Hi, OCD

Quote Originally Posted by OCD:
I know this is a minor detail, but would you kindly post the logs in the sequence requested. It makes reviewing them easier if I don't have to scroll back and forth to see what items have been removed.
I appreciate your cooperation.

I'm so sorry for that, won't do it again.

Here's the log:


ComboFix 13-11-22.01 - Korisnik 2.11.2013. 21:33:52.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.385.1033.18.1935.1323 [GMT 1:00]
Running from: c:\users\Korisnik\Desktop\ComboFix.exe
Command switches used :: c:\users\Korisnik\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Korisnik\AppData\Roaming\Mozilla\Firefox\Profiles\x1sb23sa.default\extensions\{158d7cb3-7039-4a75-8e0b-3bd0a464edd2}.xpi
c:\windows\iun6002.exe
c:\windows\system32\FlashPlayerApp.exe
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2013-10-22 to 2013-11-22 )))))))))))))))))))))))))))))))
.
.
2013-11-22 20:42 . 2013-11-22 20:43 -------- d-----w- c:\users\Korisnik\AppData\Local\temp
2013-11-22 20:42 . 2013-11-22 20:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-22 15:59 . 2013-11-22 15:59 -------- d-----w- C:\_OTL
2013-11-22 15:49 . 2013-11-22 15:49 26624 ----a-w- c:\windows\system32\TrueSight.sys
2013-11-21 19:50 . 2013-11-21 19:50 -------- d-----w- c:\program files\SystemRequirementsLab
2013-11-21 19:50 . 2013-11-21 19:50 -------- d-----w- c:\users\Korisnik\AppData\Roaming\SystemRequirementsLab
2013-11-19 17:38 . 2013-11-19 17:38 -------- d-----w- c:\users\Korisnik\AppData\Roaming\AVAST Software
2013-11-08 08:23 . 2013-11-08 08:23 -------- d-----w- c:\program files\iPod
2013-11-08 08:23 . 2013-11-08 08:25 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-11-08 08:23 . 2013-11-08 08:25 -------- d-----w- c:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-22 17:09 . 2013-05-22 00:00 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-19 17:31 . 2013-05-21 09:43 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-11-19 17:31 . 2013-05-21 09:43 35656 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-11-19 17:31 . 2013-05-21 09:43 403440 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-11-19 17:31 . 2013-05-21 09:43 774392 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-11-19 17:31 . 2013-05-21 09:43 178304 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-11-19 17:31 . 2013-05-21 09:42 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-11-19 17:31 . 2013-05-21 09:42 70384 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-11-19 17:31 . 2013-05-21 09:43 79720 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-11-19 17:31 . 2013-05-21 09:42 269216 ----a-w- c:\windows\system32\aswBoot.exe
2013-11-19 17:31 . 2013-05-21 09:41 43152 ----a-w- c:\windows\avastSS.scr
2013-10-20 22:50 . 2013-10-20 22:51 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-08-24 21:41 . 2013-06-27 14:08 499712 ----a-w- c:\windows\system32\msvcp71.dll
2013-08-24 21:41 . 2013-06-27 14:08 348160 ----a-w- c:\windows\system32\msvcr71.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-11-19 17:30 321752 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2013-07-09 1591808]
"SearchProtection"="c:\users\Korisnik\AppData\Roaming\Search Protection\SearchProtection.EXE" [2013-09-03 832360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI.exe" [2012-03-06 5655144]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-12-14 146032]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-12-14 181360]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-14 190064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-10-14 2299176]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe" [2012-09-12 56128]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2013-04-16 3667600]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2013-04-16 71312]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-08-30 979328]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2013-08-24 295512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-11-01 152392]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-11-19 3568312]
.
c:\users\Korisnik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
Wipe tray agent 2013.lnk - c:\program files\Wipe 2013\wipetray.exe startup [2013-10-15 216880]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
CodeMeter Control Center.lnk - c:\program files\CodeMeter\Runtime\bin\CodeMeterCC.exe [2012-11-21 8443832]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-05-08 16:24 18678376 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-07-02 07:16 254336 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\drivers\asmthub3.sys [2012-08-20 110408]
R3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\drivers\asmtxhci.sys [2012-08-20 331080]
R3 b06diag;Broadcom NetXtreme II Diag Driver;c:\windows\system32\drivers\bxdiagx.sys [2012-03-08 75816]
R3 BFN7x86;Bigfoot Networks Killer Gaming Service;c:\windows\system32\drivers\Xeno7x86.sys [2012-02-22 130152]
R3 bxfcoe;bxfcoe;c:\windows\system32\drivers\bxfcoe.sys [2012-02-22 150568]
R3 bxois;bxois;c:\windows\system32\drivers\bxois.sys [2012-02-22 435240]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\System32\Drivers\EtronHub3.sys [2012-07-24 65152]
R3 EtronSTOR;Etron Enhance USB BOT/UASP Mass Storage Driver;c:\windows\System32\Drivers\EtronSTOR.sys [2012-07-24 32512]
R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\System32\Drivers\EtronXHCI.sys [2012-07-24 88832]
R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\drivers\iusb3hub.sys [2012-12-04 351288]
R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\drivers\iusb3xhc.sys [2012-12-04 796216]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2011-10-25 73984]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2011-10-25 165120]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-03-23 14848]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2013-03-23 24064]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-03-23 49664]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2013-03-23 27136]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 iaStorA;iaStorA;c:\windows\system32\DRIVERS\iaStorA.sys [2012-09-01 532536]
S0 iaStorF;iaStorF;c:\windows\system32\DRIVERS\iaStorF.sys [2012-09-01 25656]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-11-19 774392]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-11-19 403440]
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-05-14 759048]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-11-17 87968]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-11-19 35656]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-11-19 70384]
S2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\CodeMeter\Runtime\bin\CodeMeter.exe [2012-11-21 2571704]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-09-01 14904]
S2 IconMan_R;IconMan_R;c:\program files\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2012-09-13 1830544]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [2013-08-14 39056]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 MEI;Intel(R) Management Engine Interface ;c:\windows\system32\DRIVERS\HECI.sys [2012-07-17 55104]
S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\DRIVERS\RtsP2Stor.sys [2012-09-19 209552]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2012-06-12 552080]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-11-15 14:44 1210320 ----a-w- c:\program files\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-22 17:09]
.
2013-11-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-05-21 09:26]
.
2013-11-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-05-21 09:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.hr/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Korisnik\AppData\Roaming\Mozilla\Firefox\Profiles\x1sb23sa.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo
FF - prefs.js: browser.startup.homepage - hxxp://mindmillion.com/inspiration.html
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=512435&p=
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-09-28 21:17; notreal.ccoptions@environmentalchemistry.com; c:\users\Korisnik\AppData\Roaming\Mozilla\Firefox\Profiles\x1sb23sa.default\extensions\notreal.ccoptions@environmentalchemistry.com.xpi
FF - ExtSQL: 2013-10-02 18:42; {1280606b-2510-4fe0-97ef-9b5a22eafe30}; c:\users\Korisnik\AppData\Roaming\Mozilla\Firefox\Profiles\x1sb23sa.default\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi
FF - ExtSQL: 2013-10-02 19:27; {24cea704-946d-11da-a72b-0800200c9a66}; c:\users\Korisnik\AppData\Roaming\Mozilla\Firefox\Profiles\x1sb23sa.default\extensions\{24cea704-946d-11da-a72b-0800200c9a66}.xpi
FF - ExtSQL: 2013-10-02 19:27; {03B08592-E5B4-45ff-A0BE-C1D975458688}; c:\users\Korisnik\AppData\Roaming\Mozilla\Firefox\Profiles\x1sb23sa.default\extensions\{03B08592-E5B4-45ff-A0BE-C1D975458688}
FF - ExtSQL: 2013-10-05 15:06; {158d7cb3-7039-4a75-8e0b-3bd0a464edd2}; c:\users\Korisnik\AppData\Roaming\Mozilla\Firefox\Profiles\x1sb23sa.default\extensions\{158d7cb3-7039-4a75-8e0b-3bd0a464edd2}.xpi
FF - ExtSQL: 2013-10-05 15:16; {139a120b-c2ea-41d2-bf70-542d9f063dfd}; c:\users\Korisnik\AppData\Roaming\Mozilla\Firefox\Profiles\x1sb23sa.default\extensions\{139a120b-c2ea-41d2-bf70-542d9f063dfd}.xpi
FF - ExtSQL: 2013-10-05 15:25; {54BB9F3F-07E5-486c-9B39-C7398B99391C}; c:\users\Korisnik\AppData\Roaming\Mozilla\Firefox\Profiles\x1sb23sa.default\extensions\{54BB9F3F-07E5-486c-9B39-C7398B99391C}.xpi
FF - ExtSQL: 2013-11-08 02:07; {5546F97E-11A5-46b0-9082-32AD74AAA920}; c:\users\Korisnik\AppData\Roaming\Mozilla\Firefox\Profiles\x1sb23sa.default\extensions\{5546F97E-11A5-46b0-9082-32AD74AAA920}
FF - ExtSQL: 2013-11-22 20:52; foxcconverter@gmail.com; c:\users\Korisnik\AppData\Roaming\Mozilla\Firefox\Profiles\x1sb23sa.default\extensions\foxcconverter@gmail.com.xpi
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);user_pref('extensions.blocklist.enabled', false);FF - user.js: extentions.webcake.installId - 4c25f721-dde9-4592-8c09-c5e91446a22b
FF - user.js: extentions.webcake.defaultEnableAppsList - layers/banner,layers/inline,layers/search,layers/shopping,newOffers/wc
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-SouthParkMario2.1 - c:\windows\iun6002.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-11-22 21:47:19
ComboFix-quarantined-files.txt 2013-11-22 20:47
ComboFix2.txt 2013-11-22 16:25
.
Pre-Run: 27.562.418.176 bytes free
Post-Run: 27.260.485.632 bytes free
.
- - End Of File - - B97B1E0DA2CC988BA47CDC0F651DFB8E
A36C5E4F47E84449FF07ED3517B43A31