\Users\Andrew Nassen\Desktop\defogger_disable.log

2013-06-08 10:27 - 2013-06-08 10:27 - 00000216 ____A C:\Users\Andrew Nassen\defogger_reenable

2013-06-08 10:27 - 2011-07-26 19:23 - 00000000 ____D C:\users\Andrew Nassen

2013-06-08 10:20 - 2013-06-08 10:20 - 00009857 ____A C:\Users\Andrew Nassen\Documents\ark.txt

2013-06-08 10:10 - 2012-04-03 14:33 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2013-06-08 10:08 - 2013-06-08 10:08 - 00377856 ____A C:\Users\Andrew Nassen\Desktop\xsu6f18h.exe

2013-06-08 08:17 - 2013-06-08 08:17 - 00016833 ____A C:\Users\Andrew Nassen\Desktop\dds.txt

2013-06-08 08:17 - 2013-06-08 08:17 - 00006677 ____A C:\Users\Andrew Nassen\Desktop\attach.txt

2013-06-08 08:00 - 2013-06-08 08:00 - 00688992 ____R (Swearware) C:\Users\Andrew Nassen\Desktop\dds.scr

2013-06-07 23:33 - 2013-03-25 20:04 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\rar files

2013-06-07 23:33 - 2012-08-09 19:20 - 00000000 ____D C:\Users\Andrew Nassen\AppData\Roaming\TS3Client

2013-06-06 19:45 - 2013-06-05 18:33 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\Pokemon SoulSilver

2013-06-06 19:42 - 2013-06-05 18:33 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\UPRandomizer-120a

2013-06-06 19:27 - 2013-04-23 20:54 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\DanbooruDownloader20130223

2013-06-05 19:33 - 2013-06-05 18:32 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\pb2-us-fixed

2013-06-05 18:51 - 2013-06-05 18:33 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\desmume-0.9.9-win32

2013-06-05 18:33 - 2013-06-05 18:33 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\VisualBoyAdvance-1.8.0-beta3

2013-06-05 18:33 - 2013-06-05 18:33 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\Pokemon Emerald

2013-06-03 21:12 - 2011-08-14 18:05 - 00000000 ____D C:\Users\Andrew Nassen\AppData\Roaming\vlc

2013-05-30 22:30 - 2012-02-17 23:07 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\random stuff

2013-05-28 17:45 - 2009-07-13 21:13 - 00779266 ____A C:\Windows\System32\PerfStringBackup.INI

2013-05-27 19:10 - 2009-07-13 20:45 - 00436008 ____A C:\Windows\System32\FNTCACHE.DAT

2013-05-26 23:27 - 2013-05-26 23:27 - 09740288 ____A (Adobe Systems, Inc.) C:\Users\Andrew Nassen\AppData\Roaming\milesoft.exe

2013-05-26 23:26 - 2011-07-26 19:27 - 00117096 ____A C:\Users\Andrew Nassen\AppData\Local\GDIPFONTCACHEV1.DAT

2013-05-25 16:39 - 2012-05-03 20:31 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

2013-05-23 21:06 - 2013-05-23 21:06 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2013-05-20 18:53 - 2009-07-13 21:08 - 00032564 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2013-05-15 22:38 - 2011-08-01 10:28 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

2013-05-14 22:11 - 2012-04-03 14:33 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2013-05-14 22:11 - 2011-07-26 19:39 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2013-05-14 15:43 - 2013-05-12 16:30 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\pwnypony psd files

2013-05-13 21:56 - 2013-05-13 21:56 - 00066743 ____A C:\Users\Andrew Nassen\Documents\ts3_clientui-win64-1365064384-2013-05-13 22_56_13.763160.dmp

2013-05-13 19:06 - 2013-05-13 19:06 - 00067568 ____A C:\Users\Andrew Nassen\Documents\ts3_clientui-win64-1365064384-2013-05-13 20_06_21.524273.dmp

2013-05-13 15:10 - 2011-07-26 19:28 - 00000000 ____D C:\Users\Andrew Nassen\AppData\Local\VirtualStore

2013-05-12 16:42 - 2013-05-12 16:42 - 00002276 ____A C:\Users\Andrew Nassen\Desktop\PaintTool SAI.lnk

2013-05-12 16:42 - 2013-05-12 16:42 - 00000000 ____D C:\Users\Andrew Nassen\AppData\Roaming\SYSTEMAX Software Development

2013-05-12 16:42 - 2013-05-12 16:42 - 00000000 ____D C:\Users\Andrew Nassen\AppData\Local\Zame

2013-05-12 16:42 - 2013-05-12 16:42 - 00000000 ____D C:\ProgramData\SYSTEMAX Software Development

2013-05-12 16:30 - 2013-05-12 16:30 - 00000000 ____D C:\Users\Andrew Nassen\AppData\Local\FireAlpaca

2013-05-10 20:35 - 2013-05-10 20:35 - 00000000 ____D C:\Users\Andrew Nassen\Desktop\Off translation V. 2.0

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-05-15 19:30:33

Restore point made on: 2013-05-15 22:31:53

Restore point made on: 2013-05-21 20:33:27

Restore point made on: 2013-05-28 17:32:41

Restore point made on: 2013-06-01 21:59:44

Restore point made on: 2013-06-07 21:26:37

==================== Memory info ===========================

Percentage of memory in use: 22%

Total physical RAM: 3002.92 MB

Available physical RAM: 2339.24 MB

Total Pagefile: 3001.07 MB

Available Pagefile: 2328.93 MB

Total Virtual: 8192 MB

Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (Hard Drive) (Fixed) (Total:280.54 GB) (Free:30.72 GB) NTFS (Disk=0 Partition=2) ==>[system with boot components (obtained from reading drive)]

Drive e: (RECOVERY) (Fixed) (Total:17.25 GB) (Free:2.5 GB) NTFS (Disk=0 Partition=3) ==>[system with boot components (obtained from reading drive)]

Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32 (Disk=0 Partition=4)

Drive h: (NASSENS USB) (Removable) (Total:7.2 GB) (Free:7.19 GB) FAT32 (Disk=1 Partition=1)

Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS (Disk=0 Partition=1) ==>[system with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (Size: 298 GB) (Disk ID: BBC0899A)

Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=281 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=17 GB) - (Type=07 NTFS)

Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)

========================================================

Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)

Partition 1: (Not Active) - (Size=7 GB) - (Type=0C)

LastRegBack: 2009-09-06 16:58

==================== End Of Log ============================

Larusso · June 9, 2013

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

HKU\Andrew Nassen\...\Run: [zklupdat] C:\Users\Andrew Nassen\AppData\Roaming\milesoft.exe [9740288 2013-05-26] (Adobe Systems, Inc.)
C:\Users\Andrew Nassen\AppData\Roaming\milesoft.exe
C:\Users\Andrew Nassen\AppData\Roaming\dclogs

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST by typing F:\frst64 and press the Fix button just once and wait.

Note: You might need to choose a different drive letter.

The tool will make a log on the flashdrive ( Fixlog.txt ) please post it to your reply.

Please delete the current version from Combofix.

Download ComboFix from this location:

Link 1

* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to this topic How to disable your security applications

====================================================

Double click on combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

*Note - if after running ComboFix you see a message similar to 'registry key marked for deletion..' rebooting the machine will resolve that.

orreso · June 9, 2013

fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-06-2013

Ran by SYSTEM at 2013-06-09 13:43:09 Run:1

Running from H:\

Boot Mode: Recovery

==============================================

HKU\Andrew Nassen\Software\Microsoft\Windows\CurrentVersion\Run\\zklupdat => Value deleted successfully.

C:\Users\Andrew Nassen\AppData\Roaming\milesoft.exe => Moved successfully.

C:\Users\Andrew Nassen\AppData\Roaming\dclogs => Moved successfully.

==== End of Fixlog ====

combofix.txt:

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-05-19 2736128]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-06-30 602168]

"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;c:\program files (x86)\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe;c:\program files (x86)\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]

R2 RtVOsdService;RtVOsdService Installer;c:\program files\Realtek\RtVOsd\RtVOsdService.exe;c:\program files\Realtek\RtVOsd\RtVOsdService.exe [x]

R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]

R4 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]

S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]

S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [x]

S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]

S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]

S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]

S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]

S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192se.sys [x]

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2010-05-19 18:36 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-06-08 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 06:11]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2010-05-26 6245408]

"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.babylon.com/?affID=109935&tt=010712_8&babsrc=HP_ss&mntrId=e21b83cb00000000000068a3c4745211

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\users\Andrew Nassen\AppData\Roaming\Mozilla\Firefox\Profiles\kjl6vhit.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - about:home

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=

FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935&tt=010712_8

FF - user.js: extensions.BabylonToolbar_i.babExt -

FF - user.js: extensions.BabylonToolbar_i.srcExt - ss

FF - user.js: extensions.BabylonToolbar_i.id - e21b83cb00000000000068a3c4745211

FF - user.js: extensions.BabylonToolbar_i.hardId - e21b83cb00000000000068a3c4745211

FF - user.js: extensions.BabylonToolbar_i.instlDay - 15531

FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1719:17

FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon

FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar

FF - user.js: extensions.BabylonToolbar_i.aflt - babsst

FF - user.js: extensions.BabylonToolbar_i.smplGrp - none

FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9

FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{687578b9-7132-4a7a-80e4-30ee31099e03} - (no file)

Wow6432Node-HKCU-Run-HPAdvisorDock - c:\program files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe

Wow6432Node-HKCU-Run-c:\users\Andrew Nassen\Desktop\LivestreamProcaster.exe - c:\users\Andrew Nassen\Desktop\LivestreamProcaster.exe

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_202_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_202.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]

@="???楴??汐杵?愠???敗?汐杵? v1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]

@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]

@="???楴??汐杵?愠???敗?汐杵? v2"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]

@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe

c:\program files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

.

**************************************************************************

.

Completion time: 2013-06-09 14:29:48 - machine was rebooted

ComboFix-quarantined-files.txt 2013-06-09 21:29

.

Pre-Run: 33,055,510,528 bytes free

Post-Run: 32,768,581,632 bytes free

.

- - End Of File - - 07B85D87A4723634D1CEF2184AEF161C

D41D8CD98F00B204E9800998ECF8427E

Larusso · June 10, 2013

Hy there,

The Combofix.txt is incomplete

Please,

double-click on a Logfile to open it.
Right click with your mouse or touchpad.
Choose Select All from the shortcut menu.
Right click again, then chose Copy from the shortcut menu.
Go the window where you are typing your new topic. Select an area after the text.
Right click and select Paste from the shortcut menu.

orreso · June 10, 2013

this is the full extent of the ComboFix.txt. There is also a log.txt file in the same area, which I can also post if you request: