Win32/VB.QOX trojan



theboywhospokeclouds
2012-09-18, 04:03
Hi there,

Eset Smart Security is continually finding a trojan operating in my memory, but cannot clean it.

It is located in c:\windows\sysWOW64\svchost.exe - and is given the name: Win32/VB.QOX trojan

At this point my computer doesn't seem to be adversely affected; it's maybe a little sluggish compared to normal? I am more worried that my security is being compromised in some way.

Here is the DDS log and please find 'attach.txt' attached as a zip file:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.7.2
Run by Adam Casey at 10:37:14 on 2012-09-18
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.6143.3546 [GMT 10:00]
.
AV: ESET Smart Security 5.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 5.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\SysWOW64\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
C:\Program Files\LaCie\Desktop Manager\lacie_dm_service.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Users\Adam Casey\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Users\Adam Casey\AppData\Local\Akamai\netsession_win.exe
C:\Users\Adam Casey\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files (x86)\MOTU\Audio\MFWAKeys.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
"C:\Windows\system32\svchost.exe"
C:\Users\Adam Casey\AppData\Roaming\AnyDVD.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
C:\Windows\splwow64.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO: Virtual Storage Mount Notification: {5ff49fe8-b332-4cb9-b102-fb6951629e55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [googletalk] C:\Users\Adam Casey\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
uRun: [Google Update] "C:\Users\Adam Casey\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Akamai NetSession Interface] "C:\Users\Adam Casey\AppData\Local\Akamai\netsession_win.exe"
uRun: [AdobeBridge]
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [SlySoft] C:\Users\Adam Casey\AppData\Roaming\AnyDVD.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MOTUPE~1.LNK - C:\Program Files (x86)\MOTU\Audio\MFWAKeys.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 211.31.138.11 211.29.132.12
TCP: Interfaces\{ADBC1785-9A23-4088-B258-206CAAA7ACD4} : DhcpNameServer = 198.142.0.51 61.88.88.88
TCP: Interfaces\{C12FFEF7-FE00-4E94-A696-AE911DA716F9} : DhcpNameServer = 198.142.0.51 61.88.88.88
TCP: Interfaces\{F907E1BF-CC5A-43D6-8FCA-32738CB2B923} : DhcpNameServer = 211.31.138.11 211.29.132.12
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
STS: Virtual Storage Mount Notification: {5ff49fe8-b332-4cb9-b102-fb6951629e55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - C:\Program Files (x86)\Qualcomm\Eudora\EuShlExt.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
BHO-X64: Virtual Storage Mount Notification: {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
BHO-X64: Virtual Storage Mount Notification - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [SlySoft] C:\Users\Adam Casey\AppData\Roaming\AnyDVD.exe
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
SSODL-X64: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
STS-X64: Virtual Storage Mount Notification: {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll
SEH-X64: Eudora's Shell Extension: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files (x86)\Qualcomm\Eudora\EuShlExt.dll
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Adam Casey\AppData\Roaming\Mozilla\Firefox\Profiles\u88r5vt9.default\
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: C:\Program Files (x86)\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Adam Casey\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Users\Adam Casey\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Users\Adam Casey\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Adam Casey\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 epfwwfp;epfwwfp;C:\Windows\system32\DRIVERS\epfwwfp.sys --> C:\Windows\system32\DRIVERS\epfwwfp.sys [?]
R1 eamonm;eamonm;C:\Windows\system32\DRIVERS\eamonm.sys --> C:\Windows\system32\DRIVERS\eamonm.sys [?]
R1 EpfwLWF;Epfw NDIS LightWeight Filter;C:\Windows\system32\DRIVERS\EpfwLWF.sys --> C:\Windows\system32\DRIVERS\EpfwLWF.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-23 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-13 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-12 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-7-28 63960]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-14 20992]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2012-3-7 913144]
R2 LaCieDesktopManagerService;LaCieDesktopManagerService;C:\Program Files\LaCie\Desktop Manager\lacie_dm_service.exe [2011-8-29 1118208]
R2 NIHardwareService;NIHardwareService;C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [2010-3-26 5018624]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-7-21 1153368]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-8-13 3064000]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 MFWAMIDI64;MOTU Audio MIDI for 64 bit;C:\Windows\system32\drivers\MFWAMIDI64.sys --> C:\Windows\system32\drivers\MFWAMIDI64.sys [?]
R3 MFWAWAVE64;MOTU Audio Wave for 64 bit;C:\Windows\system32\drivers\MFWAWAVE64.sys --> C:\Windows\system32\drivers\MFWAWAVE64.sys [?]
R3 motubus;MOTU Audio MIDI Extension;C:\Windows\system32\drivers\MotuBus64.sys --> C:\Windows\system32\drivers\MotuBus64.sys [?]
R3 MotuFWA64;MotuFWA64;C:\Windows\system32\drivers\Motufwa64.sys --> C:\Windows\system32\drivers\Motufwa64.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 135664]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-3 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-3 250568]
S3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2012-5-18 245760]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 135664]
S3 ivusb;Initio Driver for USB Default Controller;C:\Windows\system32\DRIVERS\ivusb.sys --> C:\Windows\system32\DRIVERS\ivusb.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 31125880]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-25 114144]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\system32\DRIVERS\netaapl64.sys --> C:\Windows\system32\DRIVERS\netaapl64.sys [?]
S3 OXSDIDRV_x64;Oxford Semi eSATA Filter (x64);C:\Windows\system32\DRIVERS\OXSDIDRV_x64.sys --> C:\Windows\system32\DRIVERS\OXSDIDRV_x64.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8192cu.sys --> C:\Windows\system32\DRIVERS\RTL8192cu.sys [?]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 SynUSB64;SynUSB64;C:\Windows\system32\DRIVERS\SynUSB64.sys --> C:\Windows\system32\DRIVERS\SynUSB64.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
.
=============== Created Last 30 ================
.
2012-09-18 00:10:40 647168 ----a-w- C:\Windows\AutoKMS.exe
2012-09-18 00:10:17 78848 ----a-w- C:\Windows\KMSEmulator.exe
2012-09-18 00:09:56 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2012-09-18 00:09:18 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-09-18 00:09:18 -------- d-----w- C:\Program Files\iTunes
2012-09-18 00:09:18 -------- d-----w- C:\Program Files\iPod
2012-09-18 00:09:18 -------- d-----w- C:\Program Files (x86)\iTunes
2012-09-12 11:44:06 720896 ----a-w- C:\Users\Adam Casey\AppData\Roaming\90KC17I5UF8Y1p2o3e.exe
2012-09-12 11:28:49 104960 ----a-w- C:\Users\Adam Casey\AppData\Roaming\AnyDVD.exe
2012-09-12 11:28:46 108451 --sh--w- C:\Users\Adam Casey\AppData\Roaming\mswinsck.ocx
2012-09-12 11:28:33 104960 ----a-w- C:\Users\Adam Casey\AppData\Roaming\EI5H5TT5JV8A1T1r2e3v.exe
2012-09-11 20:21:59 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys
2012-09-11 20:21:58 41472 ----a-w- C:\Windows\System32\drivers\RNDISMP.sys
2012-09-11 20:21:57 574464 ----a-w- C:\Windows\System32\d3d10level9.dll
2012-09-11 20:21:57 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll
2012-09-11 20:21:55 376688 ----a-w- C:\Windows\System32\drivers\netio.sys
2012-09-11 20:21:55 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-09-11 20:21:55 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-09-11 10:12:29 -------- d-----w- C:\Users\Adam Casey\AppData\Roaming\MyFolder
2012-09-10 11:01:26 -------- d-----w- C:\Cakewalk Projects
2012-09-04 05:16:09 -------- d-----w- C:\Users\Adam Casey\AppData\Roaming\ESET
2012-09-04 05:16:09 -------- d-----w- C:\Users\Adam Casey\AppData\Local\ESET
2012-09-04 05:12:52 -------- d-----w- C:\Program Files\ESET
2012-09-04 05:09:49 514560 ----a-w- C:\Windows\SysWow64\qdvd.dll
2012-09-04 05:09:49 366592 ----a-w- C:\Windows\System32\qdvd.dll
2012-09-02 14:38:31 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-31 23:45:12 16 ----a-w- C:\Windows\SysWow64\msvcsv60.dll
2012-08-31 23:41:23 -------- d-----w- C:\Program Files (x86)\IK Multimedia
2012-08-31 05:12:50 73696 ----a-w- C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-08-30 06:01:01 -------- d-----w- C:\Program Files (x86)\ZAR
2012-08-27 23:36:16 -------- d-----w- C:\Program Files\MOTU
2012-08-27 23:36:16 -------- d-----w- C:\Program Files (x86)\MOTU
2012-08-26 21:02:35 -------- d-----w- C:\Windows\pss
2012-08-22 23:42:40 -------- d-----w- C:\Program Files (x86)\Winamp Detect
2012-08-21 20:31:55 206336 ----a-w- C:\Windows\System32\unrar.dll
2012-08-21 20:31:55 148992 ----a-w- C:\Windows\System32\lagarith.dll
2012-08-21 20:31:52 127488 ----a-w- C:\Windows\System32\ff_vfw.dll
2012-08-21 20:31:50 -------- d-----w- C:\Program Files\K-Lite Codec Pack x64
2012-08-21 20:15:36 650752 ----a-w- C:\Windows\SysWow64\xvidcore.dll
2012-08-21 20:15:36 243200 ----a-w- C:\Windows\SysWow64\xvidvfw.dll
2012-08-21 20:15:36 216064 ----a-w- C:\Windows\SysWow64\lagarith.dll
2012-08-21 20:15:32 151552 ----a-w- C:\Windows\SysWow64\ac3acm.acm
2012-08-21 20:15:28 112640 ----a-w- C:\Windows\SysWow64\ff_vfw.dll
2012-08-21 05:45:21 -------- d-----w- C:\Users\Adam Casey\AppData\Roaming\4Front
2012-08-19 10:52:23 -------- dc-h--w- C:\ProgramData\{0F90C280-4264-421D-B061-171A009C45E3}
2012-08-19 10:51:07 -------- dc-h--w- C:\ProgramData\{FB9DCDD5-FDBE-4EED-A03A-BA8F086DC950}
2012-08-19 10:49:45 -------- dc-h--w- C:\ProgramData\{A088C926-8EF0-4CFF-A473-EB879919E63A}
2012-08-19 10:48:35 -------- dc-h--w- C:\ProgramData\{84BD2490-E07B-459A-85CD-649AABFCE52D}
2012-08-19 10:47:01 -------- dc-h--w- C:\ProgramData\{E2CB91C4-F65B-43A3-AF20-333B2663A78A}
2012-08-19 10:38:08 -------- d-----w- C:\Users\Adam Casey\TruePianos Settings
2012-08-19 10:34:51 -------- d-----w- C:\ProgramData\Native Instruments
2012-08-19 10:30:39 -------- dc-h--w- C:\ProgramData\{D7CFB71A-972A-44FF-AE44-8780EB53ABB2}
2012-08-19 10:30:36 -------- d-----w- C:\Program Files\Native Instruments
2012-08-19 10:30:36 -------- d-----w- C:\Program Files\Common Files\Native Instruments
2012-08-19 10:22:53 368640 ----a-w- C:\Windows\SysWow64\ReWire.dll
2012-08-19 10:22:50 487424 ----a-w- C:\Windows\SysWow64\msvcp70.dll
2012-08-19 10:22:50 344064 ----a-w- C:\Windows\SysWow64\msvcr70.dll
2012-08-19 10:22:50 1047552 ----a-w- C:\Windows\SysWow64\mfc71u.dll
2012-08-19 10:14:04 -------- d-----w- C:\Cakewalk Content
2012-08-19 10:08:52 -------- d-----w- C:\ProgramData\Cakewalk
.
==================== Find3M ====================
.
2012-09-03 08:17:43 73416 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-03 08:17:43 696520 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-09-02 14:38:19 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-09-02 14:38:19 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-08-21 03:01:20 125872 ----a-w- C:\Windows\System32\GEARAspi64.dll
2012-08-21 03:01:20 106928 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
2012-08-18 12:53:12 14848 ----a-w- C:\Windows\System32\slwga.dll
2012-08-18 12:53:12 13824 ----a-w- C:\Windows\SysWow64\slwga.dll
2012-08-18 12:53:11 833024 ----a-w- C:\Windows\SysWow64\user32.dll
2012-08-18 12:53:11 1008640 ----a-w- C:\Windows\System32\user32.dll
2012-07-18 18:15:06 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-04 22:13:27 59392 ----a-w- C:\Windows\System32\browcli.dll
2012-07-04 22:13:27 136704 ----a-w- C:\Windows\System32\browser.dll
2012-07-04 21:14:34 41984 ----a-w- C:\Windows\SysWow64\browcli.dll
2012-07-04 17:43:02 419840 ----a-w- C:\Windows\System32\systemcpl.dll
2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-01-07 01:28:38 102400 ----a-w- C:\Program Files\RemoteVolumeControl.exe
.
============= FINISH: 10:43:26.70 ===============

Hi there,

I ran a scan with 'aswMBR' as you suggested and the computer froze mid-scan (after it had found a couple of viruses it seems). I tried running it again after resetting and the same thing happened, so my apologies, but I can't upload a log from that scan. After I rebooted the second time the computer wanted to do a pre-boot scan of the C: and it was getting frozen at 49% every time.

regards,

Adam

jeffce
2012-09-18, 23:43

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)

Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan but do nothing else as we are just looking for what is there.
If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
Attach the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------

theboywhospokeclouds
2012-09-19, 00:28
Please find TDSSKiller log attached in a zip file.

jeffce
2012-09-19, 00:48
Hi,

Download Combofix from the link below, and save it to your desktop.
Link (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html)

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.
----------

theboywhospokeclouds
2012-09-19, 10:34
ComboFix 12-09-18.06 - Adam Casey 19/09/2012 8:18.3.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.6143.3667 [GMT 10:00]
Running from: c:\users\Adam Casey\Desktop\ComboFix.exe
AV: ESET Smart Security 5.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Disabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 5.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 24 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Adam Casey\AppData\Local\Microsoft\Windows\Temporary Internet Files\{6E7E49B6-1129-4B71-8B97-609B431696D1}.xps
c:\users\Adam Casey\AppData\Roaming\90KC17I5UF8Y1p2o3e.exe
c:\users\Adam Casey\AppData\Roaming\Anuqk
c:\users\Adam Casey\AppData\Roaming\Anuqk\comyg.ixb
c:\users\Adam Casey\AppData\Roaming\AnyDVD.exe
c:\users\Adam Casey\AppData\Roaming\EI5H5TT5JV8A1T1r2e3v.exe
c:\users\Adam Casey\AppData\Roaming\mswinsck.ocx
c:\users\Adam Casey\AppData\Roaming\MyFolder
c:\windows\iun6002.exe
c:\windows\SysWow64\msvcsv60.dll
c:\windows\XSxS
G:\autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-08-18 to 2012-09-18 )))))))))))))))))))))))))))))))
.
.
2012-09-18 23:06 . 2012-09-18 23:06 78848 ----a-w- c:\windows\KMSEmulator.exe
2012-09-18 00:10 . 2012-09-18 00:10 647168 ----a-w- c:\windows\AutoKMS.exe
2012-09-18 00:09 . 2012-08-21 03:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-09-18 00:09 . 2012-09-18 00:09 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-09-18 00:09 . 2012-09-18 00:09 -------- d-----w- c:\program files\iTunes
2012-09-18 00:09 . 2012-09-18 00:09 -------- d-----w- c:\program files (x86)\iTunes
2012-09-18 00:09 . 2012-09-18 00:09 -------- d-----w- c:\program files\iPod
2012-09-11 20:21 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-11 20:21 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-11 20:21 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-11 20:21 . 2012-08-02 16:57 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2012-09-11 20:21 . 2012-08-22 18:12 1913200 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-11 20:21 . 2012-08-22 18:12 376688 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-11 20:21 . 2012-08-22 18:12 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-10 11:01 . 2012-09-10 11:01 -------- d-----w- C:\Cakewalk Projects
2012-09-04 05:16 . 2012-09-04 05:16 -------- d-----w- c:\users\Adam Casey\AppData\Local\ESET
2012-09-04 05:12 . 2012-09-04 05:12 -------- d-----w- c:\program files\ESET
2012-09-04 05:09 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-09-04 05:09 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-09-02 14:39 . 2012-09-02 14:39 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-09-02 14:38 . 2012-09-02 14:38 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-31 23:41 . 2012-08-31 23:41 -------- d-----w- c:\program files (x86)\IK Multimedia
2012-08-31 05:12 . 2012-08-31 05:12 73696 ----a-w- c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-08-30 06:01 . 2012-08-31 04:40 -------- d-----w- c:\program files (x86)\ZAR
2012-08-27 23:36 . 2012-08-27 23:36 -------- d-----w- c:\program files\MOTU
2012-08-27 23:36 . 2012-08-27 23:36 -------- d-----w- c:\program files (x86)\MOTU
2012-08-25 10:43 . 2012-08-25 22:27 -------- d-----w- c:\users\Adam Casey\AppData\Roaming\dvdcss
2012-08-22 23:42 . 2012-08-22 23:42 -------- d-----w- c:\program files (x86)\Winamp Detect
2012-08-22 23:42 . 2012-08-23 05:45 -------- d-----w- c:\users\Adam Casey\AppData\Roaming\Winamp
2012-08-22 23:42 . 2012-08-23 00:39 -------- d-----w- c:\program files (x86)\Winamp
2012-08-21 20:31 . 2012-06-09 17:21 206336 ----a-w- c:\windows\system32\unrar.dll
2012-08-21 20:31 . 2011-12-07 17:37 148992 ----a-w- c:\windows\system32\lagarith.dll
2012-08-21 20:31 . 2012-08-17 18:00 127488 ----a-w- c:\windows\system32\ff_vfw.dll
2012-08-21 20:31 . 2012-08-21 20:31 -------- d-----w- c:\program files\K-Lite Codec Pack x64
2012-08-21 20:15 . 2011-12-07 17:32 216064 ----a-w- c:\windows\SysWow64\lagarith.dll
2012-08-21 20:15 . 2011-06-24 14:44 243200 ----a-w- c:\windows\SysWow64\xvidvfw.dll
2012-08-21 20:15 . 2011-06-24 14:28 650752 ----a-w- c:\windows\SysWow64\xvidcore.dll
2012-08-21 20:15 . 2011-12-21 17:14 151552 ----a-w- c:\windows\SysWow64\ac3acm.acm
2012-08-21 20:15 . 2012-08-17 18:00 112640 ----a-w- c:\windows\SysWow64\ff_vfw.dll
2012-08-21 05:45 . 2012-08-21 05:45 -------- d-----w- c:\users\Adam Casey\AppData\Roaming\4Front
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-11 20:24 . 2011-07-24 03:56 64462936 ----a-w- c:\windows\system32\MRT.exe
2012-09-03 08:17 . 2012-04-02 20:12 696520 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-09-03 08:17 . 2011-07-21 06:33 73416 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-02 14:38 . 2012-07-29 12:45 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-09-02 14:38 . 2011-07-21 08:24 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-21 03:01 . 2011-07-21 06:44 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-08-21 03:01 . 2011-07-21 06:44 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2012-08-18 12:53 . 2011-07-22 11:00 14848 ----a-w- c:\windows\system32\slwga.dll
2012-08-18 12:53 . 2011-07-22 11:00 13824 ----a-w- c:\windows\SysWow64\slwga.dll
2012-08-18 12:53 . 2011-07-22 11:02 1008640 ----a-w- c:\windows\system32\user32.dll
2012-08-18 12:53 . 2011-07-22 11:01 833024 ----a-w- c:\windows\SysWow64\user32.dll
2012-07-30 14:27 . 2012-07-30 14:27 65536 ----a-r- c:\users\Adam Casey\AppData\Roaming\Microsoft\Installer\{CDEBE7FF-C832-4B91-9214-A4CA610D78C9}\ARPPRODUCTICON.exe
2012-07-18 18:15 . 2012-08-15 08:11 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-09 03:42 . 2012-07-09 03:42 4547984 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-07-09 03:42 . 2012-07-09 03:42 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-07-04 22:16 . 2012-08-15 08:11 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-07-04 22:13 . 2012-08-15 08:11 59392 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 22:13 . 2012-08-15 08:11 136704 ----a-w- c:\windows\system32\browser.dll
2012-07-04 21:14 . 2012-08-15 08:11 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-07-04 17:43 . 2012-07-04 17:43 419840 ----a-w- c:\windows\system32\systemcpl.dll
2012-06-29 04:55 . 2012-08-15 12:12 17809920 ----a-w- c:\windows\system32\mshtml.dll
2012-06-29 04:09 . 2012-08-15 12:12 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-06-29 03:56 . 2012-08-15 12:12 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 03:49 . 2012-08-15 12:12 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-29 03:49 . 2012-08-15 12:12 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 03:48 . 2012-08-15 12:12 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 03:47 . 2012-08-15 12:12 237056 ----a-w- c:\windows\system32\url.dll
2012-06-29 03:45 . 2012-08-15 12:12 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-29 03:44 . 2012-08-15 12:12 816640 ----a-w- c:\windows\system32\jscript.dll
2012-06-29 03:43 . 2012-08-15 12:12 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 03:42 . 2012-08-15 12:12 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-29 03:40 . 2012-08-15 12:12 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-29 03:39 . 2012-08-15 12:12 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-29 03:35 . 2012-08-15 12:12 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-29 00:16 . 2012-08-15 12:12 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-29 00:09 . 2012-08-15 12:12 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-29 00:08 . 2012-08-15 12:12 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-29 00:04 . 2012-08-15 12:12 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-29 00:00 . 2012-08-15 12:12 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-01-07 01:28 . 2012-01-07 01:28 102400 ----a-w- c:\program files\RemoteVolumeControl.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-08-18 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\users\Adam Casey\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Akamai NetSession Interface"="c:\users\Adam Casey\AppData\Local\Akamai\netsession_win.exe" [2012-08-10 4440896]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-11 1523360]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-02 252848]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-27 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-09 421776]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
MOTU Pedal Service.lnk - c:\program files (x86)\MOTU\Audio\MFWAKeys.exe [2012-6-4 1457552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files (x86)\Qualcomm\Eudora\EuShlExt.dll" [2005-11-14 86016]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 135664]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-03 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-03 250568]
R3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe [2010-01-24 245760]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 135664]
R3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys [x]
R3 huawei_cdcecm;huawei_cdcecm;c:\windows\system32\DRIVERS\ew_jucdcecm.sys [x]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
R3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\DRIVERS\ew_juextctrl.sys [x]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-07-28 29720]
R3 MFWAMIDI64;MOTU Audio MIDI for 64 bit;c:\windows\system32\drivers\MFWAMIDI64.sys [2012-06-04 32408]
R3 MFWAWAVE64;MOTU Audio Wave for 64 bit;c:\windows\system32\drivers\MFWAWAVE64.sys [2012-06-04 82584]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 MotuFWA64;MotuFWA64;c:\windows\system32\drivers\Motufwa64.sys [2012-06-04 609944]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-08-31 114144]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2011-05-09 22528]
R3 OXSDIDRV_x64;Oxford Semi eSATA Filter (x64);c:\windows\system32\DRIVERS\OXSDIDRV_x64.sys [2009-09-27 51760]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys [2010-04-09 627744]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 SynUSB64;SynUSB64;c:\windows\system32\DRIVERS\SynUSB64.sys [2007-10-24 29432]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-08-18 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2012-03-13 62496]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2012-03-13 209768]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2012-03-13 148528]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys [2012-03-13 38288]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-19 203776]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [2012-03-07 913144]
S2 LaCieDesktopManagerService;LaCieDesktopManagerService;c:\program files\LaCie\Desktop Manager\lacie_dm_service.exe [2009-12-02 1118208]
S2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [2010-03-25 5018624]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-08-13 3064000]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-19 9319936]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-19 306176]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-17 47616]
S3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\MotuBus64.sys [2012-06-04 29848]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-27 395264]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-12-06 13:18 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 08:17]
.
2012-09-18 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS.exe [2012-09-18 00:10]
.
2012-09-18 c:\windows\Tasks\AutoKMSDaily.job
- c:\windows\AutoKMS.exe [2012-09-18 00:10]
.
2012-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 11:51]
.
2012-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 11:51]
.
2012-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2815916078-2259092287-661349574-1000Core.job
- c:\users\Adam Casey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-19 10:53]
.
2012-09-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2815916078-2259092287-661349574-1000UA.job
- c:\users\Adam Casey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-19 10:53]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2012-09-04 4081008]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com.au/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 211.31.138.11 211.29.132.12
FF - ProfilePath - c:\users\Adam Casey\AppData\Roaming\Mozilla\Firefox\Profiles\u88r5vt9.default\
FF - prefs.js: browser.startup.homepage - www.google.com.au
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
ShellIconOverlayIdentifiers-{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} - c:\windows\SysWOW64\CbFsMntNtf3.dll
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKLM-Run-SlySoft - c:\users\Adam Casey\AppData\Roaming\AnyDVD.exe
AddRemove-dBpoweramp FLAC Codec - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpoweramp m4a Codec - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpoweramp Monkeys Audio Codec - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpoweramp Music Converter - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpoweramp Ogg Vorbis Codec - c:\windows\system32\SpoonUninstall.exe
AddRemove-dBpoweramp WavPack Codec - c:\windows\system32\SpoonUninstall.exe
AddRemove-Drumagog 4 Platinum4.11 - c:\windows\iun6002.exe
AddRemove-Native Instruments GuitarRig Mobile IO Driver - c:\programdata\{4F32CAF7-963B-404D-BF13-C48BA3F5F6A7}\GuitarRig Mobile IO Driver Setup.exe
AddRemove-Native Instruments Session IO Driver - c:\programdata\{AC46DC4F-66BD-4733-A8B4-0B69418C12D0}\Session IO Driver Setup.exe
AddRemove-XPort 360_is1 - g:\downloads\XPort 360\unins000.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_5891ae0.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SysWOW64\bgsvcgen.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
.
**************************************************************************
.
Completion time: 2012-09-19 09:20:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-18 23:20
.
Pre-Run: 26,211,696,640 bytes free
Post-Run: 26,720,079,872 bytes free
.
- - End Of File - - B19A9A7A2AF0310B5B1C0D64D79DD71A

jeffce
2012-09-19, 14:58
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

**If you are using a 64-bit system, please use either of the following links for your download instead:
Link 1 (http://jpshortstuff.247fixes.com/SystemLook_x64.exe)
Link 2 (http://images.malwareremoval.com/jpshortstuff/SystemLook_x64.exe)

Right-click SystemLook.exe and choose Run as Administrator to run it.
Copy the content within the following codebox into the main textfield:

:filefind
*user32*

Click the Look button to start the scan.
When finished, a Notepad window will open with the results of the scan. Please post this log in your next reply.
Note: the log is also saved on your Desktop as SystemLook.txt

theboywhospokeclouds
2012-09-20, 00:31
Hi there,

Yes: I'm using 64 bit Windows 7. Forgot to mention that: apologies. :confused:

Here is the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 07:24 on 20/09/2012 by Adam Casey
Administrator - Elevation successful

========== filefind ==========

Searching for "*user32*"
C:\Windows\ERDNT\cache64\user32.dll --a---- 1008128 bytes [14:16 18/08/2011] [13:27 20/11/2010] FE70103391A64039A921DBFFF9C7AB1B
C:\Windows\ERDNT\cache86\user32.dll --a---- 833024 bytes [14:16 18/08/2011] [12:08 20/11/2010] 5E0DB2D8B2750543CD2EBB9EA8E6CDD3
C:\Windows\System32\user32.dll --a---- 1008640 bytes [11:02 22/07/2011] [12:53 18/08/2012] 2C353B6CE0C8D03225CAA2AF33B68D79
C:\Windows\System32\user32.dll.bak --a---- 1008128 bytes [11:02 22/07/2011] [13:27 20/11/2010] FE70103391A64039A921DBFFF9C7AB1B
C:\Windows\System32\en-US\user32.dll.mui --a---- 17920 bytes [10:59 22/07/2011] [12:58 20/11/2010] EF9BC0D92F9AF6A446CA3179EFDA0CE0
C:\Windows\System32\manifeststore\user32.amx --a---- 342524 bytes [10:59 22/07/2011] [09:50 20/11/2010] 2FFFCC20E95D9DF2A4046328F6BB7AEC
C:\Windows\SysWOW64\user32.dll --a---- 833024 bytes [11:01 22/07/2011] [12:53 18/08/2012] 861C4346F9281DC0380DE72C8D55D6BE
C:\Windows\SysWOW64\user32.dll.bak --a---- 833024 bytes [11:01 22/07/2011] [12:08 20/11/2010] 5E0DB2D8B2750543CD2EBB9EA8E6CDD3
C:\Windows\SysWOW64\en-US\user32.dll.mui --a---- 17920 bytes [10:59 22/07/2011] [11:59 20/11/2010] 6B63EA7979F501C37FC55A26CA162ACD
C:\Windows\SysWOW64\manifeststore\user32.amx --a---- 367164 bytes [11:01 22/07/2011] [09:06 20/11/2010] DE03DD1A689B53FB2B4A5E480AC7AA4F
C:\Windows\winsxs\amd64_microsoft-windows-a..structure-manifests_31bf3856ad364e35_6.1.7600.16385_none_f9c056b9cd0366f5\user32.amx --a---- 342512 bytes [23:38 13/07/2009] [23:38 13/07/2009] 3B091A3E23D263AD36787541F528B59C
C:\Windows\winsxs\amd64_microsoft-windows-a..structure-manifests_31bf3856ad364e35_6.1.7601.17514_none_fbf16a81c9f1ea8f\user32.amx --a---- 342524 bytes [10:59 22/07/2011] [09:50 20/11/2010] 2FFFCC20E95D9DF2A4046328F6BB7AEC
C:\Windows\winsxs\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_99f2e97144ce40b4\user32.dll.mui --a---- 17920 bytes [05:35 14/07/2009] [02:26 14/07/2009] 7CA57982056C7BCED0B96A892F595802
C:\Windows\winsxs\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_9c23fd3941bcc44e\user32.dll.mui --a---- 17920 bytes [10:59 22/07/2011] [12:58 20/11/2010] EF9BC0D92F9AF6A446CA3179EFDA0CE0
C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll --a---- 1008640 bytes [23:38 13/07/2009] [01:41 14/07/2009] 72D7B3EA16946E8F0CF7458150031CC6
C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll --a---- 1008128 bytes [11:02 22/07/2011] [13:27 20/11/2010] FE70103391A64039A921DBFFF9C7AB1B
C:\Windows\winsxs\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_9c23fd3941bcc44e.manifest --a---- 2380 bytes [07:34 24/07/2011] [03:53 24/07/2011] FCF0C7FBF64A5B153F63B68A9D1587A2
C:\Windows\winsxs\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_9c23fd3941bcc44e_user32.dll.mui_14652dbb --a---- 17920 bytes [07:34 24/07/2011] [03:53 24/07/2011] EF9BC0D92F9AF6A446CA3179EFDA0CE0
C:\Windows\winsxs\Backup\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973.manifest --a---- 2735 bytes [07:34 24/07/2011] [03:52 24/07/2011] 15E19DF34278CE935EBA06DC1ACD2CC8
C:\Windows\winsxs\Backup\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973_user32.dll_55f4ed20 --a---- 1008128 bytes [07:34 24/07/2011] [03:52 24/07/2011] FE70103391A64039A921DBFFF9C7AB1B
C:\Windows\winsxs\Backup\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_a678a78b761d8649.manifest --a---- 2388 bytes [07:35 24/07/2011] [03:55 24/07/2011] 1CECD60B9F87140B907C8A94695322E3
C:\Windows\winsxs\Backup\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_a678a78b761d8649_user32.dll.mui_14652dbb --a---- 17920 bytes [07:35 24/07/2011] [03:55 24/07/2011] 6B63EA7979F501C37FC55A26CA162ACD
C:\Windows\winsxs\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e.manifest --a---- 2743 bytes [07:34 24/07/2011] [03:53 24/07/2011] 95DE794ABE239191A81508A617C359A1
C:\Windows\winsxs\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e_user32.dll_55f4ed20 --a---- 833024 bytes [07:34 24/07/2011] [03:53 24/07/2011] 5E0DB2D8B2750543CD2EBB9EA8E6CDD3
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_99f2e97144ce40b4.manifest --a---- 2380 bytes [05:35 14/07/2009] [02:44 14/07/2009] D158A8077128FBC1064621A53C592687
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_9c23fd3941bcc44e.manifest ------- 2380 bytes [10:38 22/07/2011] [19:31 19/11/2010] FCF0C7FBF64A5B153F63B68A9D1587A2
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9.manifest --a---- 2735 bytes [02:33 14/07/2009] [02:27 14/07/2009] 3DEA0F7C04BC5EFD14A5394C78519ADA
C:\Windows\winsxs\Manifests\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973.manifest ------- 2735 bytes [10:38 22/07/2011] [20:22 19/11/2010] 15E19DF34278CE935EBA06DC1ACD2CC8
C:\Windows\winsxs\Manifests\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a44793c3792f02af.manifest --a---- 2388 bytes [05:35 14/07/2009] [02:28 14/07/2009] 59AB29211504364A7B74570CB76C5A20
C:\Windows\winsxs\Manifests\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_a678a78b761d8649.manifest ------- 2388 bytes [10:37 22/07/2011] [18:27 19/11/2010] 1CECD60B9F87140B907C8A94695322E3
C:\Windows\winsxs\Manifests\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4.manifest --a---- 2743 bytes [02:33 14/07/2009] [01:42 14/07/2009] F7C77BB466026FC29CFD83601477A600
C:\Windows\winsxs\Manifests\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e.manifest ------- 2743 bytes [10:37 22/07/2011] [18:58 19/11/2010] 95DE794ABE239191A81508A617C359A1
C:\Windows\winsxs\wow64_microsoft-windows-a..structure-manifests_31bf3856ad364e35_6.1.7600.16385_none_0415010c016428f0\user32.amx --a---- 367152 bytes [23:25 13/07/2009] [23:25 13/07/2009] EB5C28C6794A89EF22CB20FB92980C19
C:\Windows\winsxs\wow64_microsoft-windows-a..structure-manifests_31bf3856ad364e35_6.1.7601.17514_none_064614d3fe52ac8a\user32.amx --a---- 367164 bytes [11:01 22/07/2011] [09:06 20/11/2010] DE03DD1A689B53FB2B4A5E480AC7AA4F
C:\Windows\winsxs\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a44793c3792f02af\user32.dll.mui --a---- 17920 bytes [05:35 14/07/2009] [02:03 14/07/2009] D448B52149F95F1250100F9BD0ED7152
C:\Windows\winsxs\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_a678a78b761d8649\user32.dll.mui --a---- 17920 bytes [10:59 22/07/2011] [11:59 20/11/2010] 6B63EA7979F501C37FC55A26CA162ACD
C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll --a---- 833024 bytes [23:24 13/07/2009] [01:11 14/07/2009] E8B0FFC209E504CB7E79FC24E6C085F0
C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll --a---- 833024 bytes [11:01 22/07/2011] [12:08 20/11/2010] 5E0DB2D8B2750543CD2EBB9EA8E6CDD3

-= EOF =-

jeffce
2012-09-20, 14:59
Just to keep you aware...I am talking with some colleagues about your system. I will return as soon as I can. :)

theboywhospokeclouds
2012-09-20, 15:18
No problem, Jeff! Thanks for letting me know! :thanks:

jeffce
2012-09-21, 17:50
Hi,

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

DDS::
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix may request an update; please allow it.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

theboywhospokeclouds
2012-09-22, 03:18
ComboFix 12-09-18.06 - Adam Casey 22/09/2012 9:32.4.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.6143.4365 [GMT 10:00]
Running from: c:\users\Adam Casey\Desktop\ComboFix.exe
Command switches used :: c:\users\Adam Casey\Desktop\CFScript.txt
AV: ESET Smart Security 5.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Disabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 5.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-08-22 to 2012-09-22 )))))))))))))))))))))))))))))))
.
.
2012-09-22 00:02 . 2012-09-22 00:02 78848 ----a-w- c:\windows\KMSEmulator.exe
2012-09-22 00:00 . 2012-09-22 00:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-22 00:00 . 2012-09-22 00:00 -------- d-----w- c:\users\Mcx1-ADAMCASEY-PC\AppData\Local\temp
2012-09-22 00:00 . 2012-09-22 00:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-18 00:10 . 2012-09-18 00:10 647168 ----a-w- c:\windows\AutoKMS.exe
2012-09-18 00:09 . 2012-08-21 03:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-09-18 00:09 . 2012-09-18 00:09 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-09-18 00:09 . 2012-09-18 00:09 -------- d-----w- c:\program files\iTunes
2012-09-18 00:09 . 2012-09-18 00:09 -------- d-----w- c:\program files (x86)\iTunes
2012-09-18 00:09 . 2012-09-18 00:09 -------- d-----w- c:\program files\iPod
2012-09-11 20:21 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-11 20:21 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-11 20:21 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-11 20:21 . 2012-08-02 16:57 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2012-09-11 20:21 . 2012-08-22 18:12 1913200 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-11 20:21 . 2012-08-22 18:12 376688 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-11 20:21 . 2012-08-22 18:12 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-10 11:01 . 2012-09-10 11:01 -------- d-----w- C:\Cakewalk Projects
2012-09-04 05:16 . 2012-09-04 05:16 -------- d-----w- c:\users\Adam Casey\AppData\Local\ESET
2012-09-04 05:12 . 2012-09-04 05:12 -------- d-----w- c:\program files\ESET
2012-09-04 05:09 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-09-04 05:09 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-09-02 14:39 . 2012-09-02 14:39 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-09-02 14:38 . 2012-09-02 14:38 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-31 23:41 . 2012-08-31 23:41 -------- d-----w- c:\program files (x86)\IK Multimedia
2012-08-31 05:12 . 2012-08-31 05:12 73696 ----a-w- c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-08-30 06:01 . 2012-08-31 04:40 -------- d-----w- c:\program files (x86)\ZAR
2012-08-27 23:36 . 2012-08-27 23:36 -------- d-----w- c:\program files\MOTU
2012-08-27 23:36 . 2012-08-27 23:36 -------- d-----w- c:\program files (x86)\MOTU
2012-08-25 10:43 . 2012-09-21 11:34 -------- d-----w- c:\users\Adam Casey\AppData\Roaming\dvdcss
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-21 08:31 . 2012-04-02 20:12 696240 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-09-21 08:31 . 2011-07-21 06:33 73136 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-11 20:24 . 2011-07-24 03:56 64462936 ----a-w- c:\windows\system32\MRT.exe
2012-09-02 14:38 . 2012-07-29 12:45 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-09-02 14:38 . 2011-07-21 08:24 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-21 03:01 . 2011-07-21 06:44 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-08-21 03:01 . 2011-07-21 06:44 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2012-08-18 12:53 . 2011-07-22 11:00 14848 ----a-w- c:\windows\system32\slwga.dll
2012-08-18 12:53 . 2011-07-22 11:00 13824 ----a-w- c:\windows\SysWow64\slwga.dll
2012-08-18 12:53 . 2011-07-22 11:02 1008640 ----a-w- c:\windows\system32\user32.dll
2012-08-18 12:53 . 2011-07-22 11:01 833024 ----a-w- c:\windows\SysWow64\user32.dll
2012-08-17 18:00 . 2012-08-21 20:31 127488 ----a-w- c:\windows\system32\ff_vfw.dll
2012-08-17 18:00 . 2012-08-21 20:15 112640 ----a-w- c:\windows\SysWow64\ff_vfw.dll
2012-07-30 14:27 . 2012-07-30 14:27 65536 ----a-r- c:\users\Adam Casey\AppData\Roaming\Microsoft\Installer\{CDEBE7FF-C832-4B91-9214-A4CA610D78C9}\ARPPRODUCTICON.exe
2012-07-18 18:15 . 2012-08-15 08:11 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-09 03:42 . 2012-07-09 03:42 4547984 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-07-09 03:42 . 2012-07-09 03:42 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-07-04 22:16 . 2012-08-15 08:11 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-07-04 22:13 . 2012-08-15 08:11 59392 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 22:13 . 2012-08-15 08:11 136704 ----a-w- c:\windows\system32\browser.dll
2012-07-04 21:14 . 2012-08-15 08:11 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-07-04 17:43 . 2012-07-04 17:43 419840 ----a-w- c:\windows\system32\systemcpl.dll
2012-06-29 04:55 . 2012-08-15 12:12 17809920 ----a-w- c:\windows\system32\mshtml.dll
2012-06-29 04:09 . 2012-08-15 12:12 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-06-29 03:56 . 2012-08-15 12:12 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 03:49 . 2012-08-15 12:12 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-29 03:49 . 2012-08-15 12:12 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 03:48 . 2012-08-15 12:12 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 03:47 . 2012-08-15 12:12 237056 ----a-w- c:\windows\system32\url.dll
2012-06-29 03:45 . 2012-08-15 12:12 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-29 03:44 . 2012-08-15 12:12 816640 ----a-w- c:\windows\system32\jscript.dll
2012-06-29 03:43 . 2012-08-15 12:12 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 03:42 . 2012-08-15 12:12 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-29 03:40 . 2012-08-15 12:12 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-29 03:39 . 2012-08-15 12:12 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-29 03:35 . 2012-08-15 12:12 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-29 00:16 . 2012-08-15 12:12 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-29 00:09 . 2012-08-15 12:12 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-29 00:08 . 2012-08-15 12:12 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-29 00:04 . 2012-08-15 12:12 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-29 00:00 . 2012-08-15 12:12 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-01-07 01:28 . 2012-01-07 01:28 102400 ----a-w- c:\program files\RemoteVolumeControl.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-08-18 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-09-18_23.06.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-09-22 00:01 . 2012-09-22 00:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-09-18 23:05 . 2012-09-18 23:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-09-22 00:01 . 2012-09-22 00:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-09-18 23:05 . 2012-09-18 23:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 05:01 . 2012-09-22 00:00 478676 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-09-18 23:04 478676 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-07-23 06:42 . 2012-09-22 00:00 36669854 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2815916078-2259092287-661349574-1000-12288.dat
- 2011-07-23 06:42 . 2012-09-18 23:04 36669854 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2815916078-2259092287-661349574-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\users\Adam Casey\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Akamai NetSession Interface"="c:\users\Adam Casey\AppData\Local\Akamai\netsession_win.exe" [2012-08-10 4440896]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-11 1523360]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-02 252848]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-27 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-09 421776]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
MOTU Pedal Service.lnk - c:\program files (x86)\MOTU\Audio\MFWAKeys.exe [2012-6-4 1457552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files (x86)\Qualcomm\Eudora\EuShlExt.dll" [2005-11-14 86016]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 135664]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-03 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-21 250288]
R3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe [2010-01-24 245760]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 135664]
R3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys [x]
R3 huawei_cdcecm;huawei_cdcecm;c:\windows\system32\DRIVERS\ew_jucdcecm.sys [x]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
R3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\DRIVERS\ew_juextctrl.sys [x]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-07-28 29720]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-08-31 114144]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2011-05-09 22528]
R3 OXSDIDRV_x64;Oxford Semi eSATA Filter (x64);c:\windows\system32\DRIVERS\OXSDIDRV_x64.sys [2009-09-27 51760]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys [2010-04-09 627744]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 SynUSB64;SynUSB64;c:\windows\system32\DRIVERS\SynUSB64.sys [2007-10-24 29432]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-08-18 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2012-03-13 62496]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2012-03-13 209768]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2012-03-13 148528]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys [2012-03-13 38288]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-19 203776]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [2012-03-07 913144]
S2 LaCieDesktopManagerService;LaCieDesktopManagerService;c:\program files\LaCie\Desktop Manager\lacie_dm_service.exe [2009-12-02 1118208]
S2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [2010-03-25 5018624]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-08-13 3064000]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-19 9319936]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-19 306176]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-17 47616]
S3 MFWAMIDI64;MOTU Audio MIDI for 64 bit;c:\windows\system32\drivers\MFWAMIDI64.sys [2012-06-04 32408]
S3 MFWAWAVE64;MOTU Audio Wave for 64 bit;c:\windows\system32\drivers\MFWAWAVE64.sys [2012-06-04 82584]
S3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\MotuBus64.sys [2012-06-04 29848]
S3 MotuFWA64;MotuFWA64;c:\windows\system32\drivers\Motufwa64.sys [2012-06-04 609944]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-27 395264]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-12-06 13:18 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 08:31]
.
2012-09-22 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS.exe [2012-09-18 00:10]
.
2012-09-22 c:\windows\Tasks\AutoKMSDaily.job
- c:\windows\AutoKMS.exe [2012-09-18 00:10]
.
2012-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 11:51]
.
2012-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 11:51]
.
2012-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2815916078-2259092287-661349574-1000Core.job
- c:\users\Adam Casey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-19 10:53]
.
2012-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2815916078-2259092287-661349574-1000UA.job
- c:\users\Adam Casey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-19 10:53]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2012-09-04 4081008]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com.au/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 211.31.138.11 211.29.132.12
FF - ProfilePath - c:\users\Adam Casey\AppData\Roaming\Mozilla\Firefox\Profiles\u88r5vt9.default\
FF - prefs.js: browser.startup.homepage - www.google.com.au
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_5891ae0.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SysWOW64\bgsvcgen.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
.
**************************************************************************
.
Completion time: 2012-09-22 10:14:30 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-22 00:14
ComboFix2.txt 2012-09-18 23:20
.
Pre-Run: 26,244,075,520 bytes free
Post-Run: 26,018,148,352 bytes free
.
- - End Of File - - 576AD43DE3DCA5F762A9B611EB3FB807

jeffce
2012-09-22, 03:33
Hi,

Clear Java Cache

See this page (http://www.java.com/en/download/help/5000020300.xml) for instructions on how to clear java's cache.

Go into the Control Panel and double-click the Java Icon (looks like a coffee cup).
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked:
Downloaded Applets
Downloaded Applications
Other Files
Click OK on the Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.
----------

Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.

Right-click and Run as Administrator mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan as shown below.

http://i1224.photobucket.com/albums/ee380/jeffce74/mbam-1.jpg

When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.



The log can also be found here:

Windows 2000 & Windows XP:
C:\Documents and Settings\<USERNAME>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Windows Vista & Win7:
C:\Users\<USERNAME>\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs
----------

ESET Online Scanner

Go here (http://go.eset.com/us/online-scanner) to run an online scanner from ESET.
Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator.
Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
Turn off the real time scanner of any existing antivirus program while performing the online scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan.
Wait for the scan to finish.
When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file...". Save that text file on your desktop.
Copy and paste the contents of that log as a reply to this topic.
Close the ESET online scan, and let me know how things are now.
----------

theboywhospokeclouds
2012-09-22, 03:47
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.21.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Adam Casey :: ADAMCASEY-PC [administrator]

22/09/2012 10:40:26 AM
mbam-log-2012-09-22 (10-40-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 222892
Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\KMSEmulator.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

(end)

theboywhospokeclouds
2012-09-22, 12:40
C:\Users\Adam Casey\Downloads\winzip155.exe Win32/OpenCandy application
C:\Windows\KMSEmulator.exe a variant of Win32/HackKMS.A application

jeffce
2012-09-22, 16:57
Hi,



Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the box below:


ClearJavaCache::

File::
C:\Users\Adam Casey\Downloads\winzip155.exe
C:\Windows\KMSEmulator.exe


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix may request an update; please allow it.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

Please post the new ComboFix log and let me know how your system is running now. :)

theboywhospokeclouds
2012-09-24, 00:42
ComboFix 12-09-23.02 - Adam Casey 23/09/2012 21:46:07.5.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.6143.4696 [GMT 10:00]
Running from: c:\users\Adam Casey\Desktop\ComboFix.exe
Command switches used :: c:\users\Adam Casey\Desktop\CFscript.txt
AV: ESET Smart Security 5.2 *Disabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
FW: ESET Personal firewall *Disabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
SP: ESET Smart Security 5.2 *Disabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Adam Casey\Downloads\winzip155.exe"
"c:\windows\KMSEmulator.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\KMSEmulator.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-23 to 2012-09-23 )))))))))))))))))))))))))))))))
.
.
2012-09-23 12:42 . 2012-09-23 12:42 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-23 12:42 . 2012-09-23 12:42 -------- d-----w- c:\users\Mcx1-ADAMCASEY-PC\AppData\Local\temp
2012-09-23 12:42 . 2012-09-23 12:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-22 03:16 . 2012-09-22 07:04 -------- d-----w- c:\users\Adam Casey\AppData\Roaming\uTorrent
2012-09-18 00:10 . 2012-09-18 00:10 647168 ----a-w- c:\windows\AutoKMS.exe
2012-09-18 00:09 . 2012-08-21 03:01 33240 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-09-18 00:09 . 2012-09-18 00:09 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
2012-09-18 00:09 . 2012-09-18 00:09 -------- d-----w- c:\program files\iTunes
2012-09-18 00:09 . 2012-09-18 00:09 -------- d-----w- c:\program files (x86)\iTunes
2012-09-18 00:09 . 2012-09-18 00:09 -------- d-----w- c:\program files\iPod
2012-09-11 20:21 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-11 20:21 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-11 20:21 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-11 20:21 . 2012-08-02 16:57 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2012-09-11 20:21 . 2012-08-22 18:12 1913200 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-11 20:21 . 2012-08-22 18:12 376688 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-11 20:21 . 2012-08-22 18:12 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-10 11:01 . 2012-09-10 11:01 -------- d-----w- C:\Cakewalk Projects
2012-09-04 05:16 . 2012-09-04 05:16 -------- d-----w- c:\users\Adam Casey\AppData\Local\ESET
2012-09-04 05:12 . 2012-09-04 05:12 -------- d-----w- c:\program files\ESET
2012-09-04 05:09 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-09-04 05:09 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-09-02 14:39 . 2012-09-02 14:39 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-09-02 14:38 . 2012-09-02 14:38 95208 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2012-08-31 23:41 . 2012-08-31 23:41 -------- d-----w- c:\program files (x86)\IK Multimedia
2012-08-31 05:12 . 2012-08-31 05:12 73696 ----a-w- c:\program files (x86)\Mozilla Firefox\breakpadinjector.dll
2012-08-30 06:01 . 2012-08-31 04:40 -------- d-----w- c:\program files (x86)\ZAR
2012-08-27 23:36 . 2012-08-27 23:36 -------- d-----w- c:\program files\MOTU
2012-08-27 23:36 . 2012-08-27 23:36 -------- d-----w- c:\program files (x86)\MOTU
2012-08-25 10:43 . 2012-09-23 09:00 -------- d-----w- c:\users\Adam Casey\AppData\Roaming\dvdcss
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-23 12:44 . 2012-09-23 12:44 78848 ----a-w- c:\windows\KMSEmulator.exe
2012-09-21 08:31 . 2012-04-02 20:12 696240 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-09-21 08:31 . 2011-07-21 06:33 73136 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-09-11 20:24 . 2011-07-24 03:56 64462936 ----a-w- c:\windows\system32\MRT.exe
2012-09-02 14:38 . 2012-07-29 12:45 821736 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-09-02 14:38 . 2011-07-21 08:24 746984 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-21 03:01 . 2011-07-21 06:44 125872 ----a-w- c:\windows\system32\GEARAspi64.dll
2012-08-21 03:01 . 2011-07-21 06:44 106928 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2012-08-18 12:53 . 2011-07-22 11:00 14848 ----a-w- c:\windows\system32\slwga.dll
2012-08-18 12:53 . 2011-07-22 11:00 13824 ----a-w- c:\windows\SysWow64\slwga.dll
2012-08-18 12:53 . 2011-07-22 11:02 1008640 ----a-w- c:\windows\system32\user32.dll
2012-08-18 12:53 . 2011-07-22 11:01 833024 ----a-w- c:\windows\SysWow64\user32.dll
2012-08-17 18:00 . 2012-08-21 20:31 127488 ----a-w- c:\windows\system32\ff_vfw.dll
2012-08-17 18:00 . 2012-08-21 20:15 112640 ----a-w- c:\windows\SysWow64\ff_vfw.dll
2012-07-30 14:27 . 2012-07-30 14:27 65536 ----a-r- c:\users\Adam Casey\AppData\Roaming\Microsoft\Installer\{CDEBE7FF-C832-4B91-9214-A4CA610D78C9}\ARPPRODUCTICON.exe
2012-07-18 18:15 . 2012-08-15 08:11 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-09 03:42 . 2012-07-09 03:42 4547984 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-07-09 03:42 . 2012-07-09 03:42 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-07-04 22:16 . 2012-08-15 08:11 73216 ----a-w- c:\windows\system32\netapi32.dll
2012-07-04 22:13 . 2012-08-15 08:11 59392 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 22:13 . 2012-08-15 08:11 136704 ----a-w- c:\windows\system32\browser.dll
2012-07-04 21:14 . 2012-08-15 08:11 41984 ----a-w- c:\windows\SysWow64\browcli.dll
2012-07-04 17:43 . 2012-07-04 17:43 419840 ----a-w- c:\windows\system32\systemcpl.dll
2012-01-07 01:28 . 2012-01-07 01:28 102400 ----a-w- c:\program files\RemoteVolumeControl.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-08-18 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 94208 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\users\Adam Casey\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Akamai NetSession Interface"="c:\users\Adam Casey\AppData\Local\Akamai\netsession_win.exe" [2012-08-10 4440896]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-11 1523360]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-02 252848]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-08-27 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-09 421776]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
MOTU Pedal Service.lnk - c:\program files (x86)\MOTU\Audio\MFWAKeys.exe [2012-6-4 1457552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files (x86)\Qualcomm\Eudora\EuShlExt.dll" [2005-11-14 86016]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 135664]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-03 160944]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-21 250288]
R3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe [2010-01-24 245760]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 135664]
R3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys [x]
R3 huawei_cdcecm;huawei_cdcecm;c:\windows\system32\DRIVERS\ew_jucdcecm.sys [x]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
R3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\DRIVERS\ew_juextctrl.sys [x]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-07-28 29720]
R3 MFWAMIDI64;MOTU Audio MIDI for 64 bit;c:\windows\system32\drivers\MFWAMIDI64.sys [2012-06-04 32408]
R3 MFWAWAVE64;MOTU Audio Wave for 64 bit;c:\windows\system32\drivers\MFWAWAVE64.sys [2012-06-04 82584]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 MotuFWA64;MotuFWA64;c:\windows\system32\drivers\Motufwa64.sys [2012-06-04 609944]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-08-31 114144]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [2011-05-09 22528]
R3 OXSDIDRV_x64;Oxford Semi eSATA Filter (x64);c:\windows\system32\DRIVERS\OXSDIDRV_x64.sys [2009-09-27 51760]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992]
R3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys [2010-04-09 627744]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 SynUSB64;SynUSB64;c:\windows\system32\DRIVERS\SynUSB64.sys [2007-10-24 29432]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-07-09 52736]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-08-18 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
S0 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2012-03-13 62496]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2012-03-13 209768]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2012-03-13 148528]
S1 EpfwLWF;Epfw NDIS LightWeight Filter;c:\windows\system32\DRIVERS\EpfwLWF.sys [2012-03-13 38288]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-19 203776]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\x86\ekrn.exe [2012-03-07 913144]
S2 LaCieDesktopManagerService;LaCieDesktopManagerService;c:\program files\LaCie\Desktop Manager\lacie_dm_service.exe [2009-12-02 1118208]
S2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [2010-03-25 5018624]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2012-08-13 3064000]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-19 9319936]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-19 306176]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-17 47616]
S3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\MotuBus64.sys [2012-06-04 29848]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-09-27 395264]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-12-06 13:18 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 08:31]
.
2012-09-23 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS.exe [2012-09-18 00:10]
.
2012-09-23 c:\windows\Tasks\AutoKMSDaily.job
- c:\windows\AutoKMS.exe [2012-09-18 00:10]
.
2012-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 11:51]
.
2012-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 11:51]
.
2012-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2815916078-2259092287-661349574-1000Core.job
- c:\users\Adam Casey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-19 10:53]
.
2012-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2815916078-2259092287-661349574-1000UA.job
- c:\users\Adam Casey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-08-19 10:53]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-06-30 04:19 97792 ----a-w- c:\users\Adam Casey\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-19 444904]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2012-09-04 4081008]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com.au/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 211.31.138.11 211.29.132.12
FF - ProfilePath - c:\users\Adam Casey\AppData\Roaming\Mozilla\Firefox\Profiles\u88r5vt9.default\
FF - prefs.js: browser.startup.homepage - www.google.com.au
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_5891ae0.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_278.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SysWOW64\bgsvcgen.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
.
**************************************************************************
.
Completion time: 2012-09-23 22:54:35 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-23 12:54
ComboFix2.txt 2012-09-22 00:14
ComboFix3.txt 2012-09-18 23:20
.
Pre-Run: 34,171,072,512 bytes free
Post-Run: 34,019,348,480 bytes free
.
- - End Of File - - 5FF6400FB2B826247C085364BC27C8E8
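
Two details in that log drive the next script: c:\windows\KMSEmulator.exe is listed under Other Deletions yet shows up again in the Find3M report two minutes later, and two scheduled tasks (AutoKMS.job, AutoKMSDaily.job) run an executable sitting directly in the Windows directory. The Python below is an added example, not ComboFix's or the thread's own code: it parses a constructed excerpt modelled on the posted log and surfaces exactly those two findings.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the ComboFix log posted above (section
# banners and row layout follow that log; the rows are a hand-picked subset).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\KMSEmulator.exe
((((((((((((((((((((((((( Files Created from 2012-08-23 to 2012-09-23 )))))))))))))))))))))))))))))))
2012-09-23 12:42 . 2012-09-23 12:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-18 00:10 . 2012-09-18 00:10 647168 ----a-w- c:\windows\AutoKMS.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2012-09-23 12:44 . 2012-09-23 12:44 78848 ----a-w- c:\windows\KMSEmulator.exe
Contents of the 'Scheduled Tasks' folder
2012-09-23 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS.exe [2012-09-18 00:10]
2012-09-23 c:\windows\Tasks\AutoKMSDaily.job
- c:\windows\AutoKMS.exe [2012-09-18 00:10]
2012-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-12-22 11:51]
"""

# Section banners: "((( Name )))" or "Contents of the 'Name' folder".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$|^Contents of the '(.+?)' folder$")
# File rows: "<created> . <modified> <size or dashes> <attrs> <path>".
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(-+|\d+) (\S+) (.+)$")
# Scheduled task rows: a ".job" line followed by "- <target> [<timestamp>]".
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (\S.*\.job)$", re.IGNORECASE)
JOB_TARGET_RE = re.compile(r"^- (.+?) \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$")
TS = "%Y-%m-%d %H:%M"


def split_sections(log):
    """Map each section banner to the non-empty lines beneath it."""
    sections, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":  # ComboFix pads sections with "." lines
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def file_entries(sections):
    """(lower-cased path, newest timestamp, size) for every file row in the
    'Files Created' and 'Find3M' sections; directory rows (dashed size) skipped."""
    rows = []
    for name, lines in sections.items():
        if not (name.startswith("Files Created") or name.startswith("Find3M")):
            continue
        for line in lines:
            m = ENTRY_RE.match(line)
            if not m or m.group(3).startswith("-"):
                continue
            newest = max(datetime.strptime(m.group(1), TS),
                         datetime.strptime(m.group(2), TS))
            rows.append((m.group(5).lower(), newest, int(m.group(3))))
    return rows


def scheduled_tasks(sections):
    """(job file, target executable) pairs, both lower-cased."""
    tasks, job = [], None
    for line in sections.get("Scheduled Tasks", []):
        jm = JOB_RE.match(line)
        if jm:
            job = jm.group(1).lower()
            continue
        tm = JOB_TARGET_RE.match(line)
        if tm and job:
            tasks.append((job, tm.group(1).lower()))
            job = None
    return tasks


def reappeared(sections):
    """Paths ComboFix reports as deleted that still have a row in the file
    listing, i.e. something recreated them before the listing was taken."""
    deleted = {p.lower() for p in sections.get("Other Deletions", [])}
    present = {path for path, _, _ in file_entries(sections)}
    return sorted(deleted & present)


def windows_root_autoruns(sections):
    """Scheduled tasks whose target sits directly in the Windows directory,
    an unusual location for a legitimate task executable."""
    return [(job, exe) for job, exe in scheduled_tasks(sections)
            if re.fullmatch(r"c:\\windows\\[^\\]+", exe)]
```

On the constructed excerpt, `reappeared()` returns the KMSEmulator path and `windows_root_autoruns()` returns both AutoKMS tasks, while the Google Update task is left alone.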

theboywhospokeclouds
2012-09-24, 00:44
System seems to be running very well. Wasn't running terribly initially, but does seem a bit speedier now, particularly on the web. :bigthumb:

theboywhospokeclouds
2012-09-24, 11:26
Hi there,

I just turned my computer back on this afternoon and ESET Smart Security found a 'potential threat'. 'A variant of Win32/HackKMS', the object "C:\Windows\KMSEmulator.exe".

Does this mean the cleaning hasn't worked?

jeffce
2012-09-24, 14:49
Hi,

No, not necessarily. Sometimes antivirus programs will pick up entries that are "false positives". Let's get a better look.

Please go to: VirusTotal (http://www.virustotal.com)
On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.

C:\Windows\KMSEmulator.exe

Next, click the Open button.
Then click the "Scan It!" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.
----------

theboywhospokeclouds
2012-09-25, 01:14
https://www.virustotal.com/file/a2ffd0bc5e055e519fd3006bfdae422327d8e01310eae528267014c54293bfa4/analysis/1348524689/

jeffce
2012-09-25, 04:57
Hi,


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the box below:


ClearJavaCache::

File::
c:\windows\AutoKMS.exe
c:\windows\Tasks\AutoKMS.job
c:\windows\Tasks\AutoKMSDaily.job


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix may request an update; please allow it.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

jeffce
2012-09-27, 02:54
Still with me?

jeffce
2012-09-28, 14:47
Due to lack of feedback, this topic will now be closed.
If you are the original poster and you still require help, please start a new thread.

-------------------