
Someone (or Something) Has Intruded into My System


yukio


Hi there,

Yesterday I got an email from PayPal (the REAL PayPal) telling me that they've got complaints about phishing originating from one of my websites.

Long story short, I've proven it to be the case, and my hosting's tech guy told me that the files (webpages for phishing) were uploaded from my current IP and computer. So, someone is using my computer to hack my website and install a phishing script there...

I've had Avira Premium with the latest definitions since day one.

I've just run MBAM, DeFogger, DDS and GMER. MBAM found 4 malware items, and I've removed them all. GMER said "didn't find any system modification" and I don't get the log; did I do it wrong?

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7710

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

14/09/2011 00:41:35
mbam-log-2011-09-14 (00-41-35).txt

Scan type: Quick scan
Objects scanned: 193979
Time elapsed: 9 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Ray\AppData\Local\Temp\winrar3.93.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\Users\Ray\local settings\keygenerator.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\Users\Ray\local settings\application data\keygenerator.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\Users\Ray\AppData\Local\Temp\Opera.exe (Trojan.PWS) -> Quarantined and deleted successfully.

Here's the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_20
Run by Ray at 1:24:08 on 2011-09-14
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4095.1437 [GMT 7:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
FW: Avira FireWall *Enabled* {31341D0C-2EA1-6D37-1CC3-F0344A49C2CC}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Avira\AntiVir Desktop\avfwsvc.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\AMD\OverDrive\AODAssist.exe
C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\SysWOW64\SupportAppXL\cdrom_mon.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\DU Meter\DUMeterSvc.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Nitro PDF\Professional\6.0\NitroPDFDriverServicex64.exe
C:\Windows\SysWOW64\NLSSRV32.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
C:\Program Files\CyberLink\Shared files\RichVideo64.exe
C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\StkCSrv.exe
C:\Program Files\Modem AC2726 UI\bin\MonServiceUDisk64.exe
C:\Program Files (x86)\Spotmau\Data Recovery Kit\DRtray.exe
C:\PROGRA~1\BITNAM~1\apache2\bin\httpd.exe
C:\Program Files\BitNami WordPress Stack\mysql\bin\mysqld.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files (x86)\Genie-Soft\GBMPro8\GBMAgent.exe
C:\Program Files (x86)\Free Download Manager\fdm.exe
C:\Program Files (x86)\ClipMate7\ClipMate.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files (x86)\Lingoes\Translator2\Lingoes.exe
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~2\DUMETE~1\DUMeter.exe
C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Users\Ray\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\FSL\FSL_Launcher\FSL_Launcher.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\PROGRA~1\BITNAM~1\apache2\bin\httpd.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Sierra Wireless Inc\3G Watcher\WaHelper.exe
C:\Program Files (x86)\Everything\Everything.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files (x86)\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Modem AC2726 UI\bin\App.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\XYplorer\XYplorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: : {1624f640-49ac-11d3-8abd-00c04fa95ee0} - C:\PROGRA~2\iFinger\IFINGE~1.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: QUICKfind BHO Object: {c08df07a-3e49-4e25-9ab0-d3882835f153} - C:\PROGRA~2\IDM\QUICKF~1\PlugIns\IEHelp.dll
BHO: Free Download Manager: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: TextAloud: {f053c368-5458-45b2-9b4d-d8914bdddbff} - C:\PROGRA~2\TEXTAL~1\TAForIE.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: iFinger: {0cbd5120-990b-11d3-8abd-00c04fa95ee0} - C:\Windows\SysWow64\SHDOCVW.DLL
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Messenger (Yahoo!)] "C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe" -quiet
uRun: [GBMPro8Agent] C:\Program Files (x86)\Genie-Soft\GBMPro8\GBMAgent.exe
uRun: [Free Download Manager] C:\Program Files (x86)\Free Download Manager\fdm.exe -autorun
uRun: [DU Meter] C:\Program Files (x86)\DU Meter\DUMeter.exe
uRun: [ClipMate7] C:\Program Files (x86)\ClipMate7\ClipMate.exe
uRun: [ISUSPM Startup] C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
uRun: [Lingoes] C:\Program Files (x86)\Lingoes\Translator2\Lingoes.exe -minimize
uRun: [RoboForm] "C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
uRun: [AdobeBridge]
mRun: [WatcherHelper] "C:\Program Files (x86)\Sierra Wireless Inc\3G Watcher\WaHelper.exe"
mRun: [Everything] "C:\Program Files (x86)\Everything\Everything.exe" -startup
mRun: [Display] C:\Program Files (x86)\APC\APC PowerChute Personal Edition\DataCollectionLauncher.exe
mRun: [DelReg] C:\Program Files (x86)\MSI\OverclockingCenter\DelReg.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
mRun: [EnvyHFCPL] C:\Program Files (x86)\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\Users\Ray\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Ray\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Ray\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\FSLLAU~1.LNK - C:\Program Files (x86)\FSL\FSL_Launcher\FSL_Launcher.exe
StartupFolder: C:\Users\Ray\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
StartupFolder: C:\Users\Ray\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\APCUPS~1.LNK - C:\Program Files (x86)\APC\APC PowerChute Personal Edition\Display.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SERVIC~1.LNK - C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Customize Menu - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download all with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send To &Bluetooth - C:\Program Files (x86)\Billionton\Bluetooth Software\btsendto_ie_ctx.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {936E5D60-596C-11D3-BB96-00600816DF55} - {0CBD5120-990B-11D3-8ABD-00C04FA95EE0} - C:\Windows\SysWow64\SHDOCVW.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
LSP: C:\Program Files (x86)\Avira\AntiVir Desktop\avsda.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{32CD068B-6787-4017-90A5-CD56F18A1B66} : DhcpNameServer = 10.0.18.38 10.0.18.42
TCP: Interfaces\{721AA68F-DE66-42A9-B766-8E4C81AFB6FB} : NameServer = 10.17.3.244 10.17.3.252
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~1\Office12\GRA32A~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - C:\Program Files (x86)\DVD Region+CSS Free\DVDShell.dll
mASetup: {A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2} - C:\Program Files (x86)\PixiePack Codec Pack\InstallerHelper.exe
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: : {1624F640-49AC-11D3-8ABD-00C04FA95EE0} - C:\PROGRA~2\iFinger\IFINGE~1.DLL
BHO-X64: iFinger - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
BHO-X64: RoboForm BHO - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: QUICKfind BHO Object: {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~2\IDM\QUICKF~1\PlugIns\IEHelp.dll
BHO-X64: Free Download Manager: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: TextAloud: {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~2\TEXTAL~1\TAForIE.dll
TB-X64: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
TB-X64: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB-X64: {0CBD5120-990B-11D3-8ABD-00C04FA95EE0} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [WatcherHelper] "C:\Program Files (x86)\Sierra Wireless Inc\3G Watcher\WaHelper.exe"
mRun-x64: [Everything] "C:\Program Files (x86)\Everything\Everything.exe" -startup
mRun-x64: [Display] C:\Program Files (x86)\APC\APC PowerChute Personal Edition\DataCollectionLauncher.exe
mRun-x64: [DelReg] C:\Program Files (x86)\MSI\OverclockingCenter\DelReg.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
mRun-x64: [EnvyHFCPL] C:\Program Files (x86)\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
IE-X64: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE-X64: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE-X64: {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office12\GR469A~1.DLL
SEH-X64: DVDIdleShell Class: {93994DE8-8239-4655-B1D1-5F4E91300429} - C:\Program Files (x86)\DVD Region+CSS Free\DVDShell.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.ray\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ncr
FF - plugin: C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\NPCIG.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Opera\program\plugins\np_gp.dll
FF - plugin: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: C:\Program Files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
FF - plugin: C:\Program Files\Opera\program\plugins\NPSWF32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 avfwot;avfwot;C:\Windows\System32\drivers\avfwot.sys [2011-7-20 131336]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AntiVirFirewallService;Avira FireWall;C:\Program Files (x86)\Avira\AntiVir Desktop\avfwsvc.exe [2011-7-20 567464]
R2 AntiVirMailService;Avira AntiVir MailGuard;C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc.exe [2011-7-20 340136]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-7-20 136360]
R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-7-20 269480]
R2 AntiVirWebService;Avira AntiVir WebGuard;C:\Program Files (x86)\Avira\AntiVir Desktop\avwebgrd.exe [2011-7-20 428200]
R2 AODService;AODService;C:\Program Files (x86)\AMD\OverDrive\AODAssist.exe [2009-5-5 124256]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;C:\Windows\System32\SupportAppXL\cdrom_mon.exe [2008-11-26 81920]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 cpuz132;cpuz132;\??\C:\Windows\system32\drivers\cpuz132_x64.sys --> C:\Windows\system32\drivers\cpuz132_x64.sys [?]
R2 DUMeterSvc;DU Meter Service;C:\Program Files (x86)\DU Meter\DUMeterSvc.exe [2010-3-21 1411616]
R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-7 191000]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-9-14 366152]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;C:\Program Files\Common Files\Nitro PDF\Professional\6.0\NitroPDFDriverServicex64.exe [2009-12-16 324928]
R2 nlsX86cc;NLS Service;C:\Windows\SysWOW64\NLSSRV32.EXE [2009-12-16 65856]
R2 PDFSFilter;PDFSFilter;C:\Windows\system32\DRIVERS\PDFsFilter.sys --> C:\Windows\system32\DRIVERS\PDFsFilter.sys [?]
R2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);C:\Program Files\CyberLink\Shared files\RichVideo64.exe [2011-7-3 386344]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-4-26 1153368]
R2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2009-12-24 370688]
R2 StkSSrv;Syntek AVStream USB2.0 ATV Service;C:\Windows\System32\StkCSrv.exe --> C:\Windows\System32\StkCSrv.exe [?]
R2 UDisk Monitor;UDisk Monitor;C:\Program Files\Modem AC2726 UI\bin\MonServiceUDisk64.exe [2010-2-25 409088]
R2 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [2011-4-1 428640]
R2 wordpressApache;wordpressApache;C:\PROGRA~1\BITNAM~1\apache2\bin\httpd.exe [2011-7-18 20549]
R2 wordpressMySQL;wordpressMySQL;C:\Program Files\BitNami WordPress Stack\mysql\bin\mysqld.exe [2011-7-18 6107136]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AODDriver;AODDriver;C:\Program Files (x86)\AMD\OverDrive\amd64\AODDriver.sys [2009-10-22 21048]
R3 avfwim;AvFw Packet Filter Miniport;C:\Windows\system32\DRIVERS\avfwim.sys --> C:\Windows\system32\DRIVERS\avfwim.sys [?]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM 64 bit;C:\Windows\system32\drivers\Envy24HF.sys --> C:\Windows\system32\drivers\Envy24HF.sys [?]
R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\system32\DRIVERS\LVPr2M64.sys --> C:\Windows\system32\DRIVERS\LVPr2M64.sys [?]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]
R3 LVUVC64;Logitech Webcam 500(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 swivsp;AC8xx Virtual Serial Port;C:\Windows\system32\DRIVERS\swivspnt.sys --> C:\Windows\system32\DRIVERS\swivspnt.sys [?]
R3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
R3 ztemtusbser;ZTEMT Legacy Serial Communication;C:\Windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys --> C:\Windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [?]
S2 trackcam;TrackerCam Video Capture Driver;C:\Windows\system32\DRIVERS\trackcam.sys --> C:\Windows\system32\DRIVERS\trackcam.sys [?]
S3 DUMeterDrv;Hagel Technologies DU Meter traffic accounting driver;C:\Program Files (x86)\DU Meter\DUMetr64.sys [2010-9-13 20904]
S3 ICDUSB3;ICDUSB3;C:\Windows\system32\Drivers\ICDUSB3.sys --> C:\Windows\system32\Drivers\ICDUSB3.sys [?]
S3 nmwcdcx64;Nokia USB Generic;C:\Windows\system32\drivers\ccdcmbox64.sys --> C:\Windows\system32\drivers\ccdcmbox64.sys [?]
S3 nmwcdnsucx64;Nokia USB Flashing Generic;C:\Windows\system32\drivers\nmwcdnsucx64.sys --> C:\Windows\system32\drivers\nmwcdnsucx64.sys [?]
S3 nmwcdnsux64;Nokia USB Flashing Phone Parent;C:\Windows\system32\drivers\nmwcdnsux64.sys --> C:\Windows\system32\drivers\nmwcdnsux64.sys [?]
S3 nmwcdx64;Nokia USB Phone Parent;C:\Windows\system32\drivers\ccdcmbx64.sys --> C:\Windows\system32\drivers\ccdcmbx64.sys [?]
S3 StkCMini;Syntek AVStream USB2.0 ATV;C:\Windows\system32\Drivers\StkCMini.sys --> C:\Windows\system32\Drivers\StkCMini.sys [?]
S3 StkTMini;StkTMini;C:\Windows\system32\Drivers\StkTMini.sys --> C:\Windows\system32\Drivers\StkTMini.sys [?]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);C:\Windows\system32\DRIVERS\swnc8u12.sys --> C:\Windows\system32\DRIVERS\swnc8u12.sys [?]
S3 SWUMX12;Sierra Wireless USB MUX Driver (UMTS12);C:\Windows\system32\DRIVERS\swumx12.sys --> C:\Windows\system32\DRIVERS\swumx12.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
.
=============== File Associations ===============
.
.txt=
.
=============== Created Last 30 ================
.
2011-09-13 17:20:27 -------- d-----w- C:\Users\Ray\AppData\Roaming\Malwarebytes
2011-09-13 17:20:18 -------- d-----w- C:\ProgramData\Malwarebytes
2011-09-13 17:20:13 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-09-13 17:20:13 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-09-01 19:19:14 -------- d-----w- C:\Program Files (x86)\The KMPlayer
2011-08-23 17:14:17 -------- d-----w- C:\Users\Ray\AppData\Roaming\OpenOffice.org
2011-08-23 17:10:58 7424000 ----a-r- C:\Users\Ray\AppData\Roaming\Microsoft\Installer\{E6B87DC4-2B3D-4483-ADFF-E483BF718991}\soffice.exe
2011-08-23 17:09:24 -------- d-----w- C:\Program Files (x86)\JRE
2011-08-23 17:09:14 -------- d-----w- C:\Program Files (x86)\OpenOffice.org 3
.
==================== Find3M ====================
.
2011-09-03 15:24:21 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-01 04:56:06 37374 ----a-w- C:\Program Files\ffdsvsetts.reg
2011-07-20 05:22:59 88288 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2011-07-20 05:22:59 131336 ----a-w- C:\Windows\SysWow64\drivers\avfwot.sys
2011-07-20 05:22:59 131336 ----a-w- C:\Windows\System32\drivers\avfwot.sys
2011-07-20 05:22:59 101984 ----a-w- C:\Windows\System32\drivers\avfwim.sys
2011-07-02 22:09:20 86016 ----a-w- C:\Windows\System32\ff_vfw.dll
2011-06-26 16:04:08 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2010-04-20 16:25:17 37142 ----a-w- C:\Program Files (x86)\ffdsvsetts.reg
.
============= FINISH: 1:25:15.45 ===============

The rest is attached below.

Thanks for your help,

Yukio

Attach.zip

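A small triage script for the logs in this post, added here as an example and not part of the original thread or of the MBAM/DDS tools: it parses the MBAM "Files Infected" lines and the DDS "Pseudo HJT Report" policy and Hosts lines, ranks a credential-stealing detection (Trojan.PWS) above keygen riskware, flags the UAC policy values exactly as they appear in the report (EnableLUA = 0, ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0), and lists the hosts-file override of www.spywareinfo.com for review. The sample strings are constructed from the lines above; the function names, the severity labels and the WEAK_POLICIES table are my own assumptions, not anything MBAM, DDS or the forum defines.

```python
import re
from dataclasses import dataclass

# Constructed sample input, shaped like the MBAM and DDS excerpts in the post above.
SAMPLE_MBAM = r"""Files Infected:
c:\Users\Ray\AppData\Local\Temp\winrar3.93.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\Users\Ray\local settings\keygenerator.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\Users\Ray\AppData\Local\Temp\Opera.exe (Trojan.PWS) -> Quarantined and deleted successfully.
"""

SAMPLE_DDS = r"""mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Line shapes taken from the logs: "<path> (<detection>) -> <action>",
# "mPolicies-system: <key> = <n> (0x<n>)" and "Hosts: <ip> <hostname>".
MBAM_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
POLICY_LINE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<value>\d+) \(0x[0-9A-Fa-f]+\)$")
HOSTS_LINE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")

# Assumed table (mine, not DDS's): UAC policy values that leave elevation unprompted.
WEAK_POLICIES = {
    "EnableLUA": ("0", "UAC is disabled entirely"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate without any prompt"),
    "PromptOnSecureDesktop": ("0", "elevation prompts are not shown on the secure desktop"),
}


@dataclass(frozen=True)
class Detection:
    path: str
    name: str
    action: str


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium" (labels are an assumption of this script)
    source: str    # "mbam", "dds-policy" or "dds-hosts"
    detail: str


def parse_mbam_detections(text):
    """Return one Detection per 'Files Infected' result line in an MBAM log."""
    out = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            out.append(Detection(m["path"], m["name"], m["action"]))
    return out


def parse_dds_policies(text):
    """Return the mPolicies-system key/value pairs from a DDS report as strings."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_LINE.match(line.strip())
        if m:
            policies[m["key"]] = m["value"]
    return policies


def parse_dds_hosts(text):
    """Return (ip, hostname) tuples for every 'Hosts:' override DDS reported."""
    return [(m["ip"], m["host"]) for line in text.splitlines()
            if (m := HOSTS_LINE.match(line.strip()))]


def triage(mbam_text, dds_text):
    """Combine both logs into a list of findings, highest severity first."""
    findings = []
    for d in parse_mbam_detections(mbam_text):
        # A credential-stealing trojan outranks keygen riskware for an incident
        # where someone else's files reached the owner's website.
        sev = "high" if d.name.startswith("Trojan.") else "medium"
        findings.append(Finding(sev, "mbam", f"{d.name}: {d.path} ({d.action})"))
    for key, value in parse_dds_policies(dds_text).items():
        weak = WEAK_POLICIES.get(key)
        if weak and value == weak[0]:
            findings.append(Finding("medium", "dds-policy", f"{key} = {value}: {weak[1]}"))
    for ip, host in parse_dds_hosts(dds_text):
        # Every hosts-file override in the report is listed for review; pinning a
        # security-help site to 127.0.0.1 is a common sign of tampering.
        findings.append(Finding("medium", "dds-hosts", f"{host} pinned to {ip}"))
    findings.sort(key=lambda f: (f.severity != "high", f.source))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_MBAM, SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.source:10} {f.detail}")
```

Run as a script it prints the ranked findings for the embedded samples; to triage a real report, read the saved mbam-log and DDS text files and pass their contents to triage(). The parsers deliberately match only the three line shapes shown in this thread and ignore everything else, so a line that does not fit is dropped rather than misread.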

Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Thanks LDTate. Here's the log:

ComboFix 11-09-15.05 - Ray 16/09/2011 16:32:38.1.4 - x64

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4095.2240 [GMT 7:00]

Running from: c:\users\Ray\Desktop\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

FW: Avira FireWall *Enabled* {31341D0C-2EA1-6D37-1CC3-F0344A49C2CC}

SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\test.txt

c:\users\Ray\AppData\Roaming\chrtmp

c:\users\Ray\AppData\Roaming\EurekaLog

c:\users\Ray\AppData\Roaming\FFSJ

c:\users\Ray\AppData\Roaming\FFSJ\FFSJ.cfg

c:\users\Ray\AppData\Roaming\inst.exe

c:\users\Ray\AppData\Roaming\Setup.exe

c:\windows\dasetup.log

c:\windows\system32\drivers\etc\lmhosts

c:\windows\SysWow64\comct332.ocx

c:\windows\SysWow64\IcdCddaDve.dll

c:\windows\winhelp.ini

G:\install.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-08-16 to 2011-09-16 )))))))))))))))))))))))))))))))

.

.

2011-09-16 09:41 . 2011-09-16 09:41 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-09-14 12:54 . 2011-09-14 12:54 -------- d-----w- c:\users\Ray\AppData\Roaming\FLEXnet

2011-09-14 12:50 . 2011-09-14 12:50 -------- d-----w- c:\users\Ray\AppData\Roaming\Nuance

2011-09-14 12:46 . 2011-09-14 12:46 -------- d-----w- c:\program files (x86)\Common Files\IVA

2011-09-14 12:45 . 2011-09-14 12:46 -------- d-----w- c:\program files (x86)\Common Files\Nuance

2011-09-14 12:44 . 2011-09-14 12:44 -------- d-----w- c:\programdata\Nuance

2011-09-14 12:44 . 2011-09-14 12:44 -------- d-----w- c:\program files (x86)\Nuance

2011-09-13 17:20 . 2011-09-13 17:20 -------- d-----w- c:\users\Ray\AppData\Roaming\Malwarebytes

2011-09-13 17:20 . 2011-09-13 17:20 -------- d-----w- c:\programdata\Malwarebytes

2011-09-13 17:20 . 2011-09-13 17:20 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2011-09-13 17:20 . 2011-08-31 10:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-01 19:19 . 2011-09-09 14:24 -------- d-----w- c:\program files (x86)\The KMPlayer

2011-08-23 17:14 . 2011-08-23 17:14 -------- d-----w- c:\users\Ray\AppData\Roaming\OpenOffice.org

2011-08-23 17:10 . 2011-08-23 17:10 7424000 ----a-r- c:\users\Ray\AppData\Roaming\Microsoft\Installer\{E6B87DC4-2B3D-4483-ADFF-E483BF718991}\soffice.exe

2011-08-23 17:09 . 2011-08-23 17:09 -------- d-----w- c:\program files (x86)\JRE

2011-08-23 17:09 . 2011-08-23 17:09 -------- d-----w- c:\program files (x86)\OpenOffice.org 3

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-03 15:24 . 2011-07-19 05:55 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-08-01 04:56 . 2011-08-01 04:56 37374 ----a-w- c:\program files\ffdsvsetts.reg

2011-07-20 05:22 . 2011-07-20 04:43 88288 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-07-20 05:22 . 2011-07-20 04:43 131336 ----a-w- c:\windows\SysWow64\drivers\avfwot.sys

2011-07-20 05:22 . 2011-07-20 04:43 131336 ----a-w- c:\windows\system32\drivers\avfwot.sys

2011-07-20 05:22 . 2011-07-20 04:43 123784 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-07-20 05:22 . 2011-07-20 04:43 101984 ----a-w- c:\windows\system32\drivers\avfwim.sys

2011-07-10 20:41 . 2011-07-10 20:41 413696 ----a-r- c:\users\Ray\AppData\Roaming\Microsoft\Installer\{8D9BCD69-3711-4CC3-80DB-12EF4A2EE7C0}\BlackBerry.exe

2011-07-02 22:09 . 2011-07-02 22:09 86016 ----a-w- c:\windows\system32\ff_vfw.dll

2011-06-26 16:25 . 2011-06-26 16:25 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll

2011-06-26 16:25 . 2011-06-26 16:25 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe

2011-06-26 16:25 . 2011-06-26 16:25 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe

2011-06-26 16:25 . 2011-06-26 16:25 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll

2011-06-26 16:25 . 2011-06-26 16:25 1797632 ----a-w- c:\windows\SysWow64\jscript9.dll

2011-06-26 16:25 . 2011-06-26 16:25 161792 ----a-w- c:\windows\SysWow64\msls31.dll

2011-06-26 16:25 . 2011-06-26 16:25 1126912 ----a-w- c:\windows\SysWow64\wininet.dll

2011-06-26 16:25 . 2011-06-26 16:25 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll

2011-06-26 16:25 . 2011-06-26 16:25 74752 ----a-w- c:\windows\SysWow64\iesetup.dll

2011-06-26 16:25 . 2011-06-26 16:25 63488 ----a-w- c:\windows\SysWow64\tdc.ocx

2011-06-26 16:25 . 2011-06-26 16:25 420864 ----a-w- c:\windows\SysWow64\vbscript.dll

2011-06-26 16:25 . 2011-06-26 16:25 367104 ----a-w- c:\windows\SysWow64\html.iec

2011-06-26 16:25 . 2011-06-26 16:25 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll

2011-06-26 16:25 . 2011-06-26 16:25 152064 ----a-w- c:\windows\SysWow64\wextract.exe

2011-06-26 16:25 . 2011-06-26 16:25 150528 ----a-w- c:\windows\SysWow64\iexpress.exe

2011-06-26 16:25 . 2011-06-26 16:25 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2011-06-26 16:25 . 2011-06-26 16:25 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe

2011-06-26 16:25 . 2011-06-26 16:25 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe

2011-06-26 16:25 . 2011-06-26 16:25 76800 ----a-w- c:\windows\system32\tdc.ocx

2011-06-26 16:25 . 2011-06-26 16:25 49664 ----a-w- c:\windows\system32\imgutil.dll

2011-06-26 16:25 . 2011-06-26 16:25 48640 ----a-w- c:\windows\system32\mshtmler.dll

2011-06-26 16:25 . 2011-06-26 16:25 448512 ----a-w- c:\windows\system32\html.iec

2011-06-26 16:25 . 2011-06-26 16:25 35840 ----a-w- c:\windows\SysWow64\imgutil.dll

2011-06-26 16:25 . 2011-06-26 16:25 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2011-06-26 16:25 . 2011-06-26 16:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-06-26 16:25 . 2011-06-26 16:25 2303488 ----a-w- c:\windows\system32\jscript9.dll

2011-06-26 16:25 . 2011-06-26 16:25 222208 ----a-w- c:\windows\system32\msls31.dll

2011-06-26 16:25 . 2011-06-26 16:25 173056 ----a-w- c:\windows\system32\ieUnatt.exe

2011-06-26 16:25 . 2011-06-26 16:25 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2011-06-26 16:25 . 2011-06-26 16:25 1389056 ----a-w- c:\windows\system32\wininet.dll

2011-06-26 16:25 . 2011-06-26 16:25 135168 ----a-w- c:\windows\system32\IEAdvpack.dll

2011-06-26 16:25 . 2011-06-26 16:25 12288 ----a-w- c:\windows\system32\mshta.exe

2011-06-26 16:25 . 2011-06-26 16:25 11776 ----a-w- c:\windows\SysWow64\mshta.exe

2011-06-26 16:25 . 2011-06-26 16:25 114176 ----a-w- c:\windows\system32\admparse.dll

2011-06-26 16:25 . 2011-06-26 16:25 111616 ----a-w- c:\windows\system32\iesysprep.dll

2011-06-26 16:25 . 2011-06-26 16:25 101888 ----a-w- c:\windows\SysWow64\admparse.dll

2011-06-26 16:25 . 2011-06-26 16:25 85504 ----a-w- c:\windows\system32\iesetup.dll

2011-06-26 16:25 . 2011-06-26 16:25 603648 ----a-w- c:\windows\system32\vbscript.dll

2011-06-26 16:25 . 2011-06-26 16:25 30720 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-26 16:25 . 2011-06-26 16:25 165888 ----a-w- c:\windows\system32\iexpress.exe

2011-06-26 16:25 . 2011-06-26 16:25 160256 ----a-w- c:\windows\system32\wextract.exe

2011-06-26 16:25 . 2011-06-26 16:25 1492992 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-26 16:04 . 2011-06-26 16:04 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2011-06-26 16:04 . 2011-06-26 16:04 902656 ----a-w- c:\windows\system32\d2d1.dll

2011-06-26 16:04 . 2011-06-26 16:04 739840 ----a-w- c:\windows\SysWow64\d2d1.dll

2011-06-26 16:04 . 2011-06-26 16:04 662528 ----a-w- c:\windows\system32\XpsPrint.dll

2011-06-26 16:04 . 2011-06-26 16:04 470016 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-06-26 16:04 . 2011-06-26 16:04 442880 ----a-w- c:\windows\SysWow64\XpsPrint.dll

2011-06-26 16:04 . 2011-06-26 16:04 4068864 ----a-w- c:\windows\system32\mf.dll

2011-06-26 16:04 . 2011-06-26 16:04 320512 ----a-w- c:\windows\system32\d3d10_1core.dll

2011-06-26 16:04 . 2011-06-26 16:04 3181568 ----a-w- c:\windows\SysWow64\mf.dll

2011-06-26 16:04 . 2011-06-26 16:04 283648 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll

2011-06-26 16:04 . 2011-06-26 16:04 265088 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2011-06-26 16:04 . 2011-06-26 16:04 257024 ----a-w- c:\windows\system32\mfreadwrite.dll

2011-06-26 16:04 . 2011-06-26 16:04 229888 ----a-w- c:\windows\system32\XpsRasterService.dll

2011-06-26 16:04 . 2011-06-26 16:04 218624 ----a-w- c:\windows\SysWow64\d3d10_1core.dll

2011-06-26 16:04 . 2011-06-26 16:04 206848 ----a-w- c:\windows\system32\mfps.dll

2011-06-26 16:04 . 2011-06-26 16:04 197120 ----a-w- c:\windows\system32\d3d10_1.dll

2011-06-26 16:04 . 2011-06-26 16:04 196608 ----a-w- c:\windows\SysWow64\mfreadwrite.dll

2011-06-26 16:04 . 2011-06-26 16:04 1888256 ----a-w- c:\windows\system32\WMVDECOD.DLL

2011-06-26 16:04 . 2011-06-26 16:04 1863680 ----a-w- c:\windows\system32\ExplorerFrame.dll

2011-06-26 16:04 . 2011-06-26 16:04 1837568 ----a-w- c:\windows\system32\d3d10warp.dll

2011-06-26 16:04 . 2011-06-26 16:04 1619456 ----a-w- c:\windows\SysWow64\WMVDECOD.DLL

2011-06-26 16:04 . 2011-06-26 16:04 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll

2011-06-26 16:04 . 2011-06-26 16:04 1540608 ----a-w- c:\windows\system32\DWrite.dll

2011-06-26 16:04 . 2011-06-26 16:04 1495040 ----a-w- c:\windows\SysWow64\ExplorerFrame.dll

2011-06-26 16:04 . 2011-06-26 16:04 144384 ----a-w- c:\windows\system32\cdd.dll

2011-06-26 16:04 . 2011-06-26 16:04 135168 ----a-w- c:\windows\SysWow64\XpsRasterService.dll

2011-06-26 16:04 . 2011-06-26 16:04 1170944 ----a-w- c:\windows\SysWow64\d3d10warp.dll

2011-06-26 16:04 . 2011-06-26 16:04 1133568 ----a-w- c:\windows\system32\FntCache.dll

2011-06-26 16:04 . 2011-06-26 16:04 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll

2011-06-23 18:13 . 2010-12-14 20:33 165232 ---ha-w- c:\users\Ray\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll

2010-04-20 16:25 . 2010-04-20 16:25 37142 ----a-w- c:\program files (x86)\ffdsvsetts.reg

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Ray\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Ray\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Ray\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Ray\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\program files (x86)\Yahoo!\Messenger\YahooMessenger.exe" [2011-06-16 6276408]

"GBMPro8Agent"="c:\program files (x86)\Genie-Soft\GBMPro8\GBMAgent.exe" [2008-09-10 189056]

"Free Download Manager"="c:\program files (x86)\Free Download Manager\fdm.exe" [2011-06-07 3797039]

"DU Meter"="c:\program files (x86)\DU Meter\DUMeter.exe" [2010-08-21 2931744]

"ClipMate7"="c:\program files (x86)\ClipMate7\ClipMate.exe" [2009-01-31 3760424]

"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]

"Lingoes"="c:\program files (x86)\Lingoes\Translator2\Lingoes.exe" [2010-07-23 2252800]

"RoboForm"="c:\program files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-06-29 107000]

"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2010-11-14 222496]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"WatcherHelper"="c:\program files (x86)\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2008-01-30 120088]

"Everything"="c:\program files (x86)\Everything\Everything.exe" [2009-03-13 602624]

"DelReg"="c:\program files (x86)\MSI\OverclockingCenter\DelReg.exe" [2008-12-04 196608]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]

"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-11-25 98304]

"ISUSScheduler"="c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-12 69632]

"EnvyHFCPL"="c:\program files (x86)\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe" [2010-01-05 532480]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-14 421160]

"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

"DNS7reminder"="c:\program files (x86)\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2007-04-16 259624]

.

c:\users\Ray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\Ray\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-26 24176560]

FSL Launcher.lnk - c:\program files (x86)\FSL\FSL_Launcher\FSL_Launcher.exe [2010-2-26 1287168]

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

OpenOffice.org 3.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

APC UPS Status.lnk - c:\program files (x86)\APC\APC PowerChute Personal Edition\Display.exe [2009-1-6 267576]

HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

Service Manager.lnk - c:\program files (x86)\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2000-8-6 69632]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\program files (x86)\DVD Region+CSS Free\DVDShell.dll" [2004-10-09 49152]

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux9"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

.

R2 trackcam;TrackerCam Video Capture Driver;c:\windows\system32\DRIVERS\trackcam.sys [x]

R2 wordpressMySQL;wordpressMySQL;c:\program files\BitNami WordPress Stack\mysql\bin\mysqld.exe [2011-02-12 6107136]

R3 cpuz130;cpuz130;c:\users\Ray\AppData\Local\Temp\cpuz130\cpuz_x64.sys [x]

R3 DUMeterDrv;Hagel Technologies DU Meter traffic accounting driver;c:\program files (x86)\DU Meter\DUMETR64.SYS [2010-08-19 20904]

R3 ICDUSB3;ICDUSB3;c:\windows\system32\Drivers\ICDUSB3.sys [x]

R3 nmwcdcx64;Nokia USB Generic;c:\windows\system32\drivers\ccdcmbox64.sys [x]

R3 nmwcdnsucx64;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsucx64.sys [x]

R3 nmwcdnsux64;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsux64.sys [x]

R3 nmwcdx64;Nokia USB Phone Parent;c:\windows\system32\drivers\ccdcmbx64.sys [x]

R3 StkCMini;Syntek AVStream USB2.0 ATV;c:\windows\system32\Drivers\StkCMini.sys [x]

R3 StkTMini;StkTMini;c:\windows\system32\Drivers\StkTMini.sys [x]

R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\DRIVERS\swnc8u12.sys [x]

R3 SWUMX12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\DRIVERS\swumx12.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]

S0 hotcore3;hotcore3;c:\windows\SysWOW64\drivers\hotcore3.sys [2008-01-21 36368]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S1 avfwot;avfwot;c:\windows\system32\DRIVERS\avfwot.sys [2011-07-20 131336]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

S2 AntiVirFirewallService;Avira FireWall;c:\program files (x86)\Avira\AntiVir Desktop\avfwsvc.exe [2011-07-20 567464]

S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files (x86)\Avira\AntiVir Desktop\avmailc.exe [2011-07-20 340136]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-07-20 136360]

S2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE [2011-07-20 428200]

S2 AODService;AODService;c:\program files (x86)\AMD\OverDrive\AODAssist.exe [2009-05-04 124256]

S2 DragonSvc;Dragon Service;c:\program files (x86)\Common Files\Nuance\dgnsvc.exe [2010-07-23 296808]

S2 DUMeterSvc;DU Meter Service;c:\program files (x86)\DU Meter\DUMeterSvc.exe [2010-08-21 1411616]

S2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-06 191000]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

S2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Professional\6.0\NitroPDFDriverServicex64.exe [2009-12-16 324928]

S2 nlsX86cc;NLS Service;c:\windows\SysWOW64\NLSSRV32.EXE [2009-12-16 65856]

S2 PDFSFilter;PDFSFilter;c:\windows\system32\DRIVERS\PDFsFilter.sys [x]

S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\CyberLink\Shared files\RichVideo64.exe [2010-08-19 386344]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

S2 StkSSrv;Syntek AVStream USB2.0 ATV Service;c:\windows\System32\StkCSrv.exe [x]

S2 UDisk Monitor;UDisk Monitor;c:\program files\Modem AC2726 UI\bin\MonServiceUDisk64.exe [2009-05-21 409088]

S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-03-31 428640]

S2 wordpressApache;wordpressApache;c:\progra~1\BITNAM~1\apache2\bin\httpd.exe [2010-10-17 20549]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]

S3 AODDriver;AODDriver;c:\program files (x86)\AMD\OverDrive\amd64\AODDriver.sys [2009-10-21 21048]

S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\DRIVERS\avfwim.sys [x]

S3 Envy24HFS;ICE Envy24 Family Audio Controller WDM 64 bit;c:\windows\system32\drivers\Envy24HF.sys [x]

S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]

S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]

S3 LVUVC64;Logitech Webcam 500(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

S3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\DRIVERS\swivspnt.sys [x]

S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]

2010-02-16 12:02 114688 ----a-w- c:\program files (x86)\PixiePack Codec Pack\InstallerHelper.exe

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-11 c:\windows\Tasks\GBM - Main Backup-Full.job

- c:\program files (x86)\Genie-Soft\GBMPro8\GBM8.exe [2010-02-26 22:27]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Ray\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Ray\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Ray\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 97792 ----a-w- c:\users\Ray\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-26 9650720]

"DRtray"="c:\program files (x86)\Spotmau\Data Recovery Kit\DRtray.exe" [2011-03-09 274240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x1

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Customize Menu - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Download all with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files (x86)\Free Download Manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: Send To &Bluetooth - c:\program files (x86)\Billionton\Bluetooth Software\btsendto_ie_ctx.htm

LSP: c:\program files (x86)\Avira\AntiVir Desktop\avsda.dll

FF - ProfilePath - c:\users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\febeprof.ray\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ncr

.

.

------- File Associations -------

.

.txt=

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKCU-Run-AdobeBridge - (no file)

Wow6432Node-HKLM-Run-SunJavaUpdateSched - c:\program files (x86)\Java\jre6\bin\jusched.exe

AddRemove-{0886900B-B2F3-452C-B580-60F1253F7F80} - c:\programdata\{0CC51CB2-911C-40BB-BC1B-BD3CAC590222}\Controller Editor Setup.exe

.

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\DUMeterSvc]

"ImagePath"="c:\program files (x86)\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"

"ImagePath"="\"c:\program files\CyberLink\Shared files\RichVideo64.exe\"\00Z

[\]^_a\00\00a\00\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~a\00\00a\00\00\00\00y\00\00\00\00\00\00\00\00¡®¡¯¡°"

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1793988044-2459401604-2689240586-1000\Software\SecuROM\License information*]

"datasecu"=hex:46,e9,12,b0,80,d7,fa,2d,b5,b0,37,bc,cc,dc,48,80,0e,02,e4,a8,f6,

d7,f6,de,85,a5,3d,b9,f9,87,7e,8b,1e,92,73,07,db,2d,38,1f,ae,0c,27,19,22,36,\

"rkeysecu"=hex:19,e2,15,05,0e,15,8b,bc,dc,12,a0,93,53,f7,51,a4

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-09-16 16:45:29
ComboFix-quarantined-files.txt 2011-09-16 09:45
.
Pre-Run: 103,869,063,168 bytes free
Post-Run: 119,560,892,416 bytes free
.
- - End Of File - - 804B825C1D74AA148416119D5E49ACF9

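The tail of a ComboFix log lists registry keys whose ACLs deny access to ordinary users, which is what the AllUserSettings and PCW\Security entries above are. Reading that section by hand across dozens of near-identical keys is tedious, so here is an added example (not part of the original post, and not ComboFix's own code) that parses it into records, resolves well-known SIDs (S-1-5-20 is NT AUTHORITY\NETWORK SERVICE), and separates the pattern seen in this log, the modem-class {4D36E96D-E325-11CE-BFC1-08002BE10318} AllUserSettings keys and Control\PCW\Security, from anything else that deserves a second look. The sample log is constructed in the same shape as the one above; the ExampleVendor\Hidden key is hypothetical and only exists to show the "review" bucket, and the "expected" classification is an assumption written for this log, not a rule ComboFix applies.

```python
"""Triage the registry-permission section of a ComboFix log.

Added example for this thread; not ComboFix's code. The "expected" set
below is an assumption based on the keys seen in the log above.
"""
import re
from dataclasses import dataclass, field

# Documented well-known Windows SIDs; anything else is passed through unchanged.
WELL_KNOWN_SIDS = {
    "S-1-5-18": r"NT AUTHORITY\SYSTEM",
    "S-1-5-19": r"NT AUTHORITY\LOCAL SERVICE",
    "S-1-5-20": r"NT AUTHORITY\NETWORK SERVICE",
    "S-1-5-32-544": r"BUILTIN\Administrators",
}

# Device setup class GUID for modems; the AllUserSettings keys in the log hang off it.
MODEM_CLASS_GUID = "{4D36E96D-E325-11CE-BFC1-08002BE10318}"

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ACE_RE = re.compile(r"^@(Denied|Allowed):\s*\(([^)]*)\)\s*\((.+)\)$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


@dataclass
class KeyEntry:
    path: str
    denied: list = field(default_factory=list)   # (rights-as-printed, principal)
    allowed: list = field(default_factory=list)
    values: dict = field(default_factory=dict)   # value name -> raw data


def parse_permissions(log_text):
    """Return one KeyEntry per [HKEY_...] block; '.' separators and blanks are skipped."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current = KeyEntry(path=m.group(1))
            entries.append(current)
            continue
        if current is None:
            continue  # text before the first key is not ours to parse
        m = ACE_RE.match(line)
        if m:
            kind, rights, principal = m.groups()
            principal = WELL_KNOWN_SIDS.get(principal, principal)
            (current.denied if kind == "Denied" else current.allowed).append((rights, principal))
            continue
        m = VALUE_RE.match(line)
        if m:
            current.values[m.group(1)] = m.group(2)
    return entries


def denies_everyone(entry):
    """True when the key carries an explicit deny for the Everyone group."""
    return any(principal == "Everyone" for _, principal in entry.denied)


def is_modem_class_key(entry):
    return MODEM_CLASS_GUID in entry.path and entry.path.endswith("AllUserSettings")


def triage(log_text):
    """Split entries into the pattern seen in this log ("expected") and the rest ("review").

    Assumption: modem-class AllUserSettings keys and Control\\PCW\\Security are the
    entries shown in the log above; everything else is handed back for a human look.
    """
    expected, review = [], []
    for entry in parse_permissions(log_text):
        if is_modem_class_key(entry) or entry.path.endswith(r"\Control\PCW\Security"):
            expected.append(entry)
        else:
            review.append(entry)
    return expected, review


# Constructed sample in the same shape as the log above. The ExampleVendor\Hidden
# key is hypothetical and exists only to exercise the "review" bucket.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\ExampleVendor\Hidden]
@Denied: (Full) (Everyone)
.
Completion time: 2011-09-16 16:45:29
"""

if __name__ == "__main__":
    expected, review = triage(SAMPLE_LOG)
    print(f"{len(expected)} key(s) match the pattern seen in this log")
    for entry in review:
        print("REVIEW:", entry.path, "denied:", entry.denied, "allowed:", entry.allowed)
```

The rights tokens such as `(A)`, `(B 1 2 3 4 5)` and `(Full)` are ComboFix's own shorthand and are carried through unchanged rather than interpreted. Running this over the complete log above puts every key in the "expected" bucket, which is the same conclusion LDTate draws below from reading it by eye.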

It is running okay, I guess... not that it was ever messed up, though.

I just have no idea how phishing files could have been uploaded from my IP to my websites, TWICE, without my authorization... (I'm not sharing my PC with family members or anyone else) and I really don't want it to happen a third time :(

Do you find something in the log, LDTate?


Do you find something in the log, LDTate?
Nothing other than what CF removed.

Be sure to uninstall CF.

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START > Run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7:

  • Click START > Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

If you used DeFogger:

To re-enable your Emulation drivers, double-click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.
