Malwarebytes

backdoor.agent and malware.trace

19 replies to this topic

#1
boldfin

    New Member

  • Members
  • 10 posts
Quick Scan with MBAM Pro shows two threats:

Backdoor.Agent File C\Users\Rob\AppData\Roaming\UseNetServ.exe
Malware.Trace Registry Key HKCU\Software\VB and VBA Program Settings\SrvID

DDS.txt below

I am a paying customer.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Rob at 21:07:54 on 2012-07-03
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3326.1389 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Windows\system32\dktahsp.exe
C:\Program Files\Windows Home Server\esClient.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKAiO2MUI.exe
C:\Program Files\Binnerup Consult\My Movies for Windows Media Center\My Movies Tray.exe
C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\reg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\taskhost.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Newsbin\newsbinpro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://sn123w.snt123.mail.live.com/default.aspx?wa=wsignin1.0
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [UsenetServices] c:\users\rob\appdata\roaming\UseServe.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKAIO2StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKAiO2MUI.exe
mRun: [My Movies Tray] "c:\program files\binnerup consult\my movies for windows media center\My Movies Tray.exe"
mRun: [NUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "c:\program files\amd avt\bin\kdbsync.exe" aml
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\window~1.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
Trusted Zone: highland.com\office
DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UpdateCenter/applets/sync.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1295333121964
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.16.0.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
TCP: Interfaces\{84461330-3775-4679-86C3-253BB5E78260} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{9AC50678-6F29-42C0-B92C-22B32EE56D11} : NameServer = 8.8.8.8 8.8.4.4
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\rob\appdata\roaming\mozilla\firefox\profiles\mz85hv77.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\common~1\nero\browse~1\npBrowserPlugin.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]
R0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\drivers\NBVol.sys [2011-10-9 56496]
R0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\drivers\NBVolUp.sys [2011-10-9 12464]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2011-6-29 66776]
R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2012/02/28 18:50:22];c:\program files\cyberlink\powerdvd dx\000.fcl [2012-2-28 87536]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-4-5 217600]
R2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\windows home server\Microsoft.HomeServer.Archive.TransferService.exe [2011-1-10 239472]
R2 DkTahsp;OCUR SDV Service;c:\windows\system32\dktahsp.exe [2009-8-17 65536]
R2 esClient;Windows Media Center Client Service;c:\program files\windows home server\esClient.exe [2011-1-10 97136]
R2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\hewlett-packard\hp mediasmart server\MSSConnectorService.exe [2009-10-5 20992]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-2-14 13336]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-12-19 394672]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-11 654408]
R2 MediaCollectorService;MediaCollectorService;c:\program files\hewlett-packard\hp mediasmart server\MediaCollectorClient.exe [2009-10-5 81920]
R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2011-9-23 641832]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-4-1 428640]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2011-1-10 376688]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2012-4-5 9334784]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2012-4-5 275968]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-2-23 86544]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-30 22344]
R3 msta;Tuning Adapter Service;c:\windows\system32\drivers\msta.sys [2009-8-17 18432]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2011-4-13 67456]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2011-4-13 161024]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 250056]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [2009-4-20 44784]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-2-26 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-26 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-1-14 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-07-04 04:06:31 -------- d-----w- c:\users\rob\appdata\local\{E75E4197-088E-41E5-BDC4-929886D137D0}
2012-07-04 04:06:09 -------- d-----w- c:\users\rob\appdata\local\{1BE09295-1082-4EB3-B994-EE4CB973903C}
2012-07-03 14:57:41 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f9d91bec-dbde-4167-9c7a-165d901e6bfd}\gapaengine.dll
2012-07-03 14:56:34 6762896 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4b2e0a84-8288-43db-83af-1479e75132a1}\mpengine.dll
2012-07-03 14:26:22 738816 ----a-w- c:\users\rob\appdata\roaming\UseServe.exe
2012-07-03 03:45:33 -------- d-----w- c:\users\rob\appdata\local\{673679B3-2ED5-43F4-B44D-3FA869861853}
2012-07-03 03:45:13 -------- d-----w- c:\users\rob\appdata\local\{DC4BB9D4-7DF1-4BE4-97BF-E2CCF1A089B8}
2012-07-02 14:41:21 6762896 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-07-02 06:17:12 -------- d-----w- c:\users\rob\appdata\local\{5B03CC29-CA14-4A1A-B695-6F66706A8455}
2012-07-02 06:16:50 -------- d-----w- c:\users\rob\appdata\local\{D9ECD697-F21B-467C-ACB3-9308503CA9B6}
2012-07-01 18:16:24 -------- d-----w- c:\users\rob\appdata\local\{88C328BD-8223-4751-B6D3-58B72EA81991}
2012-07-01 18:16:13 -------- d-----w- c:\users\rob\appdata\local\{73E73947-0C3F-4B32-9FAF-6A48F9C50E64}
2012-06-30 22:41:29 -------- d-----w- c:\users\rob\appdata\local\{DA374AFF-D844-4BBA-8283-468D075CC41D}
2012-06-30 22:41:06 -------- d-----w- c:\users\rob\appdata\local\{2C70DB14-8EC2-45B7-9A5A-465DED71C1E8}
2012-06-30 10:40:53 -------- d-----w- c:\users\rob\appdata\local\{9F989FCF-7AAA-431B-B3D2-36166535FB45}
2012-06-30 10:40:31 -------- d-----w- c:\users\rob\appdata\local\{D857CF61-6EDC-4E37-BB61-5A31F5790A6B}
2012-06-29 22:40:07 -------- d-----w- c:\users\rob\appdata\local\{E420D828-83DD-4ED0-850B-1B52AC1DC39E}
2012-06-29 22:39:51 -------- d-----w- c:\users\rob\appdata\local\{2913235F-2873-4437-90AC-D5E175F35126}
2012-06-29 02:27:53 -------- d-----w- c:\users\rob\appdata\local\{0F1E3C4A-7046-4D81-B77B-97A77A6A7661}
2012-06-29 02:27:30 -------- d-----w- c:\users\rob\appdata\local\{B9CA9430-65F0-4461-88FD-758BFEEF863C}
2012-06-28 14:27:02 -------- d-----w- c:\users\rob\appdata\local\{5CD50142-56CB-41BF-9BE1-43A1EAA610D2}
2012-06-28 14:26:35 -------- d-----w- c:\users\rob\appdata\local\{775B5D9F-67F2-471D-A7AB-C74BED0AF8F1}
2012-06-28 04:16:21 -------- d-----w- c:\program files\AMD AVT
2012-06-28 04:16:15 -------- d-----w- c:\program files\AMD APP
2012-06-28 02:25:58 -------- d-----w- c:\users\rob\appdata\local\{DA541912-BA1B-4F02-B48F-30EE051F0133}
2012-06-28 02:25:46 -------- d-----w- c:\users\rob\appdata\local\{3E1F0DE1-9B36-4579-A916-FD5DC8A847D8}
2012-06-27 01:56:53 -------- d-----w- c:\users\rob\appdata\local\{8949294A-41A7-4018-AC36-AAF6514D53CB}
2012-06-27 01:56:30 -------- d-----w- c:\users\rob\appdata\local\{1322A18B-20AF-41A2-84CB-7A27D5DE5DB1}
2012-06-26 13:56:05 -------- d-----w- c:\users\rob\appdata\local\{ABA88789-DC7C-484A-A869-6D1E06416E5C}
2012-06-26 13:55:55 -------- d-----w- c:\users\rob\appdata\local\{73A8572F-FDD9-449D-BF87-8DB539610914}
2012-06-25 19:41:56 -------- d-----w- c:\users\rob\appdata\local\{D8CA4377-132C-4896-81E0-FBB8CCEA8368}
2012-06-25 19:41:38 -------- d-----w- c:\users\rob\appdata\local\{0B465C3E-3FF1-4ABD-94AA-183CA03FF00F}
2012-06-24 18:37:38 -------- d-----w- c:\users\rob\appdata\local\{10D4E33E-99F9-4B4F-970E-1421168ABE99}
2012-06-24 18:37:16 -------- d-----w- c:\users\rob\appdata\local\{701F56A9-AE71-45B7-A595-7BAB7864C0A7}
2012-06-24 06:36:51 -------- d-----w- c:\users\rob\appdata\local\{4AF9F52D-9771-40B6-A5B5-59ADC781C6B8}
2012-06-24 06:36:29 -------- d-----w- c:\users\rob\appdata\local\{BE8A43CC-9E61-44E2-A5E6-4FF55CB4E967}
2012-06-23 18:36:02 -------- d-----w- c:\users\rob\appdata\local\{E3BE6626-C19A-4E7F-AC77-28A047461D29}
2012-06-23 18:35:34 -------- d-----w- c:\users\rob\appdata\local\{C96E272F-24DB-4027-A560-A7C49EF57BCB}
2012-06-23 07:44:08 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-06-23 07:09:08 -------- d-----w- c:\users\rob\appdata\local\QuickPar
2012-06-23 07:08:17 -------- d-----w- c:\program files\QuickPar
2012-06-23 06:59:57 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-23 06:59:40 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-23 06:59:29 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-23 06:59:28 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-19 19:34:52 -------- d-----w- c:\users\rob\appdata\local\{EB660433-C800-4336-A874-7A021BF0E69A}
2012-06-19 19:34:42 -------- d-----w- c:\users\rob\appdata\local\{EF3570D2-59B2-4EE5-A7C9-FA7CCA0DDBCD}
2012-06-19 03:32:13 -------- d-----w- c:\users\rob\appdata\local\{20948427-56EE-4592-AB9F-F4116B856952}
2012-06-19 03:32:00 -------- d-----w- c:\users\rob\appdata\local\{B903EA9E-B1B7-4BF0-851B-7AC78436E9C6}
2012-06-18 14:18:27 -------- d-----w- c:\users\rob\appdata\local\{2A0EE2BA-4382-4DBE-B507-89775BD5BCA8}
2012-06-17 16:37:56 -------- d-----w- c:\users\rob\appdata\local\{643CFEAC-70DE-475C-A577-B27A5DBB92F0}
2012-06-17 04:37:17 -------- d-----w- c:\users\rob\appdata\local\{9B9079A8-E7E0-4CB6-9613-38489D9CAD71}
2012-06-17 03:33:32 -------- d-----w- c:\program files\Newsbin
2012-06-16 16:36:42 -------- d-----w- c:\users\rob\appdata\local\{8E194AD9-C608-4625-9F62-6E7263977E57}
2012-06-16 04:36:06 -------- d-----w- c:\users\rob\appdata\local\{BB873C56-CF7D-42BC-81B3-CF64C1863657}
2012-06-15 16:35:42 -------- d-----w- c:\users\rob\appdata\local\{35ECFE2E-1B7D-4C9F-8331-92D4FD34ED37}
2012-06-15 01:00:38 -------- d-----w- c:\users\rob\appdata\local\{5C282AC3-DD4E-43FD-9087-814E8FA70948}
2012-06-14 04:27:58 -------- d-----w- c:\users\rob\appdata\local\{F45F549B-CCE0-47D0-9038-1F2CB1AB8B6E}
2012-06-14 04:27:35 -------- d-----w- c:\users\rob\appdata\local\{09D1776A-3EAB-4C5F-8BBB-ADEFA6F7AC4D}
2012-06-13 22:14:34 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-06-13 22:14:34 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 22:14:33 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 22:14:33 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 22:14:32 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 22:14:32 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 16:27:10 -------- d-----w- c:\users\rob\appdata\local\{861A400D-7CD8-42DE-853A-3DB27DEB184C}
2012-06-13 16:26:47 -------- d-----w- c:\users\rob\appdata\local\{CA70C550-6D76-4219-A23D-7958FE2F7AFB}
2012-06-13 04:26:23 -------- d-----w- c:\users\rob\appdata\local\{385B490C-A126-4108-ACEE-C77A1EA2898C}
2012-06-13 04:26:00 -------- d-----w- c:\users\rob\appdata\local\{AC156247-F531-473E-9079-D0FECAA0E738}
2012-06-13 03:06:16 -------- d-----w- c:\program files\EaseUS
2012-06-12 16:25:35 -------- d-----w- c:\users\rob\appdata\local\{C2E95D2B-7721-4505-B08C-1966E5898564}
2012-06-12 16:25:12 -------- d-----w- c:\users\rob\appdata\local\{181D1A4C-46FF-4962-BB01-A77EB01D8B96}
2012-06-12 01:07:35 -------- d-----w- c:\users\rob\appdata\local\{6ED357B3-33E5-4859-9FF1-DA564C449B69}
2012-06-12 01:07:24 -------- d-----w- c:\users\rob\appdata\local\{15774BF5-0610-417D-9F9B-35D03761176C}
2012-06-10 17:22:45 -------- d-----w- c:\users\rob\appdata\local\{A48E0282-737E-4920-AF1B-DCF5682C331B}
2012-06-10 17:22:22 -------- d-----w- c:\users\rob\appdata\local\{DA1B1F4C-0E1B-415E-9C0F-C4F0EF57648D}
2012-06-10 05:21:57 -------- d-----w- c:\users\rob\appdata\local\{58FFE684-572D-4A98-B818-0658896BB2AF}
2012-06-10 05:21:33 -------- d-----w- c:\users\rob\appdata\local\{11E5D463-7DB5-46FB-9F47-F3959C5EAD22}
2012-06-09 17:21:08 -------- d-----w- c:\users\rob\appdata\local\{FAF2F2B2-F051-43A5-9189-A3F2565AA1DF}
2012-06-09 17:20:57 -------- d-----w- c:\users\rob\appdata\local\{BC024C30-58A2-4BE6-8730-308C3165EC74}
2012-06-08 16:38:57 -------- d-----w- c:\users\rob\appdata\local\{420807A6-7650-4C0F-B5D4-985B61928989}
2012-06-08 16:38:34 -------- d-----w- c:\users\rob\appdata\local\{734236D2-FE82-4F53-8575-8B4440C6E858}
2012-06-08 04:38:10 -------- d-----w- c:\users\rob\appdata\local\{38C62A23-672B-49A3-B7B1-3A51D5E8A1FE}
2012-06-08 04:37:59 -------- d-----w- c:\users\rob\appdata\local\{5449B5A3-4638-42B0-8505-9942446F8AB7}
2012-06-07 14:58:16 -------- d-----w- c:\users\rob\appdata\local\{A9E8027E-682C-4B98-951A-DADD942ADD3E}
2012-06-07 14:57:54 -------- d-----w- c:\users\rob\appdata\local\{AC2D9747-5876-43E3-9C18-EEEC3C4E03AF}
2012-06-07 02:57:29 -------- d-----w- c:\users\rob\appdata\local\{9FCF7E48-2CC0-47F0-B86F-9CB6A3764B55}
2012-06-07 02:57:07 -------- d-----w- c:\users\rob\appdata\local\{81A3771D-203C-4A63-A087-CFC2ACCD0499}
2012-06-06 14:56:55 -------- d-----w- c:\users\rob\appdata\local\{66773C6D-6DDF-43CA-9CB2-C63140EAA3B4}
2012-06-06 14:56:32 -------- d-----w- c:\users\rob\appdata\local\{21135FCB-EC2A-4B6F-B9C2-F241DD394424}
2012-06-06 02:56:07 -------- d-----w- c:\users\rob\appdata\local\{CB68B574-5EE6-4592-BBD5-8BA1CD7D989F}
2012-06-06 02:55:45 -------- d-----w- c:\users\rob\appdata\local\{C8196FEA-D15F-488B-92BF-2A822E48DEA6}
2012-06-05 13:03:34 -------- d-----w- c:\users\rob\appdata\local\{7FF60068-1869-48EF-8F77-5A6A79F0C150}
2012-06-05 13:03:12 -------- d-----w- c:\users\rob\appdata\local\{B446392F-71CC-4FA6-A03F-988B455540FA}
2012-06-05 01:02:48 -------- d-----w- c:\users\rob\appdata\local\{00AA0DC1-B39A-4644-A299-9B2DB54970D3}
2012-06-05 01:02:32 -------- d-----w- c:\users\rob\appdata\local\{3F25FACE-89CB-4A45-865C-AE656B3FD1B8}
.
==================== Find3M ====================
.
2028-06-08 23:38:06 158720 ----a-w- c:\windows\system32\VPMSDU32.DLL
2012-06-23 07:44:20 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-23 07:44:20 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-06 05:34:22 159232 ----a-w- c:\windows\system32\clinfo.exe
2012-04-06 05:34:04 64512 ----a-w- c:\windows\system32\OpenVideo.dll
2012-04-06 05:33:52 56320 ----a-w- c:\windows\system32\OVDecode.dll
2012-04-06 05:32:56 13007872 ----a-w- c:\windows\system32\amdocl.dll
2012-04-06 05:21:10 9334784 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-04-06 02:22:00 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-04-06 02:21:52 909312 ----a-w- c:\windows\system32\aticfx32.dll
2012-04-06 02:16:52 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-04-06 02:16:24 451072 ----a-w- c:\windows\system32\atieclxx.exe
2012-04-06 02:15:50 217600 ----a-w- c:\windows\system32\atiesrxx.exe
2012-04-06 02:14:36 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2012-04-06 02:14:28 20992 ----a-w- c:\windows\system32\atimuixx.dll
2012-04-06 02:14:20 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2012-04-06 02:13:42 6800896 ----a-w- c:\windows\system32\atidxx32.dll
2012-04-06 02:00:08 52736 ----a-w- c:\windows\system32\coinst.dll
2012-04-06 01:50:56 19753984 ----a-w- c:\windows\system32\atioglxx.dll
2012-04-06 01:34:50 1831424 ----a-w- c:\windows\system32\atiumdmv.dll
2012-04-06 01:34:04 6203392 ----a-w- c:\windows\system32\atiumdag.dll
2012-04-06 01:30:14 46080 ----a-w- c:\windows\system32\aticalrt.dll
2012-04-06 01:30:06 44032 ----a-w- c:\windows\system32\aticalcl.dll
2012-04-06 01:25:30 13764096 ----a-w- c:\windows\system32\aticaldd.dll
2012-04-06 01:22:54 4795904 ----a-w- c:\windows\system32\atiumdva.dll
2012-04-06 01:11:18 360448 ----a-w- c:\windows\system32\atiadlxx.dll
2012-04-06 01:11:04 14848 ----a-w- c:\windows\system32\atiglpxx.dll
2012-04-06 01:10:52 33280 ----a-w- c:\windows\system32\atigktxx.dll
2012-04-06 01:10:22 275968 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-04-06 01:09:48 41984 ----a-w- c:\windows\system32\atiuxpag.dll
2012-04-06 01:09:34 32256 ----a-w- c:\windows\system32\atiu9pag.dll
2012-04-06 01:09:02 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-04-06 01:06:04 53760 ----a-w- c:\windows\system32\atimpc32.dll
2012-04-06 01:06:04 53760 ----a-w- c:\windows\system32\amdpcom32.dll
.
============= FINISH: 21:08:52.25 ===============

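As an added triage example (not code from the original post or from Malwarebytes), the script below parses the Pseudo HJT Report and Created Last 30 sections of a DDS log like the one above and flags Run entries whose target lives under a user's AppData folder, joining each to its file-creation timestamp. The sample log lines are constructed from the post above, and the AppData heuristic is an assumption of this example, not a DDS feature.

```python
"""Triage a DDS log for user-level autorun persistence.

Added example, not code from the original thread. It assumes the DDS layout
shown above ("Pseudo HJT Report" with uRun:/mRun: lines, "Created Last 30"
with timestamped entries) and treats a Run entry whose target sits under a
user's AppData tree as worth a look: that location is writable without admin
rights and is where both items flagged in this thread lived.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same shape as the DDS log posted above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [UsenetServices] c:\users\rob\appdata\roaming\UseServe.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Conime] %windir%\system32\conime.exe
=============== Created Last 30 ================
2012-07-03 14:26:22 738816 ----a-w- c:\users\rob\appdata\roaming\UseServe.exe
2012-06-23 07:44:08 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-06-23 07:09:08 -------- d-----w- c:\users\rob\appdata\local\QuickPar
============= FINISH: 21:08:52.25 ===============
"""

RUN_RE = re.compile(r'^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$')
CREATED_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+'
                        r'(?P<size>\d+|-+)\s+(?P<attrs>\S{8})\s+(?P<path>.+)$')
# Per-user profile locations that need no admin rights to write into.
APPDATA_RE = re.compile(r'\\users\\[^\\]+\\appdata\\', re.IGNORECASE)
EXE_EXT = r'\.(?:exe|dll|scr|com|bat|cmd|vbs|js)'


@dataclass
class RunEntry:
    hive: str      # 'u' = HKCU (per-user), 'm' = HKLM (machine-wide)
    name: str      # value name shown in brackets
    command: str   # full command line as logged
    target: str    # executable path pulled out of the command line


@dataclass
class CreatedEntry:
    timestamp: str
    path: str
    is_dir: bool


def extract_target(command: str) -> str:
    """Return the executable path from a Run command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted paths may contain spaces, so stop at the first executable
    # extension that is followed by whitespace or the end of the line.
    m = re.match(r'(.+?' + EXE_EXT + r')(?:\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command


def parse_dds(text: str) -> Tuple[List[RunEntry], List[CreatedEntry]]:
    """Pull Run entries and recently created paths out of a DDS log."""
    runs, created, section = [], [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        if line.startswith('='):              # section banner
            section = line.strip('= ').lower()
            continue
        if section.startswith('pseudo hjt'):
            m = RUN_RE.match(line)
            if m:
                runs.append(RunEntry(m['hive'], m['name'], m['cmd'],
                                     extract_target(m['cmd'])))
        elif section.startswith('created last'):
            m = CREATED_RE.match(line)
            if m:
                created.append(CreatedEntry(m['ts'], m['path'],
                                            m['attrs'].startswith('d')))
    return runs, created


def triage(text: str) -> List[Dict[str, Optional[str]]]:
    """Flag Run entries under AppData and join them to recent file creations."""
    runs, created = parse_dds(text)
    recent = {c.path.lower(): c for c in created
              if not c.is_dir and APPDATA_RE.search(c.path)
              and re.search(EXE_EXT + '$', c.path, re.IGNORECASE)}
    findings = []
    for r in runs:
        if not APPDATA_RE.search(r.target):
            continue
        hit = recent.get(r.target.lower())
        findings.append({'name': r.name,
                         'hive': 'HKCU' if r.hive == 'u' else 'HKLM',
                         'target': r.target,
                         'created': hit.timestamp if hit else None})
    return findings
```

Run against the sample, the only finding is the HKCU Run value UsenetServices pointing at the AppData\Roaming executable created on 2012-07-03, the same item MBAM later quarantined.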
#2
Maniac

    Forum Deity

  • Experts
  • 17,090 posts
  • Gender:Male
  • Location:Bulgaria, EU
Hello boldfin and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:
  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

BACKDOOR WARNING


One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Step 1

Please uninstall the following application: Ask Toolbar


Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step 3

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply


In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • aswMBR log
  • a new fresh DDS log file

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#3
boldfin

    New Member

  • Members
  • 10 posts
I have read everything you suggested. Let's give cleaning a try first.

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.07.04.06
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Rob :: BOLDFIN420 [administrator]
Protection: Enabled
7/4/2012 3:47:12 PM
mbam-log-2012-07-04 (15-47-12).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 289410
Time elapsed: 11 minute(s), 43 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCU\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\Rob\AppData\Roaming\UseNetServ.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
(end)



aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-04 16:04:35
-----------------------------
16:04:35.100 OS Version: Windows 6.1.7601 Service Pack 1
16:04:35.100 Number of processors: 4 586 0x1707
16:04:35.100 ComputerName: BOLDFIN420 UserName: Rob
16:05:02.384 Initialize success
16:06:19.530 AVAST engine defs: 12070401
16:06:24.023 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
16:06:24.023 Disk 0 Vendor: WDC_WD10 07.0 Size: 953869MB BusType: 8
16:06:24.039 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-3
16:06:24.039 Disk 1 Vendor: WDC_WD20 05.0 Size: 1907729MB BusType: 8
16:06:24.039 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IAAStorageDevice-4
16:06:24.039 Disk 2 Vendor: WDC_WD10 05.0 Size: 953869MB BusType: 8
16:06:24.054 Disk 0 MBR read successfully
16:06:24.054 Disk 0 MBR scan
16:06:24.070 Disk 0 Windows 7 default MBR code
16:06:24.070 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
16:06:24.132 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
16:06:24.164 Disk 0 scanning sectors +1953521664
16:06:24.288 Disk 0 scanning C:\Windows\system32\drivers
16:06:44.335 Service scanning
16:06:59.903 Service MpKslcd571702 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E8AE3E55-479C-4BE7-A1E7-E0043E77E064}\MpKslcd571702.sys **LOCKED** 32
16:07:17.063 Modules scanning
16:07:28.483 Disk 0 trace - called modules:
16:07:28.514 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
16:07:28.529 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88821200]
16:07:28.529 3 CLASSPNP.SYS[8c79159e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0x8688a028]
16:07:30.838 AVAST engine scan C:\Windows
16:07:35.113 AVAST engine scan C:\Windows\system32
16:12:18.853 AVAST engine scan C:\Windows\system32\drivers
16:12:41.769 AVAST engine scan C:\Users\Rob
16:13:40.067 Disk 0 MBR has been saved successfully to "C:\Users\Rob\Desktop\MBR.dat"
16:13:40.067 The log file has been saved successfully to "C:\Users\Rob\Desktop\aswMBR.txt"
17:14:35.316 File: C:\Users\Rob\AppData\Roaming\UseServe.exe **INFECTED** MSIL:Agent-OG [Trj]
18:49:30.840 AVAST engine scan C:\ProgramData
19:02:53.445 Scan finished successfully
19:38:04.940 Disk 0 MBR has been saved successfully to "C:\Users\Rob\Desktop\MBR.dat"
19:38:05.034 The log file has been saved successfully to "C:\Users\Rob\Desktop\aswMBR.txt"



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Rob at 19:38:25 on 2012-07-04
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3326.1302 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Windows\system32\dktahsp.exe
C:\Program Files\Windows Home Server\esClient.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKAiO2MUI.exe
C:\Program Files\Binnerup Consult\My Movies for Windows Media Center\My Movies Tray.exe
C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\reg.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\ehome\ehmsas.exe
C:\Users\Rob\Desktop\aswMBR.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://sn123w.snt123.mail.live.com/default.aspx?wa=wsignin1.0
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
uRun: [UsenetServices] c:\users\rob\appdata\roaming\UseServe.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKAIO2StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKAiO2MUI.exe
mRun: [My Movies Tray] "c:\program files\binnerup consult\my movies for windows media center\My Movies Tray.exe"
mRun: [NUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "c:\program files\amd avt\bin\kdbsync.exe" aml
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\window~1.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
Trusted Zone: highland.com\office
DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UpdateCenter/applets/sync.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1295333121964
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.16.0.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{84461330-3775-4679-86C3-253BB5E78260} : DhcpNameServer = 209.18.47.61 209.18.47.62
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\rob\appdata\roaming\mozilla\firefox\profiles\mz85hv77.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\common~1\nero\browse~1\npBrowserPlugin.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]
R0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\drivers\NBVol.sys [2011-10-9 56496]
R0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\drivers\NBVolUp.sys [2011-10-9 12464]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2011-6-29 66776]
R1 MpKslcd571702;MpKslcd571702;c:\programdata\microsoft\microsoft antimalware\definition updates\{e8ae3e55-479c-4be7-a1e7-e0043e77e064}\MpKslcd571702.sys [2012-7-4 29904]
R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2012/02/28 18:50:22];c:\program files\cyberlink\powerdvd dx\000.fcl [2012-2-28 87536]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-4-5 217600]
R2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\windows home server\Microsoft.HomeServer.Archive.TransferService.exe [2011-1-10 239472]
R2 DkTahsp;OCUR SDV Service;c:\windows\system32\dktahsp.exe [2009-8-17 65536]
R2 esClient;Windows Media Center Client Service;c:\program files\windows home server\esClient.exe [2011-1-10 97136]
R2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\hewlett-packard\hp mediasmart server\MSSConnectorService.exe [2009-10-5 20992]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-2-14 13336]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-12-19 394672]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-11 654408]
R2 MediaCollectorService;MediaCollectorService;c:\program files\hewlett-packard\hp mediasmart server\MediaCollectorClient.exe [2009-10-5 81920]
R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2011-9-23 641832]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-4-1 428640]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2011-1-10 376688]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2012-4-5 9334784]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2012-4-5 275968]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-2-23 86544]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-30 22344]
R3 msta;Tuning Adapter Service;c:\windows\system32\drivers\msta.sys [2009-8-17 18432]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2011-4-13 67456]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2011-4-13 161024]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 250056]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [2009-4-20 44784]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-2-26 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-26 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-1-14 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-07-04 23:05:00 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e8ae3e55-479c-4be7-a1e7-e0043e77e064}\MpKslcd571702.sys
2012-07-04 22:58:20 6762896 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e8ae3e55-479c-4be7-a1e7-e0043e77e064}\mpengine.dll
2012-07-04 22:46:16 -------- d-----w- c:\users\rob\appdata\local\{EEE81CE0-B1E0-452E-BFED-7380F6FE215B}
2012-07-04 22:46:01 -------- d-----w- c:\users\rob\appdata\local\{63149514-E8E0-42B9-839A-D52DBCCF9FDA}
2012-07-04 04:06:31 -------- d-----w- c:\users\rob\appdata\local\{E75E4197-088E-41E5-BDC4-929886D137D0}
2012-07-04 04:06:09 -------- d-----w- c:\users\rob\appdata\local\{1BE09295-1082-4EB3-B994-EE4CB973903C}
2012-07-03 14:57:41 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{f9d91bec-dbde-4167-9c7a-165d901e6bfd}\gapaengine.dll
2012-07-03 14:56:34 6762896 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-07-03 14:26:22 738816 ----a-w- c:\users\rob\appdata\roaming\UseServe.exe
2012-07-03 03:45:33 -------- d-----w- c:\users\rob\appdata\local\{673679B3-2ED5-43F4-B44D-3FA869861853}
2012-07-03 03:45:13 -------- d-----w- c:\users\rob\appdata\local\{DC4BB9D4-7DF1-4BE4-97BF-E2CCF1A089B8}
2012-07-02 06:17:12 -------- d-----w- c:\users\rob\appdata\local\{5B03CC29-CA14-4A1A-B695-6F66706A8455}
2012-07-02 06:16:50 -------- d-----w- c:\users\rob\appdata\local\{D9ECD697-F21B-467C-ACB3-9308503CA9B6}
2012-07-01 18:16:24 -------- d-----w- c:\users\rob\appdata\local\{88C328BD-8223-4751-B6D3-58B72EA81991}
2012-07-01 18:16:13 -------- d-----w- c:\users\rob\appdata\local\{73E73947-0C3F-4B32-9FAF-6A48F9C50E64}
2012-06-30 22:41:29 -------- d-----w- c:\users\rob\appdata\local\{DA374AFF-D844-4BBA-8283-468D075CC41D}
2012-06-30 22:41:06 -------- d-----w- c:\users\rob\appdata\local\{2C70DB14-8EC2-45B7-9A5A-465DED71C1E8}
2012-06-30 10:40:53 -------- d-----w- c:\users\rob\appdata\local\{9F989FCF-7AAA-431B-B3D2-36166535FB45}
2012-06-30 10:40:31 -------- d-----w- c:\users\rob\appdata\local\{D857CF61-6EDC-4E37-BB61-5A31F5790A6B}
2012-06-29 22:40:07 -------- d-----w- c:\users\rob\appdata\local\{E420D828-83DD-4ED0-850B-1B52AC1DC39E}
2012-06-29 22:39:51 -------- d-----w- c:\users\rob\appdata\local\{2913235F-2873-4437-90AC-D5E175F35126}
2012-06-29 02:27:53 -------- d-----w- c:\users\rob\appdata\local\{0F1E3C4A-7046-4D81-B77B-97A77A6A7661}
2012-06-29 02:27:30 -------- d-----w- c:\users\rob\appdata\local\{B9CA9430-65F0-4461-88FD-758BFEEF863C}
2012-06-28 14:27:02 -------- d-----w- c:\users\rob\appdata\local\{5CD50142-56CB-41BF-9BE1-43A1EAA610D2}
2012-06-28 14:26:35 -------- d-----w- c:\users\rob\appdata\local\{775B5D9F-67F2-471D-A7AB-C74BED0AF8F1}
2012-06-28 04:16:21 -------- d-----w- c:\program files\AMD AVT
2012-06-28 04:16:15 -------- d-----w- c:\program files\AMD APP
2012-06-28 02:25:58 -------- d-----w- c:\users\rob\appdata\local\{DA541912-BA1B-4F02-B48F-30EE051F0133}
2012-06-28 02:25:46 -------- d-----w- c:\users\rob\appdata\local\{3E1F0DE1-9B36-4579-A916-FD5DC8A847D8}
2012-06-27 01:56:53 -------- d-----w- c:\users\rob\appdata\local\{8949294A-41A7-4018-AC36-AAF6514D53CB}
2012-06-27 01:56:30 -------- d-----w- c:\users\rob\appdata\local\{1322A18B-20AF-41A2-84CB-7A27D5DE5DB1}
2012-06-26 13:56:05 -------- d-----w- c:\users\rob\appdata\local\{ABA88789-DC7C-484A-A869-6D1E06416E5C}
2012-06-26 13:55:55 -------- d-----w- c:\users\rob\appdata\local\{73A8572F-FDD9-449D-BF87-8DB539610914}
2012-06-25 19:41:56 -------- d-----w- c:\users\rob\appdata\local\{D8CA4377-132C-4896-81E0-FBB8CCEA8368}
2012-06-25 19:41:38 -------- d-----w- c:\users\rob\appdata\local\{0B465C3E-3FF1-4ABD-94AA-183CA03FF00F}
2012-06-24 18:37:38 -------- d-----w- c:\users\rob\appdata\local\{10D4E33E-99F9-4B4F-970E-1421168ABE99}
2012-06-24 18:37:16 -------- d-----w- c:\users\rob\appdata\local\{701F56A9-AE71-45B7-A595-7BAB7864C0A7}
2012-06-24 06:36:51 -------- d-----w- c:\users\rob\appdata\local\{4AF9F52D-9771-40B6-A5B5-59ADC781C6B8}
2012-06-24 06:36:29 -------- d-----w- c:\users\rob\appdata\local\{BE8A43CC-9E61-44E2-A5E6-4FF55CB4E967}
2012-06-23 18:36:02 -------- d-----w- c:\users\rob\appdata\local\{E3BE6626-C19A-4E7F-AC77-28A047461D29}
2012-06-23 18:35:34 -------- d-----w- c:\users\rob\appdata\local\{C96E272F-24DB-4027-A560-A7C49EF57BCB}
2012-06-23 07:44:08 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-06-23 07:09:08 -------- d-----w- c:\users\rob\appdata\local\QuickPar
2012-06-23 07:08:17 -------- d-----w- c:\program files\QuickPar
2012-06-23 06:59:57 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-23 06:59:40 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-23 06:59:29 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-23 06:59:28 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-19 19:34:52 -------- d-----w- c:\users\rob\appdata\local\{EB660433-C800-4336-A874-7A021BF0E69A}
2012-06-19 19:34:42 -------- d-----w- c:\users\rob\appdata\local\{EF3570D2-59B2-4EE5-A7C9-FA7CCA0DDBCD}
2012-06-19 03:32:13 -------- d-----w- c:\users\rob\appdata\local\{20948427-56EE-4592-AB9F-F4116B856952}
2012-06-19 03:32:00 -------- d-----w- c:\users\rob\appdata\local\{B903EA9E-B1B7-4BF0-851B-7AC78436E9C6}
2012-06-18 14:18:27 -------- d-----w- c:\users\rob\appdata\local\{2A0EE2BA-4382-4DBE-B507-89775BD5BCA8}
2012-06-17 16:37:56 -------- d-----w- c:\users\rob\appdata\local\{643CFEAC-70DE-475C-A577-B27A5DBB92F0}
2012-06-17 04:37:17 -------- d-----w- c:\users\rob\appdata\local\{9B9079A8-E7E0-4CB6-9613-38489D9CAD71}
2012-06-17 03:33:32 -------- d-----w- c:\program files\Newsbin
2012-06-16 16:36:42 -------- d-----w- c:\users\rob\appdata\local\{8E194AD9-C608-4625-9F62-6E7263977E57}
2012-06-16 04:36:06 -------- d-----w- c:\users\rob\appdata\local\{BB873C56-CF7D-42BC-81B3-CF64C1863657}
2012-06-15 16:35:42 -------- d-----w- c:\users\rob\appdata\local\{35ECFE2E-1B7D-4C9F-8331-92D4FD34ED37}
2012-06-15 01:00:38 -------- d-----w- c:\users\rob\appdata\local\{5C282AC3-DD4E-43FD-9087-814E8FA70948}
2012-06-14 04:27:58 -------- d-----w- c:\users\rob\appdata\local\{F45F549B-CCE0-47D0-9038-1F2CB1AB8B6E}
2012-06-14 04:27:35 -------- d-----w- c:\users\rob\appdata\local\{09D1776A-3EAB-4C5F-8BBB-ADEFA6F7AC4D}
2012-06-13 22:14:34 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-06-13 22:14:34 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 22:14:33 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 22:14:33 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 22:14:32 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 22:14:32 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 16:27:10 -------- d-----w- c:\users\rob\appdata\local\{861A400D-7CD8-42DE-853A-3DB27DEB184C}
2012-06-13 16:26:47 -------- d-----w- c:\users\rob\appdata\local\{CA70C550-6D76-4219-A23D-7958FE2F7AFB}
2012-06-13 04:26:23 -------- d-----w- c:\users\rob\appdata\local\{385B490C-A126-4108-ACEE-C77A1EA2898C}
2012-06-13 04:26:00 -------- d-----w- c:\users\rob\appdata\local\{AC156247-F531-473E-9079-D0FECAA0E738}
2012-06-13 03:06:16 -------- d-----w- c:\program files\EaseUS
2012-06-12 16:25:35 -------- d-----w- c:\users\rob\appdata\local\{C2E95D2B-7721-4505-B08C-1966E5898564}
2012-06-12 16:25:12 -------- d-----w- c:\users\rob\appdata\local\{181D1A4C-46FF-4962-BB01-A77EB01D8B96}
2012-06-12 01:07:35 -------- d-----w- c:\users\rob\appdata\local\{6ED357B3-33E5-4859-9FF1-DA564C449B69}
2012-06-12 01:07:24 -------- d-----w- c:\users\rob\appdata\local\{15774BF5-0610-417D-9F9B-35D03761176C}
2012-06-10 17:22:45 -------- d-----w- c:\users\rob\appdata\local\{A48E0282-737E-4920-AF1B-DCF5682C331B}
2012-06-10 17:22:22 -------- d-----w- c:\users\rob\appdata\local\{DA1B1F4C-0E1B-415E-9C0F-C4F0EF57648D}
2012-06-10 05:21:57 -------- d-----w- c:\users\rob\appdata\local\{58FFE684-572D-4A98-B818-0658896BB2AF}
2012-06-10 05:21:33 -------- d-----w- c:\users\rob\appdata\local\{11E5D463-7DB5-46FB-9F47-F3959C5EAD22}
2012-06-09 17:21:08 -------- d-----w- c:\users\rob\appdata\local\{FAF2F2B2-F051-43A5-9189-A3F2565AA1DF}
2012-06-09 17:20:57 -------- d-----w- c:\users\rob\appdata\local\{BC024C30-58A2-4BE6-8730-308C3165EC74}
2012-06-08 16:38:57 -------- d-----w- c:\users\rob\appdata\local\{420807A6-7650-4C0F-B5D4-985B61928989}
2012-06-08 16:38:34 -------- d-----w- c:\users\rob\appdata\local\{734236D2-FE82-4F53-8575-8B4440C6E858}
2012-06-08 04:38:10 -------- d-----w- c:\users\rob\appdata\local\{38C62A23-672B-49A3-B7B1-3A51D5E8A1FE}
2012-06-08 04:37:59 -------- d-----w- c:\users\rob\appdata\local\{5449B5A3-4638-42B0-8505-9942446F8AB7}
2012-06-07 14:58:16 -------- d-----w- c:\users\rob\appdata\local\{A9E8027E-682C-4B98-951A-DADD942ADD3E}
2012-06-07 14:57:54 -------- d-----w- c:\users\rob\appdata\local\{AC2D9747-5876-43E3-9C18-EEEC3C4E03AF}
2012-06-07 02:57:29 -------- d-----w- c:\users\rob\appdata\local\{9FCF7E48-2CC0-47F0-B86F-9CB6A3764B55}
2012-06-07 02:57:07 -------- d-----w- c:\users\rob\appdata\local\{81A3771D-203C-4A63-A087-CFC2ACCD0499}
2012-06-06 14:56:55 -------- d-----w- c:\users\rob\appdata\local\{66773C6D-6DDF-43CA-9CB2-C63140EAA3B4}
2012-06-06 14:56:32 -------- d-----w- c:\users\rob\appdata\local\{21135FCB-EC2A-4B6F-B9C2-F241DD394424}
2012-06-06 02:56:07 -------- d-----w- c:\users\rob\appdata\local\{CB68B574-5EE6-4592-BBD5-8BA1CD7D989F}
2012-06-06 02:55:45 -------- d-----w- c:\users\rob\appdata\local\{C8196FEA-D15F-488B-92BF-2A822E48DEA6}
2012-06-05 13:03:34 -------- d-----w- c:\users\rob\appdata\local\{7FF60068-1869-48EF-8F77-5A6A79F0C150}
2012-06-05 13:03:12 -------- d-----w- c:\users\rob\appdata\local\{B446392F-71CC-4FA6-A03F-988B455540FA}
.
==================== Find3M ====================
.
2028-06-08 23:38:06 158720 ----a-w- c:\windows\system32\VPMSDU32.DLL
2012-06-23 07:44:20 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-23 07:44:20 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-06 05:34:22 159232 ----a-w- c:\windows\system32\clinfo.exe
2012-04-06 05:34:04 64512 ----a-w- c:\windows\system32\OpenVideo.dll
2012-04-06 05:33:52 56320 ----a-w- c:\windows\system32\OVDecode.dll
2012-04-06 05:32:56 13007872 ----a-w- c:\windows\system32\amdocl.dll
2012-04-06 05:21:10 9334784 ----a-w- c:\windows\system32\drivers\atikmdag.sys
.
============= FINISH: 19:39:05.97 ===============

#4
Maniac

    Forum Deity

  • Experts
  • 17,090 posts
  • Gender:Male
  • Location:Bulgaria, EU
Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

#5
boldfin

    New Member

  • Members
  • 10 posts
Ran ComboFix:

ComboFix 12-07-05.02 - Rob 07/05/2012 8:04.1.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3326.1858 [GMT -7:00]
Running from: c:\users\Rob\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Rob\AppData\Roaming\8D5595
c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\users\Rob\AppData\Roaming\UseNetServ.exe
c:\users\Rob\AppData\Roaming\UseServe.exe
c:\users\Rob\g2mdlhlpx.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-05 to 2012-07-05 )))))))))))))))))))))))))))))))
.
.
2012-07-05 15:12 . 2012-07-05 15:30 -------- d-----w- c:\users\Rob\AppData\Local\temp
2012-07-05 15:12 . 2012-07-05 15:12 -------- d-----w- c:\users\Mcx3-BOLDFIN420\AppData\Local\temp
2012-07-05 15:12 . 2012-07-05 15:12 -------- d-----w- c:\users\Mcx2-BOLDFIN420\AppData\Local\temp
2012-07-05 15:12 . 2012-07-05 15:12 -------- d-----w- c:\users\Jennifer\AppData\Local\temp
2012-07-05 15:12 . 2012-07-05 15:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-05 14:59 . 2012-07-05 14:59 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E8AE3E55-479C-4BE7-A1E7-E0043E77E064}\MpKsl405aafcf.sys
2012-07-04 22:58 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E8AE3E55-479C-4BE7-A1E7-E0043E77E064}\mpengine.dll
2012-07-03 14:57 . 2012-02-10 10:28 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F9D91BEC-DBDE-4167-9C7A-165D901E6BFD}\gapaengine.dll
2012-07-03 14:56 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-28 04:16 . 2012-06-28 04:16 -------- d-----w- c:\programdata\ATI
2012-06-28 04:16 . 2012-06-28 04:16 -------- d-----w- c:\program files\AMD AVT
2012-06-28 04:16 . 2012-06-28 04:16 -------- d-----w- c:\program files\AMD APP
2012-06-23 07:44 . 2012-06-23 07:44 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-06-23 07:09 . 2012-06-30 20:36 -------- d-----w- c:\users\Rob\AppData\Local\QuickPar
2012-06-23 07:08 . 2012-06-23 07:08 -------- d-----w- c:\program files\QuickPar
2012-06-23 06:59 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-23 06:59 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-23 06:59 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-23 06:59 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-23 06:59 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-23 06:59 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-23 06:59 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-23 06:59 . 2012-06-02 22:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-23 06:59 . 2012-06-02 22:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-17 03:33 . 2012-06-17 03:33 -------- d-----w- c:\program files\Newsbin
2012-06-13 22:14 . 2012-04-28 04:41 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-06-13 22:14 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 22:14 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 22:14 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 22:14 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 22:14 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 03:06 . 2012-06-13 03:06 -------- d-----w- c:\program files\EaseUS
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2028-06-08 23:38 . 2011-08-11 04:48 158720 ----a-w- c:\windows\system32\VPMSDU32.DLL
2012-06-23 07:44 . 2012-04-03 01:49 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-23 07:44 . 2011-06-06 15:56 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-27 01:22 . 2012-04-27 01:22 413696 ----a-r- c:\users\Rob\AppData\Roaming\Microsoft\Installer\{4229F016-3A60-439E-B626-DE4BD457469F}\ARPPRODUCTICON.exe
2011-03-18 17:53 . 2011-04-10 23:44 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-05-09 06:39 1011344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-05-09 06:39 1011344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-05-09 06:39 1011344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2569616]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"EKAIO2StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-12-10 2756608]
"My Movies Tray"="c:\program files\Binnerup Consult\My Movies for Windows Media Center\My Movies Tray.exe" [2011-12-15 477392]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-04-15 113288]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-11-20 128296]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2011-12-22 362432]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-05-09 1061520]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2011-2-7 603504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Rob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2010-06-08 01:48 362488 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2012-04-27 16:12 6065784 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]
2010-07-02 18:24 95744 ----a-w- c:\program files\eFax Messenger 4.4\J2GDllCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent]
2011-09-20 21:53 1493288 ----a-w- c:\program files\Nero\Nero 11\Nero BackItUp\NBAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2010-06-08 01:47 2605424 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2011-03-07 13:33 89456 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 BackupReader;BackupReader;c:\windows\system32\DRIVERS\BackupReader.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\DRIVERS\NBVol.sys [x]
S0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\DRIVERS\NBVolUp.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
S1 MpKsl405aafcf;MpKsl405aafcf;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E8AE3E55-479C-4BE7-A1E7-E0043E77E064}\MpKsl405aafcf.sys [x]
S2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2012/02/28 18:50];c:\program files\CyberLink\PowerDVD DX\000.fcl [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [x]
S2 DkTahsp;OCUR SDV Service;c:\windows\system32\dktahsp.exe [x]
S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [x]
S2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 MediaCollectorService;MediaCollectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [x]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [x]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [x]
S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 msta;Tuning Adapter Service;c:\windows\system32\Drivers\msta.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 07:44]
.
2012-07-05 c:\windows\Tasks\RegistryBooster.job
- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2012-04-11 18:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sn123w.snt123.mail.live.com/default.aspx?wa=wsignin1.0
Trusted Zone: highland.com\office
DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UpdateCenter/applets/sync.cab
FF - ProfilePath - c:\users\Rob\AppData\Roaming\Mozilla\Firefox\Profiles\mz85hv77.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
HKCU-Run-UsenetServices - c:\users\Rob\AppData\Roaming\UseServe.exe
HKLM-Run-Conime - c:\windows\system32\conime.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD DX\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-408190252-3311634441-3888657169-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-408190252-3311634441-3888657169-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4696)
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\atieclxx.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\ehome\ehRecvr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Home Server\WHSTrayApp.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2012-07-05 08:33:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-05 15:33
.
Pre-Run: 387,760,070,656 bytes free
Post-Run: 388,317,569,024 bytes free
.
- - End Of File - - 948414ACFBE9E3BC2A4C82A5850773C5

#6
Maniac

    Forum Deity

  • Experts
  • 17,090 posts
  • Gender:Male
  • Location:Bulgaria, EU
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\program files\Ask.com

JavaClearCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#7
boldfin

    New Member

  • Members
  • 10 posts
In your previous instructions, you asked me to uninstall the Ask.com Toolbar. This program was not listed under installed programs. There was a folder for it, however, in C:/program files - which I deleted. This was done yesterday.


ComboFix 12-07-05.02 - Rob 07/05/2012 19:50:26.2.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3326.1784 [GMT -7:00]
Running from: c:\users\Rob\Desktop\ComboFix.exe
Command switches used :: c:\users\Rob\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-06 to 2012-07-06 )))))))))))))))))))))))))))))))
.
.
2012-07-06 03:00 . 2012-07-06 03:00 -------- d-----w- c:\users\Mcx3-BOLDFIN420\AppData\Local\temp
2012-07-06 03:00 . 2012-07-06 03:00 -------- d-----w- c:\users\Mcx2-BOLDFIN420\AppData\Local\temp
2012-07-06 03:00 . 2012-07-06 03:00 -------- d-----w- c:\users\Jennifer\AppData\Local\temp
2012-07-06 03:00 . 2012-07-06 03:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-06 03:00 . 2012-07-06 03:00 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-07-05 15:12 . 2012-07-06 03:00 -------- d-----w- c:\users\Rob\AppData\Local\temp
2012-07-04 22:58 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E8AE3E55-479C-4BE7-A1E7-E0043E77E064}\mpengine.dll
2012-07-03 14:57 . 2012-02-10 10:28 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F9D91BEC-DBDE-4167-9C7A-165D901E6BFD}\gapaengine.dll
2012-07-03 14:56 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-28 04:16 . 2012-06-28 04:16 -------- d-----w- c:\programdata\ATI
2012-06-28 04:16 . 2012-06-28 04:16 -------- d-----w- c:\program files\AMD AVT
2012-06-28 04:16 . 2012-06-28 04:16 -------- d-----w- c:\program files\AMD APP
2012-06-23 07:44 . 2012-06-23 07:44 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-06-23 07:09 . 2012-06-30 20:36 -------- d-----w- c:\users\Rob\AppData\Local\QuickPar
2012-06-23 07:08 . 2012-06-23 07:08 -------- d-----w- c:\program files\QuickPar
2012-06-23 06:59 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-23 06:59 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-23 06:59 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-23 06:59 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-23 06:59 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-23 06:59 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-23 06:59 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-23 06:59 . 2012-06-02 22:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-23 06:59 . 2012-06-02 22:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-17 03:33 . 2012-06-17 03:33 -------- d-----w- c:\program files\Newsbin
2012-06-13 22:14 . 2012-04-28 04:41 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-06-13 22:14 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 22:14 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 22:14 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-13 22:14 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-13 22:14 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-13 03:06 . 2012-06-13 03:06 -------- d-----w- c:\program files\EaseUS
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2028-06-08 23:38 . 2011-08-11 04:48 158720 ----a-w- c:\windows\system32\VPMSDU32.DLL
2012-06-23 07:44 . 2012-04-03 01:49 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-23 07:44 . 2011-06-06 15:56 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-27 01:22 . 2012-04-27 01:22 413696 ----a-r- c:\users\Rob\AppData\Roaming\Microsoft\Installer\{4229F016-3A60-439E-B626-DE4BD457469F}\ARPPRODUCTICON.exe
2011-03-18 17:53 . 2011-04-10 23:44 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2012-05-09 06:39 1011344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2012-05-09 06:39 1011344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2012-05-09 06:39 1011344 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2569616]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"EKAIO2StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-12-10 2756608]
"My Movies Tray"="c:\program files\Binnerup Consult\My Movies for Windows Media Center\My Movies Tray.exe" [2011-12-15 477392]
"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-04-15 113288]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-11-20 128296]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2011-12-22 362432]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2012-05-09 1061520]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Windows Home Server.lnk - c:\windows\Installer\{21E49794-7C13-4E84-8659-55BD378267D5}\WHSTrayApp.exe [2011-2-7 603504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Rob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\users\Rob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2010-06-08 01:48 362488 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2012-04-27 16:12 6065784 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]
2010-07-02 18:24 95744 ----a-w- c:\program files\eFax Messenger 4.4\J2GDllCmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBAgent]
2011-09-20 21:53 1493288 ----a-w- c:\program files\Nero\Nero 11\Nero BackItUp\NBAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2010-06-08 01:47 2605424 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
2011-03-07 13:33 89456 ----a-w- c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 BackupReader;BackupReader;c:\windows\system32\DRIVERS\BackupReader.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 NBVol;Nero Backup Volume Filter Driver;c:\windows\system32\DRIVERS\NBVol.sys [x]
S0 NBVolUp;Nero Backup Volume Upper Filter Driver;c:\windows\system32\DRIVERS\NBVolUp.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
S2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2012/02/28 18:50];c:\program files\CyberLink\PowerDVD DX\000.fcl [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [x]
S2 DkTahsp;OCUR SDV Service;c:\windows\system32\dktahsp.exe [x]
S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [x]
S2 HPMSSConnectorSvc;HPMSSConnectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MSSConnectorService.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 MediaCollectorService;MediaCollectorService;c:\program files\Hewlett-Packard\HP MediaSmart Server\MediaCollectorClient.exe [x]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [x]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [x]
S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 msta;Tuning Adapter Service;c:\windows\system32\Drivers\msta.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 07:44]
.
2012-07-06 c:\windows\Tasks\RegistryBooster.job
- c:\program files\Uniblue\RegistryBooster\rbmonitor.exe [2012-04-11 18:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sn123w.snt123.mail.live.com/default.aspx?wa=wsignin1.0
Trusted Zone: highland.com\office
DPF: {16F67783-7E72-4C39-99C4-4780A8335484} - hxxp://www.syncmyride.com/Own/Modules/UpdateCenter/applets/sync.cab
FF - ProfilePath - c:\users\Rob\AppData\Roaming\Mozilla\Firefox\Profiles\mz85hv77.default\
FF - prefs.js: network.proxy.type - 0
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD DX\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-408190252-3311634441-3888657169-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-408190252-3311634441-3888657169-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-05 20:02:53
ComboFix-quarantined-files.txt 2012-07-06 03:02
ComboFix2.txt 2012-07-05 15:33
.
Pre-Run: 388,650,045,440 bytes free
Post-Run: 388,093,710,336 bytes free
.
- - End Of File - - 1AF48684F65612D6250FD1803BF15C11

#8
Maniac

Good! :)

Please compress the following folder: C:\Qoobox\Quarantine
http://windows.micro...files-zip-files

Upload it somewhere, for example to www.rapidshare.com, and send me a download link via PM.
My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here Posted Image

#9
Maniac

Thank you for your cooperation!

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


#10
boldfin

I ran the scan with ESET's online tool. It took several hours. There were a few quarantined programs, most of which I recognized as being installed by me:
Uniblue Registry Booster, etc.

The log.txt doesn't seem to say much...

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK


Is this normal?

#11
boldfin

Just ran the scan again. Log below:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251

#12
boldfin

FYI - I am going to be travelling for a few days, and unable to continue the cleaning process on this computer until I return. I appreciate your help so far, and will contact you when I return.

#13
Maniac

Thanks for letting me know! Have a nice trip! :)

Then tell me how your system is now.

#14
boldfin

I am back in town. I ran scans with MS Security Essentials and MBAW, both came back with one threat each. MSSE reported a Win32 worm, which I quarantined; MBAW log is posted below. What next steps do you recommend?

Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.14.07
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Rob :: BOLDFIN420 [administrator]
Protection: Enabled
7/14/2012 12:56:05 PM
mbam-log-2012-07-14 (12-56-05).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 280845
Time elapsed: 7 minute(s), 57 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\Rob\AppData\Roaming\jullli_2012 (Stolen.Data) -> Quarantined and deleted successfully.
(end)

#15
Maniac

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Click the cog in the upper right

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and post it in your next reply.

#16
boldfin

I just completed an automatic scan with the AVPTool, per your instructions. It took six hours to run the scan of my main drive. No threats were detected, so there is no Detected Threats report to post in this reply.

Just to make sure, I ran another MBAW Quick Scan:

Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.14.07
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Rob :: BOLDFIN420 [administrator]
Protection: Enabled
7/14/2012 10:45:03 PM
mbam-log-2012-07-14 (22-45-03).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 285703
Time elapsed: 9 minute(s), 34 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

What do you recommend at this point?
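The two MBAM logs posted above share one fixed layout: a header, a "<Category> Detected: N" counter for each object class, and under any non-zero counter one line per detection of the form "<object> (<threat>) -> <action>." As an added example (not code from the thread or from Malwarebytes), here is a small Python parser for that layout, run on a constructed sample modelled on the 12:56 PM log, so a helpdesk script can tell a clean log from one that needs follow-up.

```python
"""Parse the detection summary of a Malwarebytes Anti-Malware 1.x scan log.
Added example, not code from the thread or from Malwarebytes: it reads each
"<Category> Detected: N" counter and the detection lines listed under it."""
import re
from dataclasses import dataclass, field

COUNTER_RE = re.compile(r"^(?P<category>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# Detection line: "<object> (<threat name>) -> <action taken>."
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

@dataclass
class Detection:
    category: str  # counter it was listed under, e.g. "Files"
    obj: str       # file path, registry key, process name ...
    threat: str    # MBAM family name, e.g. "Stolen.Data"
    action: str    # e.g. "Quarantined and deleted successfully"

@dataclass
class MbamReport:
    scan_type: str = ""
    counts: dict = field(default_factory=dict)        # category -> N
    detections: list = field(default_factory=list)    # Detection objects

    def is_clean(self) -> bool:
        return sum(self.counts.values()) == 0 and not self.detections

def parse_mbam_log(text: str) -> MbamReport:
    report, category = MbamReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Scan type: "):
            report.scan_type = line.split(": ", 1)[1]
        elif m := COUNTER_RE.match(line):
            category = m["category"]          # remember which counter we are under
            report.counts[category] = int(m["count"])
        elif category and (m := DETECTION_RE.match(line)):
            report.detections.append(Detection(category, m["obj"], m["threat"], m["action"]))
    return report

# Constructed sample, modelled on the 12:56 PM log posted above.
SAMPLE_LOG = """Malwarebytes Anti-Malware (PRO) 1.62.0.1300
Scan type: Quick scan
Memory Processes Detected: 0
(No malicious items detected)
Files Detected: 1
C:\\Users\\Rob\\AppData\\Roaming\\jullli_2012 (Stolen.Data) -> Quarantined and deleted successfully.
(end)
"""
```

A log where every counter is 0 and no detection line follows yields `is_clean() == True`; a detection line under a non-zero counter is captured with its category, threat name and the action MBAM took.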

#17
Maniac

Let me know how your system is now.

#18
boldfin

It appears to be working normally. I rescanned with MBAW and MS Security Essentials, and no threats were found. I understand that there is no guarantee that the system is truly "clean", but please tell me if I should consider nuke/pave at this point.

#19
Maniac

For now everything seems to be fine. What you should consider is changing all your passwords, especially banking accounts.

Please uninstall ComboFix:
www.bleepingcomputer.com/combofix/how-to-use-combofix#uninstall

Next, manually delete DDS, aswMBR and Kaspersky AVP. Please uninstall ESET Online Scanner too.

Some malware prevention tips:
http://forums.malwar...=0


Safe surfing! :)

#20
Maurice Naggar

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
~Maurice Naggar

I close my threads if there are 5 days without a response.




