Need Help with Virus:Win64/Alureon.gen!A

NSCodeRed · November 11, 2013

I've been fighting with this thing the past few days and I know that if I don't do something soon it is probably going to get worse but I don't feel like taking my laptop somewhere unless I have to so any help I can get on here would be awesome!

Anyway, I have an Asus G74 that has been clean just until a few days ago when Microsoft Security Essentials picked up Virus:Win64/Alureon.gen!A. It's recommendation was of course to use their windows defender offline but I can't get my laptop to boot from any of the multiple usb's or the cd I made, and I have doubts as to whether it would work or not either.

I'm sure it would help if I zipped some log files on here but I don't really have any idea what or from where lol (I'm hardware savvy but not when it comes to software or the inner workings of windows. So I guess I need some help with even the first steps...

Psychotic · November 11, 2013

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with DDS

Download DDS and save it to your desktop from here or here or
here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs

DDS.txt: save to your desktop then post its contents in your topic
Attach.txt: save to your desktop then attach it to your next reply

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Show All ( should be unchecked by default )
[*]Leave everything else as it is. [*]Close all other running programs as well as your Browser. [*]Click the Scan button & wait for it to finish. [*]Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. [*]Save it where you can easily find it, such as your desktop. [*]Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

NSCodeRed · November 11, 2013

Thank you very much, I will do everything exactly as instructed.

NSCodeRed · November 11, 2013

I can't seem to figure out how to post the DDS.txt to my topic but here is the text from Gmer with the attach.txt from DDS attached.

GMER 2.1.19163 - http://www.gmer.net

Rootkit scan 2013-11-11 10:04:18

Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD75 rev.01.0 698.64GB

Running: 7qlg5su8.exe; Driver: C:\Users\Nick\AppData\Local\Temp\pxldqpoc.sys

---- Devices - GMER 2.1 ----

Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 fffffa800c7315e8

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800c7315e8]<< fffffa800c7315e8

Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800a811790] fffffa800a811790

Trace 3 CLASSPNP.SYS[fffff88001b9943f] -> nt!IofCallDriver -> [0xfffffa800a23a520] fffffa800a23a520

Trace 5 ACPI.sys[fffff88000f127a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800a239050] fffffa800a239050

Trace \Driver\iaStor[0xfffffa800a728b40] -> IRP_MJ_CREATE -> 0xfffffa800c7315e8 fffffa800c7315e8

---- Threads - GMER 2.1 ----

Thread C:\Windows\SysWOW64\regsvr32.exe [7004:6388] 000000006e3d2f10

Thread C:\Windows\SysWOW64\regsvr32.exe [7004:7132] 000000006e3d2f10

Thread C:\Windows\SysWOW64\regsvr32.exe [7004:2428] 000000006e3d2f10

Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [10160:10196] 0000000003ac2f10

Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [10160:10152] 0000000003ac2f10

Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [608:4956] 00000000034a2f10

Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [608:5852] 00000000034a2f10

Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [608:8288] 00000000034a2f10

Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [608:9916] 00000000034a2f10

Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [608:9016] 00000000034a2f10

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485d6021838a

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68846d15

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68846d15@fca13e3af15d 0x25 0x2F 0x5C 0x8F ...

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68846d15@fca13e9e093f 0x9D 0x4E 0x37 0x29 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68846d15@c819f70d1d17 0x80 0xC7 0xF4 0x09 ...

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68846d15@7c8ee4a06798 0x8C 0x3C 0x31 0xD5 ...

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485d6021838a (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68846d15 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68846d15@fca13e3af15d 0x25 0x2F 0x5C 0x8F ...

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68846d15@fca13e9e093f 0x9D 0x4E 0x37 0x29 ...

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68846d15@c819f70d1d17 0x80 0xC7 0xF4 0x09 ...

Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68846d15@7c8ee4a06798 0x8C 0x3C 0x31 0xD5 ...

---- EOF - GMER 2.1 ----

attach.txt

Psychotic · November 11, 2013

Combofix

Combofix should only be run when adviced by a team member!

Link

Important - Save the file to your desktop!

Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
Run Combofix.exe

When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this.

NSCodeRed · November 11, 2013

ComboFix 13-11-10.02 - Nick 11/11/2013 10:35:48.1.8 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.12265.9197 [GMT -5:00]

Running from: c:\users\Nick\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}

SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\AsPatch10430001.exe

.

((((((((((((((((((((((((( Files Created from 2013-10-11 to 2013-11-11 )))))))))))))))))))))))))))))))

.

2013-11-11 15:42 . 2013-11-11 15:42 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

2013-11-11 15:42 . 2013-11-11 15:42 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2013-11-11 15:42 . 2013-11-11 15:42 -------- d-----w- c:\users\Nick\AppData\Local\temp

2013-11-11 15:42 . 2013-11-11 15:42 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-11-11 14:25 . 2013-11-11 14:25 75888 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B1AD25AF-4FF7-4C76-9EFB-3A079E0242F4}\offreg.dll

2013-11-11 14:25 . 2013-11-11 14:25 46768 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B1AD25AF-4FF7-4C76-9EFB-3A079E0242F4}\MpKsl36b90f39.sys

2013-11-11 04:58 . 2013-10-14 07:12 10280728 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B1AD25AF-4FF7-4C76-9EFB-3A079E0242F4}\mpengine.dll

2013-11-10 00:34 . 2013-10-14 07:12 10280728 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-11-08 16:53 . 2013-11-08 17:06 -------- d-----w- c:\users\Nick\AppData\Local\Bgtion

2013-11-07 02:36 . 2013-10-18 06:58 965000 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{69F15E0A-4EC0-4FB0-8EF6-C33DB3315AFD}\gapaengine.dll

2013-10-31 11:05 . 2013-10-31 11:05 -------- d-----w- c:\users\Nick\AppData\Roaming\Guild Wars 2

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-11-11 14:28 . 2012-03-29 06:45 376 ----a-w- c:\users\Nick\AppData\Roaming\sp_data.sys

2013-10-18 06:58 . 2012-06-13 15:45 965000 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll

2013-10-15 15:48 . 2012-03-29 05:01 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-10-15 15:48 . 2012-02-17 21:58 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-10-04 19:09 . 2011-08-24 03:54 45056 ----a-w- c:\windows\SysWow64\acovcnt.exe

2013-09-26 06:46 . 2012-02-18 06:47 80541720 ----a-w- c:\windows\system32\MRT.exe

2013-09-22 23:28 . 2013-10-10 00:07 1767936 ----a-w- c:\windows\SysWow64\wininet.dll

2013-09-22 23:27 . 2013-10-10 00:07 2876928 ----a-w- c:\windows\SysWow64\jscript9.dll

2013-09-22 23:27 . 2013-10-10 00:07 61440 ----a-w- c:\windows\SysWow64\iesetup.dll

2013-09-22 23:27 . 2013-10-10 00:07 109056 ----a-w- c:\windows\SysWow64\iesysprep.dll

2013-09-22 22:55 . 2013-10-10 00:07 51712 ----a-w- c:\windows\system32\ie4uinit.exe

2013-09-22 22:55 . 2013-10-10 00:07 2241024 ----a-w- c:\windows\system32\wininet.dll

2013-09-22 22:55 . 2013-10-10 00:07 1365504 ----a-w- c:\windows\system32\urlmon.dll

2013-09-22 22:54 . 2013-10-10 00:07 603136 ----a-w- c:\windows\system32\msfeeds.dll

2013-09-22 22:54 . 2013-10-10 00:07 19252224 ----a-w- c:\windows\system32\mshtml.dll

2013-09-22 22:54 . 2013-10-10 00:07 855552 ----a-w- c:\windows\system32\jscript.dll

2013-09-22 22:54 . 2013-10-10 00:07 3959296 ----a-w- c:\windows\system32\jscript9.dll

2013-09-22 22:54 . 2013-10-10 00:07 53248 ----a-w- c:\windows\system32\jsproxy.dll

2013-09-22 22:54 . 2013-10-10 00:07 526336 ----a-w- c:\windows\system32\ieui.dll

2013-09-22 22:54 . 2013-10-10 00:07 67072 ----a-w- c:\windows\system32\iesetup.dll

2013-09-22 22:54 . 2013-10-10 00:07 39936 ----a-w- c:\windows\system32\iernonce.dll

2013-09-22 22:54 . 2013-10-10 00:07 2647552 ----a-w- c:\windows\system32\iertutil.dll

2013-09-22 22:54 . 2013-10-10 00:07 136704 ----a-w- c:\windows\system32\iesysprep.dll

2013-09-22 22:54 . 2013-10-10 00:07 15404544 ----a-w- c:\windows\system32\ieframe.dll

2013-09-21 03:38 . 2013-10-10 00:07 2706432 ----a-w- c:\windows\system32\mshtml.tlb

2013-09-21 03:30 . 2013-10-10 00:07 2706432 ----a-w- c:\windows\SysWow64\mshtml.tlb

2013-09-21 02:48 . 2013-10-10 00:07 89600 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe

2013-09-21 02:39 . 2013-10-10 00:07 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe

2013-09-14 01:10 . 2013-10-09 23:20 497152 ----a-w- c:\windows\system32\drivers\afd.sys

2013-09-08 02:30 . 2013-10-09 23:20 1903552 ----a-w- c:\windows\system32\drivers\tcpip.sys

2013-09-08 02:27 . 2013-10-09 23:20 327168 ----a-w- c:\windows\system32\mswsock.dll

2013-09-08 02:03 . 2013-10-09 23:20 231424 ----a-w- c:\windows\SysWow64\mswsock.dll

2013-09-04 12:12 . 2013-10-11 05:14 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys

2013-09-04 12:11 . 2013-10-11 05:14 325120 ----a-w- c:\windows\system32\drivers\usbport.sys

2013-09-04 12:11 . 2013-10-11 05:14 99840 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2013-09-04 12:11 . 2013-10-11 05:14 52736 ----a-w- c:\windows\system32\drivers\usbehci.sys

2013-09-04 12:11 . 2013-10-11 05:14 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys

2013-09-04 12:11 . 2013-10-11 05:14 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys

2013-09-04 12:11 . 2013-10-11 05:14 7808 ----a-w- c:\windows\system32\drivers\usbd.sys

2013-08-29 02:17 . 2013-10-09 23:20 5549504 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-08-29 02:16 . 2013-10-09 23:20 1732032 ----a-w- c:\windows\system32\ntdll.dll

2013-08-29 02:16 . 2013-10-09 23:20 243712 ----a-w- c:\windows\system32\wow64.dll

2013-08-29 02:16 . 2013-10-09 23:20 859648 ----a-w- c:\windows\system32\tdh.dll

2013-08-29 02:13 . 2013-10-09 23:20 878080 ----a-w- c:\windows\system32\advapi32.dll

2013-08-29 01:51 . 2013-10-09 23:20 3969472 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2013-08-29 01:51 . 2013-10-09 23:20 3914176 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2013-08-29 01:50 . 2013-10-09 23:20 5120 ----a-w- c:\windows\SysWow64\wow32.dll

2013-08-29 01:50 . 2013-10-09 23:20 1292192 ----a-w- c:\windows\SysWow64\ntdll.dll

2013-08-29 01:50 . 2013-10-09 23:20 619520 ----a-w- c:\windows\SysWow64\tdh.dll

2013-08-29 01:48 . 2013-10-09 23:20 640512 ----a-w- c:\windows\SysWow64\advapi32.dll

2013-08-29 01:48 . 2013-10-09 23:20 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2013-08-29 00:49 . 2013-10-09 23:20 25600 ----a-w- c:\windows\SysWow64\setup16.exe

2013-08-29 00:49 . 2013-10-09 23:20 7680 ----a-w- c:\windows\SysWow64\instnm.exe

2013-08-29 00:49 . 2013-10-09 23:20 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll

2013-08-29 00:49 . 2013-10-09 23:20 2048 ----a-w- c:\windows\SysWow64\user.exe

2013-08-28 01:21 . 2013-10-09 23:20 3155968 ----a-w- c:\windows\system32\win32k.sys

2013-08-28 01:12 . 2013-10-09 23:20 461312 ----a-w- c:\windows\system32\scavengeui.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SearchProtection"="c:\users\Nick\AppData\Roaming\Search Protection\SearchProtection.EXE" [2013-09-03 832360]

"EPLTarget\P0000000000000000"="c:\windows\system32\spool\DRIVERS\x64\3\E_IATILBE.EXE" [2013-01-24 297024]

"Bgtion Update"="c:\users\Nick\AppData\Local\Bgtion\pkcs11-helper-1.dll" [2013-11-08 795136]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Nuance PDF Reader-reminder"="c:\program files (x86)\Nuance\PDF Reader\Ereg\Ereg.exe" [2008-11-03 328992]

"ASUSPRP"="c:\program files (x86)\ASUS\APRP\APRP.EXE" [2011-04-02 2018032]

"ASUSWebStorage"="c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSPanel.exe" [2011-02-23 731472]

"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2011-08-24 3058304]

"THX TruStudio NB Settings"="c:\program files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe" [2011-03-17 909312]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"VAWinAgent"="c:\expressgateutil\VAWinAgent.exe" [2011-04-08 45448]

"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2011-12-22 318080]

"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2011-10-24 174720]

"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]

"ACMON"="c:\program files (x86)\ASUS\Splendid\ACMON.exe" [2012-02-06 102568]

"Wireless Console 3"="c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe" [2012-02-02 2321072]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

"FLxHCIm64"="c:\program files\Fresco Logic\Fresco Logic USB3.0 Host Controller\amd64_host\FLxHCIm.exe" [2012-07-19 48128]

"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2013-03-28 1058880]

.

c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Intel® Turbo Boost Technology Monitor 2.0.lnk - c:\program files\Intel\TurboBoost\SignalIslandUi.exe [2010-11-29 204288]

.

c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Intel® Turbo Boost Technology Monitor 2.0.lnk - c:\program files\Intel\TurboBoost\SignalIslandUi.exe [2010-11-29 204288]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

AsusVibeLauncher.lnk - c:\program files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe /start [2011-4-1 548528]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R1 elzurman;elzurman;c:\windows\system32\drivers\elzurman.sys;c:\windows\SYSNATIVE\drivers\elzurman.sys [x]

R1 jrpkxolv;jrpkxolv;c:\windows\system32\drivers\jrpkxolv.sys;c:\windows\SYSNATIVE\drivers\jrpkxolv.sys [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]

R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys;c:\windows\SYSNATIVE\Drivers\ssadadb.sys [x]

R3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_flt.sys [x]

R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys;c:\windows\SYSNATIVE\drivers\btath_a2dp.sys [x]

R3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_hcrp.sys [x]

R3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_lwflt.sys [x]

R3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_rcp.sys [x]

R3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x]

R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS;c:\windows\SYSNATIVE\drivers\BVRPMPR5a64.SYS [x]

R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [x]

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]

R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]

R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys;c:\windows\SYSNATIVE\drivers\EagleX64.sys [x]

R3 HawkesUpdater;Hawkes Unattended Updater;c:\program files (x86)\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe;c:\program files (x86)\Hawkes Learning Systems\Hawkes Update Service Manager\srvany.exe [x]

R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]

R3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUVStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUVStor.sys [x]

R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys;c:\windows\SYSNATIVE\DRIVERS\SiSG664.sys [x]

R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssadbus.sys [x]

R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdfl.sys [x]

R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdm.sys [x]

R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]

S1 ATKWMIACPIIO_;ATKWMIACPI Driver_;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [x]

S1 MpKsl36b90f39;MpKsl36b90f39;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B1AD25AF-4FF7-4C76-9EFB-3A079E0242F4}\MpKsl36b90f39.sys;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B1AD25AF-4FF7-4C76-9EFB-3A079E0242F4}\MpKsl36b90f39.sys [x]

S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [x]

S2 AsusUacSvc;Asus process privilege adjust service;c:\program files\Asus\Rotation Desktop for G Series\AsusUacSvc.exe;c:\program files\Asus\Rotation Desktop for G Series\AsusUacSvc.exe [x]

S2 Atheros Bt&Wlan Coex Agent;Atheros Bt&Wlan Coex Agent;c:\program files (x86)\Bluetooth Suite\Ath_CoexAgent.exe;c:\program files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [x]

S2 AtherosSvc;AtherosSvc;c:\program files (x86)\Bluetooth Suite\adminservice.exe;c:\program files (x86)\Bluetooth Suite\adminservice.exe [x]

S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]

S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [x]

S2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\EscSvc64.exe;c:\windows\SYSNATIVE\EscSvc64.exe [x]

S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]

S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]

S2 VideAceWindowsService;VideAceWindowsService;c:\expressgateutil\VAWinService.exe;c:\expressgateutil\VAWinService.exe [x]

S3 AiCharger;ASUS Charger Driver;c:\windows\system32\DRIVERS\AiCharger.sys;c:\windows\SYSNATIVE\DRIVERS\AiCharger.sys [x]

S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys;c:\windows\SYSNATIVE\DRIVERS\btath_bus.sys [x]

S3 FLxHCIc;Fresco Logic xHCI (USB3) Device Driver;c:\windows\system32\DRIVERS\FLxHCIc.sys;c:\windows\SYSNATIVE\DRIVERS\FLxHCIc.sys [x]

S3 FLxHCIh;Fresco Logic xHCI (USB3) Hub Device Driver;c:\windows\system32\DRIVERS\FLxHCIh.sys;c:\windows\SYSNATIVE\DRIVERS\FLxHCIh.sys [x]

S3 fspad_win764;Finger Sensing Pad Driver for Windows 2000/XP/Vista/Win7_win764;c:\windows\system32\DRIVERS\fspad_win764.sys;c:\windows\SYSNATIVE\DRIVERS\fspad_win764.sys [x]

S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys;c:\windows\SYSNATIVE\drivers\MBfilt64.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]

S3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MPKSL36B90F39

*NewlyCreated* - PXLDQPOC

*Deregistered* - pxldqpoc

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-10-16 07:15 1185744 ----a-w- c:\program files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-11-11 c:\windows\Tasks\EPSON XP-310 Series Invitation {000F3676-290B-4C0B-BEB2-A06E917FD94D}.job

- c:\windows\system32\spool\DRIVERS\x64\3\E_ITSLBE.EXE [2013-10-04 05:20]

.

2013-11-11 c:\windows\Tasks\EPSON XP-310 Series Update {000F3676-290B-4C0B-BEB2-A06E917FD94D}.job

- c:\windows\system32\spool\DRIVERS\x64\3\E_ITSLBE.EXE [2013-10-04 05:20]

.

2013-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-15 21:54]

.

2013-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-15 21:54]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]

@="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"

[HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]

2010-09-02 08:41 220160 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSShellExt64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]

@="{64174815-8D98-4CE6-8646-4C039977D808}"

[HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]

2010-09-02 08:41 220160 ----a-w- c:\program files (x86)\ASUS\ASUS WebStorage\3.0.84.161\AsusWSShellExt64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-01-31 12446824]

"AtherosBtStack"="c:\program files (x86)\Bluetooth Suite\BtvStack.exe" [2011-03-13 617120]

"AthBtTray"="c:\program files (x86)\Bluetooth Suite\AthBtTray.exe" [2011-03-13 379552]

"IntelTBRunOnce"="wscript.exe" [2009-07-14 168960]

"THXCfg64"="c:\windows\system32\THXCfg64.dll" [2010-09-14 25600]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 1356240]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

TCP: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start

Toolbar-Locked - (no file)

HKLM-Run-fspuip - c:\program files (x86)\FSP\fspuip.exe

HKLM-Run-Setwallpaper - c:\programdata\SetWallpaper.cmd

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1909249093-874876743-655935046-1000\Software\SecuROM\License information*]

"datasecu"=hex:44,12,e0,d6,5a,52,4c,3c,1c,84,41,41,52,11,4d,df,3c,38,35,ca,1c,

72,90,d0,9c,13,63,04,68,f8,f1,df,7a,cb,98,03,08,64,27,52,96,6e,e6,65,cc,4c,\

"rkeysecu"=hex:ac,c1,19,fa,90,50,f6,03,d2,b5,8b,39,8c,ad,6d,6d

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-11-11 10:51:31

ComboFix-quarantined-files.txt 2013-11-11 15:51

.

Pre-Run: 118,543,765,504 bytes free

Post-Run: 120,662,986,752 bytes free

.

- - End Of File - - 0D420C39E08FE3FD4751DEEE62FD6B88

Psychotic · November 12, 2013

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

CFScript.txt

NSCodeRed · November 12, 2013

I am trying too but even though all virus/malware programs are turned off every attachment I try to download won't go though because windows says it has a virus and deletes it (part of the virus?). Will try to download it from another computer and use a usb...

NSCodeRed · November 12, 2013

I got it to work, ComboFix said it had an update available but I ran it without updating. Partway though the process I got a notification saying "pev.3XE" has stopped working. After closing the window on that the process continued and then while it was preparing the logs my laptop restarted and presented me with an Asus application error to which I closed and continued to wait for the logs. ComboFix asked that I send a submission of my logs but I didn't, it did save the submission form. Here is what I got...

ComboFix 13-11-10.02 - Nick 11/12/2013 10:00:17.2.8 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.12265.10252 [GMT -5:00]

Running from: c:\users\Nick\Desktop\ComboFix.exe

Command switches used :: c:\users\Nick\Desktop\CFScript.txt

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\Nick\AppData\Roaming\Search Protection

c:\users\Nick\AppData\Roaming\Search Protection\SearchProtection.exe

c:\users\Nick\AppData\Roaming\Search Protection\Uninstall.exe

c:\windows\assembly\GAC_32\Desktop.ini

c:\windows\assembly\GAC_64\Desktop.ini

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_elzurman

-------\Service_jrpkxolv

.

((((((((((((((((((((((((( Files Created from 2013-10-12 to 2013-11-12 )))))))))))))))))))))))))))))))

.

2013-11-12 15:19 . 2013-11-12 15:19 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

2013-11-12 15:19 . 2013-11-12 15:19 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2013-11-12 15:19 . 2013-11-12 15:19 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-11-11 19:08 . 2013-10-14 07:12 10280728 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E3C1FFEF-567D-4384-890A-2CA52D550EA0}\mpengine.dll

2013-11-11 15:51 . 2013-11-12 15:21 -------- d-----w- c:\users\Nick\AppData\Local\temp

2013-11-10 00:34 . 2013-10-14 07:12 10280728 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-11-08 16:53 . 2013-11-08 17:06 -------- d-----w- c:\users\Nick\AppData\Local\Bgtion

2013-11-07 02:36 . 2013-10-18 06:58 965000 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{69F15E0A-4EC0-4FB0-8EF6-C33DB3315AFD}\gapaengine.dll

2013-10-31 11:05 . 2013-10-31 11:05 -------- d-----w- c:\users\Nick\AppData\Roaming\Guild Wars 2

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-11-12 14:43 . 2012-03-29 06:45 376 ----a-w- c:\users\Nick\AppData\Roaming\sp_data.sys