ZeroAccess Malware


  • This topic is locked

#1 TheUnluckyOne (New Member, 6 posts)

Hi. I think I've picked up a nasty piece of malware called ZeroAccess. I say "think" because I've done many Google searches on the symptoms and vectors of infection, and most of them seem to stem from outdated plugins (e.g. Java or Flash). Yet I always keep my plugins up to date, and I use Firefox. I'm certain that I obtained this malware from running a zero-day infected file.

Symptoms that have not yet appeared:

  • I CAN STILL perform a Google search without being redirected.
  • I CAN STILL run security tools and other EXE files.

Symptoms that have appeared:

  • I DO have a file called consrv.dll sitting in my C:\Windows\system32 folder.
  • I DO have a file called kwrd.dll sitting in C:\Windows\assembly\temp.
  • I DO get virus alerts from my security software (COMODO Internet Security) stating that viruses are trying to run from that same folder.
  • I DO have a random PING.exe process created from C:\Windows\svchost.exe every time I start my computer. This worries me.

The most important thing to note is that my security software -- COMODO Internet Security -- is still working. I've run a scan with it, and it finds only the temp files as generic/heuristic infections. Furthermore, the real-time protection is constantly finding the malicious files running from C:\Windows\assembly\temp, and every time I delete them, they return about 5-10 minutes later. This tells me this infection is bigger than some TMP and DLL files, despite my lacking some of the more common symptoms associated with this malware.

I was thinking it could be a rootkit, but COMODO hasn't picked up anything. I've also run scans with Malwarebytes, Hitman Pro, Norton Power Eraser, and the Kaspersky Virus Removal Tool. None of them find anything malicious, which suggests either this is zero-day malware or that I am not (yet) "fully" infected. My computer also doesn't seem to be slowing down any. Perhaps (hopefully) I only have "half" an infection?

I've run a quick scan with OTL as per the board rules. The scan log is pasted below.

OTL logfile created on: 10/22/2011 11:52:03 AM - Run 1
OTL by OldTimer - Version 3.2.31.0     Folder = C:\Users\Jay\Downloads
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
5.98 Gb Total Physical Memory | 4.02 Gb Available Physical Memory | 67.19% Memory free
12.04 Gb Paging File | 10.01 Gb Available in Paging File | 83.14% Paging File free
Paging file location(s): c:\pagefile.sys 6200 6200 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 906.34 Gb Total Space | 662.61 Gb Free Space | 73.11% Space Free | Partition Type: NTFS
 
Computer Name: JAY-PC | User Name: Jay | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
[color=#E56717]========== Processes (SafeList) ==========[/color]
 
PRC - [2011/10/22 01:50:50 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Jay\Downloads\OTL.exe
PRC - [2011/09/29 23:57:39 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2011/04/01 05:11:52 | 000,428,640 | ---- | M] (Logitech Inc.) -- C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe
PRC - [2010/09/26 15:30:52 | 000,163,840 | ---- | M] (Lenovo) -- C:\Program Files\Lenovo\Power Dial\LitModeSwitch.exe
PRC - [2010/09/13 21:32:32 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
PRC - [2010/09/13 21:32:30 | 000,283,160 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
PRC - [2010/09/09 14:46:14 | 000,081,920 | ---- | M] (Lenovo) -- C:\Program Files\Lenovo\Power Dial\LitModeCtrl.exe
PRC - [2010/01/21 01:40:59 | 000,040,960 | ---- | M] () -- C:\Windows\SysWOW64\UMonit.exe
PRC - [2009/09/30 14:19:30 | 000,049,152 | ---- | M] (Lenovo) -- C:\Program Files\Lenovo\Power Dial\LenovoCOMSvc.exe
PRC - [2009/07/16 12:05:10 | 000,114,688 | ---- | M] (JME) -- C:\Program Files (x86)\jmesoft\hotkey.exe
PRC - [2009/07/13 20:14:28 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\PING.EXE
 
 
[color=#E56717]========== Modules (No Company Name) ==========[/color]
 
MOD - [2011/10/12 15:29:00 | 000,475,136 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\60c320dbe033e8ff4830cdc059933f2c\IAStorUtil.ni.dll
MOD - [2011/10/12 15:29:00 | 000,014,336 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\ebfad289d9759034cd3a887802fadb5b\IAStorCommon.ni.dll
MOD - [2011/10/12 14:28:47 | 000,771,584 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b2622080e047040fa044dd21a04ff10d\System.Runtime.Remoting.ni.dll
MOD - [2011/10/12 14:28:28 | 012,433,408 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6e592e424a204aafeadbe22b6b31b9db\System.Windows.Forms.ni.dll
MOD - [2011/10/12 14:28:23 | 001,587,200 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\3b2cfd85528a27eb71dc41d8067359a1\System.Drawing.ni.dll
MOD - [2011/10/12 14:28:14 | 003,347,968 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\d7a64c28cf0c90e6c48af4f7d6f9ed41\WindowsBase.ni.dll
MOD - [2011/10/12 14:28:11 | 005,453,312 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\130ad4d9719e566ca933ac7158a04203\System.Xml.ni.dll
MOD - [2011/10/12 14:28:08 | 007,963,648 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System\abab08afa60a6f06bdde0fcc9649c379\System.ni.dll
MOD - [2011/10/12 14:28:08 | 000,971,264 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d5bcbeb9475ef62189f605bcca1cec6\System.Configuration.ni.dll
MOD - [2011/10/12 14:28:04 | 011,490,304 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll
MOD - [2011/10/04 18:09:32 | 008,522,400 | ---- | M] () -- C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
MOD - [2011/09/29 23:57:39 | 001,833,944 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/08/05 17:49:19 | 000,928,256 | ---- | M] () -- C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\gzqv13n3.Jay\extensions\[email protected]\platform\WINNT_x86-msvc\components\lpxpcom.dll
MOD - [2011/06/18 16:26:14 | 000,003,584 | ---- | M] () -- C:\Windows\SysWOW64\RemoveFocusRect.dll
MOD - [2010/11/20 07:19:56 | 000,232,448 | ---- | M] () -- \\.\globalroot\systemroot\syswow64\mswsock.dll
MOD - [2010/01/21 01:40:59 | 000,040,960 | ---- | M] () -- C:\Windows\SysWOW64\UMonit.exe
MOD - [2009/10/26 02:52:38 | 000,139,264 | ---- | M] () -- C:\Windows\SysWOW64\ustor.dll
MOD - [2009/07/16 12:20:38 | 000,032,768 | ---- | M] () -- C:\Program Files (x86)\jmesoft\KeyHook.dll
MOD - [2008/12/30 14:09:34 | 002,088,960 | ---- | M] () -- C:\Program Files\Lenovo\Power Dial\LitModeSwitchRes.dll
MOD - [2007/12/31 13:27:42 | 000,007,168 | ---- | M] () -- C:\Program Files (x86)\jmesoft\VistaVolume.dll
 
 
[color=#E56717]========== Win32 Services (SafeList) ==========[/color]
 
SRV:[b]64bit:[/b] - [2011/10/10 08:32:14 | 000,341,296 | ---- | M] (Nitro PDF Software) [Auto | Running] -- C:\Program Files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe -- (NitroReaderDriverReadSpool2)
SRV:[b]64bit:[/b] - [2011/10/07 18:47:16 | 002,663,568 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV:[b]64bit:[/b] - [2011/07/28 16:35:34 | 000,204,288 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:[b]64bit:[/b] - [2010/09/09 14:46:14 | 000,081,920 | ---- | M] (Lenovo) [On_Demand | Running] -- C:\Program Files\Lenovo\Power Dial\LitModeCtrl.exe -- (LitModeCtrl)
SRV:[b]64bit:[/b] - [2010/08/19 17:43:24 | 000,386,344 | ---- | M] () [Auto | Running] -- C:\Program Files\CyberLink\Shared files\RichVideo64.exe -- (RichVideo64)
SRV:[b]64bit:[/b] - [2009/09/30 14:19:30 | 000,049,152 | ---- | M] (Lenovo) [Auto | Running] -- C:\Program Files\Lenovo\Power Dial\LenovoCOMSvc.exe -- (LenovoCOMSvc)
SRV:[b]64bit:[/b] - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2011/09/22 11:47:20 | 000,712,520 | ---- | M] (Mister Group) [Auto | Running] -- C:\Program Files (x86)\System Explorer\SystemExplorerService64.exe -- (SystemExplorerHelpService)
SRV - [2011/08/04 14:25:22 | 000,551,352 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\USB Safely Remove\USBSRService.exe -- (USBSafelyRemoveService)
SRV - [2011/06/18 17:14:14 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/04/01 05:11:52 | 000,428,640 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
SRV - [2010/09/13 21:32:32 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel(R)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
[color=#E56717]========== Driver Services (SafeList) ==========[/color]
 
DRV:[b]64bit:[/b] - [2011/10/21 23:42:24 | 000,460,888 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\71051577.sys -- (71051577)
DRV:[b]64bit:[/b] - [2011/10/07 18:47:56 | 000,016,528 | ---- | M] (COMODO) [File_System | System | Running] -- C:\Windows\SysNative\drivers\cmderd.sys -- (cmderd)
DRV:[b]64bit:[/b] - [2011/08/05 17:37:15 | 000,270,912 | ---- | M] (DT Soft Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV:[b]64bit:[/b] - [2011/07/28 17:23:16 | 009,980,416 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:[b]64bit:[/b] - [2011/07/28 17:23:16 | 009,980,416 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:[b]64bit:[/b] - [2011/07/28 15:54:10 | 000,309,248 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:[b]64bit:[/b] - [2011/06/06 17:07:00 | 000,231,440 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:[b]64bit:[/b] - [2011/05/10 08:06:08 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:[b]64bit:[/b] - [2011/04/01 00:07:54 | 004,184,672 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\lvuvc64.sys -- (LVUVC64) Logitech Webcam C210(UVC)
DRV:[b]64bit:[/b] - [2011/04/01 00:06:22 | 000,341,856 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\lvrs64.sys -- (LVRS64)
DRV:[b]64bit:[/b] - [2011/03/11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:[b]64bit:[/b] - [2011/03/11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:[b]64bit:[/b] - [2010/11/20 08:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:[b]64bit:[/b] - [2010/11/20 06:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:[b]64bit:[/b] - [2010/09/21 01:34:18 | 000,313,520 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1c62x64.sys -- (e1cexpress) Intel(R)
DRV:[b]64bit:[/b] - [2010/09/20 20:59:38 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64) Intel(R)
DRV:[b]64bit:[/b] - [2010/09/13 21:24:26 | 000,437,272 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:[b]64bit:[/b] - [2010/05/07 18:43:30 | 000,030,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LVPr2M64.sys -- (LVPr2Mon)
DRV:[b]64bit:[/b] - [2010/05/07 18:43:30 | 000,030,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LVPr2M64.sys -- (LVPr2M64)
DRV:[b]64bit:[/b] - [2010/05/07 13:42:46 | 000,271,712 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lvpopf64.sys -- (lvpopf64)
DRV:[b]64bit:[/b] - [2010/04/13 04:57:26 | 001,631,264 | ---- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RTL8192u.sys -- (RTL8192U)
DRV:[b]64bit:[/b] - [2010/02/21 21:49:58 | 000,052,224 | ---- | M] (Genesys Logic) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ustor2k.sys -- (USTOR2K)
DRV:[b]64bit:[/b] - [2009/12/30 11:21:26 | 000,031,800 | ---- | M] (VS Revo Group) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\revoflt.sys -- (Revoflt)
DRV:[b]64bit:[/b] - [2009/07/21 17:20:06 | 000,121,840 | ---- | M] (CyberLink) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wsvd.sys -- (wsvd)
DRV:[b]64bit:[/b] - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:[b]64bit:[/b] - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:[b]64bit:[/b] - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:[b]64bit:[/b] - [2009/07/13 19:01:09 | 000,679,936 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xnacc.sys -- (xnacc)
DRV:[b]64bit:[/b] - [2009/06/10 15:37:05 | 006,108,416 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:[b]64bit:[/b] - [2009/06/10 15:35:53 | 000,051,712 | ---- | M] (Realtek Semiconductor Corporation                           ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Rtnic64.sys -- (RTL8023x64)
DRV:[b]64bit:[/b] - [2009/06/10 15:35:33 | 000,389,120 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\yk62x64.sys -- (yukonw7)
DRV:[b]64bit:[/b] - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:[b]64bit:[/b] - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:[b]64bit:[/b] - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:[b]64bit:[/b] - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:[b]64bit:[/b] - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2011/10/22 10:58:30 | 000,000,298 | -HS- | M] () [File_System | Unknown | Running] -- C:\windows\6821560drv.spi -- (6821560drv)
DRV - [2010/03/22 21:13:08 | 000,015,712 | ---- | M] (Nicomsoft Ltd.) [Kernel | Boot | Running] -- C:\windows\system32\drivers\DDCDrv.sys -- (WinI2C-DDC)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/02/24 05:08:34 | 000,011,576 | ---- | M] (Samsung Electronics) [Kernel | Auto | Stopped] -- C:\Windows\SysWOW64\drivers\SSPORT.SYS -- (SSPORT)
 
 
[color=#E56717]========== Standard Registry (SafeList) ==========[/color]
 
 
[color=#E56717]========== Internet Explorer ==========[/color]
 
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/ [binary data]
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/ [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf:  File not found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf:  File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0:  File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0:  File not found
FF - HKLM\Software\MozillaPlugins\@nitropdf.com/NitroPDF: C:\Program Files (x86)\Nitro PDF\Reader 2\npnitromozilla.dll ( )
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files (x86)\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files (x86)\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=:  File not found
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/10/12 15:13:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/10/12 15:08:10 | 000,000,000 | ---D | M]
 
[2011/06/18 16:44:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jay\AppData\Roaming\Mozilla\Extensions
[2011/10/16 14:38:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\gzqv13n3.Jay\extensions
[2011/09/24 00:29:18 | 000,000,000 | ---D | M] (Flagfox) -- C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\gzqv13n3.Jay\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2011/08/18 23:44:15 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\gzqv13n3.Jay\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/10/15 19:57:00 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\gzqv13n3.Jay\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2011/08/25 22:12:47 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\gzqv13n3.Jay\extensions\[email protected]
[2011/08/06 19:31:53 | 000,000,000 | ---D | M] (LastPass) -- C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\gzqv13n3.Jay\extensions\[email protected]
[2011/10/21 01:10:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/09/29 23:57:39 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/10/21 01:03:24 | 000,611,224 | ---- | M] (Oracle Corporation) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
 
O1 HOSTS File: ([2011/10/22 01:44:50 | 000,000,760 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:[b]64bit:[/b] - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4:[b]64bit:[/b] - HKLM..\Run: [StartupDelayer] C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe (r2 Studios)
O4:[b]64bit:[/b] - HKLM..\Run: [UMonit] C:\Windows\SysWOW64\UMonit.exe ()
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [jmekey] C:\Program Files (x86)\jmesoft\hotkey.exe (JME)
O4 - HKLM..\Run: [ModeSwitch] C:\Program Files\Lenovo\Power Dial\LitModeSwitch.exe (Lenovo)
O4 - HKLM..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe ()
O4 - HKLM..\RunOnce: [GrpConv] C:\windows\SysWow64\grpconv.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EnableShellExecuteHooks = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SynchronousMachineGroupPolicy = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SynchronousUserGroupPolicy = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoThumbnailCache = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetOpenWith = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideRunAsVerb = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Disallow.Cpl = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Sync Center = Sync Center
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Credential Manager = Credential Manager
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: HomeGroup = HomeGroup
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Windows CardSpace = Windows CardSpace
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Speech Recognition = Speech Recognition
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Location and Other Sensors = Location and Other Sensors
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Backup and Restore = Backup and Restore
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Phone and Modem = Phone and Modem
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Parental Controls = Parental Controls
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Getting Started = Getting Started
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Windows Anytime Upgrade = Windows Anytime Upgrade
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Revo Uninstaller Pro = Revo Uninstaller Pro
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000001 - mmswsock.dll File not found
O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000002 - mmswsock.dll File not found
O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000003 - mmswsock.dll File not found
O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000004 - mmswsock.dll File not found
O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000005 - mmswsock.dll File not found
O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000006 - mmswsock.dll File not found
O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000007 - mmswsock.dll File not found
O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000008 - mmswsock.dll File not found
O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000009 - mmswsock.dll File not found
O10:[b]64bit:[/b] - Protocol_Catalog9\Catalog_Entries64\000000000010 - mmswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O13[b]64bit:[/b] - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: samsungsetup.com ([www] http in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 10.1.0)
O16 - DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 1.7.0_01)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 1.7.0_01)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1BCA482E-2CAA-4932-AB96-E1275DDCB765}: DhcpNameServer = 10.50.0.1 10.50.0.2 10.50.0.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{78529EC1-4EFE-445D-BE2B-2EB18A79AA84}: DhcpNameServer = 192.168.11.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{87D4461F-91BD-4EFB-B24D-EA18E6E81D80}: NameServer = 8.8.8.8,8.8.4.4
O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
O20:[b]64bit:[/b] - AppInit_DLLs: (RemoveFocusRect.dll) - C:\windows\SysNative\RemoveFocusRect.dll ()
O20:[b]64bit:[/b] - AppInit_DLLs: (C:\windows\system32\guard64.dll) - C:\Windows\SysNative\guard64.dll (COMODO)
O20 - AppInit_DLLs: (RemoveFocusRect.dll) -C:\windows\SysWow64\RemoveFocusRect.dll ()
O20 - AppInit_DLLs: (C:\windows\SysWOW64\guard32.dll) -C:\Windows\SysWOW64\guard32.dll (COMODO)
O20:[b]64bit:[/b] - HKLM Winlogon: Shell - (explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20:[b]64bit:[/b] - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) -C:\windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O27:[b]64bit:[/b] - HKLM IFEO\taskmgr.exe: Debugger - C:\Program Files (x86)\System Explorer\SystemExplorer.exe (Mister Group)
O27 - HKLM IFEO\taskmgr.exe: Debugger - C:\Program Files (x86)\System Explorer\SystemExplorer.exe (Mister Group)
O28:[b]64bit:[/b] - HKLM ShellExecuteHooks: {3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE} - C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll (GP Software)
O28 - HKLM ShellExecuteHooks: {EE761688-C137-4b04-8FAB-3C9CDF0886F0} - C:\Program Files\GPSoftware\Directory Opus\dopuslib32.dll (GP Software)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:[b]64bit:[/b] - HKLM\..comfile [open] -- "%1" %*
O35:[b]64bit:[/b] - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:[b]64bit:[/b] - HKLM\...com [@ = comfile] -- "%1" %*
O37:[b]64bit:[/b] - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]
 
[2011/10/22 11:08:54 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Local\ElevatedDiagnostics
[2011/10/22 10:31:17 | 000,460,888 | ---- | C] (Kaspersky Lab ZAO) -- C:\windows\SysNative\drivers\71051577.sys
[2011/10/22 01:32:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2011/10/22 01:24:00 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Local\NPE
[2011/10/22 01:24:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2011/10/22 01:01:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2011/10/21 21:56:37 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Malwarebytes
[2011/10/21 21:56:33 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/10/21 21:56:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/10/21 21:56:30 | 000,025,416 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
[2011/10/21 21:56:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/10/21 20:31:14 | 000,000,000 | ---D | C] -- C:\windows\system64
[2011/10/21 01:03:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
[2011/10/19 20:03:31 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Local\COMODO
[2011/10/13 13:55:59 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Local\28050
[2011/10/12 18:20:51 | 000,000,000 | -H-D | C] -- C:\VritualRoot
[2011/10/12 16:48:21 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\COMODO
[2011/10/12 16:48:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Comodo
[2011/10/12 16:48:15 | 000,000,000 | ---D | C] -- C:\Program Files\COMODO
[2011/10/12 16:45:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2011/10/12 16:45:49 | 000,000,000 | R--D | C] -- C:\Program Files (x86)\Skype
[2011/10/12 16:32:10 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Nitro PDF Reader
[2011/10/12 16:07:40 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Nitro PDF
[2011/10/12 16:07:24 | 000,028,976 | ---- | C] (Nitro PDF Software) -- C:\windows\SysNative\nitrolocalmon2.dll
[2011/10/12 16:07:24 | 000,017,200 | ---- | C] (Nitro PDF Software) -- C:\windows\SysNative\nitrolocalui2.dll
[2011/10/12 16:07:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Nitro PDF
[2011/10/12 16:07:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nitro PDF
[2011/10/12 16:07:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Nitro PDF
[2011/10/12 16:07:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Nitro PDF
[2011/10/12 16:06:53 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Downloaded Installations
[2011/10/12 16:01:30 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Notepad++
[2011/10/12 16:01:29 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Notepad++
[2011/10/12 16:01:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Notepad++
[2011/10/12 15:52:46 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/10/12 15:52:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/10/12 15:52:26 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/10/12 15:52:25 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/10/12 10:44:31 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
[2011/10/12 10:44:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
[2011/10/12 10:31:41 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2011/10/12 10:31:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2011/10/07 18:47:56 | 000,016,528 | ---- | C] (COMODO) -- C:\windows\SysNative\drivers\cmderd.sys
[2011/10/07 18:47:14 | 000,041,200 | ---- | C] (COMODO) -- C:\windows\SysNative\cmdcsr.dll
[2011/10/07 18:47:12 | 000,300,200 | ---- | C] (COMODO) -- C:\windows\SysWow64\guard32.dll
[2011/10/07 18:47:10 | 000,388,280 | ---- | C] (COMODO) -- C:\windows\SysNative\guard64.dll
[2011/09/30 10:20:54 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Daum
[2011/09/30 10:20:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Daum
[2011/09/28 13:47:55 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Speccy
[2011/09/28 13:47:55 | 000,000,000 | ---D | C] -- C:\Program Files\Speccy
[2011/09/24 11:10:18 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rainmeter
[2011/09/22 17:35:12 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Explorer
[2011/09/22 17:35:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Explorer
 
[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]
 
[2011/10/22 11:49:01 | 001,474,832 | ---- | M] () -- C:\windows\SysNative\drivers\sfi.dat
[2011/10/22 11:26:31 | 000,025,160 | ---- | M] () -- C:\windows\SysNative\drivers\hitmanpro35.sys
[2011/10/22 10:58:30 | 000,000,298 | -HS- | M] () -- C:\windows\6821560drv.spi
[2011/10/22 10:36:17 | 000,017,952 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/10/22 10:36:17 | 000,017,952 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/10/22 10:33:21 | 000,726,316 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2011/10/22 10:33:21 | 000,623,940 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2011/10/22 10:33:21 | 000,106,316 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2011/10/22 10:29:04 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2011/10/22 10:24:27 | 000,000,238 | ---- | M] () -- C:\windows\tasks\RunAsStdUser Task.job
[2011/10/22 01:44:50 | 000,000,760 | ---- | M] () -- C:\windows\SysNative\drivers\etc\hosts
[2011/10/21 23:42:24 | 000,460,888 | ---- | M] (Kaspersky Lab ZAO) -- C:\windows\SysNative\drivers\71051577.sys
[2011/10/16 00:11:25 | 000,008,704 | ---- | M] () -- C:\Users\Jay\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/10/12 16:48:21 | 000,001,846 | ---- | M] () -- C:\Users\Public\Desktop\COMODO Internet Security.lnk
[2011/10/12 16:07:22 | 000,002,001 | ---- | M] () -- C:\Users\Public\Desktop\Nitro PDF Reader.lnk
[2011/10/12 14:24:22 | 000,381,664 | ---- | M] () -- C:\windows\SysNative\FNTCACHE.DAT
[2011/10/10 08:31:18 | 000,017,200 | ---- | M] (Nitro PDF Software) -- C:\windows\SysNative\nitrolocalui2.dll
[2011/10/10 08:31:16 | 000,028,976 | ---- | M] (Nitro PDF Software) -- C:\windows\SysNative\nitrolocalmon2.dll
[2011/10/07 18:47:56 | 000,016,528 | ---- | M] (COMODO) -- C:\windows\SysNative\drivers\cmderd.sys
[2011/10/07 18:47:14 | 000,041,200 | ---- | M] (COMODO) -- C:\windows\SysNative\cmdcsr.dll
[2011/10/07 18:47:12 | 000,300,200 | ---- | M] (COMODO) -- C:\windows\SysWow64\guard32.dll
[2011/10/07 18:47:10 | 000,388,280 | ---- | M] (COMODO) -- C:\windows\SysNative\guard64.dll
[2011/09/22 17:48:35 | 000,156,556 | -H-- | M] () -- C:\windows\SysWow64\mlfcache.dat
 
[color=#E56717]========== Files Created - No Company Name ==========[/color]
 
[2011/10/22 10:36:16 | 000,000,298 | -HS- | C] () -- C:\windows\6821560drv.spi
[2011/10/22 10:24:27 | 000,000,238 | ---- | C] () -- C:\windows\tasks\RunAsStdUser Task.job
[2011/10/22 01:10:27 | 000,025,160 | ---- | C] () -- C:\windows\SysNative\drivers\hitmanpro35.sys
[2011/10/12 16:48:21 | 000,001,846 | ---- | C] () -- C:\Users\Public\Desktop\COMODO Internet Security.lnk
[2011/10/12 16:07:22 | 000,002,001 | ---- | C] () -- C:\Users\Public\Desktop\Nitro PDF Reader.lnk
[2011/08/22 09:54:54 | 000,258,864 | ---- | C] () -- C:\windows\SUPDRun.exe
[2011/08/18 23:39:46 | 000,000,017 | ---- | C] () -- C:\Users\Jay\AppData\Local\resmon.resmoncfg
[2011/07/14 15:50:25 | 000,156,556 | -H-- | C] () -- C:\windows\SysWow64\mlfcache.dat
[2011/06/22 22:33:22 | 000,008,704 | ---- | C] () -- C:\Users\Jay\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/19 11:52:08 | 000,000,262 | ---- | C] () -- C:\windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2011/06/18 23:36:15 | 000,057,344 | ---- | C] () -- C:\windows\SysWow64\ArmAccess.dll
[2011/06/18 20:44:25 | 000,743,066 | ---- | C] () -- C:\windows\SysWow64\PerfStringBackup.INI
[2011/06/18 19:04:17 | 000,000,022 | -HS- | C] () -- C:\Users\Jay\AppData\Roaming\Sys2662.Config.Repository.bin
[2011/06/18 17:58:30 | 000,482,408 | ---- | C] () -- C:\windows\ssndii.exe
[2011/06/18 16:26:14 | 000,003,584 | ---- | C] () -- C:\windows\SysWow64\RemoveFocusRect.dll
[2011/04/01 00:07:02 | 010,877,272 | ---- | C] () -- C:\windows\SysWow64\LogiDPP.dll
[2011/04/01 00:07:02 | 000,102,744 | ---- | C] () -- C:\windows\SysWow64\LogiDPPApp.exe
[2011/04/01 00:06:56 | 000,331,608 | ---- | C] () -- C:\windows\SysWow64\DevManagerCore.dll
[2011/03/17 12:51:44 | 000,003,929 | ---- | C] () -- C:\windows\SysWow64\atipblag.dat
[2011/01/08 07:30:02 | 000,139,264 | ---- | C] () -- C:\windows\SysWow64\ustor.dll
[2011/01/08 07:30:02 | 000,040,960 | ---- | C] () -- C:\windows\SysWow64\UMonit.exe
[2011/01/08 07:30:00 | 000,001,393 | ---- | C] () -- C:\windows\SysWow64\IconCfg0.ini
[2011/01/08 07:30:00 | 000,000,722 | ---- | C] () -- C:\windows\SysWow64\ProductName.ini
[2011/01/08 07:27:23 | 000,008,192 | ---- | C] () -- C:\windows\SysWow64\drivers\IntelMEFWVer.dll
[2011/01/08 07:21:31 | 000,201,728 | ---- | C] () -- C:\windows\SetDrive.exe
[2011/01/08 07:21:30 | 000,036,864 | ---- | C] () -- C:\windows\WinWait.exe
[2010/11/22 22:04:40 | 000,097,121 | ---- | C] () -- C:\windows\SysWow64\atxaux64.exe
[2009/08/03 00:21:54 | 000,197,912 | ---- | C] () -- C:\windows\SysWow64\physxcudart_20.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelTraditionalChinese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelSwedish.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelSpanish.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelPortugese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelKorean.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelJapanese.dll
[2009/08/03 00:21:52 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelGerman.dll
[2009/08/03 00:21:52 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelFrench.dll
[2009/07/26 16:07:52 | 000,000,000 | ---- | C] () -- C:\windows\ativpsrm.bin
[2009/07/14 00:38:36 | 000,067,584 | --S- | C] () -- C:\windows\bootstat.dat
[2009/07/13 21:35:51 | 000,000,741 | ---- | C] () -- C:\windows\SysWow64\NOISE.DAT
[2009/07/13 21:34:42 | 000,215,943 | ---- | C] () -- C:\windows\SysWow64\dssec.dat
[2009/07/13 19:10:29 | 000,043,131 | ---- | C] () -- C:\windows\mib.bin
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\windows\SysWow64\msjetoledb40.dll
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- C:\windows\SysWow64\mlang.dat
 
[color=#E56717]========== LOP Check ==========[/color]
 
[2011/06/19 17:37:47 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Auslogics
[2011/09/22 18:23:29 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Design Science
[2011/10/12 16:06:53 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Downloaded Installations
[2011/10/21 22:14:14 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Dropbox
[2011/09/15 23:03:06 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\GPSoftware
[2011/06/18 17:37:45 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\johnsadventures.com
[2011/06/18 18:07:04 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Leadertech
[2011/07/26 16:09:02 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\LolClient
[2011/08/09 22:57:31 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Mp3tag
[2011/10/17 00:50:39 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Nitro PDF
[2011/10/12 16:02:06 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Notepad++
[2011/09/12 10:27:34 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\PotPlayerMini64
[2011/08/23 21:06:56 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Rainmeter
[2011/06/18 22:32:09 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\SoftGrid Client
[2011/08/23 20:52:07 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Stickies
[2011/08/18 21:59:49 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\USBSafelyRemove
[2011/10/21 18:29:27 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\uTorrent
[2011/10/22 10:24:27 | 000,000,238 | ---- | M] () -- C:\windows\Tasks\RunAsStdUser Task.job
[2011/09/27 11:37:04 | 000,032,540 | ---- | M] () -- C:\windows\Tasks\SCHEDLGU.TXT
 
[color=#E56717]========== Purity Check ==========[/color]
 
 
 
[color=#E56717]========== Alternate Data Streams ==========[/color]
 
@Alternate Data Stream - 178 bytes -> C:\ProgramData\Temp:58A5270D
@Alternate Data Stream - 176 bytes -> C:\ProgramData\Temp:07BF512B

< End of report >
How do I rid myself of this infection?

#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi, it is not ZeroAccess but its baby brother. We will kill the main elements first and then see what remains.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

THEN

  • Run OTL.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    C:\Windows\assembly\tmp\U\*.* /s
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open one notepad window.
  • Post this log along with the combofix one


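An added example, not code from OTL, ComboFix or any post in this thread: a small Python parser for the OTL file-listing and alternate-data-stream lines posted above, which flags the indicators this thread turns on (the C:\windows\system64 folder, consrv.dll in system32, files staged under \windows\assembly\tmp, streams on C:\ProgramData\Temp) plus OTL's own "no company name" heuristic for binaries in the Windows folder. The sample lines are copied from the OTL log above, except the consrv.dll line, which is constructed.

```python
"""Triage OTL file-listing and alternate-data-stream lines for the
ZeroAccess-family indicators discussed in this thread. Added example: this is
not code from OTL, ComboFix or any post in the thread."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# OTL "Files/Folders" line shapes seen in the log above:
#   [2011/10/21 20:31:14 | 000,000,000 | ---D | C] -- C:\windows\system64
#   [2011/08/22 09:54:54 | 000,258,864 | ---- | C] () -- C:\windows\SUPDRun.exe
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
# OTL alternate-data-stream line:
#   @Alternate Data Stream - 178 bytes -> C:\ProgramData\Temp:58A5270D
ADS_LINE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")
BINARY_EXTS = (".exe", ".dll", ".sys")

@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str              # "---D" = directory, "-HS-" = hidden+system, ...
    op: str                 # "C" = created, "M" = modified
    company: Optional[str]  # None when OTL printed "()" or no company at all
    path: str

def parse_file_line(line: str) -> Optional[Entry]:
    """Parse one OTL file/folder line; return None for any other line."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    return Entry(m.group("ts"), int(m.group("size").replace(",", "")), m.group("attrs"),
                 m.group("op"), m.group("company") or None, m.group("path"))

def classify(entry: Entry) -> Optional[str]:
    """Name the indicator an entry matches, or None when it looks benign."""
    p = entry.path.lower()
    name = p.rsplit("\\", 1)[-1]
    # On x64 OTL writes the 64-bit system32 as SysNative; accept both spellings.
    in_system32 = "\\windows\\system32\\" in p or "\\windows\\sysnative\\" in p
    if p == "c:\\windows\\system64" or p.startswith("c:\\windows\\system64\\"):
        return "System64 folder (ZeroAccess-family drop location)"
    if name == "consrv.dll" and in_system32:
        return "consrv.dll in system32 (ZeroAccess-family component)"
    if "\\windows\\assembly\\tmp\\" in p or "\\windows\\assembly\\temp\\" in p:
        return "file staged under \\windows\\assembly\\tmp"
    if ("D" not in entry.attrs and entry.company is None
            and p.startswith("c:\\windows\\") and name.endswith(BINARY_EXTS)):
        # OTL's own "Files Created - No Company Name" heuristic: worth a look,
        # not an automatic verdict, since some vendors ship unlabelled binaries.
        return "binary in Windows folder with no company name (review)"
    return None

def classify_ads(line: str) -> Optional[Tuple[str, str]]:
    """Flag an OTL alternate-data-stream line (streams on ProgramData\\Temp
    are the pattern in this thread's log)."""
    m = ADS_LINE.match(line.strip())
    if not m:
        return None
    stream = m.group("path")
    host = stream.rsplit(":", 1)[0].lower()  # drop the ":streamname" suffix
    if host == "c:\\programdata\\temp":
        return stream, f"alternate data stream on ProgramData\\Temp ({m.group('size')} bytes)"
    return stream, "alternate data stream (review)"

def triage(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run every line through both parsers and collect (path, reason) hits."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        entry = parse_file_line(line)
        if entry is not None:
            reason = classify(entry)
            if reason:
                findings.append((entry.path, reason))
            continue
        hit = classify_ads(line)
        if hit:
            findings.append(hit)
    return findings

# Lines copied from the OTL log in this thread, plus one CONSTRUCTED consrv.dll
# line (its timestamp and size are invented) so that check has a match.
SAMPLE_LOG = r"""
[2011/10/22 10:31:17 | 000,460,888 | ---- | C] (Kaspersky Lab ZAO) -- C:\windows\SysNative\drivers\71051577.sys
[2011/10/21 20:31:14 | 000,000,000 | ---D | C] -- C:\windows\system64
[2011/10/07 18:47:10 | 000,388,280 | ---- | C] (COMODO) -- C:\windows\SysNative\guard64.dll
[2011/08/22 09:54:54 | 000,258,864 | ---- | C] () -- C:\windows\SUPDRun.exe
[2011/10/21 20:30:00 | 000,061,440 | ---- | C] () -- C:\windows\SysNative\consrv.dll
@Alternate Data Stream - 178 bytes -> C:\ProgramData\Temp:58A5270D
< End of report >
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{reason:62s} {path}")
```
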
#3
TheUnluckyOne

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Sorry for the double post, but I dug a little deeper in my Google researching, and one suggestion was to run Kaspersky TDSS Killer. I downloaded it and ran it, and it found zero threats. This would perhaps explain why I'm not getting any redirects, or any severe infections (e.g. trojan downloaders installing rogue AV software).

What it doesn't explain is why the devil I'm still getting these annoying files in the C:\Windows\assembly\temp folder trying to run.

EDIT: Essexboy posted just a few seconds before this post, so this post has nothing to do with his above; it is not a reply. I'll read his post and then post a follow-up.

Edited by TheUnluckyOne, 22 October 2011 - 11:38 AM.


#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
TDSSKiller is not geared for this malware, as generally it does not touch the MBR.

The assembly files are part of the reason for redirects - note that in my OTL scan I am actually doing an investigation of that area

#5
TheUnluckyOne

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Alright, I ran ComboFix, and the log is pasted below.
ComboFix 11-10-21.06 - Jay 10/22/2011  12:43:42.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6127.4291 [GMT -5:00]
Running from: c:\users\Jay\Downloads\ComboFix.exe
AV: COMODO Antivirus *Disabled/Updated* {7554F4C5-5EC0-2FC6-8192-8DF831DBED51}
FW: COMODO Firewall *Enabled* {4D6F75E0-14AF-2E9E-AACD-24CDCF08AA2A}
SP: COMODO Defense+ *Disabled/Updated* {CE351521-78FA-2048-BB22-B68A4A5CA7EC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
(((((((((((((((((((((((((   Files Created from 2011-09-22 to 2011-10-22  )))))))))))))))))))))))))))))))
.
.
2011-10-22 17:49 . 2011-10-22 17:49	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-10-22 16:08 . 2011-10-22 16:08	--------	d-----w-	c:\users\Jay\AppData\Local\ElevatedDiagnostics
2011-10-22 06:32 . 2011-10-22 06:32	--------	d-----w-	c:\programdata\Kaspersky Lab
2011-10-22 06:24 . 2011-10-22 07:14	--------	d-----w-	c:\users\Jay\AppData\Local\NPE
2011-10-22 06:24 . 2011-10-22 06:24	--------	d-----w-	c:\programdata\Norton
2011-10-22 06:10 . 2011-10-22 16:26	25160	----a-w-	c:\windows\system32\drivers\hitmanpro35.sys
2011-10-22 06:01 . 2011-10-22 06:10	--------	d-----w-	c:\programdata\Hitman Pro
2011-10-22 02:56 . 2011-10-22 02:56	--------	d-----w-	c:\users\Jay\AppData\Roaming\Malwarebytes
2011-10-22 02:56 . 2011-10-22 02:56	--------	d-----w-	c:\programdata\Malwarebytes
2011-10-22 02:56 . 2011-10-22 02:56	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2011-10-22 02:56 . 2011-08-31 22:00	25416	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-10-21 06:03 . 2011-10-21 06:03	--------	d-----w-	c:\program files (x86)\Java
2011-10-20 01:03 . 2011-10-20 01:03	--------	d-----w-	c:\users\Jay\AppData\Local\COMODO
2011-10-13 18:55 . 2011-10-13 18:55	--------	d-----w-	c:\users\Jay\AppData\Local\28050
2011-10-12 23:20 . 2011-10-12 23:20	--------	d-----w-	C:\VritualRoot
2011-10-12 21:48 . 2011-10-12 23:22	--------	d-----w-	c:\programdata\Comodo
2011-10-12 21:48 . 2011-10-12 21:48	--------	d-----w-	c:\program files\COMODO
2011-10-12 21:45 . 2011-10-12 21:45	--------	d-----r-	c:\program files (x86)\Skype
2011-10-12 21:07 . 2011-10-17 05:50	--------	d-----w-	c:\users\Jay\AppData\Roaming\Nitro PDF
2011-10-12 21:07 . 2011-10-10 13:31	17200	----a-w-	c:\windows\system32\nitrolocalui2.dll
2011-10-12 21:07 . 2011-10-10 13:31	28976	----a-w-	c:\windows\system32\nitrolocalmon2.dll
2011-10-12 21:07 . 2011-10-12 21:07	--------	d-----w-	c:\programdata\Nitro PDF
2011-10-12 21:07 . 2011-10-12 21:07	--------	d-----w-	c:\program files\Common Files\Nitro PDF
2011-10-12 21:07 . 2011-10-12 21:07	--------	d-----w-	c:\program files (x86)\Nitro PDF
2011-10-12 21:07 . 2011-10-12 21:07	--------	d-----w-	c:\program files (x86)\Common Files\Nitro PDF
2011-10-12 21:06 . 2011-10-12 21:06	--------	d-----w-	c:\users\Jay\AppData\Roaming\Downloaded Installations
2011-10-12 21:01 . 2011-10-12 21:02	--------	d-----w-	c:\users\Jay\AppData\Roaming\Notepad++
2011-10-12 21:01 . 2011-10-12 21:01	--------	d-----w-	c:\program files (x86)\Notepad++
2011-10-12 20:52 . 2011-10-12 20:52	--------	d-----w-	c:\program files\iPod
2011-10-12 20:52 . 2011-10-12 20:52	--------	d-----w-	c:\program files\iTunes
2011-10-12 15:33 . 2011-09-06 03:03	3138048	----a-w-	c:\windows\system32\win32k.sys
2011-10-12 15:33 . 2011-08-27 05:37	861696	----a-w-	c:\windows\system32\oleaut32.dll
2011-10-12 15:33 . 2011-08-27 05:37	331776	----a-w-	c:\windows\system32\oleacc.dll
2011-10-12 15:33 . 2011-08-27 04:26	571904	----a-w-	c:\windows\SysWow64\oleaut32.dll
2011-10-12 15:33 . 2011-08-27 04:26	233472	----a-w-	c:\windows\SysWow64\oleacc.dll
2011-10-12 15:33 . 2011-08-17 05:26	613888	----a-w-	c:\windows\system32\psisdecd.dll
2011-10-12 15:33 . 2011-08-17 05:25	108032	----a-w-	c:\windows\system32\psisrndr.ax
2011-10-12 15:33 . 2011-08-17 04:24	465408	----a-w-	c:\windows\SysWow64\psisdecd.dll
2011-10-12 15:33 . 2011-08-17 04:19	75776	----a-w-	c:\windows\SysWow64\psisrndr.ax
2011-10-07 23:48 . 2011-10-07 23:48	93200	----a-w-	c:\windows\system32\drivers\inspect.sys
2011-10-07 23:47 . 2011-10-07 23:47	574216	----a-w-	c:\windows\system32\drivers\cmdGuard.sys
2011-10-07 23:47 . 2011-10-07 23:47	43248	----a-w-	c:\windows\system32\drivers\cmdhlp.sys
2011-10-07 23:47 . 2011-10-07 23:47	16528	----a-w-	c:\windows\system32\drivers\cmderd.sys
2011-10-07 23:47 . 2011-10-07 23:47	41200	----a-w-	c:\windows\system32\cmdcsr.dll
2011-10-07 23:47 . 2011-10-07 23:47	300200	----a-w-	c:\windows\SysWow64\guard32.dll
2011-10-07 23:47 . 2011-10-07 23:47	388280	----a-w-	c:\windows\system32\guard64.dll
2011-09-28 18:47 . 2011-09-28 18:47	--------	d-----w-	c:\program files\Speccy
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-21 06:03 . 2011-06-18 21:47	544656	----a-w-	c:\windows\SysWow64\deployJava1.dll
2011-10-04 23:09 . 2011-06-18 21:43	414368	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-06 20:45 . 2011-06-19 17:45	254400	----a-w-	c:\windows\system32\aswBoot.exe
2011-08-06 17:32 . 2011-08-06 16:58	140568	----a-w-	c:\windows\SysWow64\PhysX.cpl.bak
2011-08-05 22:37 . 2011-08-05 22:37	270912	----a-w-	c:\windows\system32\drivers\dtsoftbus01.sys
2011-07-31 06:51 . 2011-07-31 06:51	71680	----a-w-	c:\windows\system32\frapsv64.dll
2011-07-31 06:51 . 2011-07-31 06:51	65536	----a-w-	c:\windows\SysWow64\frapsvid.dll
2011-07-30 23:42 . 2011-06-19 04:36	57344	----a-w-	c:\windows\SysWow64\ArmAccess.dll
2011-07-28 22:23 . 2011-08-18 23:35	9980416	----a-w-	c:\windows\system32\drivers\atikmdag.sys
2011-07-28 22:09 . 2011-08-18 23:35	23921664	----a-w-	c:\windows\system32\atio6axx.dll
2011-07-28 21:44 . 2011-08-18 23:35	18388480	----a-w-	c:\windows\SysWow64\atioglxx.dll
2011-07-28 21:40 . 2011-08-18 23:35	151552	----a-w-	c:\windows\system32\atiapfxx.exe
2011-07-28 21:40 . 2011-08-18 23:35	726528	----a-w-	c:\windows\SysWow64\aticfx32.dll
2011-07-28 21:39 . 2011-08-18 23:35	852992	----a-w-	c:\windows\system32\aticfx64.dll
2011-07-28 21:36 . 2011-08-18 23:35	462848	----a-w-	c:\windows\system32\ATIDEMGX.dll
2011-07-28 21:36 . 2011-08-18 23:35	485376	----a-w-	c:\windows\system32\atieclxx.exe
2011-07-28 21:35 . 2011-08-18 23:35	204288	----a-w-	c:\windows\system32\atiesrxx.exe
2011-07-28 21:34 . 2011-08-18 23:35	120320	----a-w-	c:\windows\system32\atitmm64.dll
2011-07-28 21:34 . 2011-08-18 23:35	423424	----a-w-	c:\windows\system32\atipdl64.dll
2011-07-28 21:33 . 2011-08-18 23:35	356352	----a-w-	c:\windows\SysWow64\atipdlxx.dll
2011-07-28 21:33 . 2011-08-18 23:35	278528	----a-w-	c:\windows\SysWow64\Oemdspif.dll
2011-07-28 21:33 . 2011-08-18 23:35	21504	----a-w-	c:\windows\system32\atimuixx.dll
2011-07-28 21:33 . 2011-08-18 23:35	59392	----a-w-	c:\windows\system32\atiedu64.dll
2011-07-28 21:33 . 2011-08-18 23:35	43520	----a-w-	c:\windows\SysWow64\ati2edxx.dll
2011-07-28 21:30 . 2011-08-18 23:35	4198912	----a-w-	c:\windows\SysWow64\atidxx32.dll
2011-07-28 21:20 . 2011-08-18 23:35	4943360	----a-w-	c:\windows\system32\atidxx64.dll
2011-07-28 21:12 . 2011-08-18 23:35	1113088	----a-w-	c:\windows\system32\atiumd6v.dll
2011-07-28 21:11 . 2011-08-18 23:35	1828864	----a-w-	c:\windows\SysWow64\atiumdmv.dll
2011-07-28 21:11 . 2011-08-18 23:35	3871744	----a-w-	c:\windows\system32\atiumd6a.dll
2011-07-28 21:11 . 2011-08-18 23:35	51200	----a-w-	c:\windows\system32\aticalrt64.dll
2011-07-28 21:11 . 2011-08-18 23:35	46080	----a-w-	c:\windows\SysWow64\aticalrt.dll
2011-07-28 21:11 . 2011-08-18 23:35	44544	----a-w-	c:\windows\system32\aticalcl64.dll
2011-07-28 21:11 . 2011-08-18 23:35	44032	----a-w-	c:\windows\SysWow64\aticalcl.dll
2011-07-28 21:10 . 2011-08-18 23:35	9644544	----a-w-	c:\windows\system32\aticaldd64.dll
2011-07-28 21:09 . 2011-08-18 23:35	4256768	----a-w-	c:\windows\SysWow64\atiumdag.dll
2011-07-28 21:07 . 2011-08-18 23:35	8247296	----a-w-	c:\windows\SysWow64\aticaldd.dll
2011-07-28 21:03 . 2011-08-18 23:35	4056064	----a-w-	c:\windows\SysWow64\atiumdva.dll
2011-07-28 21:02 . 2011-08-18 23:35	5399040	----a-w-	c:\windows\system32\atiumd64.dll
2011-07-28 21:01 . 2011-08-18 23:35	58880	----a-w-	c:\windows\system32\coinst.dll
2011-07-28 20:54 . 2011-08-18 23:35	378368	----a-w-	c:\windows\system32\atiadlxx.dll
2011-07-28 20:54 . 2011-08-18 23:35	266240	----a-w-	c:\windows\SysWow64\atiadlxy.dll
2011-07-28 20:54 . 2011-08-18 23:35	15360	----a-w-	c:\windows\system32\atig6pxx.dll
2011-07-28 20:54 . 2011-08-18 23:35	13312	----a-w-	c:\windows\SysWow64\atiglpxx.dll
2011-07-28 20:54 . 2011-08-18 23:35	13312	----a-w-	c:\windows\system32\atiglpxx.dll
2011-07-28 20:54 . 2011-08-18 23:35	39936	----a-w-	c:\windows\system32\atig6txx.dll
2011-07-28 20:54 . 2011-08-18 23:35	32768	----a-w-	c:\windows\SysWow64\atigktxx.dll
2011-07-28 20:54 . 2011-08-18 23:35	309248	----a-w-	c:\windows\system32\drivers\atikmpag.sys
2011-07-28 20:53 . 2011-08-18 23:35	40960	----a-w-	c:\windows\system32\atiuxp64.dll
2011-07-28 20:53 . 2011-08-18 23:35	31744	----a-w-	c:\windows\SysWow64\atiuxpag.dll
2011-07-28 20:53 . 2011-08-18 23:35	38912	----a-w-	c:\windows\system32\atiu9p64.dll
2011-07-28 20:53 . 2011-08-18 23:35	29184	----a-w-	c:\windows\SysWow64\atiu9pag.dll
2011-07-28 20:52 . 2011-08-18 23:35	53248	----a-w-	c:\windows\system32\drivers\ati2erec.dll
2011-07-28 20:51 . 2011-08-18 23:35	53760	----a-w-	c:\windows\system32\atimpc64.dll
2011-07-28 20:51 . 2011-08-18 23:35	53760	----a-w-	c:\windows\system32\amdpcom64.dll
2011-07-28 20:51 . 2011-08-18 23:35	52736	----a-w-	c:\windows\SysWow64\atimpc32.dll
2011-07-28 20:51 . 2011-08-18 23:35	52736	----a-w-	c:\windows\SysWow64\amdpcom32.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12	94208	----a-w-	c:\users\Jay\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12	94208	----a-w-	c:\users\Jay\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12	94208	----a-w-	c:\users\Jay\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12	94208	----a-w-	c:\users\Jay\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-09-14 283160]
"ModeSwitch"="c:\program files\Lenovo\Power Dial\LitModeSwitch.exe" [2010-09-26 163840]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2010-06-08 618496]
"jmekey"="c:\program files (x86)\jmesoft\hotkey.exe" [2009-07-16 114688]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"HideFastUserSwitching"= 1 (0x1)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableStatusMessages"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"HideRunAsVerb"= 1 (0x1)
"Disallow.Cpl"= 1 (0x1)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EE761688-C137-4b04-8FAB-3C9CDF0886F0}"= "c:\program files\GPSoftware\Directory Opus\dopuslib32.dll" [2011-09-09 358000]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 lvpopf64;Logitech POP Suppression Filter;c:\windows\system32\DRIVERS\lvpopf64.sys [x]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [x]
R3 RTL8023x64;Realtek 10/100 NIC Family NDIS x64 Driver;c:\windows\system32\DRIVERS\Rtnic64.sys [x]
R3 RTL8192U;Realtek RTL8192u 802.11n Wireless LAN USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192u.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S0 WinI2C-DDC;WinI2C-DDC Kernel Mode Driver;c:\windows\system32\drivers\DDCDrv.sys [2008-04-08 20832]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-14 13336]
S2 LenovoCOMSvc;LenovoCOMService;c:\program files\Lenovo\Power Dial\LenovoCOMSvc.exe [2009-09-30 49152]
S2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe [2011-10-10 341296]
S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\CyberLink\Shared files\RichVideo64.exe [2010-08-19 386344]
S2 SystemExplorerHelpService;System Explorer Help Service;c:\program files (x86)\System Explorer\SystemExplorerService64.exe [2011-09-22 712520]
S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-04-01 428640]
S2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files (x86)\USB Safely Remove\USBSRService.exe [2011-08-04 551352]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S3 e1cexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c62x64.sys [x]
S3 LitModeCtrl;LitModeCtrl;c:\program files\Lenovo\Power Dial\LitModeCtrl.exe [2010-09-09 81920]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
S3 LVUVC64;Logitech Webcam C210(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]
S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 USTOR2K;USB Mass Storage Windows Driver;c:\windows\system32\DRIVERS\ustor2k.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - 71051577
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-22 c:\windows\Tasks\RunAsStdUser Task.job
- c:\program files\GPSoftware\Directory Opus\dopus.exe [2011-09-16 21:35]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12	97792	----a-w-	c:\users\Jay\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12	97792	----a-w-	c:\users\Jay\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12	97792	----a-w-	c:\users\Jay\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12	97792	----a-w-	c:\users\Jay\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UMonit"="c:\windows\SysWOW64\UMonit.exe" [2010-01-21 40960]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-10-20 9264456]
"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher.exe" [2011-08-16 893440]
"combofix"="c:\combofix\CF25062.3XE" [2010-11-20 345088]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}"= "c:\program files\GPSoftware\Directory Opus\dopuslib.dll" [2011-09-09 1354904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"RequireSignedAppInit_DLLs"=0x0
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://lenovo.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\Microsoft Office\Office14\EXCEL.EXE/3000
Trusted Zone: samsungsetup.com\www
TCP: Interfaces\{87D4461F-91BD-4EFB-B24D-EA18E6E81D80}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\gzqv13n3.Jay\
FF - prefs.js: network.proxy.type - 0
.
.
------- File Associations -------
.
.txt=Notepad++_file
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
ShellIconOverlayIdentifiers-{9F6BB26E-8769-4F45-9161-2920BF1193A1} - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
"ImagePath"="\"c:\program files\CyberLink\Shared files\RichVideo64.exe\"\00Z
[\]^_\00\00\00\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~\00\00\00\00\00\00^\00\00\00\00\00\00\00\00''""
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
.
**************************************************************************
.
Completion time: 2011-10-22  12:56:37 - machine was rebooted
ComboFix-quarantined-files.txt  2011-10-22 17:56
.
Pre-Run: 711,513,829,376 bytes free
Post-Run: 711,248,211,968 bytes free
.
- - End Of File - - B2A0886924B46F20992BD9218744BD7C
After the computer restarted and ComboFix finished, my computer didn't feel any different. Perhaps this was, as I mentioned in my original post, because I never noticed a slowdown to begin with. The only things that I did notice (and that clued me in to this infection) were the persistent popups from COMODO Internet Security telling me I had malware running from the assembly folder, and PING.exe was also running comfortably in memory for some bizarre reason.

Now, however, PING.exe is no longer running in memory.

Then I ran a Quick Scan with OTL using the custom parameters. The log is pasted below.
OTL logfile created on: 10/22/2011 1:02:59 PM - Run 3
OTL by OldTimer - Version 3.2.31.0 	Folder = C:\Users\Jay\Downloads
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
5.98 Gb Total Physical Memory | 4.52 Gb Available Physical Memory | 75.47% Memory free
12.04 Gb Paging File | 10.49 Gb Available in Paging File | 87.17% Paging File free
Paging file location(s): c:\pagefile.sys 6200 6200 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 906.34 Gb Total Space | 662.47 Gb Free Space | 73.09% Space Free | Partition Type: NTFS
Drive E: | 7.46 Gb Total Space | 7.40 Gb Free Space | 99.13% Space Free | Partition Type: NTFS
 
Computer Name: JAY-PC | User Name: Jay | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
[color=#E56717]========== Processes (SafeList) ==========[/color]
 
PRC - [2011/10/22 01:50:50 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\Jay\Downloads\OTL.exe
PRC - [2011/10/19 08:51:20 | 002,566,472 | ---- | M] (Mister Group) -- C:\Program Files (x86)\System Explorer\SystemExplorer.exe
PRC - [2011/09/29 23:57:39 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
PRC - [2011/04/01 05:11:52 | 000,428,640 | ---- | M] (Logitech Inc.) -- C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe
PRC - [2010/09/13 21:32:32 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
PRC - [2010/09/13 21:32:30 | 000,283,160 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
PRC - [2010/09/09 14:46:14 | 000,081,920 | ---- | M] (Lenovo) -- C:\Program Files\Lenovo\Power Dial\LitModeCtrl.exe
PRC - [2009/09/30 14:19:30 | 000,049,152 | ---- | M] (Lenovo) -- C:\Program Files\Lenovo\Power Dial\LenovoCOMSvc.exe
PRC - [2009/07/16 12:05:10 | 000,114,688 | ---- | M] (JME) -- C:\Program Files (x86)\jmesoft\hotkey.exe
 
 
[color=#E56717]========== Modules (No Company Name) ==========[/color]
 
MOD - [2011/10/12 15:29:00 | 000,475,136 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\60c320dbe033e8ff4830cdc059933f2c\IAStorUtil.ni.dll
MOD - [2011/10/12 15:29:00 | 000,014,336 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\ebfad289d9759034cd3a887802fadb5b\IAStorCommon.ni.dll
MOD - [2011/10/12 14:28:47 | 000,771,584 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b2622080e047040fa044dd21a04ff10d\System.Runtime.Remoting.ni.dll
MOD - [2011/10/12 14:28:28 | 012,433,408 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6e592e424a204aafeadbe22b6b31b9db\System.Windows.Forms.ni.dll
MOD - [2011/10/12 14:28:23 | 001,587,200 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\3b2cfd85528a27eb71dc41d8067359a1\System.Drawing.ni.dll
MOD - [2011/10/12 14:28:14 | 003,347,968 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\d7a64c28cf0c90e6c48af4f7d6f9ed41\WindowsBase.ni.dll
MOD - [2011/10/12 14:28:11 | 005,453,312 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\130ad4d9719e566ca933ac7158a04203\System.Xml.ni.dll
MOD - [2011/10/12 14:28:08 | 007,963,648 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System\abab08afa60a6f06bdde0fcc9649c379\System.ni.dll
MOD - [2011/10/12 14:28:08 | 000,971,264 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d5bcbeb9475ef62189f605bcca1cec6\System.Configuration.ni.dll
MOD - [2011/10/12 14:28:04 | 011,490,304 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll
MOD - [2011/09/29 23:57:39 | 001,833,944 | ---- | M] () -- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
MOD - [2011/09/27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/08/05 17:49:19 | 000,928,256 | ---- | M] () -- C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\gzqv13n3.Jay\extensions\[email protected]\platform\WINNT_x86-msvc\components\lpxpcom.dll
MOD - [2009/07/16 12:20:38 | 000,032,768 | ---- | M] () -- C:\Program Files (x86)\jmesoft\KeyHook.dll
MOD - [2007/12/31 13:27:42 | 000,007,168 | ---- | M] () -- C:\Program Files (x86)\jmesoft\VistaVolume.dll
 
 
[color=#E56717]========== Win32 Services (SafeList) ==========[/color]
 
SRV:[b]64bit:[/b] - [2011/10/10 08:32:14 | 000,341,296 | ---- | M] (Nitro PDF Software) [Auto | Running] -- C:\Program Files\Common Files\Nitro PDF\Reader\2.0\NitroPDFReaderDriverService2x64.exe -- (NitroReaderDriverReadSpool2)
SRV:[b]64bit:[/b] - [2011/10/07 18:47:16 | 002,663,568 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV:[b]64bit:[/b] - [2011/07/28 16:35:34 | 000,204,288 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:[b]64bit:[/b] - [2010/09/09 14:46:14 | 000,081,920 | ---- | M] (Lenovo) [On_Demand | Running] -- C:\Program Files\Lenovo\Power Dial\LitModeCtrl.exe -- (LitModeCtrl)
SRV:[b]64bit:[/b] - [2010/08/19 17:43:24 | 000,386,344 | ---- | M] () [Auto | Running] -- C:\Program Files\CyberLink\Shared files\RichVideo64.exe -- (RichVideo64)
SRV:[b]64bit:[/b] - [2009/09/30 14:19:30 | 000,049,152 | ---- | M] (Lenovo) [Auto | Running] -- C:\Program Files\Lenovo\Power Dial\LenovoCOMSvc.exe -- (LenovoCOMSvc)
SRV:[b]64bit:[/b] - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2011/09/22 11:47:20 | 000,712,520 | ---- | M] (Mister Group) [Auto | Running] -- C:\Program Files (x86)\System Explorer\SystemExplorerService64.exe -- (SystemExplorerHelpService)
SRV - [2011/08/04 14:25:22 | 000,551,352 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\USB Safely Remove\USBSRService.exe -- (USBSafelyRemoveService)
SRV - [2011/06/18 17:14:14 | 000,403,240 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2011/04/01 05:11:52 | 000,428,640 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe -- (UMVPFSrv)
SRV - [2010/09/13 21:32:32 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc) Intel(R)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
[color=#E56717]========== Driver Services (SafeList) ==========[/color]
 
DRV:[b]64bit:[/b] - [2011/10/07 18:47:56 | 000,016,528 | ---- | M] (COMODO) [File_System | System | Running] -- C:\Windows\SysNative\drivers\cmderd.sys -- (cmderd)
DRV:[b]64bit:[/b] - [2011/08/05 17:37:15 | 000,270,912 | ---- | M] (DT Soft Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV:[b]64bit:[/b] - [2011/07/28 17:23:16 | 009,980,416 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:[b]64bit:[/b] - [2011/07/28 17:23:16 | 009,980,416 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:[b]64bit:[/b] - [2011/07/28 15:54:10 | 000,309,248 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:[b]64bit:[/b] - [2011/06/06 17:07:00 | 000,231,440 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:[b]64bit:[/b] - [2011/05/10 08:06:08 | 000,051,712 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:[b]64bit:[/b] - [2011/04/01 00:07:54 | 004,184,672 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\lvuvc64.sys -- (LVUVC64) Logitech Webcam C210(UVC)
DRV:[b]64bit:[/b] - [2011/04/01 00:06:22 | 000,341,856 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\lvrs64.sys -- (LVRS64)
DRV:[b]64bit:[/b] - [2011/03/11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:[b]64bit:[/b] - [2011/03/11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:[b]64bit:[/b] - [2010/11/20 08:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:[b]64bit:[/b] - [2010/11/20 06:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:[b]64bit:[/b] - [2010/09/21 01:34:18 | 000,313,520 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1c62x64.sys -- (e1cexpress) Intel(R)
DRV:[b]64bit:[/b] - [2010/09/20 20:59:38 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64) Intel(R)
DRV:[b]64bit:[/b] - [2010/09/13 21:24:26 | 000,437,272 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:[b]64bit:[/b] - [2010/05/07 18:43:30 | 000,030,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LVPr2M64.sys -- (LVPr2Mon)
DRV:[b]64bit:[/b] - [2010/05/07 18:43:30 | 000,030,304 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LVPr2M64.sys -- (LVPr2M64)
DRV:[b]64bit:[/b] - [2010/05/07 13:42:46 | 000,271,712 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lvpopf64.sys -- (lvpopf64)
DRV:[b]64bit:[/b] - [2010/04/13 04:57:26 | 001,631,264 | ---- | M] (Realtek Semiconductor Corporation               			) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RTL8192u.sys -- (RTL8192U)
DRV:[b]64bit:[/b] - [2010/02/21 21:49:58 | 000,052,224 | ---- | M] (Genesys Logic) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ustor2k.sys -- (USTOR2K)
DRV:[b]64bit:[/b] - [2009/12/30 11:21:26 | 000,031,800 | ---- | M] (VS Revo Group) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\revoflt.sys -- (Revoflt)
DRV:[b]64bit:[/b] - [2009/07/21 17:20:06 | 000,121,840 | ---- | M] (CyberLink) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wsvd.sys -- (wsvd)
DRV:[b]64bit:[/b] - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:[b]64bit:[/b] - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:[b]64bit:[/b] - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:[b]64bit:[/b] - [2009/07/13 19:01:09 | 000,679,936 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\xnacc.sys -- (xnacc)
DRV:[b]64bit:[/b] - [2009/06/10 15:37:05 | 006,108,416 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:[b]64bit:[/b] - [2009/06/10 15:35:53 | 000,051,712 | ---- | M] (Realtek Semiconductor Corporation               			) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Rtnic64.sys -- (RTL8023x64)
DRV:[b]64bit:[/b] - [2009/06/10 15:35:33 | 000,389,120 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\yk62x64.sys -- (yukonw7)
DRV:[b]64bit:[/b] - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:[b]64bit:[/b] - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:[b]64bit:[/b] - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:[b]64bit:[/b] - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:[b]64bit:[/b] - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2010/03/22 21:13:08 | 000,015,712 | ---- | M] (Nicomsoft Ltd.) [Kernel | Boot | Running] -- C:\windows\system32\drivers\DDCDrv.sys -- (WinI2C-DDC)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/02/24 05:08:34 | 000,011,576 | ---- | M] (Samsung Electronics) [Kernel | Auto | Stopped] -- C:\Windows\SysWOW64\drivers\SSPORT.SYS -- (SSPORT)
 
 
[color=#E56717]========== Standard Registry (SafeList) ==========[/color]
 
 
[color=#E56717]========== Internet Explorer ==========[/color]
 
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/ [binary data]
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com/ [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.msn.com
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1172331316-481569588-85862213-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf:  File not found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\Microsoft Office\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf:  File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0:  File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0:  File not found
FF - HKLM\Software\MozillaPlugins\@nitropdf.com/NitroPDF: C:\Program Files (x86)\Nitro PDF\Reader 2\npnitromozilla.dll ( )
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files (x86)\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files (x86)\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=:  File not found
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/10/12 15:13:02 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/10/12 15:08:10 | 000,000,000 | ---D | M]
 
[2011/06/18 16:44:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jay\AppData\Roaming\Mozilla\Extensions
[2011/10/16 14:38:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\gzqv13n3.Jay\extensions
[2011/09/24 00:29:18 | 000,000,000 | ---D | M] (Flagfox) -- C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\gzqv13n3.Jay\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
[2011/08/18 23:44:15 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\gzqv13n3.Jay\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/10/15 19:57:00 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\gzqv13n3.Jay\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2011/08/25 22:12:47 | 000,000,000 | ---D | M] ("Xmarks") -- C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\gzqv13n3.Jay\extensions\[email protected]
[2011/08/06 19:31:53 | 000,000,000 | ---D | M] (LastPass) -- C:\Users\Jay\AppData\Roaming\Mozilla\Firefox\Profiles\gzqv13n3.Jay\extensions\[email protected]
[2011/10/21 01:10:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/09/29 23:57:39 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/10/21 01:03:24 | 000,611,224 | ---- | M] (Oracle Corporation) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
 
O1 HOSTS File: ([2011/10/22 12:53:46 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1   	localhost
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4:64bit: - HKLM..\Run: [StartupDelayer] C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe (r2 Studios)
O4:64bit: - HKLM..\Run: [UMonit] C:\Windows\SysWOW64\UMonit.exe ()
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [jmekey] C:\Program Files (x86)\jmesoft\hotkey.exe (JME)
O4 - HKLM..\Run: [ModeSwitch] C:\Program Files\Lenovo\Power Dial\LitModeSwitch.exe (Lenovo)
O4 - HKLM..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EnableShellExecuteHooks = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SynchronousMachineGroupPolicy = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SynchronousUserGroupPolicy = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoThumbnailCache = 1
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetOpenWith = 1
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 1
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideRunAsVerb = 1
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Disallow.Cpl = 1
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Sync Center = Sync Center
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Credential Manager = Credential Manager
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: HomeGroup = HomeGroup
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Windows CardSpace = Windows CardSpace
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Speech Recognition = Speech Recognition
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Location and Other Sensors = Location and Other Sensors
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Backup and Restore = Backup and Restore
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Phone and Modem = Phone and Modem
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Parental Controls = Parental Controls
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Getting Started = Getting Started
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Windows Anytime Upgrade = Windows Anytime Upgrade
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowCpl: Revo Uninstaller Pro = Revo Uninstaller Pro
O7 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - mmswsock.dll File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - %SystemRoot%\System32\nwprovau.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - %SystemRoot%\System32\winrnr.dll File not found
O15 - HKU\S-1-5-21-1172331316-481569588-85862213-1001\..Trusted Domains: samsungsetup.com ([www] http in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 10.1.0)
O16 - DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 1.7.0_01)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab (Java Plug-in 1.7.0_01)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1BCA482E-2CAA-4932-AB96-E1275DDCB765}: DhcpNameServer = 10.50.0.1 10.50.0.2 10.50.0.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{78529EC1-4EFE-445D-BE2B-2EB18A79AA84}: DhcpNameServer = 192.168.11.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{87D4461F-91BD-4EFB-B24D-EA18E6E81D80}: NameServer = 8.8.8.8,8.8.4.4
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O20:64bit: - AppInit_DLLs: (C:\Windows\System32\guard64.dll) - C:\Windows\SysNative\guard64.dll (COMODO)
O20 - AppInit_DLLs: (C:\Windows\SysWOW64\guard32.dll) - C:\Windows\SysWOW64\guard32.dll (COMODO)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O27:64bit: - HKLM IFEO\taskmgr.exe: Debugger - C:\Program Files (x86)\System Explorer\SystemExplorer.exe (Mister Group)
O27 - HKLM IFEO\taskmgr.exe: Debugger - C:\Program Files (x86)\System Explorer\SystemExplorer.exe (Mister Group)
O28:64bit: - HKLM ShellExecuteHooks: {3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE} - C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll (GP Software)
O28 - HKLM ShellExecuteHooks: {EE761688-C137-4b04-8FAB-3C9CDF0886F0} - C:\Program Files\GPSoftware\Directory Opus\dopuslib32.dll (GP Software)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
 
========== Files/Folders - Created Within 30 Days ==========
 
[2011/10/22 12:56:39 | 000,000,000 | ---D | C] -- C:\windows\temp
[2011/10/22 12:53:47 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2011/10/22 12:42:45 | 000,518,144 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
[2011/10/22 12:42:45 | 000,406,528 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
[2011/10/22 12:42:45 | 000,060,416 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
[2011/10/22 12:42:39 | 000,000,000 | ---D | C] -- C:\windows\ERDNT
[2011/10/22 12:42:37 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/10/22 11:08:54 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Local\ElevatedDiagnostics
[2011/10/22 01:32:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2011/10/22 01:24:00 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Local\NPE
[2011/10/22 01:24:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2011/10/22 01:01:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2011/10/21 21:56:37 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Malwarebytes
[2011/10/21 21:56:33 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/10/21 21:56:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/10/21 21:56:30 | 000,025,416 | ---- | C] (Malwarebytes Corporation) -- C:\windows\SysNative\drivers\mbam.sys
[2011/10/21 21:56:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/10/21 01:03:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Java
[2011/10/19 20:03:31 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Local\COMODO
[2011/10/13 13:55:59 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Local\28050
[2011/10/12 18:20:51 | 000,000,000 | ---D | C] -- C:\VritualRoot
[2011/10/12 16:48:21 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\COMODO
[2011/10/12 16:48:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Comodo
[2011/10/12 16:48:15 | 000,000,000 | ---D | C] -- C:\Program Files\COMODO
[2011/10/12 16:45:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2011/10/12 16:45:49 | 000,000,000 | R--D | C] -- C:\Program Files (x86)\Skype
[2011/10/12 16:32:10 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Nitro PDF Reader
[2011/10/12 16:07:40 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Nitro PDF
[2011/10/12 16:07:24 | 000,028,976 | ---- | C] (Nitro PDF Software) -- C:\windows\SysNative\nitrolocalmon2.dll
[2011/10/12 16:07:24 | 000,017,200 | ---- | C] (Nitro PDF Software) -- C:\windows\SysNative\nitrolocalui2.dll
[2011/10/12 16:07:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Nitro PDF
[2011/10/12 16:07:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nitro PDF
[2011/10/12 16:07:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Nitro PDF
[2011/10/12 16:07:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Nitro PDF
[2011/10/12 16:06:53 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Downloaded Installations
[2011/10/12 16:01:30 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Notepad++
[2011/10/12 16:01:29 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Notepad++
[2011/10/12 16:01:29 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Notepad++
[2011/10/12 15:52:46 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/10/12 15:52:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/10/12 15:52:26 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/10/12 15:52:25 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/10/12 10:44:31 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
[2011/10/12 10:44:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
[2011/10/12 10:31:41 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2011/10/12 10:31:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
[2011/10/07 18:47:56 | 000,016,528 | ---- | C] (COMODO) -- C:\windows\SysNative\drivers\cmderd.sys
[2011/10/07 18:47:14 | 000,041,200 | ---- | C] (COMODO) -- C:\windows\SysNative\cmdcsr.dll
[2011/10/07 18:47:12 | 000,300,200 | ---- | C] (COMODO) -- C:\windows\SysWow64\guard32.dll
[2011/10/07 18:47:10 | 000,388,280 | ---- | C] (COMODO) -- C:\windows\SysNative\guard64.dll
[2011/09/30 10:20:54 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Daum
[2011/09/30 10:20:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Daum
[2011/09/28 13:47:55 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Speccy
[2011/09/28 13:47:55 | 000,000,000 | ---D | C] -- C:\Program Files\Speccy
[2011/09/24 11:10:18 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rainmeter
[2011/09/22 17:35:12 | 000,000,000 | ---D | C] -- C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Explorer
[2011/09/22 17:35:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Explorer
 
========== Files - Modified Within 30 Days ==========
 
[2011/10/22 12:59:46 | 000,726,316 | ---- | M] () -- C:\windows\SysNative\PerfStringBackup.INI
[2011/10/22 12:59:46 | 000,623,940 | ---- | M] () -- C:\windows\SysNative\perfh009.dat
[2011/10/22 12:59:46 | 000,106,316 | ---- | M] () -- C:\windows\SysNative\perfc009.dat
[2011/10/22 12:57:24 | 000,017,952 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/10/22 12:57:24 | 000,017,952 | -H-- | M] () -- C:\windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/10/22 12:53:46 | 000,000,027 | ---- | M] () -- C:\windows\SysNative\drivers\etc\hosts
[2011/10/22 12:50:14 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2011/10/22 12:39:01 | 001,474,832 | ---- | M] () -- C:\windows\SysNative\drivers\sfi.dat
[2011/10/22 11:26:31 | 000,025,160 | ---- | M] () -- C:\windows\SysNative\drivers\hitmanpro35.sys
[2011/10/22 10:58:30 | 000,000,298 | -HS- | M] () -- C:\windows\6821560drv.spi
[2011/10/22 10:24:27 | 000,000,238 | ---- | M] () -- C:\windows\tasks\RunAsStdUser Task.job
[2011/10/16 00:11:25 | 000,008,704 | ---- | M] () -- C:\Users\Jay\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/10/12 16:48:21 | 000,001,846 | ---- | M] () -- C:\Users\Public\Desktop\COMODO Internet Security.lnk
[2011/10/12 16:07:22 | 000,002,001 | ---- | M] () -- C:\Users\Public\Desktop\Nitro PDF Reader.lnk
[2011/10/12 14:24:22 | 000,381,664 | ---- | M] () -- C:\windows\SysNative\FNTCACHE.DAT
[2011/10/10 08:31:18 | 000,017,200 | ---- | M] (Nitro PDF Software) -- C:\windows\SysNative\nitrolocalui2.dll
[2011/10/10 08:31:16 | 000,028,976 | ---- | M] (Nitro PDF Software) -- C:\windows\SysNative\nitrolocalmon2.dll
[2011/10/07 18:47:56 | 000,016,528 | ---- | M] (COMODO) -- C:\windows\SysNative\drivers\cmderd.sys
[2011/10/07 18:47:14 | 000,041,200 | ---- | M] (COMODO) -- C:\windows\SysNative\cmdcsr.dll
[2011/10/07 18:47:12 | 000,300,200 | ---- | M] (COMODO) -- C:\windows\SysWow64\guard32.dll
[2011/10/07 18:47:10 | 000,388,280 | ---- | M] (COMODO) -- C:\windows\SysNative\guard64.dll
[2011/09/22 17:48:35 | 000,156,556 | -H-- | M] () -- C:\windows\SysWow64\mlfcache.dat
 
========== Files Created - No Company Name ==========
 
[2011/10/22 12:42:45 | 000,256,000 | ---- | C] () -- C:\windows\PEV.exe
[2011/10/22 12:42:45 | 000,208,896 | ---- | C] () -- C:\windows\MBR.exe
[2011/10/22 12:42:45 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
[2011/10/22 12:42:45 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
[2011/10/22 12:42:45 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
[2011/10/22 10:36:16 | 000,000,298 | -HS- | C] () -- C:\windows\6821560drv.spi
[2011/10/22 10:24:27 | 000,000,238 | ---- | C] () -- C:\windows\tasks\RunAsStdUser Task.job
[2011/10/22 01:10:27 | 000,025,160 | ---- | C] () -- C:\windows\SysNative\drivers\hitmanpro35.sys
[2011/10/12 16:48:21 | 000,001,846 | ---- | C] () -- C:\Users\Public\Desktop\COMODO Internet Security.lnk
[2011/10/12 16:07:22 | 000,002,001 | ---- | C] () -- C:\Users\Public\Desktop\Nitro PDF Reader.lnk
[2011/08/22 09:54:54 | 000,258,864 | ---- | C] () -- C:\windows\SUPDRun.exe
[2011/08/18 23:39:46 | 000,000,017 | ---- | C] () -- C:\Users\Jay\AppData\Local\resmon.resmoncfg
[2011/07/14 15:50:25 | 000,156,556 | -H-- | C] () -- C:\windows\SysWow64\mlfcache.dat
[2011/06/22 22:33:22 | 000,008,704 | ---- | C] () -- C:\Users\Jay\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/19 11:52:08 | 000,000,262 | ---- | C] () -- C:\windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2011/06/18 23:36:15 | 000,057,344 | ---- | C] () -- C:\windows\SysWow64\ArmAccess.dll
[2011/06/18 20:44:25 | 000,743,066 | ---- | C] () -- C:\windows\SysWow64\PerfStringBackup.INI
[2011/06/18 19:04:17 | 000,000,022 | -HS- | C] () -- C:\Users\Jay\AppData\Roaming\Sys2662.Config.Repository.bin
[2011/06/18 17:58:30 | 000,482,408 | ---- | C] () -- C:\windows\ssndii.exe
[2011/06/18 16:26:14 | 000,003,584 | ---- | C] () -- C:\windows\SysWow64\RemoveFocusRect.dll
[2011/04/01 00:07:02 | 010,877,272 | ---- | C] () -- C:\windows\SysWow64\LogiDPP.dll
[2011/04/01 00:07:02 | 000,102,744 | ---- | C] () -- C:\windows\SysWow64\LogiDPPApp.exe
[2011/04/01 00:06:56 | 000,331,608 | ---- | C] () -- C:\windows\SysWow64\DevManagerCore.dll
[2011/03/17 12:51:44 | 000,003,929 | ---- | C] () -- C:\windows\SysWow64\atipblag.dat
[2011/01/08 07:30:02 | 000,139,264 | ---- | C] () -- C:\windows\SysWow64\ustor.dll
[2011/01/08 07:30:02 | 000,040,960 | ---- | C] () -- C:\windows\SysWow64\UMonit.exe
[2011/01/08 07:30:00 | 000,001,393 | ---- | C] () -- C:\windows\SysWow64\IconCfg0.ini
[2011/01/08 07:30:00 | 000,000,722 | ---- | C] () -- C:\windows\SysWow64\ProductName.ini
[2011/01/08 07:27:23 | 000,008,192 | ---- | C] () -- C:\windows\SysWow64\drivers\IntelMEFWVer.dll
[2011/01/08 07:21:31 | 000,201,728 | ---- | C] () -- C:\windows\SetDrive.exe
[2011/01/08 07:21:30 | 000,036,864 | ---- | C] () -- C:\windows\WinWait.exe
[2010/11/22 22:04:40 | 000,097,121 | ---- | C] () -- C:\windows\SysWow64\atxaux64.exe
[2009/08/03 00:21:54 | 000,197,912 | ---- | C] () -- C:\windows\SysWow64\physxcudart_20.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelTraditionalChinese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelSwedish.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelSpanish.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelSimplifiedChinese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelPortugese.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelKorean.dll
[2009/08/03 00:21:54 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelJapanese.dll
[2009/08/03 00:21:52 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelGerman.dll
[2009/08/03 00:21:52 | 000,058,648 | ---- | C] () -- C:\windows\SysWow64\AgCPanelFrench.dll
[2009/07/26 16:07:52 | 000,000,000 | ---- | C] () -- C:\windows\ativpsrm.bin
[2009/07/14 00:38:36 | 000,067,584 | --S- | C] () -- C:\windows\bootstat.dat
[2009/07/13 21:35:51 | 000,000,741 | ---- | C] () -- C:\windows\SysWow64\NOISE.DAT
[2009/07/13 21:34:42 | 000,215,943 | ---- | C] () -- C:\windows\SysWow64\dssec.dat
[2009/07/13 19:10:29 | 000,043,131 | ---- | C] () -- C:\windows\mib.bin
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\windows\SysWow64\msjetoledb40.dll
[2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- C:\windows\SysWow64\mlang.dat
 
========== LOP Check ==========
 
[2011/06/19 17:37:47 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Auslogics
[2011/10/21 22:11:01 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\DAEMON Tools Lite
[2011/10/12 16:06:53 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Downloaded Installations
[2011/10/21 22:14:14 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Dropbox
[2011/09/15 23:03:06 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\GPSoftware
[2011/06/18 17:37:45 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\johnsadventures.com
[2011/06/18 18:07:04 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Leadertech
[2011/07/26 16:09:02 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\LolClient
[2011/08/09 22:57:31 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Mp3tag
[2011/10/17 00:50:39 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Nitro PDF
[2011/10/12 16:02:06 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Notepad++
[2011/09/12 10:27:34 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\PotPlayerMini64
[2011/08/23 21:06:56 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Rainmeter
[2011/06/18 22:32:09 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\SoftGrid Client
[2011/08/23 20:52:07 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\Stickies
[2011/08/18 21:59:49 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\USBSafelyRemove
[2011/10/21 18:29:27 | 000,000,000 | ---D | M] -- C:\Users\Jay\AppData\Roaming\uTorrent
[2011/10/22 10:24:27 | 000,000,238 | ---- | M] () -- C:\windows\Tasks\RunAsStdUser Task.job
[2011/09/27 11:37:04 | 000,032,540 | ---- | M] () -- C:\windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*.exe >
 
 
< MD5 for: EXPLORER.EXE  >
[2011/02/26 00:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe
[2011/02/25 01:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\ERDNT\cache86\explorer.exe
[2011/02/25 01:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\explorer.exe
[2011/02/25 01:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
[2011/02/26 01:14:34 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=3B69712041F3D63605529BD66DC00C48 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
[2010/11/20 07:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe
[2011/02/25 00:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\SysWOW64\explorer.exe
[2011/02/25 00:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe
[2010/11/20 08:24:45 | 002,872,320 | ---- | M] (Microsoft Corporation) MD5=AC4C51EB24AA95B77F705AB159189E24 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe
 
< MD5 for: SVCHOST.EXE  >
[2009/07/13 20:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\ERDNT\cache86\svchost.exe
[2009/07/13 20:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\SysWOW64\svchost.exe
[2009/07/13 20:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
[2009/07/13 20:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\ERDNT\cache64\svchost.exe
[2009/07/13 20:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\windows\SysNative\svchost.exe
[2009/07/13 20:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe
 
< MD5 for: USERINIT.EXE  >
[2010/11/20 07:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\ERDNT\cache86\userinit.exe
[2010/11/20 07:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\SysWOW64\userinit.exe
[2010/11/20 07:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2010/11/20 08:25:24 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\ERDNT\cache64\userinit.exe
[2010/11/20 08:25:24 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\windows\SysNative\userinit.exe
[2010/11/20 08:25:24 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_3a4ebf84e84f824c\userinit.exe
 
< MD5 for: WINLOGON.EXE  >
[2010/11/20 08:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\ERDNT\cache64\winlogon.exe
[2010/11/20 08:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\windows\SysNative\winlogon.exe
[2010/11/20 08:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe
 
< C:\Windows\assembly\tmp\U\*.* /s >
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 178 bytes -> C:\ProgramData\Temp:58A5270D
@Alternate Data Stream - 176 bytes -> C:\ProgramData\Temp:07BF512B

< End of report >


#6 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
This was the infection:

c:\windows\system32\consrv.dll
c:\windows\System64

It was running ping.exe.

The last log looks clear. Any further problems whilst we sweep for orphans?

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
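The two things Essexboy names above (consrv.dll sitting in System32 and the extra C:\Windows\System64 folder, plus the C:\Windows\assembly\tmp\U drop folder that the custom OTL scan was probing for) are easy to lose in a 1,500-line OTL log. Below is an added example for this page, not code from the thread, from OTL or from ComboFix: a small Python triage script that parses OTL's file/folder lines, flags the paths this thread identified, and reproduces the MD5-against-winsxs comparison that OTL's custom "MD5 for:" scan was used for on explorer.exe, svchost.exe, userinit.exe and winlogon.exe. The sample log is constructed: its first five lines are copied from the posted log, while the System64, consrv.dll, tmp\U and DEADBEEF explorer.exe lines are made up to show the checks firing (their sizes, dates and that MD5 are arbitrary).

```python
r"""Triage an OTL scan log for the ZeroAccess artifacts named in this thread.

Added example for this page, not part of OTL, ComboFix or either poster's work.
Marker paths come from the thread; SAMPLE_LOG is constructed (see below).
"""
import re
from dataclasses import dataclass
from typing import Optional

# OTL file line: [date time | size | attrs | C|M] (Company) MD5=<hex> -- <path>
# "(Company)" is absent for folders and "()" when there is no version info.
OTL_LINE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))?"
    r"(?: MD5=(?P<md5>[0-9A-Fa-f]{32}))? -- (?P<path>.+)$"
)

@dataclass
class Entry:
    date: str
    size: int
    attrs: str              # "---D" folder, "-HS-" hidden+system, ...
    kind: str               # C = created, M = modified
    company: Optional[str]  # None for folders, "" when no version info
    md5: Optional[str]
    path: str

    @property
    def parts(self):  # lower-cased components, e.g. ['c:', 'windows', 'x.dll']
        return [p for p in self.path.lower().split("\\") if p]

def parse_line(line):
    m = OTL_LINE.match(line.strip())
    if not m:
        return None  # section headers, blank lines, O-lines, ...
    return Entry(m["date"], int(m["size"].replace(",", "")), m["attrs"],
                 m["kind"], m["company"], m["md5"], m["path"])

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

# Locations from the thread, matched as whole path components.
ZEROACCESS_MARKERS = ("\\consrv.dll\\", "\\windows\\system64\\",
                      "\\assembly\\tmp\\u\\", "\\assembly\\temp\\")

def triage(entries):
    """(path, reason) pairs worth a human look. Hints, not verdicts: benign
    tools (the ComboFix helpers in this log, for one) also lack version info."""
    findings = []
    for e in entries:
        key = "\\" + "\\".join(e.parts) + "\\"
        is_file = not e.attrs.endswith("D")
        in_sysroot = len(e.parts) > 1 and e.parts[1] == "windows"
        marker = next((m for m in ZEROACCESS_MARKERS if m in key), None)
        if marker:
            findings.append((e.path, "known ZeroAccess location " + marker.strip("\\")))
        elif (is_file and in_sysroot and e.company == ""
              and key.rstrip("\\").endswith((".exe", ".dll", ".sys"))):
            findings.append((e.path, "binary under %SystemRoot% with no version info"))
        elif is_file and in_sysroot and {"H", "S"} <= set(e.attrs):
            findings.append((e.path, "hidden+system file under %SystemRoot%"))
    return findings

def md5_without_reference(entries):
    """Live binaries whose MD5 matches no winsxs copy of the same file name."""
    groups = {}
    for e in entries:
        if e.md5:
            groups.setdefault(e.parts[-1], []).append(e)
    flagged = []
    for group in groups.values():
        reference = {e.md5.upper() for e in group if "winsxs" in e.parts}
        for e in group:
            if "winsxs" in e.parts or "erdnt" in e.parts:
                continue  # component store and ComboFix backup copies
            if e.md5.upper() not in reference:
                flagged.append(e.path)
    return flagged

# Constructed sample: the first five lines are copied from the posted log; the
# System64, consrv.dll, tmp\U and DEADBEEF explorer.exe lines are made up to
# show what the checks fire on (their sizes and dates are arbitrary).
SAMPLE_LOG = r"""
[2011/10/22 12:42:45 | 000,256,000 | ---- | C] () -- C:\windows\PEV.exe
[2011/10/22 10:36:16 | 000,000,298 | -HS- | C] () -- C:\windows\6821560drv.spi
[2011/10/22 12:56:39 | 000,000,000 | ---D | C] -- C:\windows\temp
[2011/02/25 01:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\explorer.exe
[2011/02/25 01:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
[2011/10/13 13:55:59 | 000,000,000 | ---D | C] -- C:\Windows\System64
[2011/10/13 13:55:59 | 000,052,736 | ---- | C] () -- C:\Windows\System32\consrv.dll
[2011/10/13 13:56:02 | 000,000,000 | ---D | C] -- C:\Windows\assembly\tmp\U
[2011/02/25 00:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=DEADBEEFDEADBEEFDEADBEEFDEADBEEF -- C:\Windows\SysWOW64\explorer.exe
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for path, reason in triage(entries):
        print(f"{reason:50} {path}")
    for path in md5_without_reference(entries):
        print(f"{'MD5 matches no winsxs copy':50} {path}")
```

Treat the output as review hints. The two generic rules also flag PEV.exe (a ComboFix helper) and the hidden .spi file from the posted log, which is expected: missing version information and hidden+system attributes are shared by malware and by support tools, so the marker paths are the only lines that are a verdict on their own. What OTL does not show is how consrv.dll gets loaded: public write-ups of the 64-bit ZeroAccess variant report that it rewrites the ServerDll entry in the Windows value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems from winsrv to consrv so that csrss.exe loads it at boot. That value is worth checking by hand on the live machine, since deleting the file while the value still points at it is reported to break the next boot.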

#7 TheUnluckyOne (Topic Starter, New Member, 6 posts)
Thanks a lot, Essexboy! But if that file and that folder were the infection, then what in the name of Bill Gates was the garbage sitting in the assembly folder? You've no idea how many times I was annoyed by those TMP files trying to run. Are they gone now? If not, how can I delete them? I think they are super hidden, because I checked "Show hidden files" and "Show system files" in Folder Options, but I still can't find them.

Anyway, here is my Malwarebytes Log.
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7996

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

10/22/2011 2:04:16 PM
mbam-log-2011-10-22 (14-04-16).txt

Scan type: Quick scan
Objects scanned: 174264
Time elapsed: 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Please advise me where to go from here.

Once again, thanks a ton for your help.

#8
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

< C:\Windows\assembly\tmp\U\*.* /s >

========== Alternate Data Streams ==========

From the OTL log the folder that housed them is no longer present

Any further problems?

#9
TheUnluckyOne (New Member, Topic Starter, 6 posts)
Well, the files were still there, but I managed to delete them using Command Prompt:
del C:\Windows\assembly\temp\*.* /q
del C:\Windows\assembly\temp\U\*.* /q
Now after a reboot, everything seems to be back to normal. Thanks so much for your help, Essexboy. Can I run the OTL cleanup now?

Edited by TheUnluckyOne, 22 October 2011 - 09:58 PM.

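As an added example that is not part of the thread, the following PowerShell script inventories the two drop folders named in posts #7 and #9 (including hidden and system files that Explorer did not show) and reports whether consrv.dll from the first post is still in System32, so a helper can see what is there before anything is deleted. It assumes the paths from the thread under $env:SystemRoot and an elevated prompt.

```powershell
# Added example, not from the thread: list the contents of the ZeroAccess
# drop folders named in this topic, including Hidden/System files, and
# check whether consrv.dll is still present in System32.
# Run from an elevated PowerShell prompt; paths are the ones from the thread.
$dropDirs = @(
    (Join-Path $env:SystemRoot 'assembly\temp'),
    (Join-Path $env:SystemRoot 'assembly\tmp\U')
)
$suspectDll = Join-Path $env:SystemRoot 'System32\consrv.dll'

foreach ($dir in $dropDirs) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Output ("{0} : not present" -f $dir)
        continue
    }
    # -Force includes Hidden and System entries regardless of the
    # Explorer folder options, so nothing is skipped for being "super hidden".
    $files = Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }
    Write-Output ("{0} : {1} file(s)" -f $dir, @($files).Count)
    foreach ($f in $files) {
        # Name, size and attributes are enough for a helper to judge the entries.
        Write-Output ("  {0,-32} {1,10} bytes  {2}" -f $f.Name, $f.Length, $f.Attributes)
    }
}

if (Test-Path -LiteralPath $suspectDll) {
    # Files shipped by Windows are normally Authenticode-signed; report the
    # signature status rather than deleting anything here.
    $sig = Get-AuthenticodeSignature -FilePath $suspectDll
    Write-Output ("{0} : present, signature status {1}" -f $suspectDll, $sig.Status)
} else {
    Write-Output ("{0} : not present" -f $suspectDll)
}
```

Paste the output into the thread rather than acting on it yourself; a folder that repopulates a few minutes after deletion, as described in the first post, points to a component that is still running.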

#10
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Yep, please do - I may have to reformulate my OTL scan, I think

Subject to no further problems :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.


SPRING CLEAN

To manually create a new Restore Point
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones
  • Go to Start > All Programs > Accessories > System Tools
  • Right click Disk Cleanup and select Run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :yes:

#11
TheUnluckyOne (New Member, Topic Starter, 6 posts)
Alright, I followed your instructions, and there were no problems! I think my computer is back to normal now. I'll run the FileHippo tool and make sure to keep everything updated. And Malwarebytes is definitely a keeper.

Thank you very much for helping me with my problem!

#12
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
No problem - glad to be of assistance

#13
Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.