# Solved: adware virus - hyperlinks to ads on every web page



## Fishermoon (Feb 14, 2012)

Hello,

On every web page i am harassed by these hyperlinks leading to ads. If this is an infection and not something i could easily switch off or uninstall could someone please help me remove them.

This is my sytem info:

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 64 bit
Processor: Intel(R) Celeron(R) CPU B815 @ 1.60GHz, Intel64 Family 6 Model 42 Stepping 7
Processor Count: 2
RAM: 4003 Mb
Graphics Card: Intel(R) HD Graphics Family, 1809 Mb
Hard Drives: C: Total - 238469 MB, Free - 169189 MB; D: Total - 238068 MB, Free - 226472 MB;
Motherboard: TOSHIBA, PWWHA
Antivirus: Kaspersky PURE, Updated and Enabled

Here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:55:20, on 15/04/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Home\Desktop\Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ievkbd.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
O2 - BHO: TOSHIBA Media Controller Plug-in - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Toshiba Places Icon Utility.lnk = ?
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Kaspersky PURE (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: CryptoStorage control service (CSObjectsSrv) - Infowatch - C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: IconMan_R - Realsil Microelectronics Inc. - C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @c:\Program Files (x86)\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - c:\Program Files (x86)\Nero\Update\NASvc.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Notebook Performance Tuning Service (TEMPRO) (TemproMonitoringService) - Toshiba Europe GmbH - C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\Windows\system32\TODDSrv.exe (file missing)
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 10761 bytes


----------



## Fishermoon (Feb 14, 2012)

Can anyone help? have i violated any forums rules?


----------



## dvk01 (Dec 14, 2002)

is it ALL webpages that have these hyperlinks or only some sites

follow advice *here* and post the logs those programs make

Did you see the big red message telling you what to do when you tried to make your first post in this topic or did you just decide to ignore it.


----------



## Fishermoon (Feb 14, 2012)

Thank you for replying

Yes the hyperlinks are on ALL web pages and has slowed my browsing speed.

I re-read the post which you directed me to. So here is my DDS:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 
Internet Explorer: 9.0.8112.16421
Run by Home at 18:07:48 on 2012-04-13
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4004.2128 [GMT 1:00]
.
AV: Kaspersky PURE *Enabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
SP: Spybot - Search && Destroy *Enabled/Updated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Kaspersky PURE *Enabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
FW: Kaspersky PURE *Enabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Home\Desktop\Security\HijackThis.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TEUA&bmod=TEUA
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TEUA&bmod=TEUA
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ievkbd.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
BHO: TOSHIBA Media Controller Plug-in: {f3c88694-effa-4d78-b409-54b7b2535b14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\TOSHIB~1.LNK - C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{1EA1A55B-390E-44FA-8878-E5C4D77B0C21} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{1EA1A55B-390E-44FA-8878-E5C4D77B0C21}\244584572633D253348383 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{E78EEF3D-89D7-4686-ACC5-CF1EE678C92A} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Notify: SDWinLogon - SDWinLogon.dll
AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
BHO-X64: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ievkbd.dll
BHO-X64: IEVkbdBHO - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: FilterBHO Class: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
BHO-X64: link filter bho - No File
BHO-X64: TOSHIBA Media Controller Plug-in: {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
mRun-x64: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun-x64: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun-x64: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe"
AppInit_DLLs-X64: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\b64pm3ra.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.ixquick.com/uk/
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 CSCrySec;InfoWatch Encrypt Sector Library driver;C:\Windows\system32\DRIVERS\CSCrySec.sys --> C:\Windows\system32\DRIVERS\CSCrySec.sys [?]
R0 KLBG;Kaspersky Lab Boot Guard Driver;C:\Windows\system32\DRIVERS\klbg.sys --> C:\Windows\system32\DRIVERS\klbg.sys [?]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\Windows\system32\DRIVERS\tos_sps64.sys --> C:\Windows\system32\DRIVERS\tos_sps64.sys [?]
R1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;C:\Windows\system32\DRIVERS\CSVirtualDiskDrv.sys --> C:\Windows\system32\DRIVERS\CSVirtualDiskDrv.sys [?]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys --> C:\Windows\system32\DRIVERS\klim6.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-12 140672]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 AVP;Kaspersky PURE;C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe [2010-10-1 348760]
R2 cfWiMAXService;ConfigFree WiMAX Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-1-28 249200]
R2 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-3-10 46448]
R2 CSObjectsSrv;CryptoStorage control service;C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [2009-12-21 743992]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe [2012-2-13 1809920]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2011-3-29 598312]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-3-17 1181104]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-3-17 1185704]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-3-17 166528]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-2-13 2656280]
R3 CeKbFilter;CeKbFilter;C:\Windows\system32\DRIVERS\CeKbFilter.sys --> C:\Windows\system32\DRIVERS\CeKbFilter.sys [?]
R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\Windows\system32\DRIVERS\klmouflt.sys --> C:\Windows\system32\DRIVERS\klmouflt.sys [?]
R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 TMachInfo;TMachInfo;C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2012-2-13 54136]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-12-8 137632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 BtFilter;Bluetooth LowerFilter Class Filter Driver;C:\Windows\system32\DRIVERS\btfilter.sys --> C:\Windows\system32\DRIVERS\btfilter.sys [?]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [2011-2-10 112080]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2012-04-13 13:16:45 8669240 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CA841902-5A76-450C-8A3D-056EE3212516}\mpengine.dll
2012-04-11 02:00:26 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-11 02:00:26 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-11 02:00:25 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-11 02:00:25 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-11 02:00:25 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-11 02:00:24 5120  ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-11 02:00:24 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-04-08 20:31:58 -------- d-----w- C:\ProgramData\Premium
2012-04-08 20:31:45 -------- d-----w- C:\ProgramData\wxDfast
2012-04-08 20:30:47 -------- d-----w- C:\ProgramData\InstallMate
2012-03-29 21:18:50 -------- d-----w- C:\ProgramData\Canneverbe Limited
2012-03-29 21:18:49 -------- d-----w- C:\Users\Home\AppData\Roaming\Canneverbe Limited
2012-03-28 13:40:52 -------- d-----w- C:\ProcAlyzer Dumps
2012-03-27 00:04:28 -------- d-----w- C:\Users\Home\AppData\Local\Ilivid Player
2012-03-24 10:27:07 -------- d-----w- C:\Program Files (x86)\VideoLAN
2012-03-24 10:20:41 515584 ----a-w- C:\Windows\System32\timedate.cpl
2012-03-24 10:20:41 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-03-24 10:20:41 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2012-03-24 10:20:41 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2012-03-24 10:20:40 870912 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2012-03-24 10:20:40 1465344 ----a-w- C:\Windows\System32\XpsPrint.dll
2012-03-23 18:59:41 -------- d-----w- C:\Users\Home\AppData\Local\Nero_AG
2012-03-23 18:59:35 -------- d-----w- C:\Users\Home\AppData\Local\Nero
2012-03-23 17:52:05 -------- d-----w- C:\Program Files (x86)\uTorrent
2012-03-23 17:51:16 -------- d-----w- C:\Users\Home\AppData\Roaming\uTorrent
2012-03-20 06:03:49 -------- d-----w- C:\Windows\SysWow64\Wat
2012-03-20 06:03:48 -------- d-----w- C:\Windows\System32\Wat
2012-03-19 23:20:14 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-19 06:05:39 -------- d-----w- C:\Program Files (x86)\MSXML 4.0
2012-03-18 11:21:40 162392 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]\components\KavLinkFilter.dll
2012-03-18 11:21:14 85048 ----a-w- C:\Windows\System32\drivers\CSCrySec.sys
2012-03-18 11:21:14 66104 ----a-w- C:\Windows\System32\drivers\CSVirtualDiskDrv.sys
2012-03-18 11:20:12 -------- d-----w- C:\Program Files (x86)\Common Files\InfoWatch
2012-03-18 11:20:11 -------- d-----w- C:\ProgramData\Kaspersky Lab
2012-03-18 11:20:11 -------- d-----w- C:\Program Files (x86)\Kaspersky Lab
2012-03-18 10:58:43 -------- d-----w- C:\ProgramData\Kaspersky Lab Setup Files
2012-03-18 10:29:59 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-03-18 10:28:58 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-03-18 10:26:50 8669240 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-03-18 10:18:50 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-18 10:18:50 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-03-18 10:18:50 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-03-18 10:18:42 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-18 10:18:42 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-18 10:18:42 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-18 10:18:42 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-03-17 20:26:15 -------- d-----w- C:\Users\Home\AppData\Roaming\SUPERAntiSpyware.com
2012-03-17 20:25:22 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-03-17 20:25:22 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-03-17 20:21:40 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-03-17 20:21:29 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
2012-03-17 20:21:24  -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2012-03-17 17:51:10 -------- d-----w- C:\Users\Home\AppData\Local\Mozilla
2012-03-17 17:31:41 -------- d-----w- C:\Program Files (x86)\UEFI WinFlash
2012-03-17 14:40:02 -------- d-----w- C:\Program Files (x86)\Realtek WLAN Driver
2012-03-17 14:33:44 -------- d-----w- C:\Users\Home\AppData\Roaming\WinBatch
2012-03-17 14:29:18 -------- d-----w- C:\Users\Home\AppData\Local\ElevatedDiagnostics
2012-03-17 13:16:05 -------- d-----w- C:\Users\Home\AppData\Local\Diagnostics
2012-03-17 12:40:35 -------- d-----w- C:\Users\Home\AppData\Local\Adobe
2012-03-17 12:39:47 -------- d-----w- C:\Users\Home\AppData\Local\Toshiba
2012-03-17 12:39:04 -------- d-----w- C:\Users\Home\AppData\Local\VirtualStore
.
==================== Find3M ====================
.
2012-03-06 06:53:37 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-06 05:59:47 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-06 05:59:41 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-23 09:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-13 06:55:47 20592 ----a-w- C:\Windows\System32\drivers\CeKbFilter.sys
2012-02-10 06:36:07 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-10 05:38:43 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-02-03 04:34:34 3145728 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 18:08:58.73 ===============

I have also attached the attach.txt file

Once again thank you for your assistance


----------



## dvk01 (Dec 14, 2002)

Does this happen in both Firefox & IE or only in one of the browsers
I can't see anything obvious to cause it so far so and Kaspersky Pure normally detects most of these pests

lets see what this will find & fix

Please download Malwarebytes' Anti-Malware to your desktop
from  HERE  orHERE

Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded. 
Once the program has loaded, select Perform quick scan, then click Scan. 
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. 
Please include this log in your next reply.

It might ask you to reboot to finish cleaning. Please do so. ( Press YES on the alert) 
If you receive an (Error Loading xxxxxxxxxx .dll) error on reboot please reboot a second time . It is normal for this error to occur once and does not need to be reported unless it continues on every boot


----------



## Fishermoon (Feb 14, 2012)

Hi

This problem only occurs with Firefox. If it helps, when i hover the mouse over the hyperlinks "powered by text-enhance" is displayed. MBAM deleted 14 objects but after a reboot they are still present, unfortunately. Here is the log:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.21.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Home :: UNNAMED [administrator]

Protection: Disabled

21/04/2012 18:08:52
mbam-log-2012-04-21 (18-08-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 198807
Time elapsed: 2 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\ProgramData\wxDfast (PUP.wxDfast) -> Quarantined and deleted successfully.

Files Detected: 12
C:\Users\Home\Downloads\Codec-C(1).exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
C:\Users\Home\Downloads\Codec-C.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
C:\Users\Home\Downloads\Codec-V(1).exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
C:\Users\Home\Downloads\Codec-V(2).exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
C:\Users\Home\Downloads\Codec-V.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
C:\Users\Home\Downloads\FastDownload(1).exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
C:\Users\Home\Downloads\FastDownload.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\background.html (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\bhoclass.dll (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\content.js (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\ppjemjejnnojomfekgbpbbnecicblllf.crx (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\settings.ini (PUP.wxDfast) -> Quarantined and deleted successfully.

(end)


----------



## dvk01 (Dec 14, 2002)

Delete any existing version of ComboFix you have sitting on your desktop
*Please read and follow all these instructions very carefully*​* Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.  *

Download ComboFix from *Here* or * Here*to your Desktop.
*As you download it rename it to username123.exe*

***Note:  It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall*_* before* _performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results" or stop combofix running at all_
Click on *THIS LINK * to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running 
Double click on *renamed combofix.exe* & follow the prompts.​If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. 
Please post the *"C:\ComboFix.txt" * for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read  HERE  why we disable autoruns

*Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. *

Please tell us if it has cured the problems or if there are any outstanding issues


----------



## Fishermoon (Feb 14, 2012)

Hi

The problem still persists. There is, perhaps, one issue: the file downloaded to my download folder. I don't know how to change this. So, i cut and pasted to desktop then renamed. Shall i re-do, downloading to desktop etc, or is this ok?

Here is the combo log:

ComboFix 12-04-20.03 - Home 21/04/2012 23:40:32.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4004.2431 [GMT 1:00]
Running from: c:\users\Home\Desktop\username123.exe.exe
AV: Kaspersky PURE *Disabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
FW: Kaspersky PURE *Disabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}
SP: Kaspersky PURE *Disabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
SP: Spybot - Search && Destroy *Disabled/Updated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\xp
c:\programdata\xp\EBLib.dll
c:\programdata\xp\TPwSav.sys
.
c:\windows\SysWow64\drivers\ntfs.sys . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-03-21 to 2012-04-21 )))))))))))))))))))))))))))))))
.
.
2012-04-21 23:01 . 2012-04-21 23:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-21 17:06 . 2012-04-21 17:06 -------- d-----w- c:\users\Home\AppData\Roaming\Malwarebytes
2012-04-21 17:05 . 2011-07-08 06:55 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2012-04-21 17:05 . 2012-04-21 17:05 -------- d-----w- c:\programdata\Malwarebytes
2012-04-21 17:05 . 2012-04-21 17:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-21 17:05 . 2012-04-04 14:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-20 11:22 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1E37D016-0F96-4621-832A-0F8E9A5FB27A}\mpengine.dll
2012-04-19 13:39 . 2012-04-19 13:39 -------- d-----w- c:\users\Home\AppData\Roaming\QFX Software
2012-04-19 13:39 . 2012-04-19 13:39 -------- d-----w- c:\programdata\QFX Software
2012-04-18 22:01 . 2012-04-18 22:01 -------- d-----w- c:\users\Home\AppData\Local\Adobe
2012-04-18 20:11 . 2011-12-15 00:46 222904 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2012-04-18 20:11 . 2012-04-18 20:11 -------- d-----w- c:\program files (x86)\KeyScrambler
2012-04-11 02:00 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-11 02:00 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 02:00 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 02:00 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-11 02:00 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-11 02:00 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 02:00 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-08 20:31 . 2012-04-08 20:31 -------- d-----w- c:\programdata\Premium
2012-04-08 20:30 . 2012-04-08 20:32 -------- d-----w- c:\programdata\InstallMate
2012-03-30 13:35 . 2012-03-30 13:36 -------- d-----w- c:\users\Home\AppData\Roaming\dvdcss
2012-03-29 21:18 . 2012-03-29 21:18 -------- d-----w- c:\programdata\Canneverbe Limited
2012-03-29 21:18 . 2012-03-29 21:18 -------- d-----w- c:\users\Home\AppData\Roaming\Canneverbe Limited
2012-03-29 21:18 . 2012-03-29 21:18 -------- d-----w- c:\program files (x86)\CDBurnerXP
2012-03-28 13:40 . 2012-03-28 13:40 -------- d-----w- C:\ProcAlyzer Dumps
2012-03-27 00:04 . 2012-03-27 00:04 -------- d-----w- c:\users\Home\AppData\Local\Ilivid Player
2012-03-24 10:27 . 2012-04-21 15:35 -------- d-----w- c:\users\Home\AppData\Roaming\vlc
2012-03-24 10:27 . 2012-03-24 10:27 -------- d-----w- c:\program files (x86)\VideoLAN
2012-03-24 10:20 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-03-24 10:20 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-03-24 10:20 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-03-24 10:20 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-03-24 10:20 . 2011-03-12 12:08 1465344 ----a-w- c:\windows\system32\XpsPrint.dll
2012-03-24 10:20 . 2011-03-12 11:23 870912 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2012-03-23 18:59 . 2012-03-23 18:59 -------- d-----w- c:\users\Home\AppData\Local\Nero
2012-03-23 18:59 . 2012-03-23 18:59 -------- d-----w- c:\users\Home\AppData\Roaming\Nero
2012-03-23 17:52 . 2012-03-23 17:52 -------- d-----w- c:\program files (x86)\uTorrent
2012-03-23 17:51 . 2012-04-21 14:16 -------- d-----w- c:\users\Home\AppData\Roaming\uTorrent
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-19 23:20 . 2012-03-19 23:20 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-23 09:18 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 06:38 . 2012-03-18 10:18 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-18 10:18 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-18 10:18 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-18 10:18 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-13 06:55 . 2012-02-13 06:56 20592 ----a-w- c:\windows\system32\drivers\CeKbFilter.sys
2012-02-10 06:36 . 2012-03-18 10:29 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-18 10:29 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-03 04:34 . 2012-03-18 10:29 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-01-25 06:38 . 2012-03-18 10:18 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-01-25 06:38 . 2012-03-18 10:18 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-01-25 06:33 . 2012-03-18 10:18 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2010-10-01 22:05 129624 ----a-w- c:\program files (x86)\Kaspersky Lab\Kaspersky PURE\shellex.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2010-03-04 423936]
"ITSecMng"="c:\program files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2012-02-07 3865504]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"avp"="c:\program files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe" [2010-10-01 348760]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Toshiba Places Icon Utility.lnk - c:\program files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe [2011-8-26 1493888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\KASPER~1\KASPER~1\mzvkbd3.dll c:\progra~2\KASPER~1\KASPER~1\sbhook.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BtFilter;Bluetooth LowerFilter Class Filter Driver;c:\windows\system32\DRIVERS\btfilter.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files (x86)\Toshiba TEMPRO\TemproSvc.exe [2011-02-10 112080]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-11-29 54136]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-12-08 137632]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\DRIVERS\CSCrySec.sys [x]
S0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\DRIVERS\klbg.sys [x]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [x]
S1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\DRIVERS\CSVirtualDiskDrv.sys [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-01-28 249200]
S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448]
S2 CSObjectsSrv;CryptoStorage control service;c:\program files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [2009-12-21 743992]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe [2010-08-04 1809920]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2011-03-29 598312]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-02-07 1181104]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-02-07 1185704]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-02-07 166528]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
S3 CeKbFilter;CeKbFilter;c:\windows\system32\DRIVERS\CeKbFilter.sys [x]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [x]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2010-10-01 22:06 170584 ----a-w- c:\program files (x86)\Kaspersky Lab\Kaspersky PURE\x64\ShellEx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Toshiba TEMPRO"="c:\program files (x86)\Toshiba TEMPRO\TemproTray.exe" [2011-02-10 1546720]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-07 167256]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-07 391000]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-07 418136]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-02-11 11776104]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-01-18 2188904]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-12-08 710040]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\progra~2\KASPER~1\KASPER~1\x64\kloehk.dll c:\progra~2\KASPER~1\KASPER~1\x64\sbhook64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TEUA&bmod=TEUA
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\b64pm3ra.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.ixquick.com/uk/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-SDWinLogon - SDWinLogon.dll
Toolbar-Locked - (no file)
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-04-22 00:07:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-21 23:07
.
Pre-Run: 163,479,552,000 bytes free
Post-Run: 163,183,267,840 bytes free
.
- - End Of File - - B787808F6D8E31ECE6654F37529FECCC


----------



## dvk01 (Dec 14, 2002)

open an elevated cmd prompt by following the instructions shown here http://www.sevenforums.com/tutorials/783-elevated-command-prompt.html

then on that cmd window type sfc /scannow < press enter>

it will scan & should hopefully replace the infected/damaged ntfs.sys which I think is probabaly casuing your problems


----------



## Fishermoon (Feb 14, 2012)

Hi,

Unfortunately the problem still persists. I followed the instructions, did the scan and received the message "scan did not reveal any intrusions" or something of that kind. Nothing was replaced.


----------



## dvk01 (Dec 14, 2002)

lets get a look at the file & se what is wrong with it ( if anything)

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)
*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished *
Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe or renamed combofix icon as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum *

This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside C:\QooBox\quarantine created by combofix named something like [38][email protected]

or to 
http://www.bleepingcomputer.com/submit-malware.php?channel=38


----------



## Fishermoon (Feb 14, 2012)

Hi

Followed instructions and have a log to post, but no zip file. I looked in qoobox/quarantine but no zip file only a folder name "C"; another name "registry_backups" and two txt docs both named "catchme"

Here is the log:

ComboFix 12-04-20.03 - Home 23/04/2012 15:04:43.4.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4004.2484 [GMT 1:00]
Running from: c:\users\Home\Desktop\username123.exe.exe
Command switches used :: c:\users\Home\Desktop\CFScript.txt
AV: Kaspersky PURE *Disabled/Outdated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
FW: Kaspersky PURE *Disabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}
SP: Kaspersky PURE *Disabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
SP: Spybot - Search && Destroy *Disabled/Updated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-03-23 to 2012-04-23 )))))))))))))))))))))))))))))))
.
.
2012-04-23 14:11 . 2012-04-23 14:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-21 17:06 . 2012-04-21 17:06 -------- d-----w- c:\users\Home\AppData\Roaming\Malwarebytes
2012-04-21 17:05 . 2011-07-08 06:55 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2012-04-21 17:05 . 2012-04-21 17:05 -------- d-----w- c:\programdata\Malwarebytes
2012-04-21 17:05 . 2012-04-21 17:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-21 17:05 . 2012-04-04 14:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-20 11:22 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1E37D016-0F96-4621-832A-0F8E9A5FB27A}\mpengine.dll
2012-04-19 13:39 . 2012-04-19 13:39 -------- d-----w- c:\users\Home\AppData\Roaming\QFX Software
2012-04-19 13:39 . 2012-04-19 13:39 -------- d-----w- c:\programdata\QFX Software
2012-04-18 22:01 . 2012-04-18 22:01 -------- d-----w- c:\users\Home\AppData\Local\Adobe
2012-04-18 20:11 . 2011-12-15 00:46 222904 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2012-04-18 20:11 . 2012-04-18 20:11 -------- d-----w- c:\program files (x86)\KeyScrambler
2012-04-11 02:00 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-11 02:00 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 02:00 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 02:00 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-11 02:00 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-11 02:00 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 02:00 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-08 20:31 . 2012-04-08 20:31 -------- d-----w- c:\programdata\Premium
2012-04-08 20:30 . 2012-04-08 20:32 -------- d-----w- c:\programdata\InstallMate
2012-03-30 13:35 . 2012-03-30 13:36 -------- d-----w- c:\users\Home\AppData\Roaming\dvdcss
2012-03-29 21:18 . 2012-03-29 21:18 -------- d-----w- c:\programdata\Canneverbe Limited
2012-03-29 21:18 . 2012-03-29 21:18 -------- d-----w- c:\users\Home\AppData\Roaming\Canneverbe Limited
2012-03-29 21:18 . 2012-03-29 21:18 -------- d-----w- c:\program files (x86)\CDBurnerXP
2012-03-28 13:40 . 2012-03-28 13:40 -------- d-----w- C:\ProcAlyzer Dumps
2012-03-27 00:04 . 2012-03-27 00:04 -------- d-----w- c:\users\Home\AppData\Local\Ilivid Player
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-19 23:20 . 2012-03-19 23:20 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-23 09:18 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 06:38 . 2012-03-18 10:18 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-18 10:18 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-18 10:18 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-18 10:18 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-13 06:55 . 2012-02-13 06:56 20592 ----a-w- c:\windows\system32\drivers\CeKbFilter.sys
2012-02-10 06:36 . 2012-03-18 10:29 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-18 10:29 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-03 04:34 . 2012-03-18 10:29 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-01-25 06:38 . 2012-03-18 10:18 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-01-25 06:38 . 2012-03-18 10:18 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-01-25 06:33 . 2012-03-18 10:18 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
((((((((((((((((((((((((((((( [email protected]_23.03.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-04-21 23:02 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-04-23 14:12 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-04-23 14:12 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-21 23:02 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-23 14:12 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-21 23:02 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-21 03:09 . 2012-04-22 09:57 35978  c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-04-22 09:57 36624 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-03-17 13:28 . 2012-04-22 09:57 7160 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3547180978-2016794528-2506506231-1000_UserData.bin
- 2012-04-21 23:02 . 2012-04-21 23:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-22 09:55 . 2012-04-23 14:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-22 09:55 . 2012-04-23 14:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-04-21 23:02 . 2012-04-21 23:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-17 17:30 . 2012-04-23 13:36 227592 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2012-04-21 22:08 628460 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-23 14:19 628460 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-04-21 22:08 110612 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-04-23 14:19 110612 c:\windows\system32\perfc009.dat
- 2012-03-17 13:24 . 2012-04-21 23:01 713488 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2012-03-17 13:24 . 2012-04-21 23:21 713488 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-07-14 05:01 . 2012-04-21 23:01 228720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-04-21 23:21 228720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2010-10-01 22:05 129624 ----a-w- c:\program files (x86)\Kaspersky Lab\Kaspersky PURE\shellex.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2010-03-04 423936]
"ITSecMng"="c:\program files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2012-02-07 3865504]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Toshiba Places Icon Utility.lnk - c:\program files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe [2011-8-26 1493888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDWinLogon]
SDWinLogon.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\KASPER~1\KASPER~1\mzvkbd3.dll c:\progra~2\KASPER~1\KASPER~1\sbhook.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BtFilter;Bluetooth LowerFilter Class Filter Driver;c:\windows\system32\DRIVERS\btfilter.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files (x86)\Toshiba TEMPRO\TemproSvc.exe [2011-02-10 112080]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-11-29 54136]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-12-08 137632]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\DRIVERS\CSCrySec.sys [x]
S0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\DRIVERS\klbg.sys [x]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [x]
S1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\DRIVERS\CSVirtualDiskDrv.sys [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-01-28 249200]
S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448]
S2 CSObjectsSrv;CryptoStorage control service;c:\program files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [2009-12-21 743992]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe [2010-08-04 1809920]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2011-03-29 598312]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-02-07 1181104]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-02-07 1185704]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-02-07 166528]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
S3 CeKbFilter;CeKbFilter;c:\windows\system32\DRIVERS\CeKbFilter.sys [x]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [x]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2010-10-01 22:06 170584 ----a-w- c:\program files (x86)\Kaspersky Lab\Kaspersky PURE\x64\ShellEx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
"Toshiba TEMPRO"="c:\program files (x86)\Toshiba TEMPRO\TemproTray.exe" [2011-02-10 1546720]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-07 167256]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-07 391000]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-07 418136]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-02-11 11776104]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-01-18 2188904]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-12-08 710040]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\KASPER~1\KASPER~1\x64\kloehk.dll c:\progra~2\KASPER~1\KASPER~1\x64\sbhook64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TEUA&bmod=TEUA
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\b64pm3ra.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.ixquick.com/uk/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
.
**************************************************************************
.
Completion time: 2012-04-23 15:36:31 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-23 14:36
ComboFix2.txt 2012-04-21 23:07
.
Pre-Run: 161,216,684,032 bytes free
Post-Run: 160,773,382,144 bytes free
.
- - End Of File - - 4ACBFD6F4577E75B932290C12E8561F2


----------



## dvk01 (Dec 14, 2002)

That file isn't showing as infected any longer

are you still getting the problem and if the answer is yes, is it ONLY in Firefox or also in IE and any other browser


----------



## Fishermoon (Feb 14, 2012)

Hi

Yes still infected. And this is ONLY on FireFox not IE - i do not have any other browsers.


----------



## dvk01 (Dec 14, 2002)

Download *OTScanIt.exe *to your Desktop 

Close any open browsers.
If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
Double-click on *OTS.exe* to start the program.
Now on the toolbar at the top select "Scan all users" then click the *Run Scan* button
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
If the log is too large to post, use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## Fishermoon (Feb 14, 2012)

Hi

OTS log:


```
OTS logfile created on: 24/04/2012 18:53:59 - Run 1
OTS by OldTimer - Version 3.1.47.2     Folder = C:\Users\Home\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
 
4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 65.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 232.88 Gb Total Space | 148.31 Gb Free Space | 63.69% Space Free | Partition Type: NTFS
Drive D: | 232.49 Gb Total Space | 221.16 Gb Free Space | 95.13% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: UNNAMED
Current User Name: Home
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
ots.exe -> C:\Users\Home\Desktop\OTS.exe -> [2012/04/24 18:44:00 | 000,646,656 | ---- | M] (OldTimer Tools)
mbamservice.exe -> C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -> [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation)
mbamgui.exe -> C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe -> [2012/04/04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation)
sdwscsvc.exe -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe -> [2012/02/07 18:18:30 | 000,166,528 | ---- | M] (Safer-Networking Ltd.)
sdupdsvc.exe -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe -> [2012/02/07 18:18:28 | 001,185,704 | ---- | M] (Safer-Networking Ltd.)
sdfssvc.exe -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe -> [2012/02/07 18:18:24 | 001,181,104 | ---- | M] (Safer-Networking Ltd.)
armsvc.exe -> C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -> [2012/01/03 06:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated)
nasvc.exe -> c:\Program Files (x86)\Nero\Update\NASvc.exe -> [2011/03/29 14:33:08 | 000,598,312 | ---- | M] (Nero AG)
uns.exe -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -> [2011/02/01 13:24:42 | 002,656,280 | ---- | M] (Intel Corporation)
lms.exe -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -> [2011/02/01 13:24:40 | 000,326,168 | ---- | M] (Intel Corporation)
ndstray.exe -> C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe -> [2010/12/03 14:57:16 | 000,304,560 | ---- | M] (TOSHIBA CORPORATION)
avp.exe -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe -> [2010/10/01 23:06:36 | 000,348,760 | ---- | M] (Kaspersky Lab)
riconman.exe -> C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe -> [2010/08/04 17:11:34 | 001,809,920 | ---- | M] (Realsil Microelectronics Inc.)
protectedobjectssrv.exe -> C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe -> [2009/12/21 18:34:38 | 000,743,992 | ---- | M] (Infowatch)
cfswmgr.exe -> C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe -> [2009/07/28 20:26:42 | 000,062,848 | ---- | M] (TOSHIBA CORPORATION)
itsecmng.exe -> C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe -> [2009/07/22 13:40:00 | 000,083,336 | ---- | M] (TOSHIBA CORPORATION)
cfsvcs.exe -> C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe -> [2009/03/10 18:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION)
 
[Modules - No Company Name]
[Win32 Services - Safe List]
64bit-(!SASCORE)  [Auto | Running] -> C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -> [2011/08/12 00:38:04 | 000,140,672 | ---- | M] (SUPERAntiSpyware.com)
64bit-(TosCoSrv)  [Auto | Running] -> C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -> [2010/12/09 17:45:26 | 000,489,384 | ---- | M] (TOSHIBA Corporation)
64bit-(TOSHIBA HDD SSD Alert Service)  [On_Demand | Running] -> C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -> [2010/12/08 15:42:54 | 000,137,632 | ---- | M] (TOSHIBA Corporation)
64bit-(TODDSrv)  [Auto | Running] -> C:\Windows\SysNative\TODDSrv.exe -> [2010/10/20 14:41:00 | 000,138,656 | ---- | M] (TOSHIBA Corporation)
64bit-(wlcrasvc)  [Disabled | Stopped] -> C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -> [2010/09/22 17:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation)
64bit-(WinDefend)  [Auto | Running] -> C:\Program Files\Windows Defender\MpSvc.dll -> [2009/07/14 02:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation)
(MBAMService) MBAMService [Auto | Running] -> C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -> [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation)
(SDWSCService) Spybot-S&D 2 Security Center Service [Auto | Running] -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe -> [2012/02/07 18:18:30 | 000,166,528 | ---- | M] (Safer-Networking Ltd.)
(SDUpdateService) Spybot-S&D 2 Updating Service [Auto | Running] -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe -> [2012/02/07 18:18:28 | 001,185,704 | ---- | M] (Safer-Networking Ltd.)
(SDScannerService) Spybot-S&D 2 Scanner Service [Auto | Running] -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe -> [2012/02/07 18:18:24 | 001,181,104 | ---- | M] (Safer-Networking Ltd.)
(AdobeARMservice) Adobe Acrobat Update Service [Auto | Running] -> C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -> [2012/01/03 06:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated)
(NAUpdate) Nero Update [Auto | Running] -> c:\Program Files (x86)\Nero\Update\NASvc.exe -> [2011/03/29 14:33:08 | 000,598,312 | ---- | M] (Nero AG)
(TemproMonitoringService) Notebook Performance Tuning Service (TEMPRO) [On_Demand | Stopped] -> C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe -> [2011/02/10 08:25:36 | 000,112,080 | ---- | M] (Toshiba Europe GmbH)
(UNS) Intel(R) Management and Security Application User Notification Service [Auto | Running] -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -> [2011/02/01 13:24:42 | 002,656,280 | ---- | M] (Intel Corporation)
(LMS) Intel(R) Management and Security Application Local Management Service [Auto | Running] -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -> [2011/02/01 13:24:40 | 000,326,168 | ---- | M] (Intel Corporation)
(TMachInfo) TMachInfo [On_Demand | Stopped] -> C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -> [2010/11/29 14:58:30 | 000,054,136 | ---- | M] (TOSHIBA Corporation)
(AVP) Kaspersky PURE [Auto | Running] -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe -> [2010/10/01 23:06:36 | 000,348,760 | ---- | M] (Kaspersky Lab)
(IconMan_R) IconMan_R [Auto | Running] -> C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe -> [2010/08/04 17:11:34 | 001,809,920 | ---- | M] (Realsil Microelectronics Inc.)
(TOSHIBA Bluetooth Service) TOSHIBA Bluetooth Service [On_Demand | Stopped] -> C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe -> [2010/04/12 10:45:00 | 000,196,976 | ---- | M] (TOSHIBA CORPORATION)
(clr_optimization_v4.0.30319_32) Microsoft .NET Framework NGEN v4.0.30319_X86 [Auto | Stopped] -> C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -> [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation)
(cfWiMAXService) ConfigFree WiMAX Service [Auto | Running] -> C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe -> [2010/01/28 16:44:40 | 000,249,200 | ---- | M] (TOSHIBA CORPORATION)
(CSObjectsSrv) CryptoStorage control service [Auto | Running] -> C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe -> [2009/12/21 18:34:38 | 000,743,992 | ---- | M] (Infowatch)
(clr_optimization_v2.0.50727_32) Microsoft .NET Framework NGEN v2.0.50727_X86 [Disabled | Stopped] -> C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -> [2009/06/10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation)
(ConfigFree Service) ConfigFree Service [Auto | Running] -> C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe -> [2009/03/10 18:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION)
 
[Driver Services - Safe List]
64bit-(MBAMProtector) MBAMProtector [File_System | On_Demand | Running] -> C:\Windows\SysNative\drivers\mbam.sys -> [2012/04/04 15:56:40 | 000,024,904 | ---- | M] (Malwarebytes Corporation)
64bit-(KLIF) Kaspersky Lab Driver [File_System | System | Running] -> C:\Windows\SysNative\drivers\klif.sys -> [2012/03/18 12:20:03 | 000,353,296 | ---- | M] (Kaspersky Lab)
64bit-(CeKbFilter) CeKbFilter [Kernel | On_Demand | Running] -> C:\Windows\SysNative\drivers\CeKbFilter.sys -> [2012/02/13 07:55:47 | 000,020,592 | ---- | M] (Compal Electronics, INC.)
64bit-(KeyScrambler) KeyScrambler [Kernel | On_Demand | Running] -> C:\Windows\SysNative\drivers\keyscrambler.sys -> [2011/12/15 01:46:42 | 000,222,904 | ---- | M] (QFX Software Corporation)
64bit-(SASDIFSV) SASDIFSV [Kernel | System | Running] -> C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -> [2011/07/22 17:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
64bit-(SASKUTIL) SASKUTIL [Kernel | System | Running] -> C:\Program Files\SUPERAntiSpyware\saskutil64.sys -> [2011/07/12 22:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
64bit-(igfx) igfx [Kernel | On_Demand | Running] -> C:\Windows\SysNative\drivers\igdkmd64.sys -> [2011/04/04 20:10:14 | 012,262,624 | ---- | M] (Intel Corporation)
64bit-(amdsata) amdsata [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\amdsata.sys -> [2011/03/11 07:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices)
64bit-(amdxata) amdxata [Kernel | Boot | Running] -> C:\Windows\SysNative\drivers\amdxata.sys -> [2011/03/11 07:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices)
64bit-(tosrfbd) Bluetooth RFBUS [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\tosrfbd.sys -> [2011/02/23 11:03:42 | 000,291,120 | ---- | M] (TOSHIBA CORPORATION)
64bit-(SynTP) Synaptics TouchPad Driver [Kernel | On_Demand | Running] -> C:\Windows\SysNative\drivers\SynTP.sys -> [2011/02/03 19:59:06 | 001,413,680 | ---- | M] (Synaptics Incorporated)
64bit-(Tosrfusb) Bluetooth USB Controller [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\tosrfusb.sys -> [2011/01/27 15:27:04 | 000,067,384 | ---- | M] (TOSHIBA CORPORATION)
64bit-(RTL8167) Realtek 8167 NT Driver [Kernel | On_Demand | Running] -> C:\Windows\SysNative\drivers\Rt64win7.sys -> [2011/01/13 19:58:30 | 000,413,800 | ---- | M] (Realtek                                            )
64bit-(iaStor) Intel AHCI Controller [Kernel | Boot | Running] -> C:\Windows\SysNative\drivers\iaStor.sys -> [2011/01/12 17:51:44 | 000,439,320 | ---- | M] (Intel Corporation)
64bit-(athr) Atheros Extensible Wireless LAN device driver [Kernel | On_Demand | Running] -> C:\Windows\SysNative\drivers\athrx.sys -> [2010/12/17 19:46:46 | 002,675,712 | ---- | M] (Atheros Communications, Inc.)
64bit-(TsUsbFlt) TsUsbFlt [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\TsUsbFlt.sys -> [2010/11/21 04:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation)
64bit-(HpSAMD) HpSAMD [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\HpSAMD.sys -> [2010/11/21 04:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company)
64bit-(TsUsbGD) Remote Desktop Generic USB Device [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\TsUsbGD.sys -> [2010/11/21 04:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation)
64bit-(MEIx64) Intel(R) Management Engine Interface [Kernel | On_Demand | Running] -> C:\Windows\SysNative\drivers\HECIx64.sys -> [2010/10/19 16:34:26 | 000,056,344 | ---- | M] (Intel Corporation)
64bit-(BtFilter) Bluetooth LowerFilter Class Filter Driver [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\btfilter.sys -> [2010/10/18 14:14:02 | 000,042,096 | ---- | M] (Atheros)
64bit-(Tosrfhid) Bluetooth RFHID [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\Tosrfhid.sys -> [2010/08/30 10:48:00 | 000,094,528 | ---- | M] (TOSHIBA Corporation.)
64bit-(RSUSBSTOR) RtsUStor.Sys Realtek USB Card Reader [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\RtsUStor.sys -> [2010/07/20 17:43:22 | 000,247,400 | ---- | M] (Realtek Semiconductor Corp.)
64bit-(tosrfec) Bluetooth ACPI [Kernel | On_Demand | Running] -> C:\Windows\SysNative\drivers\tosrfec.sys -> [2010/06/18 16:45:00 | 000,018,872 | ---- | M] (TOSHIBA Corporation)
64bit-(LPCFilter) LPC Lower Filter Driver [Kernel | Boot | Running] -> C:\Windows\SysNative\drivers\LPCFilter.sys -> [2010/03/22 10:55:20 | 000,046,192 | ---- | M] (COMPAL ELECTRONIC INC.)
64bit-(CSCrySec) InfoWatch Encrypt Sector Library driver [Kernel | Boot | Running] -> C:\Windows\SysNative\drivers\CSCrySec.sys -> [2009/12/14 13:44:24 | 000,085,048 | ---- | M] (Infowatch)
64bit-(CSVirtualDiskDrv) InfoWatch Virtual Disk driver [Kernel | System | Running] -> C:\Windows\SysNative\drivers\CSVirtualDiskDrv.sys -> [2009/12/14 13:44:24 | 000,066,104 | ---- | M] (Infowatch)
64bit-(KLBG) Kaspersky Lab Boot Guard Driver [Kernel | Boot | Running] -> C:\Windows\SysNative\drivers\klbg.sys -> [2009/10/14 22:18:38 | 000,040,464 | ---- | M] (Kaspersky Lab)
64bit-(klmouflt) Kaspersky Lab KLMOUFLT [Kernel | On_Demand | Running] -> C:\Windows\SysNative\drivers\klmouflt.sys -> [2009/10/02 20:39:32 | 000,021,008 | ---- | M] (Kaspersky Lab)
64bit-(KLIM6) Kaspersky Anti-Virus NDIS 6 Filter [Kernel | System | Running] -> C:\Windows\SysNative\drivers\klim6.sys -> [2009/09/14 15:46:42 | 000,027,152 | ---- | M] (Kaspersky Lab)
64bit-(kl1) kl1 [Kernel | System | Running] -> C:\Windows\SysNative\drivers\kl1.sys -> [2009/09/01 16:29:56 | 000,157,712 | ---- | M] (Kaspersky Lab)
64bit-(tdcmdpst) TOSHIBA Writing Engine Filter Driver [Kernel | On_Demand | Running] -> C:\Windows\SysNative\drivers\tdcmdpst.sys -> [2009/07/30 20:22:04 | 000,027,784 | ---- | M] (TOSHIBA Corporation.)
64bit-(TVALZ) TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver [Kernel | Boot | Running] -> C:\Windows\SysNative\drivers\TVALZ_O.SYS -> [2009/07/14 16:31:18 | 000,026,840 | ---- | M] (TOSHIBA Corporation)
64bit-(amdsbs) amdsbs [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\amdsbs.sys -> [2009/07/14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.)
64bit-(LSI_SAS2) LSI_SAS2 [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\lsi_sas2.sys -> [2009/07/14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation)
64bit-(stexstor) stexstor [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\stexstor.sys -> [2009/07/14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology)
64bit-(tos_sps64) TOSHIBA tos_sps64 Service [Kernel | Boot | Running] -> C:\Windows\SysNative\drivers\tos_sps64.sys -> [2009/06/24 15:36:48 | 000,482,384 | ---- | M] (TOSHIBA Corporation)
64bit-(ebdrv) Broadcom NetXtreme II 10 GigE VBD [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\evbda.sys -> [2009/06/10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation)
64bit-(b06bdrv) Broadcom NetXtreme II VBD [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\bxvbda.sys -> [2009/06/10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation)
64bit-(b57nd60a) Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0 [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\b57nd60a.sys -> [2009/06/10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation)
64bit-(hcw85cir) Hauppauge Consumer Infrared Receiver [Kernel | On_Demand | Stopped] -> C:\Windows\SysNative\drivers\hcw85cir.sys -> [2009/06/10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.)
(WIMMount) WIMMount [File_System | On_Demand | Stopped] -> C:\Windows\SysWOW64\drivers\wimmount.sys -> [2009/07/14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation)
 
[Registry - Safe List]
< 64bit-Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> C:\Windows\SysWOW64\blank.htm -> 
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> -> 
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> -> 
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000\] > -> -> 
HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000\: Main\\"Start Page" -> http://www.google.com/ig/redirectdomain?brand=TEUA&bmod=TEUA -> 
HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000\: "ProxyEnable" -> 0 -> 
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
HKLM\software\mozilla\Mozilla Firefox 11.0\extensions ->  -> 
HKLM\software\mozilla\Mozilla Firefox 11.0\extensions\\Components -> C:\Program Files (x86)\Mozilla Firefox\components [C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\COMPONENTS] -> [2012/03/17 21:09:19 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins -> C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\PLUGINS -> 
HKLM\software\mozilla\Thunderbird\Extensions ->  -> 
HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\THBExt [C:\PROGRAM FILES (X86)\KASPERSKY LAB\KASPERSKY PURE\THBEXT] -> [2012/03/18 12:20:38 | 000,000,000 | ---D | M]
< FireFox Extensions [User Folders] > -> 
  -> C:\Users\Home\AppData\Roaming\Mozilla\Extensions -> [2012/03/17 18:51:15 | 000,000,000 | ---D | M]
  -> C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\b64pm3ra.default\extensions -> [2012/04/18 21:13:40 | 000,000,000 | ---D | M]
  -> C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\b64pm3ra.default\extensions\[email protected] -> [2012/04/11 08:27:03 | 000,000,000 | ---D | M]
  -> C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\b64pm3ra.default\extensions\[email protected] -> [2012/04/18 21:13:40 | 000,000,000 | ---D | M]
< FireFox Extensions [Program Folders] > -> 
  -> C:\Program Files (x86)\Mozilla Firefox\extensions -> [2012/03/18 12:21:40 | 000,000,000 | ---D | M]
  -> C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected] -> [2012/03/18 12:21:40 | 000,000,000 | ---D | M]
< HOSTS File > ([2012/04/23 15:33:02 | 000,000,027 | ---- | M] - 1 lines) -> C:\Windows\SysNative\Drivers\etc\hosts -> 
Reset Hosts
127.0.0.1       localhost
< 64bit-BHO's [HKEY_LOCAL_MACHINE] > -> 64bit-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} [HKLM] -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\ievkbd.dll [IEVkbdBHO Class] -> [2010/10/01 23:06:20 | 000,061,528 | ---- | M] (Kaspersky Lab)
{E33CF602-D945-461A-83F0-819F76A199F8} [HKLM] -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\klwtbbho.dll [FilterBHO Class] -> [2010/10/01 23:06:22 | 000,345,176 | ---- | M] (Kaspersky Lab)
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll [Spybot-S&D IE Protection] -> [2012/02/07 18:18:22 | 002,866,120 | ---- | M] (Safer-Networking Ltd.)
{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} [HKLM] -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ievkbd.dll [IEVkbdBHO Class] -> [2010/10/01 23:05:32 | 000,068,184 | ---- | M] (Kaspersky Lab)
{E33CF602-D945-461A-83F0-819F76A199F8} [HKLM] -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll [FilterBHO Class] -> [2010/10/01 23:05:36 | 000,268,888 | ---- | M] (Kaspersky Lab)
{F3C88694-EFFA-4d78-B409-54B7B2535B14} [HKLM] -> C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll [TOSHIBA Media Controller Plug-in] -> [2010/12/05 15:41:08 | 000,529,784 | ---- | M] (<TOSHIBA>)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
"Locked" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< 64bit-Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"HotKeysCmds" -> C:\Windows\SysNative\hkcmd.exe [C:\Windows\system32\hkcmd.exe] -> [2011/04/07 17:22:40 | 000,391,000 | ---- | M] (Intel Corporation)
"IgfxTray" -> C:\Windows\SysNative\igfxtray.exe [C:\Windows\system32\igfxtray.exe] -> [2011/04/07 17:22:52 | 000,167,256 | ---- | M] (Intel Corporation)
"Persistence" -> C:\Windows\SysNative\igfxpers.exe [C:\Windows\system32\igfxpers.exe] -> [2011/04/07 17:22:44 | 000,418,136 | ---- | M] (Intel Corporation)
"RtHDVBg" -> C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3 ] -> [2011/01/18 14:53:06 | 002,188,904 | ---- | M] (Realtek Semiconductor)
"RtHDVCpl" -> C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s] -> [2011/02/11 14:06:58 | 011,776,104 | ---- | M] (Realtek Semiconductor)
"TCrdMain" -> C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [%ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe] -> [2010/12/15 15:22:38 | 000,973,176 | ---- | M] (TOSHIBA Corporation)
"Toshiba TEMPRO" -> C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe [C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe] -> [2011/02/10 08:25:42 | 001,546,720 | ---- | M] (Toshiba Europe GmbH)
"TosReelTimeMonitor" -> C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [%ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe] -> [2010/12/14 16:00:52 | 000,038,304 | ---- | M] (TOSHIBA Corporation)
"TosSENotify" -> C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe] -> [2010/12/08 15:43:12 | 000,710,040 | ---- | M] (TOSHIBA Corporation)
"TosVolRegulator" -> C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe] -> [2009/11/11 14:31:34 | 000,024,376 | ---- | M] (TOSHIBA Corporation)
"TPwrMain" -> C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe [%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE] -> [2011/03/02 10:29:26 | 000,566,696 | ---- | M] (TOSHIBA Corporation)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"avp" -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe ["C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe"] -> [2010/10/01 23:06:36 | 000,348,760 | ---- | M] (Kaspersky Lab)
"HWSetup" -> C:\Program Files\TOSHIBA\Utilities\HWSetup.exe [C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP] -> [2010/03/04 16:44:58 | 000,423,936 | ---- | M] (TOSHIBA Electronics, Inc.)
"ITSecMng" -> C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [%ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START] -> [2009/07/22 13:40:00 | 000,083,336 | ---- | M] (TOSHIBA CORPORATION)
"Malwarebytes' Anti-Malware" -> C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe ["C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray] -> [2012/04/04 15:56:38 | 000,462,408 | ---- | M] (Malwarebytes Corporation)
"SDTray" -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe ["C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"] -> [2012/02/07 18:19:44 | 003,865,504 | ---- | M] (Safer-Networking Ltd.)
< RunOnce [HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000\] > -> HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce -> 
"FlashPlayerUpdate" -> C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11g_Plugin.exe [C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11g_Plugin.exe -update plugin] -> [2012/03/20 00:20:14 | 000,250,528 | ---- | M] (Adobe Systems, Inc.)
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< Software Policy Settings [HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000] > -> HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"ConsentPromptBehaviorAdmin" ->  [5] -> File not found
\\"ConsentPromptBehaviorUser" ->  [3] -> File not found
\\"EnableLinkedConnections" ->  [1] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000] > -> HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000] > -> HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< 64bit-Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{4248FE82-7FCB-46AC-B270-339F08212110}:{4248FE82-7FCB-46AC-B270-339F08212110} [HKLM] -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\klwtbbho.dll [Button: &Virtual Keyboard] -> [2010/10/01 23:06:22 | 000,345,176 | ---- | M] (Kaspersky Lab)
{CCF151D8-D089-449F-A5A4-D9909053F20F}:{CCF151D8-D089-449F-A5A4-D9909053F20F} [HKLM] -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\klwtbbho.dll [Button: URLs c&heck] -> [2010/10/01 23:06:22 | 000,345,176 | ---- | M] (Kaspersky Lab)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{4248FE82-7FCB-46AC-B270-339F08212110}:{4248FE82-7FCB-46AC-B270-339F08212110} [HKLM] -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll [Button: &Virtual Keyboard] -> [2010/10/01 23:05:36 | 000,268,888 | ---- | M] (Kaspersky Lab)
{CCF151D8-D089-449F-A5A4-D9909053F20F}:{CCF151D8-D089-449F-A5A4-D9909053F20F} [HKLM] -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll [Button: URLs c&heck] -> [2010/10/01 23:05:36 | 000,268,888 | ---- | M] (Kaspersky Lab)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll [Menu: Spybot - Search && Destroy Configuration] -> [2012/02/07 18:18:22 | 002,866,120 | ---- | M] (Safer-Networking Ltd.)
< 64bit-Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
< 64bit-Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< 64bit-Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< 64bit-Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000\] > -> HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 7756 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000\] > -> HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-21-3547180978-2016794528-2506506231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab [Java Plug-in 1.6.0_20] -> 
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab [Java Plug-in 1.6.0_20] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab [Java Plug-in 1.6.0_20] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 192.168.0.1 -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{1EA1A55B-390E-44FA-8878-E5C4D77B0C21}\\DhcpNameServer -> 192.168.0.1   (Atheros AR9002WB-1NG Wireless Network Adapter) -> 
{E78EEF3D-89D7-4686-ACC5-CF1EE678C92A}\\DhcpNameServer -> 192.168.0.1   (Realtek PCIe FE Family Controller) -> 
< 64bit-AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs -> 
64bit-*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls -> 
C:\PROGRA~2\KASPER~1\KASPER~1\x64\kloehk.dll -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\kloehk.dll -> [2010/10/01 23:06:20 | 000,015,448 | ---- | M] (Kaspersky Lab)
C:\PROGRA~2\KASPER~1\KASPER~1\x64\sbhook64.dll -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\x64\sbhook64.dll -> [2010/10/01 23:06:24 | 000,069,720 | ---- | M] (Kaspersky Lab)
*MultiFile Done* -> -> 
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs -> 
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls -> 
C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\mzvkbd3.dll -> [2010/10/01 23:05:40 | 000,109,144 | ---- | M] (Kaspersky Lab)
C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\sbhook.dll -> [2010/10/01 23:05:40 | 000,072,280 | ---- | M] (Kaspersky Lab)
*MultiFile Done* -> -> 
< 64bit-Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
64bit-*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\Windows\explorer.exe -> [2011/02/25 07:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
64bit-*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\Windows\system32\userinit.exe -> C:\Windows\SysNative\userinit.exe -> [2010/11/21 04:24:28 | 000,030,720 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
64bit-*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> 
SystemPropertiesPerformance.exe -> C:\Windows\SysNative\SystemPropertiesPerformance.exe -> [2009/07/14 02:39:47 | 000,082,432 | ---- | M] (Microsoft Corporation)
/pagefile ->  -> File not found
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\Windows\SysWow64\explorer.exe -> [2011/02/25 06:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\Windows\system32\userinit.exe -> C:\Windows\SysWOW64\userinit.exe -> [2010/11/21 04:23:55 | 000,026,624 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> 
/pagefile ->  -> File not found
*MultiFile Done* -> -> 
< 64bit-Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
igfxcui -> C:\Windows\SysNative\igfxdev.dll -> [2011/04/04 19:28:54 | 000,385,024 | ---- | M] (Intel Corporation)
klogon -> C:\Windows\SysNative\klogon.dll -> [2010/10/01 23:06:20 | 000,224,344 | ---- | M] (Kaspersky Lab)
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
SDWinLogon ->  -> File not found
< Vista Public Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications -> 
< Vista Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications -> 
64bit-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
\List\\"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon] -> [2012/02/07 18:19:44 | 003,865,504 | ---- | M] (Safer-Networking Ltd.)
\List\\"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe" -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Enabled:Spybot-S&D 2 Scanner Service] -> [2012/02/07 18:18:24 | 001,181,104 | ---- | M] (Safer-Networking Ltd.)
\List\\"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe" -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater] -> [2012/02/07 18:19:52 | 003,821,976 | ---- | M] (Safer-Networking Ltd.)
\List\\"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe" -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service] -> [2012/02/07 18:18:28 | 001,185,704 | ---- | M] (Safer-Networking Ltd.)
< Vista Active Firewall Rules > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules -> 
{0FEC2111-F6F8-42FA-8962-F6C586E08165} -> rport=138 | profile=private | protocol=17 | dir=out | action=allow | [email protected],-28531 | app=system | 
{28E15283-BF99-4342-BA5F-55309F675B3C} -> lport=5355 | profile=private | protocol=17 | dir=in | action=allow | [email protected],-28548 | app=%systemroot%\system32\svchost.exe | svc=dnscache | 
{35BC76F7-4C00-4592-A542-7760D90E4243} -> rport=445 | profile=private | protocol=6 | dir=out | action=allow | [email protected],-28515 | app=system | 
{35DE91C6-E3BF-4727-A7D0-431CDD133D49} -> lport=137 | profile=private | protocol=17 | dir=in | action=allow | [email protected],-28519 | app=system | 
{70A7D648-7286-4B25-BB82-357EBD51EA7F} -> lport=rpc-epmap | profile=private | protocol=6 | dir=in | action=allow | [email protected],-28539 | svc=rpcss | 
{96DA24CB-0374-4148-98D0-222CC9E0AE4E} -> rport=5355 | profile=private | protocol=17 | dir=out | action=allow | [email protected],-28550 | app=%systemroot%\system32\svchost.exe | svc=dnscache | 
{9F2486AD-2442-40A2-A802-E2D28A7B7220} -> lport=rpc | profile=private | protocol=6 | dir=in | action=allow | [email protected],-28535 | app=%systemroot%\system32\spoolsv.exe | svc=spooler | 
{A7F1B629-D4B1-4414-85A2-B09A2AF90025} -> lport=1900 | protocol=17 | dir=in | action=allow | name=windows live communications platform (ssdp) | 
{AD63CBC5-0EB6-4B51-B11C-6882BCE3F249} -> rport=137 | profile=private | protocol=17 | dir=out | action=allow | [email protected],-28523 | app=system | 
{B73E2891-FA91-436C-8D30-F4FC6E9167D2} -> lport=138 | profile=private | protocol=17 | dir=in | action=allow | [email protected],-28527 | app=system | 
{B9C53AEF-6BA7-4D38-8721-C3694FB2DCF7} -> rport=139 | profile=private | protocol=6 | dir=out | action=allow | [email protected],-28507 | app=system | 
{CA832811-E9CA-4EC8-8E26-9AC63BCE40D7} -> lport=445 | profile=private | protocol=6 | dir=in | action=allow | [email protected],-28511 | app=system | 
{EF9D5841-3D76-4945-99E6-944D619025EE} -> lport=2869 | protocol=6 | dir=in | action=allow | name=windows live communications platform (upnp) | 
{F58F436A-07EC-4D53-911C-2260654CF8D2} -> lport=139 | profile=private | protocol=6 | dir=in | action=allow | [email protected],-28503 | app=system | 
< Vista Active Application Exception Rules > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules -> 
{03F2D0EE-5809-487D-B63E-9DB3A5BD0F1B} -> dir=in | action=allow | name=skype | app=c:\program files (x86)\skype\phone\skype.exe | 
{34E57831-B304-4447-95F9-A5EFC7C0CED2} -> protocol=6 | dir=in | action=allow | name=&#956;torrent (tcp-in) | app=c:\program files (x86)\utorrent\utorrent.exe | 
{3F398733-B648-4844-8284-75DACA09975C} -> dir=in | action=allow | name=windows live mesh | app=c:\program files (x86)\windows live\mesh\moe.exe | 
{486EC49F-AA7B-4C20-AFBA-8F8E8FB97C86} -> profile=private | protocol=1 | dir=in | action=allow | [email protected],-28543 | 
{54F7865B-D8D6-443D-9C48-34994220E00A} -> profile=public | protocol=6 | dir=in | action=allow | name=mcafee shared service host | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe | 
{6869744E-8C11-4D9E-96B9-53499499384C} -> profile=public | protocol=17 | dir=in | action=allow | name=mcafee shared service host | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe | 
{7573F019-5A47-497C-B0DC-51611944348F} -> profile=private | protocol=58 | dir=out | action=allow | [email protected],-28546 | 
{7D450148-46F5-4464-BC0B-B80144BF1BFB} -> profile=private | protocol=1 | dir=out | action=allow | [email protected],-28544 | 
{9B053D09-5874-4D58-AA85-D4BBB3A5231F} -> profile=private | protocol=58 | dir=in | action=allow | [email protected],-28545 | 
{B57E3B22-5AA4-4124-A43F-518E8B697EFB} -> dir=in | action=allow | name=windows live messenger | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe | 
{BE3ABAEE-812C-49AC-8ECC-B89E4694F6F3} -> dir=in | action=allow | name=windows live communications platform | app=c:\program files (x86)\windows live\contacts\wlcomm.exe | 
{FE09B503-6FC3-4479-80F6-0B0581ABEEAD} -> protocol=17 | dir=in | action=allow | name=&#956;torrent (udp-in) | app=c:\program files (x86)\utorrent\utorrent.exe | 
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe" -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Enabled:Spybot-S&D 2 Scanner Service] -> [2012/02/07 18:18:24 | 001,181,104 | ---- | M] (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon] -> [2012/02/07 18:19:44 | 003,865,504 | ---- | M] (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe" -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater] -> [2012/02/07 18:19:52 | 003,821,976 | ---- | M] (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe" -> C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service] -> [2012/02/07 18:18:28 | 001,185,704 | ---- | M] (Safer-Networking Ltd.)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" -> C:\Windows\SysNative\drivers\cdrom.sys [system32\DRIVERS\cdrom.sys] -> [2010/11/21 04:23:47 | 000,147,456 | ---- | M] (Microsoft Corporation)
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
64bit-comfile [open] -> "%1" %*
64bit-exefile [open] -> "%1" %*
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
< 64bit-File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = ComFile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = ComFile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 
 
 
[Files/Folders - Created Within 30 Days]
 OTS.exe -> C:\Users\Home\Desktop\OTS.exe -> [2012/04/24 18:43:55 | 000,646,656 | ---- | C] (OldTimer Tools)
 $RECYCLE.BIN -> C:\$RECYCLE.BIN -> [2012/04/23 17:28:53 | 000,000,000 | -HSD | C]
 temp -> C:\Windows\temp -> [2012/04/23 15:36:34 | 000,000,000 | ---D | C]
 SWREG.exe -> C:\Windows\SWREG.exe -> [2012/04/21 23:09:35 | 000,518,144 | ---- | C] (SteelWerX)
 SWSC.exe -> C:\Windows\SWSC.exe -> [2012/04/21 23:09:35 | 000,406,528 | ---- | C] (SteelWerX)
 NIRCMD.exe -> C:\Windows\NIRCMD.exe -> [2012/04/21 23:09:35 | 000,060,416 | ---- | C] (NirSoft)
 ERDNT -> C:\Windows\ERDNT -> [2012/04/21 23:09:25 | 000,000,000 | ---D | C]
 username123.exe.exe -> C:\Users\Home\Desktop\username123.exe.exe -> [2012/04/21 22:58:41 | 004,470,025 | R--- | C] (Swearware)
 Qoobox -> C:\Qoobox -> [2012/04/21 21:22:40 | 000,000,000 | ---D | C]
 Malwarebytes -> C:\Users\Home\AppData\Roaming\Malwarebytes -> [2012/04/21 18:06:02 | 000,000,000 | ---D | C]
 mbamswissarmy.sys -> C:\Windows\SysWow64\drivers\mbamswissarmy.sys -> [2012/04/21 18:05:53 | 000,041,272 | ---- | C] (Malwarebytes Corporation)
 Malwarebytes' Anti-Malware -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware -> [2012/04/21 18:05:53 | 000,000,000 | ---D | C]
 Malwarebytes -> C:\ProgramData\Malwarebytes -> [2012/04/21 18:05:52 | 000,000,000 | ---D | C]
 mbam.sys -> C:\Windows\SysNative\drivers\mbam.sys -> [2012/04/21 18:05:48 | 000,024,904 | ---- | C] (Malwarebytes Corporation)
 Malwarebytes' Anti-Malware -> C:\Program Files (x86)\Malwarebytes' Anti-Malware -> [2012/04/21 18:05:48 | 000,000,000 | ---D | C]
 QFX Software -> C:\Users\Home\AppData\Roaming\QFX Software -> [2012/04/19 14:39:58 | 000,000,000 | ---D | C]
 QFX Software -> C:\ProgramData\QFX Software -> [2012/04/19 14:39:58 | 000,000,000 | ---D | C]
 Adobe -> C:\Users\Home\AppData\Local\Adobe -> [2012/04/18 23:01:43 | 000,000,000 | ---D | C]
 KeyScrambler -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeyScrambler -> [2012/04/18 21:11:13 | 000,000,000 | ---D | C]
 keyscrambler.sys -> C:\Windows\SysNative\drivers\keyscrambler.sys -> [2012/04/18 21:11:11 | 000,222,904 | ---- | C] (QFX Software Corporation)
 KeyScrambler -> C:\Program Files (x86)\KeyScrambler -> [2012/04/18 21:11:10 | 000,000,000 | ---D | C]
 Config.Msi -> C:\Config.Msi -> [2012/04/12 20:34:30 | 000,000,000 | ---D | C]
 mshtmled.dll -> C:\Windows\SysNative\mshtmled.dll -> [2012/04/11 03:02:51 | 000,096,256 | ---- | C] (Microsoft Corporation)
 mshtmled.dll -> C:\Windows\SysWow64\mshtmled.dll -> [2012/04/11 03:02:51 | 000,072,704 | ---- | C] (Microsoft Corporation)
 jscript9.dll -> C:\Windows\SysNative\jscript9.dll -> [2012/04/11 03:02:50 | 002,311,168 | ---- | C] (Microsoft Corporation)
 ieui.dll -> C:\Windows\SysNative\ieui.dll -> [2012/04/11 03:02:49 | 000,248,320 | ---- | C] (Microsoft Corporation)
 url.dll -> C:\Windows\SysNative\url.dll -> [2012/04/11 03:02:49 | 000,237,056 | ---- | C] (Microsoft Corporation)
 url.dll -> C:\Windows\SysWow64\url.dll -> [2012/04/11 03:02:49 | 000,231,936 | ---- | C] (Microsoft Corporation)
 ieui.dll -> C:\Windows\SysWow64\ieui.dll -> [2012/04/11 03:02:49 | 000,176,640 | ---- | C] (Microsoft Corporation)
 inetcpl.cpl -> C:\Windows\SysNative\inetcpl.cpl -> [2012/04/11 03:02:48 | 001,493,504 | ---- | C] (Microsoft Corporation)
 inetcpl.cpl -> C:\Windows\SysWow64\inetcpl.cpl -> [2012/04/11 03:02:48 | 001,427,456 | ---- | C] (Microsoft Corporation)
 jscript.dll -> C:\Windows\SysNative\jscript.dll -> [2012/04/11 03:02:48 | 000,818,688 | ---- | C] (Microsoft Corporation)
 jscript.dll -> C:\Windows\SysWow64\jscript.dll -> [2012/04/11 03:02:48 | 000,716,800 | ---- | C] (Microsoft Corporation)
 ntoskrnl.exe -> C:\Windows\SysNative\ntoskrnl.exe -> [2012/04/11 03:02:33 | 005,559,152 | ---- | C] (Microsoft Corporation)
 ntkrnlpa.exe -> C:\Windows\SysWow64\ntkrnlpa.exe -> [2012/04/11 03:02:32 | 003,968,368 | ---- | C] (Microsoft Corporation)
 ntoskrnl.exe -> C:\Windows\SysWow64\ntoskrnl.exe -> [2012/04/11 03:02:32 | 003,913,072 | ---- | C] (Microsoft Corporation)
 imagehlp.dll -> C:\Windows\SysNative\imagehlp.dll -> [2012/04/11 03:00:26 | 000,081,408 | ---- | C] (Microsoft Corporation)
 fs_rec.sys -> C:\Windows\SysNative\drivers\fs_rec.sys -> [2012/04/11 03:00:26 | 000,023,408 | ---- | C] (Microsoft Corporation)
 wintrust.dll -> C:\Windows\SysNative\wintrust.dll -> [2012/04/11 03:00:25 | 000,220,672 | ---- | C] (Microsoft Corporation)
 Premium -> C:\ProgramData\Premium -> [2012/04/08 21:31:58 | 000,000,000 | ---D | C]
 InstallMate -> C:\ProgramData\InstallMate -> [2012/04/08 21:30:47 | 000,000,000 | ---D | C]
 dvdcss -> C:\Users\Home\AppData\Roaming\dvdcss -> [2012/03/30 14:35:14 | 000,000,000 | ---D | C]
 Canneverbe Limited -> C:\ProgramData\Canneverbe Limited -> [2012/03/29 22:18:50 | 000,000,000 | ---D | C]
 Canneverbe Limited -> C:\Users\Home\AppData\Roaming\Canneverbe Limited -> [2012/03/29 22:18:49 | 000,000,000 | ---D | C]
 CDBurnerXP -> C:\Program Files (x86)\CDBurnerXP -> [2012/03/29 22:18:34 | 000,000,000 | ---D | C]
 ProcAlyzer Dumps -> C:\ProcAlyzer Dumps -> [2012/03/28 14:40:52 | 000,000,000 | ---D | C]
 Ilivid Player -> C:\Users\Home\AppData\Local\Ilivid Player -> [2012/03/27 01:04:28 | 000,000,000 | ---D | C]
 
[Files/Folders - Modified Within 30 Days]
 OTS.exe -> C:\Users\Home\Desktop\OTS.exe -> [2012/04/24 18:44:00 | 000,646,656 | ---- | M] (OldTimer Tools)
 PerfStringBackup.INI -> C:\Windows\SysNative\PerfStringBackup.INI -> [2012/04/24 18:19:42 | 000,726,316 | ---- | M] ()
 perfh009.dat -> C:\Windows\SysNative\perfh009.dat -> [2012/04/24 18:19:42 | 000,628,460 | ---- | M] ()
 perfc009.dat -> C:\Windows\SysNative\perfc009.dat -> [2012/04/24 18:19:42 | 000,110,612 | ---- | M] ()
 bootstat.dat -> C:\Windows\bootstat.dat -> [2012/04/24 18:18:21 | 000,067,584 | --S- | M] ()
 7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 -> C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 -> [2012/04/23 17:35:50 | 000,025,120 | -H-- | M] ()
 7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 -> C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 -> [2012/04/23 17:35:50 | 000,025,120 | -H-- | M] ()
 hiberfil.sys -> C:\hiberfil.sys -> [2012/04/23 17:28:20 | 3148,685,312 | -HS- | M] ()
 hosts -> C:\Windows\SysNative\drivers\etc\hosts -> [2012/04/23 15:33:02 | 000,000,027 | ---- | M] ()
 username123.exe.exe -> C:\Users\Home\Desktop\username123.exe.exe -> [2012/04/21 22:59:05 | 004,470,025 | R--- | M] (Swearware)
 Malwarebytes Anti-Malware.lnk -> C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk -> [2012/04/21 18:06:42 | 000,001,120 | ---- | M] ()
 lion.xps -> C:\Users\Home\Documents\lion.xps -> [2012/04/12 20:51:08 | 001,289,888 | ---- | M] ()
 Adobe Reader X.lnk -> C:\Users\Public\Desktop\Adobe Reader X.lnk -> [2012/04/12 20:36:26 | 000,002,026 | ---- | M] ()
 mbam.sys -> C:\Windows\SysNative\drivers\mbam.sys -> [2012/04/04 15:56:40 | 000,024,904 | ---- | M] (Malwarebytes Corporation)
 CDBurnerXP.lnk -> C:\Users\Public\Desktop\CDBurnerXP.lnk -> [2012/03/29 22:18:35 | 000,001,952 | ---- | M] ()
 
[Files - No Company Name]
 PEV.exe -> C:\Windows\PEV.exe -> [2012/04/21 23:09:35 | 000,256,000 | ---- | C] ()
 MBR.exe -> C:\Windows\MBR.exe -> [2012/04/21 23:09:35 | 000,208,896 | ---- | C] ()
 sed.exe -> C:\Windows\sed.exe -> [2012/04/21 23:09:35 | 000,098,816 | ---- | C] ()
 grep.exe -> C:\Windows\grep.exe -> [2012/04/21 23:09:35 | 000,080,412 | ---- | C] ()
 zip.exe -> C:\Windows\zip.exe -> [2012/04/21 23:09:35 | 000,068,096 | ---- | C] ()
 Malwarebytes Anti-Malware.lnk -> C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk -> [2012/04/21 18:06:42 | 000,001,120 | ---- | C] ()
 lion.xps -> C:\Users\Home\Documents\lion.xps -> [2012/04/12 20:51:07 | 001,289,888 | ---- | C] ()
 CDBurnerXP.lnk -> C:\Users\Public\Desktop\CDBurnerXP.lnk -> [2012/03/29 22:18:35 | 000,001,952 | ---- | C] ()
 CDBurnerXP.lnk -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CDBurnerXP.lnk -> [2012/03/29 22:18:35 | 000,001,910 | ---- | C] ()
 NDSTray.INI -> C:\Windows\NDSTray.INI -> [2012/02/13 08:22:58 | 000,000,000 | ---- | C] ()
 igcompkrng600.bin -> C:\Windows\SysWow64\igcompkrng600.bin -> [2011/04/04 20:07:00 | 000,145,804 | ---- | C] ()
 igkrng600.bin -> C:\Windows\SysWow64\igkrng600.bin -> [2011/04/04 20:06:58 | 000,963,116 | ---- | C] ()
 igfcg600m.bin -> C:\Windows\SysWow64\igfcg600m.bin -> [2011/04/04 20:06:58 | 000,216,876 | ---- | C] ()
 SynTPEnhPS.dll -> C:\Windows\SysWow64\SynTPEnhPS.dll -> [2011/02/03 19:56:58 | 000,066,856 | ---- | C] ()
< End of report >
```


----------



## dvk01 (Dec 14, 2002)

well that shows an unknown firefox extension so it is likely to be the culprit
Start *OTS*. Copy/Paste the information in the Code box below into the pane where it says *"Paste fix here"* and then click the Run Fix button.


```
[Unregister Dlls]
[Registry - Safe List]
< FireFox Extensions [User Folders] > -> 
YY -> ~EmptyValue -> C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\b64pm3ra.default\extensions\[email protected]
[ZipFiles]
```
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. *Post that information back here *.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

let me know if that cures it 
if it does, look in the OT moved files folder & there should be a zip file in there
please do this so we can get a copy of this rogue software so the antispyware companies can include it in their fixes

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file inside ot moved files folder
or to 
http://www.bleepingcomputer.com/submit-malware.php?channel=38


----------



## Fishermoon (Feb 14, 2012)

Hi

Yes, the problems are solved, thank you ever so much. I have uploaded a ZIP file to Spykiller - here is the link: http://thespykiller.co.uk/index.php/topic,9926.new.html#new

Also, i have no other problems nor did i encounter any, so long as the ZIP file is the correct one!

And once again thank you very much kind sir

Dan

(marked as solved)


----------



## dvk01 (Dec 14, 2002)

it looks like it came in as part of wxDfast
download manager or pretended to be that software


----------



## dvk01 (Dec 14, 2002)

need to do a bit more clearing up in view of what I discovered in teh file you sent 
Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)

*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished *

Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe or renamed combofix icon as shown in the screenshot below.










This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply .

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum *


----------



## Fishermoon (Feb 14, 2012)

Hi

Apparently Combofix had expired and was run in "reduced functionality mode"

Here is the log:

ComboFix 12-04-20.03 - Home 26/04/2012 14:20:13.5.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4004.2910 [GMT 1:00]
Running from: c:\users\Home\Desktop\username123.exe.exe
Command switches used :: c:\users\Home\Desktop\CFScript.txt
AV: Kaspersky PURE *Disabled/Outdated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
FW: Kaspersky PURE *Disabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}
SP: Kaspersky PURE *Disabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
SP: Spybot - Search && Destroy *Disabled/Updated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\InstallMate
c:\programdata\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\_Setup.dll
c:\programdata\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\_Setupx.dll
c:\programdata\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\0.ini
c:\programdata\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\20120408213047.log
c:\programdata\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\Setup.dat
c:\programdata\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\Setup.exe
c:\programdata\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\Setup.ico
c:\programdata\InstallMate\{C1E28B35-42CA-43F0-8B8B-85F6E7255916}\TsuDll.dll
c:\programdata\Premium
.
.
((((((((((((((((((((((((( Files Created from 2012-03-26 to 2012-04-26 )))))))))))))))))))))))))))))))
.
.
2012-04-26 13:22 . 2012-04-26 13:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-25 12:27 . 2012-04-25 12:27 -------- d-----w- C:\_OTS
2012-04-24 13:38 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6259FDC6-8A23-432B-BEDE-33C5DEB3AFDC}\mpengine.dll
2012-04-21 17:06 . 2012-04-21 17:06 -------- d-----w- c:\users\Home\AppData\Roaming\Malwarebytes
2012-04-21 17:05 . 2011-07-08 06:55 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2012-04-21 17:05 . 2012-04-21 17:05 -------- d-----w- c:\programdata\Malwarebytes
2012-04-21 17:05 . 2012-04-21 17:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-21 17:05 . 2012-04-04 14:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-19 13:39 . 2012-04-19 13:39 -------- d-----w- c:\users\Home\AppData\Roaming\QFX Software
2012-04-19 13:39 . 2012-04-19 13:39 -------- d-----w- c:\programdata\QFX Software
2012-04-18 22:01 . 2012-04-18 22:01 -------- d-----w- c:\users\Home\AppData\Local\Adobe
2012-04-18 20:11 . 2011-12-15 00:46 222904 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2012-04-18 20:11 . 2012-04-18 20:11 -------- d-----w- c:\program files (x86)\KeyScrambler
2012-04-11 02:00 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-11 02:00 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 02:00 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 02:00 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-11 02:00 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-11 02:00 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 02:00 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-03-30 13:35 . 2012-03-30 13:36 -------- d-----w- c:\users\Home\AppData\Roaming\dvdcss
2012-03-29 21:18 . 2012-03-29 21:18 -------- d-----w- c:\programdata\Canneverbe Limited
2012-03-29 21:18 . 2012-03-29 21:18 -------- d-----w- c:\users\Home\AppData\Roaming\Canneverbe Limited
2012-03-29 21:18 . 2012-03-29 21:18 -------- d-----w- c:\program files (x86)\CDBurnerXP
2012-03-28 13:40 . 2012-03-28 13:40 -------- d-----w- C:\ProcAlyzer Dumps
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-19 23:20 . 2012-03-19 23:20 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-23 09:18 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 06:38 . 2012-03-18 10:18 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-18 10:18 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-18 10:18 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-18 10:18 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-13 06:55 . 2012-02-13 06:56 20592 ----a-w- c:\windows\system32\drivers\CeKbFilter.sys
2012-02-10 06:36 . 2012-03-18 10:29 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-18 10:29 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-03 04:34 . 2012-03-18 10:29 3145728 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( [email protected]_23.03.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-04-21 23:02 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-04-26 13:23 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-04-26 13:23 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-21 23:02 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-26 13:23 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-21 23:02 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-21 03:09 . 2012-04-23 16:30 36386 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-04-26 05:01 36672 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2012-03-17 12:23 . 2012-04-21 22:07 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-03-17 12:23 . 2012-04-25 18:12 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-03-17 12:23 . 2012-04-21 22:07 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-03-17 12:23 . 2012-04-25 18:12 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-25 18:12 16384  c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-21 22:07 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-03-17 13:28 . 2012-04-26 05:01 7284 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3547180978-2016794528-2506506231-1000_UserData.bin
- 2012-04-21 23:02 . 2012-04-21 23:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-26 13:23 . 2012-04-26 13:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-26 13:23 . 2012-04-26 13:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-04-21 23:02 . 2012-04-21 23:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-23 11:57 . 2012-04-24 13:24 144246 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2012-03-17 17:30 . 2012-04-26 13:02 228074 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2012-04-21 22:08 628460 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-26 05:09 628460 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-26 05:09 110612 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-04-21 22:08 110612 c:\windows\system32\perfc009.dat
+ 2012-03-17 13:24 . 2012-04-26 13:22 713488 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2012-03-17 13:24 . 2012-04-21 23:01 713488 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-07-14 05:01 . 2012-04-21 23:01 228720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-04-26 13:22 228720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2012-03-17 13:24 . 2012-04-18 20:12 907072 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3547180978-2016794528-2506506231-1000-12288.dat
+ 2012-03-17 13:24 . 2012-04-26 13:22 907072 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3547180978-2016794528-2506506231-1000-12288.dat
+ 2012-03-17 13:24 . 2012-04-26 13:22 9857712 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3547180978-2016794528-2506506231-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2010-10-01 22:05 129624 ----a-w- c:\program files (x86)\Kaspersky Lab\Kaspersky PURE\shellex.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2010-03-04 423936]
"ITSecMng"="c:\program files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2012-02-07 3865504]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"avp"="c:\program files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe" [2010-10-01 348760]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Toshiba Places Icon Utility.lnk - c:\program files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe [2011-8-26 1493888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDWinLogon]
SDWinLogon.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\KASPER~1\KASPER~1\mzvkbd3.dll c:\progra~2\KASPER~1\KASPER~1\sbhook.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BtFilter;Bluetooth LowerFilter Class Filter Driver;c:\windows\system32\DRIVERS\btfilter.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TemproMonitoringService;Notebook Performance Tuning Service (TEMPRO);c:\program files (x86)\Toshiba TEMPRO\TemproSvc.exe [2011-02-10 112080]
R3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2010-11-29 54136]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 CSCrySec;InfoWatch Encrypt Sector Library driver;c:\windows\system32\DRIVERS\CSCrySec.sys [x]
S0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\DRIVERS\klbg.sys [x]
S0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\DRIVERS\tos_sps64.sys [x]
S1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;c:\windows\system32\DRIVERS\CSVirtualDiskDrv.sys [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe [2010-01-28 249200]
S2 ConfigFree Service;ConfigFree Service;c:\program files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-10 46448]
S2 CSObjectsSrv;CryptoStorage control service;c:\program files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [2009-12-21 743992]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe [2010-08-04 1809920]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2011-03-29 598312]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-02-07 1181104]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-02-07 1185704]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-02-07 166528]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
S3 CeKbFilter;CeKbFilter;c:\windows\system32\DRIVERS\CeKbFilter.sys [x]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [x]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-12-08 137632]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\KAVOverlayIcon]
@="{dd230880-495a-11d1-b064-008048ec2fc5}"
[HKEY_CLASSES_ROOT\CLSID\{dd230880-495a-11d1-b064-008048ec2fc5}]
2010-10-01 22:06 170584 ----a-w- c:\program files (x86)\Kaspersky Lab\Kaspersky PURE\x64\ShellEx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TosReelTimeMonitor"="c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe" [BU]
"Toshiba TEMPRO"="c:\program files (x86)\Toshiba TEMPRO\TemproTray.exe" [2011-02-10 1546720]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-04-07 167256]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-04-07 391000]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-04-07 418136]
"TPwrMain"="c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE" [BU]
"TCrdMain"="c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-02-11 11776104]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-01-18 2188904]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-12-08 710040]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\KASPER~1\KASPER~1\x64\kloehk.dll c:\progra~2\KASPER~1\KASPER~1\x64\sbhook64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TEUA&bmod=TEUA
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\b64pm3ra.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.ixquick.com/uk/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-04-26 14:27:53 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-26 13:27
ComboFix2.txt 2012-04-23 14:36
ComboFix3.txt 2012-04-21 23:07
.
Pre-Run: 157,921,386,496 bytes free
Post-Run: 157,866,815,488 bytes free
.
- - End Of File - - DF6632CBAA923B690EEA51B1A3553293


----------



## dvk01 (Dec 14, 2002)

ok that looks fine now so

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click *START* then * RUN*
* Now type *Combofix /Uninstall * in the runbox and click *OK*. Note the *space *between the *X* and the */U*, it needs to be there.









This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop

Then reboot.

Please double-click *OTScanIt.exe* to run it.

press cleanup & it will will delete/uninstall all the tools we have used to fix your problems and all their backup folders and then delete itself when you next reboot

go here* http://www.thespykiller.co.uk/index.php?page=3 *for info on how to tighten your security settings and how to help prevent future attacks.

and scan here* http://secunia.com/vulnerability_scanning/online/* for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place. * If windows update doesn't work, please come back & tell us*


----------

