ICE Cyber Crimes Removal Help

Delak606 · July 13, 2013

Hello Everyone, I need assistance please in removing this the correct way and advice on how to prevent it from happening again. I have read through many of the topics here already and I have most tools I have seen ready to go (I have not run them yet other than FRST).

Thank you in advance for any help

Here is my log file from my first scan using FRST64.exe

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-07-2013 02
Ran by SYSTEM on 13-07-2013 06:14:42
Running from K:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11855976 2011-05-18] (Realtek Semiconductor)
HKLM\...\Run: [THXCfg64] - C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64 [26624 2011-05-13] (Creative Technology Ltd.)
HKLM\...\Run: [itype] - "c:\Program Files\Microsoft IntelliType Pro\itype.exe" [1873256 2011-08-10] (Microsoft Corporation)
HKLM\...\Run: [Launch LCore] - C:\Program Files\Logitech Gaming Software\LCore.exe /minimized [5889816 2011-12-07] (Logitech Inc.)
HKLM\...\Run: [Nvtmru] - "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [1012000 2013-05-16] (NVIDIA Corporation)
HKLM-x32\...\Winlogon: [shell] C:\PROGRA~3\olhodg.bat [x ] () <=== ATTENTION
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [34672 2008-06-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [THX TruStudio NB Settings] - "C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe" /r [909824 2011-05-19] (Creative Technology Ltd)
HKLM-x32\...\Run: [updReg] - C:\Windows\UpdReg.EXE [90112 2000-05-10] (Creative Technology Ltd.)
HKLM-x32\...\Run: [sunJavaUpdateSched] - "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252848 2012-07-03] (Sun Microsystems, Inc.)
HKU\Connor\...\Run: [DAEMON Tools Lite] - "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3671904 2012-08-28] (DT Soft Ltd)
HKU\Connor\...\Policies\system: [LogonHoursAction] 2
HKU\Connor\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Costas\...\Run: [steam] - "G:\Installed Games\SteamLibrary\Steam\steam.exe" -silent [x]
HKU\Costas\...\Run: [spybotSD TeaTimer] - C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\Costas\...\Run: [RESTART_STICKY_NOTES] - C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\Costas\...\Run: [DAEMON Tools Lite] - "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3671904 2012-08-28] (DT Soft Ltd)
HKU\Costas\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Costas\AppData\Local\Temp\bwqcdmjxeyfldleqpjx.bfg [48128 2013-07-12] (NVIDIA Corporation) <===== ATTENTION
HKU\Costas\...\Policies\system: [LogonHoursAction] 2
HKU\Costas\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Costas\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Costas\...\Command Processor: "C:\Users\Costas\AppData\Local\Temp\bwqcdmjxeyfldleqpjx.bfg" <===== ATTENTION!
HKU\Default\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
HKU\UpdatusUser\...\RunOnce: [mctadmin] - C:\Windows\System32\mctadmin.exe [97280 2009-07-13] (Microsoft Corporation)
Startup: C:\Users\Costas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
Startup: C:\Users\Costas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
ShortcutTarget: msconfig.lnk -> C:\PROGRA~3\gdohlo.dat (No File)

==================== Services (Whitelisted) =================

S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [49152 2013-03-14] ()
S2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

==================== Drivers (Whitelisted) ====================

S2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [314016 2012-02-07] ()
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-09-03] (DT Soft Ltd)
S3 LGSHidFilt; C:\Windows\System32\DRIVERS\LGSHidFilt.Sys [66328 2011-10-24] (Logitech Inc.)
S2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [43680 2012-02-07] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-13 06:14 - 2013-07-13 06:14 - 00000000 ____D C:\FRST
2013-07-12 17:57 - 2013-07-12 17:57 - 01777811 _____ (Farbar) C:\Users\Connor\Downloads\FRST64.exe
2013-07-12 17:42 - 2013-07-12 17:42 - 02240864 _____ (Kaspersky Lab ZAO) C:\Users\Connor\Downloads\tdsskiller.exe
2013-07-12 17:33 - 2013-07-12 17:33 - 01097635 _____ C:\Users\Costas\AppData\Roaming\2433f433
2013-07-12 17:33 - 2013-07-12 17:33 - 01097632 _____ C:\Users\All Users\2433f433
2013-07-12 17:33 - 2013-07-12 17:33 - 01097589 _____ C:\Users\Costas\AppData\Local\2433f433
2013-07-12 08:51 - 2013-07-12 08:51 - 00000000 ____D C:\Users\Connor\Documents\Klei
2013-07-12 08:43 - 2013-07-12 04:01 - 00000231 _____ C:\Users\Connor\Desktop\Don't Starve.url
2013-07-12 04:04 - 2013-07-12 04:04 - 00000000 ____D C:\Users\Costas\Documents\Klei
2013-07-12 04:01 - 2013-07-12 04:01 - 00000231 _____ C:\Users\Costas\Desktop\Don't Starve.url
2013-07-11 23:03 - 2013-06-11 15:43 - 14329856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-11 23:03 - 2013-06-11 15:43 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-11 23:03 - 2013-06-11 15:43 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-11 23:03 - 2013-06-11 15:43 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-11 23:03 - 2013-06-11 15:43 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-11 23:03 - 2013-06-11 15:43 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-11 23:03 - 2013-06-11 15:43 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-11 23:03 - 2013-06-11 15:42 - 13760512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-11 23:03 - 2013-06-11 15:42 - 02046976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-11 23:03 - 2013-06-11 15:42 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-11 23:03 - 2013-06-11 15:42 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-07-11 23:03 - 2013-06-11 15:42 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-07-11 23:03 - 2013-06-11 15:42 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-07-11 23:03 - 2013-06-11 15:26 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-11 23:03 - 2013-06-11 15:26 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-11 23:03 - 2013-06-11 15:26 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-07-11 23:03 - 2013-06-11 15:25 - 19238912 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-11 23:03 - 2013-06-11 15:25 - 15404032 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-11 23:03 - 2013-06-11 15:25 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-11 23:03 - 2013-06-11 15:25 - 02648576 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-11 23:03 - 2013-06-11 15:25 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-11 23:03 - 2013-06-11 15:25 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-11 23:03 - 2013-06-11 15:25 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-11 23:03 - 2013-06-11 15:25 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-07-11 23:03 - 2013-06-11 15:25 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-07-11 23:03 - 2013-06-11 15:25 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-11 23:03 - 2013-06-11 15:25 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-07-11 23:03 - 2013-06-11 14:51 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-07-11 23:03 - 2013-06-11 14:50 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-11 23:03 - 2013-06-06 19:22 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-11 23:03 - 2013-06-06 18:37 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-10 23:19 - 2013-06-04 19:34 - 03153920 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-10 23:19 - 2013-06-03 22:00 - 00624128 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-10 23:19 - 2013-06-03 20:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-10 23:19 - 2013-05-05 22:03 - 01887744 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-10 23:19 - 2013-05-05 20:56 - 01620480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-10 23:19 - 2013-04-09 15:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-10 23:19 - 2013-04-02 14:51 - 01643520 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-07-08 04:03 - 2013-07-08 12:28 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-06-20 08:43 - 2013-07-12 08:44 - 00000000 ____D C:\Users\Connor\AppData\Roaming\.technic
2013-06-20 08:27 - 2013-06-20 08:27 - 00001093 _____ C:\Users\Connor\Desktop\TechnicLauncher.lnk
2013-06-16 02:21 - 2013-05-12 13:42 - 25256224 _____ (NVIDIA Corporation) C:\Windows\System32\nvcompiler.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 21096736 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglv32.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 17560352 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcompiler.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 15143904 _____ (NVIDIA Corporation) C:\Windows\System32\nvd3dumx.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 13403168 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvwgf2um.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 11216160 _____ (NVIDIA Corporation) C:\Windows\System32\Drivers\nvlddmkm.sys
2013-06-16 02:21 - 2013-05-12 13:42 - 09233688 _____ (NVIDIA Corporation) C:\Windows\System32\nvcuda.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 07682960 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuda.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 07641832 _____ (NVIDIA Corporation) C:\Windows\System32\nvopencl.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 06324360 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvopencl.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 02942240 _____ (NVIDIA Corporation) C:\Windows\System32\nvcuvid.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 02754336 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvid.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 02363680 _____ (NVIDIA Corporation) C:\Windows\System32\nvcuvenc.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 02002720 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvcuvenc.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 01832224 _____ (NVIDIA Corporation) C:\Windows\System32\nvdispco6432018.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 01511712 _____ (NVIDIA Corporation) C:\Windows\System32\nvdispgenco6432018.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 00925648 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvumdshim.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 00550176 _____ (NVIDIA Corporation) C:\Windows\System32\NvFBC64.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 00518944 _____ (NVIDIA Corporation) C:\Windows\System32\NvIFR64.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 00443168 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvFBC.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 00421152 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\NvIFR.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 00266448 _____ (NVIDIA Corporation) C:\Windows\System32\nvinitx.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 00218592 _____ (NVIDIA Corporation) C:\Windows\System32\nvoglshim64.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 00214448 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvinit.dll
2013-06-16 02:21 - 2013-05-12 13:42 - 00181488 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvoglshim32.dll
2013-06-16 02:21 - 2013-02-24 21:27 - 00194848 _____ (NVIDIA Corporation) C:\Windows\System32\Drivers\nvhda64v.sys
2013-06-16 02:21 - 2013-02-24 21:27 - 00031520 _____ (NVIDIA Corporation) C:\Windows\System32\nvhdap64.dll

==================== One Month Modified Files and Folders =======

2013-07-13 06:14 - 2013-07-13 06:14 - 00000000 ____D C:\FRST
2013-07-12 18:03 - 2012-01-05 19:02 - 01049167 _____ C:\Windows\WindowsUpdate.log
2013-07-12 17:58 - 2009-07-13 21:13 - 00792590 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-12 17:57 - 2013-07-12 17:57 - 01777811 _____ (Farbar) C:\Users\Connor\Downloads\FRST64.exe
2013-07-12 17:45 - 2009-07-13 20:45 - 00022064 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-12 17:45 - 2009-07-13 20:45 - 00022064 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-12 17:42 - 2013-07-12 17:42 - 02240864 _____ (Kaspersky Lab ZAO) C:\Users\Connor\Downloads\tdsskiller.exe
2013-07-12 17:38 - 2012-01-05 19:19 - 00000000 ____D C:\Users\All Users\NVIDIA
2013-07-12 17:38 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-12 17:38 - 2009-07-13 20:51 - 00063762 _____ C:\Windows\setupact.log
2013-07-12 17:37 - 2009-07-13 21:08 - 00032640 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-07-12 17:33 - 2013-07-12 17:33 - 01097635 _____ C:\Users\Costas\AppData\Roaming\2433f433
2013-07-12 17:33 - 2013-07-12 17:33 - 01097632 _____ C:\Users\All Users\2433f433
2013-07-12 17:33 - 2013-07-12 17:33 - 01097589 _____ C:\Users\Costas\AppData\Local\2433f433
2013-07-12 17:07 - 2012-04-11 03:29 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-12 08:51 - 2013-07-12 08:51 - 00000000 ____D C:\Users\Connor\Documents\Klei
2013-07-12 08:44 - 2013-06-20 08:43 - 00000000 ____D C:\Users\Connor\AppData\Roaming\.technic
2013-07-12 06:45 - 2013-03-23 04:02 - 00000000 ____D C:\Users\Costas\AppData\Roaming\.technic
2013-07-12 04:13 - 2012-01-25 01:48 - 00000000 ____D C:\Users\Costas\AppData\Local\CrashDumps
2013-07-12 04:04 - 2013-07-12 04:04 - 00000000 ____D C:\Users\Costas\Documents\Klei
2013-07-12 04:03 - 2012-01-05 20:05 - 00313247 _____ C:\Windows\DirectX.log
2013-07-12 04:01 - 2013-07-12 08:43 - 00000231 _____ C:\Users\Connor\Desktop\Don't Starve.url
2013-07-12 04:01 - 2013-07-12 04:01 - 00000231 _____ C:\Users\Costas\Desktop\Don't Starve.url
2013-07-11 23:21 - 2012-08-12 16:35 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-07-11 23:21 - 2012-08-12 16:35 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-07-11 23:21 - 2012-05-06 09:08 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-07-11 23:21 - 2011-04-12 00:28 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-11 23:21 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-11 23:21 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-11 23:21 - 2009-07-13 20:45 - 00422152 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-11 23:04 - 2009-07-13 18:34 - 00000499 _____ C:\Windows\win.ini
2013-07-11 23:03 - 2012-01-05 19:29 - 78185248 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-07-10 12:18 - 2013-03-06 12:32 - 00000000 ____D C:\Users\Connor\AppData\Roaming\.minecraft
2013-07-08 12:28 - 2013-07-08 04:03 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-06-29 18:20 - 2012-01-25 01:39 - 00000000 ____D C:\Users\Costas\AppData\Roaming\BitTorrent
2013-06-23 06:52 - 2013-01-22 14:59 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2013-06-23 06:52 - 2012-01-10 05:46 - 00786314 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2013-06-22 02:27 - 2012-01-05 19:43 - 00000000 ____D C:\Users\UpdatusUser\AppData\Local\CrashDumps
2013-06-20 08:40 - 2013-03-06 05:05 - 00000000 ____D C:\Users\Costas\AppData\Roaming\.minecraft
2013-06-20 08:27 - 2013-06-20 08:27 - 00001093 _____ C:\Users\Connor\Desktop\TechnicLauncher.lnk
2013-06-16 18:07 - 2012-04-15 15:26 - 00000000 ____D C:\Users\Costas\AppData\Roaming\TS3Client
2013-06-16 15:36 - 2012-08-12 16:43 - 00000000 ____D C:\Users\Costas\AppData\Roaming\PrimoPDF
2013-06-16 15:30 - 2012-01-08 07:12 - 00000000 ____D C:\Users\Costas\.maptool
2013-06-16 02:22 - 2012-01-05 19:18 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2013-06-16 02:18 - 2013-01-29 05:08 - 00001351 _____ C:\Users\Public\Desktop\GeForce Experience.lnk
2013-06-16 02:18 - 2012-01-05 19:18 - 00000000 ____D C:\Users\All Users\NVIDIA Corporation

ZeroAccess:
C:\Windows\Installer\{15c4e049-d890-4da1-ded4-ab5ea9791b49}
C:\Windows\Installer\{15c4e049-d890-4da1-ded4-ab5ea9791b49}\L
C:\Windows\Installer\{15c4e049-d890-4da1-ded4-ab5ea9791b49}\U

ZeroAccess:
C:\Users\Costas\AppData\Local\{15c4e049-d890-4da1-ded4-ab5ea9791b49}
C:\Users\Costas\AppData\Local\{15c4e049-d890-4da1-ded4-ab5ea9791b49}\L
C:\Users\Costas\AppData\Local\{15c4e049-d890-4da1-ded4-ab5ea9791b49}\U

Files to move or delete:
====================
C:\Users\Costas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
C:\ProgramData\olhodg.bat
C:\ProgramData\olhodg.pad
C:\ProgramData\olhodg.reg

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-07-11 23:00:14
Restore point made on: 2013-07-12 04:03:21

==================== Memory info ===========================

Percentage of memory in use: 9%
Total physical RAM: 8170.25 MB
Available physical RAM: 7353.54 MB
Total Pagefile: 8168.45 MB
Available Pagefile: 7348.32 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:111.69 GB) (Free:9.01 GB) NTFS (Disk=1 Partition=2)
Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS (Disk=1 Partition=1) ==>[system with boot components (obtained from reading drive)]
Drive k: (HITMANPRO) (Removable) (Total:0.99 GB) (Free:0.98 GB) FAT32 (Disk=6 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (New Volume) (Fixed) (Total:465.76 GB) (Free:39.98 GB) NTFS (Disk=0 Partition=1)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 79805B9F)
Partition 1: (Not Active) - (Size=466 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 112 GB) (Disk ID: A2E57A08)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=112 GB) - (Type=07 NTFS)

========================================================
Disk: 6 (Size: 1016 MB) (Disk ID: 095338DE)
Partition 1: (Active) - (Size=1012 MB) - (Type=0B)

LastRegBack: 2013-07-08 04:36

==================== End Of Log ============================

Maniac · July 13, 2013

Hello Delak606 and :welcome: ! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
Make sure you read all of the instructions and fixes thoroughly before continuing with them.
Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

I'm afraid I have bad news.

One or more of the identified infections is a rootkit. Rootkits are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

I suggest you disconnect this computer from the Internet immediately you finish reading this post.

If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted.

Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.

Visit the following sites for more information on Internet theft and when to reformat!

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before making a final decision, please feel free to ask.

Instructions how to format and reinstall Windows can be found here

Delak606 · July 13, 2013

Hello Borislav,

I really didn't want to spend my saturday with a reinstall, however if you feel that is the best course of action I will do that.

What steps can I take to prevent something like from happening in the first place?

Thank you

Delak

Maniac · July 13, 2013

Okay, I'm going to help you.

To prevent malware, take a look here:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste). Save it on the flashdrive as fixlist.txt

HKLM-x32\...\Winlogon: [shell] C:\PROGRA~3\olhodg.bat [x ] () <=== ATTENTION
HKU\Costas\...\Run: [qcgce2mrvjq91kk1e7pnbb19m52fx] - C:\Users\Costas\AppData\Local\Temp\bwqcdmjxeyfldleqpjx.bfg [48128 2013-07-12] (NVIDIA Corporation) <===== ATTENTION
HKU\Costas\...\Winlogon: [shell] cmd.exe [345088 2010-11-20] (Microsoft Corporation) <==== ATTENTION
HKU\Costas\...\Command Processor: "C:\Users\Costas\AppData\Local\Temp\bwqcdmjxeyfldleqpjx.bfg" <===== ATTENTION!
Startup: C:\Users\Costas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk
ShortcutTarget: msconfig.lnk -> C:\PROGRA~3\gdohlo.dat (No File)
2013-07-12 17:33 - 2013-07-12 17:33 - 01097635 _____ C:\Users\Costas\AppData\Roaming\2433f433
2013-07-12 17:33 - 2013-07-12 17:33 - 01097632 _____ C:\Users\All Users\2433f433
2013-07-12 17:33 - 2013-07-12 17:33 - 01097589 _____ C:\Users\Costas\AppData\Local\2433f433
C:\Windows\Installer\{15c4e049-d890-4da1-ded4-ab5ea9791b49}
C:\Users\Costas\AppData\Local\{15c4e049-d890-4da1-ded4-ab5ea9791b49}
C:\ProgramData\olhodg.bat
C:\ProgramData\olhodg.pad
C:\ProgramData\olhodg.reg

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot Normally.

Delak606 · July 13, 2013

Hello Borislav,

Thank you for assisting me. This is good as I can't seem to find my Win 7 disc (I know what I will be done today no matter what, searching for that disc )

Okay I run FRST64 with the fixlist you have posted, below is the Fixlog

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-07-2013 02
Ran by SYSTEM at 2013-07-13 06:41:15 Run:1
Running from K:\
Boot Mode: Recovery
==============================================

HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.
HKU\Costas\Software\Microsoft\Windows\CurrentVersion\Run\\qcgce2mrvjq91kk1e7pnbb19m52fx => Value deleted successfully.
HKU\Costas\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKU\Costas\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
C:\Users\Costas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msconfig.lnk => Moved successfully.
C:\PROGRA~3\gdohlo.dat not found.
C:\Users\Costas\AppData\Roaming\2433f433 => Moved successfully.
C:\Users\All Users\2433f433 => Moved successfully.
C:\Users\Costas\AppData\Local\2433f433 => Moved successfully.
C:\Windows\Installer\{15c4e049-d890-4da1-ded4-ab5ea9791b49} => Moved successfully.
C:\Users\Costas\AppData\Local\{15c4e049-d890-4da1-ded4-ab5ea9791b49} => Moved successfully.
C:\ProgramData\olhodg.bat => Moved successfully.
C:\ProgramData\olhodg.pad => Moved successfully.
C:\ProgramData\olhodg.reg => Moved successfully.

==== End of Fixlog ====

Maniac · July 13, 2013

Do you have access to Normal mode?

Delak606 · July 13, 2013

Sorry, Yes I do.

Maniac · July 13, 2013

Please follow the instructions here and then post the log files in your next reply.

http://forums.malwarebytes.org/index.php?showtopic=9573

Delak606 · July 13, 2013

Here is the Malware Log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.13.03

Windows 7 Service Pack 1 x64 FAT32
Internet Explorer 10.0.9200.16635
Costas :: COSTAS-PC [administrator]

7/13/2013 6:54:54 AM
MBAM-log-2013-07-13 (06-57-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 275463
Time elapsed: 1 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Costas\AppData\Local\Temp\bwqcdmjxeyfldleqpjx.bfg (Trojan.Ransom) -> No action taken.
C:\Users\Costas\Templates\2433f433 (Trojan.Agent.TPL) -> No action taken.

(end)

Here is the DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635 BrowserJavaVersion: 10.15.2
Run by Costas at 6:58:56 on 2013-07-13
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8170.6764 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Logitech Gaming Software\LCore.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.

uURLSearchHooks: {656461ef-40f6-4115-9ff1-bced9812ccbb} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Evernote extension: {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [steam] "G:\Installed Games\SteamLibrary\Steam\steam.exe" -silent
uRun: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [THX TruStudio NB Settings] "C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe" /r
mRun: [updReg] C:\Windows\UpdReg.EXE
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Costas\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Clip Image - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4
IE: Clip selection - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3
IE: Clip this page - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1
IE: Clip URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
IE: E&xport to Microsoft Excel - G:\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: New Note - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{51450B21-4E78-4733-9CEA-1629CA123CF6} : NameServer = 209.18.47.61,209.18.47.62
TCP: Interfaces\{51450B21-4E78-4733-9CEA-1629CA123CF6} : DHCPNameServer = 209.18.47.61 209.18.47.62
x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [THXCfg64] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\THXCfg64.dll,RunDLLEntry THXCfg64
x64-Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
x64-Run: [Launch LCore] C:\Program Files\Logitech Gaming Software\LCore.exe /minimized
x64-Run: [Nvtmru] "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.

.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Costas\AppData\Roaming\Mozilla\Firefox\Profiles\y1tzp8kc.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\OnLive\Plugin\npolgdet.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Users\Costas\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mv91xx;mv91xx;C:\Windows\System32\drivers\mv91xx.sys [2010-9-30 302120]
R1 AsrAppCharger;AsrAppCharger;C:\Windows\System32\drivers\AsrAppCharger.sys [2012-1-5 15368]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-3-1 283200]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-5-12 413472]
R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\System32\drivers\EtronHub3.sys [2011-2-8 39936]
R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\System32\drivers\EtronXHCI.sys [2011-2-8 64512]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\System32\drivers\LGBusEnum.sys [2009-11-23 22408]
R3 LGSHidFilt;Logitech Gaming KMDF HID Filter Driver;C:\Windows\System32\drivers\LGSHidFilt.Sys [2011-10-24 66328]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\System32\drivers\LGVirHid.sys [2009-11-23 16008]
R3 MBfilt;MBfilt;C:\Windows\System32\drivers\MBfilt64.sys [2012-1-5 32344]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-1-5 471144]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-6-28 1153368]
S3 BEService;BattlEye Service;C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [2013-3-14 49152]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-1-5 1255736]
.
=============== Created Last 30 ================
.
2013-07-13 14:14:26   --------   d-----w-   C:\FRST
2013-07-12 14:29:11   9552976   ----a-w-   C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{59FDF844-C064-4B0D-9580-937C84686320}\mpengine.dll
2013-07-11 07:19:42   9216   ----a-w-   C:\Program Files (x86)\Windows Defender\MpAsDesc.dll
2013-07-08 12:03:51   92056   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\webapprt-stub.exe
2013-06-16 10:21:35   925648   ----a-w-   C:\Windows\SysWow64\nvumdshim.dll
.
==================== Find3M ====================
.
2013-06-12 06:07:10   71048   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 06:07:10   692104   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
2013-06-11 23:43:37   1767936   ----a-w-   C:\Windows\SysWow64\wininet.dll
2013-06-11 23:43:00   2877440   ----a-w-   C:\Windows\SysWow64\jscript9.dll
2013-06-11 23:42:58   61440   ----a-w-   C:\Windows\SysWow64\iesetup.dll
2013-06-11 23:42:58   109056   ----a-w-   C:\Windows\SysWow64\iesysprep.dll
2013-06-11 23:26:20   2241024   ----a-w-   C:\Windows\System32\wininet.dll
2013-06-11 23:25:16   3958784   ----a-w-   C:\Windows\System32\jscript9.dll
2013-06-11 23:25:13   67072   ----a-w-   C:\Windows\System32\iesetup.dll
2013-06-11 23:25:13   136704   ----a-w-   C:\Windows\System32\iesysprep.dll
2013-06-11 22:51:45   71680   ----a-w-   C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-06-11 22:50:58   89600   ----a-w-   C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-07 03:22:18   2706432   ----a-w-   C:\Windows\System32\mshtml.tlb
2013-06-07 02:37:52   2706432   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2013-06-05 03:34:27   3153920   ----a-w-   C:\Windows\System32\win32k.sys
2013-06-04 06:00:13   624128   ----a-w-   C:\Windows\System32\qedit.dll
2013-06-04 04:53:07   509440   ----a-w-   C:\Windows\SysWow64\qedit.dll
2013-05-13 05:51:01   184320   ----a-w-   C:\Windows\System32\cryptsvc.dll
2013-05-13 05:51:00   1464320   ----a-w-   C:\Windows\System32\crypt32.dll
2013-05-13 05:51:00   139776   ----a-w-   C:\Windows\System32\cryptnet.dll
2013-05-13 05:50:40   52224   ----a-w-   C:\Windows\System32\certenc.dll
2013-05-13 04:45:55   140288   ----a-w-   C:\Windows\SysWow64\cryptsvc.dll
2013-05-13 04:45:55   1160192   ----a-w-   C:\Windows\SysWow64\crypt32.dll
2013-05-13 04:45:55   103936   ----a-w-   C:\Windows\SysWow64\cryptnet.dll
2013-05-13 03:43:55   1192448   ----a-w-   C:\Windows\System32\certutil.exe
2013-05-13 03:08:10   903168   ----a-w-   C:\Windows\SysWow64\certutil.exe
2013-05-13 03:08:06   43008   ----a-w-   C:\Windows\SysWow64\certenc.dll
2013-05-12 20:34:14   6491936   ----a-w-   C:\Windows\System32\nvcpl.dll
2013-05-12 20:34:14   3514656   ----a-w-   C:\Windows\System32\nvsvc64.dll
2013-05-12 20:34:12   884512   ----a-w-   C:\Windows\System32\nvvsvc.exe
2013-05-12 20:34:12   63776   ----a-w-   C:\Windows\System32\nvshext.dll
2013-05-12 20:34:11   237856   ----a-w-   C:\Windows\System32\nvmctray.dll
2013-05-12 19:43:36   566048   ----a-w-   C:\Windows\SysWow64\nvStreaming.exe
2013-05-10 05:49:27   30720   ----a-w-   C:\Windows\System32\cryptdlg.dll
2013-05-10 03:20:54   24576   ----a-w-   C:\Windows\SysWow64\cryptdlg.dll
2013-05-08 14:13:10   3165737   ----a-w-   C:\Windows\System32\nvcoproc.bin
2013-05-08 06:39:01   1910632   ----a-w-   C:\Windows\System32\drivers\tcpip.sys
2013-05-06 06:03:49   1887744   ----a-w-   C:\Windows\System32\WMVDECOD.DLL
2013-05-06 04:56:35   1620480   ----a-w-   C:\Windows\SysWow64\WMVDECOD.DLL
2013-05-02 06:06:08   278800   ------w-   C:\Windows\System32\MpSigStub.exe
2013-04-26 05:51:36   751104   ----a-w-   C:\Windows\System32\win32spl.dll
2013-04-26 04:55:21   492544   ----a-w-   C:\Windows\SysWow64\win32spl.dll
2013-04-25 23:30:32   1505280   ----a-w-   C:\Windows\SysWow64\d3d11.dll
2013-04-17 07:02:06   1230336   ----a-w-   C:\Windows\SysWow64\WindowsCodecs.dll
2013-04-17 06:24:46   1424384   ----a-w-   C:\Windows\System32\WindowsCodecs.dll
.
============= FINISH: 6:59:03.01 ===============

Here is the Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 1/5/2012 10:02:02 PM
System Uptime: 7/13/2013 6:42:42 AM (0 hours ago)
.
Motherboard: ASRock | | P67 Extreme4 Gen3
Processor: Intel® Core i5-2500K CPU @ 3.30GHz | CPUSocket | 3301/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 112 GiB total, 8.994 GiB free.
D: is CDROM ()
E: is Removable
F: is CDROM (UDF)
G: is FIXED (NTFS) - 466 GiB total, 39.984 GiB free.
H: is Removable
I: is Removable
J: is Removable
K: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP234: 7/12/2013 3:00:11 AM - Windows Update
RP235: 7/12/2013 8:03:18 AM - Installed DirectX
.
==== Installed Programs ======================
.
7-Zip 9.20 (x64 edition)
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9
applicationupdater
Arma 2
ARMA 2 Army of The Czech Republic - Data cache removal
Arma 2: British Armed Forces
ARMA 2: British Armed Forces - Data cache removal
Arma 2: DayZ Mod
Arma 2: Operation Arrowhead
Arma 2: Operation Arrowhead Beta
Arma 2: Private Military Company
ARMA 2: Private Military Company - Data cache removal
ASRock App Charger v1.0.4
ASRock eXtreme Tuner v0.1.98
ASRock InstantBoot v1.26
Assassin's Creed
BattlEye for OA Uninstall
BattlEye Uninstall
BitTorrent
CCleaner
Compatibility Pack for the 2007 Office system
DAEMON Tools Lite
DayZ Commander
Disciples III
Don't Starve
Etron USB3.0 Host Controller
Evernote v. 4.6.6
EverQuest
EverQuest Titanium
GameFly
gamelauncher-ps2-live
Guild Wars 2
Intel® Management Engine Components
Java 7 Update 15
Java Auto Updater
Java 6 Update 33 (64-bit)
Kingdoms of Amalur: Reckoning
Logitech Gaming Software
Logitech Gaming Software 8.20
Mage Online Launcher version 1.40
Malwarebytes Anti-Malware version 1.75.0.1300
marvell 91xx driver
MechWarrior Online
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft IntelliType Pro 8.2
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Mount&Blade Warband
Mozilla Firefox 22.0 (x86 en-US)
Mozilla Maintenance Service
NCsoft Launcher
Neverwinter
Neverwinter Nights 2 Complete
NVIDIA 3D Vision Controller Driver 320.18
NVIDIA 3D Vision Driver 320.18
NVIDIA Control Panel 320.18
NVIDIA GeForce Experience 1.5
NVIDIA Graphics Driver 320.18
NVIDIA HD Audio Driver 1.3.24.2
NVIDIA Install Application
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.1031
NVIDIA Stereoscopic 3D Driver
NVIDIA Update 4.11.9
NVIDIA Update Components
OnLive
Origin
Pando Media Booster
PlanetSide 2
PrimoPDF -- brought to you by Nitro PDF Software
Realtek Ethernet Controller Driver
Realtek High Definition Audio Driver
RIFT
Salem
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Spybot - Search & Destroy
Star Trek Online
Star Wars Empire at War
Star Wars Empire at War Forces of Corruption
Star Wars: The Old Republic
Steam
Stronghold 2
Stronghold Crusader Extreme
Stronghold Legends
TeamSpeak 2 RC2
TeamSpeak 3 Client
The ClueFinders Math Ages 9-12
The Witcher 2: Assassins of Kings Enhanced Edition
THX TruStudio
Total War: SHOGUN 2
Typing Instructor for Kids
Unity Web Player
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2836939)
VLC media player 1.1.11
WinZip 16.0
Xfire (remove only)
Xiph.Org Open Codecs 0.85.17777
Zoombinis Logical Journey
.
==== Event Viewer Messages From Past Week ========
.
7/13/2013 6:50:32 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
7/13/2013 6:50:32 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
7/13/2013 6:42:52 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
7/13/2013 6:42:51 AM, Error: Service Control Manager [7003] - The SBSD Security Center Service service depends the following service: wscsvc. This service might not be installed.
7/12/2013 9:37:54 PM, Error: Microsoft-Windows-Directory-Services-SAM [12291] - SAM failed to start the TCP/IP or SPX/IPX listening thread
7/12/2013 9:37:44 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AsrAppCharger DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx Wanarpv6 WfpLwf ws2ifsl
7/12/2013 9:37:44 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/12/2013 9:37:44 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/12/2013 9:37:44 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
7/12/2013 9:37:44 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/12/2013 9:37:44 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
7/12/2013 9:37:44 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
7/12/2013 9:37:44 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/12/2013 9:37:44 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
7/12/2013 9:37:44 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/12/2013 9:37:44 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
7/12/2013 9:37:44 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
7/12/2013 9:36:29 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AsrAppCharger discache spldr Wanarpv6
7/12/2013 12:46:19 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
7/12/2013 12:46:19 PM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================

Maniac · July 13, 2013

Step 1

I see you are running Teatimer.

I suggest you to disable it because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you disabled Teatimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Step 2

Please uninstall this application: BitTorrent

Step 3

Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

Step 4

Please download AdwCleaner by Xplode onto your desktop.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[s1].txt as well.

Step 5

Download on the desktop RogueKiller
Quit all programs
Start RogueKiller.exe
Wait until Prescan has finished ...
Click on Scan. Click on Report and copy/paste the content of the notepad in your next reply.

In your next reply, post the following log files:

Junkware Removal Tool log
AdwCleaner log
RogueKiller log
a new fresh DDS log

Delak606 · July 13, 2013

Okay, I was unable to download the Resetteatimer.exe it gave me a bad url message. I did a quick search but everything came up with the same address. I hope this doesn't affect the results.

If you have another download link I will redo the above steps or new steps if given.

I ran through the above steps and here are my logs;

Junkware Removal Tool Log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.0.9 (07.12.2013:2)
OS: Windows 7 Home Premium x64
Ran by Costas on Sat 07/13/2013 at 17:07:02.91
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\conduit
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\crossrider
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\classes\Toolbar.CT3045275

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Costas\AppData\Roaming\opencandy"
Successfully deleted: [Folder] "C:\Users\Costas\appdata\local\conduit"
Successfully deleted: [Folder] "C:\Users\Costas\appdata\locallow\conduit"

~~~ FireFox

Successfully deleted the following from C:\Users\Costas\AppData\Roaming\mozilla\firefox\profiles\y1tzp8kc.default\prefs.js

user_pref("extensions.crossrider.bic", "13af5840e5f811d3e7c2adcb73f49cb7");
Emptied folder: C:\Users\Costas\AppData\Roaming\mozilla\firefox\profiles\y1tzp8kc.default\minidumps [19 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 07/13/2013 at 17:09:21.28
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AdwCleaner Log

# AdwCleaner v2.305 - Logfile created 07/13/2013 at 17:10:33
# Updated 11/07/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Costas - COSTAS-PC
# Boot Mode : Normal
# Running from : C:\Users\Costas\Desktop\AdwCleaner.exe
# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Folder Deleted : C:\ProgramData\DeviceVM
Folder Deleted : C:\Users\Costas\AppData\Roaming\DeviceVM

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKLM\Software\InstallIQ

***** [internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16635

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Users\Costas\AppData\Roaming\Mozilla\Firefox\Profiles\y1tzp8kc.default\prefs.js

[OK] File is clean.

File : C:\Users\Connor\AppData\Roaming\Mozilla\Firefox\Profiles\11o5zk04.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [1167 octets] - [13/07/2013 17:10:33]

########## EOF - C:\AdwCleaner[s1].txt - [1227 octets] ##########

RogueKiller Log

RogueKiller V8.6.2 _x64_ [Jul 2 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Costas [Admin rights]
Mode : Scan -- Date : 07/13/2013 17:13:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 13 ¤¤¤
[DNS] HKLM\[...]\CCSet\[...]\{51450B21-4E78-4733-9CEA-1629CA123CF6} : NameServer (209.18.47.61,209.18.47.62) -> FOUND
[DNS] HKLM\[...]\CS001\[...]\{51450B21-4E78-4733-9CEA-1629CA123CF6} : NameServer (209.18.47.61,209.18.47.62) -> FOUND
[DNS] HKLM\[...]\CS002\[...]\{51450B21-4E78-4733-9CEA-1629CA123CF6} : NameServer (209.18.47.61,209.18.47.62) -> FOUND
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000AAKX-221CA1 ATA Device +++++
--- User ---
[MBR] edd23ffc473a54b7ec1fa7ff1b4a307f
[bSP] 93e5e1da018231dca6c2fbce967636bf : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476937 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD5000AAKX-221CA1 ATA Device +++++
--- User ---
[MBR] 2e1d2966791c70909fa001df400a9cf3
[bSP] 1b82a33babd6b2dd9efc631c7ffb90cc : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 114371 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_07132013_171323.txt >>

Fresh DDS Log

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16635 BrowserJavaVersion: 10.15.2
Run by Costas at 17:17:49 on 2013-07-13
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8170.6866 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Logitech Gaming Software\LCore.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
G:\Installed Games\SteamLibrary\Steam\Steam.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.

uURLSearchHooks: {656461ef-40f6-4115-9ff1-bced9812ccbb} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Evernote extension: {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [steam] "G:\Installed Games\SteamLibrary\Steam\steam.exe" -silent
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [THX TruStudio NB Settings] "C:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe" /r
mRun: [updReg] C:\Windows\UpdReg.EXE
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Costas\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\EVERNO~1.LNK - C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Clip Image - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4
IE: Clip selection - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3
IE: Clip this page - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1
IE: Clip URL - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
IE: E&xport to Microsoft Excel - G:\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: New Note - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{51450B21-4E78-4733-9CEA-1629CA123CF6} : NameServer = 209.18.47.61,209.18.47.62
TCP: Interfaces\{51450B21-4E78-4733-9CEA-1629CA123CF6} : DHCPNameServer = 209.18.47.61 209.18.47.62
x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [THXCfg64] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\THXCfg64.dll,RunDLLEntry THXCfg64
x64-Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
x64-Run: [Launch LCore] C:\Program Files\Logitech Gaming Software\LCore.exe /minimized
x64-Run: [Nvtmru] "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.

.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Costas\AppData\Roaming\Mozilla\Firefox\Profiles\y1tzp8kc.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\OnLive\Plugin\npolgdet.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Users\Costas\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mv91xx;mv91xx;C:\Windows\System32\drivers\mv91xx.sys [2010-9-30 302120]
R1 AsrAppCharger;AsrAppCharger;C:\Windows\System32\drivers\AsrAppCharger.sys [2012-1-5 15368]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-3-1 283200]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-5-12 413472]
R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\System32\drivers\EtronHub3.sys [2011-2-8 39936]
R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\System32\drivers\EtronXHCI.sys [2011-2-8 64512]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\System32\drivers\LGBusEnum.sys [2009-11-23 22408]
R3 LGSHidFilt;Logitech Gaming KMDF HID Filter Driver;C:\Windows\System32\drivers\LGSHidFilt.Sys [2011-10-24 66328]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\System32\drivers\LGVirHid.sys [2009-11-23 16008]
R3 MBfilt;MBfilt;C:\Windows\System32\drivers\MBfilt64.sys [2012-1-5 32344]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-1-5 471144]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-6-28 1153368]
S3 BEService;BattlEye Service;C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [2013-3-14 49152]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-1-5 1255736]
.
=============== Created Last 30 ================
.
2013-07-13 21:07:02   --------   d-----w-   C:\Windows\ERUNT
2013-07-13 14:14:26   --------   d-----w-   C:\FRST
2013-07-12 14:29:11   9552976   ----a-w-   C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{59FDF844-C064-4B0D-9580-937C84686320}\mpengine.dll
2013-07-11 07:19:42   9216   ----a-w-   C:\Program Files (x86)\Windows Defender\MpAsDesc.dll
2013-07-08 12:03:51   92056   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\webapprt-stub.exe
2013-06-16 10:21:35   925648   ----a-w-   C:\Windows\SysWow64\nvumdshim.dll
.
==================== Find3M ====================
.
2013-06-12 06:07:10   71048   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 06:07:10   692104   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
2013-06-11 23:43:37   1767936   ----a-w-   C:\Windows\SysWow64\wininet.dll
2013-06-11 23:43:00   2877440   ----a-w-   C:\Windows\SysWow64\jscript9.dll
2013-06-11 23:42:58   61440   ----a-w-   C:\Windows\SysWow64\iesetup.dll
2013-06-11 23:42:58   109056   ----a-w-   C:\Windows\SysWow64\iesysprep.dll
2013-06-11 23:26:20   2241024   ----a-w-   C:\Windows\System32\wininet.dll
2013-06-11 23:25:16   3958784   ----a-w-   C:\Windows\System32\jscript9.dll
2013-06-11 23:25:13   67072   ----a-w-   C:\Windows\System32\iesetup.dll
2013-06-11 23:25:13   136704   ----a-w-   C:\Windows\System32\iesysprep.dll
2013-06-11 22:51:45   71680   ----a-w-   C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-06-11 22:50:58   89600   ----a-w-   C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-07 03:22:18   2706432   ----a-w-   C:\Windows\System32\mshtml.tlb
2013-06-07 02:37:52   2706432   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2013-06-05 03:34:27   3153920   ----a-w-   C:\Windows\System32\win32k.sys
2013-06-04 06:00:13   624128   ----a-w-   C:\Windows\System32\qedit.dll
2013-06-04 04:53:07   509440   ----a-w-   C:\Windows\SysWow64\qedit.dll
2013-05-13 05:51:01   184320   ----a-w-   C:\Windows\System32\cryptsvc.dll
2013-05-13 05:51:00   1464320   ----a-w-   C:\Windows\System32\crypt32.dll
2013-05-13 05:51:00   139776   ----a-w-   C:\Windows\System32\cryptnet.dll
2013-05-13 05:50:40   52224   ----a-w-   C:\Windows\System32\certenc.dll
2013-05-13 04:45:55   140288   ----a-w-   C:\Windows\SysWow64\cryptsvc.dll
2013-05-13 04:45:55   1160192   ----a-w-   C:\Windows\SysWow64\crypt32.dll
2013-05-13 04:45:55   103936   ----a-w-   C:\Windows\SysWow64\cryptnet.dll
2013-05-13 03:43:55   1192448   ----a-w-   C:\Windows\System32\certutil.exe
2013-05-13 03:08:10   903168   ----a-w-   C:\Windows\SysWow64\certutil.exe
2013-05-13 03:08:06   43008   ----a-w-   C:\Windows\SysWow64\certenc.dll
2013-05-12 20:34:14   6491936   ----a-w-   C:\Windows\System32\nvcpl.dll
2013-05-12 20:34:14   3514656   ----a-w-   C:\Windows\System32\nvsvc64.dll
2013-05-12 20:34:12   884512   ----a-w-   C:\Windows\System32\nvvsvc.exe
2013-05-12 20:34:12   63776   ----a-w-   C:\Windows\System32\nvshext.dll
2013-05-12 20:34:11   237856   ----a-w-   C:\Windows\System32\nvmctray.dll
2013-05-12 19:43:36   566048   ----a-w-   C:\Windows\SysWow64\nvStreaming.exe
2013-05-10 05:49:27   30720   ----a-w-   C:\Windows\System32\cryptdlg.dll
2013-05-10 03:20:54   24576   ----a-w-   C:\Windows\SysWow64\cryptdlg.dll
2013-05-08 14:13:10   3165737   ----a-w-   C:\Windows\System32\nvcoproc.bin
2013-05-08 06:39:01   1910632   ----a-w-   C:\Windows\System32\drivers\tcpip.sys
2013-05-06 06:03:49   1887744   ----a-w-   C:\Windows\System32\WMVDECOD.DLL
2013-05-06 04:56:35   1620480   ----a-w-   C:\Windows\SysWow64\WMVDECOD.DLL
2013-05-02 06:06:08   278800   ------w-   C:\Windows\System32\MpSigStub.exe
2013-04-26 05:51:36   751104   ----a-w-   C:\Windows\System32\win32spl.dll
2013-04-26 04:55:21   492544   ----a-w-   C:\Windows\SysWow64\win32spl.dll
2013-04-25 23:30:32   1505280   ----a-w-   C:\Windows\SysWow64\d3d11.dll
2013-04-17 07:02:06   1230336   ----a-w-   C:\Windows\SysWow64\WindowsCodecs.dll
2013-04-17 06:24:46   1424384   ----a-w-   C:\Windows\System32\WindowsCodecs.dll
.
============= FINISH: 17:17:56.94 ===============

Again thank you for taking the time to help with make sure that my system is clean.

Delak

Maniac · July 13, 2013

It is okay, Delak. Well done!

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Delak606 · July 13, 2013

Okay, here is the ComboFix Log

ComboFix 13-07-13.01 - Costas 07/13/2013 18:34:08.2.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8170.6793 [GMT -4:00]
Running from: c:\users\Costas\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Costas\AppData\Local\assembly\tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-13 to 2013-07-13 )))))))))))))))))))))))))))))))
.
.
2013-07-13 22:36 . 2013-07-13 22:37   --------   d-----w-   c:\users\UpdatusUser\AppData\Local\temp
2013-07-13 22:36 . 2013-07-13 22:36   --------   d-----w-   c:\users\Public\AppData\Local\temp
2013-07-13 22:36 . 2013-07-13 22:36   --------   d-----w-   c:\users\Default\AppData\Local\temp
2013-07-13 22:36 . 2013-07-13 22:36   --------   d-----w-   c:\users\Connor\AppData\Local\temp
2013-07-13 21:07 . 2013-07-13 21:07   --------   d-----w-   c:\windows\ERUNT
2013-07-13 14:14 . 2013-07-13 14:14   --------   d-----w-   C:\FRST
2013-07-12 14:29 . 2013-06-12 03:08   9552976   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{59FDF844-C064-4B0D-9580-937C84686320}\mpengine.dll
2013-07-11 07:19 . 2013-06-04 06:00   624128   ----a-w-   c:\windows\system32\qedit.dll
2013-06-20 16:43 . 2013-07-12 16:44   --------   d-----w-   c:\users\Connor\AppData\Roaming\.technic
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-12 07:03 . 2012-01-06 03:29   78185248   ----a-w-   c:\windows\system32\MRT.exe
2013-06-12 06:07 . 2012-04-11 11:29   692104   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2013-06-12 06:07 . 2012-01-06 13:19   71048   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-05-13 05:51 . 2013-06-11 23:10   184320   ----a-w-   c:\windows\system32\cryptsvc.dll
2013-05-13 05:51 . 2013-06-11 23:10   1464320   ----a-w-   c:\windows\system32\crypt32.dll
2013-05-13 05:51 . 2013-06-11 23:10   139776   ----a-w-   c:\windows\system32\cryptnet.dll
2013-05-13 05:50 . 2013-06-11 23:10   52224   ----a-w-   c:\windows\system32\certenc.dll
2013-05-13 04:45 . 2013-06-11 23:10   140288   ----a-w-   c:\windows\SysWow64\cryptsvc.dll
2013-05-13 04:45 . 2013-06-11 23:10   1160192   ----a-w-   c:\windows\SysWow64\crypt32.dll
2013-05-13 04:45 . 2013-06-11 23:10   103936   ----a-w-   c:\windows\SysWow64\cryptnet.dll
2013-05-13 03:43 . 2013-06-11 23:10   1192448   ----a-w-   c:\windows\system32\certutil.exe
2013-05-13 03:08 . 2013-06-11 23:10   903168   ----a-w-   c:\windows\SysWow64\certutil.exe
2013-05-13 03:08 . 2013-06-11 23:10   43008   ----a-w-   c:\windows\SysWow64\certenc.dll
2013-05-12 21:42 . 2012-10-11 02:22   2597344   ----a-w-   c:\windows\SysWow64\nvapi.dll
2013-05-12 21:42 . 2012-10-11 02:22   12426216   ----a-w-   c:\windows\SysWow64\nvd3dum.dll
2013-05-12 21:42 . 2012-06-10 23:12   1059560   ----a-w-   c:\windows\system32\nvumdshimx.dll
2013-05-12 21:42 . 2012-01-06 03:18   15910736   ----a-w-   c:\windows\system32\nvwgf2umx.dll
2013-05-12 21:42 . 2012-01-06 03:18   27775776   ----a-w-   c:\windows\system32\nvoglv64.dll
2013-05-12 21:42 . 2012-01-06 03:18   2935696   ----a-w-   c:\windows\system32\nvapi64.dll
2013-05-12 20:34 . 2012-01-06 03:18   6491936   ----a-w-   c:\windows\system32\nvcpl.dll
2013-05-12 20:34 . 2012-01-06 03:18   3514656   ----a-w-   c:\windows\system32\nvsvc64.dll
2013-05-12 20:34 . 2012-01-06 03:18   884512   ----a-w-   c:\windows\system32\nvvsvc.exe
2013-05-12 20:34 . 2012-01-06 03:18   63776   ----a-w-   c:\windows\system32\nvshext.dll
2013-05-12 20:34 . 2012-01-06 03:18   237856   ----a-w-   c:\windows\system32\nvmctray.dll
2013-05-12 19:43 . 2013-05-12 19:43   566048   ----a-w-   c:\windows\SysWow64\nvStreaming.exe
2013-05-10 05:49 . 2013-06-11 23:10   30720   ----a-w-   c:\windows\system32\cryptdlg.dll
2013-05-10 03:20 . 2013-06-11 23:10   24576   ----a-w-   c:\windows\SysWow64\cryptdlg.dll
2013-05-08 14:13 . 2012-06-10 23:12   3165737   ----a-w-   c:\windows\system32\nvcoproc.bin
2013-05-08 06:39 . 2013-06-11 23:10   1910632   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2013-05-02 06:06 . 2010-11-21 03:27   278800   ------w-   c:\windows\system32\MpSigStub.exe
2013-04-30 07:20 . 2013-04-30 07:20   1054720   ----a-w-   c:\windows\system32\MsSpellCheckingFacility.exe
2013-04-30 07:20 . 2013-04-30 07:20   97280   ----a-w-   c:\windows\system32\mshtmled.dll
2013-04-30 07:20 . 2013-04-30 07:20   92160   ----a-w-   c:\windows\system32\SetIEInstalledDate.exe
2013-04-30 07:20 . 2013-04-30 07:20   905728   ----a-w-   c:\windows\system32\mshtmlmedia.dll
2013-04-30 07:20 . 2013-04-30 07:20   81408   ----a-w-   c:\windows\system32\icardie.dll
2013-04-30 07:20 . 2013-04-30 07:20   77312   ----a-w-   c:\windows\system32\tdc.ocx
2013-04-30 07:20 . 2013-04-30 07:20   762368   ----a-w-   c:\windows\system32\ieapfltr.dll
2013-04-30 07:20 . 2013-04-30 07:20   73728   ----a-w-   c:\windows\SysWow64\SetIEInstalledDate.exe
2013-04-30 07:20 . 2013-04-30 07:20   719360   ----a-w-   c:\windows\SysWow64\mshtmlmedia.dll
2013-04-30 07:20 . 2013-04-30 07:20   62976   ----a-w-   c:\windows\system32\pngfilt.dll
2013-04-30 07:20 . 2013-04-30 07:20   61952   ----a-w-   c:\windows\SysWow64\tdc.ocx
2013-04-30 07:20 . 2013-04-30 07:20   599552   ----a-w-   c:\windows\system32\vbscript.dll
2013-04-30 07:20 . 2013-04-30 07:20   523264   ----a-w-   c:\windows\SysWow64\vbscript.dll
2013-04-30 07:20 . 2013-04-30 07:20   52224   ----a-w-   c:\windows\system32\msfeedsbs.dll
2013-04-30 07:20 . 2013-04-30 07:20   51200   ----a-w-   c:\windows\system32\imgutil.dll
2013-04-30 07:20 . 2013-04-30 07:20   48640   ----a-w-   c:\windows\SysWow64\mshtmler.dll
2013-04-30 07:20 . 2013-04-30 07:20   48640   ----a-w-   c:\windows\system32\mshtmler.dll
2013-04-30 07:20 . 2013-04-30 07:20   452096   ----a-w-   c:\windows\system32\dxtmsft.dll
2013-04-30 07:20 . 2013-04-30 07:20   441856   ----a-w-   c:\windows\system32\html.iec
2013-04-30 07:20 . 2013-04-30 07:20   38400   ----a-w-   c:\windows\SysWow64\imgutil.dll
2013-04-30 07:20 . 2013-04-30 07:20   361984   ----a-w-   c:\windows\SysWow64\html.iec
2013-04-30 07:20 . 2013-04-30 07:20   281600   ----a-w-   c:\windows\system32\dxtrans.dll
2013-04-30 07:20 . 2013-04-30 07:20   27648   ----a-w-   c:\windows\system32\licmgr10.dll
2013-04-30 07:20 . 2013-04-30 07:20   270848   ----a-w-   c:\windows\system32\iedkcs32.dll
2013-04-30 07:20 . 2013-04-30 07:20   247296   ----a-w-   c:\windows\system32\webcheck.dll
2013-04-30 07:20 . 2013-04-30 07:20   235008   ----a-w-   c:\windows\system32\url.dll
2013-04-30 07:20 . 2013-04-30 07:20   23040   ----a-w-   c:\windows\SysWow64\licmgr10.dll
2013-04-30 07:20 . 2013-04-30 07:20   226304   ----a-w-   c:\windows\system32\elshyph.dll
2013-04-30 07:20 . 2013-04-30 07:20   216064   ----a-w-   c:\windows\system32\msls31.dll
2013-04-30 07:20 . 2013-04-30 07:20   197120   ----a-w-   c:\windows\system32\msrating.dll
2013-04-30 07:20 . 2013-04-30 07:20   185344   ----a-w-   c:\windows\SysWow64\elshyph.dll
2013-04-30 07:20 . 2013-04-30 07:20   173568   ----a-w-   c:\windows\system32\ieUnatt.exe
2013-04-30 07:20 . 2013-04-30 07:20   167424   ----a-w-   c:\windows\system32\iexpress.exe
2013-04-30 07:20 . 2013-04-30 07:20   158720   ----a-w-   c:\windows\SysWow64\msls31.dll
2013-04-30 07:20 . 2013-04-30 07:20   1509376   ----a-w-   c:\windows\system32\inetcpl.cpl
2013-04-30 07:20 . 2013-04-30 07:20   150528   ----a-w-   c:\windows\SysWow64\iexpress.exe
2013-04-30 07:20 . 2013-04-30 07:20   149504   ----a-w-   c:\windows\system32\occache.dll
2013-04-30 07:20 . 2013-04-30 07:20   144896   ----a-w-   c:\windows\system32\wextract.exe
2013-04-30 07:20 . 2013-04-30 07:20   1441280   ----a-w-   c:\windows\SysWow64\inetcpl.cpl
2013-04-30 07:20 . 2013-04-30 07:20   1400416   ----a-w-   c:\windows\system32\ieapfltr.dat
2013-04-30 07:20 . 2013-04-30 07:20   138752   ----a-w-   c:\windows\SysWow64\wextract.exe
2013-04-30 07:20 . 2013-04-30 07:20   13824   ----a-w-   c:\windows\system32\mshta.exe
2013-04-30 07:20 . 2013-04-30 07:20   137216   ----a-w-   c:\windows\SysWow64\ieUnatt.exe
2013-04-30 07:20 . 2013-04-30 07:20   136192   ----a-w-   c:\windows\system32\iepeers.dll
2013-04-30 07:20 . 2013-04-30 07:20   135680   ----a-w-   c:\windows\system32\IEAdvpack.dll
2013-04-30 07:20 . 2013-04-30 07:20   12800   ----a-w-   c:\windows\SysWow64\mshta.exe
2013-04-30 07:20 . 2013-04-30 07:20   12800   ----a-w-   c:\windows\system32\msfeedssync.exe
2013-04-30 07:20 . 2013-04-30 07:20   110592   ----a-w-   c:\windows\SysWow64\IEAdvpack.dll
2013-04-30 07:20 . 2013-04-30 07:20   102912   ----a-w-   c:\windows\system32\inseng.dll
2013-04-26 05:51 . 2013-06-11 23:10   751104   ----a-w-   c:\windows\system32\win32spl.dll
2013-04-26 04:55 . 2013-06-11 23:10   492544   ----a-w-   c:\windows\SysWow64\win32spl.dll
2013-04-25 23:30 . 2013-06-11 23:10   1505280   ----a-w-   c:\windows\SysWow64\d3d11.dll
2013-04-17 07:02 . 2013-06-11 23:10   1230336   ----a-w-   c:\windows\SysWow64\WindowsCodecs.dll
2013-04-17 06:24 . 2013-06-11 23:10   1424384   ----a-w-   c:\windows\system32\WindowsCodecs.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="g:\installed games\SteamLibrary\Steam\steam.exe" [2013-07-10 1672616]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [bU]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2012-08-28 3671904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"THX TruStudio NB Settings"="c:\program files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe" [2011-05-19 909824]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\Costas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2013-5-22 1089888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 BEService;BattlEye Service;c:\program files (x86)\Common Files\BattlEye\BEService.exe;c:\program files (x86)\Common Files\BattlEye\BEService.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 mv91xx;mv91xx;c:\windows\system32\DRIVERS\mv91xx.sys;c:\windows\SYSNATIVE\DRIVERS\mv91xx.sys [x]
S1 AsrAppCharger;AsrAppCharger;c:\windows\system32\DRIVERS\AsrAppCharger.sys;c:\windows\SYSNATIVE\DRIVERS\AsrAppCharger.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys;c:\windows\SYSNATIVE\Drivers\EtronHub3.sys [x]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys;c:\windows\SYSNATIVE\Drivers\EtronXHCI.sys [x]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys;c:\windows\SYSNATIVE\drivers\LGBusEnum.sys [x]
S3 LGSHidFilt;Logitech Gaming KMDF HID Filter Driver;c:\windows\system32\DRIVERS\LGSHidFilt.Sys;c:\windows\SYSNATIVE\DRIVERS\LGSHidFilt.Sys [x]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys;c:\windows\SYSNATIVE\drivers\LGVirHid.sys [x]
S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys;c:\windows\SYSNATIVE\drivers\MBfilt64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 06:07]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-05-18 11855976]
"THXCfg64"="c:\windows\system32\THXCfg64.dll" [2011-05-13 26624]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2011-12-07 5889816]
"Nvtmru"="c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-05-16 1012000]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Clip Image - c:\program files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4
IE: Clip selection - c:\program files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3
IE: Clip this page - c:\program files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1
IE: Clip URL - c:\program files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
IE: E&xport to Microsoft Excel - g:\micros~1\OFFICE11\EXCEL.EXE/3000
IE: New Note - c:\program files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{51450B21-4E78-4733-9CEA-1629CA123CF6}: NameServer = 209.18.47.61,209.18.47.62
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Costas\AppData\Roaming\Mozilla\Firefox\Profiles\y1tzp8kc.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{656461ef-40f6-4115-9ff1-bced9812ccbb} - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
WebBrowser-{656461EF-40F6-4115-9FF1-BCED9812CCBB} - (no file)
AddRemove-BattlEye for A2 - g:\installed games\SteamLibrary\Steam\steamapps\common\Arma 2BattlEye\UnInstallBE.exe
AddRemove-{B3D87264-EAC9-4DE8-8D0E-E758CA1413A0}_is1 - e:\installed games\Disciples III\unins000.exe
AddRemove-SOE-EverQuest - e:\installed games\Everquest\Uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_7_700_224.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2013-07-13 18:38:29 - machine was rebooted
ComboFix-quarantined-files.txt 2013-07-13 22:38
ComboFix2.txt 2012-06-29 19:27
.
Pre-Run: 9,981,059,072 bytes free
Post-Run: 10,608,226,304 bytes free
.
- - End Of File - - 248879925649B1B8FB6035688DE75EDF
A36C5E4F47E84449FF07ED3517B43A31

Maniac · July 13, 2013

Looks good. We are almost ready.

Please scan your machine with ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
  Save it to your Desktop.
- Double click on the to download the ESET Smart Installer. icon on your Desktop.
Check "YES, I accept the Terms of Use."
Click the Start button.
Accept any security warnings from your browser.
Under Scan Settings, check "Scan Archives" and "Remove found threats"
Click Advanced settings and select the following:
- Scan potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, click List Threats
Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Click the Back button.
Click the Finish button.

Delak606 · July 14, 2013

Here is the Threats List from the completed scan

C:\Users\All Users\olhodg.js   JS/Agent.NID trojan
C:\FRST\Quarantine\msconfig.lnk   Win32/Reveton.M trojan   cleaned by deleting - quarantined
C:\FRST\Quarantine\olhodg.bat   Win32/Reveton.M trojan   cleaned by deleting - quarantined
C:\ProgramData\olhodg.js   JS/Agent.NID trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{15c4e049-d890-4da1-ded4-ab5ea9791b49}\U\00000004.@.vir   Win64/Conedex.C trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{15c4e049-d890-4da1-ded4-ab5ea9791b49}\U\80000000.@.vir   Win64/Sirefef.AE trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{15c4e049-d890-4da1-ded4-ab5ea9791b49}\U\80000032.@.vir   a variant of Win32/Sirefef.FD trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\Installer\{15c4e049-d890-4da1-ded4-ab5ea9791b49}\U\80000064.@.vir   Win64/Sirefef.AN trojan   cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir   Win64/Patched.B.Gen trojan   deleted - quarantined
C:\Users\Costas\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\281c26ce-3f904016   multiple threats   cleaned by deleting - quarantined
C:\Users\Costas\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\7cd1aa4e-1ab3538c   Java/Exploit.Agent.NQR trojan   cleaned by deleting - quarantined
C:\Users\Costas\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\28a375ea-6726c074   a variant of Win32/Kryptik.BFSF trojan   deleted - quarantined
C:\Users\Costas\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\45\5f87866d-306fe3a9   multiple threats   cleaned by deleting - quarantined
C:\Users\Costas\Downloads\DTLite4451-0236.exe   Win32/OpenCandy application   cleaned by deleting - quarantined
C:\Users\Costas\Downloads\DTLite4453-0297.exe   Win32/OpenCandy application   cleaned by deleting - quarantined
C:\Users\Public\Documents\Star Wars Empire at War Gold Pack\daemon4123-lite.exe   Win32/Adware.Toolbar.Shopper application   cleaned by deleting - quarantined
G:\Downloads\cbsidlm-tr1_7-AVI_to_MP4_Converter-SEO2-10912245.exe   Win32/DownloadAdmin.D application   cleaned by deleting - quarantined
G:\Downloads\InternationalPrimoPDF.exe   Win32/OpenCandy application   cleaned by deleting - quarantined
G:\Downloads\WINDOWS XP KEYGEN+VALIDATION PACK.rar   multiple threats   deleted - quarantined
G:\Downloads\WINDOWS XP KEYGEN+VALIDATION PACK\keyfinder.exe   multiple threats   deleted - quarantined
G:\Downloads\WINDOWS XP KEYGEN+VALIDATION PACK\wga-fix.exe   Win32/HackHosts.AC application   cleaned by deleting - quarantined

Maniac · July 14, 2013

I would like one additional scan, because better safe than sorry.

Step 1

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java :

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, then click Remove JRE.
Run the built-in uninstallers for all copies of java listed
Click the Next button
Click the Next button again
Click the Java Manual Download link
A browser window will open with the Java download page
Click the Windows Offline (32-bit) or Windows Offline (64-bit) link to download Java (based on your browser type)
Run the installer
Close JavaRa

Step 2

Please download the Kaspersky Virus Removal Tool from here to your Desktop.

Double-click the Removal Tool.

Click the cog in the upper right corner:

Select down to and including your main drive.

Once done please select the Automatic Scan tab and press Start Scan.

Allow AVP to delete all infections found.

Once it has finished select the Report tab.

Select the Detected threats report from the left and press the Save button.

Save it to your Desktop and post the contents in your next reply.

Delak606 · July 14, 2013

No detected threats found, so I cannot past the report here.

Is there anything else you need me to run and/or do?

Delak

Maniac · July 14, 2013

Sounds great.

We have to cleanup this mess and that's all.

Step 1

Download OTC to your desktop and run it
Click Yes to beginning the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Step 2

Double click on AdwCleaner.exe to run the tool.
Click on Uninstall
Confirm with Yes

Step 3

Please uninstall ESET Online Scanner and manually delete Kaspersky AVP.

Step 4

Some malware prevention tips:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing!

Delak606 · July 14, 2013

All steps are done. Thank you Maniac for your help. Don't take this the wrong way but I hope I never have to talk to you again.

The Paypal donate, does that go straight to you and if so what is a customary amount?

Delak

Maniac · July 14, 2013

I completely understand, so I strongly suggest you look at the options and to take preventive measures in order not to end up back here.

Yes, the money comes directly to me, but the actual account is the name of my father. No specific amount, so as you decide, I'll be happy.

Delak606 · July 14, 2013

I am in the process of putting in place better preventive measures:

Windows Security Essentials
SpywareBlaster

Thank you again for all your help.

Delak

Maniac · July 14, 2013

You're welcome!

Good combination!

All the best!

Maurice Naggar · July 14, 2013

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

ICE Cyber Crimes Removal Help

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information